From 4dd473067c1c015bfae6b9d984ece7b19ff8176e Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Fri, 6 Dec 2024 13:36:17 -0500
Subject: [PATCH 1/3] Ensure we're only picking up "indirect" path entries
The only kind of lock file entry that's dangerous is the "indirect" type that comes out of some implicit flake registry. Let's tighten the check (this also ensures that "path:" entries in the lock file that are created from in-tree sources are now fine. I think that's alright.)
---
 .github/workflows/lints.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml
index 8a394e5..7d17c1f 100644
--- a/.github/workflows/lints.yml
+++ b/.github/workflows/lints.yml
@@ -46,7 +46,7 @@ jobs: run: | { echo "entries<> "$GITHUB_OUTPUT" working-directory: ${{ inputs.root }}
From 6c277592e6b5a28d821001c1fc16de4357e91bb2 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Fri, 6 Dec 2024 13:37:57 -0500
Subject: [PATCH 2/3] Update the failing check to use an indirect input
---
 tests/fail-safety-check/flake.lock | 17 +++++++----------
 tests/fail-safety-check/flake.nix | 1 -
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/tests/fail-safety-check/flake.lock b/tests/fail-safety-check/flake.lock
index 7c02f68..3505dfa 100644
--- a/tests/fail-safety-check/flake.lock
+++ b/tests/fail-safety-check/flake.lock
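Review bot: In the `.github/workflows/lints.yml` hunk (`@@ -46,7 +46,7 @@`) the filter now rejects only `indirect` entries, so every `path` entry in the lock file passes, not just the in-tree ones the description mentions; the changed line itself is not legible here, so this rests on the commit message. A `path:` input that points at an absolute location outside the repository would presumably pass as well, even though it exists only on the machine that locked it. If only in-tree sources are meant to be allowed, say so next to the filter, for example `# path: entries are accepted because they are expected to be in-tree; indirect (registry) entries are rejected`, and add a fixture with an absolute `path:` input beside `tests/fail-safety-check` to pin the intended result. The step's definition starts outside the hunk.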
@@ -2,18 +2,15 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1733229606,
- "narHash": "sha256-FLYY5M0rpa5C2QAE3CKLYAM6TwbKicdRK6qNrSHlNrE=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "566e53c2ad750c84f6d31f9ccb9d00f823165550",
- "type": "github"
+ "lastModified": 1731890469,
+ "narHash": "sha256-D1FNZ70NmQEwNxpSSdTXCSklBH1z2isPR84J6DQrJGs=",
+ "path": "/nix/store/n1g84klfb0h3bpwyvc59lcy5ca58h36w-source",
+ "rev": "5083ec887760adfe12af64830a66807423a859a7",
+ "type": "path"
 },
 "original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
- "repo": "nixpkgs",
- "type": "github"
+ "id": "nixpkgs",
+ "type": "indirect"
 }
 },
 "root": {
diff --git a/tests/fail-safety-check/flake.nix b/tests/fail-safety-check/flake.nix
index 48b9471..8ad1de0 100644
--- a/tests/fail-safety-check/flake.nix
+++ b/tests/fail-safety-check/flake.nix
@@ -2,7 +2,6 @@
 description = "a flake that should successfully pass the baseline-nix tests";
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 some_input = {
 url = "path:./some_input";
 flake = false;
From 9bf70adc5241c2492c64e25c1b332fbbe0bed11b Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Fri, 6 Dec 2024 13:43:47 -0500
Subject: [PATCH 3/3] Remove the unnecessary pull_request condition for e2e.yml
---
 .github/workflows/e2e.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 5ce9bcf..14a5d7b 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -1,7 +1,6 @@
 name: "Tests for this repo"
 on:
 workflow_call:
- pull_request:
 jobs:
 success_build: