Skip to content

scripts: allow setting a path for exec, fixes #17 #2168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 19, 2025
Merged

scripts: allow setting a path for exec, fixes #17 #2168

merged 1 commit into from
Sep 19, 2025

Conversation

domenkozar
Copy link
Member

No description provided.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 19, 2025
edited
Loading

🔍 Suggested Reviewers

Based on git blame analysis of the changed lines, the following contributors have significant experience with the modified code:

  • @sandydoo - 66.7% of changed lines (4 lines)
  • @rawkode - 33.3% of changed lines (2 lines)

Please consider reviewing this PR as you have authored significant portions of the code being modified. Your expertise would be valuable! 🙏

This comment was automatically generated by git-blame-auto-reviewer

Last updated: 2025-09-19T12:37:32.608Z

@claude Claude
Copy link
Contributor

claude bot commented Sep 19, 2025
edited
Loading

Claude finished @domenkozar's task —— View job

Code Review for PR #2168: scripts: allow setting a path for exec

Todo List:

  • Read repository guidelines (CLAUDE.md)
  • Analyze changed files and understand the implementation
  • Review code quality and best practices
  • Check for potential bugs or issues
  • Evaluate performance considerations
  • Assess security concerns
  • Check test coverage
  • Provide constructive feedback

Summary

This PR adds the ability to specify a file path (instead of just string content) for the exec attribute in scripts. The implementation allows both string scripts and path-based scripts by changing the type from types.str to types.oneOf [ types.str types.path ] and handling both cases in the script generation.

Issues & Improvements Needed

1. Missing File Validation (Critical)

src/modules/scripts.nix:53-61

execScript = pkgs.writeScript "${name}-script" (
  if builtins.isPath config.exec
  then ''
    #!${binary}
    ${builtins.readFile config.exec}
  ''
  else ''
    #!${binary}
    ${config.exec}
  ''
);

The builtins.readFile call has no error handling for missing or unreadable files. This will cause cryptic build failures.

Fix: Add file existence validation:

if builtins.isPath config.exec
then 
  if builtins.pathExists config.exec
  then ''
    #!${binary}
    ${builtins.readFile config.exec}
  ''
  else throw "Script file ${toString config.exec} does not exist"

2. Inconsistent Documentation Examples

docs/scripts.md:122 & examples/scripts/devenv.nix:38
The documentation shows exec = ./file-script.sh; but the file file-script.sh doesn't exist in the repository, causing the example to fail.

Fix: Either:

  • Add the missing file-script.sh file to the examples directory
  • Update examples to use an existing file or inline script

3. Missing Test Coverage (High Priority)

No dedicated tests for the new path-based functionality exist. The existing enterTest in examples/scripts/devenv.nix tests the file-example script, but there's no actual file-script.sh file.

Fix: Add tests in /tests/scripts/ to verify:

  • Path-based scripts execute correctly
  • Error handling for missing files
  • File permissions are handled properly
  • Both relative and absolute paths work

4. Type Description Could Be More Specific

src/modules/scripts.nix:15

description = "Shell code to execute when the script is run, or path to a script file.";

Improvement: More specific about file requirements:

description = "Shell code to execute when the script is run, or path to an executable script file. File paths must be readable at build time.";

5. Security Consideration - Path Traversal

While Nix's sandboxing mitigates this, there's no explicit validation that paths are within expected boundaries.

Improvement: Consider adding path validation to prevent accidental inclusion of sensitive files outside the project directory.

6. Performance: Unnecessary File Reading

src/modules/scripts.nix:56
The builtins.readFile happens at evaluation time, which is fine, but the implementation could be optimized by checking file existence first to fail faster.

Positive Aspects

Clean Type System: Using types.oneOf [ types.str types.path ] is the correct Nix approach
Backward Compatibility: Existing string-based scripts continue to work
Consistent API: Follows existing devenv patterns for handling both strings and paths
Good Documentation: The basic functionality is documented with examples

Recommendations

  1. Immediate: Fix the missing file issue and add proper error handling
  2. Short-term: Add comprehensive tests for the new functionality
  3. Medium-term: Consider adding path validation for security

The core implementation is solid and follows Nix best practices, but the missing error handling and tests need to be addressed before this can be considered production-ready.

@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Sep 19, 2025
edited
Loading

Deploying devenv with  Cloudflare Pages  Cloudflare Pages

Latest commit: 6b7e999
Status: ✅  Deploy successful!
Preview URL: https://365ffd97.devenv.pages.dev
Branch Preview URL: https://scripts-path.devenv.pages.dev

View logs

@domenkozar domenkozar merged commit 0ea6a0d into main Sep 19, 2025
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@domenkozar