What's the conventional way to pass environment variables to tests?

[onsails]

My crate tests depend on environment variables with secrets necessary for some operations. Is there a way to pass those env vars to test without exposing them in nix store?

[dpc]

It might be possible for non-flake setup, but currently there seem to me no way to pass any outside inputs to flakes. NixOS/nix#5663

You might consider something like this instead: https://github.com/ryantm/agenix

[onsails]

I've considered (r)agenix for this but apparently it only works as NixOS module, can't be a part of just crane derivation without it being built as part of full NixOS configuration.

[ipetkov]

Unfortunately there is no good (secure) way of using secrets within a derivation itself (besides turning off the Nix sandbox) other than using nix build .#whatever --impure. My advice would be to:

1. use a regular cargo test --no-run derivation which builds but doesn't run the tests. This can be part of your flake checks and get built by default
2. create a second derivation which uses the artifacts from the first and actually runs the cargo tests (shouldn't need to rebuild because of previous artifacts). Then you can hook up your ci to run MY_SECRET=hunter2 nix build .#mySecondCargoTestDrvWithSecret --impure

As an alternative, cargo nextest's archiving feature could be used to more easily run tests completely outside of Nix and not mess around with impure builds (basically configure one derivation which builds the test archive, then have the CI run cargo-nextest on that result with the secrets accessible to it).

Hope this helps!

[onsails]

Thanks! Solved via nextest.

flake.nix:

          rustTest = craneLib.mkCargoDerivation {
            inherit src nativeBuildInputs;
            cargoArtifacts = craneLib.buildDepsOnly {
              inherit src nativeBuildInputs;
              CARGO_PROFILE = "";
            };

            buildPhaseCargoCommand = ''
              mkdir -p $out
              cargo nextest archive --archive-file $out/archive.tar.zst
            '';
          };

on CI:

nix build -j auto .#rustTest
nix develop -j auto --command cargo nextest run --archive-file result/archive.tar.zst --workspace-remap .