darwin: fix "$HOME is not owned by you" warning

[Parsifa1]

Sanity Checking

• I have updated the changelog as per my changes
• I have tested, and self-reviewed my code
• Style and consistency
  • I ran nix fmt to format my Nix code
  • I ran cargo fmt to format my Rust code
  • I have added appropriate documentation to new code
  • My changes are consistent with the rest of the codebase
• Correctness
  • I ran cargo clippy and fixed any new linter warnings.
• If new changes are particularly complex:
  • My code includes comments in particularly complex areas to explain the
    logic
  • I have documented the motive for those changes in the PR body or commit
    description.
• Tested on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin

---

close #314

Add a 👍 reaction to pull requests you find important.

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Improved macOS privilege elevation handling with enhanced environment variable management during elevated operations.
  • Refined command construction for more reliable privilege escalation execution.

• Tests

  • Updated test coverage to align with macOS elevation behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Refactored elevation command construction in src/commands.rs to use a new private build_sudo_parts helper function. Added macOS-specific HOME environment variable handling during elevation to prevent Nix ownership warnings. Updated the self_elevate_cmd and run methods to utilize the new helper, with corresponding test suite updates to validate the new behavior.

Changes

Cohort / File(s)

Summary

Elevation command refactoring and macOS HOME handling src/commands.rs

Added private build_sudo_parts helper to construct sudo command parts with optional -A flag for NH_SUDO_ASKPASS and environment passing. Refactored self_elevate_cmd to use the new helper instead of parsing a generated command line. Updated run method to use build_sudo_parts when elevation is involved. Added logic to clear HOME on macOS when elevation is requested to prevent Nix ownership warnings. Updated test assertions for target_os macOS and NH_SUDO_ASKPASS handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Command construction logic: Review the new build_sudo_parts helper for correctness in handling sudo parts, environment variables, and the -A flag conditionally.
• macOS HOME handling: Verify the logic for setting HOME to an empty string on macOS during elevation and confirm it doesn't affect non-elevated commands.
• Refactored self_elevate_cmd: Ensure the refactored method properly appends the target executable and arguments after building sudo parts, maintaining equivalent behavior to the original implementation.
• Test coverage: Validate that test updates correctly reflect macOS-specific semantics and NH_SUDO_ASKPASS propagation.

Possibly related PRs

• PR #459: Modifies self_elevate_cmd command construction and parsing logic, directly related to the refactoring approach taken in this PR.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'darwin: fix "$HOME is not owned by you" warning' directly addresses the main issue being resolved, which is fixing the Nix warning about HOME not being owned by the user on macOS.
Linked Issues check	✅ Passed	The PR implementation addresses the core requirement from issue #314 by fixing HOME environment variable handling during self-elevation on macOS to prevent the '$HOME is not owned by you' warning.
Out of Scope Changes check	✅ Passed	All changes in src/commands.rs are focused on fixing macOS elevation handling and HOME variable propagation, which is directly scoped to resolving the linked issue.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/commands.rs (1)

416-460: LGTM: Well-structured helper method.

The build_sudo_parts method cleanly separates the elevation command construction logic. The implementation correctly handles elevation program selection, sudo -A flag, and environment variable passing.

Minor note: Line 433 binds _askpass but only checks for its existence. Consider using std::env::var("NH_SUDO_ASKPASS").is_ok() directly if the value isn't needed.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4012ba and a7b63c1.

📒 Files selected for processing (1)

• src/commands.rs (7 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/commands.rs (1)

src/checks.rs (1)

• new (338-347)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test NH on Darwin
• GitHub Check: Test NH on Linux
• GitHub Check: Build NH on Darwin
• GitHub Check: Build NH on Linux

🔇 Additional comments (4)

src/commands.rs (4)

25-27: LGTM: Formatting improvement.

The multi-line formatting improves readability without changing behavior.

---

33-35: LGTM: Consistent formatting.

The formatting matches the pattern used in get_cached_password above.

---

468-500: LGTM: Cleaner elevation command construction.

The refactoring eliminates shell command parsing by directly composing command parts using build_sudo_parts. This addresses the escaping issues mentioned in the PR comments (e.g., empty HOME from escaped quotes) and provides a more robust elevation mechanism.

