Open
Conversation
📝 WalkthroughWalkthroughAdds support for recording build provenance tags (arbitrary name/value pairs): new Settings entry, parsing/serialization for map<string,string>, BuildProvenance gains tags (constructor, JSON in/out), derivation construction passes tags, and textual provenance display prints them. Changes
Sequence Diagram(s)sequenceDiagram
participant Settings as Settings (config)
participant Deriver as DerivationBuilder
participant Store as BuildProvenance
participant JSON as JSON (serialization)
participant CLI as CLI/display
Settings->>Deriver: provide buildProvenanceTags (map)
Deriver->>Store: construct BuildProvenance(..., tags)
Store->>JSON: to_json() includes "tags"
Note right of JSON: JSON persisted/stored
JSON->>Store: registerBuildProvenance(... parse "tags" ...)
Store->>CLI: when displaying, emit "tag <name>: <value>"
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
tests/functional/common/init.sh (1)
56-56: Keep test config parity across NixOS and non-NixOS paths.
build-provenance-tagsis only set in one branch right now. Adding it to the NixOS branch too will prevent configuration drift if/when the same provenance expectations are enabled there.💡 Proposed patch
cat > "$test_nix_conf" <<EOF # TODO: this is not needed for all tests and prevents stable commands from be tested in isolation experimental-features = ${experimental_features:-} flake-registry = $TEST_ROOT/registry.json show-trace = true +build-provenance-tags = {"pr": "1234", "branch": "main"} EOF🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tests/functional/common/init.sh` at line 56, The NixOS branch of the test init script is missing the build-provenance-tags assignment; add the same line build-provenance-tags = {"pr": "1234", "branch": "main"} into the NixOS configuration branch (the block that configures NixOS paths/variables in tests/functional/common/init.sh) so both NixOS and non-NixOS branches set identical provenance tags.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/libstore/provenance.cc`:
- Around line 27-29: The current parsing of tags uses optionalValueAt(obj,
"tags") and immediately calls p->get<std::map<std::string, std::string>>(),
which throws if the JSON value is null; update the code to detect a null value
before calling get — e.g., after obtaining p from optionalValueAt(obj, "tags")
check p->is_null() (or equivalent) and only call p->get<std::map<std::string,
std::string>>() when not null, leaving the tags map empty when the JSON value is
null.
---
Nitpick comments:
In `@tests/functional/common/init.sh`:
- Line 56: The NixOS branch of the test init script is missing the
build-provenance-tags assignment; add the same line build-provenance-tags =
{"pr": "1234", "branch": "main"} into the NixOS configuration branch (the block
that configures NixOS paths/variables in tests/functional/common/init.sh) so
both NixOS and non-NixOS branches set identical provenance tags.
ℹ️ Review info
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (9)
src/libcmd/include/nix/cmd/installable-attr-path.hhsrc/libstore/globals.ccsrc/libstore/include/nix/store/globals.hhsrc/libstore/include/nix/store/provenance.hhsrc/libstore/provenance.ccsrc/libstore/unix/build/derivation-builder.ccsrc/nix/provenance.cctests/functional/common/init.shtests/functional/flakes/provenance.sh
💤 Files with no reviewable changes (1)
- src/libcmd/include/nix/cmd/installable-attr-path.hh
These are name/value pairs from the build host that can be configured through the `build-provenance-tags` setting.
edolstra
force-pushed
the
provenance-tags
branch
from
0345e76 to
461106e
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/libstore/include/nix/store/provenance.hh (1)
1-6: Consider adding#include <map>forstd::mapusage.The file uses
std::map<std::string, std::string>but doesn't directly include<map>. While it may be transitively included through one of the existing headers, directly including required standard library headers makes the code more robust against changes in transitive dependencies.Suggested include addition
`#pragma` once `#include` "nix/util/provenance.hh" `#include` "nix/store/path.hh" `#include` "nix/store/outputs-spec.hh" + +#include <map> +#include <string> namespace nix {🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/libstore/include/nix/store/provenance.hh` around lines 1 - 6, This header uses std::map<std::string, std::string> (in provenance-related declarations) but doesn't include the <map> header; add a direct include for <map> near the top of src/libstore/include/nix/store/provenance.hh (alongside the other includes) so std::map is available even if transitive includes change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@src/libstore/include/nix/store/provenance.hh`:
- Around line 1-6: This header uses std::map<std::string, std::string> (in
provenance-related declarations) but doesn't include the <map> header; add a
direct include for <map> near the top of
src/libstore/include/nix/store/provenance.hh (alongside the other includes) so
std::map is available even if transitive includes change.
ℹ️ Review info
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (8)
src/libstore/globals.ccsrc/libstore/include/nix/store/globals.hhsrc/libstore/include/nix/store/provenance.hhsrc/libstore/provenance.ccsrc/libstore/unix/build/derivation-builder.ccsrc/nix/provenance.cctests/functional/common/init.shtests/functional/flakes/provenance.sh
🚧 Files skipped from review as they are similar to previous changes (4)
- src/libstore/unix/build/derivation-builder.cc
- src/libstore/provenance.cc
- tests/functional/common/init.sh
- tests/functional/flakes/provenance.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
These are name/value pairs from the build host that can be configured through the
build-provenance-tagssetting.Context
Summary by CodeRabbit
New Features
Tests