Merge remote-tracking branch 'origin/master' into nix-copy-gc

tests/functional/binary-cache.sh

@@ -238,7 +238,7 @@ clearCache
 # preserve quotes variables in the single-quoted string
 # shellcheck disable=SC2016
 outPath=$(nix-build --no-out-link -E '
-  with import ./config.nix;
+  with import '"${config_nix}"';
   mkDerivation {
     name = "nar-listing";
     buildCommand = "mkdir $out; echo foo > $out/bar; ln -s xyzzy $out/link";
@@ -258,7 +258,7 @@ clearCache
 # preserve quotes variables in the single-quoted string
 # shellcheck disable=SC2016
 outPath=$(nix-build --no-out-link -E '
-  with import ./config.nix;
+  with import '"${config_nix}"';
   mkDerivation {
     name = "debug-info";
     buildCommand = "mkdir -p $out/lib/debug/.build-id/02; echo foo > $out/lib/debug/.build-id/02/623eda209c26a59b1a8638ff7752f6b945c26b.debug";
@@ -276,7 +276,7 @@ diff -u \
 # preserve quotes variables in the single-quoted string
 # shellcheck disable=SC2016
 expr='
-  with import ./config.nix;
+  with import '"${config_nix}"';
   mkDerivation {
     name = "multi-output";
     buildCommand = "mkdir -p $out; echo foo > $doc; echo $doc > $out/docref";

tests/functional/build-hook-ca-fixed.nix

@@ -1,6 +1,6 @@
 { busybox }:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
 

tests/functional/build-hook.nix

@@ -1,6 +1,6 @@
 { busybox, contentAddressed ? false }:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
 

tests/functional/build.sh

@@ -84,6 +84,7 @@ expectStderr 1 nix build --expr '""' --no-link \
   | grepQuiet "has 0 entries in its context. It should only have exactly one entry"
 
 # Too much string context
+# shellcheck disable=SC2016 # The ${} in this is Nix, not shell
 expectStderr 1 nix build --impure --expr 'with (import ./multiple-outputs.nix).e.a_a; "${drvPath}${outPath}"' --no-link \
   | grepQuiet "has 2 entries in its context. It should only have exactly one entry"
 
@@ -160,7 +161,7 @@ printf "%s\n" "$drv^*" | nix build --no-link --stdin --json | jq --exit-status '
 out="$(nix build -f fod-failing.nix -L 2>&1)" && status=0 || status=$?
 test "$status" = 1
 # one "hash mismatch" error, one "build of ... failed"
-test "$(<<<"$out" grep -E '^error:' | wc -l)" = 2
+test "$(<<<"$out" grep -cE '^error:')" = 2
 <<<"$out" grepQuiet -E "hash mismatch in fixed-output derivation '.*-x1\\.drv'"
 <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x3\\.drv'"
 <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x2\\.drv'"
@@ -169,7 +170,7 @@ test "$(<<<"$out" grep -E '^error:' | wc -l)" = 2
 out="$(nix build -f fod-failing.nix -L x1 x2 x3 --keep-going 2>&1)" && status=0 || status=$?
 test "$status" = 1
 # three "hash mismatch" errors - for each failing fod, one "build of ... failed"
-test "$(<<<"$out" grep -E '^error:' | wc -l)" = 4
+test "$(<<<"$out" grep -cE '^error:')" = 4
 <<<"$out" grepQuiet -E "hash mismatch in fixed-output derivation '.*-x1\\.drv'"
 <<<"$out" grepQuiet -E "hash mismatch in fixed-output derivation '.*-x3\\.drv'"
 <<<"$out" grepQuiet -E "hash mismatch in fixed-output derivation '.*-x2\\.drv'"
@@ -177,13 +178,13 @@ test "$(<<<"$out" grep -E '^error:' | wc -l)" = 4
 
 out="$(nix build -f fod-failing.nix -L x4 2>&1)" && status=0 || status=$?
 test "$status" = 1
-test "$(<<<"$out" grep -E '^error:' | wc -l)" = 2
+test "$(<<<"$out" grep -cE '^error:')" = 2
 <<<"$out" grepQuiet -E "error: 1 dependencies of derivation '.*-x4\\.drv' failed to build"
 <<<"$out" grepQuiet -E "hash mismatch in fixed-output derivation '.*-x2\\.drv'"
 
 out="$(nix build -f fod-failing.nix -L x4 --keep-going 2>&1)" && status=0 || status=$?
 test "$status" = 1
-test "$(<<<"$out" grep -E '^error:' | wc -l)" = 3
+test "$(<<<"$out" grep -cE '^error:')" = 3
 <<<"$out" grepQuiet -E "error: 2 dependencies of derivation '.*-x4\\.drv' failed to build"
 <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x3\\.drv'"
 <<<"$out" grepQuiet -vE "hash mismatch in fixed-output derivation '.*-x2\\.drv'"

tests/functional/ca/content-addressed.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/ca/config.nix";
 
 let mkCADerivation = args: mkDerivation ({
     __contentAddressed = true;

tests/functional/ca/derivation-json.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-#
+
 source common.sh
 
 export NIX_TESTS_CA_BY_DEFAULT=1

tests/functional/ca/duplicate-realisation-in-closure.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-source ./common.sh
+source common.sh
 
 requireDaemonNewerThan "2.4pre20210625"
 

tests/functional/ca/import-from-derivation.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/env bash
+
 source common.sh
 
 export NIX_TESTS_CA_BY_DEFAULT=1

tests/functional/ca/meson.build

@@ -29,5 +29,5 @@ suites += {
     'substitute.sh',
     'why-depends.sh',
   ],
-  'workdir': meson.current_build_dir(),
+  'workdir': meson.current_source_dir(),
 }

tests/functional/ca/new-build-cmd.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/env bash
+
 source common.sh
 
 export NIX_TESTS_CA_BY_DEFAULT=1

tests/functional/ca/nix-run.sh

@@ -2,6 +2,11 @@
 
 source common.sh
 
-FLAKE_PATH=path:$PWD
+flakeDir="$TEST_HOME/flake"
+mkdir -p "${flakeDir}"
+cp flake.nix "${_NIX_TEST_BUILD_DIR}/ca/config.nix" content-addressed.nix "${flakeDir}"
 
-nix run --no-write-lock-file "$FLAKE_PATH#runnable"
+# `config.nix` cannot be gotten via build dir / env var (runs afoul pure eval). Instead get from flake.
+removeBuildDirRef "$flakeDir"/*.nix
+
+nix run --no-write-lock-file "path:${flakeDir}#runnable"

tests/functional/ca/nix-shell.sh

@@ -5,4 +5,3 @@ source common.sh
 CONTENT_ADDRESSED=true
 cd ..
 source ./nix-shell.sh
-

tests/functional/ca/nondeterministic.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/ca/config.nix";
 
 let mkCADerivation = args: mkDerivation ({
     __contentAddressed = true;

tests/functional/ca/racy.nix

@@ -2,7 +2,7 @@
 # build it at once.
 
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/ca/config.nix";
 
 mkDerivation {
   name = "simple";

tests/functional/ca/repl.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/env bash
+
 source common.sh
 
 export NIX_TESTS_CA_BY_DEFAULT=1

tests/functional/ca/why-depends.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/env bash
+
 source common.sh
 
 export NIX_TESTS_CA_BY_DEFAULT=1

tests/functional/check-refs.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
 

tests/functional/check-reqs.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
   dep1 = mkDerivation {

tests/functional/check.nix

@@ -1,6 +1,6 @@
 {checkBuildId ? 0}:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 {
   nondeterministic = mkDerivation {

tests/functional/check.sh

@@ -7,9 +7,9 @@ buggyNeedLocalStore "see #4813"
 
 checkBuildTempDirRemoved ()
 {
-    buildDir=$(sed -n 's/CHECK_TMPDIR=//p' $1 | head -1)
+    buildDir=$(sed -n 's/CHECK_TMPDIR=//p' "$1" | head -1)
     checkBuildIdFile=${buildDir}/checkBuildId
-    [[ ! -f $checkBuildIdFile ]] || ! grep $checkBuildId $checkBuildIdFile
+    [[ ! -f $checkBuildIdFile ]] || ! grep "$checkBuildId" "$checkBuildIdFile"
 }
 
 # written to build temp directories to verify created by this instance
@@ -23,20 +23,20 @@ nix-build dependencies.nix --no-out-link
 nix-build dependencies.nix --no-out-link --check
 
 # Build failure exit codes (100, 104, etc.) are from
-# doc/manual/src/command-ref/status-build-failure.md
+# doc/manual/source/command-ref/status-build-failure.md
 
 # check for dangling temporary build directories
 # only retain if build fails and --keep-failed is specified, or...
 # ...build is non-deterministic and --check and --keep-failed are both specified
-nix-build check.nix -A failed --argstr checkBuildId $checkBuildId \
-    --no-out-link 2> $TEST_ROOT/log || status=$?
+nix-build check.nix -A failed --argstr checkBuildId "$checkBuildId" \
+    --no-out-link 2> "$TEST_ROOT/log" || status=$?
 [ "$status" = "100" ]
-checkBuildTempDirRemoved $TEST_ROOT/log
+checkBuildTempDirRemoved "$TEST_ROOT/log"
 
