Technically this opens a new attack vector, but if you don't trust
the code you're deploying, you should already have taken precautions
because of nix-shell, direnv etc. This just adds arion to that list.
to ensure that the subtests defined in tests/arion-test/default.nix do
not inadvertently re-use the arion-compose.nix, arion-pkgs.nix, etc. set
up during the _previous_ subtest.
Previously, each subtest attempted to clean itself up by doing
the following:

    cd work && [...snip...] && rm -rf work

This removes the directory "work/work", while leaving "work" itself
intact. Subsequent subtests would then run:

    cp -r ${../../examples/some-example} work

thereby copying the contents of "some-example" into "work/work" rather
than into "work".
As a result, all subtests but the first simply reapplied the Arion
configuration set up by the first subtest, because this configuration
persisted within the "work" directory used as the working directory for
"arion up", etc.
This commit corrects the issue by:

1. Removing "work" rather than "work/work", and
2. Adding certain flags to the "cp" invocation to ensure it reliably
   copies files into "work" rather than "work/work": (a) "-f"
   ("--force"), to overwrite destination files if they already
   exist, and (b) "-T" ("--no-target-directory") to copy the
   *contents* of the source directory to "work" rather than copying
   the source directory itself as a subdirectory of "work".
Additionally, this commit factors out code common to all subtests into a
reusable subtest generator coderef.
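
The stale-state failure described in the commit message above, reproduced as an added example (not code from the arion repository). The directory names, file contents and function names are constructed, and GNU cp is assumed for "-T".

```shell
#!/bin/sh
# Added illustration; all names and file contents below are constructed.

# Create two constructed "example" source directories under $1.
make_examples() {
    mkdir -p "$1/example-a" "$1/example-b"
    echo "config A" > "$1/example-a/arion-compose.nix"
    echo "config B" > "$1/example-b/arion-compose.nix"
}

# Old behaviour: the cleanup runs from inside "work", so "rm -rf work"
# resolves to work/work and "work" itself survives into the next subtest.
run_old() {
    root=$(mktemp -d) || return 1
    make_examples "$root"
    (
        cd "$root" || exit 1
        cp -r example-a work          # first subtest: "work" does not exist yet
        (cd work && rm -rf work)      # leaves "work" and its contents intact
        cp -r example-b work          # "work" exists, so the copy is nested inside it
    )
    cat "$root/work/arion-compose.nix"   # config the second subtest would use
    rm -rf "$root"
}

# Fixed behaviour: remove "work" itself, and copy with -f -T so the
# contents of the source always become "work", never a subdirectory of it.
run_fixed() {
    root=$(mktemp -d) || return 1
    make_examples "$root"
    (
        cd "$root" || exit 1
        cp -rfT example-a work
        rm -rf work
        cp -rfT example-b work
    )
    cat "$root/work/arion-compose.nix"
    rm -rf "$root"
}

echo "old second subtest sees:   $(run_old)"
echo "fixed second subtest sees: $(run_fixed)"
```

With the old sequence the second subtest still reads the first subtest's configuration; with the corrected sequence it reads its own.
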
buildLayeredImage doesn't work when the number of nix store layers is 0.
This may be fixed by pull https://github.com/NixOS/nixpkgs/pull/80921/files
but meanwhile, plain buildImage will do the job.