[PR #199] [MERGED] fix(nix): enable sandboxed builds with bun2nix #183

Closed
opened 2026-02-27 15:55:27 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/199
Author: @arunavo4
Created: 2/27/2026
Status: Merged
Merged: 2/27/2026
Merged by: @arunavo4

Base: main ← Head: fix/nix-sandboxed-build


📝 Commits (2)

  • cf10adc fix(nix): enable sandboxed builds with bun2nix
  • c2a853c fix(nix): create writable workdir for database access

📊 Changes

6 files changed (+3969 additions, -90 deletions)

View changed files

📝 .github/workflows/nix-build.yml (+2 -10)
📝 bun.lock (+67 -66)
➕ bun.nix (+3724 -0)
📝 flake.lock (+110 -1)
📝 flake.nix (+64 -12)
📝 package.json (+2 -1)

📄 Description

Summary

  • Integrates bun2nix to pre-fetch all npm dependencies as Nix derivations, eliminating the need for network access during build
  • Adds nanoid as an explicit dependency (was directly imported from 5 source files but only available as a transitive dep through better-auth, which breaks with bun2nix's isolated linker)
  • Copies bun cache to a writable temp location during the build phase to work around bunx/astro writing to the read-only Nix store
  • Updates CI to perform a full nix build instead of just evaluating the derivation
  • Adds bun2nix CLI to the devShell — run bun2nix -o bun.nix after changing dependencies

Closes #197

Test plan

  • [x] nix flake check passes
  • [x] nix build --print-build-logs completes successfully (verified on macOS aarch64)
  • [ ] CI builds on ubuntu-latest (sandboxed) and macos-latest

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
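The `nanoid` item in the summary describes a package that source files import directly while package.json only pulls it in transitively, which stops resolving once dependencies are linked in isolation. The following check for that condition is an added example, not code from the PR or the project; the file names, file contents and version ranges are constructed, and skipping `@/` as a path alias is an assumption.

```javascript
// Added example: report packages that source files import directly but that
// package.json does not declare (they resolve only through hoisting).

// Heuristic matcher for: from "x", import "x", import("x"), require("x").
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(["'])([^"']+)\1/g;

// Reduce an import specifier to its package name, or null if it is not a package.
function packageName(spec) {
  // Skip relative/absolute paths, scheme-style builtins (node:, bun:, astro:)
  // and the "@/" path alias (assumed convention, not taken from the project).
  if (/^(\.|\/|[a-z]+:|@\/)/.test(spec)) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// files: { path: sourceText }, manifest: parsed package.json.
function findPhantomDeps(files, manifest) {
  const fields = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  const declared = new Set(fields.flatMap((f) => Object.keys(manifest[f] ?? {})));
  const phantom = new Map(); // package name -> set of importing files
  for (const [path, source] of Object.entries(files)) {
    for (const m of source.matchAll(SPECIFIER_RE)) {
      const name = packageName(m[2]);
      if (name === null || declared.has(name)) continue;
      if (!phantom.has(name)) phantom.set(name, new Set());
      phantom.get(name).add(path);
    }
  }
  return Object.fromEntries(
    [...phantom].map(([name, paths]) => [name, [...paths].sort()])
  );
}

// Constructed sample input (hypothetical paths, contents and version ranges).
const sampleManifest = { dependencies: { "better-auth": "^1.0.0", astro: "^5.0.0" } };
const sampleFiles = {
  "src/lib/ids.ts": 'import { nanoid } from "nanoid";\nimport { db } from "./db";',
  "src/lib/auth.ts": 'import { betterAuth } from "better-auth";\nimport fs from "node:fs";',
  "src/pages/api/job.ts": 'const { nanoid } = require("nanoid");\nimport "astro/config";',
};
console.log(findPhantomDeps(sampleFiles, sampleManifest));
```

The matcher is a text heuristic, so it can also pick up specifiers inside comments or string literals; treat hits as candidates to confirm against the manifest.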
