Cannot run makes on NixOS systems which configure programs.git

[kraftnix]

Problem

I am unable to run any makes commands in any NixOS system which uses NixOS to configure git (resulting in a read-only ~/.config/git/config file).

Reproduction Steps

1. Have a read-only ~/.config/git/config or configure NixOS with programs.git.config.*
2. Run nix run github:fluidattacks/makes -- m github:fluidattacks/makes /helloWorld 1 2 3

error: could not lock config file /home/kraftnix/.config/git/config: Read-only file system

if you remove/move .config/git/config then the command works as expected.

Expected Result

I should be able to run makes on NixOS under a user with a read-only config or NixOS configured config.

I looked through the current documentation and issues and found nothing related to this problem.

[dsalaza4]

@kraftnix Thank you so much for this report!

This is most likely related to this change: 0251c2a#diff-2c1c4ba2536c6703404deca94474d191fa0297bc0ede8a6413ca3185d8cbb1fdR233

@jpverde Can you please provide more context on the Git issue that forced us to to this and possible workarounds?

Thanks!

[dsalaza4]

@kraftnix By the way, I'm guessing you want to keep your git config read only for reproducibility reasons?

This is how I configure git using NixOS and Home Manager: https://github.com/dsalaza4/env/blob/main/modules/pkgs/git/default.nix

The git config is still writable.

[kraftnix]

The git config is still writable.

Curious, I am also using home-manager to configure my .git/config, however the resulting config is a symlink to the nix store and is thus not writable.

@jpverde Can you please provide more context on the Git issue that forced us to to this and possible workarounds?

I remember the issue as well from other projects, here is the related nixpkgs issue: NixOS/nixpkgs#169193

@kraftnix By the way, I'm guessing you want to keep your git config read only for reproducibility reasons?

I would prefer to keep it read-only for reproducibility reasons. I also am not a fan of tools reconfiguring my settings globally, so if we could find a solution which keeps the git config changes project local that would be ideal.

[dsalaza4]

Curious, I am also using home-manager to configure my .git/config, however the resulting config is a symlink to the nix store and is thus not writable.

1. I can confirm that my global git config is read only too.
2. For some reason, when running makes with nix run github:fluidattacks/makes -- github:fluidattacks/makes@main /helloWorld 1 2 3, it works properly for me.
3. If I run the git command that _add_safe_directory has, I get the error you reported:

   $ git config --global --add safe.directory /github/workspace
   error: could not lock config file /home/nixos/.config/git/config: Read-only file system
   

4. I think this means that the Makes CLI is not executing the _add_safe_directory function for me. 🤔
5. These are the conditions for calling _add_safe_directory:

   makes/src/cli/main/cli.py

   Line 122 in d24478d

   if abspath(src) == CWD: # `m .` ?

   I think I should be reaching the function here:

   makes/src/cli/main/cli.py

   Line 130 in d24478d

   _add_safe_directory()

   but for some reason i don't?

@jpverde

[dsalaza4]

@kraftnix Hey!

Were you able to find a solution for this?

[kraftnix]

Unfortunately I never did seem to find a decent solution.

It appears I worked around it by setting git config options from within a script that needed to use git / whenever I ran into this issue.

Something like:

makeScript {
  ...
  entrypoint = ''
    require_env_var GIT_USER
    require_env_var GIT_EMAIL
   
    ...

    git config user.name $GIT_USER
    git config user.email $GIT_EMAIL
  '';
}

This is definitely a bad workaround but it's been working in my CI since so I haven't come back to this issue.

[dsalaza4]

@kraftnix Oh wait a moment, this looks like a different problem!

makeScript does not inherit the $HOME envar used by git to get its global configs.

If you want to use your global git configurations from a makeScript context, you can use the $HOME_IMPURE envar like this:

HOME="${HOME_IMPURE}" git ...

[kraftnix]

In the above script it is a different problem indeed. But nix run github:fluidattacks/makes -- m github:fluidattacks/makes /helloWorld 1 2 3 still fails with the same error as before if I configured my global git config with home-manager or NixOS.

[pjjw]

yeah, just tacking on on this one, editing users' global config leaves a pretty terrible taste in the mouth of the evaluator. took me a while to even figure out what was going on here.

[pjjw]

my guess here is that there's something a bit broken about your "using stable nix" checks. i'm executing it from flakes (nix run -- github:fluidattacks/makes github:fluidattacks/makes) and it's trying to run that global config edit, which it shouldn't need to do.

[dsalaza4]

Hi everyone!

A fix for this has been merged: https://github.com/fluidattacks/makes/pull/1165/files

Make sure you update to the latest version.

Let me know if things work for you now.

[kraftnix]

I had another look at the issue.

The main branch seems to resolve the git config issues, as initially reported

nix run github:fluidattacks/makes -- github:fluidattacks/makes@main /helloWorld 1 2 3

Happy to close the issue now.