diff options
| author | sterni <sternenseemann@systemli.org> | 2022-10-01T20·52+0200 |
|---|---|---|
| committer | sterni <sternenseemann@systemli.org> | 2022-10-08T10·59+0000 |
| commit | ca3bd5c7cabf517f23234501928912d55fef45b3 (patch) | |
| tree | 31faab978a41b5f837d24e0e429098692633cb35 /ops/pipelines/static-pipeline.yaml | |
| parent | 70113407d2a30ab9ac71e933662f722f6dd1f149 (diff) | |
feat(ops/pipelines): allow accessing the nix store r/5059
This is already allowed de facto, since there seems to be a special exception for reading from derivation outputs. What is forbidden, is access to files imported to the store (even via builtins.toFile) and derivation files. The latter is required for doing dependency analysis on arbitrary derivations, unfortunately. Access to the store allows kind of evil things, but it should be (hopefully) hard to do this by accident, and accessing derivation files is not impure, though it relies on store implementation internals so to speak. Change-Id: I33a7de83ef0ee20a7076690329d62f6caffffe5f Reviewed-on: https://cl.tvl.fyi/c/depot/+/6835 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
Diffstat (limited to 'ops/pipelines/static-pipeline.yaml')
| -rw-r--r-- | ops/pipelines/static-pipeline.yaml | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ops/pipelines/static-pipeline.yaml b/ops/pipelines/static-pipeline.yaml index bd7491110c..2dd7781feb 100644 --- a/ops/pipelines/static-pipeline.yaml +++ b/ops/pipelines/static-pipeline.yaml @@ -52,7 +52,8 @@ steps: PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json" fi - nix-build --option restrict-eval true --include "depot=$${PWD}"\ + nix-build --option restrict-eval true --include "depot=$${PWD}" \ + --include "store=/nix/store" \ --allowed-uris 'https://' \ -A ops.pipelines.depot \ -o pipeline --show-trace $$PIPELINE_ARGS |