From ca3bd5c7cabf517f23234501928912d55fef45b3 Mon Sep 17 00:00:00 2001 From: sterni Date: Sat, 1 Oct 2022 22:52:12 +0200 Subject: feat(ops/pipelines): allow accessing the nix store This is already allowed de facto, since there seems to be a special exception for reading from derivation outputs. What is forbidden, is access to files imported to the store (even via builtins.toFile) and derivation files. The latter is required for doing dependency analysis on arbitrary derivations, unfortunately. Access to the store allows kind of evil things, but it should be (hopefully) hard to do this by accident, and accessing derivation files is not impure, though it relies on store implementation internals so to speak. Change-Id: I33a7de83ef0ee20a7076690329d62f6caffffe5f Reviewed-on: https://cl.tvl.fyi/c/depot/+/6835 Reviewed-by: tazjin Tested-by: BuildkiteCI Reviewed-by: grfn --- ops/pipelines/static-pipeline.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ops/pipelines') diff --git a/ops/pipelines/static-pipeline.yaml b/ops/pipelines/static-pipeline.yaml index bd7491110c..2dd7781feb 100644 --- a/ops/pipelines/static-pipeline.yaml +++ b/ops/pipelines/static-pipeline.yaml @@ -52,7 +52,8 @@ steps: PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json" fi - nix-build --option restrict-eval true --include "depot=$${PWD}"\ + nix-build --option restrict-eval true --include "depot=$${PWD}" \ + --include "store=/nix/store" \ --allowed-uris 'https://' \ -A ops.pipelines.depot \ -o pipeline --show-trace $$PIPELINE_ARGS -- cgit 1.4.1
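Review bot: The justification for widening restrict-eval lives only in the commit message; the hunk adds `--include "store=/nix/store" \` to the nix-build invocation in ops/pipelines/static-pipeline.yaml without any comment explaining why. A later reader auditing the pipeline will see restrict-eval being relaxed to the whole store and have no way to tell that this is deliberate (reading .drv files for dependency analysis, as the message says) rather than a leftover. Suggest a short YAML comment directly above the command, along the lines of `# store= include: ops.pipelines.depot needs to read derivation files under restrict-eval` with a pointer to this Change-Id, so the scope of what evaluation may read stays documented next to the flag that grants it. Minor: the first changed line only inserts a space before the trailing backslash (`"depot=$${PWD}" \`), an unrelated whitespace fix bundled into the same hunk; harmless, but worth mentioning in the message.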