chn/nixpkgs
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixpkgs.git synced 2026-01-13 03:22:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: chn:fix-boost
Branches Tags
chn:nixos-25.05 chn:nixos-25.11 chn:enhance-slurm chn:fix-bintools-wrapper chn:fix-wrapper chn:fix-slurm-2 chn:fix-slurm chn:fix-tailscale chn:nixos-unstable-2505 chn:nixos-unstable chn:fix-ctranslate2 chn:nixos-23.11 chn:update-httplib chn:fix-boost chn:nvidia chn:update-gitlfs chn:update-phonopy chn:nixos-24.11 chn:update-ovito chn:fix-hackage chn:fix-libvirt chn:next chn:fix-architecture chn:fix-phonopy chn:add-gitlfstransfer chn:fix-legion chn:nixos-24.05 chn:fix-utterly-theme chn:utterly-backup chn:utterly-debug chn:fix-nomacs chn:nixos-23.11-desktop chn:xrdp chn:nixos-23.11-old chn:nixos-23.05 chn:nixos-unstable-23.05 chn:nixos-unstable-next chn:nixos-23.05-next chn:diff chn:master chn:new-machine chn:add-more-arch chn:nixos-22.05 chn:staging-22.11 chn:staging-next-22.11 chn:haskell-updates chn:staging chn:staging-next chn:nixos-unstable-small chn:nixpkgs-unstable chn:nixos-22.11-small chn:nixpkgs-22.11-darwin chn:release-22.11 chn:nixos-22.11 chn:lanzaboote chn:upgrade/pixelfed chn:backport-231556-to-release-22.11 chn:kde-gear-23.04.1 chn:python-test-refactoring chn:backport-231190-to-release-22.11 chn:backport-206688-to-release-22.11 chn:backport-230427-to-release-22.11 chn:netboot-tests chn:backport-230037-to-release-22.11 chn:backport-229688-to-release-22.11 chn:backport-229507-to-release-22.11 chn:pr/yoda_1_9_8 chn:even-more-vulkan-updates chn:backport-229141-to-release-22.11 chn:qemu-vm/tpm chn:qemu-vm/read-efi-var chn:partition-table-qemu chn:backport-228461-to-release-22.11 chn:backport-228489-to-release-22.11 chn:nixos-22.05-aarch64 chn:nixos-22.05-small chn:nixpkgs-22.05-darwin chn:release-22.05 chn:make-disk-image/no-nix-store chn:angelfish-fix chn:backport-227646-to-release-22.11 chn:backport-227331-to-release-22.11 chn:backport-227448-to-release-22.11 chn:revert-227360-paperwm-bump chn:pr/texlive_texinfo_fix_hash chn:backport-216987-to-release-22.11 chn:backport-224094-to-release-22.11 chn:backport-225322-to-release-22.11 chn:pr/hepmc3_3_2_6 chn:backport-223455-to-release-22.11 chn:bump-llvm-latest chn:revert-215109-gnupg-libgcrypt-lts chn:revert-224746-asciify-message chn:kf5-5.105 chn:r-updates chn:backport-224069-to-staging-22.11 chn:backport-205134-to-release-22.11 chn:jtojnar/deps-nd-fix chn:pr/pymoo_0_6_0_1 chn:pr/root_6_28_00 chn:rustc chn:backport-217366-to-release-22.11 chn:bye-dpi chn:ory-hydra chn:sniproxy-update chn:diffoscope-unfree chn:python-updates chn:release-21.11 chn:llvm16 chn:backport-217341-to-release-22.11 chn:backport-206105-to-release-22.11 chn:backport-217578-to-release-22.11 chn:gokrazy-rsync chn:hass-onboarding chn:sudo-by-default chn:backport-216643-to-release-22.11 chn:balsoft/add-gnss-share chn:system chn:balsoft/add-qmlkonsole chn:pr/libredirect_system_test chn:backport-216167-to-release-22.11 chn:backport-215928-to-release-22.11 chn:isAarchDarwin chn:samuela/apache-beam chn:upd/openssh-92 chn:backport-213424-to-release-22.11 chn:backport-208549-to-release-22.11 chn:backport-213196-to-release-22.11 chn:backport-212206-to-release-22.11 chn:llvm15-wip chn:plasma-5.27 chn:backport-209550-to-release-22.11 chn:uri-canva-patch-1 chn:backport-209919-to-release-22.11 chn:pr/dask-awkward chn:qt-5.15.8 chn:backport-209022-to-release-22.11 chn:staging-22.05 chn:staging-next-22.05 chn:garage-multiple-versions chn:domenkozar-patch-1 chn:backport-199069-to-release-22.11 chn:auto-update/python3.10-autofaiss chn:pixelfed-module chn:simplified-qemu-boot-disks chn:backport-205765-to-release-22.11 chn:qemu-smm chn:backport-206912-to-release-22.11 chn:backport-205900-to-release-22.11 chn:backport-201949-to-release-22.11 chn:backport-203874-to-release-22.11 chn:backport-201203-to-release-22.11 chn:backport-140890-to-release-22.11 chn:upvote-convention chn:backport-189935-to-release-22.11 chn:backport-202314-to-release-22.11 chn:backport-202767-to-release-22.11 chn:backport-201875-to-release-22.11 chn:ibus-no-force-gtk-im chn:wip/jtojnar/account-service-util-nogui chn:pr/xrootd_rpath chn:clipboard-inspector chn:upd8n chn:kpackage-fix chn:balsoft/nuitka-update-1.1.5 chn:python-test-refactoring-baseline chn:direnv-module chn:emacs-manual-remove-absolute-paths chn:staging-python chn:nixos-21.05 chn:nixos-21.05-aarch64 chn:nixos-21.05-small chn:nixpkgs-21.05-darwin chn:release-21.05 chn:nixos-21.11 chn:nixos-21.11-aarch64 chn:nixos-21.11-small chn:nixpkgs-21.11-darwin chn:staging-21.11 chn:staging-next-21.11 chn:nixos-test-staging chn:nixos-test-staging-baseline chn:miniaudicle-gcc-10 chn:mkcue-gcc10 chn:staging-21.05 chn:staging-next-21.05 chn:release-19.03 chn:release-19.09 chn:release-20.03 chn:nixos-20.09-small chn:nixpkgs-20.09-darwin chn:release-20.09 chn:grahamc-patch-3 chn:rpi-cm4-support chn:grahamc-patch-2 chn:ghcHEAD-update chn:default-parameters chn:init-ueforth chn:mmahut/prometheus-nginx-exporter chn:nixos-20.09 chn:staging-20.09 chn:nixos-20.09-aarch64 chn:grahamc-patch-1 chn:structured-attrs chn:nixos-20.03 chn:nixos-20.03-small chn:nixpkgs-20.03-darwin chn:staging-20.03 chn:systemd-lib-reintroduce chn:nixos-19.09 chn:nixos-19.09-small chn:nixpkgs-19.09-darwin chn:gnome-20.03 chn:staging-patchelf chn:staging-19.09 chn:release-18.03 chn:release-18.09 chn:nixos-19.03 chn:nixos-19.03-small chn:nixpkgs-19.03-darwin chn:staging-19.03 chn:nixpkgs-18.09-darwin chn:kevincox-openarena-server chn:nixos-18.09 chn:nixos-18.09-small chn:staging-18.09 chn:release-17.09 chn:release-18.09-firefox64 chn:staging-18.03 chn:docs-all-packages chn:unstable-aarch64 chn:release-17.03 chn:release-16.09 chn:release-15.09 chn:release-16.03 chn:nixpart chn:release-14.12 chn:release-14.04 chn:release-13.10 chn:staging.patchShebangs chn:0.5-stable
chn:22.11 chn:23.05-pre chn:22.11-beta chn:22.05 chn:22.05-beta chn:21.11 chn:22.05-pre chn:21.11-beta chn:21.05 chn:21.11-pre chn:21.05-beta chn:20.09 chn:20.09-beta chn:20.09-alpha chn:20.03 chn:20.03-beta chn:19.09 chn:19.09-beta chn:19.03 chn:19.03-beta chn:18.09 chn:18.09-beta chn:18.03 chn:18.03-beta chn:17.09 chn:17.09-beta chn:17.03 chn:17.03-beta chn:16.09 chn:16.09-beta chn:black@2016-09-01 chn:black@2016-08-31 chn:black@2016-06-02 chn:black@2016-05-13 chn:release-16.03-start chn:16.03 chn:16.03-beta chn:v208 chn:v206 chn:15.09-beta chn:15.09 chn:v192 chn:last-glibc-2.13 chn:binary chn:0.14 chn:backups/stdenv-updates@34093 chn:backups/kmod-no-lib-modules@34172 chn:backups/glib-2.30-take2@33502 chn:backups/kmod-MODULE_DIR@33576 chn:backups/stdenv-updates@32824 chn:backups/libpng15@32782 chn:backups/glib-2.30@32938 chn:backups/darwin-without-xcode@34172 chn:backups/drop-kde4.5@30929 chn:backups/multiple-outputs-sandbox@34172 chn:backups/pure-python@34174 chn:backups/darwin-updates@34176 chn:backups/udev-173@28837 chn:backups/kde-4.7@34170 chn:backups/stdenv-ada@26758 chn:backups/modular-python@26697 chn:backups/x-updates@26704 chn:backups/cve-2010-3856@34170 chn:backups/stdenv-bootstrap-20100825@23426 chn:backups/parallel-building-merger@34171 chn:backups/x-updates@22736 chn:backups/multitask-builds@34175 chn:backups/mass-update-01@31456 chn:backups/stdenv-updates@19858 chn:0.13 chn:backups/kernel-config@19023 chn:backups/x86_64-darwin@34171 chn:backups/stdenv-updates2@18282 chn:backups/stdenv-updates2@18273 chn:backups/stdenv-updates@18281 chn:backups/xorg-7.5@18179 chn:backups/armv5tel-linux@18007 chn:backups/stdenv-updates@15332 chn:backups/0.12-release@15293 chn:0.12 chn:backups/stdenv-updates@12144 chn:backups/stdenv-updates-merge@10849 chn:backups/master@10848 chn:backups/stdenv-updates@10965 chn:backups/0.11-release@9315 chn:0.11 chn:0.10 chn:backups/0.10-release@6725 chn:backups/usability@34170 chn:0.9 chn:backups/0.9-release@4651 chn:0.8 chn:backups/0.8-release@2530 chn:0.7 chn:backups/0.7-release@2398 chn:backups/one-click@2549 chn:backups/nixos-pkgs@34170 chn:backups/0.6-release@1775 chn:0.6 chn:backups/martin2@34171 chn:backups/0.5.1-release@996 chn:0.5.1 chn:backups/0.5-stable@34171 chn:0.5 chn:backups/0.5-release@989 chn:backups/martin@828 chn:0.4 chn:backups/logistics@34171 chn:0.3 chn:0.2 chn:backups/freebsd-losser@34171 chn:0.1 chn:backups/master@59
..
compare: chn:fix-hackage
Branches Tags
chn:nixos-25.11 chn:enhance-slurm chn:fix-bintools-wrapper chn:fix-wrapper chn:fix-slurm-2 chn:fix-slurm chn:fix-tailscale chn:nixos-unstable-2505 chn:nixos-unstable chn:fix-ctranslate2 chn:nixos-23.11 chn:nixos-25.05 chn:update-httplib chn:fix-boost chn:nvidia chn:update-gitlfs chn:update-phonopy chn:nixos-24.11 chn:update-ovito chn:fix-hackage chn:fix-libvirt chn:next chn:fix-architecture chn:fix-phonopy chn:add-gitlfstransfer chn:fix-legion chn:nixos-24.05 chn:fix-utterly-theme chn:utterly-backup chn:utterly-debug chn:fix-nomacs chn:nixos-23.11-desktop chn:xrdp chn:nixos-23.11-old chn:nixos-23.05 chn:nixos-unstable-23.05 chn:nixos-unstable-next chn:nixos-23.05-next chn:diff chn:master chn:new-machine chn:add-more-arch chn:nixos-22.05 chn:staging-22.11 chn:staging-next-22.11 chn:haskell-updates chn:staging chn:staging-next chn:nixos-unstable-small chn:nixpkgs-unstable chn:nixos-22.11-small chn:nixpkgs-22.11-darwin chn:release-22.11 chn:nixos-22.11 chn:lanzaboote chn:upgrade/pixelfed chn:backport-231556-to-release-22.11 chn:kde-gear-23.04.1 chn:python-test-refactoring chn:backport-231190-to-release-22.11 chn:backport-206688-to-release-22.11 chn:backport-230427-to-release-22.11 chn:netboot-tests chn:backport-230037-to-release-22.11 chn:backport-229688-to-release-22.11 chn:backport-229507-to-release-22.11 chn:pr/yoda_1_9_8 chn:even-more-vulkan-updates chn:backport-229141-to-release-22.11 chn:qemu-vm/tpm chn:qemu-vm/read-efi-var chn:partition-table-qemu chn:backport-228461-to-release-22.11 chn:backport-228489-to-release-22.11 chn:nixos-22.05-aarch64 chn:nixos-22.05-small chn:nixpkgs-22.05-darwin chn:release-22.05 chn:make-disk-image/no-nix-store chn:angelfish-fix chn:backport-227646-to-release-22.11 chn:backport-227331-to-release-22.11 chn:backport-227448-to-release-22.11 chn:revert-227360-paperwm-bump chn:pr/texlive_texinfo_fix_hash chn:backport-216987-to-release-22.11 chn:backport-224094-to-release-22.11 chn:backport-225322-to-release-22.11 chn:pr/hepmc3_3_2_6 chn:backport-223455-to-release-22.11 chn:bump-llvm-latest chn:revert-215109-gnupg-libgcrypt-lts chn:revert-224746-asciify-message chn:kf5-5.105 chn:r-updates chn:backport-224069-to-staging-22.11 chn:backport-205134-to-release-22.11 chn:jtojnar/deps-nd-fix chn:pr/pymoo_0_6_0_1 chn:pr/root_6_28_00 chn:rustc chn:backport-217366-to-release-22.11 chn:bye-dpi chn:ory-hydra chn:sniproxy-update chn:diffoscope-unfree chn:python-updates chn:release-21.11 chn:llvm16 chn:backport-217341-to-release-22.11 chn:backport-206105-to-release-22.11 chn:backport-217578-to-release-22.11 chn:gokrazy-rsync chn:hass-onboarding chn:sudo-by-default chn:backport-216643-to-release-22.11 chn:balsoft/add-gnss-share chn:system chn:balsoft/add-qmlkonsole chn:pr/libredirect_system_test chn:backport-216167-to-release-22.11 chn:backport-215928-to-release-22.11 chn:isAarchDarwin chn:samuela/apache-beam chn:upd/openssh-92 chn:backport-213424-to-release-22.11 chn:backport-208549-to-release-22.11 chn:backport-213196-to-release-22.11 chn:backport-212206-to-release-22.11 chn:llvm15-wip chn:plasma-5.27 chn:backport-209550-to-release-22.11 chn:uri-canva-patch-1 chn:backport-209919-to-release-22.11 chn:pr/dask-awkward chn:qt-5.15.8 chn:backport-209022-to-release-22.11 chn:staging-22.05 chn:staging-next-22.05 chn:garage-multiple-versions chn:domenkozar-patch-1 chn:backport-199069-to-release-22.11 chn:auto-update/python3.10-autofaiss chn:pixelfed-module chn:simplified-qemu-boot-disks chn:backport-205765-to-release-22.11 chn:qemu-smm chn:backport-206912-to-release-22.11 chn:backport-205900-to-release-22.11 chn:backport-201949-to-release-22.11 chn:backport-203874-to-release-22.11 chn:backport-201203-to-release-22.11 chn:backport-140890-to-release-22.11 chn:upvote-convention chn:backport-189935-to-release-22.11 chn:backport-202314-to-release-22.11 chn:backport-202767-to-release-22.11 chn:backport-201875-to-release-22.11 chn:ibus-no-force-gtk-im chn:wip/jtojnar/account-service-util-nogui chn:pr/xrootd_rpath chn:clipboard-inspector chn:upd8n chn:kpackage-fix chn:balsoft/nuitka-update-1.1.5 chn:python-test-refactoring-baseline chn:direnv-module chn:emacs-manual-remove-absolute-paths chn:staging-python chn:nixos-21.05 chn:nixos-21.05-aarch64 chn:nixos-21.05-small chn:nixpkgs-21.05-darwin chn:release-21.05 chn:nixos-21.11 chn:nixos-21.11-aarch64 chn:nixos-21.11-small chn:nixpkgs-21.11-darwin chn:staging-21.11 chn:staging-next-21.11 chn:nixos-test-staging chn:nixos-test-staging-baseline chn:miniaudicle-gcc-10 chn:mkcue-gcc10 chn:staging-21.05 chn:staging-next-21.05 chn:release-19.03 chn:release-19.09 chn:release-20.03 chn:nixos-20.09-small chn:nixpkgs-20.09-darwin chn:release-20.09 chn:grahamc-patch-3 chn:rpi-cm4-support chn:grahamc-patch-2 chn:ghcHEAD-update chn:default-parameters chn:init-ueforth chn:mmahut/prometheus-nginx-exporter chn:nixos-20.09 chn:staging-20.09 chn:nixos-20.09-aarch64 chn:grahamc-patch-1 chn:structured-attrs chn:nixos-20.03 chn:nixos-20.03-small chn:nixpkgs-20.03-darwin chn:staging-20.03 chn:systemd-lib-reintroduce chn:nixos-19.09 chn:nixos-19.09-small chn:nixpkgs-19.09-darwin chn:gnome-20.03 chn:staging-patchelf chn:staging-19.09 chn:release-18.03 chn:release-18.09 chn:nixos-19.03 chn:nixos-19.03-small chn:nixpkgs-19.03-darwin chn:staging-19.03 chn:nixpkgs-18.09-darwin chn:kevincox-openarena-server chn:nixos-18.09 chn:nixos-18.09-small chn:staging-18.09 chn:release-17.09 chn:release-18.09-firefox64 chn:staging-18.03 chn:docs-all-packages chn:unstable-aarch64 chn:release-17.03 chn:release-16.09 chn:release-15.09 chn:release-16.03 chn:nixpart chn:release-14.12 chn:release-14.04 chn:release-13.10 chn:staging.patchShebangs chn:0.5-stable
chn:22.11 chn:23.05-pre chn:22.11-beta chn:22.05 chn:22.05-beta chn:21.11 chn:22.05-pre chn:21.11-beta chn:21.05 chn:21.11-pre chn:21.05-beta chn:20.09 chn:20.09-beta chn:20.09-alpha chn:20.03 chn:20.03-beta chn:19.09 chn:19.09-beta chn:19.03 chn:19.03-beta chn:18.09 chn:18.09-beta chn:18.03 chn:18.03-beta chn:17.09 chn:17.09-beta chn:17.03 chn:17.03-beta chn:16.09 chn:16.09-beta chn:black@2016-09-01 chn:black@2016-08-31 chn:black@2016-06-02 chn:black@2016-05-13 chn:release-16.03-start chn:16.03 chn:16.03-beta chn:v208 chn:v206 chn:15.09-beta chn:15.09 chn:v192 chn:last-glibc-2.13 chn:binary chn:0.14 chn:backups/stdenv-updates@34093 chn:backups/kmod-no-lib-modules@34172 chn:backups/glib-2.30-take2@33502 chn:backups/kmod-MODULE_DIR@33576 chn:backups/stdenv-updates@32824 chn:backups/libpng15@32782 chn:backups/glib-2.30@32938 chn:backups/darwin-without-xcode@34172 chn:backups/drop-kde4.5@30929 chn:backups/multiple-outputs-sandbox@34172 chn:backups/pure-python@34174 chn:backups/darwin-updates@34176 chn:backups/udev-173@28837 chn:backups/kde-4.7@34170 chn:backups/stdenv-ada@26758 chn:backups/modular-python@26697 chn:backups/x-updates@26704 chn:backups/cve-2010-3856@34170 chn:backups/stdenv-bootstrap-20100825@23426 chn:backups/parallel-building-merger@34171 chn:backups/x-updates@22736 chn:backups/multitask-builds@34175 chn:backups/mass-update-01@31456 chn:backups/stdenv-updates@19858 chn:0.13 chn:backups/kernel-config@19023 chn:backups/x86_64-darwin@34171 chn:backups/stdenv-updates2@18282 chn:backups/stdenv-updates2@18273 chn:backups/stdenv-updates@18281 chn:backups/xorg-7.5@18179 chn:backups/armv5tel-linux@18007 chn:backups/stdenv-updates@15332 chn:backups/0.12-release@15293 chn:0.12 chn:backups/stdenv-updates@12144 chn:backups/stdenv-updates-merge@10849 chn:backups/master@10848 chn:backups/stdenv-updates@10965 chn:backups/0.11-release@9315 chn:0.11 chn:0.10 chn:backups/0.10-release@6725 chn:backups/usability@34170 chn:0.9 chn:backups/0.9-release@4651 chn:0.8 chn:backups/0.8-release@2530 chn:0.7 chn:backups/0.7-release@2398 chn:backups/one-click@2549 chn:backups/nixos-pkgs@34170 chn:backups/0.6-release@1775 chn:0.6 chn:backups/martin2@34171 chn:backups/0.5.1-release@996 chn:0.5.1 chn:backups/0.5-stable@34171 chn:0.5 chn:backups/0.5-release@989 chn:backups/martin@828 chn:0.4 chn:backups/logistics@34171 chn:0.3 chn:0.2 chn:backups/freebsd-losser@34171 chn:0.1 chn:backups/master@59

1 Commits
fix-boost ... fix-hackag

Author SHA1 Message Date
chn
12fbbac878 fix hackage 2025-02-16 17:41:48 +08:00
31215 changed files with 1780690 additions and 2020075 deletions
Expand all files Collapse all files

11
.devcontainer/devcontainer.json
View File

@@ -5,24 +5,17 @@
"ghcr.io/devcontainers/features/nix:1": {
// fails in the devcontainer sandbox, enable sandbox via config instead
"multiUser": false,
"packages": "nixpkgs.nixd,nixpkgs.nixfmt-rfc-style",
"useAttributePath": true,
"packages": "nixd,nixfmt-unstable",
"extraNixConfig": "experimental-features = nix-command flakes,sandbox = true"
}
},
// Fixup permissions inside container.
// https://github.com/NixOS/nix/issues/6680#issuecomment-1230902525
"postCreateCommand": "sudo apt-get install -y acl",
"postStartCommand": "sudo setfacl -k /tmp; if [ -e /dev/kvm ]; then sudo chgrp $(id -g) /dev/kvm; fi",
"customizations": {
"vscode": {
"extensions": [
"jnoortheen.nix-ide"
],
"settings": {
"[nix]": {
"editor.formatOnSave": true
},
"nix.formatterPath": "nixfmt-rfc-style",
"nix.enableLanguageServer": true,
"nix.serverPath": "nixd"
}

