Disallow executable bit on .nix files without shebang (NPV-145)#199

Open
philiptaron wants to merge 2 commits into NixOS:main from philiptaron:npv-145-executable-nix-files

@philiptaron philiptaron commented Feb 16, 2026

Summary

  • Adds NPV-145: detects .nix files with the executable bit set that lack a shebang (#!) line
  • This is a non-ratchet (hard error) check applied to all .nix files in nixpkgs
  • Wiki updated with NPV-145 page

Closes #110

Test plan

  • New test case nix-file-executable with an executable package.nix (no shebang) verifies the error is reported
  • All existing tests continue to pass
  • cargo fmt -- --check passes

@mdaniels5757 mdaniels5757 left a comment

Mostly looks good to me.

Ideally I think there would be another test case or 2 covering the "+x with shebang" and/or "-x with shebang" cases. (We have no shortage of the "-x without shebang" case, of course :) )

Address PR feedback: check executable iff shebang, not just
executable-implies-shebang. Rename check_not_executable to
check_executable_iff_shebang. Add test cases for +x/+shebang
(pass) and -x/+shebang (fail).

@philiptaron (Contributor Author)

I've added NPV-146 and an accompanying nixpkgs PR for it

@mdaniels5757 mdaniels5757 left a comment

Looks good to me, but this will need #491208 and #491190 to make it to the nixpkgs-unstable channel, then the automated update workflow to be run, then a rebase.

@philiptaron (Contributor Author)

Yes, absolutely. It's on ice until then.
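
The "executable iff shebang" rule from the commit message above, as an added example that is not code from this PR or from the project. It assumes a Unix filesystem and reads the mode from disk; `Verdict`, `classify` and `classify_sample` are hypothetical names, and the file contents are constructed samples.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// Outcome of the rule for one file (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
pub enum Verdict { Consistent, ExecutableWithoutShebang, ShebangWithoutExecutable }

/// True if the file starts with the bytes `#!`; shorter files have no shebang.
fn has_shebang(path: &Path) -> io::Result<bool> {
    let mut buf = [0u8; 2];
    match File::open(path)?.read_exact(&mut buf) {
        Ok(()) => Ok(&buf == b"#!"),
        Err(e) if e.kind() == io::ErrorKind::UnexpectedEof => Ok(false),
        Err(e) => Err(e),
    }
}

/// True if any of the owner, group or other execute bits is set.
fn is_executable(path: &Path) -> io::Result<bool> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o111 != 0)
}

/// Executable iff shebang: both mismatches are reported, both matches pass.
pub fn classify(path: &Path) -> io::Result<Verdict> {
    Ok(match (is_executable(path)?, has_shebang(path)?) {
        (true, false) => Verdict::ExecutableWithoutShebang,
        (false, true) => Verdict::ShebangWithoutExecutable,
        _ => Verdict::Consistent,
    })
}

/// Writes a constructed sample file with the given mode, classifies it, cleans up.
pub fn classify_sample(name: &str, body: &[u8], mode: u32) -> io::Result<Verdict> {
    let path = std::env::temp_dir().join(format!("iff-shebang-{}-{name}", std::process::id()));
    fs::write(&path, body)?;
    fs::set_permissions(&path, fs::Permissions::from_mode(mode))?;
    let verdict = classify(&path);
    fs::remove_file(&path)?;
    verdict
}

fn main() -> io::Result<()> {
    let script = b"#!/usr/bin/env nix-shell\n{ }\n"; // constructed sample content
    for (name, body, mode) in [("a.nix", &b"{ }\n"[..], 0o755), ("b.nix", &script[..], 0o644), ("c.nix", &script[..], 0o755)] {
        println!("{name}: {:?}", classify_sample(name, body, mode)?);
    }
    Ok(())
}
```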

Development

Successfully merging this pull request may close these issues.

Disallow executable bit on .nix files