From bfc558c972aa8d6f5ef15a3e720bed964925ae32 Mon Sep 17 00:00:00 2001
From: Archit Gupta <archit@accelbread.com>
Date: Fri, 14 Apr 2023 11:33:38 -0700
Subject: [PATCH] Whitelist commit-lockfile-summary in flake nixConfig

---
 src/libexpr/flake/config.cc | 2 +-
 src/nix/flake.md            | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/libexpr/flake/config.cc b/src/libexpr/flake/config.cc
index 89ddbde7e..e89014862 100644
--- a/src/libexpr/flake/config.cc
+++ b/src/libexpr/flake/config.cc
@@ -31,7 +31,7 @@ static void writeTrustedList(const TrustedList & trustedList)
 
 void ConfigFile::apply()
 {
-    std::set<std::string> whitelist{"bash-prompt", "bash-prompt-prefix", "bash-prompt-suffix", "flake-registry"};
+    std::set<std::string> whitelist{"bash-prompt", "bash-prompt-prefix", "bash-prompt-suffix", "flake-registry", "commit-lockfile-summary"};
 
     for (auto & [name, value] : settings) {
 
diff --git a/src/nix/flake.md b/src/nix/flake.md
index d70f34eeb..965f6eb48 100644
--- a/src/nix/flake.md
+++ b/src/nix/flake.md
@@ -382,9 +382,9 @@ The following attributes are supported in `flake.nix`:
 * `nixConfig`: a set of `nix.conf` options to be set when evaluating any
   part of a flake. In the interests of security, only a small set of
   whitelisted options (currently `bash-prompt`, `bash-prompt-prefix`,
-  `bash-prompt-suffix`, and `flake-registry`) are allowed to be set without
-  confirmation so long as `accept-flake-config` is not set in the global
-  configuration.
+  `bash-prompt-suffix`, `flake-registry`, and `commit-lockfile-summary`)
+  are allowed to be set without confirmation so long as `accept-flake-config`
+  is not set in the global configuration.
 
 ## Flake inputs