#18405 · @HacknBashe · opened Mar 20, 2026 at 2:32 PM UTC · last updated Mar 21, 2026 at 2:30 AM UTC
fix(nix): pass NODE_EXTRA_CA_CERTS through to bun in node_modules build
Summary
This PR fixes a critical build failure in Nix environments for users behind corporate TLS proxies. It addresses the SELF_SIGNED_CERT_IN_CHAIN error by correctly passing NODE_EXTRA_CA_CERTS to Bun during the build process. This is a small, focused change with clear impact.
Description
Issue for this PR
Closes #18407
Type of change
- [x] Bug fix
- [ ] New feature
- [ ] Refactor / code improvement
- [ ] Documentation
What does this PR do?
Adds NODE_EXTRA_CA_CERTS to impureEnvVars in the node_modules fixed-output derivation.
Corporate environments with TLS inspection proxies inject their own CA certificates into the chain. This causes bun to fail with SELF_SIGNED_CERT_IN_CHAIN when fetching GitHub tarballs (e.g. ghostty-web) during the nix build.
lib.fetchers.proxyImpureEnvVars already includes NIX_SSL_CERT_FILE, but bun ignores that and only reads NODE_EXTRA_CA_CERTS. Without it in impureEnvVars, there's no way to pass a custom CA bundle through to bun in the sandboxed build.
How did you verify your code works?
I no longer see the self-signed cert error when building my nix flake against my local opencode repo with this change.

```nix
opencode = {
  url = "path:/Users/**/src/opencode";
  inputs.nixpkgs.follows = "nixpkgs";
};
```
Screenshots / recordings
```text
error: Cannot build '/nix/store/gkas8rz3acaf0ki1yxgh2p5g5vsn33yg-opencode-node_modules-1.2.27-dirty.drv'.
Reason: builder failed with exit code 1.
Output paths:
/nix/store/p4f478rz4w49p6jlywsrkgw4kbmnz427-opencode-node_modules-1.2.27-dirty
Last 11 log lines:
> Running phase: unpackPhase
> unpacking source archive /nix/store/n45409qd16qldkr02dn2f8rq4wj7bd73-source
> source root is source
> Running phase: patchPhase
> Running phase: updateAutotoolsGnuConfigScriptsPhase
> Running phase: buildPhase
> bun install v1.3.10 (30e609e0)
> Resolving dependencies
> Resolved, downloaded and extracted [434]
> error: SELF_SIGNED_CERT_IN_CHAIN downloading tarball ghostty-web@github:anomalyco/ghostty-web#main
> error: ghostty-web@github:anomalyco/ghostty-web#main failed to resolve
```

(old error that is gone)
Checklist
- [x] I have tested my changes locally
- [x] I have not included unrelated changes in this PR
If you do not follow this template your PR will be automatically rejected.
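The mechanism the description relies on, as an added illustration that is not the opencode repo's own nix/node_modules.nix: a minimal fixed-output derivation for node_modules whose impureEnvVars forward the proxy variables plus NODE_EXTRA_CA_CERTS, so a corporate CA bundle reaches bun inside the sandbox. The pname, src and outputHash arguments are assumed placeholders.

```nix
# Added example, not the project's code: a fixed-output derivation (FOD) that
# runs `bun install` with network access while pinning the result to outputHash.
{ lib, stdenv, bun, src, outputHash }:

stdenv.mkDerivation {
  pname = "example-node_modules";   # placeholder name
  version = "0.0.0";                # placeholder version
  inherit src;

  nativeBuildInputs = [ bun ];

  # FOD settings: the sandbox allows network here, but the output must match
  # outputHash, so the trusted CA bundle can only make the fetch succeed or
  # fail; it cannot change what Nix accepts as the result.
  outputHashMode = "recursive";
  outputHashAlgo = "sha256";
  inherit outputHash;

  # lib.fetchers.proxyImpureEnvVars already forwards http_proxy, https_proxy,
  # NIX_SSL_CERT_FILE and friends from the caller's environment. bun ignores
  # NIX_SSL_CERT_FILE and only honours NODE_EXTRA_CA_CERTS, so forward that too.
  impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "NODE_EXTRA_CA_CERTS" ];

  buildPhase = ''
    runHook preBuild
    # With NODE_EXTRA_CA_CERTS pointing at the proxy's CA bundle, GitHub
    # tarball dependencies resolve instead of failing with SELF_SIGNED_CERT_IN_CHAIN.
    bun install --frozen-lockfile
    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    cp -r node_modules "$out"
    runHook postInstall
  '';
}
```

The variable is only forwarded when set in the invoking environment (for example `NODE_EXTRA_CA_CERTS=/path/to/corp-ca.pem nix build`), and because the derivation is hash-pinned, a changed or missing bundle produces a fetch failure rather than a different accepted output.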
Linked Issues
#18407 Nix build fails behind corporate TLS proxy: bun SELF_SIGNED_CERT_IN_CHAIN
PR comments
HacknBashe
I think my opencode agent requested this review? Not sure why you were pinged, Adam, sorry.
Changed Files
nix/node_modules.nix
+3 −0