-nix-build check.nix -A failed --argstr checkBuildId $checkBuildId \
-    --no-out-link --keep-failed 2> $TEST_ROOT/log || status=$?
+nix-build check.nix -A failed --argstr checkBuildId "$checkBuildId" \
+    --no-out-link --keep-failed 2> "$TEST_ROOT/log" || status=$?
 [ "$status" = "100" ]
-if checkBuildTempDirRemoved $TEST_ROOT/log; then false; fi
+if checkBuildTempDirRemoved "$TEST_ROOT/log"; then false; fi
 
 test_custom_build_dir() {
   local customBuildDir="$TEST_ROOT/custom-build-dir"
@@ -44,42 +44,46 @@ test_custom_build_dir() {
   # Nix does not create the parent directories, and perhaps it shouldn't try to
   # decide the permissions of build-dir.
   mkdir "$customBuildDir"
-  nix-build check.nix -A failed --argstr checkBuildId $checkBuildId \
-      --no-out-link --keep-failed --option build-dir "$TEST_ROOT/custom-build-dir" 2> $TEST_ROOT/log || status=$?
+  nix-build check.nix -A failed --argstr checkBuildId "$checkBuildId" \
+      --no-out-link --keep-failed --option build-dir "$TEST_ROOT/custom-build-dir" 2> "$TEST_ROOT/log" || status=$?
   [ "$status" = "100" ]
   [[ 1 == "$(count "$customBuildDir/nix-build-"*)" ]]
-  local buildDir="$customBuildDir/nix-build-"*""
-  if [[ -e $buildDir/build ]]; then
-      buildDir=$buildDir/build
+  local buildDir=("$customBuildDir/nix-build-"*)
+  if [[ "${#buildDir[@]}" -ne 1 ]]; then
+    echo "expected one nix-build-* directory, got: ${buildDir[*]}" >&2
+    exit 1
   fi
-  grep $checkBuildId $buildDir/checkBuildId
+  if [[ -e ${buildDir[*]}/build ]]; then
+      buildDir[0]="${buildDir[*]}/build"
+  fi
+  grep "$checkBuildId" "${buildDir[*]}/checkBuildId"
 }
 test_custom_build_dir
 
-nix-build check.nix -A deterministic --argstr checkBuildId $checkBuildId \
-    --no-out-link 2> $TEST_ROOT/log
-checkBuildTempDirRemoved $TEST_ROOT/log
+nix-build check.nix -A deterministic --argstr checkBuildId "$checkBuildId" \
+    --no-out-link 2> "$TEST_ROOT/log"
+checkBuildTempDirRemoved "$TEST_ROOT/log"
 
-nix-build check.nix -A deterministic --argstr checkBuildId $checkBuildId \
-    --no-out-link --check --keep-failed 2> $TEST_ROOT/log
-if grepQuiet 'may not be deterministic' $TEST_ROOT/log; then false; fi
-checkBuildTempDirRemoved $TEST_ROOT/log
+nix-build check.nix -A deterministic --argstr checkBuildId "$checkBuildId" \
+    --no-out-link --check --keep-failed 2> "$TEST_ROOT/log"
+if grepQuiet 'may not be deterministic' "$TEST_ROOT/log"; then false; fi
+checkBuildTempDirRemoved "$TEST_ROOT/log"
 
-nix-build check.nix -A nondeterministic --argstr checkBuildId $checkBuildId \
-    --no-out-link 2> $TEST_ROOT/log
-checkBuildTempDirRemoved $TEST_ROOT/log
+nix-build check.nix -A nondeterministic --argstr checkBuildId "$checkBuildId" \
+    --no-out-link 2> "$TEST_ROOT/log"
+checkBuildTempDirRemoved "$TEST_ROOT/log"
 
-nix-build check.nix -A nondeterministic --argstr checkBuildId $checkBuildId \
-    --no-out-link --check 2> $TEST_ROOT/log || status=$?
-grep 'may not be deterministic' $TEST_ROOT/log
+nix-build check.nix -A nondeterministic --argstr checkBuildId "$checkBuildId" \
+    --no-out-link --check 2> "$TEST_ROOT/log" || status=$?
+grep 'may not be deterministic' "$TEST_ROOT/log"
 [ "$status" = "104" ]
-checkBuildTempDirRemoved $TEST_ROOT/log
+checkBuildTempDirRemoved "$TEST_ROOT/log"
 
-nix-build check.nix -A nondeterministic --argstr checkBuildId $checkBuildId \
-    --no-out-link --check --keep-failed 2> $TEST_ROOT/log || status=$?
-grep 'may not be deterministic' $TEST_ROOT/log
+nix-build check.nix -A nondeterministic --argstr checkBuildId "$checkBuildId" \
+    --no-out-link --check --keep-failed 2> "$TEST_ROOT/log" || status=$?
+grep 'may not be deterministic' "$TEST_ROOT/log"
 [ "$status" = "104" ]
-if checkBuildTempDirRemoved $TEST_ROOT/log; then false; fi
+if checkBuildTempDirRemoved "$TEST_ROOT/log"; then false; fi
 
 TODO_NixOS
 
@@ -87,24 +91,24 @@ clearStore
 
 path=$(nix-build check.nix -A fetchurl --no-out-link)
 
-chmod +w $path
-echo foo > $path
-chmod -w $path
+chmod +w "$path"
+echo foo > "$path"
+chmod -w "$path"
 
 nix-build check.nix -A fetchurl --no-out-link --check
 # Note: "check" doesn't repair anything, it just compares to the hash stored in the database.
-[[ $(cat $path) = foo ]]
+[[ $(cat "$path") = foo ]]
 
 nix-build check.nix -A fetchurl --no-out-link --repair
-[[ $(cat $path) != foo ]]
+[[ $(cat "$path") != foo ]]
 
-echo 'Hello World' > $TEST_ROOT/dummy
+echo 'Hello World' > "$TEST_ROOT/dummy"
 nix-build check.nix -A hashmismatch --no-out-link || status=$?
 [ "$status" = "102" ]
 
-echo -n > $TEST_ROOT/dummy
+echo -n > "$TEST_ROOT/dummy"
 nix-build check.nix -A hashmismatch --no-out-link
-echo 'Hello World' > $TEST_ROOT/dummy
+echo 'Hello World' > "$TEST_ROOT/dummy"
 
 nix-build check.nix -A hashmismatch --no-out-link --check || status=$?
 [ "$status" = "102" ]

tests/functional/chroot-store.sh

@@ -37,7 +37,10 @@ if canUseSandbox; then
 }
 EOF
 
-    cp simple.nix shell.nix simple.builder.sh config.nix "$flakeDir/"
+    cp simple.nix shell.nix simple.builder.sh "${config_nix}" "$flakeDir/"
+
+    # `config.nix` cannot be gotten via build dir / env var (runs afoul pure eval). Instead get from flake.
+    removeBuildDirRef "$flakeDir"/*.nix
 
     TODO_NixOS
 

tests/functional/common/functions.sh

@@ -28,7 +28,7 @@ clearProfiles() {
 
 # Clear the store, but do not fail if we're in an environment where we can't.
 # This allows the test to run in a NixOS test environment, where we use the system store.
-# See doc/manual/src/contributing/testing.md / Running functional tests on NixOS.
+# See doc/manual/source/contributing/testing.md / Running functional tests on NixOS.
 clearStoreIfPossible() {
     if isTestOnNixOS; then
         echo "clearStoreIfPossible: Not clearing store, because we're on NixOS. Moving on."
@@ -343,6 +343,15 @@ count() {
   echo $#
 }
 
+# Sometimes, e.g. due to pure eval, restricted eval, or sandboxing, we
+# cannot look up `config.nix` in the build dir, and have to instead get
+# it from the current directory. (In this case, the current directly
+# will be somewhere in `$TEST_ROOT`.)
+removeBuildDirRef() {
+  # shellcheck disable=SC2016 # The ${} in this is Nix, not shell
+  sed -i -e 's,"${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/[^ ]*config.nix",./config.nix,' "$@"
+}
+
 trap onError ERR
 
 fi # COMMON_FUNCTIONS_SH_SOURCED

tests/functional/common/paths.sh

@@ -8,11 +8,10 @@ COMMON_PATHS_SH_SOURCED=1
 
 commonDir="$(readlink -f "$(dirname "${BASH_SOURCE[0]-$0}")")"
 
-# Since these are generated files
-# shellcheck disable=SC1091
+# Just for `isTestOnNixOS`
 source "$commonDir/functions.sh"
 # shellcheck disable=SC1091
-source "$commonDir/subst-vars.sh"
+source "${_NIX_TEST_BUILD_DIR}/common/subst-vars.sh"
 # Make sure shellcheck knows this will be defined by the above generated snippet
 : "${bash?}" "${bindir?}"
 

tests/functional/common/vars.sh

@@ -6,11 +6,14 @@ if [[ -z "${COMMON_VARS_SH_SOURCED-}" ]]; then
 
 COMMON_VARS_SH_SOURCED=1
 
+_NIX_TEST_SOURCE_DIR=$(realpath "${_NIX_TEST_SOURCE_DIR}")
+_NIX_TEST_BUILD_DIR=$(realpath "${_NIX_TEST_BUILD_DIR}")
+
 commonDir="$(readlink -f "$(dirname "${BASH_SOURCE[0]-$0}")")"
 
