nixops deploy --build-only can corrupt the state #1499

@roberth

Description

Workaround (Hercules CI Effects users)

Use runIf instead of action = "build";. This will perform a pure build instead of running nixops with access to the state.

To Reproduce

  1. nixops deploy on production branch
  2. create feature branch, which removes some nodes, adds some
  3. nixops deploy --build-only on feature branch
  4. nixops deploy --build-only on feature branch
  5. nixops deploy --build-only on feature branch
  6. nixops check locally on production branch
  7. nodes that aren't in the feature branch are missing from the production state!

I was lucky to notice the problem in nixops check; I don't know what would've happened if the next step had been nixops deploy from production.
I'm also glad that I took the precaution of using the Hercules CI state backend, which preserves old state revisions remotely.

Suggested fix

  • run the deploy command with the state db in read-only mode, if certain flags are present, such as --build-only.
  • make the rest of the deploy code work with that change
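
As an added illustration of the first suggestion (not nixops' own code, and not from the issue author): a hypothetical, minimal model of a SQLite-backed state file that is opened with SQLite's URI `mode=ro` whenever a no-write flag such as --build-only is present, so the database itself rejects any write the deploy code attempts and the production node set survives a build-only run against a branch that removes and adds nodes. The `nodes` table, the `READ_ONLY_FLAGS` set and the node names are all assumptions made for the example.

```python
import contextlib, os, sqlite3, tempfile

# Hypothetical stand-in for a deployment state store (not nixops' own code).
READ_ONLY_FLAGS = {"--build-only"}  # assumed: flags that must never write state

def open_state(db_path, flags=()):
    """Open the state db; with a no-write flag, use SQLite's URI mode=ro so the
    database itself rejects every write the deploy code might attempt."""
    if READ_ONLY_FLAGS & set(flags):
        return sqlite3.connect(f"file:{os.path.abspath(db_path)}?mode=ro", uri=True)
    return sqlite3.connect(db_path)

def init_state(db_path, nodes):
    # Write a fresh state file listing `nodes` (assumed one-table schema).
    with contextlib.closing(open_state(db_path)) as conn:
        conn.execute("CREATE TABLE nodes (name TEXT PRIMARY KEY)")
        conn.executemany("INSERT INTO nodes VALUES (?)", [(n,) for n in nodes])
        conn.commit()

def stored_nodes(db_path):
    # Node names currently recorded in the state file (read-only access).
    with contextlib.closing(open_state(db_path, READ_ONLY_FLAGS)) as conn:
        return {row[0] for row in conn.execute("SELECT name FROM nodes")}

def deploy(db_path, spec_nodes, flags=()):
    """The node add/remove part of a deploy. Returns the persisted node set."""
    with contextlib.closing(open_state(db_path, flags)) as conn:
        stored = {row[0] for row in conn.execute("SELECT name FROM nodes")}
        try:
            for gone in stored - set(spec_nodes):
                conn.execute("DELETE FROM nodes WHERE name = ?", (gone,))
            for new in set(spec_nodes) - stored:
                conn.execute("INSERT INTO nodes VALUES (?)", (new,))
            conn.commit()
        except sqlite3.OperationalError as err:
            conn.rollback()  # under mode=ro the first write fails; nothing persists
            raise PermissionError(f"state write blocked by {flags}: {err}") from err
    return stored_nodes(db_path)

def demo():
    # Replays the issue's scenario on a constructed state file.
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "state.sqlite")
        init_state(db, ["web1", "web2", "db1"])      # production state
        feature = ["web1", "cache1"]                 # feature branch: nodes removed/added
        try:
            deploy(db, feature, flags=("--build-only",))
            blocked = False
        except PermissionError:
            blocked = True
        after_build_only = stored_nodes(db)          # expected: unchanged
        after_real_deploy = deploy(db, feature)      # a normal deploy may write
        return blocked, after_build_only, after_real_deploy
```

Running `demo()` shows the build-only run being refused at its first write with the production node set intact, while the same reconciliation without the flag rewrites the state as a real deploy would.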
