Avoid nix result-* symlinks on CI (#12220)

We really don’t want those anywhere and they currently trip up
blackduck which starts scanning our nix store.

changelog_begin
changelog_end

azure-cron.yml

@@ -60,7 +60,7 @@ jobs:
 
           eval "$(dev-env/bin/dade-assist)"
           HEAD=$(git rev-parse HEAD)
-          while ! nix-build -A tools.sed -A tools.jq -A tools.curl -A tools.base64 nix; do :; done
+          while ! nix-build --no-out-link -A tools.sed -A tools.jq -A tools.curl -A tools.base64 nix; do :; done
 
           trap 'rm -rf ~/.docker' EXIT
           echo $DOCKER_PASSWORD | docker login --username $DOCKER_LOGIN --password-stdin

ci/cron/src/Main.hs

@@ -78,7 +78,7 @@ robustly_download_nix_packages :: IO ()
 robustly_download_nix_packages = do
     h (10 :: Integer)
     where
-        cmd = "nix-build nix -A tools -A ci-cached"
+        cmd = "nix-build nix -A tools -A ci-cached --no-out-link"
         h n = do
             (exit, out, err) <- System.readCreateProcessWithExitCode (System.shell cmd) ""
             case (exit, n) of

ci/dev-env-install.sh

@@ -40,7 +40,7 @@ step "Building dev-env dependencies"
 NIX_FAILED=0
 for i in `seq 10`; do
     NIX_FAILED=0
-    nix-build nix -A tools -A ci-cached 2>&1 | tee nix_log || NIX_FAILED=1
+    nix-build --no-out-link nix -A tools -A ci-cached 2>&1 | tee nix_log || NIX_FAILED=1
     # It should be in the last line but let’s use the last 3 and wildcards
     # to be robust against slight changes.
     if [[ $NIX_FAILED -ne 0 ]] &&

dev-env/lib/dade-common

@@ -57,7 +57,7 @@ dadeBaseHash() {
 
 # List tools defined in dade
 dadeListTools() {
-    cat $(nix-build $DADE_BASE_ROOT/nix -A dade.tools-list)
+    cat $(nix-build --no-out-link $DADE_BASE_ROOT/nix -A dade.tools-list)
 }
 
 # dadeGetOutput get output of a target