---

894-904: Test coverage may need adjustment.

The tests correctly verify the current implementation (HOME="" unconditionally on macOS). However, if the HOME setting logic is adjusted to only apply to elevated commands on macOS (as suggested in the earlier comment), these tests should be updated to cover both:

• Non-elevated commands: HOME should have actual value on all platforms.
• Elevated commands: HOME="" on macOS, no HOME on other platforms.

Also applies to: 939-947, 1000-1010

[Parsifa1]

@NotAShelf can we give this pr a try?

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

src/commands.rs (1)

1000-1010: Test expectations don't match the new HOME logic.

Same issue as in the previous tests: the test expects HOME="" on macOS for a non-elevated command, but the new logic only sets HOME="" for elevated commands on macOS.

Apply this diff to fix the test expectations:

-    if cfg!(target_os = "macos") {
-      // macOS sets HOME to "" in Nix environment
-      assert!(
-        matches!(cmd.env_vars.get("HOME"), Some(EnvAction::Set(val)) if val.is_empty())
-      );
-    } else {
-      // Other OSes should have the actual HOME value
-      assert!(
-        matches!(cmd.env_vars.get("HOME"), Some(EnvAction::Set(val)) if val == "/test/home")
-      );
-    }
+    // Non-elevated commands should have HOME from environment on all platforms
+    assert!(
+      matches!(cmd.env_vars.get("HOME"), Some(EnvAction::Set(val)) if val == "/test/home")
+    );

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8654cb and 3644e2d.

📒 Files selected for processing (1)

• src/commands.rs (6 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/commands.rs (1)

src/checks.rs (1)

• new (338-347)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build NH on Darwin
• GitHub Check: Build NH on Linux
• GitHub Check: Test NH on Darwin
• GitHub Check: Test NH on Linux
• GitHub Check: treewide-checks

🔇 Additional comments (2)

src/commands.rs (2)

299-305: LGTM! Addresses the past review comment correctly.

The HOME="" setting is now correctly scoped to elevated commands on macOS only. This aligns with the PR objectives to fix the "$HOME is not owned by you" warning and addresses the concern raised in the past review comment.

---

416-460: Solid refactor to eliminate escaping issues.

The new build_sudo_parts helper returns Vec<String> instead of constructing an Exec object, which avoids the shell escaping issues mentioned in the PR comments that caused malformed environment variables (empty HOME). The logic correctly mirrors build_sudo_cmd while producing unescaped string parts suitable for std::process::Command::new().args().

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

src/commands.rs (1)

492-497: SUDO_ASKPASS inconsistency still present (duplicate issue from past review).

The SUDO_ASKPASS environment variable is only set when the strategy is exactly Force("sudo"), but build_sudo_parts() (line 432) adds the -A flag whenever the resolved program is sudo, regardless of strategy (Auto, Prefer, or Force).

This inconsistency means:

• ElevationStrategy::Auto or Prefer that resolves to sudo with NH_SUDO_ASKPASS set → -A flag added but SUDO_ASKPASS env NOT set
• This will cause sudo to fail with "sudo: no askpass program specified"

Apply this diff to check the resolved program name instead of the strategy variant:

-    if let Some(ElevationStrategy::Force("sudo")) = cmd_builder.elevate.as_ref()
-    {
+    // Set SUDO_ASKPASS environment variable when using sudo
+    let sudo_parts = cmd_builder.build_sudo_parts()?;
+    // Check if first part is sudo by examining the resolved program
+    if sudo_parts[0].contains("sudo") {
       if let Ok(askpass) = std::env::var("NH_SUDO_ASKPASS") {
         std_cmd.env("SUDO_ASKPASS", askpass);
       }
     }
+    
+    // Use the sudo_parts we already built
+    let mut std_cmd = std::process::Command::new(&sudo_parts[0]);
+    if sudo_parts.len() > 1 {
+      std_cmd.args(&sudo_parts[1..]);
+    }
-    
-    let mut sudo_parts = cmd_builder.build_sudo_parts()?;
-
-    // Add the target executable and arguments
-    sudo_parts.push(current_exe.to_string_lossy().to_string());
-    let args: Vec<String> = std::env::args().skip(1).collect();
-    sudo_parts.extend(args);
-
-    let mut std_cmd = std::process::Command::new(&sudo_parts[0]);
-    if sudo_parts.len() > 1 {
-      std_cmd.args(&sudo_parts[1..]);
-    }

Note: You'll need to add the executable and args to sudo_parts before the SUDO_ASKPASS check, or restructure to avoid building sudo_parts twice.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3644e2d and 6f934ba.