57
.editorconfig
View File

@@ -24,7 +24,7 @@ insert_final_newline = false
# see https://nixos.org/nixpkgs/manual/#chap-conventions
# Match json/lockfiles/markdown/nix/perl/python/ruby/shell/docbook files, set indent to spaces
[*.{bash,js,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
[*.{bash,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
indent_style = space
# Match docbook files, set indent width of one
@@ -32,15 +32,11 @@ indent_style = space
indent_size = 1
# Match json/lockfiles/markdown/nix/ruby files, set indent width of two
[*.{js,json,lock,md,nix,rb}]
[*.{json,lock,md,nix,rb}]
indent_size = 2
# Match all the Bash code in Nix files, set indent width of two
[*.{bash,sh}]
indent_size = 2
# Match Perl and Python scripts, set indent width of four
[*.{pl,pm,py}]
# Match perl/python/shell scripts, set indent width of four
[*.{bash,pl,pm,py,sh}]
indent_size = 4
# Match gemfiles, set indent to spaces with width of two
@@ -48,10 +44,9 @@ indent_size = 4
indent_size = 2
indent_style = space
# Match package.json and package-lock.json, which are generally pulled from upstream and accept them as they are
[package{,-lock}.json]
# Match package.json, which are generally pulled from upstream and accept them as they are
[package.json]
indent_style = unset
insert_final_newline = unset
# Disable file types or individual files
# some of these files may be auto-generated and/or require significant changes
@@ -86,10 +81,42 @@ charset = unset
[eggs.nix]
trim_trailing_whitespace = unset
[registry.dat]
[nixos/modules/services/networking/ircd-hybrid/*.{conf,in}]
trim_trailing_whitespace = unset
[pkgs/build-support/dotnetenv/Wrapper/**]
end_of_line = unset
indent_style = unset
insert_final_newline = unset
trim_trailing_whitespace = unset
[pkgs/development/compilers/elm/registry.dat]
end_of_line = unset
insert_final_newline = unset
# Keep this hint at the bottom:
# Please don't add entries for subfolders here.
# Create <subfolder>/.editorconfig instead.
[pkgs/development/haskell-modules/hackage-packages.nix]
indent_style = unset
trim_trailing_whitespace = unset
[pkgs/misc/documentation-highlighter/**]
insert_final_newline = unset
[pkgs/servers/dict/wordnet_structures.py]
trim_trailing_whitespace = unset
[pkgs/tools/misc/timidity/timidity.cfg]
trim_trailing_whitespace = unset
[pkgs/tools/virtualization/ovftool/*.ova]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset
charset = unset
[lib/tests/*.plist]
indent_style = tab
insert_final_newline = unset
[pkgs/kde/generated/**]
insert_final_newline = unset
end_of_line = unset

56
.git-blame-ignore-revs
View File

@@ -193,9 +193,6 @@ cffc27daf06c77c0d76bc35d24b929cb9d68c3c9
# nixos/kanidm: inherit lib, nixfmt
8f18393d380079904d072007fb19dc64baef0a3a
# fetchhg: format after refactoring with lib.extendMkDerivation and make overridable (#423539)
34a5b1eb23129f8fb62c677e3760903f6d43228f
# fetchurl: nixfmt-rfc-style
ce21e97a1f20dee15da85c084f9d1148d84f853b
@@ -232,56 +229,3 @@ adb9714bd909df283c66bbd641bd631ff50a4260
# tmuxPlugins sha-to-sri.py script
516b1e74c358a9c4b06e5591f8c1a2897aad0c33
# treewide: migrate comments in lib to rfc145 style
ef85e0daa092c9eae0d32c7ce16b889728a5fbc0
d89ad6c70e0e89aaae75e9f886878ea4e103965a
e0fe216f4912dd88a021d12a44155fd2cfeb31c8
80d5b411f6397d5c3e755a0635d95742f76f3c75
# nixos/movim: format with nixfmt-rfc-style
43c1654cae47cbf987cb63758c06245fa95c1e3b
# nixos/iso-image.nix: nixfmt
da9a092c34cef6947d7aee2b134f61df45171631
# python-packages: format with nixfmt-rfc-style
5f6f5e13ae0b6960cbf1be8aeb3d0048285a08d1
# python-packages: sort with keep-sorted
fd14c067813572afc03ddbf7cdedc3eab5a59954
783add849cbca228a36ffdf407e5d380dc2fe6c4
# treewide format of all Nix files
374e6bcc403e02a35e07b650463c01a52b13a7c8 # !autorebase nix-shell --run treefmt
# nix: nixfmt-rfc-style
a4f7e161b380b35b2f7bc432659a95fd71254ad8
0812c9a321003c924868051d2b2e1934e8880f3f
34f269c14ac18d89ddee9a8f54b1ca92a85bbcc6
062c34cdace499aa44f0fa6ca6f2ca71769f6c43
# haskellPackages.hercules-ci-agent (cabal2nix -> nixfmt-rfc-style)
9314da7ee8d2aedfb15193b8c489da51efe52bb5
# nix-builder-vm: nixfmt-rfc-style
a034fb50f79816c6738fb48b48503b09ea3b0132
# treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
05580f4b4433fda48fff30f60dfd303d6ee05d21
# nixos/redmine: Get rid of global lib expansions
d7f1102f04c58b2edfc74c9a1d577e3aebfca775
# **/README.md: one sentence per line
3d505c03610b6102af6d870ae3506a151cef1f68
60e35e4ded6e91524364a74b3b4ec233ed9321f2
99f2e655d9db009ee0b4ede3edced5f6c882c7f4
b4532efe93882ae2e3fc579929a42a5a56544146
# emacs: keep elpa/nongnu/melpa package overrides sorted
9f2faf683ed48704aa17f693208a13aa64e22181
# nixfmt 1.0.0
62fe01651911043bd3db0add920af3d2935d9869 # !autorebase nix-shell --run treefmt
5a0711127cd8b916c3d3128f473388c8c79df0da # !autorebase nix-shell --run treefmt

21
.github/ISSUE_TEMPLATE/01_bug_report.yml vendored
View File

@@ -9,9 +9,9 @@ body:
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
@@ -20,9 +20,7 @@ body:
> [!TIP]
> For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on ARM Linux, your title would be as follows:
> ```
> hello: fails to launch on aarch64-linux
> ```
> `hello: fails to launch on aarch64-linux`
---
- type: "dropdown"
@@ -32,11 +30,13 @@ body:
description: |
What version of Nixpkgs are you using?
If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
> [!IMPORTANT]
> If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
options:
- "Please select a version."
- "- Unstable (25.11)"
- "- Stable (25.05)"
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
@@ -100,8 +100,7 @@ body:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
value: |
---

21
.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml vendored
View File

@@ -9,9 +9,9 @@ body:
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
@@ -20,9 +20,7 @@ body:
> [!TIP]
> For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on Apple Silicon, your title would be as follows:
> ```
> hello: fails to launch on aarch64-darwin
> ```
> `hello: fails to launch on aarch64-darwin`
---
- type: "dropdown"
@@ -32,11 +30,13 @@ body:
description: |
What version of Nixpkgs are you using?
If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
> [!IMPORTANT]
> If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
options:
- "Please select a version."
- "- Unstable (25.11)"
- "- Stable (25.05)"
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
@@ -114,8 +114,7 @@ body:
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
If this issue is related to the Darwin packaging architecture as a whole, or is related to the core Darwin frameworks, consider mentioning the `@NixOS/darwin-core` team.
value: |2
value: |
---

21
.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml vendored
View File

@@ -9,9 +9,9 @@ body:
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
@@ -20,9 +20,7 @@ body:
> [!TIP]
> For instance, if you were filing a bug against the [`systemd-boot`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.enable&from=0&size=1) module about it failing to install [`memtest86`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.memtest86.enable&from=0&size=1), your title would be as follows:
> ```
> nixos/systemd-boot: fails to install memtest86
> ```
> `nixos/systemd-boot: fails to install memtest86`
---
- type: "dropdown"
@@ -32,11 +30,13 @@ body:
description: |
What version of Nixpkgs are you using?
If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
> [!IMPORTANT]
> If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
options:
- "Please select a version."
- "- Unstable (25.11)"
- "- Stable (25.05)"
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
@@ -104,8 +104,7 @@ body:
Please note that the maintainer attribute name does not always match the maintainer's GitHub username. If that occurs, try looking in [`maintainers/maintainer-list.nix`](https://github.com/NixOS/nixpkgs/blob/master/maintainers/maintainer-list.nix) for the maintainer attribute name, and checking if the maintainer has a listed GitHub username.
If in doubt, check `git blame` for whoever last touched the module, or check the associated package's maintainers. Please add the mentions above the `---` characters.
value: |2
value: |
---

26
.github/ISSUE_TEMPLATE/04_build_failure.yml vendored
View File

@@ -9,9 +9,9 @@ body:
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
@@ -20,9 +20,7 @@ body:
> [!TIP]
> For instance, if you were filing a build failure against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package, your title would be as follows:
> ```
> Build failure: hello
> ```
> `Build failure: hello`
---
- type: "dropdown"
@@ -32,13 +30,14 @@ body:
description: |
In what version of Nixpkgs did the build failure occur?
If you are using an older version, please update to the latest stable version and check if the build failure persists before continuing this report.
If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
> [!IMPORTANT]
> If you are using an older version, please update to the latest stable version and check if the build failure persists before continuing this report.
> If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
options:
- "Please select a version."
- "- Unstable (25.11)"
- "- Stable (25.05)"
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
@@ -62,14 +61,12 @@ body:
You can still open a build failure report, but please say '**No, Hydra cannot reproduce this build failure.**' below.
- If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-question-2754.svg" width="20px" align="top" alt="Gray Question Mark"> icon near the package entry, say '**Hydra is currently rebuilding this package.**'
- If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-stopsign-1f6d1.svg" width="20px" align="top" alt="Red Stop Sign"> icon near the package entry, then the build job was stopped manually. If this occurs, please coordinate with the [Infrastructure Team](https://matrix.to/#/#infra:nixos.org), and say '**The last build job was manually cancelled.**'
- If Hydra isn't supposed to build the package at all, say '**Hydra doesnt try to build the package.**'
options:
- "Please select the Hydra Status."
- "Yes, Hydra can reproduce this build failure."
- "No, Hydra cannot reproduce this build failure."
- "Hydra is currently rebuilding this package."
- "The last build job was manually cancelled."
- "Hydra doesnt try to build the package."
default: 0
validations:
required: true
@@ -110,8 +107,7 @@ body:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
value: |
---

127
.github/ISSUE_TEMPLATE/05_package_request.yml vendored Normal file
View File

@@ -0,0 +1,127 @@
name: "Request: new package"
description: "Create a package request for software that is not yet included in Nixpkgs."
title: "Package request: PACKAGENAME"
labels: ["0.kind: enhancement", "0.kind: packaging request", "9.needs: package (new)"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Package request: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
> [!TIP]
> For instance, if you were filing a request against the missing `hello` package, your title would be as follows:
> `Package request: hello`
---
- type: "dropdown"
id: "version"
attributes:
label: "Nixpkgs version"
description: |
What version of Nixpkgs are you using?
> [!IMPORTANT]
> If you are using an older or stable version, please update to the latest **unstable** version and check if the package still does not exist before continuing this request.
options:
- "Please select a version."
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
- type: "textarea"
id: "description"
attributes:
label: "Describe the package"
description: "Please include a clear and concise description of what the package is."
validations:
required: true
- type: "input"
id: "homepage"
attributes:
label: "Upstream homepage"
description: "Please copy and paste a link to the package's homepage. Leave this field blank if there is no upstream homepage."
validations:
required: false
- type: "input"
id: "source"
attributes:
label: "Source URL"
description: "Please copy and paste a link to the package's source code or binary download page."
validations:
required: true
- type: "input"
id: "license"
attributes:
label: "License"
description: "Please indicate the package's license. If the package has no license, or the source code is not public, please indicate the package is `unfree`."
validations:
required: true
- type: "dropdown"
id: "platforms"
attributes:
label: "Platforms"
description: "Please indicate the platforms this package compiles for. `darwin` refers to macOS. `Exotic` refers to uncommon platforms like RISC-V or 32-bit ARM; please mention in the 'Additional Context' section below if this package is supposed to compile for such exotic platforms."
multiple: true
options:
- "x86_64-linux"
- "aarch64-linux"
- "x86_64-darwin"
- "aarch64-darwin"
- "Exotic"
validations:
required: true
- type: "textarea"
id: "additional-context"
attributes:
label: "Additional context"
description: "Add any other context about the proposed module here."
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this package does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+package+%28new%29%22) or in [Nixpkgs Unstable](https://search.nixos.org/packages?channel=unstable)."
required: true
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%220.kind%3A+packaging+request%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "For this package's maintainers:"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction and also reminds them to tag this issue in their pull requests.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
---
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

126
.github/ISSUE_TEMPLATE/05_update_request.yml vendored
View File

@@ -1,126 +0,0 @@
name: "Request: package update"
description: "Create an update request for an existing, but outdated package."
title: "Update Request: PACKAGENAME OLDVERSION → NEWVERSION"
labels: ["0.kind: enhancement", "9.needs: package (update)"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Update Request: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package, and the latest version of the package.
> [!TIP]
> For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs is 1.0.0, but the latest version upstream is 1.0.1, your title would be as follows:
> ```
> Update Request: hello 1.0.0 → 1.0.1
> ```
---
- type: "dropdown"
id: "version"
attributes:
label: "Nixpkgs version"
description: |
What version of Nixpkgs are you using?
If you are using an older or stable version, please update to the latest **unstable** version and check if the package is still out of date.
If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
options:
- "Please select a version."
- "- Unstable (25.11)"
- "- Stable (25.05)"
default: 0
validations:
required: true
- type: "input"
id: "name"
attributes:
label: "Package name"
description: "Please indicate the name of the package."
validations:
required: true
- type: "input"
id: "upstream-version"
attributes:
label: "Upstream version"
description: "Please indicate the latest version of the package."
validations:
required: true
- type: "input"
id: "nixpkgs-version"
attributes:
label: "Nixpkgs version"
description: |
Please indicate the current version number in Nixpkgs' **unstable** channel. You can check this by setting the [NixOS Package Search](https://search.nixos.org/packages?channel=unstable) channel to 'unstable' and searching for the package.
If you meant to request an upgrade in the stable channel, please file the '**Request: backport to stable**' form instead.
validations:
required: true
- type: "input"
id: "changelog"
attributes:
label: "Changelog"
description: "If applicable, please link the upstream changelog for the latest version."
validations:
required: false
- type: "textarea"
id: "additional-context"
attributes:
label: "Additional context"
description: "Add any other context about the update here."
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this package update does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+package+%28update%29%22) or in [Nixpkgs Unstable](https://search.nixos.org/packages?channel=unstable)."
required: true
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+package+%28update%29%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

101
.github/ISSUE_TEMPLATE/06_module_request.yml vendored
View File

@@ -1,101 +0,0 @@
name: "Request: NixOS module"
description: "Create a new NixOS Module request for an existing package."
title: "Module Request: nixos/MODULENAME"
labels: ["0.kind: enhancement", "6.topic: nixos", "9.needs: module (new)"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Module Request: nixos/MODULENAME`** template above with the correct module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
> [!TIP]
> For instance, if you were filing a request against the missing `hello` module, your title would be as follows:
> ```
> Module Request: nixos/hello
> ```
---
- type: "dropdown"
id: "version"
attributes:
label: "Nixpkgs version"
description: |
What version of Nixpkgs are you using?
If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
options:
- "Please select a version."
- "- Unstable (25.11)"
- "- Stable (25.05)"
default: 0
validations:
required: true
- type: "textarea"
id: "description"
attributes:
label: "Describe the proposed module"
description: "Please include a clear and concise description of what the module should accomplish."
validations:
required: true
- type: "textarea"
id: "additional-context"
attributes:
label: "Additional context"
description: "Add any other context about the proposed module here."
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this module does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+module+%28new%29%22) or in [NixOS Unstable](https://search.nixos.org/options?channel=unstable)."
required: true
- label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+module+%28new%29%22). "
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve NixOS!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

120
.github/ISSUE_TEMPLATE/06_update_request.yml vendored Normal file
View File

@@ -0,0 +1,120 @@
name: "Request: package update"
description: "Create an update request for an existing, but outdated package."
title: "Update Request: PACKAGENAME OLDVERSION → NEWVERSION"
labels: ["0.kind: enhancement", "9.needs: package (update)"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Update Request: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package, and the latest version of the package.
> [!TIP]
> For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs is 1.0.0, but the latest version upstream is 1.0.1, your title would be as follows:
> `Update Request: hello 1.0.0 → 1.0.1`
> [!NOTE]
> If you are filing an update request to change a package's source to a fork, please file a new package request instead. Even if the original upstream is outdated, the fork should be considered a new package.
---
- type: "dropdown"
id: "version"
attributes:
label: "Nixpkgs version"
description: |
What version of Nixpkgs are you using?
> [!IMPORTANT]
> If you are using an older or stable version, please update to the latest **unstable** version and check if the package is still out of date.
> If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
options:
- "Please select a version."
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
- type: "input"
id: "name"
attributes:
label: "Package name"
description: "Please indicate the name of the package."
validations:
required: true
- type: "input"
id: "upstream-version"
attributes:
label: "Upstream version"
description: "Please indicate the latest version of the package."
validations:
required: true
- type: "input"
id: "nixpkgs-version"
attributes:
label: "Nixpkgs version"
description: |
Please indicate the current version number in Nixpkgs' **unstable** channel. You can check this by setting the [NixOS Package Search](https://search.nixos.org/packages?channel=unstable) channel to 'unstable' and searching for the package.
If you meant to request an upgrade in the stable channel, please file the '**Request: backport to stable**' form instead.
validations:
required: true
- type: "input"
id: "changelog"
attributes:
label: "Changelog"
description: "If applicable, please link the upstream changelog for the latest version."
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this package update does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+package+%28update%29%22) or in [Nixpkgs Unstable](https://search.nixos.org/packages?channel=unstable)."
required: true
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+package+%28update%29%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

107
.github/ISSUE_TEMPLATE/07_backport_request.yml vendored
View File

@@ -1,107 +0,0 @@
name: "Request: backport to stable"
description: "Create a backport request for a package that is up-to-date in the unstable channel, but outdated in the stable channel."
title: "Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION"
labels: ["0.kind: enhancement", "9.needs: port to stable"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
> [!CAUTION]
> **Before you begin:** Be advised that backports are subject to the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
>
> Stable releases of Nixpkgs do not receive breaking changes, which include major package updates that have incompatible API changes and break backwards compatibility. In the [Semantic Versioning standard](https://semver.org/), this is the first version number (1.X.X).
>
> Generally, only minor package updates, such as security patches, bug fixes and feature additions (but not removals!) will be considered for backporting. Please read the rules above carefully before filing this backport request.
Welcome to Nixpkgs. Please replace the **`Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package in Nixpkgs Stable and the current version of the package in Nixpkgs Unstable.
> [!TIP]
> For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs Unstable is 1.0.1, but the current version in Nixpkgs Stable is 1.0.0, your title would be as follows:
> ```
> Backport to Stable: hello 1.0.0 → 1.0.1
> ```
---
- type: "input"
id: "name"
attributes:
label: "Package name"
description: "Please indicate the name of the package."
validations:
required: true
- type: "input"
id: "unstable-version"
attributes:
label: "Version in unstable"
description: "Please indicate the current version of the package in the unstable channel."
validations:
required: true
- type: "input"
id: "stable-version"
attributes:
label: "Version in stable"
description: "Please indicate the current version of the package in the stable channel."
validations:
required: true
- type: "textarea"
id: "reasoning"
attributes:
label: "Reasoning for backport"
description: "Please briefly explain why this backport fits the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases) and why you think this update should be backported."
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this backport does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+in%3Atitle+backport)."
required: true
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+port+to+stable%22+)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

100
.github/ISSUE_TEMPLATE/07_module_request.yml vendored Normal file
View File

@@ -0,0 +1,100 @@
name: "Request: NixOS module"
description: "Create a new NixOS Module request for an existing package."
title: "Module Request: nixos/MODULENAME"
labels: ["0.kind: enhancement", "6.topic: nixos", "9.needs: module (new)"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Module Request: nixos/MODULENAME`** template above with the correct module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
> [!TIP]
> For instance, if you were filing a request against the missing `hello` module, your title would be as follows:
> `Module Request: nixos/hello`
---
- type: "dropdown"
id: "version"
attributes:
label: "Nixpkgs version"
description: |
What version of Nixpkgs are you using?
> [!IMPORTANT]
> If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
options:
- "Please select a version."
- "- Unstable (25.05)"
- "- Stable (24.11)"
- "- Previous Stable (24.05)"
default: 0
validations:
required: true
- type: "textarea"
id: "description"
attributes:
label: "Describe the proposed module"
description: "Please include a clear and concise description of what the module should accomplish."
validations:
required: true
- type: "textarea"
id: "additional-context"
attributes:
label: "Additional context"
description: "Add any other context about the proposed module here."
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this module does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+module+%28new%29%22) or in [NixOS Unstable](https://search.nixos.org/options?channel=unstable)."
required: true
- label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+module+%28new%29%22). "
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve NixOS!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

102
.github/ISSUE_TEMPLATE/08_backport_request.yml vendored Normal file
View File

@@ -0,0 +1,102 @@
name: "Request: backport to stable"
description: "Create a backport request for a package that is up-to-date in the unstable channel, but outdated in the stable channel."
title: "Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION"
labels: ["0.kind: enhancement", "9.needs: port to stable"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
> [!CAUTION]
> **Before you begin:** Be advised that backports are subject to the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
> Stable releases of Nixpkgs do not receive breaking changes, which include major package updates that have incompatible API changes and break backwards compatibility. In the [Semantic Versioning standard](https://semver.org/), this is the first version number. (1.X.X)
> Generally, only minor package updates, such as security patches, bug fixes and feature additions (but not removals!) will be considered for backporting. Please read the rules above carefully before filing this backport request.
Welcome to Nixpkgs. Please replace the **`Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package in Nixpkgs Stable and the current version of the package in Nixpkgs Unstable.
> [!TIP]
> For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs Unstable is 1.0.1, but the current version in Nixpkgs Stable is 1.0.0, your title would be as follows:
> `Backport to Stable: hello 1.0.0 → 1.0.1`
---
- type: "input"
id: "name"
attributes:
label: "Package name"
description: "Please indicate the name of the package."
validations:
required: true
- type: "input"
id: "unstable-version"
attributes:
label: "Version in unstable"
description: "Please indicate the current version of the package in the unstable channel."
validations:
required: true
- type: "input"
id: "stable-version"
attributes:
label: "Version in stable"
description: "Please indicate the current version of the package in the stable channel."
validations:
required: true
- type: "textarea"
id: "reasoning"
attributes:
label: "Reasoning for backport"
description: "Please briefly explain why this backport fits the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases) and why you think this update should be backported."
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this backport does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+in%3Atitle+backport)."
required: true
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+port+to+stable%22+)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

89
.github/ISSUE_TEMPLATE/08_documentation_request.yml vendored
View File

@@ -1,89 +0,0 @@
name: "Request: documentation"
description: "Report missing or incorrect documentation in the NixOS or Nixpkgs manuals."
title: "Missing Documentation: PACKAGENAME"
labels: ["0.kind: enhancement", "9.needs: documentation"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Missing Documentation: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) or module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
> [!TIP]
> For instance, if you were filing an issue against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it not having any NixOS-specific documentation, your title would be as follows:
> ```
> Missing Documentation: hello
> ```
---
- type: "textarea"
id: "description"
attributes:
label: "Describe the problem"
description: "Please include a clear and concise description of what the issue is."
validations:
required: true
- type: "textarea"
id: "proposal"
attributes:
label: "Proposed solution"
description: |
If possible, please draft a tentative documentation chapter to resolve this issue.
Your proposal should be written in CommonMark Markdown, optionally enhanced with [Nix-specific extensions](https://github.com/NixOS/nixpkgs/tree/master/doc#syntax).
render: "markdown"
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this request is not already implemented in the latest [NixOS](https://nixos.org/manual/nixos/unstable/) or [Nixpkgs](https://nixos.org/manual/nixpkgs/unstable/) manuals."
required: true
- label: "I assert that this is not a [duplicate of an existing documentation issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "priorisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