 # Since this is a generated file
 # shellcheck disable=SC1091
-source "$commonDir/subst-vars.sh"
+source "${_NIX_TEST_BUILD_DIR}/common/subst-vars.sh"
 # Make sure shellcheck knows all these will be defined by the above generated snippet
 : "${bindir?} ${coreutils?} ${dot?} ${SHELL?} ${busybox?} ${version?} ${system?}"
 export coreutils dot busybox version system
@@ -69,4 +72,9 @@ if [[ $(uname) == Linux ]] && [[ -L /proc/self/ns/user ]] && unshare --user true
     _canUseSandbox=1
 fi
 
+# Very common, shorthand helps
+# Used in other files
+# shellcheck disable=SC2034
+config_nix="${_NIX_TEST_BUILD_DIR}/config.nix"
+
 fi # COMMON_VARS_SH_SOURCED

tests/functional/dependencies.nix

@@ -1,5 +1,5 @@
 { hashInvalidator ? "" }:
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let {
 

tests/functional/dyn-drv/meson.build

@@ -15,5 +15,5 @@ suites += {
     'dep-built-drv.sh',
     'old-daemon-error-hack.sh',
   ],
-  'workdir': meson.current_build_dir(),
+  'workdir': meson.current_source_dir(),
 }

tests/functional/dyn-drv/old-daemon-error-hack.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/dyn-drv/config.nix";
 
 # A simple content-addressed derivation.
 # The derivation can be arbitrarily modified by passing a different `seed`,

tests/functional/dyn-drv/recursive-mod-json.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/dyn-drv/config.nix";
 
 let innerName = "foo"; in
 

tests/functional/dyn-drv/text-hashed-output.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/dyn-drv/config.nix";
 
 # A simple content-addressed derivation.
 # The derivation can be arbitrarily modified by passing a different `seed`,

tests/functional/eval.sh

@@ -35,17 +35,17 @@ nix-instantiate --eval -E 'assert 1 + 2 == 3; true'
 [[ "$(nix-instantiate --eval -E '{"assert"=1;bar=2;}')" == '{ "assert" = 1; bar = 2; }' ]]
 
 # Check that symlink cycles don't cause a hang.
-ln -sfn cycle.nix $TEST_ROOT/cycle.nix
-(! nix eval --file $TEST_ROOT/cycle.nix)
+ln -sfn cycle.nix "$TEST_ROOT/cycle.nix"
+(! nix eval --file "$TEST_ROOT/cycle.nix")
 
 # Check that relative symlinks are resolved correctly.
-mkdir -p $TEST_ROOT/xyzzy $TEST_ROOT/foo
-ln -sfn ../xyzzy $TEST_ROOT/foo/bar
-printf 123 > $TEST_ROOT/xyzzy/default.nix
+mkdir -p "$TEST_ROOT/xyzzy" "$TEST_ROOT/foo"
+ln -sfn ../xyzzy "$TEST_ROOT/foo/bar"
+printf 123 > "$TEST_ROOT/xyzzy/default.nix"
 [[ $(nix eval --impure --expr "import $TEST_ROOT/foo/bar") = 123 ]]
 
 # Test --arg-from-file.
-[[ "$(nix eval --raw --arg-from-file foo config.nix --expr '{ foo }: { inherit foo; }' foo)" = "$(cat config.nix)" ]]
+[[ "$(nix eval --raw --arg-from-file foo "${config_nix}" --expr '{ foo }: { inherit foo; }' foo)" = "$(cat "${config_nix}")" ]]
 
 # Check that special(-ish) files are drained.
 if [[ -e /proc/version ]]; then
@@ -57,7 +57,7 @@ fi
 
 # Test that unknown settings are warned about
 out="$(expectStderr 0 nix eval --option foobar baz --expr '""' --raw)"
-[[ "$(echo "$out" | grep foobar | wc -l)" = 1 ]]
+[[ "$(echo "$out" | grep -c foobar)" = 1 ]]
 
 # Test flag alias
 out="$(nix eval --expr '{}' --build-cores 1)"

tests/functional/export-graph.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
 

tests/functional/extra-sandbox-profile.nix

@@ -1,6 +1,6 @@
 { destFile, seed }:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "simple";

tests/functional/failing.nix

@@ -1,5 +1,5 @@
 { busybox }:
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 let
 
   mkDerivation = args:

tests/functional/fetchPath.sh

@@ -6,3 +6,6 @@ touch "$TEST_ROOT/foo" -t 202211111111
 # We only check whether 2022-11-1* **:**:** is the last modified date since
 # `lastModified` is transformed into UTC in `builtins.fetchTarball`.
 [[ "$(nix eval --impure --raw --expr "(builtins.fetchTree \"path://$TEST_ROOT/foo\").lastModifiedDate")" =~ 2022111.* ]]
+
+# Check that we can override lastModified for "path:" inputs.
+[[ "$(nix eval --impure --expr "(builtins.fetchTree { type = \"path\"; path = \"$TEST_ROOT/foo\"; lastModified = 123; }).lastModified")" = 123 ]]

tests/functional/fetchurl.sh

@@ -9,12 +9,12 @@ clearStore
 # Test fetching a flat file.
 hash=$(nix-hash --flat --type sha256 ./fetchurl.sh)
 
-outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link)
+outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url "file://$(pwd)/fetchurl.sh" --argstr sha256 "$hash" --no-out-link)
 
-cmp $outPath fetchurl.sh
+cmp "$outPath" fetchurl.sh
 
 # Do not re-fetch paths already present.
-outPath2=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file:///does-not-exist/must-remain-unused/fetchurl.sh --argstr sha256 $hash --no-out-link)
+outPath2=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file:///does-not-exist/must-remain-unused/fetchurl.sh --argstr sha256 "$hash" --no-out-link)
 test "$outPath" == "$outPath2"
 
 # Now using a base-64 hash.
@@ -22,9 +22,9 @@ clearStore
 
 hash=$(nix hash file --type sha512 --base64 ./fetchurl.sh)
 
-outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link)
+outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url "file://$(pwd)/fetchurl.sh" --argstr sha512 "$hash" --no-out-link)
 
-cmp $outPath fetchurl.sh
+cmp "$outPath" fetchurl.sh
 
 # Now using an SRI hash.
 clearStore
@@ -33,58 +33,58 @@ hash=$(nix hash file ./fetchurl.sh)
 
 [[ $hash =~ ^sha256- ]]
 
-outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr hash $hash --no-out-link)
+outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url "file://$(pwd)/fetchurl.sh" --argstr hash "$hash" --no-out-link)
 
-cmp $outPath fetchurl.sh
+cmp "$outPath" fetchurl.sh
 
 # Test that we can substitute from a different store dir.
 clearStore
 
-other_store=file://$TEST_ROOT/other_store?store=/fnord/store
+other_store="file://$TEST_ROOT/other_store?store=/fnord/store"
 
 hash=$(nix hash file --type sha256 --base16 ./fetchurl.sh)
 
-storePath=$(nix --store $other_store store add-file ./fetchurl.sh)
+nix --store "$other_store" store add-file ./fetchurl.sh
 
-outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)
+outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 "$hash" --no-out-link --substituters "$other_store")
 
 # Test hashed mirrors with an SRI hash.
-nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix hash to-sri --type sha256 $hash) \
-          --no-out-link --substituters $other_store
+nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash "$(nix hash to-sri --type sha256 "$hash")" \
+          --no-out-link --substituters "$other_store"
 
 # Test unpacking a NAR.
-rm -rf $TEST_ROOT/archive
-mkdir -p $TEST_ROOT/archive
-cp ./fetchurl.sh $TEST_ROOT/archive
-chmod +x $TEST_ROOT/archive/fetchurl.sh
-ln -s foo $TEST_ROOT/archive/symlink
-nar=$TEST_ROOT/archive.nar
-nix-store --dump $TEST_ROOT/archive > $nar
+rm -rf "$TEST_ROOT/archive"
+mkdir -p "$TEST_ROOT/archive"
+cp ./fetchurl.sh "$TEST_ROOT/archive"
+chmod +x "$TEST_ROOT/archive/fetchurl.sh"
+ln -s foo "$TEST_ROOT/archive/symlink"
+nar="$TEST_ROOT/archive.nar"
+nix-store --dump "$TEST_ROOT/archive" > "$nar"
 
-hash=$(nix-hash --flat --type sha256 $nar)
+hash=$(nix-hash --flat --type sha256 "$nar")
 
-outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file://$nar --argstr sha256 $hash \
+outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url "file://$nar" --argstr sha256 "$hash" \
           --arg unpack true --argstr name xyzzy --no-out-link)
 
-echo $outPath | grepQuiet 'xyzzy'
+echo "$outPath" | grepQuiet 'xyzzy'
 
-test -x $outPath/fetchurl.sh
-test -L $outPath/symlink
+test -x "$outPath/fetchurl.sh"
+test -L "$outPath/symlink"
 
-nix-store --delete $outPath
+nix-store --delete "$outPath"
 
 # Test unpacking a compressed NAR.
-narxz=$TEST_ROOT/archive.nar.xz
-rm -f $narxz
-xz --keep $nar
-outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url file://$narxz --argstr sha256 $hash \
+narxz="$TEST_ROOT/archive.nar.xz"
+rm -f "$narxz"
+xz --keep "$nar"
+outPath=$(nix-build -vvvvv --expr 'import <nix/fetchurl.nix>' --argstr url "file://$narxz" --argstr sha256 "$hash" \
           --arg unpack true --argstr name xyzzy --no-out-link)
 
-test -x $outPath/fetchurl.sh
-test -L $outPath/symlink
+test -x "$outPath/fetchurl.sh"
+test -L "$outPath/symlink"
 