📒 Files selected for processing (1)

• src/commands.rs (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/commands.rs (1)

src/checks.rs (1)

• new (338-347)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build NH on Darwin
• GitHub Check: Build NH on Linux
• GitHub Check: Test NH on Linux
• GitHub Check: Test NH on Darwin
• GitHub Check: treewide-checks

🔇 Additional comments (1)

src/commands.rs (1)

416-460: LGTM! Clean helper design for building elevation command parts.

The build_sudo_parts() helper cleanly separates the elevation command construction into reusable parts. Returning Vec<String> provides flexibility for assembling commands with std::process::Command in self_elevate_cmd.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/commands.rs (2)

416-460: LGTM! Consider consolidating with build_sudo_cmd if possible.

The build_sudo_parts helper correctly constructs elevation command parts as a Vec<String>, which avoids the shell escaping issues mentioned in the PR discussion. The logic for resolving the program, adding the -A flag, and building environment parts is sound.

Minor observation: There's some code duplication between build_sudo_parts and the existing build_sudo_cmd method (lines 365-414). If build_sudo_cmd is being phased out in favor of the new approach, consider adding a comment or deprecation notice. Otherwise, consider whether the common logic could be extracted to reduce duplication.

---

480-497: Consider more robust SUDO_ASKPASS handling.

The implementation works correctly but has a fragile check at line 493. The condition sudo_parts[1] == "-A" assumes the -A flag is always at index 1 when present. While this matches the current build_sudo_parts implementation, it could break if that method is refactored to add other flags or arguments before -A.

Apply this diff for a more robust approach:

-    // check if using SUDO_ASKPASS
-    if sudo_parts[1] == "-A" {
+    // Set SUDO_ASKPASS if using sudo with -A flag
+    if sudo_parts.contains(&"-A".to_string()) {
       if let Ok(askpass) = std::env::var("NH_SUDO_ASKPASS") {
         std_cmd.env("SUDO_ASKPASS", askpass);
       }
     }

Alternatively, you could check the resolved program name and NH_SUDO_ASKPASS directly:

// Set SUDO_ASKPASS when using sudo with askpass
let elevation_program = cmd_builder
  .elevate
  .as_ref()
  .unwrap()
  .resolve()?;
  
if elevation_program.file_name().and_then(|n| n.to_str()) == Some("sudo") {
  if let Ok(askpass) = std::env::var("NH_SUDO_ASKPASS") {
    std_cmd.env("SUDO_ASKPASS", askpass);
  }
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6f934ba and 395d3c9.

📒 Files selected for processing (1)

• src/commands.rs (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

src/commands.rs (1)

src/checks.rs (1)

• new (338-347)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Build NH on Darwin
• GitHub Check: Test NH on Linux
• GitHub Check: Build NH on Linux
• GitHub Check: Test NH on Darwin
• GitHub Check: treewide-checks

🔇 Additional comments (1)

src/commands.rs (1)

299-305: LGTM! Verify the fix resolves the warning on macOS.

The conditional self.elevate.is_some() && cfg!(target_os = "macos") correctly applies HOME="" only to elevated commands on macOS, which should resolve the "$HOME is not owned by you" warning per the linked Nix source and PR objectives.

Please verify that running nh clean all on macOS no longer produces the warning. If possible, test both elevated and non-elevated commands to ensure HOME handling is correct in both cases.

[NotAShelf]

Sorry for the delay, I've been a little occupied with other projects that are demanding my attention. If you could just rebase this on the current master, I'll try to review this week before I prepare for the 4.3 release.

I apologize in advance if I'm not able to review in time, there is an immediate health concern that might take me out of commission for some time. But I'm sure other Darwin users would appreciate a rebased branch to use your fork for a while if I can merge it in time.

[Parsifa1]

i can't fix the failing check...

