Hi all,
I have a git repo that includes a flake.nix and also a justfile for execution with just. The justfile contains some recipes to run some checks on the codebase. It would be nice to be able to also run the just recipes from the checks output declared in flake.nix. For some recipes that is not a problem, but in just recipes, it is fairly common to start the recipes with a hashbang, e.g. #!/usr/bin/env bash. (For one reason to do this, see here.) Now from the nix devShell, running the recipes works fine, but using nix flake check doesn’t work, as /usr/bin/env doesn’t exist in the environment that the checks are being executed in, IIUC.
Here’s a repo that demonstrates the issue. Entering a devShell and running either just without-hashbang and just with-hashbang both work fine. The flake.nix file declares two checks that correspond to the two just recipes. When running nix flake check, it fails with:
evaluating flake...
running flake checks...
building '/nix/store/cq7a7il5r6yd0ddar93xmll2067yjq6a-with-hashbang.drv'...
building '/nix/store/pj7d4z0xhyafp2z6nvwh4bw9wnk80slw-without-hashbang.drv'...
error: builder for '/nix/store/cq7a7il5r6yd0ddar93xmll2067yjq6a-with-hashbang.drv' failed with exit code 1;
last 1 log lines:
> error: Recipe `with-hashbang` with shebang `#!/usr/bin/env bash` execution error: No such file or directory (os error 2)
For full logs, run 'nix log /nix/store/cq7a7il5r6yd0ddar93xmll2067yjq6a-with-hashbang.drv'.
error: build of '/nix/store/cq7a7il5r6yd0ddar93xmll2067yjq6a-with-hashbang.drv', '/nix/store/pj7d4z0xhyafp2z6nvwh4bw9wnk80slw-without-hashbang.drv' failed
I can work around this by passing the --no-sandbox cli option. But it’s a bit sad to disable sandboxing altogether, just to be able to use just. Is there a way to make a /usr/bin/env file available while keeping the sandboxing? (If yes, I would then imagine that the /usr/bin/env would only be able to locate executables provided by nix configured in the flake.nix file.)
Thanks!
I’m running:
nix (Nix) 2.13.3
Ubuntu 22.10