 # Make sure that *not* passing a outputHash fails.
 requireDaemonNewerThan "2.20"
 expected=100
 if [[ -v NIX_DAEMON_PACKAGE ]]; then expected=1; fi # work around the daemon not returning a 100 status correctly
-expectStderr $expected nix-build --expr '{ url }: builtins.derivation { name = "nix-cache-info"; system = "x86_64-linux"; builder = "builtin:fetchurl"; inherit url; outputHashMode = "flat"; }' --argstr url file://$narxz 2>&1 | grep 'must be a fixed-output or impure derivation'
+expectStderr $expected nix-build --expr '{ url }: builtins.derivation { name = "nix-cache-info"; system = "x86_64-linux"; builder = "builtin:fetchurl"; inherit url; outputHashMode = "flat"; }' --argstr url "file://$narxz" 2>&1 | grep 'must be a fixed-output or impure derivation'

tests/functional/filter-source.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "filter";

tests/functional/fixed.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
 

tests/functional/flakes/build-paths.sh

@@ -79,7 +79,7 @@ cat > "$flake1Dir"/flake.nix <<EOF
 }
 EOF
 
-cp ../simple.nix ../simple.builder.sh ../config.nix "$flake1Dir/"
+cp ../simple.nix ../simple.builder.sh "${config_nix}" "$flake1Dir/"
 
 echo bar > "$flake1Dir/foo"
 

tests/functional/flakes/bundle.sh

@@ -2,7 +2,10 @@
 
 source common.sh
 
-cp ../simple.nix ../simple.builder.sh ../config.nix "$TEST_HOME"
+cp ../simple.nix ../simple.builder.sh "${config_nix}" "$TEST_HOME"
+
+# `config.nix` cannot be gotten via build dir / env var (runs afoul pure eval). Instead get from flake.
+removeBuildDirRef "$TEST_HOME"/*.nix
 
 cd "$TEST_HOME"
 

tests/functional/flakes/common.sh

@@ -1,10 +1,13 @@
+# shellcheck shell=bash
+
 source ../common.sh
 
+# shellcheck disable=SC2034 # this variable is used by tests that source this file
 registry=$TEST_ROOT/registry.json
 
 writeSimpleFlake() {
     local flakeDir="$1"
-    cat > $flakeDir/flake.nix <<EOF
+    cat > "$flakeDir/flake.nix" <<EOF
 {
   description = "Bla bla";
 
@@ -31,19 +34,22 @@ writeSimpleFlake() {
 }
 EOF
 
-    cp ../simple.nix ../shell.nix ../simple.builder.sh ../config.nix $flakeDir/
+    cp ../simple.nix ../shell.nix ../simple.builder.sh "${config_nix}" "$flakeDir/"
+
+    # `config.nix` cannot be gotten via build dir / env var (runs afoul pure eval). Instead get from flake.
+    removeBuildDirRef "$flakeDir"/*.nix
 }
 
 createSimpleGitFlake() {
     local flakeDir="$1"
-    writeSimpleFlake $flakeDir
-    git -C $flakeDir add flake.nix simple.nix shell.nix simple.builder.sh config.nix
-    git -C $flakeDir commit -m 'Initial'
+    writeSimpleFlake "$flakeDir"
+    git -C "$flakeDir" add flake.nix simple.nix shell.nix simple.builder.sh config.nix
+    git -C "$flakeDir" commit -m 'Initial'
 }
 
 writeDependentFlake() {
     local flakeDir="$1"
-    cat > $flakeDir/flake.nix <<EOF
+    cat > "$flakeDir/flake.nix" <<EOF
 {
   outputs = { self, flake1 }: {
     packages.$system.default = flake1.packages.$system.default;
@@ -55,7 +61,7 @@ EOF
 
 writeTrivialFlake() {
     local flakeDir="$1"
-    cat > $flakeDir/flake.nix <<EOF
+    cat > "$flakeDir/flake.nix" <<EOF
 {
   outputs = { self }: {
     expr = 123;
@@ -71,6 +77,7 @@ createGitRepo() {
     rm -rf "$repo" "$repo".tmp
     mkdir -p "$repo"
 
+    # shellcheck disable=SC2086 # word splitting of extraArgs is intended
     git -C "$repo" init $extraArgs
     git -C "$repo" config user.email "foobar@example.com"
     git -C "$repo" config user.name "Foobar"

tests/functional/flakes/config.sh

@@ -2,7 +2,8 @@
 
 source common.sh
 
-cp ../simple.nix ../simple.builder.sh ../config.nix $TEST_HOME
+cp ../simple.nix ../simple.builder.sh "${config_nix}" $TEST_HOME
+removeBuildDirRef "$TEST_HOME/simple.nix"
 
 cd $TEST_HOME
 

tests/functional/flakes/develop.sh

@@ -8,7 +8,7 @@ clearStore
 rm -rf $TEST_HOME/.cache $TEST_HOME/.config $TEST_HOME/.local
 
 # Create flake under test.
-cp ../shell-hello.nix ../config.nix $TEST_HOME/
+cp ../shell-hello.nix "${config_nix}" $TEST_HOME/
 cat <<EOF >$TEST_HOME/flake.nix
 {
     inputs.nixpkgs.url = "$TEST_HOME/nixpkgs";
@@ -25,7 +25,11 @@ EOF
 
 # Create fake nixpkgs flake.
 mkdir -p $TEST_HOME/nixpkgs
-cp ../config.nix ../shell.nix $TEST_HOME/nixpkgs
+cp "${config_nix}" ../shell.nix $TEST_HOME/nixpkgs
+
+# `config.nix` cannot be gotten via build dir / env var (runs afoul pure eval). Instead get from flake.
+removeBuildDirRef "$TEST_HOME/nixpkgs"/*.nix
+
 cat <<EOF >$TEST_HOME/nixpkgs/flake.nix
 {
     outputs = {self}: {

tests/functional/flakes/eval-cache.sh

@@ -7,7 +7,7 @@ requireGit
 flake1Dir="$TEST_ROOT/eval-cache-flake"
 
 createGitRepo "$flake1Dir" ""
-cp ../simple.nix ../simple.builder.sh ../config.nix "$flake1Dir/"
+cp ../simple.nix ../simple.builder.sh "${config_nix}" "$flake1Dir/"
 git -C "$flake1Dir" add simple.nix simple.builder.sh config.nix
 git -C "$flake1Dir" commit -m "config.nix"
 

tests/functional/flakes/flakes.sh

@@ -390,7 +390,7 @@ cat > "$flake3Dir/flake.nix" <<EOF
 }
 EOF
 
-cp ../config.nix "$flake3Dir"
+cp "${config_nix}" "$flake3Dir"
 
 git -C "$flake3Dir" add flake.nix config.nix
 git -C "$flake3Dir" commit -m 'Add nonFlakeInputs'

tests/functional/flakes/meson.build

@@ -25,5 +25,5 @@ suites += {
     'show.sh',
     'dubious-query.sh',
   ],
-  'workdir': meson.current_build_dir(),
+  'workdir': meson.current_source_dir(),
 }

tests/functional/flakes/run.sh

@@ -6,7 +6,10 @@ TODO_NixOS
 
 clearStore
 rm -rf $TEST_HOME/.cache $TEST_HOME/.config $TEST_HOME/.local
-cp ../shell-hello.nix ../config.nix $TEST_HOME
+
+cp ../shell-hello.nix "${config_nix}" $TEST_HOME
+# `config.nix` cannot be gotten via build dir / env var (runs afoul pure eval). Instead get from flake.
+removeBuildDirRef "$TEST_HOME"/*.nix
 cd $TEST_HOME
 
 cat <<EOF > flake.nix

tests/functional/fmt.sh

@@ -7,7 +7,7 @@ TODO_NixOS # Provide a `shell` variable. Try not to `export` it, perhaps.
 clearStoreIfPossible
 rm -rf "$TEST_HOME"/.cache "$TEST_HOME"/.config "$TEST_HOME"/.local
 
-cp ./simple.nix ./simple.builder.sh ./fmt.simple.sh ./config.nix "$TEST_HOME"
+cp ./simple.nix ./simple.builder.sh ./fmt.simple.sh "${config_nix}" "$TEST_HOME"
 
 cd "$TEST_HOME"
 

tests/functional/fod-failing.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 rec {
   x1 = mkDerivation {
     name = "x1";

tests/functional/gc-auto.sh

@@ -23,7 +23,7 @@ fifoLock=$TEST_ROOT/fifoLock
 mkfifo "$fifoLock"
 
 expr=$(cat <<EOF
-with import ./config.nix; mkDerivation {
+with import ${config_nix}; mkDerivation {
   name = "gc-A";
   buildCommand = ''
     set -x
@@ -51,7 +51,7 @@ EOF
 )
 
 expr2=$(cat <<EOF
-with import ./config.nix; mkDerivation {
+with import ${config_nix}; mkDerivation {
   name = "gc-B";
   buildCommand = ''
     set -x

tests/functional/gc-concurrent.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 { lockFifo ? null }:
 

tests/functional/gc-non-blocking.sh

@@ -38,7 +38,7 @@ pid2=$!
 
 # Start a build. This should not be blocked by the GC in progress.
 outPath=$(nix-build --max-silent-time 60 -o "$TEST_ROOT/result" -E "
-  with import ./config.nix;
+  with import ${config_nix};
   mkDerivation {
     name = \"non-blocking\";
     buildCommand = \"set -x; test -e $running; mkdir \$out; echo > $fifo2\";

tests/functional/gc-runtime.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "gc-runtime";

tests/functional/gc.sh

@@ -11,46 +11,46 @@ outPath=$(nix-store -rvv "$drvPath")
 
 # Set a GC root.
 rm -f "$NIX_STATE_DIR/gcroots/foo"
-ln -sf $outPath "$NIX_STATE_DIR/gcroots/foo"
+ln -sf "$outPath" "$NIX_STATE_DIR/gcroots/foo"
 
-[ "$(nix-store -q --roots $outPath)" = "$NIX_STATE_DIR/gcroots/foo -> $outPath" ]
+[ "$(nix-store -q --roots "$outPath")" = "$NIX_STATE_DIR/gcroots/foo -> $outPath" ]
 
-nix-store --gc --print-roots | grep $outPath
-nix-store --gc --print-live | grep $outPath
-nix-store --gc --print-dead | grep $drvPath
-if nix-store --gc --print-dead | grep -E $outPath$; then false; fi
+nix-store --gc --print-roots | grep "$outPath"
+nix-store --gc --print-live | grep "$outPath"
+nix-store --gc --print-dead | grep "$drvPath"
+if nix-store --gc --print-dead | grep -E "$outPath"$; then false; fi
 
 nix-store --gc --print-dead
 
-inUse=$(readLink $outPath/reference-to-input-2)
-if nix-store --delete $inUse; then false; fi
-test -e $inUse
+inUse=$(readLink "$outPath/reference-to-input-2")
+if nix-store --delete "$inUse"; then false; fi
+test -e "$inUse"
 
-if nix-store --delete $outPath; then false; fi
-test -e $outPath
+if nix-store --delete "$outPath"; then false; fi
+test -e "$outPath"
 
-for i in $NIX_STORE_DIR/*; do
+for i in "$NIX_STORE_DIR"/*; do
     if [[ $i =~ /trash ]]; then continue; fi # compat with old daemon
-    touch $i.lock
-    touch $i.chroot
+    touch "$i.lock"
+    touch "$i.chroot"
 done
 
 nix-collect-garbage
 
 # Check that the root and its dependencies haven't been deleted.
-cat $outPath/foobar
-cat $outPath/reference-to-input-2/bar
+cat "$outPath/foobar"
+cat "$outPath/reference-to-input-2/bar"
 
 # Check that the derivation has been GC'd.
-if test -e $drvPath; then false; fi
+if test -e "$drvPath"; then false; fi
 
 rm "$NIX_STATE_DIR/gcroots/foo"
 
 nix-collect-garbage
 
 # Check that the output has been GC'd.
-if test -e $outPath/foobar; then false; fi
+if test -e "$outPath/foobar"; then false; fi
 
 # Check that the store is empty.
-rmdir $NIX_STORE_DIR/.links
-rmdir $NIX_STORE_DIR
+rmdir "$NIX_STORE_DIR/.links"
+rmdir "$NIX_STORE_DIR"

tests/functional/git-hashing/meson.build

@@ -4,5 +4,5 @@ suites += {
   'tests': [
     'simple.sh',
   ],
-  'workdir': meson.current_build_dir(),
+  'workdir': meson.current_source_dir(),
 }

tests/functional/help.sh

@@ -65,5 +65,6 @@ def recurse($prefix):
 }
 
 nix __dump-cli | subcommands | while IFS= read -r cmd; do
+    # shellcheck disable=SC2086 # word splitting of cmd is intended
     nix $cmd --help
 done

tests/functional/hermetic.nix

@@ -5,7 +5,7 @@
 , withFinalRefs ? false
 }:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
   contentAddressedByDefault = builtins.getEnv "NIX_TESTS_CA_BY_DEFAULT" == "1";

tests/functional/ifd.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 import (
   mkDerivation {
     name = "foo";

tests/functional/import-from-derivation.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
   bar = mkDerivation {

tests/functional/impure-derivations.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
 

tests/functional/impure-env.nix

@@ -1,6 +1,6 @@
 { var, value }:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "test";

tests/functional/lang.sh

@@ -37,12 +37,14 @@ nix-instantiate --eval -E 'let x = { repeating = x; tracing = builtins.trace x t
   2>&1 | grepQuiet -F 'trace: { repeating = «repeated»; tracing = «potential infinite recursion»; }'
 
 nix-instantiate --eval -E 'builtins.warn "Hello" 123' 2>&1 | grepQuiet 'warning: Hello'
+# shellcheck disable=SC2016 # The ${} in this is Nix, not shell
 nix-instantiate --eval -E 'builtins.addErrorContext "while doing ${"something"} interesting" (builtins.warn "Hello" 123)' 2>/dev/null | grepQuiet 123
 
 # warn does not accept non-strings for now
 expectStderr 1 nix-instantiate --eval -E 'let x = builtins.warn { x = x; } true; in x' \
   | grepQuiet "expected a string but found a set"
 expectStderr 1 nix-instantiate --eval --abort-on-warn -E 'builtins.warn "Hello" 123' | grepQuiet Hello
+# shellcheck disable=SC2016 # The ${} in this is Nix, not shell
 NIX_ABORT_ON_WARN=1 expectStderr 1 nix-instantiate --eval -E 'builtins.addErrorContext "while doing ${"something"} interesting" (builtins.warn "Hello" 123)' | grepQuiet "while doing something interesting"
 
 set +x
@@ -106,6 +108,7 @@ for i in lang/eval-fail-*.nix; do
         fi
     )"
     if
+        # shellcheck disable=SC2086 # word splitting of flags is intended
         expectStderr 1 nix-instantiate $flags "lang/$i.nix" \
             | sed "s!$(pwd)!/pwd!g" > "lang/$i.err"
     then

tests/functional/linux-sandbox-cert-test.nix

@@ -1,6 +1,6 @@
 { mode }:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation (
   {

tests/functional/linux-sandbox.sh

@@ -40,14 +40,14 @@ nix-sandbox-build dependencies.nix --check
 # Test that sandboxed builds with --check and -K can move .check directory to store
 nix-sandbox-build check.nix -A nondeterministic
 
-# `100 + 4` means non-determinstic, see doc/manual/src/command-ref/status-build-failure.md
+# `100 + 4` means non-determinstic, see doc/manual/source/command-ref/status-build-failure.md
 expectStderr 104 nix-sandbox-build check.nix -A nondeterministic --check -K > $TEST_ROOT/log
 grepQuietInverse 'error: renaming' $TEST_ROOT/log
 grepQuiet 'may not be deterministic' $TEST_ROOT/log
 
 # Test that sandboxed builds cannot write to /etc easily
-# `100` means build failure without extra info, see doc/manual/src/command-ref/status-build-failure.md
-expectStderr 100 nix-sandbox-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' |
+# `100` means build failure without extra info, see doc/manual/source/command-ref/status-build-failure.md
+expectStderr 100 nix-sandbox-build -E 'with import '"${config_nix}"'; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' |
     grepQuiet "/etc/test: Permission denied"
 
 
@@ -56,7 +56,7 @@ testCert () {
     expectation=$1 # "missing" | "present"
     mode=$2        # "normal" | "fixed-output"
     certFile=$3    # a string that can be the path to a cert file
-    # `100` means build failure without extra info, see doc/manual/src/command-ref/status-build-failure.md
+    # `100` means build failure without extra info, see doc/manual/source/command-ref/status-build-failure.md
     [ "$mode" == fixed-output ] && ret=1 || ret=100
     expectStderr $ret nix-sandbox-build linux-sandbox-cert-test.nix --argstr mode "$mode" --option ssl-cert-file "$certFile" |
         grepQuiet "CERT_${expectation}_IN_SANDBOX"

tests/functional/local-overlay-store/meson.build

@@ -14,5 +14,5 @@ suites += {
     'optimise.sh',
     'stale-file-handle.sh',
   ],
-  'workdir': meson.current_build_dir(),
+  'workdir': meson.current_source_dir(),
 }

tests/functional/local.mk

@@ -114,7 +114,6 @@ nix_tests = \
   impure-env.sh \
   debugger.sh \
   extra-sandbox-profile.sh \
-  help.sh
 
 ifeq ($(HAVE_LIBCPUID), 1)
   nix_tests += compute-levels.sh
@@ -128,6 +127,10 @@ ifeq ($(ENABLE_BUILD), yes)
   endif
 endif
 
+ifeq ($(ENABLE_DOC_GEN), yes)
+    nix_tests += help.sh
+endif
+
 $(d)/test-libstoreconsumer.sh.test $(d)/test-libstoreconsumer.sh.test-debug: \
   $(buildprefix)$(d)/test-libstoreconsumer/test-libstoreconsumer
 $(d)/plugins.sh.test $(d)/plugins.sh.test-debug: \

tests/functional/logging.sh

@@ -22,7 +22,7 @@ nix-build dependencies.nix --no-out-link --compress-build-log
 builder="$(realpath "$(mktemp)")"
 echo -e "#!/bin/sh\nmkdir \$out" > "$builder"
 outp="$(nix-build -E \
-    'with import ./config.nix; mkDerivation { name = "fnord"; builder = '"$builder"'; }' \
+    'with import '"${config_nix}"'; mkDerivation { name = "fnord"; builder = '"$builder"'; }' \
     --out-link "$(mktemp -d)/result")"
 
 test -d "$outp"

tests/functional/meson.build

@@ -14,27 +14,6 @@ project('nix-functional-tests', 'cpp',
 
 fs = import('fs')
 
