ci: Do not pass --accept-flake-config by default

srid · srid · commit 0659c836faaa · 2025-02-04T10:59:02.000-05:00
NixOS/nix#9649
diff --git a/crates/nix_rs/src/flake/command.rs b/crates/nix_rs/src/flake/command.rs
@@ -119,7 +119,7 @@ pub struct FlakeOptions {
     pub refresh: bool,
 
     /// Accept `nixConfig` configuration in flake.nix
-    pub accept_flake_config: bool,
+    pub accept_flake_config: Option<bool>,
 
     /// The directory from which to run our nix command (such that relative flake URLs resolve properly)
     pub current_dir: Option<PathBuf>,
@@ -131,7 +131,8 @@ impl Default for FlakeOptions {
             override_inputs: BTreeMap::new(),
             no_write_lock_file: false,
             refresh: false,
-            accept_flake_config: true, // --accept-flake-config is the default
+            // Do not enable this by default since it is not secure; https://github.com/NixOS/nix/issues/9649
+            accept_flake_config: None,
             current_dir: None,
         }
     }
@@ -152,8 +153,12 @@ impl FlakeOptions {
         if self.refresh {
             cmd.arg("--refresh");
         }
-        if self.accept_flake_config {
-            cmd.arg("--accept-flake-config");
+        if let Some(accept) = self.accept_flake_config {
+            if accept {
+                cmd.arg("--accept-flake-config");
+            } else {
+                cmd.arg("--no-accept-flake-config");
+            }
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ pub struct FlakeOptions {`
`119`	`119`	`pub refresh: bool,`
`120`	`120`
`121`	`121`	/// Accept `nixConfig` configuration in flake.nix
`122`		`- pub accept_flake_config: bool,`
	`122`	`+ pub accept_flake_config: Option<bool>,`
`123`	`123`
`124`	`124`	`/// The directory from which to run our nix command (such that relative flake URLs resolve properly)`
`125`	`125`	`pub current_dir: Option<PathBuf>,`
`@@ -131,7 +131,8 @@ impl Default for FlakeOptions {`
`131`	`131`	`override_inputs: BTreeMap::new(),`
`132`	`132`	`no_write_lock_file: false,`
`133`	`133`	`refresh: false,`
`134`		`- accept_flake_config: true, // --accept-flake-config is the default`
	`134`	`+ // Do not enable this by default since it is not secure; https://github.com/NixOS/nix/issues/9649`
	`135`	`+ accept_flake_config: None,`
`135`	`136`	`current_dir: None,`
`136`	`137`	`}`
`137`	`138`	`}`
`@@ -152,8 +153,12 @@ impl FlakeOptions {`
`152`	`153`	`if self.refresh {`
`153`	`154`	`cmd.arg("--refresh");`
`154`	`155`	`}`
`155`		`- if self.accept_flake_config {`
`156`		`- cmd.arg("--accept-flake-config");`
	`156`	`+ if let Some(accept) = self.accept_flake_config {`
	`157`	`+ if accept {`
	`158`	`+ cmd.arg("--accept-flake-config");`
	`159`	`+ } else {`
	`160`	`+ cmd.arg("--no-accept-flake-config");`
	`161`	`+ }`
`157`	`162`	`}`
`158`	`163`	`}`
`159`	`164`	`}`