wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-04 07:11:47 +02:00
Code Activity

Compute NAR hash for Git archive flakes if --no-trust-tarballs-from-git-forges

Browse source
This commit is contained in:
Eelco Dolstra 2025-02-10 19:38:47 +01:00
parent 2890a2e25d
commit 3432184136
2 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/libfetchers/github.cc
View file

@ -299,6 +299,13 @@ struct GitArchiveInputScheme : InputScheme
false, false,
"«" + input.to_string() + "»"); "«" + input.to_string() + "»");
if (!input.settings->trustTarballsFromGitForges)
// FIXME: computing the NAR hash here is wasteful if
// copyInputToStore() is just going to hash/copy it as
// well.
input.attrs.insert_or_assign("narHash",
accessor->hashPath(CanonPath::root).to_string(HashFormat::SRI, true));
return {accessor, input}; return {accessor, input};
} }

2
tests/nixos/github-flakes.nix
View file

@ -205,7 +205,7 @@ in
cat_log() cat_log()
# ... otherwise it should use the API # ... otherwise it should use the API
out = client.succeed("nix flake metadata private-flake --json --access-tokens github.com=ghp_000000000000000000000000000000000000 --tarball-ttl 0") out = client.succeed("nix flake metadata private-flake --json --access-tokens github.com=ghp_000000000000000000000000000000000000 --tarball-ttl 0 --no-trust-tarballs-from-git-forges")
print(out) print(out)
info = json.loads(out) info = json.loads(out)
assert info["revision"] == "${private-flake-rev}", f"revision mismatch: {info['revision']} != ${private-flake-rev}" assert info["revision"] == "${private-flake-rev}", f"revision mismatch: {info['revision']} != ${private-flake-rev}"