-# Need to combine source and build trees
-run_command(
-  'rsync',
-  '-a',
-  '--copy-unsafe-links',
-  meson.current_source_dir() / '',
-  meson.current_build_dir() / '',
-)
-# This current-source-escaping relative is no good because we don't know
-# where the build directory will be, therefore we fix it up. Once the
-# Make build system is gone, we should think about doing this better.
-scripts_dir = fs.relative_to(
-  meson.current_source_dir() / '..' / '..' / 'scripts',
-  meson.current_build_dir(),
-)
-run_command(
-  'sed',
-  '-i', meson.current_build_dir() / 'bash-profile.sh',
-  '-e', 's^../../scripts^@0@^'.format(scripts_dir),
-)
-
 nix = find_program('nix')
 bash = find_program('bash', native : true)
 busybox = find_program('busybox', native : true, required : false)
@@ -185,7 +164,7 @@ suites = [
       'extra-sandbox-profile.sh',
       'help.sh',
     ],
-    'workdir': meson.current_build_dir(),
+    'workdir': meson.current_source_dir(),
   },
 ]
 
@@ -200,7 +179,7 @@ if nix_store.found()
     'tests': [
       'test-libstoreconsumer.sh',
     ],
-    'workdir': meson.current_build_dir(),
+    'workdir': meson.current_source_dir(),
   }
 
 endif
@@ -217,7 +196,7 @@ if nix_expr.found() and get_option('default_library') != 'static'
     'tests': [
       'plugins.sh',
     ],
-    'workdir': meson.current_build_dir(),
+    'workdir': meson.current_source_dir(),
   }
 endif
 
@@ -228,14 +207,12 @@ subdir('git-hashing')
 subdir('local-overlay-store')
 
 foreach suite : suites
+  workdir = suite['workdir']
+  suite_name = suite['name']
   foreach script : suite['tests']
-    workdir = suite['workdir']
-    prefix = fs.relative_to(workdir, meson.project_build_root())
-
-    script = script
     # Turns, e.g., `tests/functional/flakes/show.sh` into a Meson test target called
     # `functional-flakes-show`.
-    name = fs.replace_suffix(prefix / script, '')
+    name = fs.replace_suffix(script, '')
 
     test(
       name,
@@ -247,14 +224,17 @@ foreach suite : suites
         '-o', 'pipefail',
         script,
       ],
-      suite : suite['name'],
+      suite : suite_name,
       env : {
-        'TEST_NAME': name,
+        '_NIX_TEST_SOURCE_DIR': meson.current_source_dir(),
+        '_NIX_TEST_BUILD_DIR': meson.current_build_dir(),
+        'TEST_NAME': suite_name / name,
         'NIX_REMOTE': '',
         'PS4': '+(${BASH_SOURCE[0]-$0}:$LINENO) ',
       },
-      # some tests take 15+ seconds even on an otherwise idle machine, on a loaded machine
-      # this can easily drive them to failure. give them more time than default of 30sec
+      # Some tests take 15+ seconds even on an otherwise idle machine;
+      # on a loaded machine this can easily drive them to failure. Give
+      # them more time than the default of 30 seconds.
       timeout : 300,
       # Used for target dependency/ordering tracking, not adding compiler flags or anything.
       depends : suite['deps'],

tests/functional/multiple-outputs.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
 

tests/functional/nar-access.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
     a = mkDerivation {
@@ -20,4 +20,4 @@ asdom 12398
 EOF
       '';
     };
-}
+}

tests/functional/nar-access.sh

@@ -9,57 +9,57 @@ cd "$TEST_ROOT"
 
 # Dump path to nar.
 narFile="$TEST_ROOT/path.nar"
-nix-store --dump $storePath > $narFile
+nix-store --dump "$storePath" > "$narFile"
 
 # Check that find and nar ls match.
-( cd $storePath; find . | sort ) > files.find
-nix nar ls -R -d $narFile "" | sort > files.ls-nar
+( cd "$storePath"; find . | sort ) > files.find
+nix nar ls -R -d "$narFile" "" | sort > files.ls-nar
 diff -u files.find files.ls-nar
 
 # Check that file contents of data match.
-nix nar cat $narFile /foo/data > data.cat-nar
-diff -u data.cat-nar $storePath/foo/data
+nix nar cat "$narFile" /foo/data > data.cat-nar
+diff -u data.cat-nar "$storePath/foo/data"
 
 # Check that file contents of baz match.
-nix nar cat $narFile /foo/baz > baz.cat-nar
-diff -u baz.cat-nar $storePath/foo/baz
+nix nar cat "$narFile" /foo/baz > baz.cat-nar
+diff -u baz.cat-nar "$storePath/foo/baz"
 
-nix store cat $storePath/foo/baz > baz.cat-nar
-diff -u baz.cat-nar $storePath/foo/baz
+nix store cat "$storePath/foo/baz" > baz.cat-nar
+diff -u baz.cat-nar "$storePath/foo/baz"
 
 TODO_NixOS
 
 # Check that 'nix store cat' fails on invalid store paths.
-invalidPath="$(dirname $storePath)/99999999999999999999999999999999-foo"
-cp -r $storePath $invalidPath
-expect 1 nix store cat $invalidPath/foo/baz
+invalidPath="$(dirname "$storePath")/99999999999999999999999999999999-foo"
+cp -r "$storePath" "$invalidPath"
+expect 1 nix store cat "$invalidPath/foo/baz"
 
 # Test --json.
 diff -u \
-    <(nix nar ls --json $narFile / | jq -S) \
+    <(nix nar ls --json "$narFile" / | jq -S) \
     <(echo '{"type":"directory","entries":{"foo":{},"foo-x":{},"qux":{},"zyx":{}}}' | jq -S)
 diff -u \
-    <(nix nar ls --json -R $narFile /foo | jq -S) \
+    <(nix nar ls --json -R "$narFile" /foo | jq -S) \
     <(echo '{"type":"directory","entries":{"bar":{"type":"regular","size":0,"narOffset":368},"baz":{"type":"regular","size":0,"narOffset":552},"data":{"type":"regular","size":58,"narOffset":736}}}' | jq -S)
 diff -u \
-    <(nix nar ls --json -R $narFile /foo/bar | jq -S) \
+    <(nix nar ls --json -R "$narFile" /foo/bar | jq -S) \
     <(echo '{"type":"regular","size":0,"narOffset":368}' | jq -S)
 diff -u \
-    <(nix store ls --json $storePath | jq -S) \
+    <(nix store ls --json "$storePath" | jq -S) \
     <(echo '{"type":"directory","entries":{"foo":{},"foo-x":{},"qux":{},"zyx":{}}}' | jq -S)
 diff -u \
-    <(nix store ls --json -R $storePath/foo | jq -S) \
+    <(nix store ls --json -R "$storePath/foo" | jq -S) \
     <(echo '{"type":"directory","entries":{"bar":{"type":"regular","size":0},"baz":{"type":"regular","size":0},"data":{"type":"regular","size":58}}}' | jq -S)
 diff -u \
-    <(nix store ls --json -R $storePath/foo/bar| jq -S) \
+    <(nix store ls --json -R "$storePath/foo/bar"| jq -S) \
     <(echo '{"type":"regular","size":0}' | jq -S)
 
 # Test missing files.
-expect 1 nix store ls --json -R $storePath/xyzzy 2>&1 | grep 'does not exist'
-expect 1 nix store ls $storePath/xyzzy 2>&1 | grep 'does not exist'
+expect 1 nix store ls --json -R "$storePath/xyzzy" 2>&1 | grep 'does not exist'
+expect 1 nix store ls "$storePath/xyzzy" 2>&1 | grep 'does not exist'
 
 # Test failure to dump.
-if nix-store --dump $storePath >/dev/full ; then
+if nix-store --dump "$storePath" >/dev/full ; then
     echo "dumping to /dev/full should fail"
-    exit -1
+    exit 1
 fi

tests/functional/nars.sh

@@ -134,7 +134,7 @@ rm -f "$TEST_ROOT/unicode-*"
 
 # Unpacking a NAR with a NUL character in a file name should fail.
 rm -rf "$TEST_ROOT/out"
-expectStderr 1 nix-store --restore "$TEST_ROOT/out" < nul.nar | grepQuiet "NAR contains invalid file name 'f"
+expectStderr 1 nix-store --restore "$TEST_ROOT/out" < nul-character.nar | grepQuiet "NAR contains invalid file name 'f"
 
