[add] migrate allow_insecure from lockfile to config

internal/devbox/devbox.go

@@ -113,9 +113,16 @@ func Open(opts *devopt.Opts) (*Devbox, error) {
 	}
 	// if lockfile has any allow insecure, we need to set the env var to ensure
 	// all nix commands work.
-	if lock.HasAllowInsecurePackages() {
-		nix.AllowInsecurePackages()
+	if err := box.moveAllowInsecureFromLockfile(box.stderr, lock, cfg); err != nil {
+		ux.Fwarning(
+			box.stderr,
+			"Failed to move allow_insecure from devbox.lock to devbox.json. An insecure package may "+
+				"not work until you invoke `devbox add <pkg> --allow-insecure=<packages>` again: %s\n",
+			err,
+		)
+		// continue on, since we do not want to block user.
 	}
+
 	box.pluginManager.ApplyOptions(
 		plugin.WithDevbox(box),
 		plugin.WithLockfile(lock),

internal/devbox/packages.go

@@ -6,6 +6,7 @@ package devbox
 import (
 	"context"
 	"fmt"
+	"io"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -17,8 +18,10 @@ import (
 	"github.com/pkg/errors"
 	"github.com/samber/lo"
 	"go.jetpack.io/devbox/internal/devbox/devopt"
+	"go.jetpack.io/devbox/internal/devconfig"
 	"go.jetpack.io/devbox/internal/devpkg"
 	"go.jetpack.io/devbox/internal/devpkg/pkgtype"
+	"go.jetpack.io/devbox/internal/lock"
 	"go.jetpack.io/devbox/internal/nix/nixprofile"
 	"go.jetpack.io/devbox/internal/shellgen"
 
@@ -516,3 +519,51 @@ func (d *Devbox) packagesToInstallInProfile(ctx context.Context) ([]*devpkg.Pack
 	}
 	return packagesToInstall, nil
 }
+
+// moveAllowInsecureFromLockfile will modernize a Devbox project by moving the allow_insecure: boolean
+// setting from the devbox.lock file to the corresponding package in devbox.json.
+//
+// NOTE: ideally, this function would be in devconfig, but it leads to an import cycle with devpkg, so
+// leaving in this "top-level" devbox package where we can import devconfig, devpkg and lock.
+func (d *Devbox) moveAllowInsecureFromLockfile(writer io.Writer, lockfile *lock.File, cfg *devconfig.Config) error {
+	if !lockfile.HasAllowInsecurePackages() {
+		return nil
+	}
+
+	insecurePackages := []string{}
+	for name, pkg := range lockfile.Packages {
+		if pkg.AllowInsecure {
+			insecurePackages = append(insecurePackages, name)
+		}
+		pkg.AllowInsecure = false
+	}
+
+	// Set the devbox.json packages to allow_insecure
+	for _, versionedName := range insecurePackages {
+		pkg := devpkg.PackageFromStringWithDefaults(versionedName, lockfile)
+		storeName, err := pkg.StoreName()
+		if err != nil {
+			return fmt.Errorf("failed to get package's store name for package %q with error %w", versionedName, err)
+		}
+		if err := cfg.Packages.SetAllowInsecure(writer, versionedName, []string{storeName}); err != nil {
+			return fmt.Errorf("failed to set allow_insecure in devbox.json for package %q with error %w", versionedName, err)
+		}
+	}
+
+	if err := d.saveCfg(); err != nil {
+		return err
+	}
+
+	// Now, clear it from the lockfile
+	if err := lockfile.Save(); err != nil {
+		return err
+	}
+
+	ux.Finfo(
+		writer,
+		"Modernized the allow_insecure setting for package %q by moving it from devbox.lock to devbox.json. Please commit the changes.\n",
+		strings.Join(insecurePackages, ", "),
+	)
+
+	return nil
+}

testscripts/testrunner/examplesrunner.go

@@ -75,12 +75,6 @@ func RunDevboxTestscripts(t *testing.T, dir string) {
 			return nil
 		}
 
-		if strings.Contains(path, "insecure") {
-			// TODO: next PR will fix this
-			t.Logf("skipping insecure, config at: %s\n", path)
-			return nil
-		}
-
 		t.Logf("running testscript for example: %s\n", path)
 		runSingleDevboxTestscript(t, dir, path)
 		return nil