CI evaluation check does allow impure evaluation #997

Open
Mic92 opened this issue Feb 3, 2025 · 2 comments
Mic92 (Collaborator) commented Feb 3, 2025

When using nix-eval-jobs with --expr, the evaluation is impure, i.e. it allows reading arbitrary files and environment variables:

--expr "$(cat "$TMPDIR/eval.nix")"

However, there is a workaround for it that we use in the terraform module of nixos-anywhere: https://github.com/nix-community/nixos-anywhere/blob/d4a3ecf32bd3cc9d243e0a2f37de91bc84b14216/terraform/nix-build/nix-build.sh#L38

When builtins.getFlake also receives a narHash, it can be used in pure evaluation.

This means we can set --option pure-eval true in nix-eval-jobs to force pure evaluation.

henrirosten (Collaborator) commented Feb 11, 2025

I agree we should do the evaluation check differently, not using --expr.

The reason the eval check is now done the way it is (using eval.sh) is an attempt to improve the evaluation check runtime in GitHub Actions, as discussed in PR #988.

I think such impure evaluation might be acceptable in this specific case, since we only check whether the ghaf flake still evaluates after the changes, but otherwise don't store or reuse the evaluation results anywhere.

As an example, builds triggered by GitHub Actions still run 'pure' in a separate workflow.

henrirosten (Collaborator) commented Feb 11, 2025

@Mic92 wrote:

However, there is a workaround for it that we use in the terraform module of nixos-anywhere: https://github.com/nix-community/nixos-anywhere/blob/d4a3ecf32bd3cc9d243e0a2f37de91bc84b14216/terraform/nix-build/nix-build.sh#L38

When builtins.getFlake also receives a narHash, it can be used in pure evaluation.

I did trial the above suggested workaround here: henrirosten@9440fdc, but it gives the following error:

# Trial-run eval.sh manually in ghaf devshell, with '-v' for verbose output:

❯ .github/eval.sh -v
[+] Using tmpdir: '/tmp/tmp.X2bP4in8D9.evaltmp'
...
[+] flake_nar: sha256-upcpAueiIS7H7wa1IiIUrpExkXie0bDZ4oJUaD7t1TQ=
...
error:
       … while calling the 'import' builtin
         at «string»:3:10:
            2|   flake = builtins.getFlake (git+file:// + (toString ./.) + "?narHash=sha256-upcpAueiIS7H7wa1IiIUrpExkXie0bDZ4oJUaD7t1TQ=");
            3|   lib = (import flake.inputs.nixpkgs { }).lib;
             |          ^
            4| in {

       … while realising the context of a path

       … while calling the 'getFlake' builtin
         at «string»:2:11:
            1| let
            2|   flake = builtins.getFlake (git+file:// + (toString ./.) + "?narHash=sha256-upcpAueiIS7H7wa1IiIUrpExkXie0bDZ4oJUaD7t1TQ=");
             |           ^
            3|   lib = (import flake.inputs.nixpkgs { }).lib;

       error: cannot call 'getFlake' on unlocked flake reference 'git+file:///home/hrosten/projects/ghaf-fork?narHash=sha256-upcpAueiIS7H7wa1IiIUrpExkXie0bDZ4oJUaD7t1TQ=', at «none»:0 (use --impure to override)
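One shape the pure variant of the check could take, added here as an example and not code from the ghaf repository or from nixos-anywhere: the flake is pinned by its narHash through a `path:` reference and nix-eval-jobs is run with `--option pure-eval true`, as Mic92 suggests above. That a `path:` ref carrying a narHash counts as a locked reference (where the `git+file://` ref without a rev in the error above did not) is this example's assumption, as is `nix hash path --sri` as the way to obtain the narHash; the hash used in the comments is the one from the log above. The two input checks are there because both values are interpolated into the Nix string literal handed to `--expr`.

```shell
#!/usr/bin/env bash
# Added example, not code from ghaf or nixos-anywhere. Builds a pure-eval
# flake check: the flake is referenced through a locked "path:" ref carrying
# its narHash, and nix-eval-jobs runs with --option pure-eval true, so the
# expression cannot read arbitrary files or environment variables the way an
# impure --expr can.
set -euo pipefail

# Accept only an SRI sha256 hash (the form `nix hash path --sri` prints).
# Anything else is refused before it reaches the Nix expression.
is_sri_sha256() {
  local b64=${1#sha256-}
  [ "$b64" != "$1" ] || return 1          # prefix "sha256-" was missing
  [ "${#b64}" -eq 44 ] || return 1        # 32 bytes -> 44 base64 chars
  printf '%s\n' "$b64" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Refuse a value that could break out of the Nix string literal it is
# interpolated into: '"' terminates the literal, '$' starts ${...}
# interpolation, '\' escapes.
is_safe_nix_string() {
  local bs='\'
  case "$1" in
    *'"'*|*'$'*|*"$bs"*) return 1 ;;
  esac
  return 0
}

# Emit the expression for nix-eval-jobs. Assumption of this example: a
# "path:<dir>?narHash=<hash>" ref is treated as locked by getFlake, unlike
# the git+file:// ref without a rev in the error above. The attribute path
# defaults to packages.x86_64-linux; adjust it to the flake being checked.
pure_eval_expr() {
  local flake_dir=$1 nar_hash=$2 attr_path=${3:-packages.x86_64-linux}
  is_safe_nix_string "$flake_dir" || { echo "refusing flake dir: $flake_dir" >&2; return 1; }
  is_safe_nix_string "$attr_path" || { echo "refusing attr path: $attr_path" >&2; return 1; }
  is_sri_sha256 "$nar_hash" || { echo "not an SRI sha256 narHash: $nar_hash" >&2; return 1; }
  cat <<EOF
let
  flake = builtins.getFlake "path:${flake_dir}?narHash=${nar_hash}";
in
  flake.outputs.${attr_path}
EOF
}

# narHash of the source tree as Nix computes it (assumed flag set; only
# called from main, since nix is not installed everywhere this runs).
flake_nar_hash() {
  nix hash path --sri --type sha256 "$1"
}

# Run the check in pure mode: the only thing the expression can reach
# outside the store is the pinned source tree.
run_pure_check() {
  local flake_dir=$1 nar_hash=$2
  nix-eval-jobs --option pure-eval true --expr "$(pure_eval_expr "$flake_dir" "$nar_hash")"
}

main() {
  local flake_dir nar_hash
  flake_dir=$(cd "${1:-.}" && pwd)
  nar_hash=$(flake_nar_hash "$flake_dir")
  echo "[+] flake_nar: $nar_hash" >&2
  run_pure_check "$flake_dir" "$nar_hash"
}

# Usage: ./pure-eval-check.sh /path/to/ghaf
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The narHash changes with every commit, so it is computed from the checked-out tree at run time rather than stored; if a malformed hash or a directory name containing quoting characters ever arrives (for example through a CI variable), the script refuses to build the expression instead of passing it on to Nix.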
