I'm a new nixpkgs-review user and when running it against a PR I got the following warning:
warning: ignoring the user-specified setting 'sandbox', because it is a restricted setting and you are not a trusted user

Is this warning showing up because sandbox is already enabled globally on nixos or have I just screwed something up? 😅

nix-shell -p nix-info --run "nix-info -m"

• system: "x86_64-linux"
• host os: Linux 5.8.10, NixOS, 21.03pre244416.daaa0e33505 (Okapi)
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.3.7
• channels(root): "home-manager, nixos-21.03pre244416.daaa0e33505, nixos-hardware"
• channels(jk): ""
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

I got a 3900X, and having 24 jobs take up potentially 24 cores each actually hinders the job (as well as makes my computer almost unusable). Would really like to have an option where I can do something like NIX_REVIEW_MAX_JOBS=4 nix-review pr <...>, using an env var also makes the implementation easier:

# nix.py
...
        os.environ.get("NIX_REVIEW_MAX_JOBS", str(multiprocessing.cpu_count())),
...

how to reproduce:

1. clone the nixpkgs repository
2. cd nixpkgs
3. git checkout fe7bab33d75cece4750fd1a51406a6e8993807ce
4. nix-build . -A nixpkgs-review
5. ./result/bin/nixpkgs-review pr 95739

It should crash here. If not, maybe those configuration may be relevant in the configuration.nix of nixos:

nix.package = pkgs.nixUnstable;
nix.extraOptions = ''
    experimental-features = nix-command flakes
'';

and I am nixpkgs revision 6a0fd33b4c15d7e0e0b0cdad5ef280eba32ccdcc

here is the log when I run the build command:

$ git -c fetch.prune=false fetch --force https://github.com/NixOS/nixpkgs master:refs/nixpkgs-review/0 pull/95739/head:refs/nixpkgs-review/1
$ git worktree add /home/marius/.cache/nixpkgs-review/pr-95739-14/nixpkgs fe7bab33d75cece4750fd1a51406a6e8993807ce
Préparation de l'arbre de travail (HEAD détachée fe7bab33d75)
Mise à jour des fichiers: 100% (22453/22453), fait.
HEAD est maintenant à fe7bab33d75 Merge pull request #95553 from zowoq/rename-maintainers
$ git merge --no-commit 147e24dcd6988118c4c548c6ff5b0e1b62463037
La fusion automatique a réussi ; stoppée avant la validation comme demandé
nix: symbol lookup error: nix: undefined symbol: _ZN3nix16downloadSettingsE
https://github.com/NixOS/nixpkgs/pull/95739 failed to build
$ git worktree prune

Currently nix needs around 3.6GB heap space when evaluation nixpkgs.
This is too much.

Describe the bug

nixpkgs-review is a great tool, but it suffers from quite a lot of false positives. One reason for them is obviously broken packages not marked as broken, this is already tracked in #85. The other reason, which I am concerned about, is packages that build (and thus are not marked as broken), but require some manual intervention in the build process. This may be by:

• Providing a license key (for nonfree packages)
• Providing a binary
• Manually doing some other things.

Steps To Reproduce

See NixOS/nixpkgs#91790. Of the 24 packages that fail to build, 8 failed because of the problem mentioned above. See citrix_workspace, worldofgoo, sqldeveloper and quartus-prime-lite as some examples.

Expected behavior

nixpkgs-review should recognize these packages and skip them, as it does for broken packages.

Maybe not an issue since nix-review is possibly smart. I have 8 GB of ram on my laptop. Nix-review often times takes up 7+ GB of ram. This may be an issue as nixpkgs gets larger?

People often run reviews on their normal desktops. For some packages it even makes sense to execute the results under the regular user account for testing. However, this can modify configs in a non-backward compatible way.

For example this locked me out of my DE and prevented Firefox from launching. Debugging from the segfaults would have taken ages and a quick recovery was only possible as I luckily had seen the entry on the font cache issue minutes before.

Would it be reasonable to mount an Overlay FIlesystem for $HOME and point HOME and XDG_*_HOME there (in the resulting nix-shell)?

Or other kinds of nixpkgs repositories like private nixpkgs repos.

Often, code reviewers will run nixpkgs-review pr <num> then manually paste the
results into the code review, like this:

NixOS/nixpkgs#83695

I would like to add the ability to provide a nixpkgs-review pr 1234 --comment flag which will do this automatically, using the markdown report that nixpkgs-review is already producing.

Something I often find myself doing is trying to determine whether a build failure was caused by the PR or whether a particular package was already failing on my machine anyway. Currently it's a little painful fetching & checking out the branch's base, could be made a lot quicker...