[Parsifa1]

I did the rebase :)

I've probably been a bit busy lately as well and most likely won't have time to respond to the review :(
Thanks a lot!

[Parsifa1]

there are some error in #451, so there will have one failed check :(

[NotAShelf]

Checks failing are fine. GH actions are archaic, and they're usually not my metric for a merge.>

I'll try to review the PR this week, perhaps after Monday. Thank you for rebasing :)

[github-actions]

Performance Comparison →

Total Elapsed Time: 326.10ms → 26.84s (+8130.2%) ⚠️

Profiling Mode: timing - Execution duration of functions.

+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| Function                           | Calls            | Avg                              | P95                              | Total                            | % Total                      |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| main                               | 1 → 1 (+0.0%)    | 325.45ms → 26.84s (+8146.4%) ⚠️  | 325.58ms → 26.84s (+8144.8%) ⚠️  | 325.45ms → 26.84s (+8146.4%) ⚠️  | 100.00% → 100.00% (+0.0%)    |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::search::run                    | 1 → 1 (+0.0%)    | 274.51ms → 26.79s (+9657.6%) ⚠️  | 274.73ms → 26.79s (+9652.7%) ⚠️  | 274.51ms → 26.79s (+9657.6%) ⚠️  | 84.34% → 99.80% (+18.3%)     |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| http_request                       | 1 → 1 (+0.0%)    | 75.19ms → 257.25ms (+242.1%) ⚠️  | 75.24ms → 257.29ms (+242.0%) ⚠️  | 75.19ms → 257.25ms (+242.1%) ⚠️  | 23.10% → 0.95% (-95.9%) 🚀   |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::checks::verify_nix_environment | 1 → 1 (+0.0%)    | 50.37ms → 51.92ms (+3.1%)        | 50.40ms → 51.94ms (+3.1%)        | 50.37ms → 51.92ms (+3.1%)        | 15.47% → 0.19% (-98.8%) 🚀   |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::checks::check_nix_version      | 1 → 1 (+0.0%)    | 50.36ms → 51.91ms (+3.1%)        | 50.36ms → 51.94ms (+3.1%)        | 50.36ms → 51.91ms (+3.1%)        | 15.47% → 0.19% (-98.8%) 🚀   |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::util::get_nix_version          | 1 → 1 (+0.0%)    | 24.35ms → 24.35ms (-0.0%)        | 24.36ms → 24.36ms (+0.0%)        | 24.35ms → 24.35ms (-0.0%)        | 7.48% → 0.09% (-98.8%) 🚀    |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| json_parse                         | 1 → 1 (+0.0%)    | 4.40ms → 4.33ms (-1.5%)          | 4.40ms → 4.33ms (-1.6%)          | 4.40ms → 4.33ms (-1.5%)          | 1.35% → 0.01% (-99.3%) 🚀    |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+

---

Generated with hotpath-rs

📊 View Raw JSON Metrics

PR Metrics

{
  "hotpath_profiling_mode": "timing",
  "total_elapsed": 26838437803,
  "description": "Execution duration of functions.",
  "caller_name": "main",
  "output": {
    "json_parse": {
      "calls": 1,
      "avg": 4328724,
      "p95": 4329471,
      "total": 4328724,
      "percent_total": 1
    },
    "nh::checks::verify_nix_environment": {
      "calls": 1,
      "avg": 51918290,
      "p95": 51937279,
      "total": 51918290,
      "percent_total": 19
    },
    "nh::checks::check_nix_version": {
      "calls": 1,
      "avg": 51911848,
      "p95": 51937279,
      "total": 51911848,
      "percent_total": 19
    },
    "nh::util::get_nix_version": {
      "calls": 1,
      "avg": 24347053,
      "p95": 24363007,
      "total": 24347053,
      "percent_total": 9
    },
    "main": {
      "calls": 1,
      "avg": 26837818714,
      "p95": 26843545599,
      "total": 26837818714,
      "percent_total": 10000
    },
    "http_request": {
      "calls": 1,
      "avg": 257251172,
      "p95": 257294335,
      "total": 257251172,
      "percent_total": 95
    },
    "nh::search::run": {
      "calls": 1,
      "avg": 26785289886,
      "p95": 26793213951,
      "total": 26785289886,
      "percent_total": 9980
    }
  }
}

