From b77b2c22c1b685c4aba894e4fd424318081b26e9 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 27 Mar 2024 15:53:11 +0100
Subject: [PATCH] Add test

(cherry picked from commit 00ce36fafe175ba607522a9c9d549a604ed00522)
---
 tests/nixos/github-flakes.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/nixos/github-flakes.nix b/tests/nixos/github-flakes.nix
index 6f8a5b9d8..221045009 100644
--- a/tests/nixos/github-flakes.nix
+++ b/tests/nixos/github-flakes.nix
@@ -187,9 +187,14 @@ in
     client.succeed("nix flake metadata nixpkgs --tarball-ttl 0 >&2")
 
     # Test fetchTree on a github URL.
-    hash = client.succeed(f"nix eval --raw --expr '(fetchTree {info['url']}).narHash'")
+    hash = client.succeed(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr '(fetchTree {info['url']}).narHash'")
     assert hash == info['locked']['narHash']
 
+    # Fetching without a narHash should succeed if trust-github is set and fail otherwise.
+    client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'")
+    out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1")
+    assert "will not fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error"
+
     # Shut down the web server. The flake should be cached on the client.
     github.succeed("systemctl stop httpd.service")