author: sterni <sternenseemann@systemli.org> 2022-10-01T20·52+0200
committer: sterni <sternenseemann@systemli.org> 2022-10-08T10·59+0000
commit: ca3bd5c7cabf517f23234501928912d55fef45b3
tree: 31faab978a41b5f837d24e0e429098692633cb35
parent: 70113407d2a30ab9ac71e933662f722f6dd1f149
feat(ops/pipelines): allow accessing the nix store r/5059
This is already allowed de facto, since there seems to be a special
exception for reading from derivation outputs. What is forbidden is
access to files imported to the store (even via builtins.toFile) and
derivation files. The latter is required for doing dependency analysis
on arbitrary derivations, unfortunately.

Access to the store allows kind of evil things, but it should
be (hopefully) hard to do this by accident, and accessing derivation
files is not impure, though it relies on store implementation internals
so to speak.

Change-Id: I33a7de83ef0ee20a7076690329d62f6caffffe5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6835
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
-rw-r--r-- ops/pipelines/static-pipeline.yaml | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/ops/pipelines/static-pipeline.yaml b/ops/pipelines/static-pipeline.yaml
index bd7491110c05..2dd7781febf1 100644
--- a/ops/pipelines/static-pipeline.yaml
+++ b/ops/pipelines/static-pipeline.yaml
@@ -52,7 +52,8 @@ steps:
         PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
       fi
 
-      nix-build --option restrict-eval true --include "depot=$${PWD}"\
+      nix-build --option restrict-eval true --include "depot=$${PWD}" \
+        --include "store=/nix/store" \
         --allowed-uris 'https://' \
         -A ops.pipelines.depot \
         -o pipeline --show-trace $$PIPELINE_ARGS
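Review bot: the added `--include "store=/nix/store"` line is the security-relevant part of this hunk, yet nothing in the YAML records why it is there; the rationale (derivation files must be readable for dependency analysis, and under `--option restrict-eval true` this include widens what the evaluation may read to the whole store) lives only in the commit message, which itself notes that store access "allows kind of evil things". Add a short comment directly above the `nix-build` invocation stating that `/nix/store` is exposed to restricted evaluation on purpose and for which use, so a later reader neither drops the include as redundant nor broadens the allowed paths further. Folding in the missing space before the backslash on the `depot=$${PWD}` line is fine.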