Add tags to BuildProvenance

[edolstra]

Motivation

These are name/value pairs from the build host that can be configured through the build-provenance-tags setting.

Context

Summary by CodeRabbit

• New Features

  • Added a build-provenance-tags setting to record arbitrary name/value metadata for builds.
  • Build provenance now includes those tags and displays them in JSON and textual outputs.
  • Tag names are validated; invalid names produce user-facing errors.

• Tests

  • Functional tests updated to cover sample provenance tags and invalid-tag validation.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds build-provenance tags: new buildProvenanceTags setting (map<string,string>) with parsing/serialization, BuildProvenance::tags (constructor, validation, JSON in/out), derivation-builder passes tags, and provenance display prints tags.

Changes

Cohort / File(s)	Summary
Configuration & Settings src/libstore/include/nix/store/globals.hh, src/libstore/globals.cc	Add public buildProvenanceTags setting (Setting<std::map<std::string,std::string>>) and BaseSetting specializations to parse/serialize std::map<std::string,std::string> as JSON.
BuildProvenance Core src/libstore/include/nix/store/provenance.hh, src/libstore/provenance.cc	Add tags member to BuildProvenance, extend constructor to accept tags, validate tag names, include tags in to_json(), and read tags during deserialization/registration.
Derivation Integration src/libstore/unix/build/derivation-builder.cc	Pass settings.buildProvenanceTags.get() into BuildProvenance when registering outputs.
Display & Output src/nix/provenance.cc	Emit textual provenance lines for each tag: tag <name>: <value>.
Tests & Defaults tests/functional/common/init.sh, tests/functional/flakes/provenance.sh	Add build-provenance-tags = {"pr": "1234", "branch": "main"} to test config, update expected provenance outputs, and add invalid-tag-name checks.
Cleanup src/libcmd/include/nix/cmd/installable-attr-path.hh	Remove transitive #include <nlohmann/json.hpp> from header.
CI Workflow .github/workflows/ci.yml, .github/workflows/build.yml	Enable experimental provenance feature for determinate-nix-action via extra-conf entries in CI workflow steps.

Sequence Diagram(s)

sequenceDiagram
    participant Settings as Settings (config)
    participant Deriver as DerivationBuilder
    participant Store as BuildProvenance
    participant JSON as JSON (serialization)
    participant CLI as CLI/display

    Settings->>Deriver: provide buildProvenanceTags (map)
    Deriver->>Store: construct BuildProvenance(..., tags)
    Store->>JSON: to_json() includes "tags"
    JSON->>Store: registerBuildProvenance(... parse "tags" ...)
    Store->>CLI: display emits "tag <name>: <value>"

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Record builder host name in build provenance #341: Modifies BuildProvenance and its constructor/usage — strong overlap with tags propagation.
• Add nix provenance verify command #356: Extends provenance handling and display/serialization — touches same provenance serialization/display paths.
• Build provenance improvements #343: Alters BuildProvenance structure/serialization and derivation-builder propagation — closely related.

Suggested reviewers

• grahamc

Poem

🐰 I hopped through settings, tags in tow,
Left tiny notes where build logs glow.
Branch and PR snug in a line,
Provenance tidy, metadata fine.
Hop, stamp, nudge — the traces show. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 9.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add tags to BuildProvenance' directly and clearly summarizes the main change: introducing tags functionality to the BuildProvenance structure, which is evident across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch provenance-tags

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/functional/common/init.sh (1)

56-56: Keep test config parity across NixOS and non-NixOS paths.

build-provenance-tags is only set in one branch right now. Adding it to the NixOS branch too will prevent configuration drift if/when the same provenance expectations are enabled there.

💡 Proposed patch

 cat > "$test_nix_conf" <<EOF
 # TODO: this is not needed for all tests and prevents stable commands from be tested in isolation
 experimental-features = ${experimental_features:-}
 flake-registry = $TEST_ROOT/registry.json
 show-trace = true
+build-provenance-tags = {"pr": "1234", "branch": "main"}
 EOF

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/functional/common/init.sh` at line 56, The NixOS branch of the test
init script is missing the build-provenance-tags assignment; add the same line
build-provenance-tags = {"pr": "1234", "branch": "main"} into the NixOS
configuration branch (the block that configures NixOS paths/variables in
tests/functional/common/init.sh) so both NixOS and non-NixOS branches set
identical provenance tags.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/libstore/provenance.cc`:
- Around line 27-29: The current parsing of tags uses optionalValueAt(obj,
"tags") and immediately calls p->get<std::map<std::string, std::string>>(),
which throws if the JSON value is null; update the code to detect a null value
before calling get — e.g., after obtaining p from optionalValueAt(obj, "tags")
check p->is_null() (or equivalent) and only call p->get<std::map<std::string,
std::string>>() when not null, leaving the tags map empty when the JSON value is
null.