The PR template recommends

* Determined the impact on package closure size (by running `nix path-info -S` before and after

It would be nice to have nix-review do that automatically. This may require a second rebuild, so maybe it should be disabled by default. Then again in 99% of the cases the second rebuild would be quick. Maybe it would even be possible to time the changed build first and then decide based on that weather or not to determine closure size.

It would be good if it was possible to specify an alternate temporary directory than $HOME/.cache for the git work tree.

I tried setting XDG_CACHE_HOME explicitely when running nix-review but as far as I can tell , that has no effect if HOME is set.

If ofborg detects a not so secret sentinel markdown comment applied not so secretively on the fly by nixpkgs whem commenting on issues, it should apply corresponding label such as:

nixpkgs-reviewed, which indicates confidence of having passed a nixpkgs-review run without failure.

https://discourse.nixos.org/t/how-many-people-are-paid-to-work-on-nix-nixpkgs/8307/73?u=blaggacao

I want to review NixOS/nixpkgs#42854, but it fails because one of the packages that need to be rebuilt after that PR has since been dropped from Nixpkgs. It would be nice to have the option of not using ofborg cache in such cases.

Hi,

what are the scopes one has to activate for a github API token to work with nixpkgs-review?

I get an error message with the scopes I picked:

urllib.error.HTTPError: HTTP Error 403: Forbidden

For example:

[danbst@station:~/dev/nixpkgs]$ nix-review pr 54931
$ git fetch --force https://github.com/NixOS/nixpkgs master:refs/nix-review/0 pull/54931/head:refs/nix-review/1
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Total 7 (delta 5), reused 5 (delta 5), pack-reused 2
Unpacking objects: 100% (7/7), done.
From https://github.com/NixOS/nixpkgs
   6195a47d259..dd5aa1a67db  master               -> refs/nix-review/0
 + 2981a7b0e33...0648935cd6b refs/pull/54931/head -> refs/nix-review/1  (forced update)
$ git worktree add /home/danbst/.cache/nix-review/pr-54931/nixpkgs dd5aa1a67db46daf02201b54e83c0d58b89db10f
Preparing worktree (detached HEAD dd5aa1a67db)
Checking out files: 100% (18166/18166), done.
HEAD is now at dd5aa1a67db Merge pull request #54626 from FlorianFranzen/bionic
$ git merge --no-commit 0648935cd6bd1c83fc02abedebfadcf68fa13216
Automatic merge went well; stopped before committing as requested
Nothing changed
https://github.com/NixOS/nixpkgs/pull/54931
No packages were successfully build, skip nix-shell
$ git worktree prune

[danbst@station:~/dev/nixpkgs]$

well, I understand there are no packages, but why exit from shell?

Running nixpkgs-review crashes when there are some removed packages but no changed ones.

That line seems wrong: https://github.com/Mic92/nixpkgs-review/blob/master/nixpkgs_review/review.py#L70

Possible patch: s/pkg/p/.

Scoping rules of python are surprising, to say the least.

I am currently reviewing/fixing a lot of packages for Darwin. It would be handy if bit and architecture would be mentioned by default in the report.md.

Example:

Result of nixpkgs-review run on darwin x84_64

Result of nixpkgs-review run on NixOS i386

This is similar to #129

I've run nixpkgs-review on NixOS/nixpkgs#81173. The result is a 'Nothing changed' while the PR removes 2 packages. I would like to see the attributes removed if possible ?

I've hit this a couple of times already with no background nix-review working. How can I force nix-review to ignore things ?

(ins)[teto@jedha:~/nixpkgs3]$ nix-review rev HEAD
/home/teto/.cache/nix-review/rev-bc84ba0d802d3095e0e64cbf19fb83e8e2840993/nixpkgs already exists. Is a different review already running?
Traceback (most recent call last):
  File "/nix/store/jyxbl0k4vv85928mhl72c70ikglz0491-nix-review-1.0.5/bin/.nix-review-wrapped", line 12, in <module>
    sys.exit(main())
  File "/nix/store/jyxbl0k4vv85928mhl72c70ikglz0491-nix-review-1.0.5/lib/python3.7/site-packages/nix_review/__init__.py", line 10, in main
    cli.main(command, args)
  File "/nix/store/jyxbl0k4vv85928mhl72c70ikglz0491-nix-review-1.0.5/lib/python3.7/site-packages/nix_review/cli/__init__.py", line 119, in main
    args.func(args)
  File "/nix/store/jyxbl0k4vv85928mhl72c70ikglz0491-nix-review-1.0.5/lib/python3.7/site-packages/nix_review/cli/rev.py", line 18, in rev_command
    with Builddir(f"rev-{commit}") as builddir:
  File "/nix/store/jyxbl0k4vv85928mhl72c70ikglz0491-nix-review-1.0.5/lib/python3.7/site-packages/nix_review/builddir.py", line 53, in __init__
    os.makedirs(self.worktree_dir)
  File "/nix/store/b75brsgimlrw33l9ykhacz5fni3vq0jn-python3-3.7.2/lib/python3.7/os.py", line 221, in makedirs
    mkdir(name, mode)
FileExistsError: [Errno 17] File exists: '/home/teto/.cache/nix-review/rev-bc84ba0d802d3095e0e64cbf19fb83e8e2840993/nixpkgs'

