Build-time flake inputs #49
base: main
This builtin builder is similar to `builtins.fetchTree` but works at build time.
This is needed for builtin:fetch-tree to get access to it.
This only works for non-flake inputs. Example:

```nix
inputs.repo1 = {
  type = "github";
  owner = "DeterminateSystems";
  repo = "blabla";
  flake = false;
  buildTime = true;
};
```

`call-flake.nix` maps this to a builtin:fetch-tree derivation. Thus you can pass it to other derivations, and it will be fetched at build time rather than eval time. (It will still be fetched at eval time to create/update locks.)

Importing from such an input triggers IFD.
This reverts commit 94facc9.
The cache is now part of fetchers::Settings.
This keeps the tarball cache open across calls.
In the builtin:fetch-tree sandbox, we don't have the `git` executable available, so let's use libgit2 instead. This generally won't work very well for SSH, but that currently doesn't work anyway because the sandbox doesn't have access to SSH keys.
derivation { | ||
name = "source"; | ||
builder = "builtin:fetch-tree"; | ||
system = "builtin"; | ||
__structuredAttrs = true; | ||
input = node.locked; | ||
outputHashMode = "recursive"; | ||
outputHash = node.locked.narHash; | ||
} |
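Review bot: `outputHash = node.locked.narHash;` assumes every locked node carries a `narHash` attribute; where one is absent, evaluation stops with a generic missing-attribute error that does not name the input. Consider guarding the access (for example with `node.locked ? narHash`) and throwing a message that identifies the node. A one-line comment next to `__structuredAttrs = true;` saying that it is what allows the `input` attribute set to be handed to the builder would also help readers of `call-flake.nix`.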
My memory is that, because of the way derivations are added to the store by way of `registerOutputs`, they are scanned for references to the Nix store. Since the eval-time fetcher doesn't do that (and so the retrieved sources can contain paths to the Nix store), the build-time fetcher will reject some of the sources which the eval-time fetcher would accept (since fixed-output derivations are not allowed to contain references to the Nix store).
Is that correct or something to worry about?
Nix only scans for references that are part of the input closure of a derivation. It doesn't scan for arbitrary references. For the build-time fetcher, the input closure is empty, so no sources will ever be rejected by the build-time fetcher. This also means Nix won't find references that are "hard-coded" (e.g. part of the tarball), but that's the same for other types of derivations (e.g. `fetchurl` in Nixpkgs).
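The scanning behaviour discussed in the two comments above, as an added Python illustration (a simplified model, not code from this PR or from Nix): only the hash parts of paths in the input closure are searched for, so an empty closure can never produce a match. The function names and the sample store path are constructed for this example.

```python
# Added illustration (not Nix source code): simplified model of output reference scanning.
import re

STORE_DIR = "/nix/store"
# Nix's base-32 alphabet omits e, o, u and t; the hash part of a store path is 32 characters.
HASH_RE = re.compile(r"^[0-9abcdfghijklmnpqrsvwxyz]{32}$")


def hash_part(store_path: str) -> str:
    """Return the 32-character hash part of /nix/store/<hash>-<name>."""
    if not store_path.startswith(STORE_DIR + "/"):
        raise ValueError(f"not a store path: {store_path!r}")
    digest = store_path[len(STORE_DIR) + 1:].split("-", 1)[0]
    if not HASH_RE.match(digest):
        raise ValueError(f"not a store path: {store_path!r}")
    return digest


def scan_for_references(output: bytes, candidates: set[str]) -> set[str]:
    """Report only those candidate paths whose hash part occurs in the output bytes."""
    return {p for p in candidates if hash_part(p).encode() in output}


def check_fixed_output(output: bytes, input_closure: set[str]) -> None:
    """Reject a fixed-output result that refers to a path in its input closure."""
    found = scan_for_references(output, input_closure)
    if found:
        raise RuntimeError(f"fixed-output derivation refers to {sorted(found)}")


# Constructed sample: fetched source content with a hard-coded store path in it.
EMBEDDED = "/nix/store/0123456789abcdfghijklmnpqrsvwxyz-bash-5.2"
FETCHED_TREE = b"#!" + EMBEDDED.encode() + b"/bin/bash\necho hello\n"

if __name__ == "__main__":
    # Empty input closure (the build-time fetcher's case): nothing to look for, so accepted.
    check_fixed_output(FETCHED_TREE, set())
    print("empty closure:", scan_for_references(FETCHED_TREE, set()))
    # The same bytes are flagged only when the path is among the candidates.
    print("path in closure:", scan_for_references(FETCHED_TREE, {EMBEDDED}))
```

The hard-coded path in the sample stays invisible to the scan in the empty-closure case, which is the "won't find references that are hard-coded" consequence noted in the reply.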
Motivation

This PR does two things:

- It adds a new builtin derivation builder named `builtin:fetch-tree`, which is similar to `builtins.fetchTree` but works at build time rather than eval time.
- It allows flake inputs to be fetched at build time. Example:

  `call-flake.nix` maps this to a `builtin:fetch-tree` derivation. Thus you can pass it to other derivations, and it will be fetched at build time rather than eval time. (It will still be fetched at eval time to create/update locks.)

  Inputs like this can be passed to derivations as usual, e.g.

  Note that trying to access them at evaluation time (e.g. `import repo1`) will trigger import-from-derivation behaviour, i.e. it will cause a build during evaluation.

Context
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.