Actually, adding a SHA-256 value doesn’t solve the issue at all with Hydra throwing an evaluation error when the URI is not whitelisted in the server. There’s currently an open issue, also see this thread.
I was thrown into the wrong direction by evaluating with nix build . --restrict-eval, instead of nix flake check --restrict-eval, which is the right way to evaluate with the restrict mode flag (therefore to reproduce the evaluation error in Hydra) in the example given since the input with an exotic URL (not whitelisted by the Hydra server) is used by the attribute zphinxzerverTest in checks output, through zphinxzerver, rather than the default derivation.
It is also worth mentioning that, since builtins.fetchurl is similarly allowed to only access URI’s in allowed-uris, as explained here, adding the following declaration on the outputs attribute doesn’t lead us anywhere either (it throws the exact same error in restrict mode):
bearssl-src = builtins.fetchurl {
url = "git+https://www.bearssl.org/git/BearSSL";
sha256 = "1wlaymsf3y6vglcimsgvshjpl0cgal06ka3l59r7vrigmy11zn9i";
};