Also the help doesn't show all options (like -p or --builder-args)

I run nix as a single-user, non-root on CentOS 7.4, without sandboxing (c.f. NixOS/nix#2632), which normally works fine. But when I'm using nix-review I get errors like this:

[0/19 built, 0/23 copied (0.0/369.1 MiB), 0.0/81.2 MiB DL] error: cloning builder process: Invalid argument

When building the same package directly with nix-build I don't get this problems.

I suspect it might have something to do with sandboxing. If true, would it make sense to provide an option to not sandbox?

Since write_shell_expression write the attributes as is
https://github.com/Mic92/nix-review/blob/8ae2b2f822fc6d8f47d3348221abc415facb6873/nix_review/nix.py#L164 it fails on attributes which are nix keywords, for instance haskellPackages.if

$ nix-review pr 62037
$ git fetch --force https://github.com/NixOS/nixpkgs master:refs/nix-review/0 pull/62037/head:refs/nix-review/1
From https://github.com/NixOS/nixpkgs
   1b698b8392d..48d6a67f12d  master               -> refs/nix-review/0
   94496d0ac85..888c84dc3cb  refs/pull/62037/head -> refs/nix-review/1
Auto packing the repository in background for optimum performance.
$ git worktree add /Users/marsam/.cache/nix-review/pr-62037/nixpkgs 48d6a67f12de6ac5a32098d296b45f7c1546a5ea
Preparing worktree (detached HEAD 48d6a67f12d)
Checking out files: 100% (18964/18964), done.
HEAD is now at 48d6a67f12d smplayer: 19.1.0 -> 19.5.0
$ git merge --no-commit 888c84dc3cb37329d0330efb7969f3c18433cec1
Automatic merge went well; stopped before committing as requested
$ nix build --no-link --keep-going --max-jobs 8 --option build-use-sandbox true -f /Users/marsam/.cache/nix-review/pr-62037/build.nix
error: syntax error, unexpected IF, expecting ID or OR_KW or DOLLAR_CURLY or '"', at /Users/marsam/.cache/nix-review/pr-62037/build.nix:2960:21

Allow a -c/--comment option to include a comment.

Eg: nixpkgs-review approve -m "Tested basic functionality on NixOS."

The nixpkgs-review report.md file, when used in nixpkgs-update doesn't look good in email messages:

GitHub PR:
NixOS/nixpkgs#85305

Email screenshot from Gmail:

Original email HTML:

<p>Result of <code>nixpkgs-review</code> <a href="https://github.com/Mic92/nixpkgs-review">1</a></p>
<details>
  <summary>1 package failed to build:</summary>
<br>- python37Packages.rl-coach
</details>
<details>
  <summary>16 packages built:</summary>
<br>- cmake-format
<br>- patroni
<br>- python27Packages.autopep8
<br>- python27Packages.pyls-isort
<br>- python27Packages.python-language-server
<br>- python37Packages.autopep8
<br>- python37Packages.django_silk
<br>- python37Packages.kubernetes
<br>- python37Packages.pyls-black
<br>- python37Packages.pyls-isort
<br>- python37Packages.pyls-mypy
<br>- python37Packages.python-language-server
<br>- spyder (python37Packages.spyder)
<br>- python38Packages.autopep8
<br>- python38Packages.django_silk
<br>- python38Packages.kubernetes
</details>

PR report source:

Result of `nixpkgs-review` [1](https://github.com/Mic92/nixpkgs-review)
<details>
  <summary>1 package failed to build:</summary>
<br>- python37Packages.rl-coach
</details>
<details>
  <summary>16 packages built:</summary>
<br>- cmake-format
<br>- patroni
<br>- python27Packages.autopep8
<br>- python27Packages.pyls-isort
<br>- python27Packages.python-language-server
<br>- python37Packages.autopep8
<br>- python37Packages.django_silk
<br>- python37Packages.kubernetes
<br>- python37Packages.pyls-black
<br>- python37Packages.pyls-isort
<br>- python37Packages.pyls-mypy
<br>- python37Packages.python-language-server
<br>- spyder (python37Packages.spyder)
<br>- python38Packages.autopep8
<br>- python38Packages.django_silk
<br>- python38Packages.kubernetes
</details>

cc @bhipple

Since this is posted on github, It would make sense to provide a default checklist of additional checks performed.
Although, arguably, if it's checklistable, it's also scriptable.

