assorted: prefer runCommandLocal over runCommand where it makes sense

2024-02-27 22:26:56 +00:00 · 2024-02-27 22:26:56 +00:00 · 6ef729bbaf
parent 8f424dcd5a
commit 6ef729bbaf
3 changed files with 9 additions and 7 deletions
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -2,6 +2,7 @@
 , buildPackages
 , callPackage
 , runCommand
+, runCommandLocal
 , runtimeShell
 , sane-sandboxed
 , symlinkJoin
@ -143,7 +144,7 @@ let
  } else {};

  # helper used for `wrapperType == "wrappedDerivation"` which simply symlinks all a package's binaries into a new derivation
-  symlinkBinaries = pkgName: package: (runCommand "${pkgName}-bin-only" {} ''
+  symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {} ''
    set -e
    if [ -e "${package}/bin" ]; then
      mkdir -p "$out/bin"
@ -199,7 +200,7 @@ let
      # we have to patch those out as a way to whitelist them.
      checkSandboxed = let
        sandboxedNonBin = fixHardcodedRefs unsandboxed "/dev/null" unsandboxedNonBin;
-      in runCommand "${sandboxedNonBin.name}-check-sandboxed"
+      in runCommandLocal "${sandboxedNonBin.name}-check-sandboxed"
        { disallowedReferences = [ unsandboxed ]; }
        ''
          # dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
@ -215,7 +216,7 @@ let
  # patch them to use the sandboxed binaries,
  # and add some passthru metadata to enforce no lingering references to the unsandboxed binaries.
  sandboxNonBinaries = pkgName: unsandboxed: sandboxedBin: let
-    sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
+    sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {} ''
      set -e
      mkdir "$out"
      # link in a limited subset of the directories.
@ -245,7 +246,7 @@ let
      priority = ((prevAttrs.meta or {}).priority or 0) - 1;
    };
    passthru = (prevAttrs.passthru or {}) // extraPassthru // {
-      checkSandboxed = runCommand "${pkgName}-check-sandboxed" {} ''
+      checkSandboxed = runCommandLocal "${pkgName}-check-sandboxed" {} ''
        set -e
        # invoke each binary in a way only the sandbox wrapper will recognize,
        # ensuring that every binary has in fact been wrapped.
--- a/pkgs/additional/static-nix-shell/default.nix
+++ b/pkgs/additional/static-nix-shell/default.nix
@ -61,6 +61,7 @@ in rec {
  in
    stdenv.mkDerivation (final: {
      version = "0.1.0";  # default version
+      preferLocalBuild = true;
      patchPhase = ''
        substituteInPlace ${srcPath} \
          --replace '#!/usr/bin/env nix-shell' '#!${interpreter}' \
--- a/pkgs/additional/trivial-builders/default.nix
+++ b/pkgs/additional/trivial-builders/default.nix
@ -1,4 +1,4 @@
-{ runCommand
+{ runCommandLocal
 , rmDbusServicesInPlace
 , symlinkJoin
 }:
@ -7,7 +7,7 @@
  # its own package, but otherwise keeping the same path.
  # this is done by copying the bits, so as to avoid including the item's neighbors
  # in its runtime closure.
-  copyIntoOwnPackage = pkg: path: runCommand "${pkg.pname or pkg.name}-${path}" {
+  copyIntoOwnPackage = pkg: path: runCommandLocal "${pkg.pname or pkg.name}-${path}" {
    env.item = path;
    env.fromPkg = pkg;
  } ''
@ -16,7 +16,7 @@
    runHook postFixup
  '';

-  linkIntoOwnPackage = pkg: path: runCommand "${pkg.pname or pkg.name}-${path}" {
+  linkIntoOwnPackage = pkg: path: runCommandLocal "${pkg.pname or pkg.name}-${path}" {
    env.item = path;
    env.fromPkg = pkg;
  } ''