Pin safe-write Python in OpenClaw wrapper

Bundle a Nix Python path inside the OpenClaw batteries wrapper for the safe-write helper. This avoids macOS /usr/bin/python3 triggering the Xcode command-line-tools shim on headless hosts, without exposing Python on the user PATH.

Tests: nix build .#checks.aarch64-darwin.qmd-runtime --no-link; nix eval .#checks.x86_64-linux.qmd-runtime.name; scripts/check-flake-lock-owners.sh; git diff --check
joshp123 2026-05-06 10:37:25 +02:00
parent 32f0772a59
commit 7f55c0bd7b
3 changed files with 16 additions and 2 deletions


@ -2,6 +2,7 @@
lib,
stdenvNoCC,
makeWrapper,
python3Minimal,
openclaw-gateway,
openclaw-app ? null,
extendedTools ? [ ],
@ -28,6 +29,7 @@ stdenvNoCC.mkDerivation {
env = {
OPENCLAW_APP_PACKAGE = lib.optionalString (openclaw-app != null) "${openclaw-app}";
OPENCLAW_GATEWAY_BIN = "${openclaw-gateway}/bin/openclaw";
OPENCLAW_PINNED_WRITE_PYTHON = "${python3Minimal}/bin/python3";
OPENCLAW_TOOLS_PATH = toolsPath;
STDENV_SETUP = "${stdenvNoCC}/setup";
};


@ -31,6 +31,10 @@ if ! grep -q "${QMD_PACKAGE}/bin" "$openclaw_bin"; then
echo "openclaw wrapper does not include qmd on the internal runtime PATH" >&2
exit 1
fi
if ! grep -q "OPENCLAW_PINNED_WRITE_PYTHON" "$openclaw_bin"; then
echo "openclaw wrapper does not pin a Nix Python for safe writes" >&2
exit 1
fi
tmp_dir="$(mktemp -d)"
trap 'rm -rf "$tmp_dir"' EXIT
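Review bot: The added `grep -q "OPENCLAW_PINNED_WRITE_PYTHON" "$openclaw_bin"` only proves the variable name appears somewhere in the wrapper; a wrapper that merely reads the variable from the caller's environment, or one that sets it to `/usr/bin/python3`, would pass this check, which is the very situation the commit is meant to rule out. Since the goal is a store-pinned interpreter, assert the baked-in value instead, e.g. `if ! grep -Eq "OPENCLAW_PINNED_WRITE_PYTHON=['\"]?/nix/store/" "$openclaw_bin"; then`, or, if the check derivation exposes the Python package the way it exposes `QMD_PACKAGE` in the preceding grep, match `${PYTHON_PACKAGE}/bin/python3` directly. A follow-up that extracts the path and tests `[ -x "$path" ]` would mirror the executability check the builder already performs. The `export NAME='value'` form is assumed from makeWrapper's usual output; confirm against a built wrapper before tightening the pattern.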


@ -9,6 +9,14 @@ if [ ! -x "$OPENCLAW_GATEWAY_BIN" ]; then
echo "OPENCLAW_GATEWAY_BIN is not executable: $OPENCLAW_GATEWAY_BIN" >&2
exit 1
fi
if [ -z "${OPENCLAW_PINNED_WRITE_PYTHON:-}" ]; then
echo "OPENCLAW_PINNED_WRITE_PYTHON is not set" >&2
exit 1
fi
if [ ! -x "$OPENCLAW_PINNED_WRITE_PYTHON" ]; then
echo "OPENCLAW_PINNED_WRITE_PYTHON is not executable: $OPENCLAW_PINNED_WRITE_PYTHON" >&2
exit 1
fi
if [ -z "${STDENV_SETUP:-}" ]; then
echo "STDENV_SETUP is not set" >&2
exit 1
@ -21,9 +29,9 @@ fi
mkdir -p "$out/bin"
if [ -n "${OPENCLAW_TOOLS_PATH:-}" ]; then
bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --prefix PATH : "$OPENCLAW_TOOLS_PATH"'
bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON" --prefix PATH : "$OPENCLAW_TOOLS_PATH"'
else
bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw"'
bash -e -c '. "$STDENV_SETUP"; makeWrapper "$OPENCLAW_GATEWAY_BIN" "$out/bin/openclaw" --set OPENCLAW_PINNED_WRITE_PYTHON "$OPENCLAW_PINNED_WRITE_PYTHON"'
fi
if [ -n "${OPENCLAW_APP_PACKAGE:-}" ]; then