Hence, maybe provide a section for manual checks provided?

Additional manual checks completed:
- [ ] Tested all binaries in `./results/bin`
- [ ] `grep WARN ./logs/*` empty
- [ ] `grep ERR ./logs/*` empty

The intent being the reviewer could either:

• complete the list locally editor result.md
• or tick the boxes on github

It would be cool if the tool would generate a markdown report that can be copy-and-pasted onto the PR. Or even appended as a comment automatically.

/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/bin/nix-review

Quick story: had to kill nix-review, filled my disk drive.

~/tmp/nixpkgs/nixpkgs-PR45705 130 $ time nix-review pr 45705
$ git fetch --force https://github.com/NixOS/nixpkgs master:refs/nix-review/0 pull/45705/head:refs/nix-review/1
$ git worktree add ./.review/pr-45705 2d51cceda419f47ca03960728911cbec7d13c2db
fatal: './.review/pr-45705' already exists
$ git worktree prune
Traceback (most recent call last):
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/bin/..nix-review-wrapped-wrapped", line 12, in <module>
    sys.exit(main())
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/__init__.py", line 10, in main
    app.main(command, args)
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/app.py", line 135, in main
    args.func(args)
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/app.py", line 46, in pr_command
    _pr_command(prs, args.build_args, args.token)
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/app.py", line 35, in _pr_command
    attrs = r.build_pr(pr)
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/review.py", line 64, in build_pr
    git_worktree(self.worktree_dir, base_rev)
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/review.py", line 114, in git_worktree
    sh(["git", "worktree", "add", worktree_dir, commit])
  File "/nix/store/vyc91jp4i0g2lnr3xnir0cgcvraqra9q-nix-review-0.3.0/lib/python3.6/site-packages/nix_review/utils.py", line 7, in sh
    subprocess.check_call(command, cwd=cwd)
  File "/nix/store/pz8nl4cnppd3p1cykshcb40mqxjd5yvy-python3-3.6.5/lib/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['git', 'worktree', 'add', './.review/pr-45705', '2d51cceda419f47ca03960728911cbec7d13c2db']' returned non-zero exit status 128.
Command exited with non-zero status 1

A quick rm -rf .review took care of the situation.

Cheers!

Out of discussion: NixOS/nixpkgs#92612 (comment)

On a power-user workflow (which avoids leaves the command line end-to-end),
it would make sense to combine two things of tow different authoritative origin
in the first PR message:

• Origin 1: GithubTemplate per contribution type (new pkg, new module, pkg update, module update)
• Origin 2: Preliminary results of local nipkgxs-review session

Supersedes #114 #113

/cc @jtojnar uses gh to avoid leaving the command line, but it's not trivial to combine PR template and local input from ./result.md (correct me if I'm wrong)

ANother argument is automating PR with query parameters, see: https://docs.github.com/en/github/managing-your-work-on-github/about-automation-for-issues-and-pull-requests-with-query-parameters

wrong

k3d --version
k3d version 3.0.0
k3s version v1.18.6-k3s1 (default)

vs goo

k3d --version
k3d version 3-dev
k3s version v1.18.4-k3s1 (default)

by overlooking wrong

''
...
        -X github.com/rancher/k3d/version.Version=${version}
        -X github.com/rancher/k3d/version.K3sVersion=v${k3sVersion}
...
''

vs good

''
...
        -X github.com/rancher/k3d/v3/version.Version=${version}
        -X github.com/rancher/k3d/v3/version.K3sVersion=v${k3sVersion}
...
''

a common pattern in go version bumps when bumping major versions.

Derived from #117

Further inspiration (not sure, how fit): https://github.com/GoogleContainerTools/container-structure-test#command-tests

Any idea why a version bump of ili2c (NixOS/nixpkgs#85348) would cause ilixi to pop up in the nixpkgs-review report? Despite the similarity in their names, these packages seem to be unrelated to each other.

content of /home/das-g/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1/report.md:

Result of nixpkgs-review 1

1 package marked as broken and skipped:

• ilixi

1 package built:

