Skip to content

Disallow executable bit on .nix files without shebang (NPV-145)#199

Open
philiptaron wants to merge 2 commits intoNixOS:mainfrom
philiptaron:npv-145-executable-nix-files
Open

Disallow executable bit on .nix files without shebang (NPV-145)#199
philiptaron wants to merge 2 commits intoNixOS:mainfrom
philiptaron:npv-145-executable-nix-files

Conversation

@philiptaron
Copy link
Contributor

@philiptaron philiptaron commented Feb 16, 2026
edited
Loading

Summary

  • Adds NPV-145: detects .nix files with the executable bit set that lack a shebang (#!) line
  • This is a non-ratchet (hard error) check applied to all .nix files in nixpkgs
  • Wiki updated with NPV-145 page

Closes #110

Test plan

  • New test case nix-file-executable with an executable package.nix (no shebang) verifies the error is reported
  • All existing tests continue to pass
  • cargo fmt -- --check passes

@philiptaron philiptaron requested a review from a team as a code owner February 16, 2026 21:59
@philiptaron philiptaron mentioned this pull request Feb 16, 2026
Merged
13 tasks
mdaniels5757
mdaniels5757 reviewed Feb 16, 2026
View reviewed changes
Copy link
Member

@mdaniels5757 mdaniels5757 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly looks good to me.

Ideally I think there would be another test case or 2 covering the "+x with shebang" and/or "-x with shebang" cases. (We have no shortage of the "-x without shebang" case, of course :) )

@philiptaron
Add NPV-146 and make executable check bidirectional
72f3ca8 
Address PR feedback: check executable iff shebang, not just
executable-implies-shebang. Rename check_not_executable to
check_executable_iff_shebang. Add test cases for +x/+shebang
(pass) and -x/+shebang (fail).
@philiptaron philiptaron mentioned this pull request Feb 16, 2026
Merged
13 tasks
@philiptaron
Copy link
Contributor Author

philiptaron commented Feb 17, 2026

I've added NPV-146 and an accompanying nixpkgs PR for it

mdaniels5757
mdaniels5757 approved these changes Feb 18, 2026
View reviewed changes
Copy link
Member

@mdaniels5757 mdaniels5757 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, but this will need #491208 and #491190 to make it to the nixpkgs-unstable channel, then the automated update workflow to be run, then a rebase.

@philiptaron
Copy link
Contributor Author

philiptaron commented Feb 18, 2026

Yes, absolutely. It's on ice until then.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mdaniels5757 mdaniels5757 mdaniels5757 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Disallow executable bit on .nix files

2 participants

@philiptaron @mdaniels5757