avoid global NIXPKGS_ALLOW_INSECURE

Author: panva

.github/actions/build-shared/action.yml

@@ -58,7 +58,7 @@ runs:
       run: |
         nix-shell \
           -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
-          --pure --keep TAR_DIR --keep FLAKY_TESTS --keep NIXPKGS_ALLOW_INSECURE \
+          --pure --keep TAR_DIR --keep FLAKY_TESTS \
           --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
           --arg loadJSBuiltinsDynamically false \
           --arg useSeparateDerivationForV8 true \

.github/workflows/test-shared.yml

@@ -211,9 +211,7 @@ jobs:
     continue-on-error: ${{ matrix.openssl['continue-on-error'] }}
     env:
       OPENSSL_ATTR: ${{ matrix.openssl.attr }}
-      # Some EOL-with-extended-support cycles (e.g. 1.1.1) are marked
-      # insecure by nixpkgs' meta check and refuse to evaluate without this.
-      NIXPKGS_ALLOW_INSECURE: '1'
+      OPENSSL_VERSION: ${{ matrix.openssl.version }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -226,4 +224,7 @@ jobs:
           # Override just the `openssl` attr of the default shared-lib set with
           # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All
           # other shared libs (brotli, cares, libuv, …) keep their defaults.
-          extra-nix-args: --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/pkgs.nix {}).$OPENSSL_ATTR; }"
+          # `permittedInsecurePackages` whitelists just the matrix-selected
+          # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support
+          # cycles evaluate without relaxing nixpkgs' meta check globally.
+          extra-nix-args: --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR; }"