 # Likewise for a '.' filename.
 rm -rf "$TEST_ROOT/out"

tests/functional/nested-sandboxing.sh

@@ -8,6 +8,15 @@ TODO_NixOS
 
 requireSandboxSupport
 
+start="$TEST_ROOT/start"
+mkdir -p "$start"
+cp -r common common.sh ${config_nix} ./nested-sandboxing "$start"
+cp "${_NIX_TEST_BUILD_DIR}/common/subst-vars.sh" "$start/common"
+# N.B. redefine
+_NIX_TEST_SOURCE_DIR="$start"
+_NIX_TEST_BUILD_DIR="$start"
+cd "$start"
+
 source ./nested-sandboxing/command.sh
 
 expectStderr 100 runNixBuild badStoreUrl 2 | grepQuiet '`sandbox-build-dir` must not contain'

tests/functional/nested-sandboxing/runner.nix

@@ -19,6 +19,9 @@ mkDerivation {
 
     export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH
 
+    export _NIX_TEST_SOURCE_DIR=$PWD
+    export _NIX_TEST_BUILD_DIR=$PWD
+
     source common.sh
     source ./nested-sandboxing/command.sh
 

tests/functional/nix-build-examples.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
 

tests/functional/nix-channel.sh

@@ -35,7 +35,7 @@ drvPath=$(nix-instantiate dependencies.nix)
 nix copy --to file://$TEST_ROOT/foo?compression="bzip2" $(nix-store -r "$drvPath")
 rm -rf $TEST_ROOT/nixexprs
 mkdir -p $TEST_ROOT/nixexprs
-cp config.nix dependencies.nix dependencies.builder*.sh $TEST_ROOT/nixexprs/
+cp "${config_nix}" dependencies.nix dependencies.builder*.sh $TEST_ROOT/nixexprs/
 ln -s dependencies.nix $TEST_ROOT/nixexprs/default.nix
 (cd $TEST_ROOT && tar cvf - nixexprs) | bzip2 > $TEST_ROOT/foo/nixexprs.tar.bz2
 

tests/functional/nix-profile.sh

@@ -47,7 +47,7 @@ printf World > $flake1Dir/who
 printf 1.0 > $flake1Dir/version
 printf false > $flake1Dir/ca.nix
 
-cp ./config.nix $flake1Dir/
+cp "${config_nix}" $flake1Dir/
 
 # Test upgrading from nix-env.
 nix-env -f ./user-envs.nix -i foo-1.0
@@ -140,7 +140,7 @@ nix profile install $(nix-build --no-out-link ./simple.nix)
 
 # Test packages with same name from different sources
 mkdir $TEST_ROOT/simple-too
-cp ./simple.nix ./config.nix simple.builder.sh $TEST_ROOT/simple-too
+cp ./simple.nix "${config_nix}" simple.builder.sh $TEST_ROOT/simple-too
 nix profile install --file $TEST_ROOT/simple-too/simple.nix ''
 nix profile list | grep -A4 'Name:.*simple' | grep 'Name:.*simple-1'
 nix profile remove simple 2>&1 | grep 'removed 1 packages'

tests/functional/nix-shell.sh

@@ -31,6 +31,15 @@ output=$(nix-shell --pure --keep SELECTED_IMPURE_VAR "$shellDotNix" -A shellDrv
 
 [ "$output" = " - foo - bar - baz" ]
 
+# test NIX_BUILD_TOP
+testTmpDir=$(pwd)/nix-shell
+mkdir -p "$testTmpDir"
+output=$(TMPDIR="$testTmpDir" nix-shell --pure "$shellDotNix" -A shellDrv --run 'echo $NIX_BUILD_TOP')
+[[ "$output" =~ ${testTmpDir}.* ]] || {
+    echo "expected $output =~ ${testTmpDir}.*" >&2
+    exit 1
+}
+
 # Test nix-shell on a .drv
 [[ $(nix-shell --pure $(nix-instantiate "$shellDotNix" -A shellDrv) --run \
     'echo "$IMPURE_VAR - $VAR_FROM_STDENV_SETUP - $VAR_FROM_NIX - $TEST_inNixShell"') = " - foo - bar - false" ]]
@@ -70,7 +79,7 @@ sed -e "s|@ENV_PROG@|$(type -P env)|" shell.shebang.expr > $TEST_ROOT/shell.sheb
 chmod a+rx $TEST_ROOT/shell.shebang.expr
 # Should fail due to expressions using relative path
 ! $TEST_ROOT/shell.shebang.expr bar
-cp shell.nix config.nix $TEST_ROOT
+cp shell.nix "${config_nix}" $TEST_ROOT
 # Should succeed
 echo "cwd: $PWD"
 output=$($TEST_ROOT/shell.shebang.expr bar)
@@ -117,7 +126,7 @@ $TEST_ROOT/shell.shebang.nix
 mkdir $TEST_ROOT/lookup-test $TEST_ROOT/empty
 
 echo "import $shellDotNix" > $TEST_ROOT/lookup-test/shell.nix
-cp config.nix $TEST_ROOT/lookup-test/
+cp "${config_nix}" $TEST_ROOT/lookup-test/
 echo 'abort "do not load default.nix!"' > $TEST_ROOT/lookup-test/default.nix
 
 nix-shell $TEST_ROOT/lookup-test -A shellDrv --run 'echo "it works"' | grepQuiet "it works"

tests/functional/optimise-store.sh

@@ -4,8 +4,8 @@ source common.sh
 
 clearStoreIfPossible
 
-outPath1=$(echo 'with import ./config.nix; mkDerivation { name = "foo1"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --auto-optimise-store)
-outPath2=$(echo 'with import ./config.nix; mkDerivation { name = "foo2"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --auto-optimise-store)
+outPath1=$(echo 'with import '"${config_nix}"'; mkDerivation { name = "foo1"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --auto-optimise-store)
+outPath2=$(echo 'with import '"${config_nix}"'; mkDerivation { name = "foo2"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link --auto-optimise-store)
 
 TODO_NixOS # ignoring the client-specified setting 'auto-optimise-store', because it is a restricted setting and you are not a trusted user
   # TODO: only continue when trusted user or root
@@ -23,7 +23,7 @@ if [ "$nlink" != 3 ]; then
     exit 1
 fi
 
-outPath3=$(echo 'with import ./config.nix; mkDerivation { name = "foo3"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link)
+outPath3=$(echo 'with import '"${config_nix}"'; mkDerivation { name = "foo3"; builder = builtins.toFile "builder" "mkdir $out; echo hello > $out/foo"; }' | nix-build - --no-out-link)
 
 inode3="$(stat --format=%i $outPath3/foo)"
 if [ "$inode1" = "$inode3" ]; then

tests/functional/package.nix

@@ -6,7 +6,6 @@
 , meson
 , ninja
 , pkg-config
-, rsync
 
 , jq
 , git
@@ -48,11 +47,10 @@ mkMesonDerivation (finalAttrs: {
   ];
 
   # Hack for sake of the dev shell
-  passthru.baseNativeBuildInputs = [
+  passthru.externalNativeBuildInputs = [
     meson
     ninja
     pkg-config
-    rsync
 
     jq
     git
@@ -66,7 +64,7 @@ mkMesonDerivation (finalAttrs: {
     util-linux
   ];
 
-  nativeBuildInputs = finalAttrs.passthru.baseNativeBuildInputs ++ [
+  nativeBuildInputs = finalAttrs.passthru.externalNativeBuildInputs ++ [
     nix-cli
   ];
 
@@ -75,7 +73,6 @@ mkMesonDerivation (finalAttrs: {
     nix-expr
   ];
 
-
   preConfigure =
     # "Inline" .version so it's not a symlink, and includes the suffix.
     # Do the meson utils, without modification.

tests/functional/parallel.nix

@@ -1,6 +1,6 @@
 {sleepTime ? 3}:
 
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
 

tests/functional/pass-as-file.sh

@@ -5,7 +5,7 @@ source common.sh
 clearStoreIfPossible
 
 outPath=$(nix-build --no-out-link -E "
-with import ./config.nix;
+with import ${config_nix};
 
 mkDerivation {
   name = \"pass-as-file\";

tests/functional/path.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "filter";

tests/functional/placeholders.sh

@@ -5,7 +5,7 @@ source common.sh
 clearStoreIfPossible
 
 nix-build --no-out-link -E '
-  with import ./config.nix;
+  with import '"${config_nix}"';
 
   mkDerivation {
     name = "placeholders";

tests/functional/plugins.sh

@@ -3,7 +3,7 @@
 source common.sh
 
 for ext in so dylib; do
-    plugin="$PWD/plugins/libplugintest.$ext"
+    plugin="${_NIX_TEST_BUILD_DIR}/plugins/libplugintest.$ext"
     [[ -f "$plugin" ]] && break
 done
 

tests/functional/readfile-context.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
 

tests/functional/recursive.nix

@@ -1,4 +1,5 @@
-with import ./config.nix;
+let config_nix = /. + "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix"; in
+with import config_nix;
 
 mkDerivation rec {
   name = "recursive";
@@ -41,7 +42,7 @@ mkDerivation rec {
 
     # Build a derivation.
     nix $opts build -L --impure --expr '
-      with import ${./config.nix};
+      with import ${config_nix};
       mkDerivation {
         name = "inner1";
         buildCommand = "echo $fnord blaat > $out";

tests/functional/restricted.sh

@@ -7,8 +7,19 @@ clearStoreIfPossible
 nix-instantiate --restrict-eval --eval -E '1 + 2'
 (! nix-instantiate --eval --restrict-eval ./restricted.nix)
 (! nix-instantiate --eval --restrict-eval <(echo '1 + 2'))
+
+mkdir -p "$TEST_ROOT/nix"
+cp ./simple.nix "$TEST_ROOT/nix"
+cp ./simple.builder.sh "$TEST_ROOT/nix"
+cp "${config_nix}" "$TEST_ROOT/nix"
+simple_nix="$TEST_ROOT/nix/simple.nix"
+# N.B. redefine
+config_nix="$TEST_ROOT/nix/config.nix"
+removeBuildDirRef "${simple_nix}"
+cd "$TEST_ROOT/nix"
+
 nix-instantiate --restrict-eval ./simple.nix -I src=.
-nix-instantiate --restrict-eval ./simple.nix -I src1=simple.nix -I src2=config.nix -I src3=./simple.builder.sh
+nix-instantiate --restrict-eval ./simple.nix -I src1=./simple.nix -I src2=./config.nix -I src3=./simple.builder.sh
 
 # no default NIX_PATH
 (unset NIX_PATH; ! nix-instantiate --restrict-eval --find-file .)
@@ -19,25 +30,25 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix' -I sr
 expectStderr 1 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' | grepQuiet "forbidden in restricted mode"
 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' -I src=.
 