86
.github/ISSUE_TEMPLATE/09_documentation_request.yml vendored Normal file
View File

@@ -0,0 +1,86 @@
name: "Request: documentation"
description: "Report missing or incorrect documentation in the NixOS or Nixpkgs manuals."
title: "Missing Documentation: PACKAGENAME"
labels: ["0.kind: enhancement", "9.needs: documentation"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Missing Documentation: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) or module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
> [!TIP]
> For instance, if you were filing an issue against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it not having any NixOS-specific documentation, your title would be as follows:
> `Missing Documentation: hello`
---
- type: "textarea"
id: "description"
attributes:
label: "Describe the problem"
description: "Please include a clear and concise description of what the issue is."
validations:
required: true
- type: "textarea"
id: "proposal"
attributes:
label: "Proposed solution"
description: |
If possible, please draft a tentative documentation chapter to resolve this issue.
Your proposal should be written in CommonMark Markdown, optionally enhanced with [Nix-specific extensions](https://github.com/NixOS/nixpkgs/tree/master/doc#syntax).
render: "markdown"
validations:
required: false
- type: "textarea"
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this request is not already implemented in the latest [NixOS](https://nixos.org/manual/nixos/unstable/) or [Nixpkgs](https://nixos.org/manual/nixpkgs/unstable/) manuals."
required: true
- label: "I assert that this is not a [duplicate of an existing documentation issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "priorisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

159
.github/ISSUE_TEMPLATE/09_unreproducible_package.yml vendored
View File

@@ -1,159 +0,0 @@
name: "Unreproducible Package"
description: "Report a package that does not produce a bit-by-bit reproducible result each time it is built."
title: "Unreproducible Package: PACKAGENAME"
labels: ["0.kind: enhancement", "6.topic: reproducible builds"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Unreproducible Package: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
> [!NOTE]
> This form is for reporting unreproducible packages. For more information, see the [Reproducible Builds Status](https://reproducible.nixos.org/) page.
>
> To report a package that fails to build entirely, please use the "Build Failure" form instead.
---
- type: "input"
id: "version"
attributes:
label: "Nixpkgs Revision"
description: "In which commit of Nixpkgs is this package displaying unreproducibility?"
- type: "textarea"
id: "introduction"
attributes:
label: "Introduction"
description: |
This is a generic introduction to build reproducibility.
Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the title above.
value: |
Building **PACKAGENAME** multiple times does not yield bit-by-bit identical
results, complicating the detection of Continuous Integration (CI) breaches. For
more information on this issue, visit [reproducible-builds.org](https://reproducible-builds.org/).
Fixing bit-by-bit reproducibility also has additional advantages, such as
avoiding hard-to-reproduce bugs, making content-addressed storage more effective
and reducing rebuilds in such systems.
validations:
required: true
- type: "textarea"
id: "how-to-reproduce"
attributes:
label: "Steps to reproduce"
description: |
This is a step-by-step instruction set meant for maintainers to debug the package that is failing to reproduce. You should also follow it to gather the `diffoscope` logs that will be needed below.
Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the introduction and the title above.
value: |
### 1. Build the package
This step will build the package. Specific arguments are passed to the command
to keep the build artifacts so we can compare them in case of differences.
Execute the following command:
```
nix-build '<nixpkgs>' -A PACKAGENAME && nix-build '<nixpkgs>' -A PACKAGENAME --check --keep-failed
```
Or using the new command line style:
```
nix build nixpkgs#PACKAGENAME && nix build nixpkgs#PACKAGENAME --rebuild --keep-failed
```
### 2. Compare the build artifacts
If the previous command completes successfully, no differences were found and
there's nothing to do, builds are reproducible.
If it terminates with the error message `error: derivation '<X>' may not be
deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
the discrepancies between the two build outputs. You may need to add the
`--exclude-directory-metadata recursive` option to ignore files and directories
metadata (*e.g. timestamp*) differences.
```
nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
```
### 3. Examine the build log
To examine the build log, use:
```
nix-store --read-log $(nix-instantiate '<nixpkgs>' -A PACKAGENAME)
```
Or with the new command line style:
```
nix log $(nix path-info --derivation nixpkgs#PACKAGENAME)
```
validations:
required: true
- type: "textarea"
id: "logs"
attributes:
label: "Diffoscope log"
description: |
Please copy and paste the relevant `diffoscope` log output, gathered from the steps above.
This will be automatically formatted into a monospaced text block, so no need for backticks.
render: "console"
- type: "textarea"
id: "additional-context"
attributes:
label: "Additional context"
description: "Add any other context about the problem here."
validations:
required: false
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |2
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

157
.github/ISSUE_TEMPLATE/10_unreproducible_package.yml vendored Normal file
View File

@@ -0,0 +1,157 @@
name: "Unreproducible Package"
description: "Report a package that does not produce a bit-by-bit reproducible result each time it is built."
title: "Unreproducible Package: PACKAGENAME"
labels: ["0.kind: enhancement", "6.topic: reproducible builds"]
body:
- type: "markdown"
attributes:
value: |
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
</picture>
</a>
</p>
Welcome to Nixpkgs. Please replace the **`Unreproducible Package: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
> [!NOTE]
> This form is for reporting unreproducible packages. For more information, see the [Reproducible Builds Status](https://reproducible.nixos.org/) page.
> To report a package that fails to build entirely, please use the "Build Failure" form instead.
---
- type: "input"
id: "version"
attributes:
label: "Nixpkgs Revision"
description: "In which commit of Nixpkgs is this package displaying unreproducibility?"
- type: "textarea"
id: "introduction"
attributes:
label: "Introduction"
description: |
This is a generic introduction to build reproducibility.
Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the title above.
value: |
Building **PACKAGENAME** multiple times does not yield bit-by-bit identical
results, complicating the detection of Continuous Integration (CI) breaches. For
more information on this issue, visit [reproducible-builds.org](https://reproducible-builds.org/).
Fixing bit-by-bit reproducibility also has additional advantages, such as
avoiding hard-to-reproduce bugs, making content-addressed storage more effective
and reducing rebuilds in such systems.
validations:
required: true
- type: "textarea"
id: "how-to-reproduce"
attributes:
label: "Steps to reproduce"
description: |
This is a step-by-step instruction set meant for maintainers to debug the package that is failing to reproduce. You should also follow it to gather the `diffoscope` logs that will be needed below.
Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the introduction and the title above.
value: |
### 1. Build the package
This step will build the package. Specific arguments are passed to the command
to keep the build artifacts so we can compare them in case of differences.
Execute the following command:
```
nix-build '<nixpkgs>' -A PACKAGENAME && nix-build '<nixpkgs>' -A PACKAGENAME --check --keep-failed
```
Or using the new command line style:
```
nix build nixpkgs#PACKAGENAME && nix build nixpkgs#PACKAGENAME --rebuild --keep-failed
```
### 2. Compare the build artifacts
If the previous command completes successfully, no differences were found and
there's nothing to do, builds are reproducible.
If it terminates with the error message `error: derivation '<X>' may not be
deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
the discrepancies between the two build outputs. You may need to add the
`--exclude-directory-metadata recursive` option to ignore files and directories
metadata (*e.g. timestamp*) differences.
```
nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
```
### 3. Examine the build log
To examine the build log, use:
```
nix-store --read-log $(nix-instantiate '<nixpkgs>' -A PACKAGENAME)
```
Or with the new command line style:
```
nix log $(nix path-info --derivation nixpkgs#PACKAGENAME)
```
validations:
required: true
- type: "textarea"
id: "logs"
attributes:
label: "Diffoscope log"
description: |
Please copy and paste the relevant `diffoscope` log output, gathered from the steps above.
This will be automatically formatted into a monospaced text block, so no need for backticks.
render: "console"
- type: "textarea"
id: "additional-context"
attributes:
label: "Additional context"
description: "Add any other context about the problem here."
validations:
required: false
id: "maintainers"
attributes:
label: "Notify maintainers"
description: |
Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
value: |
---
**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
validations:
required: false
- type: "checkboxes"
id: "sanity-check"
attributes:
label: "I assert that this issue is relevant for Nixpkgs"
options:
- label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22)."
required: true
- label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
required: true
- type: "markdown"
attributes:
value: |
# Thank you for helping improve Nixpkgs!
---
- type: "textarea"
id: "prioritisation"
attributes:
label: "Is this issue important to you?"
description: |
**Please do not modify this text area!**
This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
value: |
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

47
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -10,34 +10,37 @@ For new packages please briefly describe the package or provide a link to its ho
<!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->
- Built on platform:
- Built on platform(s)
- [ ] x86_64-linux
- [ ] aarch64-linux
- [ ] x86_64-darwin
- [ ] aarch64-darwin
- Tested, as applicable:
- [ ] [NixOS tests] in [nixos/tests].
- [ ] [Package tests] at `passthru.tests`.
- [ ] Tests in [lib/tests] or [pkgs/test] for functions and "core" functionality.
- [ ] Ran `nixpkgs-review` on this PR. See [nixpkgs-review usage].
- [ ] Tested basic functionality of all binary files, usually in `./result/bin/`.
- Nixpkgs Release Notes
- [ ] Package update: when the change is major or breaking.
- NixOS Release Notes
- [ ] Module addition: when adding a new NixOS module.
- [ ] Module update: when the change is significant.
- [ ] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs.
- For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
- [ ] `sandbox = relaxed`
- [ ] `sandbox = true`
- [ ] Tested, as applicable:
- [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests)
- or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
- made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [ ] (Module updates) Added a release notes entry if the change is significant
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module
- [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
[NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests
[Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests
[nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage
<!--
To help with the large amounts of pull requests, we would appreciate your
reviews of other pull requests, especially simple package updates. Just leave a
comment describing what you have tested in the relevant package/service.
Reviewing helps to reduce the average time-to-merge for everyone.
Thanks a lot if you do!
[CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md
[lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests
[maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md
[nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests
[pkgs/README.md]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md
[pkgs/test]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/test
List of open PRs: https://github.com/NixOS/nixpkgs/pulls
Reviewing guidelines: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#reviewing-contributions
-->
---

95
.github/actions/get-merge-commit/action.yml vendored
View File

@@ -1,95 +0,0 @@
name: Get merge commit
description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
inputs:
mergedSha:
description: "The merge commit SHA, previously collected."
type: string
merged-as-untrusted:
description: "Whether to checkout the merge commit in the ./untrusted folder."
type: boolean
targetSha:
description: "The target commit SHA, previously collected."
type: string
target-as-trusted:
description: "Whether to checkout the target commit in the ./trusted folder."
type: boolean
outputs:
mergedSha:
description: "The merge commit SHA"
value: ${{ steps.commits.outputs.mergedSha }}
targetSha:
description: "The target commit SHA"
value: ${{ steps.commits.outputs.targetSha }}
runs:
using: composite
steps:
- id: commits
if: ${{ !inputs.mergedSha && !inputs.targetSha }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
if (context.eventName == 'push') return core.setOutput('mergedSha', context.sha)
for (const retryInterval of [5, 10, 20, 40, 80]) {
console.log("Checking whether the pull request can be merged...")
const prInfo = (await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.pull_request.number
})).data
if (prInfo.state != 'open') throw new Error ("PR is not open anymore.")
if (prInfo.mergeable == null) {
console.log(`GitHub is still computing whether this PR can be merged, waiting ${retryInterval} seconds before trying again...`)
await new Promise(resolve => setTimeout(resolve, retryInterval * 1000))
continue
}
let mergedSha, targetSha
if (prInfo.mergeable) {
console.log("The PR can be merged.")
mergedSha = prInfo.merge_commit_sha
targetSha = (await github.rest.repos.getCommit({
owner: context.repo.owner,
repo: context.repo.repo,
ref: prInfo.merge_commit_sha
})).data.parents[0].sha
} else {
console.log("The PR has a merge conflict.")
mergedSha = prInfo.head.sha
targetSha = (await github.rest.repos.compareCommitsWithBasehead({
owner: context.repo.owner,
repo: context.repo.repo,
basehead: `${prInfo.base.sha}...${prInfo.head.sha}`
})).data.merge_base_commit.sha
}
console.log(`Checking the commits:\nmerged:${mergedSha}\ntarget:${targetSha}`)
core.setOutput('mergedSha', mergedSha)
core.setOutput('targetSha', targetSha)
return
}
throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
- if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha)
# Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
# but Nix is broken with them:
# https://github.com/NixOS/nix/issues/6073
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }}
path: untrusted
- if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }}
path: trusted

1
.github/dependabot.yml vendored
View File

@@ -4,4 +4,3 @@ updates:
directory: "/"
schedule:
interval: "weekly"
labels: []

23
.github/labeler-development-branches.yml vendored
View File

@@ -1,23 +0,0 @@
# This file is used by .github/workflows/labels.yml
# This version is only run for Pull Requests from development branches like staging-next, haskell-updates or python-updates.
"4.workflow: package set update":
- any:
- head-branch:
- '-updates$'
"4.workflow: staging":
- any:
- head-branch:
- '^staging-next$'
- '^staging-next-'
"6.topic: haskell":
- any:
- head-branch:
- '^haskell-updates$'
"6.topic: python":
- any:
- head-branch:
- '^python-updates$'

42
.github/labeler-no-sync.yml vendored
View File

@@ -1,32 +1,28 @@
# This file is used by .github/workflows/labels.yml
# This version uses `sync-labels: false`, meaning that a non-match will NOT remove the label
# keep-sorted start case=no numeric=yes newline_separated=yes skip_lines=1
"backport release-24.11":
- any:
- changed-files:
- any-glob-to-any-file:
- .github/workflows/*
- ci/**/*.*
"6.topic: policy discussion":
- any:
- changed-files:
- any-glob-to-any-file:
- .github/**/*
- CONTRIBUTING.md
- pkgs/README.md
- nixos/README.md
- maintainers/README.md
- lib/README.md
- doc/README.md
- changed-files:
- any-glob-to-any-file:
- .github/**/*
- CONTRIBUTING.md
- pkgs/README.md
- nixos/README.md
- maintainers/README.md
- lib/README.md
- doc/README.md
"8.has: documentation":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/**/*
- nixos/doc/**/*
"backport release-25.05":
- any:
- changed-files:
- any-glob-to-any-file:
- .github/workflows/*
- ci/**/*.*
# keep-sorted end
- changed-files:
- any-glob-to-any-file:
- doc/**/*
- nixos/doc/**/*

