NixOS · tomberek · Feb 19, 2023 · Feb 19, 2023 · Feb 19, 2023 · roberth
@@ -104,6 +104,7 @@ static FlakeInput parseFlakeInput(EvalState & state,
  auto sUrl = state.symbols.create("url");
  auto sFlake = state.symbols.create("flake");
  auto sFollows = state.symbols.create("follows");
+ auto sSubmodules = state.symbols.create("submodules");
 
  fetchers::Attrs attrs;
  std::optional<std::string> url;
@@ -117,6 +118,9 @@ static FlakeInput parseFlakeInput(EvalState & state,
  } else if (attr.name == sFlake) {
  expectType(state, nBool, *attr.value, attr.pos);
  input.isFlake = attr.value->boolean;
+ } else if (attr.name == sSubmodules) {
+ expectType(state, nBool, *attr.value, attr.pos);
+ input.hasSubmodules = attr.value->boolean;
  } else if (attr.name == sInputs) {
  input.overrides = parseFlakeInputs(state, attr.value, attr.pos, baseDir, lockRootPath);
  } else if (attr.name == sFollows) {
@@ -229,8 +233,20 @@ static Flake getFlake(
 
  auto sInputs = state.symbols.create("inputs");
 
- if (auto inputs = vInfo.attrs->get(sInputs))
+ if (auto inputs = vInfo.attrs->get(sInputs)) {
  flake.inputs = parseFlakeInputs(state, inputs->value, inputs->pos, flakeDir, lockRootPath);
+ if (originalRef.input.attrs.count("submodules") == 0) {
+ auto self = flake.inputs.find("self");
+ if (self != flake.inputs.end() && self->second.hasSubmodules) {
+ auto newRef = originalRef;
+ newRef.input.attrs["submodules"] = nix::Explicit<bool>{true};
+ // note: Called twice due to submodule handling in src/libfetcher (55cefd41d6)
+ warn("Loading submodules for %s because 'inputs.self.submodule' is true at %s",
+ originalRef.input.to_string(),state.positions[inputs->pos]);
+ return getFlake(state,newRef,allowLookup,flakeCache,lockRootPath);
+ }
+ }
+ }
 
  auto sOutputs = state.symbols.create("outputs");
 
@@ -405,6 +421,7 @@ LockedFlake lockFlake(
  necessary (i.e. if they're new or the flakeref changed
  from what's in the lock file). */
  for (auto & [id, input2] : flakeInputs) {
+ if (id == "self") continue;
  auto inputPath(inputPathPrefix);
  inputPath.push_back(id);
  auto inputPathS = printInputPath(inputPath);

@@ -41,6 +41,7 @@ typedef std::map<FlakeId, FlakeInput> FlakeInputs;
 struct FlakeInput
 {
  std::optional<FlakeRef> ref;
+ bool hasSubmodules = false;
  bool isFlake = true; // true = process flake to get outputs, false = (fetched) static source path
  std::optional<InputPath> follows;
  FlakeInputs overrides;

@@ -114,6 +114,8 @@ reference types:
 
 * `ref`: A Git or Mercurial branch or tag name.
 
+* `submodules`: A boolean supporting Git submodules.
-* `submodules`: A boolean supporting Git submodules.
+* `submodules`: Whether to also include Git submodules. Defaults to `false`.
+
-* `submodules`: A boolean supporting Git submodules.
+* `submodules`: Whether to also include Git submodules. Defaults to `false`.
+
+
 Finally, some attribute are typically not specified by the user, but
 can occur in *locked* flake references and are available to Nix code:
 

@@ -0,0 +1,118 @@
+source common.sh
+
+set -u
+
+if [[ -z $(type -p git) ]]; then
+ echo "Git not installed; skipping Git submodule tests"
+ exit 99
+fi
+
+clearStore
+
+rootRepo=$TEST_ROOT/gitSubmodulesRoot
+subRepo=$TEST_ROOT/gitSubmodulesSub
+
+rm -rf ${rootRepo} ${subRepo} $TEST_HOME/.cache/nix
+
+# Submodules can't be fetched locally by default, which can cause
+# information leakage vulnerabilities, but for these tests our
+# submodule is intentionally local and it's all trusted, so we
+# disable this restriction. Setting it per repo is not sufficient, as
+# the repo-local config does not apply to the commands run from
+# outside the repos by Nix.
+export XDG_CONFIG_HOME=$TEST_HOME/.config
+git config --global protocol.file.allow always
+
+initGitRepo() {
+ git init $1
+ git -C $1 config user.email "foobar@example.com"
+ git -C $1 config user.name "Foobar"
+}
+
+addGitContent() {
+ echo "lorem ipsum" > $1/content
+ git -C $1 add content
+ git -C $1 commit -m "Initial commit"
+}
+
+initGitRepo $subRepo
+addGitContent $subRepo
+
+initGitRepo $rootRepo
+
+git -C $rootRepo submodule init
+git -C $rootRepo submodule add $subRepo sub
+git -C $rootRepo add sub
+git -C $rootRepo commit -m "Add submodule"
+
+rev=$(git -C $rootRepo rev-parse HEAD)
+
+cd $rootRepo
+
+touch flake.nix
+git add flake.nix
+
+# Case, CLI parameter
+cat <<EOF > flake.nix
+{
+ outputs = {self}: {
+ sub = self.outPath;
+ };
+}
+EOF
+[ -e $(nix eval '.?submodules=1#sub' --raw)/sub/content ]
+
+# Case, CLI parameter
+cat <<EOF > flake.nix
+{
+ outputs = {self}: {
+ sub = self.outPath;
+ };
+}
+EOF
+[ ! -e $(nix eval '.?submodules=0#sub' --raw)/sub/content ]
+
+# Case, flake.nix parameter
+cat <<EOF > flake.nix
+{
+ inputs.self.submodules = false;
+ outputs = {self}: {
+ sub = self.outPath;
+ };
+}
+EOF
+
+[ ! -e $(nix eval .#sub --raw)/sub/content ]
+
+# Case, flake.nix parameter
+cat <<EOF > flake.nix
+{
+ inputs.self.submodules = true;
+ outputs = {self}: {
+ sub = self.outPath;
+ };
+}
+EOF
+[ -e $(nix eval .#sub --raw)/sub/content ]
+
+# Case, CLI precedence
+cat <<EOF > flake.nix
+{
+ inputs.self.submodules = true;
+ outputs = {self}: {
+ sub = self.outPath;
+ };
+}
+EOF
+[ ! -e $(nix eval '.?submodules=0#sub' --raw)/sub/content ]
+
+# Case, CLI precedence
+cat <<EOF > flake.nix
+{
+ inputs.self.submodules = false;
+ outputs = {self}: {
+ sub = self.outPath;
+ };
+}
+EOF
+[ -e $(nix eval '.?submodules=1#sub' --raw)/sub/content ]
@@ -10,6 +10,7 @@ nix_tests = \
  flakes/unlocked-override.sh \
  flakes/absolute-paths.sh \
  flakes/build-paths.sh \
+ flakes/submodules.sh \
  ca/gc.sh \
  gc.sh \
  remote-store.sh \