ERROR: no such package '@io_tweag_rules_nixpkgs//nixpkgs':
java.io.IOException:
Error downloading
https://github.com/tweag/rules_nixpkgs/archive/3425eb1cddee0f824944e04258f43c97a2e78cc3.tar.gz
to /build/.cache/bazel/_bazel_nixbld/cc61aad5ab2f850e8dc25e1bcc0af429/external/io_tweag_rules_nixpkgs/temp7796387977141492287/3425eb1cddee0f824944e04258f43c97a2e78cc3.tar.gz
Unknown host: github.com
which doesn’t seem to make a lot of sense (if you copy the URL, your browser should download the tarball). It seems like there is a configuration bug.
I found a couple of related threads:
Discussion in buildBazelPackage which mentions that there might be a workaround using a fetchAttrs.sha256, but I can’t tell if that applies to my use case or not.
If possible, I’d like to allow Bazel and only Bazel to fetch stuff (since those are verified with SHA256 checksums in the Bazel config anyways), while still maintaining other forms of sandboxing. I see there is a --no-sandbox flag but that seems like a blunt hammer…
I took a look at the CI config for Tweag’s rules_nixpkgs, but nothing in the shell.nix or in the CI code stands out to me in terms of why their CI doesn’t run into this issue.
Thank you, that is helpful information. I was reading up on FODs and they don’t seem like what I’d want since the hash would have to change for ~every commit.
I was digging into the rules_nixpkgs build, which does have a similar http_archive call:
One of the builds talks to BuildBuddy and performs the build remotely, but that invocation runs through nix-shell:
Resolution: I ended up using a nix develop --command <mycommand> invocation, because disabling sandboxing wasn’t sufficient; I needed Bazel to be able to access nix-build when running, but I couldn’t achieve that with nix build --no-sandbox <blah> (I suppose I could’ve included nix-build as a dependency inside the derivation… but this works fine for now…).