801
.github/labeler.yml vendored
View File

@@ -1,604 +1,581 @@
# This file is used by .github/workflows/labels.yml
# This version uses `sync-labels: true`, meaning that a non-match will remove the label
# keep-sorted start case=no numeric=yes newline_separated=yes skip_lines=1
"4.workflow: backport":
- any:
- base-branch:
- '^release-'
- '^staging-\d'
- '^staging-next-\d'
# NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
"6.topic: agda":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/agda.section.md
- nixos/tests/agda.nix
- pkgs/build-support/agda/**/*
- pkgs/development/libraries/agda/**/*
- pkgs/top-level/agda-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/agda.section.md
- nixos/tests/agda.nix
- pkgs/build-support/agda/**/*
- pkgs/development/libraries/agda/**/*
- pkgs/top-level/agda-packages.nix
"6.topic: cinnamon":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/cinnamon.nix
- nixos/tests/cinnamon.nix
- nixos/tests/cinnamon-wayland.nix
- pkgs/by-name/ci/cinnamon-*/**/*
- pkgs/by-name/cj/cjs/**/*
- pkgs/by-name/mu/muffin/**/*
- pkgs/by-name/ne/nemo/**/*
- pkgs/by-name/ne/nemo-*/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/cinnamon.nix
- nixos/tests/cinnamon.nix
- nixos/tests/cinnamon-wayland.nix
- pkgs/by-name/ci/cinnamon-*/**/*
- pkgs/by-name/cj/cjs/**/*
- pkgs/by-name/mu/muffin/**/*
- pkgs/by-name/ne/nemo/**/*
- pkgs/by-name/ne/nemo-*/**/*
"6.topic: continuous integration":
- any:
- changed-files:
- any-glob-to-any-file:
- .github/**/*
- ci/**/*.*
- changed-files:
- any-glob-to-any-file:
- .github/**/*
- ci/**/*
"6.topic: coq":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/science/logic/coq/**/*
- pkgs/development/coq-modules/**/*
- pkgs/top-level/coq-packages.nix
"6.topic: COSMIC":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/desktop-managers/cosmic.nix
- nixos/modules/services/display-managers/cosmic-greeter.nix
- nixos/tests/cosmic.nix
- pkgs/by-name/co/cosmic-*/**/*
- pkgs/by-name/xd/xdg-desktop-portal-cosmic/*
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/science/logic/coq/**/*
- pkgs/development/coq-modules/**/*
- pkgs/top-level/coq-packages.nix
"6.topic: crystal":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/crystal/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/crystal/**/*
"6.topic: cuda":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/cuda-modules/**/*
- pkgs/top-level/cuda-packages.nix
- changed-files:
- any-glob-to-any-file:
- pkgs/development/cuda-modules/**/*
- pkgs/top-level/cuda-packages.nix
"6.topic: deepin":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/desktops/deepin/**/*
- pkgs/desktops/deepin/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/desktops/deepin/**/*
- pkgs/desktops/deepin/**/*
"6.topic: docker tools":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/virtualization/docker/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/virtualization/docker/**/*
"6.topic: dotnet":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/dotnet.section.md
- maintainers/scripts/update-dotnet-lockfiles.nix
- pkgs/build-support/dotnet/**/*
- pkgs/development/compilers/dotnet/**/*
- pkgs/test/dotnet/**/*
- pkgs/top-level/dotnet-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/dotnet.section.md
- maintainers/scripts/update-dotnet-lockfiles.nix
- pkgs/build-support/dotnet/**/*
- pkgs/development/compilers/dotnet/**/*
- pkgs/test/dotnet/**/*
- pkgs/top-level/dotnet-packages.nix
"6.topic: emacs":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/editors/emacs.nix
- nixos/modules/services/editors/emacs.xml
- nixos/tests/emacs-daemon.nix
- pkgs/applications/editors/emacs/build-support/**/*
- pkgs/applications/editors/emacs/elisp-packages/**/*
- pkgs/applications/editors/emacs/**/*
- pkgs/top-level/emacs-packages.nix
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/editors/emacs.nix
- nixos/modules/services/editors/emacs.xml
- nixos/tests/emacs-daemon.nix
- pkgs/applications/editors/emacs/build-support/**/*
- pkgs/applications/editors/emacs/elisp-packages/**/*
- pkgs/applications/editors/emacs/**/*
- pkgs/top-level/emacs-packages.nix
"6.topic: Enlightenment DE":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/enlightenment.nix
- pkgs/desktops/enlightenment/**/*
- pkgs/development/python-modules/python-efl/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/enlightenment.nix
- pkgs/desktops/enlightenment/**/*
- pkgs/development/python-modules/python-efl/*
"6.topic: erlang":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/beam.section.md
- pkgs/development/beam-modules/**/*
- pkgs/development/interpreters/elixir/**/*
- pkgs/development/interpreters/erlang/**/*
- pkgs/development/tools/build-managers/rebar/**/*
- pkgs/development/tools/build-managers/rebar3/**/*
- pkgs/development/tools/erlang/**/*
- pkgs/top-level/beam-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/beam.section.md
- pkgs/development/beam-modules/**/*
- pkgs/development/interpreters/elixir/**/*
- pkgs/development/interpreters/erlang/**/*
- pkgs/development/tools/build-managers/rebar/**/*
- pkgs/development/tools/build-managers/rebar3/**/*
- pkgs/development/tools/erlang/**/*
- pkgs/top-level/beam-packages.nix
"6.topic: fetch":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/fetch*/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/fetch*/**/*
"6.topic: flakes":
- any:
- changed-files:
- any-glob-to-any-file:
- '**/flake.nix'
- lib/systems/flake-systems.nix
- nixos/modules/config/nix-flakes.nix
- changed-files:
- any-glob-to-any-file:
- '**/flake.nix'
- lib/systems/flake-systems.nix
- nixos/modules/config/nix-flakes.nix
"6.topic: flutter":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/flutter/*.nix
- pkgs/development/compilers/flutter/**/*.nix
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/flutter/*.nix
- pkgs/development/compilers/flutter/**/*.nix
"6.topic: games":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/games/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/games/**/*
"6.topic: GNOME":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/gnome.section.md
- nixos/modules/services/desktops/gnome/**/*
- nixos/modules/services/desktop-managers/gnome.nix
- nixos/tests/gnome-xorg.nix
- nixos/tests/gnome.nix
- pkgs/desktops/gnome/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/gnome.section.md
- nixos/modules/services/desktops/gnome/**/*
- nixos/modules/services/x11/desktop-managers/gnome.nix
- nixos/tests/gnome-xorg.nix
- nixos/tests/gnome.nix
- pkgs/desktops/gnome/**/*
"6.topic: golang":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/go.section.md
- pkgs/build-support/go/**/*
- pkgs/development/compilers/go/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/go.section.md
- pkgs/build-support/go/**/*
- pkgs/development/compilers/go/**/*
"6.topic: hardware":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/hardware/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/hardware/**/*
"6.topic: haskell":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/haskell.section.md
- maintainers/scripts/haskell/**/*
- pkgs/development/compilers/ghc/**/*
- pkgs/development/haskell-modules/**/*
- pkgs/development/tools/haskell/**/*
- pkgs/test/haskell/**/*
- pkgs/top-level/haskell-packages.nix
- pkgs/top-level/release-haskell.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/haskell.section.md
- maintainers/scripts/haskell/**/*
- pkgs/development/compilers/ghc/**/*
- pkgs/development/haskell-modules/**/*
- pkgs/development/tools/haskell/**/*
- pkgs/test/haskell/**/*
- pkgs/top-level/haskell-packages.nix
- pkgs/top-level/release-haskell.nix
"6.topic: java":
- any:
- changed-files:
- any-glob-to-any-file:
# Distributions
- pkgs/development/compilers/adoptopenjdk-icedtea-web/**/*
- pkgs/development/compilers/corretto/**/*
- pkgs/development/compilers/graalvm/**/*
- pkgs/development/compilers/openjdk/**/*
- pkgs/by-name/op/openjfx/**/*
- pkgs/development/compilers/semeru-bin/**/*
- pkgs/development/compilers/temurin-bin/**/*
- pkgs/development/compilers/zulu/**/*
# Documentation
- doc/languages-frameworks/java.section.md
# Gradle
- doc/languages-frameworks/gradle.section.md
- pkgs/development/tools/build-managers/gradle/**/*
- pkgs/by-name/gr/gradle-completion/**/*
# Maven
- pkgs/by-name/ma/maven/**/*
- doc/languages-frameworks/maven.section.md
# Ant
- pkgs/by-name/an/ant/**/*
# javaPackages attrset
- pkgs/development/java-modules/**/*
- pkgs/top-level/java-packages.nix
# Maintainer tooling
- pkgs/by-name/ni/nixpkgs-openjdk-updater/**/*
# Misc
- nixos/modules/programs/java.nix
- changed-files:
- any-glob-to-any-file:
# Distributions
- pkgs/development/compilers/adoptopenjdk-icedtea-web/**/*
- pkgs/development/compilers/corretto/**/*
- pkgs/development/compilers/graalvm/**/*
- pkgs/development/compilers/openjdk/**/*
- pkgs/by-name/op/openjfx/**/*
- pkgs/development/compilers/semeru-bin/**/*
- pkgs/development/compilers/temurin-bin/**/*
- pkgs/development/compilers/zulu/**/*
# Documentation
- doc/languages-frameworks/java.section.md
# Gradle
- doc/languages-frameworks/gradle.section.md
- pkgs/development/tools/build-managers/gradle/**/*
- pkgs/by-name/gr/gradle-completion/**/*
# Maven
- pkgs/by-name/ma/maven/**/*
- doc/languages-frameworks/maven.section.md
# Ant
- pkgs/by-name/an/ant/**/*
# javaPackages attrset
- pkgs/development/java-modules/**/*
- pkgs/top-level/java-packages.nix
# Maintainer tooling
- pkgs/by-name/ni/nixpkgs-openjdk-updater/**/*
# Misc
- nixos/modules/programs/java.nix
"6.topic: jitsi":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/networking/jitsi-videobridge.nix
- nixos/modules/services/web-apps/jitsi-meet.nix
- pkgs/servers/web-apps/jitsi-meet/**/*
- pkgs/servers/jitsi-videobridge/**/*
- pkgs/applications/networking/instant-messengers/jitsi/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/networking/jitsi-videobridge.nix
- nixos/modules/services/web-apps/jitsi-meet.nix
- pkgs/servers/web-apps/jitsi-meet/**/*
- pkgs/servers/jitsi-videobridge/**/*
- pkgs/applications/networking/instant-messengers/jitsi/**/*
"6.topic: julia":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/julia.section.md
- pkgs/development/compilers/julia/**/*
- pkgs/development/julia-modules/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/julia.section.md
- pkgs/development/compilers/julia/**/*
- pkgs/development/julia-modules/**/*
"6.topic: jupyter":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/python-modules/jupyter*/**/*
- pkgs/development/python-modules/mkdocs-jupyter/*
- nixos/modules/services/development/jupyter/**/*
- pkgs/applications/editors/jupyter-kernels/**/*
- pkgs/applications/editors/jupyter/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/development/python-modules/jupyter*/**/*
- pkgs/development/python-modules/mkdocs-jupyter/*
- nixos/modules/services/development/jupyter/**/*
- pkgs/applications/editors/jupyter-kernels/**/*
- pkgs/applications/editors/jupyter/**/*
"6.topic: k3s":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/cluster/k3s/**/*
- nixos/tests/k3s/**/*
- pkgs/applications/networking/cluster/k3s/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/cluster/k3s/**/*
- nixos/tests/k3s/**/*
- pkgs/applications/networking/cluster/k3s/**/*
"6.topic: kernel":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/kernel/**/*
- pkgs/os-specific/linux/kernel/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/kernel/**/*
- pkgs/os-specific/linux/kernel/**/*
"6.topic: lib":
- any:
- changed-files:
- any-glob-to-any-file:
- lib/**
- changed-files:
- any-glob-to-any-file:
- lib/**
"6.topic: llvm/clang":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/llvm/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/llvm/**/*
"6.topic: lua":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/tools/misc/luarocks/*
- pkgs/development/interpreters/lua-5/**/*
- pkgs/development/interpreters/luajit/**/*
- pkgs/development/lua-modules/**/*
- pkgs/top-level/lua-packages.nix
- changed-files:
- any-glob-to-any-file:
- pkgs/development/tools/misc/luarocks/*
- pkgs/development/interpreters/lua-5/**/*
- pkgs/development/interpreters/luajit/**/*
- pkgs/development/lua-modules/**/*
- pkgs/top-level/lua-packages.nix
"6.topic: Lumina DE":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/lumina.nix
- pkgs/desktops/lumina/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/lumina.nix
- pkgs/desktops/lumina/**/*
"6.topic: LXQt":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/lxqt.nix
- pkgs/desktops/lxqt/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/lxqt.nix
- pkgs/desktops/lxqt/**/*
"6.topic: mate":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/mate.nix
- nixos/tests/mate.nix
- pkgs/desktops/mate/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/x11/desktop-managers/mate.nix
- nixos/tests/mate.nix
- pkgs/desktops/mate/**/*
"6.topic: module system":
- any:
- changed-files:
- any-glob-to-any-file:
- lib/modules.nix
- lib/types.nix
- lib/options.nix
- lib/tests/modules.sh
- lib/tests/modules/**
- changed-files:
- any-glob-to-any-file:
- lib/modules.nix
- lib/types.nix
- lib/options.nix
- lib/tests/modules.sh
- lib/tests/modules/**
"6.topic: musl":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/linux/musl/**/*
"6.topic: nim":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/nim.section.md
- pkgs/build-support/build-nim-package.nix
- pkgs/build-support/build-nim-sbom.nix
- pkgs/by-name/ni/nim*
- pkgs/top-level/nim-overrides.nix
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/linux/musl/**/*
"6.topic: nixos":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/**/*
- pkgs/by-name/sw/switch-to-configuration-ng/**/*
- pkgs/by-name/ni/nixos-rebuild-ng/**/*
- pkgs/os-specific/linux/nixos-rebuild/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/**/*
- pkgs/by-name/sw/switch-to-configuration-ng/**/*
- pkgs/by-name/ni/nixos-rebuild-ng/**/*
- pkgs/os-specific/linux/nixos-rebuild/**/*
"6.topic: nixos-container":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/virtualisation/nixos-containers.nix
- pkgs/tools/virtualization/nixos-container/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/virtualisation/nixos-containers.nix
- pkgs/tools/virtualization/nixos-container/**/*
"6.topic: nim":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/nim.section.md
- pkgs/build-support/build-nim-package.nix
- pkgs/build-support/build-nim-sbom.nix
- pkgs/by-name/ni/nim*
- pkgs/top-level/nim-overrides.nix
"6.topic: nodejs":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/javascript.section.md
- pkgs/build-support/node/**/*
- pkgs/development/node-packages/**/*
- pkgs/development/tools/yarn/*
- pkgs/development/tools/yarn2nix-moretea/**/*
- pkgs/development/tools/pnpm/**/*
- pkgs/development/web/nodejs/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/javascript.section.md
- pkgs/build-support/node/**/*
- pkgs/development/node-packages/**/*
- pkgs/development/tools/yarn/*
- pkgs/development/tools/yarn2nix-moretea/**/*
- pkgs/development/tools/pnpm/**/*
- pkgs/development/web/nodejs/*
"6.topic: nvidia":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/hardware/video/nvidia.nix
- nixos/modules/services/hardware/nvidia-container-toolkit/**/*
- nixos/modules/services/hardware/nvidia-optimus.nix
- pkgs/os-specific/linux/nvidia-x11/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/hardware/video/nvidia.nix
- nixos/modules/services/hardware/nvidia-container-toolkit/**/*
- nixos/modules/services/hardware/nvidia-optimus.nix
- pkgs/os-specific/linux/nvidia-x11/**/*
"6.topic: ocaml":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/ocaml.section.md
- pkgs/development/compilers/ocaml/**/*
- pkgs/development/compilers/reason/**/*
- pkgs/development/ocaml-modules/**/*
- pkgs/development/tools/ocaml/**/*
- pkgs/top-level/ocaml-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/ocaml.section.md
- pkgs/development/compilers/ocaml/**/*
- pkgs/development/compilers/reason/**/*
- pkgs/development/ocaml-modules/**/*
- pkgs/development/tools/ocaml/**/*
- pkgs/top-level/ocaml-packages.nix
"6.topic: pantheon":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/desktops/pantheon/**/*
- nixos/modules/services/x11/desktop-managers/pantheon.nix
- nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
- nixos/tests/pantheon.nix
- pkgs/desktops/pantheon/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/desktops/pantheon/**/*
- nixos/modules/services/x11/desktop-managers/pantheon.nix
- nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
- nixos/tests/pantheon.nix
- pkgs/desktops/pantheon/**/*
"6.topic: php":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/php.section.md
- nixos/tests/php/**/*
- pkgs/build-support/php/**/*
- pkgs/development/interpreters/php/**/*
- pkgs/development/php-packages/**/*
- pkgs/test/php/default.nix
- pkgs/top-level/php-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/php.section.md
- nixos/tests/php/**/*
- pkgs/build-support/php/**/*
- pkgs/development/interpreters/php/**/*
- pkgs/development/php-packages/**/*
- pkgs/test/php/default.nix
- pkgs/top-level/php-packages.nix
"6.topic: printing":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/printing/cupsd.nix
- pkgs/misc/cups/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/printing/cupsd.nix
- pkgs/misc/cups/**/*
"6.topic: python":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/python.section.md
- pkgs/development/interpreters/python/**/*
- pkgs/development/python-modules/**/*
- pkgs/top-level/python-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/python.section.md
- pkgs/development/interpreters/python/**/*
- pkgs/development/python-modules/**/*
- pkgs/top-level/python-packages.nix
"6.topic: qt/kde":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/qt.section.md
- nixos/modules/services/x11/desktop-managers/plasma5.nix
- nixos/tests/plasma5.nix
- pkgs/applications/kde/**/*
- pkgs/desktops/plasma-5/**/*
- pkgs/development/libraries/kde-frameworks/**/*
- pkgs/development/libraries/qt-5/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/qt.section.md
- nixos/modules/services/x11/desktop-managers/plasma5.nix
- nixos/tests/plasma5.nix
- pkgs/applications/kde/**/*
- pkgs/desktops/plasma-5/**/*
- pkgs/development/libraries/kde-frameworks/**/*
- pkgs/development/libraries/qt-5/**/*
"6.topic: R":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/science/math/R/**/*
- pkgs/development/r-modules/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/science/math/R/**/*
- pkgs/development/r-modules/**/*
"6.topic: rocm":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/rocm-modules/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/development/rocm-modules/**/*
"6.topic: ruby":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/ruby.section.md
- pkgs/development/interpreters/ruby/**/*
- pkgs/development/ruby-modules/**/*
- pkgs/top-level/ruby-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/ruby.section.md
- pkgs/development/interpreters/ruby/**/*
- pkgs/development/ruby-modules/**/*
- pkgs/top-level/ruby-packages.nix
"6.topic: rust":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/rust.section.md
- pkgs/build-support/rust/**/*
- pkgs/development/compilers/rust/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/rust.section.md
- pkgs/build-support/rust/**/*
- pkgs/development/compilers/rust/**/*
"6.topic: stdenv":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/stdenv/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/stdenv/**/*
"6.topic: steam":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/games/steam/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/games/steam/**/*
"6.topic: systemd":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/linux/systemd/**/*
- nixos/modules/system/boot/systemd*/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/linux/systemd/**/*
- nixos/modules/system/boot/systemd*/**/*
"6.topic: tcl":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/tcl.section.md
- pkgs/development/interpreters/tcl/*
- pkgs/development/tcl-modules/**/*
- pkgs/top-level/tcl-packages.nix
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/tcl.section.md
- pkgs/development/interpreters/tcl/*
- pkgs/development/tcl-modules/**/*
- pkgs/top-level/tcl-packages.nix
"6.topic: teams":
- any:
- changed-files:
- any-glob-to-any-file:
- maintainers/team-list.nix
"6.topic: testing":
- any:
- changed-files:
- any-glob-to-any-file:
# NOTE: Let's keep the scope limited to test frameworks that are
# *developed in this repo*;
# - not individual tests
# - not packages for test frameworks
- pkgs/build-support/testers/**
- nixos/lib/testing/**
- nixos/lib/test-driver/**
- nixos/tests/nixos-test-driver/**
- nixos/lib/testing-python.nix # legacy
- nixos/tests/make-test-python.nix # legacy
# lib/debug.nix has a test framework (runTests) but it's not the main focus
- changed-files:
- any-glob-to-any-file:
- maintainers/team-list.nix
"6.topic: TeX":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/texlive.section.md
- pkgs/test/texlive/**
- pkgs/tools/typesetting/tex/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/texlive.section.md
- pkgs/test/texlive/**
- pkgs/tools/typesetting/tex/**/*
"6.topic: testing":
- any:
- changed-files:
- any-glob-to-any-file:
# NOTE: Let's keep the scope limited to test frameworks that are
# *developed in this repo*;
# - not individual tests
# - not packages for test frameworks
- pkgs/build-support/testers/**
- nixos/lib/testing/**
- nixos/lib/test-driver/**
- nixos/tests/nixos-test-driver/**
- nixos/lib/testing-python.nix # legacy
- nixos/tests/make-test-python.nix # legacy
# lib/debug.nix has a test framework (runTests) but it's not the main focus
"6.topic: updaters":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/common-updater/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/common-updater/**/*
"6.topic: vim":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/vim.section.md
- pkgs/applications/editors/vim/**/*
- pkgs/applications/editors/vim/plugins/**/*
- nixos/modules/programs/neovim.nix
- pkgs/applications/editors/neovim/**/*
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/vim.section.md
- pkgs/applications/editors/vim/**/*
- pkgs/applications/editors/vim/plugins/**/*
- nixos/modules/programs/neovim.nix
- pkgs/applications/editors/neovim/**/*
"6.topic: vscode":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/editors/vscode/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/editors/vscode/**/*
"6.topic: windows":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/windows/**/*
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/windows/**/*
"6.topic: xen-project":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/virtualisation/xen*
- pkgs/by-name/xe/xen/*
- pkgs/by-name/qe/qemu_xen/*
- pkgs/by-name/xe/xen-guest-agent/*
- pkgs/by-name/xt/xtf/*
- pkgs/build-support/xen/*
- pkgs/development/ocaml-modules/xen*/*
- pkgs/development/ocaml-modules/vchan/*
- changed-files:
- any-glob-to-any-file:
- nixos/modules/virtualisation/xen*
- pkgs/by-name/xe/xen/*
- pkgs/by-name/qe/qemu_xen/*
- pkgs/by-name/xe/xen-guest-agent/*
- pkgs/by-name/xt/xtf/*
- pkgs/build-support/xen/*
- pkgs/development/ocaml-modules/xen*/*
- pkgs/development/ocaml-modules/vchan/*
"6.topic: xfce":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/doc/manual/configuration/xfce.xml
- nixos/modules/services/x11/desktop-managers/xfce.nix
- nixos/tests/xfce.nix
- pkgs/desktops/xfce/**/*
- changed-files:
- any-glob-to-any-file:
- nixos/doc/manual/configuration/xfce.xml
- nixos/modules/services/x11/desktop-managers/xfce.nix
- nixos/tests/xfce.nix
- pkgs/desktops/xfce/**/*
"6.topic: zig":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/zig/**/*
- doc/hooks/zig.section.md
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/zig/**/*
- doc/hooks/zig.section.md
"8.has: changelog":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/release-notes/**/*
- nixos/doc/manual/release-notes/**/*
"8.has: maintainer-list (update)":
- any:
- changed-files:
- any-glob-to-any-file:
- maintainers/maintainer-list.nix
- changed-files:
- any-glob-to-any-file:
- nixos/doc/manual/release-notes/**/*
"8.has: module (update)":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/**/*
# keep-sorted end
- changed-files:
- any-glob-to-any-file:
- nixos/modules/**/*
"8.has: maintainer-list (update)":
- any:
- changed-files:
- any-glob-to-any-file:
- maintainers/maintainer-list.nix

9
.github/stale.yml vendored Normal file
View File

@@ -0,0 +1,9 @@
# Configuration for probot-stale - https://github.com/probot/stale
daysUntilStale: 180
daysUntilClose: false
exemptLabels:
- "1.severity: security"
- "2.status: never-stale"
staleLabel: "2.status: stale"
markComment: false
closeComment: false

59
.github/workflows/README.md vendored
View File

@@ -2,62 +2,19 @@
Some architectural notes about key decisions and concepts in our workflows:
- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows.
This has the advantage that those workflows will run without prior approval for external contributors.
- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors.
- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches.
**Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible.
Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.
- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.
- By definition `pull_request_target` runs in the context of the **base** of the pull request.
This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default.
To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.
- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.
- To test the pull request's contents, we checkout the "test merge commit".
This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?".
The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore).
This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout.
Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.
- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.
- Various workflows need to make comparisons against the base branch.
In this case, we checkout the parent of the "test merge commit" for best results.
Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.
- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.
## Terminology
- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions.
Same as `github.event.pull_request.base.sha`.
- **head commit**: The HEAD commit in the pull request's branch.
Same as `github.event.pull_request.head.sha`.
- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request.
Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`.
- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`.
- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
- **target commit**: The base branch's parent of the "test merge commit" to compare against.
## Concurrency Groups
We use [GitHub's Concurrency Groups](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs) to cancel older jobs on pushes to Pull Requests.
When two workflows are in the same group, a newer workflow cancels an older workflow.
Thus, it is important how to construct the group keys:
- Because we want to run jobs for different events at same time, we add `github.event_name` to the key.
This is the case for the `pull_request` which runs on changes to the workflow files to test the new files and the same workflow from the base branch run via `pull_request_event`.
- We don't want workflows of different Pull Requests to cancel each other, so we include `github.event.pull_request.number`.
The [GitHub docs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs#example-using-a-fallback-value) show using `github.head_ref` for this purpose, but this doesn't work well with forks: Different users could have the same head branch name in their forks and run CI for their PRs at the same time.
- Sometimes, there is no `pull_request.number`.
To ensure non-PR runs are never cancelled, we add a fallback of `github.run_id`.
This is a unique value for each workflow run.
- Of course, we run multiple workflows at the same time, so we add `github.workflow` to the key.
Otherwise workflows would cancel each other.
- There is a special case for reusable workflows called via `workflow_call` - they will have `github.workflow` set to their parent workflow's name.
Thus, they would cancel each other.
That's why we additionally hardcode the name of the workflow as well.
This results in a key with the following semantics:
```
<running-workflow>-<triggering-workflow>-<triggered-event>-<pull-request/fallback>
```

45
.github/workflows/backport.yml vendored
View File

@@ -9,44 +9,29 @@ on:
pull_request_target:
types: [closed, labeled]
permissions:
contents: read
issues: write
pull-requests: write
defaults:
run:
shell: bash
permissions: {}
jobs:
backport:
name: Backport Pull Request
if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
runs-on: ubuntu-24.04-arm
if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
runs-on: ubuntu-24.04
steps:
# Use a GitHub App to create the PR so that CI gets triggered
# The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
- uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
id: app-token
with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ steps.app-token.outputs.token }}
- name: Log current API rate limits
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: Create backport PRs
id: backport
uses: korthout/backport-action@0193454f0c5947491d348f33a275c119f30eb736 # v3.2.1
uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
with:
# Config README: https://github.com/korthout/backport-action#backport-action
copy_labels_pattern: 'severity:\ssecurity'
@@ -55,22 +40,4 @@ jobs:
Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.
* [ ] Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
* Even as a non-committer, if you find that it is not acceptable, leave a comment.
- name: Log current API rate limits
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: "Add 'has: port to stable' label"
if: steps.backport.outputs.created_pull_numbers != ''
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
# Not using the app on purpose to avoid triggering another workflow run after adding this label.
script: |
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: [ '8.has: port to stable' ]
})
* Even as a non-commiter, if you find that it is not acceptable, leave a comment.

100
.github/workflows/build.yml vendored
View File

@@ -1,100 +0,0 @@
name: Build
on:
workflow_call:
inputs:
baseBranch:
required: true
type: string
mergedSha:
required: true
type: string
secrets:
CACHIX_AUTH_TOKEN:
required: true
permissions: {}
defaults:
run:
shell: bash
jobs:
build:
strategy:
fail-fast: false
matrix:
include:
- runner: ubuntu-24.04
system: x86_64-linux
builds: [shell, manual-nixos, lib-tests, tarball]
desc: shell, docs, lib, tarball
- runner: ubuntu-24.04-arm
system: aarch64-linux
builds: [shell, manual-nixos, manual-nixpkgs, manual-nixpkgs-tests]
desc: shell, docs
- runner: macos-13
system: x86_64-darwin
builds: [shell]
desc: shell
- runner: macos-14
system: aarch64-darwin
builds: [shell]
desc: shell
name: '${{ matrix.system }}: ${{ matrix.desc }}'
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
with:
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci
authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
- name: Build shell
if: contains(matrix.builds, 'shell')
run: nix-build untrusted/ci -A shell
- name: Build NixOS manual
if: |
contains(matrix.builds, 'manual-nixos') && !cancelled() &&
contains(fromJSON(inputs.baseBranch).type, 'primary')
run: nix-build untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }} --out-link nixos-manual
- name: Build Nixpkgs manual
if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled()
run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests
- name: Build Nixpkgs manual tests
if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled()
run: nix-build untrusted/ci -A manual-nixpkgs-tests
- name: Build lib tests
if: contains(matrix.builds, 'lib-tests') && !cancelled()
run: nix-build untrusted/ci -A lib-tests
- name: Build tarball
if: contains(matrix.builds, 'tarball') && !cancelled()
run: nix-build untrusted/ci -A tarball
- name: Upload NixOS manual
if: |
contains(matrix.builds, 'manual-nixos') && !cancelled() &&
contains(fromJSON(inputs.baseBranch).type, 'primary')
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: nixos-manual-${{ matrix.system }}
path: nixos-manual
if-no-files-found: error

28
.github/workflows/check-cherry-picks.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
name: "Check cherry-picks"
on:
pull_request_target:
branches:
- 'release-**'
- 'staging-**'
- '!staging-next'
permissions: {}
jobs:
check:
name: cherry-pick-check
runs-on: ubuntu-24.04
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
filter: blob:none
- name: Check cherry-picks
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"

28
.github/workflows/check-maintainers-sorted.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
name: "Check that maintainer list is sorted"
on:
pull_request_target:
paths:
- 'maintainers/maintainer-list.nix'
permissions: {}
jobs:
nixos:
name: maintainer-list-check
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
# Only these directories to perform the check
sparse-checkout: |
lib
maintainers
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- name: Check that maintainer-list.nix is sorted
run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix

100
.github/workflows/check-nix-format.yml vendored Normal file
View File

@@ -0,0 +1,100 @@
# This file was copied mostly from check-maintainers-sorted.yaml.
# NOTE: Formatting with the RFC-style nixfmt command is not yet stable. See
# https://github.com/NixOS/rfcs/pull/166.
# Because of this, this action is not yet enabled for all files -- only for
# those who have opted in.
name: Check that Nix files are formatted
on:
pull_request_target:
types: [opened, synchronize, reopened, edited]
permissions: {}
jobs:
get-merge-commit:
uses: ./.github/workflows/get-merge-commit.yml
nixos:
name: nixfmt-check
runs-on: ubuntu-24.04
needs: get-merge-commit
if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
# Fetches the merge commit and its parents
fetch-depth: 2
- name: Checking out target branch
run: |
target=$(mktemp -d)
targetRev=$(git rev-parse HEAD^1)
git worktree add "$target" "$targetRev"
echo "targetRev=$targetRev" >> "$GITHUB_ENV"
echo "target=$target" >> "$GITHUB_ENV"
- name: Get Nixpkgs revision for nixfmt
run: |
# pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
# from staging
# This should not be a URL, because it would allow PRs to run arbitrary code in CI!
rev=$(jq -r .rev ci/pinned-nixpkgs.json)
echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
nix_path: nixpkgs=${{ env.url }}
- name: Install nixfmt
run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
- name: Check that Nix files are formatted according to the RFC style
run: |
unformattedFiles=()
# TODO: Make this more parallel
# Loop through all Nix files touched by the PR
while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
type=${entry[0]}
file=${entry[1]}
case $type in
A*)
source=""
dest=$file
;;
M*)
source=$file
dest=$file
;;
C*|R*)
source=$file
read -r -d '' dest
;;
*)
echo "Ignoring file $file with type $type"
continue
esac
# Ignore files that weren't already formatted
if [[ -n "$source" ]] && ! nixfmt --check ${{ env.target }}/"$source" 2>/dev/null; then
echo "Ignoring file $file because it's not formatted in the target commit"
elif ! nixfmt --check "$dest"; then
unformattedFiles+=("$dest")
fi
done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix')
if (( "${#unformattedFiles[@]}" > 0 )); then
echo "Some new/changed Nix files are not properly formatted"
echo "Please format them using the Nixpkgs-specific \`nixfmt\` by going to the Nixpkgs root directory, running \`nix-shell\`, then:"
echo
echo "nixfmt ${unformattedFiles[*]@Q}"
echo
echo "Make sure your branch is up to date with master; rebase if not."
echo "If you're having trouble, please ping @NixOS/nix-formatting"
exit 1
fi