• ili2c

[das-g@nixos:~/dev/nixos/nixpkgs]$ nix run -f . nixpkgs-review -c nixpkgs-review wip
$ git -c fetch.prune=false fetch --force https://github.com/NixOS/nixpkgs master:refs/nixpkgs-review/0
$ git worktree add /home/das-g/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1/nixpkgs 2da9490e7656a5ab9b42003e58ebc3496b3fb749
Bereite Arbeitsverzeichnis vor (losgelöster HEAD 2da9490e765)
Aktualisiere Dateien: 100% (21489/21489), Fertig.
HEAD ist jetzt bei 2da9490e765 Merge pull request #85335 from zowoq/podman
$ nix-env -f /home/das-g/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1/nixpkgs -qaP --xml --out-path --show-trace
Applying `nixpkgs` diff...
$ nix-env -f /home/das-g/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1/nixpkgs -qaP --xml --out-path --show-trace --meta
2 package updated:
ili2c (5.0.0 → 5.0.8) ilixi

$ nix build --no-link --keep-going --option build-use-sandbox relaxed -f /home/das-g/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1/build.nix
[1 built, 0.0 MiB DL]
1 package marked as broken and skipped:
ilixi

1 package built:
ili2c

$ nix-shell /home/das-g/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1/shell.nix
these paths will be fetched (1.51 MiB download, 8.27 MiB unpacked):
  /nix/store/7mxin7q10aa47nc88adfv9f2b0z6663w-readline-7.0p5
  /nix/store/ar3aqra4hzi56f7ivphrjy3n2cm9y4jr-bash-interactive-4.4-p23
  /nix/store/c4r9992z20y3xsqn0vbf73b5nqkil302-bash-interactive-4.4-p23-doc
  /nix/store/ky51a90gvfsdrqaiahlns5yqa2bzz3kr-bash-interactive-4.4-p23-man
  /nix/store/l16wccnwr9a7k1lkzvbma3lnzwr4gm0v-bash-interactive-4.4-p23-info
  /nix/store/qr6dpv0wl37p00rdj5pijn1mkz0wfkwd-bash-interactive-4.4-p23-dev
copying path '/nix/store/l16wccnwr9a7k1lkzvbma3lnzwr4gm0v-bash-interactive-4.4-p23-info' from 'https://cache.nixos.org'...
copying path '/nix/store/c4r9992z20y3xsqn0vbf73b5nqkil302-bash-interactive-4.4-p23-doc' from 'https://cache.nixos.org'...
copying path '/nix/store/ky51a90gvfsdrqaiahlns5yqa2bzz3kr-bash-interactive-4.4-p23-man' from 'https://cache.nixos.org'...
copying path '/nix/store/7mxin7q10aa47nc88adfv9f2b0z6663w-readline-7.0p5' from 'https://cache.nixos.org'...
copying path '/nix/store/ar3aqra4hzi56f7ivphrjy3n2cm9y4jr-bash-interactive-4.4-p23' from 'https://cache.nixos.org'...
copying path '/nix/store/qr6dpv0wl37p00rdj5pijn1mkz0wfkwd-bash-interactive-4.4-p23-dev' from 'https://cache.nixos.org'...

[nix-shell:~/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1]$ ls
build.nix  logs  nixpkgs  report.md  results  shell.nix

[nix-shell:~/.cache/nixpkgs-review/rev-7d39eea965f06f2c7a2b9ace0a81d713d7b79408-dirty-1]$ cat report.md 
Result of `nixpkgs-review` [1](https://github.com/Mic92/nixpkgs-review)
<details>
  <summary>1 package marked as broken and skipped:</summary>

  - ilixi
</details>
<details>
  <summary>1 package built:</summary>

  - ili2c
</details>

Noticed this on nix-review pr 53537:

{ pkgs ? import ./nixpkgs {} }:
with pkgs;
stdenv.mkDerivation {
  name = "env";
  buildInputs = [
    check-esxi-hardware
    cloud-init
    cloud-utils
    crda
    euca2ools
    hash-slinger
    python27Packages.m2crypto  # <-- python2
    python27Packages.osc
    python27Packages.pywbem
    python37Packages.m2crypto  # <-- python3
    tribler
    virtinst
  ];
  unpackPhase = ":";
  installPhase = "touch $out";
}

This caused bad errors.

With the new checkMeta it will also mark unfree packages "as broken" since it refuses to evaluate them now.

I know for some users that don't want unfree software on their machines, this is probably a big issue. And the current filtering of unfree packages is probably preferable.

We should probably allow for some way to pass --allow-unfree, so that users that do want to check all packages can.

Noticed this in: NixOS/nixpkgs#99264

When running the git fetch command to fetch the PR, nix-review really needs to specify git -c fetch.prune=false fetch. Otherwise if I've already run nix-review before, it fails and requires re-running again to succeed.

