feat(ops/pipelines): Evaluate depot pipeline in restricted-eval mode

Change-Id: Ic5b98a0777860b68dabb9a9b59e8c682236a71c7
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4884
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This commit is contained in:
Vincent Ambo 2022-05-26 14:31:18 +02:00 committed by tazjin
parent 46d71fbff8
commit 772f8f1b90

View file

@ -52,7 +52,10 @@ steps:
PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
fi
nix-build -A ops.pipelines.depot -o pipeline --show-trace $$PIPELINE_ARGS
nix-build --option restrict-eval true --include "depot=$${PWD}"\
--allowed-uris 'https://' \
-A ops.pipelines.depot \
-o pipeline --show-trace $$PIPELINE_ARGS
# Steps need to be uploaded in reverse order because pipeline
# upload prepends instead of appending.