From 454a0ff7744963433c03ab813cf9309be5c6b0a9 Mon Sep 17 00:00:00 2001
From: Arun Isaac
Date: Mon, 7 Oct 2024 15:46:58 +0100
Subject: bin: Load manifests without their definitions leaking out.

* bin/ravanan: Do not import (gnu packages) and (guix profiles).
(load-manifest): New function.
(main): Use load-manifest.
---
 bin/ravanan | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

(limited to 'bin')

diff --git a/bin/ravanan b/bin/ravanan
index 2b44163..19bb8b5 100755
--- a/bin/ravanan
+++ b/bin/ravanan
@@ -29,11 +29,7 @@ exec guile --no-auto-compile -e main -s "$0" "$@"
              (json)
              (ravanan reader)
              (ravanan utils)
-             (ravanan workflow)
-
-             ;; required to load manifest files
-             (gnu packages)
-             (guix profiles))
+             (ravanan workflow))
 
 (define %options
   (list (option (list "batch-system" "batchSystem") #t #f
@@ -101,6 +97,27 @@ files that have the token in the @verbatim{SLURM_JWT=token} format."
              string-trim-both
              get-string-all)))
 
+(define (load-manifest manifest-file)
+  "Load manifest from @var{manifest-file} and return it."
+  ;; We load the manifest file into a dummy module of its own so that any
+  ;; definitions from there don't leak out. We also ensure that this dummy
+  ;; module is different for different manifest files so that definitions from
+  ;; one manifest file don't leak into other manifest files.
+  (let ((manifest-file-path (canonicalize-file-name manifest-file))
+        (manifest-module (resolve-module (match (file-name-split manifest-file-path)
+                                           (("" parts ...)
+                                            (map string->symbol parts))))))
+    ;; Import modules required for loading manifests.
+    (for-each (lambda (module-name)
+                (module-use! manifest-module (resolve-interface module-name)))
+              '((guile)
+                (gnu packages)
+                (guix profiles)))
+    (save-module-excursion
+     (lambda ()
+       (set-current-module manifest-module)
+       (load manifest-file-path)))))
+
 (define main
   (match-lambda
     ((program args ...)
@@ -134,8 +151,9 @@ files that have the token in the @verbatim{SLURM_JWT=token} format."
           ;; We must not try to compile guix manifest files.
           (set! %load-should-auto-compile #f)
           (scm->json (run-workflow (file-name-stem workflow-file)
-                                   (load (canonicalize-path
-                                          (assq-ref args 'guix-manifest-file)))
+                                   (load-manifest
+                                    (canonicalize-path
+                                     (assq-ref args 'guix-manifest-file)))
                                    (read-workflow workflow-file)
                                    (read-inputs inputs-file)
                                    (case (assq-ref args 'batch-system)
-- 
cgit v1.2.3