-
My crate tests depend on environment variables with secrets necessary for some operations. Is there a way to pass those env vars to the tests without exposing them in the Nix store?
-
It might be possible for a non-flake setup, but currently there seems to me to be no way to pass any outside inputs to flakes (NixOS/nix#5663). You might consider something like this instead: https://github.com/ryantm/agenix
-
Unfortunately there is no good (secure) way of using secrets within a derivation itself (besides turning off the Nix sandbox) other than using `nix build .#whatever --impure`.
As an alternative, cargo nextest's archiving feature could be used to more easily run tests completely outside of Nix and not mess around with impure builds (basically configure one derivation which builds the test archive, then have the CI run
Hope this helps!
Unfortunately there is no good (secure) way of using secrets within a derivation itself (besides turning off the Nix sandbox) other than using `nix build .#whatever --impure`. My advice would be to:
`cargo test --no-run` derivation which builds but doesn't run the tests. This can be part of your flake checks and get built by default
`MY_SECRET=hunter2 nix build .#mySecondCargoTestDrvWithSecret --impure`
As an alternative, cargo nextest's archiving feature could be used to more easily ru…
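
The nextest-archive route from the answer above, sketched as a CI wrapper with a fail-closed check that the secret never reached the derivation file in the store. This is an added example, not code from the thread; the flake output `testArchive` and the file name `archive.tar.zst` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: flake output
# "testArchive", archive file "archive.tar.zst", env var MY_SECRET.

# Exit 0 if the literal secret occurs in FILE. The pattern reaches grep on
# stdin, so it never appears in a process argument list.
secret_in_file() {
    : "${MY_SECRET:?MY_SECRET must be set and non-empty}"
    printf '%s\n' "$MY_SECRET" | grep -qF -f - -- "$1"
}

# Fail closed: non-zero if any file is unreadable or contains the secret.
assert_store_clean() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        if secret_in_file "$f"; then
            echo "secret found in $f: rotate it, fix the derivation" >&2
            return 1
        fi
    done
}

# CI entry point: evaluate and build with MY_SECRET unset for nix, confirm
# the .drv is clean, then run the archived tests outside the sandbox, where
# the secret exists only as a process environment variable.
ci_run_tests() {
    attr=${1:-testArchive}   # hypothetical flake output name
    drv=$(unset MY_SECRET; nix eval --raw ".#${attr}.drvPath") || return 1
    out=$(unset MY_SECRET; nix build ".#${attr}" --no-link --print-out-paths) || return 1
    assert_store_clean "$drv" || return 1
    cargo nextest run --archive-file "$out/archive.tar.zst" --workspace-remap .
}
# In CI, with the secret injected by the CI system: ci_run_tests testArchive
```
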