diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
index a7f69e93..4ec5836f 100644
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -19,5 +19,5 @@ jobs:
     runs-on: native
     steps:
       - uses: actions/checkout@v4
-      - run: cd website && nix-shell --command run-tests
+      - run: cd website && nix-build -A tests
       - run: cd website && nix-build -A build
diff --git a/website/default.nix b/website/default.nix
index dc4c662e..d3fc1596 100644
--- a/website/default.nix
+++ b/website/default.nix
@@ -61,8 +61,32 @@ rec {
       ];
     };
 
-  tests = with pkgs; with lib; runCommand "run-tests" { } ''
-    touch $out
-    ${getExe nix-unit} ${./tests.nix} "$@"
-  '';
+  inherit sources pkgs;
+  tests = with pkgs; with lib;
+    let
+      source = fileset.toSource {
+        root = ./.;
+        fileset = fileset.unions [
+          ./default.nix
+          ./tests.nix
+          ./lib.nix
+          ./npins
+        ];
+      };
+    in
+    runCommand "run-tests"
+      {
+        buildInputs = [ pkgs.nix ];
+      }
+      ''
+        export HOME="$(realpath .)"
+        # HACK: nix-unit initialises its own entire Nix, so it needs a store to operate on,
+        # but since we're in a derivation, we can't fetch sources, so copy Nixpkgs manually here.
+        # `''${sources.nixpkgs}` resolves to `<hash>-source`,
+        # adding it verbatim will result in <hash'>-<hash>-source, so rename it first
+        cp -r ${sources.nixpkgs} source
+        nix-store --add --store "$HOME" source
+        ${getExe nix-unit} --gc-roots-dir "$HOME" --store "$HOME" ${source}/tests.nix "$@"
+        touch $out
+      '';
 }