Main Branch Metrics

{
  "hotpath_profiling_mode": "timing",
  "total_elapsed": 326096906,
  "description": "Execution duration of functions.",
  "caller_name": "main",
  "output": {
    "nh::checks::verify_nix_environment": {
      "calls": 1,
      "avg": 50367950,
      "p95": 50397183,
      "total": 50367950,
      "percent_total": 1547
    },
    "http_request": {
      "calls": 1,
      "avg": 75192867,
      "p95": 75235327,
      "total": 75192867,
      "percent_total": 2310
    },
    "nh::search::run": {
      "calls": 1,
      "avg": 274507421,
      "p95": 274726911,
      "total": 274507421,
      "percent_total": 8434
    },
    "json_parse": {
      "calls": 1,
      "avg": 4396225,
      "p95": 4399103,
      "total": 4396225,
      "percent_total": 135
    },
    "nh::checks::check_nix_version": {
      "calls": 1,
      "avg": 50362880,
      "p95": 50364415,
      "total": 50362880,
      "percent_total": 1547
    },
    "nh::util::get_nix_version": {
      "calls": 1,
      "avg": 24354560,
      "p95": 24363007,
      "total": 24354560,
      "percent_total": 748
    },
    "main": {
      "calls": 1,
      "avg": 325449511,
      "p95": 325582847,
      "total": 325449511,
      "percent_total": 10000
    }
  }
}

[github-actions]

Performance Comparison →

Total Elapsed Time: 344.56ms → 331.33ms (-3.8%)

Profiling Mode: alloc_bytes_total - Cumulative bytes allocated during each function call (including nested calls).

+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| Function                           | Calls            | Avg                              | P95                              | Total                            | % Total                      |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| main                               | 1 → 1 (+0.0%)    | 2.3 MB → 2.3 MB (+0.0%)          | 2.3 MB → 2.3 MB (+0.0%)          | 2.3 MB → 2.3 MB (+0.0%)          | 100.00% → 100.00% (+0.0%)    |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::checks::verify_nix_environment | 1 → 1 (+0.0%)    | 1017.8 KB → 1017.8 KB (+0.0%)    | 1018.0 KB → 1018.0 KB (+0.0%)    | 1017.8 KB → 1017.8 KB (+0.0%)    | 44.00% → 44.00% (+0.0%)      |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::checks::check_nix_version      | 1 → 1 (+0.0%)    | 1017.8 KB → 1017.8 KB (+0.0%)    | 1018.0 KB → 1018.0 KB (+0.0%)    | 1017.8 KB → 1017.8 KB (+0.0%)    | 44.00% → 44.00% (+0.0%)      |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::search::run                    | 1 → 1 (+0.0%)    | 372.4 KB → 372.4 KB (+0.0%)      | 372.5 KB → 372.5 KB (+0.0%)      | 372.4 KB → 372.4 KB (+0.0%)      | 16.09% → 16.09% (+0.0%)      |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| json_parse                         | 1 → 1 (+0.0%)    | 152.3 KB → 152.3 KB (+0.0%)      | 152.4 KB → 152.4 KB (+0.0%)      | 152.3 KB → 152.3 KB (+0.0%)      | 6.58% → 6.58% (+0.0%)        |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| nh::util::get_nix_version          | 1 → 1 (+0.0%)    | 824 B → 824 B (+0.0%)            | 824 B → 824 B (+0.0%)            | 824 B → 824 B (+0.0%)            | 0.03% → 0.03% (+0.0%)        |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+
| http_request                       | 1 → 1 (+0.0%)    | 325 B → 325 B (+0.0%)            | 325 B → 325 B (+0.0%)            | 325 B → 325 B (+0.0%)            | 0.01% → 0.01% (+0.0%)        |
+------------------------------------+------------------+----------------------------------+----------------------------------+----------------------------------+------------------------------+

