GitRepo::fetch(): Fall back to using libgit2 for fetching

edolstra · edolstra · commit 1201c720dc28 · 2025-08-20T16:41:16.000+02:00
In the builtin:fetch-tree sandbox, we don't have the `git` executable
available, so let's use libgit2 instead. This generally won't work
very well for SSH, but that currently doesn't work anyway because the
sandbox doesn't have access to SSH keys.
diff --git a/src/libfetchers/git-utils.cc b/src/libfetchers/git-utils.cc
@@ -10,6 +10,7 @@
 #include "nix/util/sync.hh"
 #include "nix/util/thread-pool.hh"
 #include "nix/util/pool.hh"
+#include "nix/util/executable-path.hh"
 
 #include <git2/attr.h>
 #include <git2/blob.h>
@@ -549,21 +550,44 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
         // that)
         //       then use code that was removed in this commit (see blame)
 
-        auto dir = this->path;
-        Strings gitArgs{"-C", dir.string(), "--git-dir", ".", "fetch", "--quiet", "--force"};
-        if (shallow)
-            append(gitArgs, {"--depth", "1"});
-        append(gitArgs, {std::string("--"), url, refspec});
-
-        runProgram(
-            RunOptions{
-                .program = "git",
-                .lookupPath = true,
-                // FIXME: git stderr messes up our progress indicator, so
-                // we're using --quiet for now. Should process its stderr.
-                .args = gitArgs,
-                .input = {},
-                .isInteractive = true});
+        if (ExecutablePath::load().findName("git")) {
+            auto dir = this->path;
+            Strings gitArgs{"-C", dir.string(), "--git-dir", ".", "fetch", "--quiet", "--force"};
+            if (shallow)
+                append(gitArgs, {"--depth", "1"});
+            append(gitArgs, {std::string("--"), url, refspec});
+
+            runProgram(
+                RunOptions{
+                    .program = "git",
+                    .lookupPath = true,
+                    // FIXME: git stderr messes up our progress indicator, so
+                    // we're using --quiet for now. Should process its stderr.
+                    .args = gitArgs,
+                    .input = {},
+                    .isInteractive = true});
+        } else {
+            // Fall back to using libgit2 for fetching. This does not
+            // support SSH very well.
+            Remote remote;
+
+            if (git_remote_create_anonymous(Setter(remote), *this, url.c_str()))
+                throw Error("cannot create Git remote '%s': %s", url, git_error_last()->message);
+
+            char * refspecs[] = {(char *) refspec.c_str()};
+            git_strarray refspecs2{.strings = refspecs, .count = 1};
+
+            git_fetch_options opts = GIT_FETCH_OPTIONS_INIT;
+            // FIXME: for some reason, shallow fetching over ssh barfs
+            // with "could not read from remote repository".
+            opts.depth = shallow && parseURL(url).scheme != "ssh" ? 1 : GIT_FETCH_DEPTH_FULL;
+            opts.callbacks.payload = &act;
+            opts.callbacks.sideband_progress = sidebandProgressCallback;
+            opts.callbacks.transfer_progress = transferProgressCallback;
+
+            if (git_remote_fetch(remote.get(), &refspecs2, &opts, nullptr))
+                throw Error("fetching '%s' from '%s': %s", refspec, url, git_error_last()->message);
+        }
     }
 
     void verifyCommit(const Hash & rev, const std::vector<fetchers::PublicKey> & publicKeys) override
diff --git a/tests/nixos/fetch-git/test-cases/build-time-fetch-tree/default.nix b/tests/nixos/fetch-git/test-cases/build-time-fetch-tree/default.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+{
+  description = "build-time fetching";
+  script = ''
+    import json
+
+    # add a file to the repo
+    client.succeed(f"""
+      echo ${config.name # to make the git tree and store path unique
+      } > {repo.path}/test-case \
+      && echo chiang-mai > {repo.path}/thailand \
+      && {repo.git} add test-case thailand \
+      && {repo.git} commit -m 'commit1' \
+      && {repo.git} push origin main
+    """)
+
+    # get the NAR hash
+    nar_hash = json.loads(client.succeed(f"""
+      nix flake prefetch --flake-registry "" git+{repo.remote} --json
+    """))['hash']
+
+    # construct the derivation
+    expr = f"""
+      derivation {{
+        name = "source";
+        builder = "builtin:fetch-tree";
+        system = "builtin";
+        __structuredAttrs = true;
+        input = {{
+          type = "git";
+          url = "{repo.remote}";
+          ref = "main";
+        }};
+        outputHashMode = "recursive";
+        outputHash = "{nar_hash}";
+      }}
+    """
+
+    # do the build-time fetch
+    out_path = client.succeed(f"""
+      nix build --print-out-paths --store /run/store --flake-registry "" --extra-experimental-features build-time-fetch-tree --expr '{expr}'
+    """).strip()
+
+    # check if the committed file is there
+    client.succeed(f"""
+      test -f /run/store/{out_path}/thailand
+    """)
+  '';
+}
