
Fix running hydraJobs in CI #494

Merged

edolstra merged 7 commits into main from run-hydra-tests on Jun 10, 2026

Conversation

@edolstra edolstra (Collaborator) commented Jun 10, 2026

Motivation

The nix flake show --json output format changed, so the jq query was returning an empty list. This was hiding a couple of broken VM tests.

Context

Summary by CodeRabbit

  • Chores
    • Adjusted VM test discovery and disabled VM tests for one build configuration.
  • Tests
    • Removed an older upgrade test, cleaned up several integration tests, and pruned some exported test entries.
  • Performance
    • Improved retrieval by using known fixed-output store paths when available, with a safe fallback to download.

The `nix flake show --json` output format changed, so this jq query
was returning an empty list.
@coderabbitai coderabbitai Bot commented Jun 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adjusts GitHub Actions VM test gating and discovery, adds a SHA256 fixed-output fast-path to fetchTree to ensure pinned store paths, and removes/fixes several NixOS test definitions and exports.

Changes

Workflow, fetch, and tests edits

| Layer | File(s) | Summary |
|---|---|---|
| VM test execution gating | `.github/workflows/ci.yml`, `.github/workflows/build.yml` | `build_x86_64-linux_no_dsp` toggles `run_vm_tests` from `true` to `false`; VM test flow inputs updated. |
| VM test discovery and build invocation | `.github/workflows/build.yml` | Compute tests via `nix flake show --json` at `.inventory.hydraJobs.output.children.tests.children`, filter entries with `has("derivation")`, error if empty, and pass `$tests` to `nix build` (uses the precomputed variable, increased timeout). |
| fetchTree SHA256 pinned-path fast-path | `src/libexpr/primops/fetchTree.cc` | For a SHA256 `expectedHash`, compute the deterministic fixed-output store path and call `state.store->ensurePath(...)`; on success set the store path and return early. For tarball unpack, stop adding `__final` when `expectedHash` is present. |
| NixOS test removals and fixups | `tests/nixos/default.nix`, `tests/nixos/s3-binary-cache-store.nix`, `tests/nixos/user-sandboxing/default.nix` | Removed exported `upgrade-nix*` entries from `tests/nixos/default.nix`; fixed stray tokens at the end of `test_explicit_path_style`; added `create-hello-world` and `pkgs.socat` to `virtualisation.additionalPaths` and removed the `boot.kernelPackages` override in the user-sandboxing test. |

Sequence Diagram

```mermaid
sequenceDiagram
  participant Actions as GitHub Actions
  participant Flake as "nix flake show --json"
  participant JQ as jq
  participant NixBuild as "nix build"
  Actions->>Flake: run `nix flake show --json`
  Flake->>JQ: JSON at .inventory.hydraJobs.output.children.tests.children
  JQ->>Actions: `$tests` (filtered with has("derivation"))
  Actions->>NixBuild: `nix build $tests --timeout 3600`
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • cole-h

Poem

I nibble at JSON and chase a hash,
A fast-path found in the store—what a dash!
Flags flip low and tests step back,
Fixes tucked in the test file's track,
Hooray, little rabbit hops on the patch. 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Fix running hydraJobs in CI' directly reflects the main purpose of the PR: fixing CI logic to extract and run Hydra jobs after the `nix flake show` output format changed. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions github-actions Bot temporarily deployed to pull request June 10, 2026 17:23 (Inactive)

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In @.github/workflows/build.yml:
- Line 125: vm_tests_all is currently gated only by inputs.run_vm_tests which
causes it to run alongside vm_tests_smoke; change the job condition so
vm_tests_all only runs for the full-suite case (e.g. inputs.run_vm_tests ==
'all') or on merge_group events, making it mutually exclusive with
vm_tests_smoke (which handles the non-merge_group/smoke path). Update the
vm_tests_all job's if expression to explicitly check the input value or
github.event_name rather than a plain inputs.run_vm_tests flag so both jobs
cannot be scheduled in the same run.
📥 Commits

Reviewing files that changed from the base of the PR and between 258d02d and 35d6d72.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Comment thread on `.github/workflows/build.yml` (outdated)

@github-actions github-actions Bot temporarily deployed to pull request June 10, 2026 19:50 (Inactive)
@github-actions github-actions Bot temporarily deployed to pull request June 10, 2026 20:28 (Inactive)

@coderabbitai coderabbitai Bot left a comment

⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)

133-138: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the configured flake input when discovering VM tests.

At line 133, `nix flake show --json` ignores `inputs.flake`, but line 138 builds targets under `${{ inputs.flake }}#...`. If callers pass a non-root flake, discovery and build can diverge and produce empty/incorrect target sets.

Suggested fix
-          tests=$(nix flake show --json \
+          tests=$(nix flake show --json ${{ inputs.flake }} \
             | jq -r '
               .inventory.hydraJobs.output.children.tests.children
               | with_entries(select(.value | has("derivation")))
               | keys[]
               | "${{ inputs.flake }}`#hydraJobs.tests`." + .')
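Review bot: the `${{ inputs.flake }}` added to the `nix flake show --json` line is expanded straight into the shell command, unquoted, and the unchanged last line of the hunk still splices the same input into the single-quoted jq program; since this is a template expansion, pass the value through an `env:` entry (for instance `FLAKE: ${{ inputs.flake }}`), reference it on the command line as `"$FLAKE"`, and hand it to jq with `--arg flake "$FLAKE"` so that discovery and build stay aligned without the template-injection exposure that the zizmor finding later in this thread reports for that jq line.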
📥 Commits

Reviewing files that changed from the base of the PR and between 00d7484 and ccb6e84.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • tests/nixos/user-sandboxing/default.nix
💤 Files with no reviewable changes (1)
  • tests/nixos/user-sandboxing/default.nix

xokdvium and others added 4 commits June 10, 2026 22:31
This reverts commit 3ec0993.

This actually broke fetchersSubstitute test, since we want to be able
to substitute builtins.fetchurl too, which is only handled by the tarball fetcher.

See: https://hydra.nixos.org/build/331423127
Determinate Nix removed `nix upgrade-nix`.
@github-actions github-actions Bot temporarily deployed to pull request June 10, 2026 20:35 Inactive
@edolstra edolstra enabled auto-merge June 10, 2026 20:37

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between ccb6e84 and fa8e406.

📒 Files selected for processing (6)
  • .github/workflows/build.yml
  • src/libexpr/primops/fetchTree.cc
  • tests/nixos/default.nix
  • tests/nixos/s3-binary-cache-store.nix
  • tests/nixos/upgrade-nix.nix
  • tests/nixos/user-sandboxing/default.nix
💤 Files with no reviewable changes (4)
  • tests/nixos/upgrade-nix.nix
  • tests/nixos/default.nix
  • tests/nixos/user-sandboxing/default.nix
  • tests/nixos/s3-binary-cache-store.nix
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/libexpr/primops/fetchTree.cc

Inline review comment on `.github/workflows/build.yml`, quoting these lines:

```jq
.inventory.hydraJobs.output.children.tests.children
| with_entries(select(.value | has("derivation")))
| keys[]
| "${{ inputs.flake }}#hydraJobs.tests." + .')
```

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden against code injection via template expansion and unquoted variable usage.

Line 138 embeds `${{ inputs.flake }}` into the jq output, and line 146 uses `$tests` unquoted. If `inputs.flake` contains shell metacharacters (e.g., `;` or `|`), they will be interpreted by the shell at line 146, enabling command injection.

While the threat is mitigated because this is a workflow_call (only trusted repo workflows can supply inputs), defense-in-depth is warranted.

🔒 Proposed fix using a bash array

Replace lines 133–146 with:

-      - run: |
-          tests=$(nix flake show --json \
-            | jq -r '
-              .inventory.hydraJobs.output.children.tests.children
-              | with_entries(select(.value | has("derivation")))
-              | keys[]
-              | "${{ inputs.flake }}`#hydraJobs.tests`." + .')
-
-          if [ -z "$tests" ]; then
-            echo "error: no tests found in hydraJobs.tests"
-            exit 1
-          fi
-
-          cmd() {
-            nix build -L --keep-going --timeout 600 $tests
-          }
+      - run: |
+          mapfile -t tests < <(
+            nix flake show --json \
+              | jq -r '
+                .inventory.hydraJobs.output.children.tests.children
+                | with_entries(select(.value | has("derivation")))
+                | keys[]
+                | "${{ inputs.flake }}`#hydraJobs.tests`." + .'
+          )
+
+          if [ ${`#tests`[@]} -eq 0 ]; then
+            echo "error: no tests found in hydraJobs.tests"
+            exit 1
+          fi
+
+          cmd() {
+            nix build -L --keep-going --timeout 600 "${tests[@]}"
+          }
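Review bot: the replacement still interpolates `${{ inputs.flake }}` into the single-quoted jq program on the `| "${{ inputs.flake }}` line, so a value containing a single quote would still terminate the program and the template-expansion finding remains open; `mapfile` and `"${tests[@]}"` only address the word-splitting side. Move the value to an `env:` variable and pass it to jq as `--arg flake "$FLAKE"`, concatenating `$flake` inside the program instead. Separately, `mapfile -t tests < <( ... )` discards the exit status of `nix flake show` and `jq`, so a failed discovery surfaces only as the misleading `no tests found` message; capture the pipeline output into a variable first (`tests_out=$(...)`) so `set -e` or an explicit status check catches the failure before the empty-list check runs.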

This uses mapfile to safely populate an array and "${tests[@]}" to expand elements without shell interpretation of metacharacters.

Also applies to: 146-146

🧰 Tools: 🪛 zizmor (1.25.2)

[error] 138-138: code injection via template expansion (template-injection): may expand into attacker-controllable code

In @.github/workflows/build.yml at line 138, The workflow embeds `${{
inputs.flake }}` into a jq expression and later expands `$tests` unquoted,
allowing shell metacharacters in inputs to be interpreted; change the pipeline
to have jq emit a JSON array (rather than raw/unquoted strings) and then read
that JSON safely into a bash array (e.g., via mapfile/readarray + jq -r '.[]' or
using jq -c to produce an array and jq -r '.[]' into mapfile) and always expand
the results as `"${tests[@]}"`; in short, stop inserting `${{ inputs.flake }}`
raw into shell text, emit/consume JSON-safe values from jq, populate `tests`
with mapfile/readarray, and use quoted expansion (`"${tests[@]}"`) wherever
`$tests` is used.

Source: Linters/SAST tools
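The hardened pattern the comment above recommends, as an added example that is not part of the PR or of the review: it runs offline against a constructed stand-in for the `nix flake show --json` output, passes the flake ref to jq with `--arg` instead of template-expanding it into the program, and contrasts unquoted expansion of `$tests` with a quoted array (function names are hypothetical).

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the review: the hardened discovery pattern,
# run offline against a constructed stand-in for `nix flake show --json`; names are hypothetical.
set -euo pipefail

# Constructed sample in the shape the jq filter expects. The third entry has
# no "derivation", so the has("derivation") filter must drop it.
SAMPLE_FLAKE_JSON='{"inventory":{"hydraJobs":{"output":{"children":{"tests":{"children":{
  "authorization":{"derivation":"placeholder.drv"},
  "remote-builds":{"derivation":"placeholder.drv"},
  "not-a-test":{"type":"unknown"}
}}}}}}}'

# Stand-in for `nix build ... <installables>`: report how many arguments arrived.
count_args() { echo "$#"; }

# Emit one installable per line. The flake ref enters jq through --arg as a jq
# variable instead of being spliced into the single-quoted program, so a ref
# holding a quote or other metacharacter cannot break out of the filter.
discover_tests() {
  local flake=$1 json=$2
  jq -r --arg flake "$flake" '
    .inventory.hydraJobs.output.children.tests.children
    | with_entries(select(.value | has("derivation")))
    | keys[]
    | $flake + "#hydraJobs.tests." + .' <<<"$json"
}

# The workflow's original pattern: a scalar expanded unquoted, which the shell
# word-splits, so a flake ref containing whitespace becomes extra arguments.
build_argc_unquoted() {
  local tests
  tests=$(discover_tests "$1" "$2")
  # shellcheck disable=SC2086  # deliberately unquoted to reproduce the defect
  count_args $tests
}

# The hardened pattern: capture first, so a failing jq or nix aborts the step
# under set -e instead of silently yielding an empty list, then load an array
# and expand it quoted so every installable stays exactly one argument.
build_argc_quoted() {
  local out tests
  out=$(discover_tests "$1" "$2")
  if [ -z "$out" ]; then
    echo "error: no tests found in hydraJobs.tests" >&2
    return 1
  fi
  mapfile -t tests <<<"$out"
  count_args "${tests[@]}"
}
```

With a flake ref such as `path:/tmp/my flake`, the unquoted variant hands `nix build` four arguments and the quoted array hands it two; an empty discovery result exits non-zero instead of building nothing.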

@edolstra edolstra added this pull request to the merge queue Jun 10, 2026
Merged via the queue into main with commit dd54928 Jun 10, 2026
30 checks passed
@edolstra edolstra deleted the run-hydra-tests branch June 10, 2026 21:14