Merge pull request #391 from qowoz/insecure

allow nixpkgs-review to build insecure packages

flake.nix

@@ -7,10 +7,12 @@
   inputs.treefmt-nix.url = "github:numtide/treefmt-nix";
   inputs.treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+  inputs.runtimeDeps.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+
   nixConfig.extra-substituters = "https://nix-community.cachix.org";
   nixConfig.extra-trusted-public-keys = "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=";
 
-  outputs = { self, nixpkgs, mmdoc, treefmt-nix } @ args:
+  outputs = { self, nixpkgs, mmdoc, treefmt-nix, runtimeDeps } @ args:
     let
       systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
       eachSystem = f: nixpkgs.lib.genAttrs systems (system: f nixpkgs.legacyPackages.${system});

pkgs/default.nix

@@ -1,15 +1,18 @@
 { nixpkgs
 , mmdoc
+, runtimeDeps
 , system
 , self
 , ...
 }:
 
 let
 
+  runtimePkgs = import runtimeDeps { inherit system; };
+
   pkgs = import nixpkgs { inherit system; config = { allowBroken = true; }; };
 
-  drvAttrs = attrs: with pkgs; {
+  drvAttrs = attrs: with runtimePkgs; {
     NIX = nix;
     GIT = git;
     JQ = jq;

src/NixpkgsReview.hs

@@ -43,7 +43,7 @@ run cache commit =
             proc "rm" ["-rf", revDir cache commit]
         (exitCode, _nixpkgsReviewOutput) <-
           ourReadProcessInterleavedSem $
-            proc "timeout" [T.unpack timeout, (binPath <> "/nixpkgs-review"), "rev", T.unpack commit, "--no-shell"]
+            proc "timeout" [T.unpack timeout, (binPath <> "/nixpkgs-review"), "rev", T.unpack commit, "--no-shell", "--extra-nixpkgs-config", "{ allowInsecurePredicate = x: true; }"]
         case exitCode of
           ExitFailure 124 -> do
             output $ "[check][nixpkgs-review] took longer than " <> timeout <> " and timed out"