---

Nitpick comments:
In `@tests/functional/common/init.sh`:
- Line 56: The NixOS branch of the test init script is missing the
build-provenance-tags assignment; add the same line build-provenance-tags =
{"pr": "1234", "branch": "main"} into the NixOS configuration branch (the block
that configures NixOS paths/variables in tests/functional/common/init.sh) so
both NixOS and non-NixOS branches set identical provenance tags.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe3515c and 0345e76.

📒 Files selected for processing (9)

• src/libcmd/include/nix/cmd/installable-attr-path.hh
• src/libstore/globals.cc
• src/libstore/include/nix/store/globals.hh
• src/libstore/include/nix/store/provenance.hh
• src/libstore/provenance.cc
• src/libstore/unix/build/derivation-builder.cc
• src/nix/provenance.cc
• tests/functional/common/init.sh
• tests/functional/flakes/provenance.sh

💤 Files with no reviewable changes (1)

• src/libcmd/include/nix/cmd/installable-attr-path.hh

[github-actions]

🚀 Deployed on https://69b209a26e86cfc8e562a7d3--determinate-nix.netlify.app

[coderabbitai]

🧹 Nitpick comments (1)

src/libstore/include/nix/store/provenance.hh (1)

1-6: Consider adding #include <map> for std::map usage.

The file uses std::map<std::string, std::string> but doesn't directly include <map>. While it may be transitively included through one of the existing headers, directly including required standard library headers makes the code more robust against changes in transitive dependencies.

Suggested include addition

 `#pragma` once
 
 `#include` "nix/util/provenance.hh"
 `#include` "nix/store/path.hh"
 `#include` "nix/store/outputs-spec.hh"
+
+#include <map>
+#include <string>
 
 namespace nix {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/libstore/include/nix/store/provenance.hh` around lines 1 - 6, This header
uses std::map<std::string, std::string> (in provenance-related declarations) but
doesn't include the <map> header; add a direct include for <map> near the top of
src/libstore/include/nix/store/provenance.hh (alongside the other includes) so
std::map is available even if transitive includes change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/libstore/include/nix/store/provenance.hh`:
- Around line 1-6: This header uses std::map<std::string, std::string> (in
provenance-related declarations) but doesn't include the <map> header; add a
direct include for <map> near the top of
src/libstore/include/nix/store/provenance.hh (alongside the other includes) so
std::map is available even if transitive includes change.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0345e76 and 461106e.

📒 Files selected for processing (8)

• src/libstore/globals.cc
• src/libstore/include/nix/store/globals.hh
• src/libstore/include/nix/store/provenance.hh
• src/libstore/provenance.cc
• src/libstore/unix/build/derivation-builder.cc
• src/nix/provenance.cc
• tests/functional/common/init.sh
• tests/functional/flakes/provenance.sh

🚧 Files skipped from review as they are similar to previous changes (4)

• src/libstore/unix/build/derivation-builder.cc
• src/libstore/provenance.cc
• tests/functional/common/init.sh
• tests/functional/flakes/provenance.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/libstore/provenance.cc`:
- Around line 15-31: Reject invalid build-provenance tag names earlier during
settings parsing/preflight instead of only in BuildProvenance constructor: add
validation that iterates tags produced from the build-provenance-tags setting
and calls checkProvenanceTagName(name) when parsing or preflighting the setting
(the code path that prepares the tags before move into BuildProvenance, e.g.,
the logic that constructs the tags map in the derivation builder), and return an
error before moving/ registering the output; keep the existing
checkProvenanceTagName call in BuildProvenance as a defensive fallback.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f819925f-1aae-46c1-a3c0-f245f8a64cb4

📥 Commits

Reviewing files that changed from the base of the PR and between 461106e and a60c4db.

📒 Files selected for processing (9)

• src/libcmd/include/nix/cmd/installable-attr-path.hh
• src/libstore/globals.cc
• src/libstore/include/nix/store/globals.hh
• src/libstore/include/nix/store/provenance.hh
• src/libstore/provenance.cc
• src/libstore/unix/build/derivation-builder.cc
• src/nix/provenance.cc
• tests/functional/common/init.sh
• tests/functional/flakes/provenance.sh

💤 Files with no reviewable changes (1)

• src/libcmd/include/nix/cmd/installable-attr-path.hh

🚧 Files skipped from review as they are similar to previous changes (2)

• src/libstore/globals.cc
• src/nix/provenance.cc