Consider a flake schema #817

Open
eureka-cpu opened this issue Mar 24, 2025 · 2 comments
Labels
enhancement New feature or request

Comments

eureka-cpu (Contributor) commented Mar 24, 2025

Is your feature request related to a problem? Please describe.

It's not a huge problem by any means, though sometimes I find that I just want `nix flake check` to only run certain checks, e.g. check that the thing builds, similarly to just running `cargo check` for the project. Mostly I'm opening this issue because RUSTSEC and licensing checks can be a bit annoying to deal with, but they are handy when you really want them.

Describe the solution you'd like

It would be sort of cool to have a flake schema for crane where perhaps there is a `sec` attribute where the audit checks would go, which by default could be inherited into `checks`.

```nix
# flake.nix
{
  # `rec` so that `checks` can refer to the sibling `sec` attribute;
  # craneLib, advisory-db and src are assumed to be bound in scope.
  outputs = { self /* , ... */ }@inputs: rec {
    sec = {
      # Audit dependencies
      audit = craneLib.cargoAudit {
        inherit advisory-db src;
      };

      # Audit licenses
      deny = craneLib.cargoDeny {
        inherit src;
      };
    };
    checks = {
      inherit (sec) audit deny;
      # ...
    };
  };
}
```

This way the default behavior doesn't change, but users can opt out of those checks without fully removing them from their flake. For instance, if I remove `inherit (sec) audit deny;` from `checks`, I can still `nix build .#sec.x86_64-linux.deny`, but running `nix flake check` just runs the trivial checks which I would normally want to run locally, leaving the security checks to CI.

Describe alternatives you've considered

I'm sure I could just move this into my project's flake so that crane doesn't have to do the heavy lifting for me, but having to do it each time I start a project, or commenting it out and forgetting it, has been an issue.

Additional context

Adding a schema would also get rid of the unknown attribute 'lib' !!
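A complete per-system flake laying out the `sec`/`checks` split proposed above, as an added example that is not part of the issue and not crane's own code. It assumes the usual crane template inputs (nixpkgs, flake-utils, crane and a non-flake advisory-db checkout) and a Cargo project at the flake root; the `inherit (sec) audit deny;` line is the one a user would drop to keep the security checks out of `nix flake check` while still being able to build them by path.

```nix
{
  # Added example: assumed inputs, matching the standard crane template.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    flake-utils.url = "github:numtide/flake-utils";
    crane.url = "github:ipetkov/crane";
    advisory-db = {
      url = "github:rustsec/advisory-db";
      flake = false;
    };
  };

  outputs = { self, nixpkgs, flake-utils, crane, advisory-db, ... }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        craneLib = crane.mkLib pkgs;

        # Assumed: the Cargo project lives at the flake root.
        src = craneLib.cleanCargoSource ./.;
        commonArgs = {
          inherit src;
          strictDeps = true;
        };
        cargoArtifacts = craneLib.buildDepsOnly commonArgs;

        # Security-oriented checks are defined once, here, so that they can
        # be exposed on their own and optionally inherited into `checks`.
        sec = {
          # RUSTSEC advisories against the locked dependency graph.
          audit = craneLib.cargoAudit { inherit src advisory-db; };
          # License, ban and source policy from deny.toml.
          deny = craneLib.cargoDeny { inherit src; };
        };
      in
      {
        packages.default = craneLib.buildPackage (commonArgs // {
          inherit cargoArtifacts;
        });

        # Custom flake output: eachDefaultSystem nests it per system, so
        # `nix build .#sec.x86_64-linux.deny` resolves even when the
        # attributes below are removed from `checks`.
        inherit sec;

        checks = {
          # Fast checks that are worth running locally.
          clippy = craneLib.cargoClippy (commonArgs // {
            inherit cargoArtifacts;
            cargoClippyExtraArgs = "--all-targets -- --deny warnings";
          });
          nextest = craneLib.cargoNextest (commonArgs // {
            inherit cargoArtifacts;
          });

          # Default behaviour: the security checks also run under
          # `nix flake check`. Delete this line to leave them to CI only.
          inherit (sec) audit deny;
        };
      });
}
```

With the `inherit (sec) audit deny;` line present, `nix flake check` evaluates and builds all four checks; with it removed, only `clippy` and `nextest` run, and CI can still call `nix build .#sec.x86_64-linux.audit` and `.#sec.x86_64-linux.deny` directly. Because `sec` is not a standard flake output, `nix flake check` prints an "unknown flake output" warning for it, which is the kind of warning a crane-provided schema would make disappear.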

eureka-cpu (Contributor, Author) commented:
I realize this would be a bit of an undertaking, and probably need pretty lengthy review to get it right. I'm happy as always to take it on if it's something that could be valuable to the project.

eureka-cpu (Contributor, Author) commented:
This is what I'm currently doing to avoid having to run the checks during `nix flake check`:

```nix
{
  outputs = { /* ... */ }: {
    sec =
      let
        # Fail the derivation if the captured report mentions a warning or
        # error; otherwise the check phase succeeds.
        checkIfFailed = out: ''
          grep -iE 'warning|error' ${out} && exit 1 || true
        '';
      in
      {
        audit = (craneLib.cargoAudit {
          inherit advisory-db src;
          # Write the audit report into the output so checkPhase can read it.
          cargoAuditExtraArgs = ''
            --ignore yanked > $out/audit.txt
          '';
          doCheck = true;
          checkPhase = checkIfFailed "$out/audit.txt";
        }).overrideAttrs (old: {
          # Create the report file before cargo-audit runs.
          buildPhase = ''
            mkdir -p $out
            touch $out/audit.txt
          '' + old.buildPhase;
        });

        deny = (craneLib.cargoDeny {
          inherit src;
          # Write the deny report into the output so checkPhase can read it.
          cargoDenyChecks = ''
            bans licenses sources > $out/deny.txt
          '';
          doCheck = true;
          checkPhase = checkIfFailed "$out/deny.txt";
        }).overrideAttrs (old: {
          # Create the report file before cargo-deny runs.
          buildPhase = ''
            mkdir -p $out
            touch $out/deny.txt
          '' + old.buildPhase;
        });
      };
  };
}
```

If I run `nix build .#checks.x86_64-linux.deny` the derivation builds and there isn't a failure like there is when I run `nix build .#checks.x86_64-linux.nextest`, so I have some other attributes set to get it to fail (there's probably a better way?).

```yaml
  rustsec-license-check:
    name: RUSTSEC and License Check
    runs-on: ubuntu-latest
    permissions:
      id-token: "write"
      contents: "read"
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - name: Cargo Audit
        run: nix build .#sec.x86_64-linux.audit
      - name: Cargo Deny
        run: nix build .#sec.x86_64-linux.deny
```