132
.github/workflows/check-nixf-tidy.yml vendored Normal file
View File

@@ -0,0 +1,132 @@
name: Check changed Nix files with nixf-tidy (experimental)
on:
pull_request_target:
types: [opened, synchronize, reopened, edited]
permissions: {}
jobs:
nixos:
name: exp-nixf-tidy-check
runs-on: ubuntu-24.04
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
# Fetches the merge commit and its parents
fetch-depth: 2
- name: Checking out target branch
run: |
target=$(mktemp -d)
targetRev=$(git rev-parse HEAD^1)
git worktree add "$target" "$targetRev"
echo "targetRev=$targetRev" >> "$GITHUB_ENV"
echo "target=$target" >> "$GITHUB_ENV"
- name: Get Nixpkgs revision for nixf
run: |
# pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
# from staging
# This should not be a URL, because it would allow PRs to run arbitrary code in CI!
rev=$(jq -r .rev ci/pinned-nixpkgs.json)
echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
nix_path: nixpkgs=${{ env.url }}
- name: Install nixf and jq
# provided jq is incompatible with our expression
run: "nix-env -f '<nixpkgs>' -iAP nixf jq"
- name: Check that Nix files pass nixf-tidy
run: |
# Filtering error messages we don't like
nixf_wrapper(){
nixf-tidy --variable-lookup < "$1" | jq -r '
[
"sema-escaping-with"
]
as $ignored_errors|[.[]|select(.sname as $s|$ignored_errors|index($s)|not)]
'
}
failedFiles=()
# Don't report errors to file overview
# to avoid duplicates when editing title and description
if [[ "${{ github.event.action }}" == 'edited' ]] && [[ -z "${{ github.event.edited.changes.base }}" ]]; then
DONT_REPORT_ERROR=1
else
DONT_REPORT_ERROR=
fi
# TODO: Make this more parallel
# Loop through all Nix files touched by the PR
while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
type=${entry[0]}
file=${entry[1]}
case $type in
A*)
source=""
dest=$file
;;
M*)
source=$file
dest=$file
;;
C*|R*)
source=$file
read -r -d '' dest
;;
*)
echo "Ignoring file $file with type $type"
continue
esac
if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.target }}/"$source")" != '[]' ]] 2>/dev/null; then
echo "Ignoring file $file because it doesn't pass nixf-tidy in the target commit"
echo # insert blank line
else
nixf_report="$(nixf_wrapper "$dest")"
if [[ "$nixf_report" != '[]' ]]; then
echo "$dest doesn't pass nixf-tidy. Reported by nixf-tidy:"
errors=$(echo "$nixf_report" | jq -r --arg dest "$dest" '
def getLCur: "line=" + (.line+1|tostring) + ",col=" + (.column|tostring);
def getRCur: "endLine=" + (.line+1|tostring) + ",endColumn=" + (.column|tostring);
def getRange: "file=\($dest)," + (.lCur|getLCur) + "," + (.rCur|getRCur);
def getBody: . as $top|(.range|getRange) + ",title="+ .sname + "::" +
(.message|sub("{}" ; ($top.args.[]|tostring)));
def getNote: "\n::notice " + (.|getBody);
def getMessage: "::error " + (.|getBody) + (if (.notes|length)>0 then
([.notes.[]|getNote]|add) else "" end);
.[]|getMessage
')
if [[ -z "$DONT_REPORT_ERROR" ]]; then
echo "$errors"
else
# just print in plain text
echo "${errors/::/}"
echo # add one empty line
fi
failedFiles+=("$dest")
fi
fi
done < <(git diff -z --name-status ${{ env.targetRev }} -- '*.nix')
if [[ -n "$DONT_REPORT_ERROR" ]]; then
echo "Edited the PR but didn't change the base branch, only the description/title."
echo "Not reporting errors again to avoid duplication."
echo # add one empty line
fi
if (( "${#failedFiles[@]}" > 0 )); then
echo "Some new/changed Nix files don't pass nixf-tidy."
echo "See ${{ github.event.pull_request.html_url }}/files for reported errors."
echo "If you believe this is a false positive, ping @Aleksanaa and @inclyc in this PR."
exit 1
fi

33
.github/workflows/check-shell.yml vendored Normal file
View File

@@ -0,0 +1,33 @@
name: "Check shell"
on:
pull_request_target:
paths:
- 'shell.nix'
- 'ci/**'
permissions: {}
jobs:
shell-check:
strategy:
fail-fast: false
matrix:
include:
- runner: ubuntu-24.04
system: x86_64-linux
- runner: macos-14
system: aarch64-darwin
name: shell-check-${{ matrix.system }}
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
- name: Build shell
run: nix-build shell.nix

71
.github/workflows/check.yml vendored
View File

@@ -1,71 +0,0 @@
name: Check
on:
workflow_call:
inputs:
baseBranch:
required: true
type: string
headBranch:
required: true
type: string
permissions: {}
defaults:
run:
shell: bash
jobs:
no-channel-base:
name: no channel base
if: contains(fromJSON(inputs.baseBranch).type, 'channel')
runs-on: ubuntu-24.04-arm
steps:
- run: |
cat <<EOF
The nixos-* and nixpkgs-* branches are pushed to by the channel
release script and should not be merged into directly.
Please target the equivalent release-* branch or master instead.
EOF
exit 1
cherry-pick:
if: |
github.event_name == 'pull_request' ||
(fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development'))
permissions:
pull-requests: write
runs-on: ubuntu-24.04-arm
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
filter: tree:0
path: trusted
- name: Install dependencies
run: npm install bottleneck
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- name: Check cherry-picks
id: check
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
require('./trusted/ci/github-script/commits.js')({
github,
context,
core,
dry: context.eventName == 'pull_request',
})
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq

102
.github/workflows/codeowners-v2.yml vendored
View File

@@ -23,125 +23,89 @@
name: Codeowners v2
on:
pull_request:
paths:
- .github/workflows/codeowners-v2.yml
pull_request_target:
types: [opened, ready_for_review, synchronize, reopened]
concurrency:
group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
types: [opened, ready_for_review, synchronize, reopened, edited]
permissions: {}
defaults:
run:
shell: bash
env:
OWNERS_FILE: ci/OWNERS
# Don't do anything on draft PRs
DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
jobs:
get-merge-commit:
if: github.repository_owner == 'NixOS'
uses: ./.github/workflows/get-merge-commit.yml
# Check that code owners is valid
check:
name: Check
runs-on: ubuntu-24.04-arm
runs-on: ubuntu-24.04
needs: get-merge-commit
if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and checkout the merge and target commits
uses: ./.github/actions/get-merge-commit
with:
merged-as-untrusted: true
target-as-trusted: true
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
- uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Build codeowners validator
run: nix-build trusted/ci -A codeownersValidator
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
# We later build and run code from the base branch with access to secrets,
# so it's important this is not the PRs code.
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: base
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
- name: Build codeowners validator
run: nix-build base/ci -A codeownersValidator
- uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
id: app-token
with:
app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
path: pr
- name: Validate codeowners
if: steps.app-token.outputs.token
run: result/bin/codeowners-validator
env:
OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
REPOSITORY_PATH: untrusted
REPOSITORY_PATH: pr
OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
# Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
EXPERIMENTAL_CHECKS: "avoid-shadowing"
run: result/bin/codeowners-validator
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
# Request reviews from code owners
request:
name: Request
runs-on: ubuntu-24.04-arm
runs-on: ubuntu-24.04
if: github.repository_owner == 'NixOS'
steps:
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
# This is intentional, because we need to request the review of owners as declared in the base branch.
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: trusted
- name: Build review request package
run: nix-build trusted/ci -A requestReviews
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
- uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
id: app-token
with:
app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
permission-pull-requests: write
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: Build review request package
run: nix-build ci -A requestReviews
- name: Request reviews
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
- name: Log current API rate limits
if: steps.app-token.outputs.token
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq

65
.github/workflows/dismissed-review.yml vendored
View File

@@ -1,65 +0,0 @@
name: Dismissed review
on:
workflow_run:
workflows:
- Review dismissed
types: [completed]
concurrency:
group: dismissed-review-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
permissions:
pull-requests: write
defaults:
run:
shell: bash
jobs:
# The `check-cherry-picks` workflow creates review comments which reviewers
# are encouraged to manually dismiss if they're not relevant.
# When a CI-generated review is dismissed, this job automatically minimizes
# it, preventing it from cluttering the PR.
minimize:
name: Minimize as resolved
runs-on: ubuntu-24.04-arm
steps:
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
// PRs from forks don't have any PRs associated by default.
// Thus, we request the PR number with an API call *to* the fork's repo.
// Multiple pull requests can be open from the same head commit, either via
// different base branches or head branches.
const { head_repository, head_sha, repository } = context.payload.workflow_run
await Promise.all(
(await github.paginate(github.rest.repos.listPullRequestsAssociatedWithCommit, {
owner: head_repository.owner.login,
repo: head_repository.name,
commit_sha: head_sha
}))
.filter(pull_request => pull_request.base.repo.id == repository.id)
.map(async (pull_request) =>
Promise.all(
(await github.paginate(github.rest.pulls.listReviews, {
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pull_request.number
})).filter(review =>
review.user.login == 'github-actions[bot]' &&
review.state == 'DISMISSED'
).map(review => github.graphql(`
mutation($node_id:ID!) {
minimizeComment(input: {
classifier: RESOLVED,
subjectId: $node_id
})
{ clientMutationId }
}`,
{ node_id: review.node_id }
))
)
)
)

58
.github/workflows/edited.yml vendored
View File

@@ -1,58 +0,0 @@
# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
# Instead it causes an `edited` event.
# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
# There are already feature requests for adding a `base_changed` event:
# - https://github.com/orgs/community/discussions/35058
# - https://github.com/orgs/community/discussions/64119
#
# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
# This is much simpler and reliable than other approaches.
name: "Edited base branch"
on:
pull_request_target:
types: [edited]
concurrency:
group: edited-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
permissions: {}
defaults:
run:
shell: bash
jobs:
base:
name: Trigger jobs
runs-on: ubuntu-24.04
if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
steps:
# Use a GitHub App to create the PR so that CI gets triggered
# The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
# We only need Pull Requests: write here, but the app is also used for backports.
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
id: app-token
with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-pull-requests: write
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
function changeState(state) {
return github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.pull_request.number,
state
})
}
await changeState('closed')
await changeState('open')

47
.github/workflows/editorconfig-v2.yml vendored Normal file
View File

@@ -0,0 +1,47 @@
name: "Checking EditorConfig v2"
on:
pull_request_target:
permissions: {}
jobs:
get-merge-commit:
uses: ./.github/workflows/get-merge-commit.yml
tests:
name: editorconfig-check
runs-on: ubuntu-24.04
needs: get-merge-commit
if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- name: Get list of changed files from PR
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api \
repos/${{ github.repository }}/pulls/${{ github.event.number }}/files --paginate \
| jq '.[] | select(.status != "removed") | .filename' \
> "$HOME/changed_files"
- name: print list of changed files
run: |
cat "$HOME/changed_files"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
# nixpkgs commit is pinned so that it doesn't break
# editorconfig-checker 2.4.0
nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
- name: Checking EditorConfig
run: |
< "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'
- if: ${{ failure() }}
run: |
echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."

31
.github/workflows/eval-lib-tests.yml vendored Normal file
View File

@@ -0,0 +1,31 @@
name: "Building Nixpkgs lib-tests"
on:
pull_request_target:
paths:
- 'lib/**'
- 'maintainers/**'
permissions: {}
jobs:
get-merge-commit:
uses: ./.github/workflows/get-merge-commit.yml
nixpkgs-lib-tests:
name: nixpkgs-lib-tests
runs-on: ubuntu-24.04
needs: get-merge-commit
if: needs.get-merge-commit.outputs.mergedSha
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- name: Building Nixpkgs lib-tests
run: |
nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix

456
.github/workflows/eval.yml vendored
View File

@@ -1,52 +1,114 @@
name: Eval
on:
workflow_call:
inputs:
mergedSha:
required: true
type: string
targetSha:
type: string
systems:
required: true
type: string
secrets:
OWNER_APP_PRIVATE_KEY:
required: false
pull_request_target:
types: [opened, ready_for_review, synchronize, reopened]
push:
# Keep this synced with ci/request-reviews/dev-branches.txt
branches:
- master
- staging
- release-*
- staging-*
- haskell-updates
- python-updates
permissions: {}
defaults:
run:
shell: bash
jobs:
eval:
runs-on: ubuntu-24.04-arm
get-merge-commit:
uses: ./.github/workflows/get-merge-commit.yml
attrs:
name: Attributes
runs-on: ubuntu-24.04
needs: get-merge-commit
if: needs.get-merge-commit.outputs.mergedSha
outputs:
targetSha: ${{ steps.targetSha.outputs.targetSha }}
systems: ${{ steps.systems.outputs.systems }}
steps:
- name: Check out the PR at the test merge commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
fetch-depth: 2
path: nixpkgs
- name: Determine target commit
if: github.event_name == 'pull_request_target'
id: targetSha
run: |
targetSha=$(git -C nixpkgs rev-parse HEAD^1)
echo "targetSha=$targetSha" >> "$GITHUB_OUTPUT"
- name: Install Nix
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- name: Evaluate the list of all attributes and get the systems matrix
id: systems
run: |
nix-build nixpkgs/ci -A eval.attrpathsSuperset
echo "systems=$(<result/systems.json)" >> "$GITHUB_OUTPUT"
- name: Upload the list of all attributes
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: paths
path: result/*
eval-aliases:
name: Eval nixpkgs with aliases enabled
runs-on: ubuntu-24.04
needs: [ get-merge-commit ]
steps:
- name: Check out the PR at the test merge commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
path: nixpkgs
- name: Install Nix
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- name: Query nixpkgs with aliases enabled to check for basic syntax errors
run: |
time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
outpaths:
name: Outpaths
runs-on: ubuntu-24.04
needs: [ attrs, get-merge-commit ]
strategy:
fail-fast: false
matrix:
system: ${{ fromJSON(inputs.systems) }}
name: ${{ matrix.system }}
outputs:
targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
system: ${{ fromJSON(needs.attrs.outputs.systems) }}
steps:
- name: Enable swap
run: |
sudo fallocate -l 10G /swap
sudo chmod 600 /swap
sudo mkswap /swap
sudo swapon /swap
sudo fallocate -l 10G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
- name: Download the list of all attributes
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: paths
path: paths
- name: Check out the PR at the test merge commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.mergedSha }}
path: untrusted
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
path: nixpkgs
- name: Install Nix
uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
@@ -54,202 +116,224 @@ jobs:
env:
MATRIX_SYSTEM: ${{ matrix.system }}
run: |
nix-build untrusted/ci -A eval.singleSystem \
nix-build nixpkgs/ci -A eval.singleSystem \
--argstr evalSystem "$MATRIX_SYSTEM" \
--arg chunkSize 10000 \
--out-link merged
--arg attrpathFile ./paths/paths.json \
--arg chunkSize 10000
# If it uses too much memory, slightly decrease chunkSize
- name: Upload the output paths and eval stats
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: merged-${{ matrix.system }}
path: merged/*
name: intermediate-${{ matrix.system }}
path: result/*
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- name: Get target run id
if: inputs.targetSha
id: targetRunId
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
MATRIX_SYSTEM: ${{ matrix.system }}
TARGET_SHA: ${{ inputs.targetSha }}
with:
script: |
const system = process.env.MATRIX_SYSTEM
const targetSha = process.env.TARGET_SHA
let run_id
try {
run_id = (await github.rest.actions.listWorkflowRuns({
...context.repo,
workflow_id: 'push.yml',
event: 'push',
head_sha: targetSha
})).data.workflow_runs[0].id
} catch {
throw new Error(`Could not find a push.yml workflow run for ${targetSha}.`)
}
// Waiting 120 * 5 sec = 10 min. max.
// Eval takes max 5-6 minutes, normally.
for (let i = 0; i < 120; i++) {
const result = await github.rest.actions.listWorkflowRunArtifacts({
...context.repo,
run_id,
name: `merged-${system}`
})
if (result.data.total_count > 0) {
core.setOutput('targetRunId', run_id)
return
}
await new Promise(resolve => setTimeout(resolve, 5000))
}
// No artifact found at this stage. This usually means that Eval failed on the target branch.
// This should only happen when Eval is broken on the target branch and this PR fixes it.
// Continue without targetRunId to skip the remaining steps, but pass the job.
- name: Log current API rate limits
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- uses: actions/download-artifact@v4
if: steps.targetRunId.outputs.targetRunId
with:
run-id: ${{ steps.targetRunId.outputs.targetRunId }}
name: merged-${{ matrix.system }}
path: target
github-token: ${{ github.token }}
merge-multiple: true
- name: Compare outpaths against the target branch
if: steps.targetRunId.outputs.targetRunId
env:
MATRIX_SYSTEM: ${{ matrix.system }}
run: |
nix-build untrusted/ci -A eval.diff \
--arg beforeDir ./target \
--arg afterDir "$(readlink ./merged)" \
--argstr evalSystem "$MATRIX_SYSTEM" \
--out-link diff
- name: Upload outpaths diff and stats
if: steps.targetRunId.outputs.targetRunId
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: diff-${{ matrix.system }}
path: diff/*
compare:
runs-on: ubuntu-24.04-arm
needs: [eval]
if: needs.eval.outputs.targetRunId
permissions:
statuses: write
process:
name: Process
runs-on: ubuntu-24.04
needs: [ outpaths, attrs, get-merge-commit ]
outputs:
targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
steps:
- name: Download output paths and eval stats for all systems
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: diff-*
path: diff
merge-multiple: true
pattern: intermediate-*
path: intermediate
- name: Check out the PR at the target commit
- name: Check out the PR at the test merge commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ inputs.targetSha }}
path: trusted
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
fetch-depth: 2
path: nixpkgs
- name: Install Nix
uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- name: Combine all output paths and eval stats
run: |
nix-build trusted/ci -A eval.combine \
--arg diffDir ./diff \
--out-link combined
nix-build nixpkgs/ci -A eval.combine \
--arg resultsDir ./intermediate \
-o prResult
- name: Upload the combined results
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: result
path: prResult/*
- name: Get target run id
if: needs.attrs.outputs.targetSha
id: targetRunId
run: |
# Get the latest eval.yml workflow run for the PR's target commit
if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
-f head_sha="$TARGET_SHA" -f event=push \
--jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \
|| [[ -z "$run" ]]; then
echo "Could not find an eval.yml workflow run for $TARGET_SHA, cannot make comparison"
exit 1
fi
echo "Comparing against $(jq .html_url <<< "$run")"
runId=$(jq .id <<< "$run")
conclusion=$(jq -r .conclusion <<< "$run")
while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
echo "Workflow not done, waiting 10 seconds before checking again"
sleep 10
conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
done
if [[ "$conclusion" != "success" ]]; then
echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
exit 1
fi
echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
env:
REPOSITORY: ${{ github.repository }}
TARGET_SHA: ${{ needs.attrs.outputs.targetSha }}
GH_TOKEN: ${{ github.token }}
- uses: actions/download-artifact@v4
if: steps.targetRunId.outputs.targetRunId
with:
name: result
path: targetResult
github-token: ${{ github.token }}
run-id: ${{ steps.targetRunId.outputs.targetRunId }}
- name: Compare against the target branch
env:
AUTHOR_ID: ${{ github.event.pull_request.user.id }}
if: steps.targetRunId.outputs.targetRunId
run: |
git -C trusted fetch --depth 1 origin ${{ inputs.mergedSha }}
git -C trusted diff --name-only ${{ inputs.mergedSha }} \
git -C nixpkgs worktree add ../target ${{ needs.attrs.outputs.targetSha }}
git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.targetSha }} \
| jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
# Use the target branch to get accurate maintainer info
nix-build trusted/ci -A eval.compare \
--arg combinedDir "$(realpath ./combined)" \
nix-build target/ci -A eval.compare \
--arg beforeResultDir ./targetResult \
--arg afterResultDir ./prResult \
--arg touchedFilesJson ./touched-files.json \
--argstr githubAuthorId "$AUTHOR_ID" \
--out-link comparison
-o comparison
cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
- name: Upload the comparison results
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- name: Upload the combined results
if: steps.targetRunId.outputs.targetRunId
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: comparison
path: comparison/*
- name: Add eval summary to commit statuses
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const { readFile } = require('node:fs/promises')
const changed = JSON.parse(await readFile('comparison/changed-paths.json', 'utf-8'))
const description =
'Package: ' + [
`added ${changed.attrdiff.added.length}`,
`removed ${changed.attrdiff.removed.length}`,
`changed ${changed.attrdiff.changed.length}`
].join(', ') +
' — Rebuild: ' + [
`linux ${changed.rebuildCountByKernel.linux}`,
`darwin ${changed.rebuildCountByKernel.darwin}`
].join(', ')
const { serverUrl, repo, runId, payload } = context
const target_url =
`${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
await github.rest.repos.createCommitStatus({
...repo,
sha: payload.pull_request.head.sha,
context: 'Eval Summary',
state: 'success',
description,
target_url
})
misc:
if: ${{ github.event_name != 'push' }}
runs-on: ubuntu-24.04-arm
# Separate job to have a very tightly scoped PR write token
tag:
name: Tag
runs-on: ubuntu-24.04
needs: [ attrs, process ]
if: needs.process.outputs.targetRunId
permissions:
pull-requests: write
statuses: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# See ./codeowners-v2.yml, reuse the same App because we need the same permissions
# Can't use the token received from permissions above, because it can't get enough permissions
- uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
id: app-token
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
- name: Download process result
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
merged-as-untrusted: true
name: comparison
path: comparison
- name: Install Nix
uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
# Important: This workflow job runs with extra permissions,
# so we need to make sure to not run untrusted code from PRs
- name: Check out Nixpkgs at the base commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
extra_nix_config: sandbox = true
ref: ${{ needs.attrs.outputs.targetSha }}
path: base
sparse-checkout: ci
- name: Ensure flake outputs on all systems still evaluate
run: nix flake check --all-systems --no-build ./untrusted
- name: Build the requestReviews derivation
run: nix-build base/ci -A requestReviews
- name: Query nixpkgs with aliases enabled to check for basic syntax errors
- name: Labelling pull request
run: |
time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
# Get all currently set rebuild labels
gh api \
/repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
--jq '.[].name | select(startswith("10.rebuild"))' \
| sort > before
# And the labels that should be there
jq -r '.labels[]' comparison/changed-paths.json \
| sort > after
# Remove the ones not needed anymore
while read -r toRemove; do
echo "Removing label $toRemove"
gh api \
--method DELETE \
/repos/"$REPOSITORY"/issues/"$NUMBER"/labels/"$toRemove"
done < <(comm -23 before after)
# And add the ones that aren't set already
while read -r toAdd; do
echo "Adding label $toAdd"
gh api \
--method POST \
/repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-f "labels[]=$toAdd"
done < <(comm -13 before after)
env:
GH_TOKEN: ${{ github.token }}
REPOSITORY: ${{ github.repository }}
NUMBER: ${{ github.event.number }}
- name: Add eval summary to commit statuses
if: ${{ github.event_name == 'pull_request_target' }}
run: |
description=$(jq -r '
"Package: added " + (.attrdiff.added | length | tostring) +
", removed " + (.attrdiff.removed | length | tostring) +
", changed " + (.attrdiff.changed | length | tostring) +
", Rebuild: linux " + (.rebuildCountByKernel.linux | tostring) +
", darwin " + (.rebuildCountByKernel.darwin | tostring)
' <comparison/changed-paths.json)
target_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID?pr=$NUMBER"
gh api --method POST \
-H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
-f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
env:
GH_TOKEN: ${{ github.token }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
NUMBER: ${{ github.event.number }}
- name: Requesting maintainer reviews
run: |
# maintainers.json contains GitHub IDs. Look up handles to request reviews from.
# There appears to be no API to request reviews based on GitHub IDs
jq -r 'keys[]' comparison/maintainers.json \
| while read -r id; do gh api /user/"$id" --jq .login; done \
| GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
env:
GH_TOKEN: ${{ github.token }}
REPOSITORY: ${{ github.repository }}
NUMBER: ${{ github.event.number }}
AUTHOR: ${{ github.event.pull_request.user.login }}
# Don't request reviewers on draft PRs
DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

