feat(tvix/store): use reqwests' rustls-native-roots feature r/7642

This makes reqwest honor `SSL_CERT_FILE` - previously it was using the
chain bundled in webpki-roots.

`object_store` pulls in `reqwest` with this feature, and the cargo
solver will enable that feature globally as soon as we pull it in, as it
assumes features are additive.

This requires setting `SSL_CERT_FILE` when running tests, otherwise
they'll fail with the unhelpful "NotFound" error.

This was quite some fun to debug, why adding `object_store` to
tvix-castore suddenly made tvix-store tests fail!

Change-Id: I64fc82b4d994715480efdb1ffecb279716456ab9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11090
Reviewed-by: raitobezarius <tvl@lahfa.xyz>
Tested-by: BuildkiteCI

1 files changed, 4 insertions, 0 deletions

diff --git a/tvix/store/default.nix b/tvix/store/default.nix
index 35d2a22bb2ce..2c07cdf2b31f 100644
--- a/tvix/store/default.nix
+++ b/tvix/store/default.nix
@@ -24,6 +24,10 @@ in
 
 (depot.tvix.crates.workspaceMembers.tvix-store.build.override {
   runTests = true;
+  testPreRun = ''
+    export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;
+  '';
+
   # virtiofs feature currently fails to build on Darwin.
   # we however can ship it for non-darwin.
   features = if pkgs.stdenv.isDarwin then [ "default" ] else [ "default" "virtiofs" ];