From 7d52d9c5cbf68b500ef614825c187ffe0f5083b2 Mon Sep 17 00:00:00 2001
From: Antoine du Hamel <duhamelantoine1995@gmail.com>
Date: Thu, 30 Oct 2025 13:06:55 +0100
Subject: [PATCH] tools: pin OpenSSL to 3.5.4 on test-shared workflow

PR-URL: https://github.com/nodejs/node/pull/60428
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
---
 .github/workflows/test-shared.yml |  7 +++++++
 BUILDING.md                       |  6 ++++++
 shell.nix                         | 18 +++++++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test-shared.yml b/.github/workflows/test-shared.yml
index a1ab5bba2f..3d12284905 100644
--- a/.github/workflows/test-shared.yml
+++ b/.github/workflows/test-shared.yml
@@ -1,3 +1,5 @@
+# This action uses the following secrets:
+#   CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org – without it, the cache is read-only.
 name: Test Shared libraries
 
 on:
@@ -95,6 +97,11 @@ jobs:
         with:
           extra_nix_config: sandbox = true
 
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          name: nodejs
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
       - name: Configure sccache
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         with:
diff --git a/BUILDING.md b/BUILDING.md
index 292b71a3fb..569ea92722 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -270,6 +270,12 @@ direnv allow .
 make build-ci -j12
 ```
 
+Most dependencies will likely be available in the official nixpkgs cache,
+although for some dependencies we have to deviate for the upstream repository,
+in which case those will be built locally, or you can use the Cachix repository
+for the project: `cachix use nodejs`. See <https://docs.cachix.org/> for more
+information.
+
 The use of `make build-ci` is to ensure you are using the `CONFIG_FLAGS`
 environment variable. You can also specify it manually:
 
diff --git a/shell.nix b/shell.nix
index 5b66e922d1..b60bb881aa 100644
--- a/shell.nix
+++ b/shell.nix
@@ -12,7 +12,6 @@
       nghttp2
       nghttp3
       ngtcp2
-      openssl
       simdjson
       simdutf
       sqlite
@@ -21,6 +20,23 @@
       zstd
       ;
     http-parser = pkgs.llhttp;
+    openssl = pkgs.openssl.overrideAttrs (old: {
+      version = "3.5.4";
+      src = pkgs.fetchurl {
+        url = builtins.replaceStrings [ old.version ] [ "3.5.4" ] old.src.url;
+        hash = "sha256-lnMR+ElVMWlpvbHY1LmDcY70IzhjnGIexMNP3e81Xpk=";
+      };
+      doCheck = false;
+      configureFlags = (old.configureFlags or [ ]) ++ [
+        "no-docs"
+        "no-tests"
+      ];
+      outputs = [
+        "bin"
+        "out"
+        "dev"
+      ];
+    });
   },
   ccache ? pkgs.ccache,
   ninja ? pkgs.ninja,