43
.github/workflows/get-merge-commit.yml vendored Normal file
View File

@@ -0,0 +1,43 @@
name: Get merge commit
on:
workflow_call:
outputs:
mergedSha:
description: "The merge commit SHA"
value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
permissions: {}
jobs:
resolve-merge-commit:
runs-on: ubuntu-24.04
outputs:
mergedSha: ${{ steps.merged.outputs.mergedSha }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: base
sparse-checkout: ci
- name: Check if the PR can be merged and get the test merge commit
id: merged
env:
GH_TOKEN: ${{ github.token }}
GH_EVENT: ${{ github.event_name }}
run: |
case "$GH_EVENT" in
push)
echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
;;
pull_request_target)
if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
echo "Checking the merge commit $mergedSha"
echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT"
else
# Skipping so that no notifications are sent
echo "Skipping the rest..."
fi
;;
esac
rm -rf base

109
.github/workflows/labels.yml vendored
View File

@@ -3,118 +3,29 @@
# access to the GitHub API. This means that it should not evaluate user input in
# a way that allows code injection.
name: Labels
name: "Label PR"
on:
schedule:
- cron: '07,17,27,37,47,57 * * * *'
workflow_call:
inputs:
headBranch:
required: true
type: string
secrets:
NIXPKGS_CI_APP_PRIVATE_KEY:
required: true
workflow_dispatch:
pull_request_target:
types: [edited, opened, synchronize, reopened]
concurrency:
# This explicitly avoids using `run_id` for the concurrency key to make sure that only
# *one* scheduled run can run at a time.
group: labels-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number }}
# PR-triggered runs will be cancelled, but scheduled runs will be queued.
cancel-in-progress: ${{ github.event_name != 'schedule' }}
# This is used as fallback without app only.
# This happens when testing in forks without setting up that app.
permissions:
issues: write
contents: read
pull-requests: write
defaults:
run:
shell: bash
jobs:
update:
runs-on: ubuntu-24.04-arm
if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
labels:
name: label-pr
runs-on: ubuntu-24.04
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: |
ci/github-script
- name: Install dependencies
run: npm install @actions/artifact bottleneck
# Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
if: vars.NIXPKGS_CI_APP_ID
id: app-token
with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-issues: write
permission-pull-requests: write
- name: Log current API rate limits
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: gh api /rate_limit | jq
- name: Labels from API data and Eval results
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ steps.app-token.outputs.token || github.token }}
retries: 3
script: |
require('./ci/github-script/labels.js')({
github,
context,
core,
dry: context.eventName == 'pull_request'
})
- name: Log current API rate limits
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: gh api /rate_limit | jq
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
name: Labels from touched files
if: |
github.event_name == 'pull_request_target' &&
!contains(fromJSON(inputs.headBranch).type, 'development')
with:
repo-token: ${{ steps.app-token.outputs.token }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/labeler.yml # default
sync-labels: true
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
name: Labels from touched files (no sync)
if: |
github.event_name == 'pull_request_target' &&
!contains(fromJSON(inputs.headBranch).type, 'development')
with:
repo-token: ${{ steps.app-token.outputs.token }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/labeler-no-sync.yml
sync-labels: false
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
name: Labels from touched files (development branches)
# Development branches like staging-next, haskell-updates and python-updates get special labels.
# This is to avoid the mass of labels there, which is mostly useless - and really annoying for
# the backport labels.
if: |
github.event_name == 'pull_request_target' &&
contains(fromJSON(inputs.headBranch).type, 'development')
with:
repo-token: ${{ steps.app-token.outputs.token }}
configuration-path: .github/labeler-development-branches.yml
sync-labels: true
- name: Log current API rate limits
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: gh api /rate_limit | jq

7
.github/workflows/lint-actions.sh vendored Executable file
View File

@@ -0,0 +1,7 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash actionlint shellcheck -I nixpkgs=../..
set -euo pipefail
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
cd "$SCRIPT_DIR/../.."
actionlint

105
.github/workflows/lint.yml vendored
View File

@@ -1,105 +0,0 @@
name: Lint
on:
workflow_call:
inputs:
mergedSha:
required: true
type: string
targetSha:
required: true
type: string
permissions: {}
defaults:
run:
shell: bash
jobs:
treefmt:
runs-on: ubuntu-24.04-arm
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
with:
extra_nix_config: sandbox = true
- name: Check that files are formatted
run: |
# Note that it's fine to run this on untrusted code because:
# - There's no secrets accessible here
# - The build is sandboxed
if ! nix-build untrusted/ci -A fmt.check; then
echo "Some files are not properly formatted"
echo "Please format them by going to the Nixpkgs root directory and running one of:"
echo " nix-shell --run treefmt"
echo " nix develop --command treefmt"
echo " nix fmt"
echo "Make sure your branch is up to date with master; rebase if not."
echo "If you're having trouble, please ping @NixOS/nix-formatting"
exit 1
fi
parse:
runs-on: ubuntu-24.04-arm
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
with:
extra_nix_config: sandbox = true
- name: Parse all nix files
run: |
# Tests multiple versions at once, let's make sure all of them run, so keep-going.
nix-build untrusted/ci -A parse --keep-going
nixpkgs-vet:
runs-on: ubuntu-24.04-arm
# This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
timeout-minutes: 10
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: .github/actions
- name: Check if the PR can be merged and checkout merged and target commits
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
targetSha: ${{ inputs.targetSha }}
target-as-trusted: true
- uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
with:
extra_nix_config: sandbox = true
- name: Running nixpkgs-vet
env:
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
CLICOLOR_FORCE: 1
run: |
if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
exit 0
else
exitCode=$?
echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
exit "$exitCode"
fi

33
.github/workflows/manual-nixos-v2.yml vendored Normal file
View File

@@ -0,0 +1,33 @@
name: "Build NixOS manual v2"
on:
pull_request_target:
branches:
- master
paths:
- 'nixos/**'
permissions: {}
jobs:
nixos:
name: nixos-manual-build
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
if: github.repository_owner == 'NixOS'
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Building NixOS manual
run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

35
.github/workflows/manual-nixpkgs-v2.yml vendored Normal file
View File

@@ -0,0 +1,35 @@
name: "Build Nixpkgs manual v2"
on:
pull_request_target:
branches:
- master
paths:
- 'doc/**'
- 'lib/**'
- 'pkgs/tools/nix/nixdoc/**'
permissions: {}
jobs:
nixpkgs:
name: nixpkgs-manual-build
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
if: github.repository_owner == 'NixOS'
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Building Nixpkgs manual
run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests

47
.github/workflows/nix-parse-v2.yml vendored Normal file
View File

@@ -0,0 +1,47 @@
name: "Check whether nix files are parseable v2"
on:
pull_request_target:
permissions: {}
jobs:
get-merge-commit:
uses: ./.github/workflows/get-merge-commit.yml
tests:
name: nix-files-parseable-check
runs-on: ubuntu-24.04
needs: get-merge-commit
if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- name: Get list of changed files from PR
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api \
repos/${{ github.repository }}/pulls/${{github.event.number}}/files --paginate \
| jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
> "$HOME/changed_files"
if [[ -s "$HOME/changed_files" ]]; then
echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
fi
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
extra_nix_config: sandbox = true
nix_path: nixpkgs=channel:nixpkgs-unstable
- name: Parse all changed or added nix files
run: |
ret=0
while IFS= read -r file; do
out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
done < "$HOME/changed_files"
exit "$ret"
if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}

73
.github/workflows/nixpkgs-vet.yml vendored Normal file
View File

@@ -0,0 +1,73 @@
# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more.
# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
name: Vet nixpkgs
on:
pull_request_target:
# This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
# Instead it causes an `edited` event, so we need to add it explicitly here.
# While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
# There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
types: [opened, synchronize, reopened, edited]
permissions: {}
# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.
# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
jobs:
get-merge-commit:
uses: ./.github/workflows/get-merge-commit.yml
check:
name: nixpkgs-vet
# This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
runs-on: ubuntu-24.04
# This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
timeout-minutes: 10
needs: get-merge-commit
if: needs.get-merge-commit.outputs.mergedSha
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
# Fetches the merge commit and its parents
fetch-depth: 2
- name: Checking out target branch
run: |
target=$(mktemp -d)
git worktree add "$target" "$(git rev-parse HEAD^1)"
echo "target=$target" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
- name: Fetching the pinned tool
# Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
run: |
# The pinned version of the tooling to use.
toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
# Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
| gzip -cd | nix-store --import | tail -1)
# Adds a result symlink as a GC root.
nix-store --realise "$toolPath" --add-root result
- name: Running nixpkgs-vet
env:
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
CLICOLOR_FORCE: 1
run: |
if result/bin/nixpkgs-vet --base "$target" .; then
exit 0
else
exitCode=$?
echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
exit "$exitCode"
fi

25
.github/workflows/no-channel.yml vendored Normal file
View File

@@ -0,0 +1,25 @@
name: "No channel PR"
on:
pull_request_target:
# Re-run should be triggered when the base branch is updated, instead of silently failing
types: [opened, synchronize, reopened, edited]
branches:
- 'nixos-**'
- 'nixpkgs-**'
permissions: {}
jobs:
fail:
name: "This PR is is targeting a channel branch"
runs-on: ubuntu-24.04
steps:
- run: |
cat <<EOF
The nixos-* and nixpkgs-* branches are pushed to by the channel
release script and should not be merged into directly.
Please target the equivalent release-* branch or master instead.
EOF
exit 1

18
.github/workflows/periodic-merge-24h.yml vendored
View File

@@ -11,15 +11,11 @@ on:
schedule:
# * is a special character in YAML so you have to quote this string
# Merge every 24 hours
- cron: '0 0 * * *'
- cron: '0 0 * * *'
workflow_dispatch:
permissions: {}
defaults:
run:
shell: bash
jobs:
periodic-merge:
if: github.repository_owner == 'NixOS'
@@ -31,16 +27,14 @@ jobs:
max-parallel: 1
matrix:
pairs:
- from: release-25.05
into: staging-next-25.05
- from: staging-next-25.05
into: staging-25.05
- name: merge-base(master,staging) → haskell-updates
from: master staging
- from: release-24.11
into: staging-next-24.11
- from: staging-next-24.11
into: staging-24.11
- from: master staging
into: haskell-updates
uses: ./.github/workflows/periodic-merge.yml
with:
from: ${{ matrix.pairs.from }}
into: ${{ matrix.pairs.into }}
name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
secrets: inherit

7
.github/workflows/periodic-merge-6h.yml vendored
View File

@@ -11,15 +11,11 @@ on:
schedule:
# * is a special character in YAML so you have to quote this string
# Merge every 6 hours
- cron: '0 */6 * * *'
- cron: '0 */6 * * *'
workflow_dispatch:
permissions: {}
defaults:
run:
shell: bash
jobs:
periodic-merge:
if: github.repository_owner == 'NixOS'
@@ -39,5 +35,4 @@ jobs:
with:
from: ${{ matrix.pairs.from }}
into: ${{ matrix.pairs.into }}
name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
secrets: inherit

11
.github/workflows/periodic-merge.yml vendored
View File

@@ -12,23 +12,18 @@ on:
required: true
type: string
defaults:
run:
shell: bash
jobs:
merge:
runs-on: ubuntu-24.04-arm
runs-on: ubuntu-24.04
name: ${{ inputs.from }} → ${{ inputs.into }}
steps:
# Use a GitHub App to create the PR so that CI gets triggered
# The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
- uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
id: app-token
with:
app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: write
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

149
.github/workflows/pr.yml vendored
View File

@@ -1,149 +0,0 @@
name: PR
on:
pull_request:
paths:
- .github/workflows/build.yml
- .github/workflows/check.yml
- .github/workflows/eval.yml
- .github/workflows/lint.yml
- .github/workflows/pr.yml
- .github/workflows/labels.yml
- .github/workflows/reviewers.yml # needs eval results from the same event type
pull_request_target:
concurrency:
group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
permissions: {}
jobs:
prepare:
runs-on: ubuntu-24.04-arm
outputs:
baseBranch: ${{ steps.branches.outputs.base }}
headBranch: ${{ steps.branches.outputs.head }}
mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
systems: ${{ steps.systems.outputs.systems }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: |
.github/actions
ci/supportedBranches.js
ci/supportedSystems.json
- name: Check if the PR can be merged and get the test merge commit
uses: ./.github/actions/get-merge-commit
id: get-merge-commit
- name: Load supported systems
id: systems
run: |
echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
- name: Determine branch type
id: branches
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const { classify } = require('./ci/supportedBranches.js')
const { base, head } = context.payload.pull_request
const baseClassification = classify(base.ref)
core.setOutput('base', baseClassification)
core.info('base classification:', baseClassification)
const headClassification =
(base.repo.full_name == head.repo.full_name) ?
classify(head.ref) :
// PRs from forks are always considered WIP.
{ type: ['wip'] }
core.setOutput('head', headClassification)
core.info('head classification:', headClassification)
check:
name: Check
needs: [prepare]
uses: ./.github/workflows/check.yml
permissions:
# cherry-picks
pull-requests: write
with:
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
headBranch: ${{ needs.prepare.outputs.headBranch }}
lint:
name: Lint
needs: [prepare]
uses: ./.github/workflows/lint.yml
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
eval:
name: Eval
needs: [prepare]
uses: ./.github/workflows/eval.yml
permissions:
# compare
statuses: write
secrets:
OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
systems: ${{ needs.prepare.outputs.systems }}
labels:
name: Labels
needs: [prepare, eval]
uses: ./.github/workflows/labels.yml
permissions:
issues: write
pull-requests: write
secrets:
NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
with:
headBranch: ${{ needs.prepare.outputs.headBranch }}
reviewers:
name: Reviewers
needs: [prepare, eval]
if: |
needs.prepare.outputs.targetSha &&
!contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
uses: ./.github/workflows/reviewers.yml
secrets:
OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
build:
name: Build
needs: [prepare]
uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with:
baseBranch: ${{ needs.prepare.outputs.baseBranch }}
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
# This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
# It "needs" all the jobs that should block merging a PR.
# If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
# However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
no-pr-failures:
# Modify this list to add or remove jobs from required status checks.
needs:
- check
- lint
- eval
- build
# WARNING:
# Do NOT change the name of this job, otherwise the rule will not catch it anymore.
# This would prevent all PRs from merging.
name: no PR failures
if: ${{ failure() }}
runs-on: ubuntu-24.04-arm
steps:
- run: exit 1

48
.github/workflows/push.yml vendored
View File

@@ -1,48 +0,0 @@
name: Push
on:
pull_request:
paths:
- .github/workflows/push.yml
# eval is tested via pr.yml
push:
# Keep this synced with ci/request-reviews/dev-branches.txt
branches:
- master
- staging
- release-*
- staging-*
- haskell-updates
- python-updates
permissions: {}
jobs:
prepare:
runs-on: ubuntu-24.04-arm
outputs:
systems: ${{ steps.systems.outputs.systems }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: |
ci/supportedSystems.json
- name: Load supported systems
id: systems
run: |
echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
eval:
name: Eval
needs: [prepare]
uses: ./.github/workflows/eval.yml
# Those are not actually used on push, but will throw an error if not set.
permissions:
# compare
issues: write
pull-requests: write
statuses: write
with:
mergedSha: ${{ github.sha }}
systems: ${{ needs.prepare.outputs.systems }}

17
.github/workflows/review-dismissed.yml vendored
View File

@@ -1,17 +0,0 @@
name: Review dismissed
on:
pull_request_review:
types: [dismissed]
permissions: {}
defaults:
run:
shell: bash
jobs:
trigger:
runs-on: ubuntu-24.04-arm
steps:
- run: echo This is a no-op only used as a trigger for workflow_run.

144
.github/workflows/reviewers.yml vendored
View File

@@ -1,144 +0,0 @@
# This workflow will request reviews from the maintainers of each package
# listed in the PR's most recent eval comparison artifact.
name: Reviewers
on:
pull_request:
paths:
- .github/workflows/reviewers.yml
pull_request_target:
types: [ready_for_review]
workflow_call:
secrets:
OWNER_APP_PRIVATE_KEY:
required: true
concurrency:
group: reviewers-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
permissions: {}
defaults:
run:
shell: bash
jobs:
request:
runs-on: ubuntu-24.04-arm
steps:
- name: Check out the PR at the base commit
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: trusted
sparse-checkout: ci
- name: Install Nix
uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
with:
extra_nix_config: sandbox = true
- name: Build the requestReviews derivation
run: nix-build trusted/ci -A requestReviews
# See ./codeowners-v2.yml, reuse the same App because we need the same permissions
# Can't use the token received from permissions above, because it can't get enough permissions
- uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
id: app-token
with:
app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
permission-administration: read
permission-members: read
permission-pull-requests: write
- name: Log current API rate limits (github.token)
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
# In the regular case, this workflow is called via workflow_call from the eval workflow directly.
# In the more special case, when a PR is undrafted an eval run will have started already.
- name: Wait for comparison to be done
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: eval
with:
script: |
const run_id = (await github.rest.actions.listWorkflowRuns({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: 'pr.yml',
event: context.eventName,
head_sha: context.payload.pull_request.head.sha
})).data.workflow_runs[0].id
core.setOutput('run-id', run_id)
// Waiting 120 * 5 sec = 10 min. max.
// The extreme case is an Eval run that just started when the PR is undrafted.
// Eval takes max 5-6 minutes, normally.
for (let i = 0; i < 120; i++) {
const result = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id,
name: 'comparison'
})
if (result.data.total_count > 0) return
await new Promise(resolve => setTimeout(resolve, 5000))
}
throw new Error("No comparison artifact found.")
- name: Log current API rate limits (github.token)
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- name: Download the comparison results
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
run-id: ${{ steps.eval.outputs.run-id }}
github-token: ${{ github.token }}
pattern: comparison
path: comparison
merge-multiple: true
- name: Log current API rate limits (app-token)
if: ${{ steps.app-token.outputs.token }}
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: Log current API rate limits (github.token)
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq
- name: Requesting maintainer reviews
if: ${{ steps.app-token.outputs.token }}
env:
GH_TOKEN: ${{ github.token }}
REPOSITORY: ${{ github.repository }}
NUMBER: ${{ github.event.number }}
AUTHOR: ${{ github.event.pull_request.user.login }}
# Don't request reviewers on draft PRs
DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
run: |
# maintainers.json contains GitHub IDs. Look up handles to request reviews from.
# There appears to be no API to request reviews based on GitHub IDs
jq -r 'keys[]' comparison/maintainers.json \
| while read -r id; do gh api /user/"$id" --jq .login; done \
| GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
- name: Log current API rate limits (app-token)
if: ${{ steps.app-token.outputs.token }}
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh api /rate_limit | jq
- name: Log current API rate limits (github.token)
env:
GH_TOKEN: ${{ github.token }}
run: gh api /rate_limit | jq

3
.gitignore vendored
View File

@@ -37,6 +37,3 @@ update-git-commits.txt
# JetBrains IDEA module declaration file
/nixpkgs.iml
# Usually used for manual backports
.worktree/

3
.mailmap
View File

@@ -5,7 +5,6 @@ Christina Sørensen <christina@cafkafk.com>
Christina Sørensen <christina@cafkafk.com> <christinaafk@gmail.com>
Christina Sørensen <christina@cafkafk.com> <89321978+cafkafk@users.noreply.github.com>
Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
Ethan Carter Edwards <ethan@ethancedwards.com> Ethan Edwards <ethancarteredwards@gmail.com>
Fabian Affolter <mail@fabian-affolter.ch> <fabian@affolter-engineering.ch>
Fiona Behrens <me@kloenk.dev>
Fiona Behrens <me@kloenk.dev> <me@kloenk.de>
@@ -27,7 +26,5 @@ superherointj <5861043+superherointj@users.noreply.github.com>
Tomodachi94 <tomodachi94@protonmail.com> Tomo <68489118+Tomodachi94@users.noreply.github.com>
Vladimír Čunát <v@cunat.cz> <vcunat@gmail.com>
Vladimír Čunát <v@cunat.cz> <vladimir.cunat@nic.cz>
Yifei Sun <ysun@hey.com>
Yifei Sun <ysun@hey.com> StepBroBD <ysun@hey.com>
Yifei Sun <ysun@hey.com> StepBroBD <Hi@StepBroBD.com>
Yifei Sun <ysun@hey.com> <ysun+git@stepbrobd.com>

21
.mergify.yml Normal file
View File

@@ -0,0 +1,21 @@
queue_rules:
# This rule is for https://docs.mergify.com/commands/queue/
# and can be triggered with: @mergifyio queue
- name: default
merge_conditions:
# all github action checks in this list are required to merge a pull request
- check-success=Attributes
- check-success=Check
- check-success=Outpaths (aarch64-darwin)
- check-success=Outpaths (aarch64-linux)
- check-success=Outpaths (x86_64-darwin)
- check-success=Outpaths (x86_64-linux)
- check-success=Process
- check-success=Request
- check-success=editorconfig-check
- check-success=label-pr
- check-success=nix-files-parseable-check
- check-success=nixfmt-check
- check-success=nixpkgs-vet
# queue up to 5 pull requests at a time
batch_size: 5

608
CONTRIBUTING.md
View File

File diff suppressed because it is too large Load Diff

66
README.md
View File

@@ -1,9 +1,9 @@
<p align="center">
<a href="https://nixos.org">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
<img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg" width="500px" alt="NixOS logo">
<img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="500px" alt="NixOS logo">
</picture>
</a>
</p>
@@ -13,8 +13,10 @@
<a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a>
</p>
[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 120,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over
100,000 software packages that can be installed with the
[Nix](https://nixos.org/nix/) package manager. It also implements
[NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
# Manuals
@@ -25,15 +27,16 @@ It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux
# Community
* [Discourse Forum](https://discourse.nixos.org/)
* [Matrix Chat](https://matrix.to/#/#space:nixos.org)
* [Matrix Chat](https://matrix.to/#/#community:nixos.org)
* [NixOS Weekly](https://weekly.nixos.org/)
* [Official wiki](https://wiki.nixos.org/)
* [Community-maintained list of ways to get in touch](https://wiki.nixos.org/wiki/Get_In_Touch#Chat) (Discord, Telegram, IRC, etc.)
# Other Project Repositories
The sources of all official Nix-related projects are in the [NixOS organization on GitHub](https://github.com/NixOS/).
Here are some of the main ones:
The sources of all official Nix-related projects are in the [NixOS
organization on GitHub](https://github.com/NixOS/). Here are some of
the main ones:
* [Nix](https://github.com/NixOS/nix) - the purely functional package manager
* [NixOps](https://github.com/NixOS/nixops) - the tool to remotely deploy NixOS machines
@@ -45,33 +48,44 @@ Here are some of the main ones:
# Continuous Integration and Distribution
Nixpkgs and NixOS are built and tested by our continuous integration system, [Hydra](https://hydra.nixos.org/).
Nixpkgs and NixOS are built and tested by our continuous integration
system, [Hydra](https://hydra.nixos.org/).
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for the NixOS 25.05 release](https://hydra.nixos.org/jobset/nixos/release-25.05)
* [Continuous package builds for the NixOS 24.11 release](https://hydra.nixos.org/jobset/nixos/release-24.11)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for the NixOS 25.05 release](https://hydra.nixos.org/job/nixos/release-25.05/tested#tabs-constituents)
* [Tests for the NixOS 24.11 release](https://hydra.nixos.org/job/nixos/release-24.11/tested#tabs-constituents)
Artifacts successfully built with Hydra are published to cache at https://cache.nixos.org/.
When successful build and test criteria are met, the Nixpkgs expressions are distributed via [Nix channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
Artifacts successfully built with Hydra are published to cache at
https://cache.nixos.org/. When successful build and test criteria are
met, the Nixpkgs expressions are distributed via [Nix
channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
# Contributing
Nixpkgs is among the most active projects on GitHub.
While thousands of open issues and pull requests might seem a lot at first, it helps consider it in the context of the scope of the project.
Nixpkgs describes how to build tens of thousands of pieces of software and implements a Linux distribution.
The [GitHub Insights](https://github.com/NixOS/nixpkgs/pulse) page gives a sense of the project activity.
Nixpkgs is among the most active projects on GitHub. While thousands
of open issues and pull requests might seem a lot at first, it helps
consider it in the context of the scope of the project. Nixpkgs
describes how to build tens of thousands of pieces of software and implements a
Linux distribution. The [GitHub Insights](https://github.com/NixOS/nixpkgs/pulse)
page gives a sense of the project activity.
Community contributions are always welcome through GitHub Issues and Pull Requests.
Community contributions are always welcome through GitHub Issues and
Pull Requests.
For more information about contributing to the project, please visit the [contributing page](CONTRIBUTING.md).
For more information about contributing to the project, please visit
the [contributing page](CONTRIBUTING.md).
# Donations
The infrastructure for NixOS and related projects is maintained by a nonprofit organization, the [NixOS Foundation](https://nixos.org/nixos/foundation.html).
To ensure the continuity and expansion of the NixOS infrastructure, we are looking for donations to our organization.
The infrastructure for NixOS and related projects is maintained by a
nonprofit organization, the [NixOS
Foundation](https://nixos.org/nixos/foundation.html). To ensure the
continuity and expansion of the NixOS infrastructure, we are looking
for donations to our organization.
You can donate to the NixOS foundation through [SEPA bank transfers](https://nixos.org/donate.html) or by using Open Collective:
You can donate to the NixOS foundation through [SEPA bank
transfers](https://nixos.org/donate.html) or by using Open Collective:
<a href="https://opencollective.com/nixos#support"><img src="https://opencollective.com/nixos/tiers/supporter.svg?width=890" /></a>
@@ -79,7 +93,9 @@ You can donate to the NixOS foundation through [SEPA bank transfers](https://nix
Nixpkgs is licensed under the [MIT License](COPYING).
Note:
MIT license does not apply to the packages built by Nixpkgs, merely to the files in this repository (the Nix expressions, build scripts, NixOS modules, etc.).
It also might not apply to patches included in Nixpkgs, which may be derivative works of the packages to which they apply.
The aforementioned artifacts are all covered by the licenses of the respective packages.
Note: MIT license does not apply to the packages built by Nixpkgs,
merely to the files in this repository (the Nix expressions, build
scripts, NixOS modules, etc.). It also might not apply to patches
included in Nixpkgs, which may be derivative works of the packages to
which they apply. The aforementioned artifacts are all covered by the
licenses of the respective packages.

129
ci/OWNERS
View File

@@ -15,9 +15,11 @@
# CI
/.github/*_TEMPLATE* @SigmaSquadron
/.github/actions @NixOS/nixpkgs-ci
/.github/workflows @NixOS/nixpkgs-ci
/ci @NixOS/nixpkgs-ci
/.github/workflows @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
/.github/workflows/check-nix-format.yml @infinisil @wolfgangwalther
/.github/workflows/codeowners-v2.yml @infinisil @wolfgangwalther
/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron @wolfgangwalther
/ci @infinisil @philiptaron @NixOS/Security @wolfgangwalther
/ci/OWNERS @infinisil @philiptaron
# Development support
@@ -25,26 +27,20 @@
/shell.nix @infinisil @NixOS/Security
# Libraries
/lib @infinisil @hsjobeki
/lib/generators.nix @infinisil @hsjobeki @Profpatsch
/lib/cli.nix @infinisil @hsjobeki @Profpatsch
/lib/debug.nix @infinisil @hsjobeki @Profpatsch
/lib/asserts.nix @infinisil @hsjobeki @Profpatsch
/lib/path/* @infinisil @hsjobeki
/lib/fileset @infinisil @hsjobeki
## Standard environmentrelated libraries
/lib/customisation.nix @alyssais @NixOS/stdenv
/lib/derivations.nix @alyssais @NixOS/stdenv
/lib/fetchers.nix @alyssais @NixOS/stdenv
/lib/meta.nix @alyssais @NixOS/stdenv
/lib/source-types.nix @alyssais @NixOS/stdenv
/lib/systems @alyssais @NixOS/stdenv
/lib @infinisil
/lib/systems @alyssais @ericson2314 @NixOS/stdenv
/lib/generators.nix @infinisil @Profpatsch
/lib/cli.nix @infinisil @Profpatsch
/lib/debug.nix @infinisil @Profpatsch
/lib/asserts.nix @infinisil @Profpatsch
/lib/path/* @infinisil
/lib/fileset @infinisil
## Libraries / Module system
/lib/modules.nix @infinisil @roberth @hsjobeki
/lib/types.nix @infinisil @roberth @hsjobeki
/lib/options.nix @infinisil @roberth @hsjobeki
/lib/tests/modules.sh @infinisil @roberth @hsjobeki
/lib/tests/modules @infinisil @roberth @hsjobeki
/lib/modules.nix @infinisil @roberth
/lib/types.nix @infinisil @roberth
/lib/options.nix @infinisil @roberth
/lib/tests/modules.sh @infinisil @roberth
/lib/tests/modules @infinisil @roberth
# Nixpkgs Internals
/default.nix @Ericson2314
@@ -62,7 +58,6 @@
/pkgs/build-support/cc-wrapper @Ericson2314
/pkgs/build-support/bintools-wrapper @Ericson2314
/pkgs/build-support/setup-hooks @Ericson2314
/pkgs/build-support/setup-hooks/arrayUtilities @ConnorBaker
/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
/pkgs/by-name/au/auto-patchelf @layus
@@ -134,10 +129,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
# Systemd-boot
/nixos/modules/system/boot/loader/systemd-boot @JulienMalka
# Limine
/nixos/modules/system/boot/loader/limine @lzcunt @phip1611 @programmerlexi @johnrtitor
/nixos/tests/limine @johnrtitor
# Images and installer media
/nixos/modules/profiles/installation-device.nix @ElvishJerricco
/nixos/modules/installer/cd-dvd/ @ElvishJerricco
@@ -155,13 +146,10 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix @philipmw
/nixos/tests/amazon-cloudwatch-agent.nix @philipmw
# Monitoring
/nixos/modules/services/monitoring/fluent-bit.nix @arianvp
/nixos/tests/fluent-bit.nix @arianvp
# nixos-rebuild-ng
/pkgs/by-name/ni/nixos-rebuild-ng @thiagokokada
# Updaters
## update.nix
/maintainers/scripts/update.nix @jtojnar
@@ -169,13 +157,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
## common-updater-scripts
/pkgs/common-updater/scripts/update-source-version @jtojnar
# Android tools, libraries, and environments
/pkgs/development/android* @NixOS/android
/pkgs/development/mobile/android* @NixOS/android
/pkgs/applications/editors/android-studio* @NixOS/android
/doc/languages-frameworks/android* @NixOS/android
/pkgs/by-name/an/android* @NixOS/android
# Python-related code and docs
/doc/languages-frameworks/python.section.md @mweinelt @natsukium
/maintainers/scripts/update-python-libraries @mweinelt @natsukium
@@ -184,19 +165,14 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/pkgs/top-level/python-packages.nix @natsukium
/pkgs/top-level/release-python.nix @natsukium
# CUDA
/pkgs/top-level/cuda-packages.nix @NixOS/cuda-maintainers
/pkgs/top-level/release-cuda.nix @NixOS/cuda-maintainers
/pkgs/development/cuda-modules @NixOS/cuda-maintainers
# Haskell
/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @wolfgangwalther
/maintainers/scripts/haskell @sternenseemann @maralorn @wolfgangwalther
/pkgs/development/compilers/ghc @sternenseemann @maralorn @wolfgangwalther
/pkgs/development/haskell-modules @sternenseemann @maralorn @wolfgangwalther
/pkgs/test/haskell @sternenseemann @maralorn @wolfgangwalther
/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn @wolfgangwalther
/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn @wolfgangwalther
/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn
/maintainers/scripts/haskell @sternenseemann @maralorn
/pkgs/development/compilers/ghc @sternenseemann @maralorn
/pkgs/development/haskell-modules @sternenseemann @maralorn
/pkgs/test/haskell @sternenseemann @maralorn
/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn
/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn
# Perl
/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
@@ -224,7 +200,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/pkgs/development/compilers/gcc
/pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
/pkgs/development/compilers/emscripten @raitobezarius
/doc/toolchains/llvm.chapter.md @alyssais @RossComputerGuy @NixOS/llvm
/doc/languages-frameworks/emscripten.section.md @raitobezarius
# Audio
@@ -234,13 +209,12 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/tests/snapcast.nix @mweinelt
# Browsers
/pkgs/applications/networking/browsers/librewolf @squalus @DominicWrege @fpletz @LordGrimmauld
/pkgs/applications/networking/browsers/firefox @mweinelt
/pkgs/applications/networking/browsers/chromium @emilylange @networkException
/nixos/tests/chromium.nix @emilylange @networkException
# Certificate Authorities
pkgs/by-name/ca/cacert @ajs124 @lukegb @mweinelt
pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
@@ -255,7 +229,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara
# Licenses
/lib/licenses.nix @alyssais @emilazy
/lib/licenses.nix @alyssais
# Qt
/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -271,7 +245,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
# PostgreSQL and related stuff
/pkgs/by-name/po/postgresqlTestHook @NixOS/postgres
/pkgs/by-name/ps/psqlodbc @NixOS/postgres
/pkgs/servers/sql/postgresql @NixOS/postgres
/pkgs/development/tools/rust/cargo-pgrx @NixOS/postgres
@@ -280,7 +253,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/nixos/tests/postgresql @NixOS/postgres
# MySQL/MariaDB and related stuff
/nixos/modules/services/databases/mysql.nix @6543
/nixos/modules/services/backup/mysql-backup.nix @6543
# Hardened profile & related modules
@@ -296,11 +268,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/nixos/tests/home-assistant.nix @mweinelt
/nixos/tests/zigbee2mqtt.nix @mweinelt
/pkgs/servers/home-assistant @mweinelt
/pkgs/by-name/es/esphome @mweinelt
# Linux kernel
/pkgs/top-level/linux-kernels.nix @NixOS/linux-kernel
/pkgs/os-specific/linux/kernel/ @NixOS/linux-kernel
/pkgs/tools/misc/esphome @mweinelt
# Network Time Daemons
/pkgs/by-name/ch/chrony @thoughtpolice
@@ -324,12 +292,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/servers/http/nginx/ @raitobezarius
/nixos/modules/services/web-servers/nginx/ @raitobezarius
# D
/pkgs/build-support/dlang @jtbx @TomaSajt
# Dhall
/pkgs/development/dhall-modules @Gabriella439 @Profpatsch
/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch
/pkgs/development/dhall-modules @Gabriella439 @Profpatsch @ehmry
/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
# Idris
/pkgs/development/idris-modules @Infinisil
@@ -354,9 +319,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
# Kakoune
/pkgs/applications/editors/kakoune @philiptaron
# LuaPackages
/pkgs/development/lua-modules @NixOS/lua
# Neovim
/pkgs/applications/editors/neovim @NixOS/neovim
@@ -403,6 +365,12 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
# Xfce
/doc/hooks/xfce4-dev-tools.section.md @NixOS/xfce
# nim
/doc/languages-frameworks/nim.section.md @ehmry
/pkgs/build-support/build-nim-package.nix @ehmry
/pkgs/build-support/build-nim-sbom.nix @ehmry
/pkgs/top-level/nim-overrides.nix @ehmry
# terraform providers
/pkgs/applications/networking/cluster/terraform-providers @zowoq
@@ -427,11 +395,6 @@ pkgs/by-name/fo/forgejo/ @adamcstephens @bendlas @emilylange
/pkgs/development/compilers/ocaml @ulrikstrid
/pkgs/development/ocaml-modules @ulrikstrid
# ZFS
/nixos/modules/tasks/filesystems/zfs.nix @adamcstephens @amarshall
/nixos/tests/zfs.nix @adamcstephens @amarshall
/pkgs/os-specific/linux/zfs @adamcstephens @amarshall
# Zig
/pkgs/development/compilers/zig @figsoda @RossComputerGuy
/doc/hooks/zig.section.md @figsoda @RossComputerGuy
@@ -479,21 +442,3 @@ pkgs/by-name/lx/lxc* @adamcstephens
/pkgs/by-name/ap/apple-sdk @NixOS/darwin-core
/pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
/pkgs/stdenv/darwin @NixOS/darwin-core
# BEAM
pkgs/development/beam-modules/ @NixOS/beam
pkgs/development/interpreters/erlang/ @NixOS/beam
pkgs/development/interpreters/elixir/ @NixOS/beam
pkgs/development/interpreters/lfe/ @NixOS/beam
# Authelia
pkgs/servers/authelia/ @06kellyjac @dit7ya @nicomem
# OctoDNS
pkgs/by-name/oc/octodns/ @anthonyroussel
# Teleport
pkgs/by-name/te/teleport* @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
# Warp-terminal
pkgs/by-name/wa/warp-terminal/ @emilytrau @imadnyc @donteatoreo @johnrtitor

93
ci/README.md
View File

@@ -6,47 +6,80 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
## Pinned Nixpkgs
CI may need certain packages from Nixpkgs.
In order to ensure that the needed packages are generally available without building, [`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
In order to ensure that the needed packages are generally available without building,
[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
Run [`update-pinned.sh`](./update-pinned.sh) to update it.
Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does.
This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
In turn, when contributors are running this tool locally, we don't want to have to push commits to test them, and we can also rely on the local Git history to do the mergeability check.
Arguments:
- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
- `REPOSITORY`: The repository from which to fetch the base branch.
Defaults to <https://github.com/NixOS/nixpkgs.git>.
- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
# Branch classification
## `ci/nixpkgs-vet`
For the purposes of CI, branches in the NixOS/nixpkgs repository are classified as follows:
This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
- **Channel** branches
- `nixos-` or `nixpkgs-` prefix
- Are only updated from `master` or `release-` branches, when hydra passes.
- Otherwise not worked on, Pull Requests are not allowed.
- Long-lived, no deletion, no force push.
- **Primary development** branches
- `release-` prefix and `master`
- Pull Requests required.
- Long-lived, no deletion, no force push.
- **Secondary development** branches
- `staging-` prefix, `haskell-updates` and `python-updates`
- Pull Requests normally required, except when merging development branches into each other.
- Long-lived, no deletion, no force push.
- **Work-In-Progress** branches
- `backport-`, `revert-` and `wip-` prefixes.
- Deprecated: All other branches, not matched by channel/development.
- Pull Requests are optional.
- Short-lived, force push allowed, deleted after merge.
## `ci/nixpkgs-vet/update-pinned-tool.sh`
Some branches also have a version component, which is either `unstable` or `YY.MM`.
Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
`ci/supportedBranches.js` is a script imported by CI to classify the base and head branches of a Pull Request.
This classification will then be used to skip certain jobs.
This script can also be run locally to print basic test cases.
Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
This script currently needs to be called manually when the CI tooling needs to be updated.
Why not just build the tooling right from the PRs Nixpkgs version?
- Because it allows CI to check all PRs, even if they would break the CI tooling.
- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
- Because it improves security, since we don't have to build potentially untrusted code from PRs.
The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
Check whether a PR is mergeable and return the test merge commit as
[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests).
Arguments:
- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
- `PR_NUMBER`: The PR number, e.g. `1234`
Exit codes:
- 0: The PR can be merged, the test merge commit hash is returned on stdout
- 1: The PR cannot be merged because it's not open anymore
- 2: The PR cannot be merged because it has a merge conflict
- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
### Usage
This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
```yaml
on: pull_request_target
# We need a token to query the API, but it doesn't need any special permissions
permissions: {}
jobs:
get-merge-commit:
# use the relative path of the get-merge-commit workflow yaml here
uses: ./.github/workflows/get-merge-commit.yml
build:
name: Build
runs-on: ubuntu-24.04
needs: get-merge-commit
steps:
- uses: actions/checkout@<VERSION>
# Add this to _all_ subsequent steps to skip them
if: needs.get-merge-commit.outputs.mergedSha
with:
ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
- ...
```

2
ci/codeowners-validator/default.nix
View File

@@ -20,7 +20,7 @@ buildGoModule {
})
# Undoes part of the above PR: We don't want to require write access
# to the repository, that's only needed for GitHub's native CODEOWNERS.
# Furthermore, it removes an unnecessary check from the code
# Furthermore, it removes an unneccessary check from the code
# that breaks tokens generated for GitHub Apps.
./permissions.patch
# Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var

115
ci/default.nix
View File

@@ -1,5 +1,5 @@
let
pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
in
{
system ? builtins.currentSystem,
@@ -10,122 +10,21 @@ let
nixpkgs' =
if nixpkgs == null then
fetchTarball {
inherit (pinned.nixpkgs) url;
sha256 = pinned.nixpkgs.hash;
url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
sha256 = pinnedNixpkgs.sha256;
}
else
nixpkgs;
pkgs = import nixpkgs' {
inherit system;
config = {
permittedInsecurePackages = [ "nix-2.3.18" ];
};
config = { };
overlays = [ ];
};
fmt =
let
treefmtNixSrc = fetchTarball {
inherit (pinned.treefmt-nix) url;
sha256 = pinned.treefmt-nix.hash;
};
treefmtEval = (import treefmtNixSrc).evalModule pkgs {
# Important: The auto-rebase script uses `git filter-branch --tree-filter`,
# which creates trees within the Git repository under `.git-rewrite/t`,
# notably without having a `.git` themselves.
# So if this projectRootFile were the default `.git/config`,
# having the auto-rebase script use treefmt on such a tree would make it
# format all files in the _parent_ Git tree as well.
projectRootFile = ".git-blame-ignore-revs";
# Be a bit more verbose by default, so we can see progress happening
settings.verbose = 1;
# By default it's info, which is too noisy since we have many unmatched files
settings.on-unmatched = "debug";
programs.actionlint.enable = true;
programs.keep-sorted.enable = true;
# This uses nixfmt underneath,
# the default formatter for Nix code.
# See https://github.com/NixOS/nixfmt
programs.nixfmt.enable = true;
programs.yamlfmt = {
enable = true;
settings.formatter = {
retain_line_breaks = true;
};
};
settings.formatter.yamlfmt.excludes = [
# Breaks helm templating
"nixos/tests/k3s/k3s-test-chart/templates/*"
# Aligns comments with whitespace
"pkgs/development/haskell-modules/configuration-hackage2nix/main.yaml"
# TODO: Fix formatting for auto-generated file
"pkgs/development/haskell-modules/configuration-hackage2nix/transitive-broken.yaml"
];
settings.formatter.editorconfig-checker = {
command = "${pkgs.lib.getExe pkgs.editorconfig-checker}";
options = [ "-disable-indent-size" ];
includes = [ "*" ];
priority = 1;
};
};
fs = pkgs.lib.fileset;
nixFilesSrc = fs.toSource {
root = ../.;
fileset = fs.difference ../. (fs.maybeMissing ../.git);
};
in
{
shell = treefmtEval.config.build.devShell;
pkg = treefmtEval.config.build.wrapper;
check = treefmtEval.config.build.check nixFilesSrc;
};
in
rec {
inherit pkgs fmt;
{
inherit pkgs;
requestReviews = pkgs.callPackage ./request-reviews { };
codeownersValidator = pkgs.callPackage ./codeowners-validator { };
# FIXME(lf-): it might be useful to test other Nix implementations
# (nixVersions.stable and Lix) here somehow at some point to ensure we don't
# have eval divergence.
eval = pkgs.callPackage ./eval {
nix = pkgs.nixVersions.latest;
};
# CI jobs
lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
manual-nixpkgs = (import ../doc { });
manual-nixpkgs-tests = (import ../doc { }).tests;
nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
parse = pkgs.lib.recurseIntoAttrs {
latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
# TODO: Raise nixVersions.minimum to 2.24 and flip back to it.
minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_24; };
};
shell = import ../shell.nix { inherit nixpkgs system; };
tarball = import ../pkgs/top-level/make-tarball.nix {
# Mirrored from top-level release.nix:
nixpkgs = {
outPath = pkgs.lib.cleanSource ../.;
revCount = 1234;
shortRev = "abcdef";
revision = "0000000000000000000000000000000000000000";
};
officialRelease = false;
inherit pkgs lib-tests;
# 2.28 / 2.29 take 9x longer than 2.30 or Lix.
# TODO: Switch back to nixVersions.latest
nix = pkgs.lix;
};
eval = pkgs.callPackage ./eval { };
}

