Do not attempt to write a lock file in builtins.getFlake

[ncfavier]

Fixes #6541

[thufschmitt]

I don’t think we can just do that, because that would break purity (since getFlake can be used in pure eval mode, and locking a flake is inherently impure). But it’s probably fine to set writeLockFile to !evalSettings.pureEval, so that it’s only available in impure mode.

For the pure use-case, maybe the interface of getFlake could be extended (to allow passing an external lockfile for example). Alternatively/in the meantime, fetchTree+callLocklessFlake might do the job too

[ncfavier]

This should be covered by the lines above:

nix/src/libexpr/flake/flake.cc

Lines 719 to 720 in 681fc3c

	if (evalSettings.pureEval && !flakeRef.input.isLocked())
	throw Error("cannot call 'getFlake' on unlocked flake reference '%s', at %s (use --impure to override)", flakeRefS, state.positions[pos]);

[edolstra]

@ncfavier That only checks whether the flake reference is locked (e.g. github:nix-community/home-manager/32a7da69dc53c9eb5ad0675eb7fdc58f7fe35272 vs github:nix-community/home-manager). A locked flake reference can refer to a flake that doesn't have a flake.lock, which would be non-reproducible (e.g. its flake.nix can reference an unlocked nixpkgs).

[thufschmitt]

Ah I should have looked better. The line you point to isn’t enough (it only checks whether the ref passed to getFlake is a locked reference, not that it contains a lockfile), but as @edolstra mentionned in #6541 (comment), passing .allowMutable = !evalSettings.pureEval prevents it from updating the lockfile in pure mode. So it’s all right :)

[thufschmitt]

So it’s all right :)

Well, it’s all right, bit given how non-trivial it is, I think it’s definitely worth a test to ensure that it doesn’t get accidentally broken ;)

The whole thing actually deserves some tests imho

[ncfavier]

There seems to already be one:

nix/tests/flakes.sh

Lines 158 to 161 in 51d13c4

	# Building a flake with an unlocked dependency should fail in pure mode.
	(! nix build -o $TEST_ROOT/result flake2#bar --no-registries)
	(! nix build -o $TEST_ROOT/result flake2#bar --no-use-registries)
	(! nix eval --expr "builtins.getFlake \"$flake2Dir\"")

Can you think of other scenarios to test?

[ncfavier]

Added a test for the case that this PR fixes

[thufschmitt]

Added a test for the case that this PR fixes

Thanks :)

Can you think of other scenarios to test?

Nope, should be good since the impure case is already tested :)

Thanks for that then!