The failure is because the fetch.prune setting causes git to delete the local refs/nix-review/0 and refs/nix-review/1 refs in the same fetch that it's then trying to update those, and this produces an error. Right now I'm getting "fatal: Needed a single revision" but in the past I've seen errors about not being able to acquire the lock for refs/nix-review/0 (I'm guessing there's some race condition between pruning the ref and updating it). This is clearly a bug in git itself, but nix-review should be able to work around it.

This issue occurs when my global config has fetch.prune set to true.

When reviewing a change we most likely don't want to use local overlays as it can give false results.

I ran into this due to suddenly getting an error from an overlay, tried to pass --args overlays [] as a build-arg, but that didn't work as I guess the flags aren't used when generating the build list.

When using nix-review 2.0 to review NixOS/nixpkgs#52020, it only builds simgear. But flightgear is a package that depends on simgear, so it should be rebuilt too.

An error being thrown, including when it gets thrown with python's disabled usage now causes an review to be halted altogether:

$ nix-review pr 79351
$ git -c fetch.prune=false fetch --force https://github.com/NixOS/nixpkgs master:refs/nixpkgs-review/0 pull/79351/head:refs/nixpkgs-review/1
$ git worktree add /home/jon/.cache/nixpkgs-review/pr-79351-5/nixpkgs 3b7f5c6762bb174bd9951a697b636e1db531e98a
Preparing worktree (detached HEAD 3b7f5c6762b)
HEAD is now at 3b7f5c6762b python3Packages.snowflake-connector-python: 2.1.2 -> 2.2.0
$ git merge --no-commit c37276edf0f11d74c117b3a491251749137277ba
Auto-merging pkgs/development/tools/aws-sam-cli/default.nix
Automatic merge went well; stopped before committing as requested
error: seaborn-0.10.0 not supported for interpreter python2.7
(use '--show-trace' to show detailed location information)
nix eval --json (import /nix/store/9yy1gv7az9mqxak6jsqkyppb4g1zvzl0-nixpkgs-review-2.1.1/lib/python3.7/site-packages/nixpkgs_review/nix/evalAttrs.nix /tmp/tmp4485moms) failed to run, /tmp/tmp4485moms was stored inspection
https://github.com/NixOS/nixpkgs/pull/79351 failed to build

nixpkgs-review==2.1.1

I am trying to debug locally the problem met by:
https://gist.github.com/GrahamcOfBorg/2b89c7fce733a4cd8878f44d924bf2c2

The same error triggers locally but I miss the trace compared to ofborg's output ?

$ git merge --no-commit 916a57dce6d33840edb0efe5c360505edfe92a81
Fusion automatique de pkgs/top-level/lua-packages.nix
Fusion automatique de pkgs/top-level/all-packages.nix
La fusion automatique a réussi ; stoppée avant la validation comme demandé
error: infinite recursion encountered, at /home/teto/.cache/nix-review/rev-916a57dce6d33840edb0efe5c360505edfe92a81/nixpkgs/pkgs/top-level/lua-packages.nix:64:13

Another question/request: would it be possible to review uncommitted changes ? I would like to avoid committing when locally iterating on the PR.

Btw: congrats on disabling overlays, I really missed that in nox review.

After running nixpkgs-review for a pull request, I'd like to test that the executables are working. For this, I'd need to know which store paths nixpkgs-review built. So, it'd be nice if at the end of the review, nixpkgs-review would show all store paths it needed to build. Then I could go through them one by one and see if they contain any executables I'd like to test.

Now I can see this:

1 package built:
rssguard

But as it doesn't have the store path, I'm not able to find it.

Does this make sense? I'm just trying to figure out a good way to test executables that are affected by a pull request.

nix-review enables the sandbox always, but sometimes on darwin we need to use the relaxed option instead (in particular, if the derivation specifies a custom sandbox profile). For example, I can't use nix-review to build nixpkgs.macvim because that requires relaxed mode. To that end, I'd really like a flag that controls the sandbox option. This could also solve #55, if I can just provide a free-form value that's used instead of true for the sandbox option.

When I try to run nix-review now I get an HTTP 401 Unauthorized error. I'm not giving nix-review a token, and it should only be accessing public data by default, so I don't know why it's failing. The error is rather obtuse as it's just a very long stack trace but it's definitely coming from the call to the GitHub API.

