unit-test: convert to shell app

I saw the exit status in ci was actually ignored.

.github/workflows/test.yml

@@ -15,4 +15,4 @@ jobs:
     - name: Add keys group (needed for go tests)
       run: sudo groupadd keys
     - name: Run unit tests
-      run: nix develop .#unit-tests --command "true"
+      run: nix run .#unit-tests

flake.nix

@@ -147,13 +147,16 @@
                 nix --extra-experimental-features "nix-command flakes" hash path ./dev/private | tr -d '\n' > ./dev/private.narHash
               ''}";
             };
+            unit-tests = {
+              type = "app";
+              program = "${pkgs.callPackage ./pkgs/unit-tests.nix { }}/bin/unit-tests";
+            };
           }
         );
 
         devShells = eachSystem (
           { pkgs, ... }:
           {
-            unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix { };
             default = pkgs.callPackage ./shell.nix { };
           }
         );

pkgs/unit-tests.nix

@@ -4,30 +4,18 @@
 let
   sopsPkgs = import ../. { inherit pkgs; };
 in
-pkgs.stdenv.mkDerivation {
-  name = "env";
-  nativeBuildInputs =
-    with pkgs;
-    [
-      bashInteractive
-      gnupg
-      util-linux
-      nix
-      sopsPkgs.sops-pgp-hook-test
-    ]
-    ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
-  # allow to prefetch shell dependencies in build phase
-  dontUnpack = true;
-  installPhase = ''
-    echo $nativeBuildInputs > $out
-  '';
-  shellHook = ''
-    set -x
-    NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
-      sops-pgp-hook.test
-    ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
-      sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
-        unshare --mount --fork sops-install-secrets.test
+pkgs.writeShellApplication {
+  name = "unit-tests";
+  runtimeInputs = [
+    pkgs.gnupg
+    pkgs.nix
+  ] ++ pkgs.lib.optionals pkgs.stdenv.isLinux [
+    pkgs.util-linux
+  ];
+  text = ''
+    NIX_PATH=nixpkgs=${pkgs.path} TEST_ASSETS="$PWD/pkgs/sops-pgp-hook/test-assets" ${sopsPkgs.sops-pgp-hook-test}/bin/sops-pgp-hook.test -test.v
+    ${pkgs.lib.optionalString pkgs.stdenv.isLinux ''
+      sudo TEST_ASSETS="$PWD/pkgs/sops-install-secrets/test-assets" unshare --mount --fork ${sopsPkgs.sops-install-secrets.unittest}/bin/sops-install-secrets.test -test.v
     ''}
   '';
 }