Compute NAR hash for Git archive flakes if --no-trust-tarballs-from-git-forges

2025-07-04 07:11:47 +02:00 · 2025-02-10 19:38:47 +01:00 · 2025-02-10 19:38:47 +01:00 · 3432184136
commit 3432184136
parent 2890a2e25d
2 changed files with 8 additions and 1 deletions
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
@ -299,6 +299,13 @@ struct GitArchiveInputScheme : InputScheme
            false,
            "«" + input.to_string() + "»");

+        if (!input.settings->trustTarballsFromGitForges)
+            // FIXME: computing the NAR hash here is wasteful if
+            // copyInputToStore() is just going to hash/copy it as
+            // well.
+            input.attrs.insert_or_assign("narHash",
+                accessor->hashPath(CanonPath::root).to_string(HashFormat::SRI, true));
+
        return {accessor, input};
    }

--- a/tests/nixos/github-flakes.nix
+++ b/tests/nixos/github-flakes.nix
@ -205,7 +205,7 @@ in
      cat_log()

      # ... otherwise it should use the API
-      out = client.succeed("nix flake metadata private-flake --json --access-tokens github.com=ghp_000000000000000000000000000000000000 --tarball-ttl 0")
+      out = client.succeed("nix flake metadata private-flake --json --access-tokens github.com=ghp_000000000000000000000000000000000000 --tarball-ttl 0 --no-trust-tarballs-from-git-forges")
      print(out)
      info = json.loads(out)
      assert info["revision"] == "${private-flake-rev}", f"revision mismatch: {info['revision']} != ${private-flake-rev}"