Use a fixed Nix version

This makes the binary always use the same Nix version, instead of getting it from PATH. This makes it more reproducible, because issues from different Nix versions can't occur anymore, e.g. #78
NixOS · Jul 19, 2024 · f55f7a6 · f55f7a6
1 parent 30d4f4d
commit f55f7a6
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/default.nix b/default.nix
@@ -45,6 +45,10 @@ let
     settings.formatter.shfmt.options = [ "--space-redirects" ];
   };
 
+  # The resulting package is built to always use this Nix version, such that the result is reproducible
+  # TODO: Switch this to pkgs.nixVersions.minimum, because that's what Nixpkgs CI should use
+  defaultNixPackage = pkgs.nix;
+
   packages = {
     build = pkgs.callPackage ./package.nix {
       inherit
@@ -54,10 +58,12 @@ let
         testNixpkgsPath
         version
         ;
+      nix = defaultNixPackage;
     };
 
     shell = pkgs.mkShell {
       env.NIX_CHECK_BY_NAME_EXPR_PATH = toString runtimeExprPath;
+      env.NIX_CHECK_BY_NAME_NIX_PACKAGE = lib.getBin defaultNixPackage;
       env.NIX_PATH = "test-nixpkgs=${toString testNixpkgsPath}:test-nixpkgs/lib=${toString nixpkgsLibPath}";
       env.RUST_SRC_PATH = "${pkgs.rustPlatform.rustLibSrc}";
       inputsFrom = [ packages.build ];
@@ -69,6 +75,7 @@ let
         rust-analyzer
         rustfmt
         treefmtEval.config.build.wrapper
+        defaultNixPackage
       ];
     };
 

diff --git a/package.nix b/package.nix
@@ -33,6 +33,7 @@ rustPlatform.buildRustPackage {
     makeWrapper
   ];
   env.NIX_CHECK_BY_NAME_EXPR_PATH = "${runtimeExprPath}";
+  env.NIX_CHECK_BY_NAME_NIX_PACKAGE = lib.getBin nix;
   env.NIX_PATH = "test-nixpkgs=${testNixpkgsPath}:test-nixpkgs/lib=${nixpkgsLibPath}";
   preCheck = initNix;
   postCheck = ''
@@ -41,6 +42,7 @@ rustPlatform.buildRustPackage {
   '';
   postInstall = ''
     wrapProgram $out/bin/nixpkgs-check-by-name \
-      --set NIX_CHECK_BY_NAME_EXPR_PATH "$NIX_CHECK_BY_NAME_EXPR_PATH"
+      --set NIX_CHECK_BY_NAME_EXPR_PATH "$NIX_CHECK_BY_NAME_EXPR_PATH" \
+      --set NIX_CHECK_BY_NAME_NIX_PACKAGE ${lib.getBin nix}
   '';
 }
diff --git a/src/eval.rs b/src/eval.rs
@@ -125,8 +125,12 @@ pub fn check_values(
     let expr_path = std::env::var("NIX_CHECK_BY_NAME_EXPR_PATH")
         .with_context(|| "Could not get environment variable NIX_CHECK_BY_NAME_EXPR_PATH")?;
 
+    // Pinning nix in this way makes the tool more reproducible
+    let nix_package = std::env::var("NIX_CHECK_BY_NAME_NIX_PACKAGE")
+        .with_context(|| "Could not get environment variable NIX_CHECK_BY_NAME_NIX_PACKAGE")?;
+
     // With restrict-eval, only paths in NIX_PATH can be accessed. We explicitly specify them here.
-    let mut command = process::Command::new("nix-instantiate");
+    let mut command = process::Command::new(format!("{nix_package}/bin/nix-instantiate"));
     command
         // Capture stderr so that it can be printed later in case of failure
         .stderr(process::Stdio::piped())