From 5b578b0679e27d5bb46831c48f1cba44f23803ef Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Wed, 19 Mar 2025 19:05:22 +0100 Subject: [PATCH 1/2] ci/eval/compare: fix reading store paths from json file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This suddenly appeared after updating Nix to v26, which then complained: … while calling the 'fromJSON' builtin at /home/runner/work/nixpkgs/nixpkgs/target/ci/eval/compare/default.nix:74:19: 73| 74| getAttrs = dir: builtins.fromJSON (builtins.readFile "${dir}/outpaths.json"); | ^ 75| beforeAttrs = getAttrs beforeResultDir; … while evaluating the first argument passed to builtins.fromJSON error: the string '{ "AMB-plugins.aarch64-linux": { "out": "/nix/store/faw59ba5p6h4b177n8q2ilb3hlm7xlc2-AMB-plugins-0.8.1" }, .... "zzuf.aarch64-linux": { "out": "/nix/store/bqvm1h7jfd8smgnjc1v1gpmbwdgvwy5g-zzuf-0.15" }, "zzuf.x86_64-linux": { "out": "/nix/store/6qs4lnmzn1qlr3smqqxnmhnrcdcfiv6a-zzuf-0.15" } } ' is not allowed to refer to a store path (such as '134m2q047vsr9miwh5l227j7sh9jb130-jq-1.7.1-bin') By discarding the unsafe string context, we explicitly allow loading those store paths. It's unclear why this blew up now, especially because it was not possible to consistently replicate this locally, so far. --- ci/eval/compare/default.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ci/eval/compare/default.nix b/ci/eval/compare/default.nix index b844d45f5902..9b71c6656914 100644 --- a/ci/eval/compare/default.nix +++ b/ci/eval/compare/default.nix 
@@ -71,7 +71,15 @@ let getLabels ; - getAttrs = dir: builtins.fromJSON (builtins.readFile "${dir}/outpaths.json"); + getAttrs = + dir: + let + raw = builtins.readFile "${dir}/outpaths.json"; + # The file contains Nix paths; we need to ignore them for evaluation purposes, + # else there will be a "is not allowed to refer to a store path" error. + data = builtins.unsafeDiscardStringContext raw; + in + builtins.fromJSON data; beforeAttrs = getAttrs beforeResultDir; afterAttrs = getAttrs afterResultDir; From 3fa48f33779f2963cf1a865cf69b872e4b76ff3f Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Wed, 19 Mar 2025 18:26:35 +0100 Subject: [PATCH 2/2] Reapply "build(deps): bump cachix/install-nix-action from 30 to 31" This reverts commit 281875261d71aaa786eb4e25a45f4ec355fe7aef. --- .github/workflows/check-maintainers-sorted.yml | 2 +- .github/workflows/check-nix-format.yml | 2 +- .github/workflows/check-nixf-tidy.yml | 2 +- .github/workflows/check-shell.yml | 2 +- .github/workflows/codeowners-v2.yml | 4 ++-- .github/workflows/editorconfig-v2.yml | 2 +- .github/workflows/eval-lib-tests.yml | 2 +- .github/workflows/eval.yml | 10 +++++----- .github/workflows/manual-nixos-v2.yml | 2 +- .github/workflows/manual-nixpkgs-v2.yml | 2 +- .github/workflows/nix-parse-v2.yml | 2 +- .github/workflows/nixpkgs-vet.yml | 2 +- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/check-maintainers-sorted.yml b/.github/workflows/check-maintainers-sorted.yml index 07cd525e8542..c7a39a66b5b6 100644 --- a/.github/workflows/check-maintainers-sorted.yml +++ b/.github/workflows/check-maintainers-sorted.yml @@ -20,7 +20,7 @@ jobs: lib maintainers - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true 
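Review bot: The comment above `data` in the new `getAttrs` says why the string context is dropped but not what that costs: after `builtins.unsafeDiscardStringContext`, the out paths parsed from `outpaths.json` carry no store references, so Nix would not track them as dependencies if a later expression interpolated them into a derivation. That is harmless as long as the values are only compared as plain strings, which appears to be the intent, but the rest of the `let` block lies outside this hunk, so that should be confirmed. I would extend the comment with `# The parsed paths are plain data for comparison only; do not interpolate them into a derivation, their dependencies are no longer tracked.` Since the commit message states the root cause is still unknown, a short `# TODO: find out why readFile started returning string context here` would keep the workaround from being mistaken for a settled design decision.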
diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index 96727ee994e6..0eb9d99a7aa5 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -44,7 +44,7 @@ jobs: rev=$(jq -r .rev ci/pinned-nixpkgs.json) echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV" - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml index 8b148ba33bc4..e7b366439442 100644 --- a/.github/workflows/check-nixf-tidy.yml +++ b/.github/workflows/check-nixf-tidy.yml @@ -34,7 +34,7 @@ jobs: rev=$(jq -r .rev ci/pinned-nixpkgs.json) echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV" - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true nix_path: nixpkgs=${{ env.url }} diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index e1f079619dc3..6de72f9b8bda 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -27,7 +27,7 @@ jobs: with: ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 - name: Build shell run: nix-build shell.nix diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml index ac6fbac74b90..a1e78609f8c8 100644 --- a/.github/workflows/codeowners-v2.yml +++ b/.github/workflows/codeowners-v2.yml 
@@ -45,7 +45,7 @@ jobs: needs: get-merge-commit if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha steps: - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16 with: @@ -90,7 +90,7 @@ jobs: runs-on: ubuntu-24.04 if: github.repository_owner == 'NixOS' steps: - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. # This is intentional, because we need to request the review of owners as declared in the base branch. diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index bd48be1650f1..f3f6f3b56077 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml @@ -32,7 +32,7 @@ jobs: with: ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: # nixpkgs commit is pinned so that it doesn't break # editorconfig-checker 2.4.0 diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml index f0f5fbf376c2..1199ad8edeb9 100644 --- a/.github/workflows/eval-lib-tests.yml +++ b/.github/workflows/eval-lib-tests.yml @@ -22,7 +22,7 @@ jobs: with: ref: ${{ needs.get-merge-commit.outputs.mergedSha }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true 
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 4e6735f3b48e..99a0ec40dedf 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -43,7 +43,7 @@ jobs: echo "targetSha=$targetSha" >> "$GITHUB_OUTPUT" - name: Install Nix - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true @@ -71,7 +71,7 @@ jobs: path: nixpkgs - name: Install Nix - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true @@ -108,7 +108,7 @@ jobs: path: nixpkgs - name: Install Nix - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true @@ -149,7 +149,7 @@ jobs: path: nixpkgs - name: Install Nix - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true @@ -254,7 +254,7 @@ jobs: path: comparison - name: Install Nix - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 # Important: This workflow job runs with extra permissions, # so we need to make sure to not run untrusted code from PRs diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml index 362a73e4bb57..1f0321538817 100644 --- a/.github/workflows/manual-nixos-v2.yml +++ b/.github/workflows/manual-nixos-v2.yml 
@@ -25,7 +25,7 @@ jobs: with: ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml index d8516fb8de4f..326360748ca8 100644 --- a/.github/workflows/manual-nixpkgs-v2.yml +++ b/.github/workflows/manual-nixpkgs-v2.yml @@ -20,7 +20,7 @@ jobs: with: ref: refs/pull/${{ github.event.pull_request.number }}/merge - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index 2f8e97d3a8a0..cd59d0607062 100644 --- a/.github/workflows/nix-parse-v2.yml +++ b/.github/workflows/nix-parse-v2.yml @@ -32,7 +32,7 @@ jobs: ref: ${{ needs.get-merge-commit.outputs.mergedSha }} if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }} - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 with: extra_nix_config: sandbox = true nix_path: nixpkgs=channel:nixpkgs-unstable diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index 0b2f4e1c96d3..756c7ed11767 100644 --- a/.github/workflows/nixpkgs-vet.yml +++ b/.github/workflows/nixpkgs-vet.yml @@ -43,7 +43,7 @@ jobs: git worktree add "$target" "$(git rev-parse HEAD^1)" echo "target=$target" >> "$GITHUB_ENV" - - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 + - uses: cachix/install-nix-action@02a151ada4993995686f9ed4f1be7cfbb229e56f # v31 - name: Fetching the pinned tool # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh