feat(ops/pipelines): allow accessing the nix store
This is already allowed de facto, since there seems to be a special exception for reading from derivation outputs. What is forbidden is access to files imported to the store (even via builtins.toFile) and derivation files. The latter is required for doing dependency analysis on arbitrary derivations, unfortunately.

Access to the store allows kind of evil things, but it should be (hopefully) hard to do this by accident, and accessing derivation files is not impure, though it relies on store implementation internals so to speak.

Change-Id: I33a7de83ef0ee20a7076690329d62f6caffffe5f
Reviewed-on: https://cl.tvl.fyi/c/depot/+/6835
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Reviewed-by: grfn <grfn@gws.fyi>
This commit is contained in:
parent
70113407d2
commit
ca3bd5c7ca
1 changed files with 2 additions and 1 deletions
|
@ -52,7 +52,8 @@ steps:
|
||||||
PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
|
PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
nix-build --option restrict-eval true --include "depot=$${PWD}"\
|
nix-build --option restrict-eval true --include "depot=$${PWD}" \
|
||||||
|
--include "store=/nix/store" \
|
||||||
--allowed-uris 'https://' \
|
--allowed-uris 'https://' \
|
||||||
-A ops.pipelines.depot \
|
-A ops.pipelines.depot \
|
||||||
-o pipeline --show-trace $$PIPELINE_ARGS
|
-o pipeline --show-trace $$PIPELINE_ARGS
|
||||||
|
|
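Review bot: the new `--include "store=/nix/store"` line has no comment explaining why an evaluation run under `--option restrict-eval true` now needs read access to the whole store; the rationale (reading derivation files for dependency analysis) and the caveat that store access "allows kind of evil things" exist only in the commit message, so a later edit could drop or widen the flag without that context. Suggest a short comment directly above it, along the lines of `# restrict-eval exception: .drv files are needed for dependency analysis`, so the exception and its scope stay visible in the pipeline file. Separately, the added space before the trailing backslash on the `--include "depot=$${PWD}"` line is an unrelated fix that the commit message does not mention.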