-p=$(nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)")
-cmp $p restricted.sh
+p=$(nix eval --raw --expr "builtins.fetchurl file://${_NIX_TEST_SOURCE_DIR}/restricted.sh" --impure --restrict-eval --allowed-uris "file://${_NIX_TEST_SOURCE_DIR}")
+cmp "$p" "${_NIX_TEST_SOURCE_DIR}/restricted.sh"
 
-(! nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval)
+(! nix eval --raw --expr "builtins.fetchurl file://${_NIX_TEST_SOURCE_DIR}/restricted.sh" --impure --restrict-eval)
 
-(! nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
+(! nix eval --raw --expr "builtins.fetchurl file://${_NIX_TEST_SOURCE_DIR}/restricted.sh" --impure --restrict-eval --allowed-uris "file://${_NIX_TEST_SOURCE_DIR}/restricted.sh/")
 
-nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
+nix eval --raw --expr "builtins.fetchurl file://${_NIX_TEST_SOURCE_DIR}/restricted.sh" --impure --restrict-eval --allowed-uris "file://${_NIX_TEST_SOURCE_DIR}/restricted.sh"
 
 (! nix eval --raw --expr "builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz" --impure --restrict-eval)
 (! nix eval --raw --expr "builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz" --impure --restrict-eval)
 (! nix eval --raw --expr "fetchGit git://github.com/NixOS/patchelf.git" --impure --restrict-eval)
 
-ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
+ln -sfn "${_NIX_TEST_SOURCE_DIR}/restricted.nix" "$TEST_ROOT/restricted.nix"
 [[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]]
 (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix)
 (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT)
 (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
-nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
+nix-instantiate --eval --restrict-eval "$TEST_ROOT/restricted.nix" -I "$TEST_ROOT" -I "${_NIX_TEST_SOURCE_DIR}"
 
 [[ $(nix eval --raw --impure --restrict-eval -I . --expr 'builtins.readFile "${import ./simple.nix}/hello"') == 'Hello World!' ]]
 
@@ -54,12 +65,12 @@ expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { pr
 [[ $(nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readDir <foo/tunnel>" -I $TEST_ROOT/tunnel.d) == '{ "tunnel.d" = "directory"; }' ]]
 
 # Check whether we can leak symlink information through directory traversal.
-traverseDir="$(pwd)/restricted-traverse-me"
-ln -sfn "$(pwd)/restricted-secret" "$(pwd)/restricted-innocent"
+traverseDir="${_NIX_TEST_SOURCE_DIR}/restricted-traverse-me"
+ln -sfn "${_NIX_TEST_SOURCE_DIR}/restricted-secret" "${_NIX_TEST_SOURCE_DIR}/restricted-innocent"
 mkdir -p "$traverseDir"
 goUp="..$(echo "$traverseDir" | sed -e 's,[^/]\+,..,g')"
 output="$(nix eval --raw --restrict-eval -I "$traverseDir" \
-    --expr "builtins.readFile \"$traverseDir/$goUp$(pwd)/restricted-innocent\"" \
+    --expr "builtins.readFile \"$traverseDir/$goUp${_NIX_TEST_SOURCE_DIR}/restricted-innocent\"" \
     2>&1 || :)"
 echo "$output" | grep "is forbidden"
 echo "$output" | grepInverse -F restricted-secret

tests/functional/search.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 {
   hello = mkDerivation rec {

tests/functional/secure-drv-outputs.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 {
 

tests/functional/selfref-gc.sh

@@ -7,7 +7,7 @@ requireDaemonNewerThan "2.6.0pre20211215"
 clearStoreIfPossible
 
 nix-build --no-out-link -E '
-  with import ./config.nix;
+  with import '"${config_nix}"';
 
   let d1 = mkDerivation {
     name = "selfref-gc";

tests/functional/shell-hello.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 rec {
   hello = mkDerivation {

tests/functional/shell.nix

@@ -1,6 +1,6 @@
 { inNixShell ? false, contentAddressed ? false, fooContents ? "foo" }:
 
-let cfg = import ./config.nix; in
+let cfg = import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix"; in
 with cfg;
 
 let

tests/functional/shell.sh

@@ -27,8 +27,8 @@ expect 1 nix shell -f shell-hello.nix forbidden-symlink -c hello 2>&1 | grepQuie
 # For instance, we might set an environment variable temporarily to affect some
 # initialization or whatnot, but this must not leak into the environment of the
 # command being run.
-env > $TEST_ROOT/expected-env
-nix shell -f shell-hello.nix hello -c env > $TEST_ROOT/actual-env
+env > "$TEST_ROOT/expected-env"
+nix shell -f shell-hello.nix hello -c env > "$TEST_ROOT/actual-env"
 # Remove/reset variables we expect to be different.
 # - PATH is modified by nix shell
 # - we unset TMPDIR on macOS if it contains /var/folders
@@ -39,10 +39,10 @@ sed -i \
   -e 's/_=.*/_=.../' \
   -e '/^TMPDIR=\/var\/folders\/.*/d' \
   -e '/^__CF_USER_TEXT_ENCODING=.*$/d' \
-  $TEST_ROOT/expected-env $TEST_ROOT/actual-env
-sort $TEST_ROOT/expected-env > $TEST_ROOT/expected-env.sorted
-sort $TEST_ROOT/actual-env > $TEST_ROOT/actual-env.sorted
-diff $TEST_ROOT/expected-env.sorted $TEST_ROOT/actual-env.sorted
+  "$TEST_ROOT/expected-env" "$TEST_ROOT/actual-env"
+sort "$TEST_ROOT/expected-env" > "$TEST_ROOT/expected-env.sorted"
+sort "$TEST_ROOT/actual-env" > "$TEST_ROOT/actual-env.sorted"
+diff "$TEST_ROOT/expected-env.sorted" "$TEST_ROOT/actual-env.sorted"
 
 if isDaemonNewer "2.20.0pre20231220"; then
     # Test that command line attribute ordering is reflected in the PATH
@@ -53,8 +53,8 @@ fi
 
 requireSandboxSupport
 
-chmod -R u+w $TEST_ROOT/store0 || true
-rm -rf $TEST_ROOT/store0
+chmod -R u+w "$TEST_ROOT/store0" || true
+rm -rf "$TEST_ROOT/store0"
 
 clearStore
 
@@ -64,10 +64,10 @@ path=$(nix eval --raw -f shell-hello.nix hello)
 # visible in the sandbox.
 nix shell --sandbox-build-dir /build-tmp \
     --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' \
-    --store $TEST_ROOT/store0 -f shell-hello.nix hello -c hello | grep 'Hello World'
+    --store "$TEST_ROOT/store0" -f shell-hello.nix hello -c hello | grep 'Hello World'
 
-path2=$(nix shell --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store $TEST_ROOT/store0 -f shell-hello.nix hello -c $SHELL -c 'type -p hello')
+path2=$(nix shell --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/store0" -f shell-hello.nix hello -c "$SHELL" -c 'type -p hello')
 
-[[ $path/bin/hello = $path2 ]]
+[[ "$path/bin/hello" = "$path2" ]]
 
-[[ -e $TEST_ROOT/store0/nix/store/$(basename $path)/bin/hello ]]
+[[ -e $TEST_ROOT/store0/nix/store/$(basename "$path")/bin/hello ]]

tests/functional/simple-failing.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "simple-failing";

tests/functional/simple.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 mkDerivation {
   name = "simple";

tests/functional/structured-attrs-shell.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 let
   dep = mkDerivation {
     name = "dep";

tests/functional/structured-attrs.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
 

tests/functional/supplementary-groups.sh

@@ -9,7 +9,7 @@ needLocalStore "The test uses --store always so we would just be bypassing the d
 
 TODO_NixOS
 
-unshare --mount --map-root-user bash <<EOF
+unshare --mount --map-root-user -- bash -e -x <<EOF
   source common.sh
 
   # Avoid store dir being inside sandbox build-dir
@@ -24,15 +24,13 @@ unshare --mount --map-root-user bash <<EOF
   cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1 --no-out-link)
 
   # Fails with default setting
-  # TODO better error
   setLocalStore store1
-  expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+  expectStderr 1 "\${cmd[@]}" | grepQuiet "setgroups failed"
 
   # Fails with `require-drop-supplementary-groups`
-  # TODO better error
   setLocalStore store2
   NIX_CONFIG='require-drop-supplementary-groups = true' \
-    expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+    expectStderr 1 "\${cmd[@]}" | grepQuiet "setgroups failed"
 
   # Works without `require-drop-supplementary-groups`
   setLocalStore store3

tests/functional/symlink-derivation.nix

@@ -1,4 +1,4 @@
-with import ./config.nix;
+with import "${builtins.getEnv "_NIX_TEST_BUILD_DIR"}/config.nix";
 
 let
   foo_in_store = builtins.toFile "foo" "foo";