---

Generated with hotpath

📊 View Raw JSON Metrics

PR Metrics

{
  "hotpath_profiling_mode": "alloc-bytes-total",
  "total_elapsed": 331330064,
  "description": "Cumulative bytes allocated during each function call (including nested calls).",
  "caller_name": "main",
  "output": {
    "nh::checks::verify_nix_environment": {
      "calls": 1,
      "avg": 1042176,
      "p95": 1042431,
      "total": 1042176,
      "percent_total": 4400
    },
    "nh::util::get_nix_version": {
      "calls": 1,
      "avg": 824,
      "p95": 824,
      "total": 824,
      "percent_total": 3
    },
    "http_request": {
      "calls": 1,
      "avg": 325,
      "p95": 325,
      "total": 325,
      "percent_total": 1
    },
    "main": {
      "calls": 1,
      "avg": 2368512,
      "p95": 2369535,
      "total": 2368512,
      "percent_total": 10000
    },
    "nh::search::run": {
      "calls": 1,
      "avg": 381312,
      "p95": 381439,
      "total": 381312,
      "percent_total": 1609
    },
    "json_parse": {
      "calls": 1,
      "avg": 155968,
      "p95": 156031,
      "total": 155968,
      "percent_total": 658
    },
    "nh::checks::check_nix_version": {
      "calls": 1,
      "avg": 1042176,
      "p95": 1042431,
      "total": 1042176,
      "percent_total": 4400
    }
  }
}

Main Branch Metrics

{
  "hotpath_profiling_mode": "alloc-bytes-total",
  "total_elapsed": 344557534,
  "description": "Cumulative bytes allocated during each function call (including nested calls).",
  "caller_name": "main",
  "output": {
    "http_request": {
      "calls": 1,
      "avg": 325,
      "p95": 325,
      "total": 325,
      "percent_total": 1
    },
    "json_parse": {
      "calls": 1,
      "avg": 155968,
      "p95": 156031,
      "total": 155968,
      "percent_total": 658
    },
    "main": {
      "calls": 1,
      "avg": 2368512,
      "p95": 2369535,
      "total": 2368512,
      "percent_total": 10000
    },
    "nh::search::run": {
      "calls": 1,
      "avg": 381312,
      "p95": 381439,
      "total": 381312,
      "percent_total": 1609
    },
    "nh::checks::verify_nix_environment": {
      "calls": 1,
      "avg": 1042176,
      "p95": 1042431,
      "total": 1042176,
      "percent_total": 4400
    },
    "nh::checks::check_nix_version": {
      "calls": 1,
      "avg": 1042176,
      "p95": 1042431,
      "total": 1042176,
      "percent_total": 4400
    },
    "nh::util::get_nix_version": {
      "calls": 1,
      "avg": 824,
      "p95": 824,
      "total": 824,
      "percent_total": 3
    }
  }
}

[NotAShelf]

Nice, the CI is finally working. I don't know why it insists that there's a regression, but it seems to do that for all PRs so I'll assume it's on my end. I'll try to review this tomorrow after work.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/commands.rs (1)

537-542: Prefer safer bounds checking for the askpass flag.

The index-based check sudo_parts[1] == "-A" is fragile and tightly couples this code to the internal ordering of build_sudo_parts. While currently safe (minimum length is 2), future modifications could silently break this assumption.

Consider using safer access:

-    // check if using SUDO_ASKPASS
-    if sudo_parts[1] == "-A" {
+    // check if using SUDO_ASKPASS
+    if sudo_parts.get(1).map_or(false, |s| s == "-A") {
       if let Ok(askpass) = std::env::var("NH_SUDO_ASKPASS") {
         std_cmd.env("SUDO_ASKPASS", askpass);
       }
     }

Alternatively, consider returning a struct from build_sudo_parts that explicitly indicates whether askpass is enabled, making the intent clearer and the code more maintainable.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b74395 and b95240b.

📒 Files selected for processing (1)

• src/commands.rs (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: treewide-checks
• GitHub Check: Test NH on Linux
• GitHub Check: Test NH on Darwin
• GitHub Check: profile
• GitHub Check: Build NH on Linux

🔇 Additional comments (2)

src/commands.rs (2)

344-350: macOS HOME handling looks correct.

The conditional properly restricts HOME="" to elevated commands on macOS only, which aligns with the PR objective to fix the ownership warning. The Nix source reference supports this approach.

---

461-505: LGTM! Helper function correctly constructs elevation command parts.

The build_sudo_parts helper properly mirrors the elevation logic, constructs the command parts without shell escaping issues, and maintains the same environment handling as build_sudo_cmd.