I tried running nix-review installed from nixpkgs master but it fails with the following error:

$ cd ~/Projects/nixpkgs
$ result/bin/nix-review pr 39714 
$ git worktree prune
Traceback (most recent call last):
  File "/nix/store/7qk6dqyfqh7s2835wcaqs7ri6mrqwbsw-nix-review-0.1.2/bin/..nix-review-wrapped-wrapped", line 12, in <module>
    sys.exit(main())
  File "/nix/store/7qk6dqyfqh7s2835wcaqs7ri6mrqwbsw-nix-review-0.1.2/lib/python3.6/site-packages/nix_review/app.py", line 106, in main
    real_main(command, args)
  File "/nix/store/7qk6dqyfqh7s2835wcaqs7ri6mrqwbsw-nix-review-0.1.2/lib/python3.6/site-packages/nix_review/app.py", line 99, in real_main
    args.func(args)
  File "/nix/store/7qk6dqyfqh7s2835wcaqs7ri6mrqwbsw-nix-review-0.1.2/lib/python3.6/site-packages/nix_review/app.py", line 15, in pr_command
    r.review_pr(args.number)
  File "/nix/store/7qk6dqyfqh7s2835wcaqs7ri6mrqwbsw-nix-review-0.1.2/lib/python3.6/site-packages/nix_review/review.py", line 65, in review_pr
    pr = json.load(urllib.request.urlopen(api_url))
  File "/nix/store/96wn2gz3mwi71gwcrvpfg39bsymd7gqx-python3-3.6.5/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/nix/store/96wn2gz3mwi71gwcrvpfg39bsymd7gqx-python3-3.6.5/lib/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/nix/store/96wn2gz3mwi71gwcrvpfg39bsymd7gqx-python3-3.6.5/lib/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/nix/store/96wn2gz3mwi71gwcrvpfg39bsymd7gqx-python3-3.6.5/lib/python3.6/urllib/request.py", line 570, in error
    return self._call_chain(*args)
  File "/nix/store/96wn2gz3mwi71gwcrvpfg39bsymd7gqx-python3-3.6.5/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/nix/store/96wn2gz3mwi71gwcrvpfg39bsymd7gqx-python3-3.6.5/lib/python3.6/urllib/request.py", line 650, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 403: Forbidden

I am on OSX Catalina and I try to review if my own pull request regarding openconnet also works on linux by using linuxkit-nix and nix-review:

nix-shell -p nix-review
nix-review pr --build-args="--builders ssh://root@nix-linuxkit --argstr system x86_64-linux" 71318

Unfortunately it fails with the error:

build of '/nix/store/7g2nsd32plad8ipnqii5z2qivfl7mjjq-bash-completion-2.9.drv'
on 'ssh://root@nix-linuxkit' failed: a 'x86_64-darwin' is required to build
'/nix/store/7g2nsd32plad8ipnqii5z2qivfl7mjjq-bash-completion-2.9.drv', but I am a ### 'x86_64-linux'

If I try it with the --option arg:
nix-review pr --build-args="--builders ssh://root@nix-linuxkit --option system x86_64-linux" 71318

it fails silently by somehow skipping the build because I get the following output:

7 package are marked as broken and were skipped
connman_dmenu gnome3.nautilus-python libsForQt5.alkimia
libsForQt511.alkimia libsForQt512.alkimia networkmanager_dmenu strongswanNM

2 package failed to build:
openconnect openconnect_openssl

Possibly related issues who tried the same using nix-docker.

Using just build --option build-use-sandbox true --argstr system x86_64-linux -A openconnect works just fine.

I'm using nix-review on a PR that causes a fair amount of transitive rebuilds (~1500). A few of these have been failing because they rely on source files that can't be automatically fetched.

Could nix-review somehow ignore by default packages that are set as not buildable on Hydra? This seems like a useful heuristic for "things that can be built unattended with no human action".

Trying to understand some error cases i’m seeing during reviews using nix-review. Not sure exactly how --checkout commit/merge should be interpreted when there is a failure in one or the other.

For packages with many reverse dependencies, nix-review pr #### seem to fail often in this manner (see below). Not sure if this is yarn2nix specific or if there is an easy way to exclude that package to test if the failure is particular to it.

Same errors occur on Ubuntu/NixOS.

nix-review pr 58659
$ git fetch --force https://github.com/NixOS/nixpkgs staging:refs/nix-review/0 pull/58659/head:refs/nix-review/1
$ git worktree add /home/dev/.cache/nix-review/pr-58659-4/nixpkgs e82ef0841152c05b4abca0101a6033aa65472a9d
Preparing worktree (detached HEAD e82ef084115)
Checking out files: 100% (18773/18773), done.
HEAD is now at e82ef084115 btrbk: 0.27.1 -> 0.27.2 (#58651)
$ git merge --no-commit b62e1cd27e83922a6e82b6715530cebae3c1908f
Automatic merge went well; stopped before committing as requested
error: Use upstream https://github.com/moretea/yarn2nix
(use '--show-trace' to show detailed location information)
nix eval --json (import /nix/store/0gabypl11hzc11pj1ipq2rrdsb5k1xdc-nix-review-2.0.0/lib/python3.7/site-packages/nix_review/nix/evalAttrs.nix /tmp/tmpo81o_l63) failed to run, /tmp/tmpo81o_l63 was stored inspection
NixOS/nixpkgs#58659 failed to build
whereas, this seems better:

