How does the fixup phase find its files?

I have the following derivation and I noticed that it patched the shebang in one of my Ansible templates from #!/usr/bin/env bash.
This is no surprise and I should have thought of it; what surprised me was that it didn’t patch all the files.
The repo contains a bunch of templates, plain BASH and Python scripts, all with file endings like:

  • .sh.j2
  • .py.j2
  • .sh
  • .py

However, I found it only patched one of the files as far as I can tell, and I would like to understand why.
The file it patched had a .sh.j2 ending.

{
  lib,
  root,
  stdenvNoCC,
}:
let
  fs = lib.fileset;
  sourceFiles = fs.unions [
    (root + "/ansible.cfg")
    (root + "/helpers")
    (root + "/inventories")
    (root + "/library")
    (root + "/plays")
    (root + "/roles")
  ];
  src = fs.toSource {
    inherit root;
    fileset = sourceFiles;
  };
in
stdenvNoCC.mkDerivation {
  inherit src;
  description = "Ansible configuration, roles and playbooks for foo";
  name = "foo-ansible";
  installPhase = ''
    cp -r $src $out
  '';
}

Perhaps this?

Thank you, I think I found the solution through this.
It only works on files that are marked as executable, and the script that it updated was the only one that was marked executable.
For all the other scripts I let Ansible mark them as executable, once they are copied to the target host.
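
As an added illustration (not code from this thread or from nixpkgs), the shell functions below list which files under a source tree match the rule identified in the last reply, an executable bit plus a `#!` first line, and which scripts would be left untouched. The function names and the sample tree are made up for the demo, and treating "starts with `#!`" as the script test is an assumption.

```shell
#!/bin/sh
# Added example: audit a tree for files a shebang-patching pass would
# touch if it only visits executable files (the behaviour found above).

# list_scripts DIR [find tests...]: relative paths of regular files under
# DIR that match the extra find tests and begin with "#!" (assumed test).
list_scripts() {
  dir=$1; shift
  ( cd "$dir" && find . -type f "$@" -exec sh -c '
      for f in "$@"; do
        if [ "$(head -c 2 "$f")" = "#!" ]; then printf "%s\n" "${f#./}"; fi
      done' sh {} + | sort )
}

# Owner-executable scripts: candidates for shebang rewriting.
shebang_candidates() { list_scripts "$1" -perm -0100; }

# Scripts without the owner-execute bit: their shebang stays as written.
shebang_skipped() { list_scripts "$1" ! -perm -0100; }

# Constructed sample tree; all file names are invented for the demo.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/roles/web/templates" "$d/helpers"
  printf '#!/usr/bin/env bash\necho hi\n' > "$d/roles/web/templates/deploy.sh.j2"
  printf '#!/usr/bin/env bash\necho hi\n' > "$d/roles/web/templates/backup.sh.j2"
  printf '#!/usr/bin/env python3\nprint(1)\n' > "$d/helpers/check.py"
  printf 'plain text\n' > "$d/helpers/notes.txt"
  # Only one template is executable; notes.txt is executable but no script.
  chmod +x "$d/roles/web/templates/deploy.sh.j2" "$d/helpers/notes.txt"
  printf '%s\n' "$d"
}

sample=$(make_sample_tree)
echo "would be patched:"; shebang_candidates "$sample"
echo "would be skipped:"; shebang_skipped "$sample"
rm -rf "$sample"
```

Running the two functions against the real source directory before building shows which templates reach the target host with their original interpreter line and which ones carry a store path instead.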