ci: Install gcov, nettools, cacert in nix images (#7398)

docker/check-tools.sh

@@ -10,11 +10,13 @@ cmake --version
 conan --version
 g++ --version
 gcc --version
+gcov --version
 gcovr --version
 git --version
 less --version
 make --version
 mold --version
+netstat --version
 ninja --version
 perl --version
 pkg-config --version
@@ -22,3 +24,9 @@ pre-commit --version
 python3 --version
 run-clang-tidy --help
 vim --version
+
+# A simple test to verify that git can clone a repository over HTTPS
+# (i.e. the CA bundle is wired up). Clone to a temp dir and clean up.
+tmp_clone="$(mktemp -d)"
+git clone --depth 1 https://github.com/XRPLF/actions.git "${tmp_clone}/actions"
+rm -rf "${tmp_clone}"

docker/nix.Dockerfile

@@ -47,6 +47,12 @@ COPY --from=builder /tmp/build/result /nix/ci-env
 
 ENV PATH="/nix/ci-env/bin:${PATH}"
 
+# Point HTTPS clients (git, curl, conan, ...) at the CA bundle shipped in the
+# Nix CI environment, so TLS verification works without ca-certificates being
+# installed in the system.
+ENV SSL_CERT_FILE="/nix/ci-env/etc/ssl/certs/ca-bundle.crt"
+ENV GIT_SSL_CAINFO="/nix/ci-env/etc/ssl/certs/ca-bundle.crt"
+
 # Externally-built dynamically-linked ELF binaries hard-code the loader path
 # (e.g. /lib64/ld-linux-x86-64.so.2) in their PT_INTERP header. Install it
 # from the Nix store when the base image doesn't already provide one.
@@ -65,8 +71,8 @@ if [ ! -e "${target}" ]; then
 fi
 EOF
 
-COPY docker/check-tool-versions.sh /tmp/check-tool-versions.sh
-RUN /tmp/check-tool-versions.sh
+COPY docker/check-tools.sh /tmp/check-tools.sh
+RUN /tmp/check-tools.sh
 
 # Sanity-check that the g++/clang++ are able to build binaries, including sanitizer-instrumented ones.
 COPY docker/test_files/cpp_sources/ /tmp/cpp_sources/