feat(ops/pipelines): allow accessing the nix store

This is already allowed de facto, since there seems to be a special
exception for reading from derivation outputs. What is forbidden is
access to files imported to the store (even via builtins.toFile) and
derivation files. The latter is required for doing dependency analysis
on arbitrary derivations, unfortunately.

Access to the store allows kind of evil things, but it should
be (hopefully) hard to do this by accident, and accessing derivation
files is not impure, though it relies on store implementation internals
so to speak.

Change-Id: I33a7de83ef0ee20a7076690329d62f6caffffe5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6835
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
sterni 2022-10-01 22:52:12 +02:00
parent 70113407d2
commit ca3bd5c7ca


@ -52,7 +52,8 @@ steps:
PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
fi
nix-build --option restrict-eval true --include "depot=$${PWD}"\
nix-build --option restrict-eval true --include "depot=$${PWD}" \
--include "store=/nix/store" \
--allowed-uris 'https://' \
-A ops.pipelines.depot \
-o pipeline --show-trace $$PIPELINE_ARGS
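Review bot: the added `--include "store=/nix/store"` makes every path under the store readable to the restricted evaluation, which the commit message itself describes as allowing "kind of evil things" while being needed for dependency analysis on derivation files; that rationale lives only in the commit message, so consider a short comment directly above the `nix-build --option restrict-eval true` invocation stating why the store include is there, so a later edit does not drop it or copy the widened allowlist into another pipeline without the same justification.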