nix-review pr 58659 --checkout commit
$ git fetch --force https://github.com/NixOS/nixpkgs staging:refs/nix-review/0 pull/58659/head:refs/nix-review/1
$ git worktree add /home/dev/.cache/nix-review/pr-58659-5/nixpkgs b62e1cd27e83922a6e82b6715530cebae3c1908f
Preparing worktree (detached HEAD b62e1cd27e8)
Checking out files: 100% (18685/18685), done.
HEAD is now at b62e1cd27e8 curl: 7.64.0 -> 7.64.1
$ nix build --no-link --keep-going --max-jobs 8 --option build-use-sandbox true -f /home/dev/.cache/nix-review/pr-58659-5/build.nix
...

From Discourse (@timokau):
On a second look, the PR you mentioned targets staging. Probably
merge always tries to merge into nixpkgs master, not staging, which
is causing the issue and explains why commit works. I’m not sure if
Mic92 supports the staging use case, but please still create an issue to
find out

Why doesn't it build the jazzy?

$ nix-review pr 56399
$ git fetch --force https://github.com/NixOS/nixpkgs master:refs/nix-review/0 pull/56399/head:refs/nix-review/1
$ git worktree add /home/ryantm/.cache/nix-review/pr-56399/nixpkgs 6aa7c9d776c99140bbaf3bb885edf29fbb696072
Preparing worktree (detached HEAD 6aa7c9d776c)
Checking out files: 100% (18554/18554), done.
HEAD is now at 6aa7c9d776c Merge pull request #56828 from seqizz/g_gita080
$ git merge --no-commit 53508b1d8e247567d85c49796f42e0ddd6556695
Auto-merging maintainers/maintainer-list.nix
Automatic merge went well; stopped before committing as requested
Nothing changed
https://github.com/NixOS/nixpkgs/pull/56399
No packages were successfully build, skip nix-shell
$ git worktree prune

I would be more than okay with building the target branch's packages to see if any regression happened as part of a nixpkgs-review. Something to the affect of New successes, new failures, still failing would be nice. Similar to hydra evaluations.

My current workflow is to take all the packages that failed and run nix build -f . --keep-going $@. And then manually see which ones passed. This isn't too bad if it's just <10 failures, but some reviews (especially python packages), can have 20-60 failures, and it becomes very difficult to determine regressions.

I am not too familiar with nixpkgs-review, so maybe I have wrong expectations here...

Wanting to review NixOS/nixpkgs#68524, I obtain the following:

[nix-shell:~/Workspace/tools/nixpkgs]$ nix-review pr 68524
$ git -c fetch.prune=false fetch --force https://github.com/NixOS/nixpkgs master:refs/nixpkgs-review/0 pull/68524/head:refs/nixpkgs-review/1
$ git worktree add /home/pamplemousse/.cache/nixpkgs-review/pr-68524/nixpkgs 6127d1e117dfb7c85f216435f3a4378368b2966a
Preparing worktree (detached HEAD 6127d1e117d)
Updating files: 100% (22433/22433), done.
HEAD is now at 6127d1e117d Merge pull request #95261 from r-ryantm/auto-update/operator-sdk
$ nix-env -f /home/pamplemousse/.cache/nixpkgs-review/pr-68524/nixpkgs -qaP --xml --out-path --show-trace
$ git merge --no-commit 01058f5099b92e48d4bccba8639a8b7a7d3b4cb0
warning: inexact rename detection was skipped due to too many files.
warning: you may want to set your merge.renamelimit variable to at least 3864 and retry the command.
Automatic merge went well; stopped before committing as requested
$ nix-env -f /home/pamplemousse/.cache/nixpkgs-review/pr-68524/nixpkgs -qaP --xml --out-path --show-trace --meta
Nothing changed
https://github.com/NixOS/nixpkgs/pull/68524
$ nix-shell /home/pamplemousse/.cache/nixpkgs-review/pr-68524/shell.nix

[nix-shell:~/.cache/nixpkgs-review/pr-68524]$ cat report.md 
Result of `nixpkgs-review pr 68524` [1](https://github.com/Mic92/nixpkgs-review)

It appears that fetchRepoProject is used by amdvlk, so I expected the report to show at least this package being built...

Is there a bug? Did I overlook anything (the warnings)? Was I expecting the wrong behavior?

Thanks for you help 🙂

It would be helpful to run passthru.tests automatically when they exists like nixpkgs-update and ofborg (will) do.

This is messing up with my OCD. This tool is about reviewing nixpkgs only! :D