13
ci/eval/README.md
View File

@@ -11,15 +11,10 @@ nix-build ci -A eval.full \
--arg evalSystems '["x86_64-linux" "aarch64-darwin"]'
```
- `--max-jobs`: The maximum number of derivations to run at the same time.
Only each [supported system](../supportedSystems.json) gets a separate derivation, so it doesn't make sense to set this higher than that number.
- `--cores`: The number of cores to use for each job.
Recommended to set this to the amount of cores on your system divided by `--max-jobs`.
- `chunkSize`: The number of attributes that are evaluated simultaneously on a single core.
Lowering this decreases memory usage at the cost of increased evaluation time.
If this is too high, there won't be enough chunks to process them in parallel, and will also increase evaluation time.
- `evalSystems`: The set of systems for which `nixpkgs` should be evaluated.
Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).
- `--max-jobs`: The maximum number of derivations to run at the same time. Only each [supported system](../supportedSystems.nix) gets a separate derivation, so it doesn't make sense to set this higher than that number.
- `--cores`: The number of cores to use for each job. Recommended to set this to the amount of cores on your system divided by `--max-jobs`.
- `chunkSize`: The number of attributes that are evaluated simultaneously on a single core. Lowering this decreases memory usage at the cost of increased evaluation time. If this is too high, there won't be enough chunks to process them in parallel, and will also increase evaluation time.
- `evalSystems`: The set of systems for which `nixpkgs` should be evaluated. Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).
A good default is to set `chunkSize` to 10000, which leads to about 3.6GB max memory usage per core, so suitable for fully utilising machines with 4 cores and 16GB memory, 8 cores and 32GB memory or 16 cores and 64GB memory.

154
ci/eval/compare/cmp-stats.py
View File

@@ -1,154 +0,0 @@
import json
import os
from scipy.stats import ttest_rel
import pandas as pd
import numpy as np
from pathlib import Path
# Define metrics of interest (can be expanded as needed)
METRIC_PREFIXES = ("nr", "gc")
def flatten_data(json_data: dict) -> dict:
"""
Extracts and flattens metrics from JSON data.
This is needed because the JSON data can be nested.
For example, the JSON data entry might look like this:
"gc":{"cycles":13,"heapSize":5404549120,"totalBytes":9545876464}
Flattened:
"gc.cycles": 13
"gc.heapSize": 5404549120
...
Args:
json_data (dict): JSON data containing metrics.
Returns:
dict: Flattened metrics with keys as metric names.
"""
flat_metrics = {}
for k, v in json_data.items():
if isinstance(v, (int, float)):
flat_metrics[k] = v
elif isinstance(v, dict):
for sub_k, sub_v in v.items():
flat_metrics[f"{k}.{sub_k}"] = sub_v
return flat_metrics
def load_all_metrics(directory: Path) -> dict:
"""
Loads all stats JSON files in the specified directory and extracts metrics.
Args:
directory (Path): Directory containing JSON files.
Returns:
dict: Dictionary with filenames as keys and extracted metrics as values.
"""
metrics = {}
for system_dir in directory.iterdir():
assert system_dir.is_dir()
for chunk_output in system_dir.iterdir():
with chunk_output.open() as f:
data = json.load(f)
metrics[f"{system_dir.name}/${chunk_output.name}"] = flatten_data(data)
return metrics
def dataframe_to_markdown(df: pd.DataFrame) -> str:
df = df.sort_values(by=df.columns[0], ascending=True)
markdown_lines = []
# Header (get column names and format them)
header = '\n| ' + ' | '.join(df.columns) + ' |'
markdown_lines.append(header)
markdown_lines.append("| - " * (len(df.columns)) + "|") # Separator line
# Iterate over rows to build Markdown rows
for _, row in df.iterrows():
# TODO: define threshold for highlighting
highlight = False
fmt = lambda x: f"**{x}**" if highlight else f"{x}"
# Check for no change and NaN in p_value/t_stat
row_values = []
for val in row:
if isinstance(val, float) and np.isnan(val): # For NaN values in p-value or t-stat
row_values.append("-") # Custom symbol for NaN
elif isinstance(val, float) and val == 0: # For no change (mean_diff == 0)
row_values.append("-") # Custom symbol for no change
else:
row_values.append(fmt(f"{val:.4f}" if isinstance(val, float) else str(val)))
markdown_lines.append('| ' + ' | '.join(row_values) + ' |')
return '\n'.join(markdown_lines)
def perform_pairwise_tests(before_metrics: dict, after_metrics: dict) -> pd.DataFrame:
common_files = sorted(set(before_metrics) & set(after_metrics))
all_keys = sorted({ metric_keys for file_metrics in before_metrics.values() for metric_keys in file_metrics.keys() })
results = []
for key in all_keys:
before_vals, after_vals = [], []
for fname in common_files:
if key in before_metrics[fname] and key in after_metrics[fname]:
before_vals.append(before_metrics[fname][key])
after_vals.append(after_metrics[fname][key])
if len(before_vals) >= 2:
before_arr = np.array(before_vals)
after_arr = np.array(after_vals)
diff = after_arr - before_arr
pct_change = 100 * diff / before_arr
t_stat, p_val = ttest_rel(after_arr, before_arr)
results.append({
"metric": key,
"mean_before": np.mean(before_arr),
"mean_after": np.mean(after_arr),
"mean_diff": np.mean(diff),
"mean_%_change": np.mean(pct_change),
"p_value": p_val,
"t_stat": t_stat
})
df = pd.DataFrame(results).sort_values("p_value")
return df
if __name__ == "__main__":
before_dir = os.environ.get("BEFORE_DIR")
after_dir = os.environ.get("AFTER_DIR")
if not before_dir or not after_dir:
print("Error: Environment variables 'BEFORE_DIR' and 'AFTER_DIR' must be set.")
exit(1)
before_stats = Path(before_dir) / "stats"
after_stats = Path(after_dir) / "stats"
# This may happen if the pull request target does not include PR#399720 yet.
if not before_stats.exists():
print("⚠️ Skipping comparison: stats directory is missing in the target commit.")
exit(0)
# This should never happen, but we're exiting gracefully anyways
if not after_stats.exists():
print("⚠️ Skipping comparison: stats directory missing in current PR evaluation.")
exit(0)
before_metrics = load_all_metrics(before_stats)
after_metrics = load_all_metrics(after_stats)
df1 = perform_pairwise_tests(before_metrics, after_metrics)
markdown_table = dataframe_to_markdown(df1)
print(markdown_table)

102
ci/eval/compare/default.nix
View File

@@ -1,16 +1,14 @@
{
callPackage,
lib,
jq,
runCommand,
writeText,
python3,
...
}:
{
combinedDir,
beforeResultDir,
afterResultDir,
touchedFilesJson,
githubAuthorId,
byName ? false,
}:
let
/*
@@ -19,7 +17,7 @@ let
---
Inputs:
- beforeDir, afterDir: The evaluation result from before and after the change.
- beforeResultDir, afterResultDir: The evaluation result from before and after the change.
They can be obtained by running `nix-build -A ci.eval.full` on both revisions.
---
@@ -31,10 +29,10 @@ let
changed: ["package2", "package3"],
removed: ["package4"],
},
labels: {
"10.rebuild-darwin: 1-10": true,
"10.rebuild-linux: 1-10": true
},
labels: [
"10.rebuild-darwin: 1-10",
"10.rebuild-linux: 1-10"
],
rebuildsByKernel: {
darwin: ["package1", "package2"],
linux: ["package1", "package2", "package3"]
@@ -65,6 +63,7 @@ let
Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
*/
inherit (import ./utils.nix { inherit lib; })
diff
groupByKernel
convertToPackagePlatformAttrs
groupByPlatform
@@ -72,10 +71,14 @@ let
getLabels
;
getAttrs = dir: builtins.fromJSON (builtins.readFile "${dir}/outpaths.json");
beforeAttrs = getAttrs beforeResultDir;
afterAttrs = getAttrs afterResultDir;
# Attrs
# - keys: "added", "changed" and "removed"
# - values: lists of `packagePlatformPath`s
diffAttrs = builtins.fromJSON (builtins.readFile "${combinedDir}/combined-diff.json");
diffAttrs = diff beforeAttrs afterAttrs;
rebuilds = diffAttrs.added ++ diffAttrs.changed;
rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
@@ -97,90 +100,33 @@ let
rebuildCountByKernel
;
labels =
getLabels rebuildCountByKernel
# Sets "10.rebuild-*-stdenv" label to whether the "stdenv" attribute was changed.
// lib.mapAttrs' (
kernel: rebuilds: lib.nameValuePair "10.rebuild-${kernel}-stdenv" (lib.elem "stdenv" rebuilds)
) rebuildsByKernel
# Set the "11.by: package-maintainer" label to whether all packages directly
# changed are maintained by the PR's author.
# (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
// {
"11.by: package-maintainer" =
maintainers ? ${githubAuthorId}
&& lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
lib.flatten (lib.attrValues maintainers)
);
};
(getLabels rebuildCountByKernel)
# Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
);
}
);
maintainers = callPackage ./maintainers.nix { } {
maintainers = import ./maintainers.nix {
changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
changedpathsjson = touchedFilesJson;
inherit byName;
};
in
runCommand "compare"
{
nativeBuildInputs = [
jq
(python3.withPackages (
ps: with ps; [
numpy
pandas
scipy
]
))
];
nativeBuildInputs = [ jq ];
maintainers = builtins.toJSON maintainers;
passAsFile = [ "maintainers" ];
env = {
BEFORE_DIR = "${combinedDir}/before";
AFTER_DIR = "${combinedDir}/after";
};
}
''
mkdir $out
cp ${changed-paths} $out/changed-paths.json
if jq -e '(.attrdiff.added | length == 0) and (.attrdiff.removed | length == 0)' "${changed-paths}" > /dev/null; then
# Chunks have changed between revisions
# We cannot generate a performance comparison
{
echo
echo "# Performance comparison"
echo
echo "This compares the performance of this branch against its pull request base branch (e.g., 'master')"
echo
echo "For further help please refer to: [ci/README.md](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md)"
echo
} >> $out/step-summary.md
python3 ${./cmp-stats.py} >> $out/step-summary.md
else
# Package chunks are the same in both revisions
# We can use the to generate a performance comparison
{
echo
echo "# Performance Comparison"
echo
echo "Performance stats were skipped because the package sets differ between the two revisions."
echo
echo "For further help please refer to: [ci/README.md](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md)"
} >> $out/step-summary.md
fi
{
echo
echo "# Packages"
echo
jq -r -f ${./generate-step-summary.jq} < ${changed-paths}
} >> $out/step-summary.md
jq -r -f ${./generate-step-summary.jq} < ${changed-paths} > $out/step-summary.md
cp "$maintainersPath" "$out/maintainers.json"
# TODO: Compare eval stats
''

27
ci/eval/compare/maintainers.nix
View File

@@ -1,18 +1,12 @@
{
lib,
}:
# Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
{
changedattrs,
changedpathsjson,
byName ? false,
}:
{ changedattrs, changedpathsjson }:
let
pkgs = import ../../.. {
system = "x86_64-linux";
config = { };
overlays = [ ];
};
inherit (pkgs) lib;
changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);
@@ -47,16 +41,7 @@ let
) validPackageAttributes;
attrsWithMaintainers = builtins.map (
pkg:
let
meta = pkg.package.meta or { };
in
pkg
// {
# TODO: Refactor this so we can ping entire teams instead of the individual members.
# Note that this will require keeping track of GH team IDs in "maintainers/teams.nix".
maintainers = meta.maintainers or [ ];
}
pkg: pkg // { maintainers = (pkg.package.meta or { }).maintainers or [ ]; }
) attrsWithPackages;
relevantFilenames =
@@ -64,8 +49,7 @@ let
(lib.lists.unique (
builtins.map (pos: lib.strings.removePrefix (toString ../..) pos.file) (
builtins.filter (x: x != null) [
((drv.meta or { }).maintainersPosition or null)
((drv.meta or { }).teamsPosition or null)
(builtins.unsafeGetAttrPos "maintainers" (drv.meta or { }))
(builtins.unsafeGetAttrPos "src" drv)
# broken because name is always set by stdenv:
# # A hack to make `nix-env -qa` and `nix search` ignore broken packages.
@@ -99,13 +83,12 @@ let
pkg:
builtins.map (maintainer: {
id = maintainer.githubId;
inherit (maintainer) github;
packageName = pkg.name;
dueToFiles = pkg.filenames;
}) pkg.maintainers
) attrsWithModifiedFiles;
byMaintainer = lib.groupBy (ping: toString ping.${if byName then "github" else "id"}) listToPing;
byMaintainer = lib.groupBy (ping: toString ping.id) listToPing;
packagesPerMaintainer = lib.attrsets.mapAttrs (
maintainer: packages: builtins.map (pkg: pkg.packageName) packages

93
ci/eval/compare/utils.nix
View File

@@ -93,6 +93,32 @@ rec {
in
uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);
/*
Computes the key difference between two attrs
{
added: [ <keys only in the second object> ],
removed: [ <keys only in the first object> ],
changed: [ <keys with different values between the two objects> ],
}
*/
diff =
let
filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
in
old: new: {
added = filterKeys (n: _: !(old ? ${n})) new;
removed = filterKeys (n: _: !(new ? ${n})) old;
changed = filterKeys (
n: v:
# Filter out attributes that don't exist anymore
(new ? ${n})
# Filter out attributes that are the same as the new value
&& (v != (new.${n}))
) old;
};
/*
Group a list of `packagePlatformAttr`s by platforms
@@ -151,7 +177,7 @@ rec {
lib.genAttrs [ "linux" "darwin" ] filterKernel;
/*
Maps an attrs of `kernel - rebuild counts` mappings to an attrs of labels
Maps an attrs of `kernel - rebuild counts` mappings to a list of labels
Turns
{
@@ -159,37 +185,54 @@ rec {
darwin = 1;
}
into
{
"10.rebuild-darwin: 1" = true;
"10.rebuild-darwin: 1-10" = true;
"10.rebuild-darwin: 11-100" = false;
# [...]
"10.rebuild-darwin: 1" = false;
"10.rebuild-darwin: 1-10" = false;
"10.rebuild-linux: 11-100" = true;
# [...]
}
[
"10.rebuild-darwin: 1"
"10.rebuild-darwin: 1-10"
"10.rebuild-linux: 11-100"
]
*/
getLabels =
rebuildCountByKernel:
lib.mergeAttrsList (
lib.concatLists (
lib.mapAttrsToList (
kernel: rebuildCount:
let
range = from: to: from <= rebuildCount && (to == null || rebuildCount <= to);
numbers =
if rebuildCount == 0 then
[ "0" ]
else if rebuildCount == 1 then
[
"1"
"1-10"
]
else if rebuildCount <= 10 then
[ "1-10" ]
else if rebuildCount <= 100 then
[ "11-100" ]
else if rebuildCount <= 500 then
[ "101-500" ]
else if rebuildCount <= 1000 then
[
"501-1000"
"501+"
]
else if rebuildCount <= 2500 then
[
"1001-2500"
"501+"
]
else if rebuildCount <= 5000 then
[
"2501-5000"
"501+"
]
else
[
"5001+"
"501+"
];
in
lib.mapAttrs' (number: lib.nameValuePair "10.rebuild-${kernel}: ${number}") {
"0" = range 0 0;
"1" = range 1 1;
"1-10" = range 1 10;
"11-100" = range 11 100;
"101-500" = range 101 500;
"501-1000" = range 501 1000;
"501+" = range 501 null;
"1001-2500" = range 1001 2500;
"2501-5000" = range 2501 5000;
"5001+" = range 5001 null;
}
lib.forEach numbers (number: "10.rebuild-${kernel}: ${number}")
) rebuildCountByKernel
);
}

183
ci/eval/default.nix
View File

@@ -1,23 +1,14 @@
# Evaluates all the accessible paths in nixpkgs.
# *This only builds on Linux* since it requires the Linux sandbox isolation to
# be able to write in various places while evaluating inside the sandbox.
#
# This file is used by nixpkgs CI (see .github/workflows/eval.yml) as well as
# being used directly as an entry point in Lix's CI (in `flake.nix` in the Lix
# repo).
#
# If you know you are doing a breaking API change, please ping the nixpkgs CI
# maintainers and the Lix maintainers (`nix eval -f . lib.teams.lix`).
{
callPackage,
lib,
runCommand,
writeShellScript,
symlinkJoin,
writeText,
linkFarm,
time,
procps,
nix,
nixVersions,
jq,
sta,
}:
let
@@ -34,17 +25,16 @@ let
"nixos"
"pkgs"
".version"
"ci/supportedSystems.json"
"ci/supportedSystems.nix"
]
);
};
supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);
nix = nixVersions.nix_2_24;
supportedSystems = import ../supportedSystems.nix;
attrpathsSuperset =
{
evalSystem,
}:
runCommand "attrpaths-superset.json"
{
src = nixpkgs;
@@ -52,6 +42,8 @@ let
nix
time
];
env.supportedSystems = builtins.toJSON supportedSystems;
passAsFile = [ "supportedSystems" ];
}
''
export NIX_STATE_DIR=$(mktemp -d)
@@ -64,7 +56,8 @@ let
-I "$src" \
--option restrict-eval true \
--option allow-import-from-derivation false \
--option eval-system "${evalSystem}" > $out/paths.json
--arg enableWarnings false > $out/paths.json
mv "$supportedSystemsPath" $out/systems.json
'';
singleSystem =
@@ -74,13 +67,11 @@ let
# because `--argstr system` would only be passed to the ci/default.nix file!
evalSystem,
# The path to the `paths.json` file from `attrpathsSuperset`
attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
attrpathFile,
# The number of attributes per chunk, see ./README.md for more info.
chunkSize,
checkMeta ? true,
# Don't try to eval packages marked as broken.
includeBroken ? false,
includeBroken ? true,
# Whether to just evaluate a single chunk for quick testing
quickTest ? false,
}:
@@ -96,14 +87,12 @@ let
export NIX_SHOW_STATS_PATH="$outputDir/stats/$myChunk"
echo "Chunk $myChunk on $system start"
set +e
command time -o "$outputDir/timestats/$myChunk" \
-f "Chunk $myChunk on $system done [%MKB max resident, %Es elapsed] %C" \
nix-env -f "${nixpkgs}/pkgs/top-level/release-outpaths-parallel.nix" \
--eval-system "$system" \
command time -f "Chunk $myChunk on $system done [%MKB max resident, %Es elapsed] %C" \
nix-env -f "${nixpkgs}/pkgs/top-level/release-attrpaths-parallel.nix" \
--option restrict-eval true \
--option allow-import-from-derivation false \
--query --available \
--out-path --json \
--no-name --attr-path --out-path \
--show-trace \
--arg chunkSize "$chunkSize" \
--arg myChunk "$myChunk" \
@@ -113,19 +102,13 @@ let
--arg includeBroken ${lib.boolToString includeBroken} \
-I ${nixpkgs} \
-I ${attrpathFile} \
> "$outputDir/result/$myChunk" \
2> "$outputDir/stderr/$myChunk"
> "$outputDir/result/$myChunk"
exitCode=$?
set -e
cat "$outputDir/stderr/$myChunk"
cat "$outputDir/timestats/$myChunk"
if (( exitCode != 0 )); then
echo "Evaluation failed with exit code $exitCode"
# This immediately halts all xargs processes
kill $PPID
elif [[ -s "$outputDir/stderr/$myChunk" ]]; then
echo "Nixpkgs on $system evaluated with warnings, aborting"
kill $PPID
fi
'';
in
@@ -155,7 +138,7 @@ let
chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
echo "Chunk count: $chunkCount"
mkdir -p $out/${evalSystem}
mkdir $out
# Record and print stats on free memory and swap in the background
(
@@ -164,11 +147,11 @@ let
freeSwap=$(free -b | grep Swap | awk '{print $4}')
echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"
if [[ ! -f "$out/${evalSystem}/min-avail-memory" ]] || (( availMemory < $(<$out/${evalSystem}/min-avail-memory) )); then
echo "$availMemory" > $out/${evalSystem}/min-avail-memory
if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
echo "$availMemory" > $out/min-avail-memory
fi
if [[ ! -f $out/${evalSystem}/min-free-swap ]] || (( availMemory < $(<$out/${evalSystem}/min-free-swap) )); then
echo "$freeSwap" > $out/${evalSystem}/min-free-swap
if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
echo "$freeSwap" > $out/min-free-swap
fi
sleep 4
done
@@ -181,59 +164,98 @@ let
''}
chunkOutputDir=$(mktemp -d)
mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}
mkdir "$chunkOutputDir"/{result,stats}
seq -w 0 "$seq_end" |
command time -f "%e" -o "$out/${evalSystem}/total-time" \
command time -f "%e" -o "$out/total-time" \
xargs -I{} -P"$cores" \
${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"
cp -r "$chunkOutputDir"/stats $out/${evalSystem}/stats-by-chunk
if (( chunkSize * chunkCount != attrCount )); then
# A final incomplete chunk would mess up the stats, don't include it
rm "$chunkOutputDir"/stats/"$seq_end"
fi
cat "$chunkOutputDir"/result/* | jq -s 'add | map_values(.outputs)' > $out/${evalSystem}/paths.json
# Make sure the glob doesn't break when there's no files
shopt -s nullglob
cat "$chunkOutputDir"/result/* > $out/paths
cat "$chunkOutputDir"/stats/* > $out/stats.jsonstream
'';
diff = callPackage ./diff.nix { };
combine =
{
diffDir,
resultsDir,
}:
runCommand "combined-eval"
runCommand "combined-result"
{
nativeBuildInputs = [
jq
sta
];
}
''
mkdir -p $out
# Combine output paths from all systems
cat ${diffDir}/*/diff.json | jq -s '
reduce .[] as $item ({}; {
added: (.added + $item.added),
changed: (.changed + $item.changed),
removed: (.removed + $item.removed)
})
' > $out/combined-diff.json
# Transform output paths to JSON
cat ${resultsDir}/*/paths |
jq --sort-keys --raw-input --slurp '
split("\n") |
map(select(. != "") | split(" ") | map(select(. != ""))) |
map(
{
key: .[0],
value: .[1] | split(";") | map(split("=") |
if length == 1 then
{ key: "out", value: .[0] }
else
{ key: .[0], value: .[1] }
end) | from_entries}
) | from_entries
' > $out/outpaths.json
mkdir -p $out/before/stats
for d in ${diffDir}/before/*; do
cp -r "$d"/stats-by-chunk $out/before/stats/$(basename "$d")
done
# Computes min, mean, error, etc. for a list of values and outputs a JSON from that
statistics() {
local stat=$1
sta --transpose |
jq --raw-input --argjson stat "$stat" -n '
[
inputs |
split("\t") |
{ key: .[0], value: (.[1] | fromjson) }
] |
from_entries |
{
key: ($stat | join(".")),
value: .
}'
}
mkdir -p $out/after/stats
for d in ${diffDir}/after/*; do
cp -r "$d"/stats-by-chunk $out/after/stats/$(basename "$d")
done
# Gets all available number stats (without .sizes because those are constant and not interesting)
readarray -t stats < <(jq -cs '.[0] | del(.sizes) | paths(type == "number")' ${resultsDir}/*/stats.jsonstream)
# Combines the statistics from all evaluations
{
echo "{ \"key\": \"minAvailMemory\", \"value\": $(cat ${resultsDir}/*/min-avail-memory | sta --brief --min) }"
echo "{ \"key\": \"minFreeSwap\", \"value\": $(cat ${resultsDir}/*/min-free-swap | sta --brief --min) }"
cat ${resultsDir}/*/total-time | statistics '["totalTime"]'
for stat in "''${stats[@]}"; do
cat ${resultsDir}/*/stats.jsonstream |
jq --argjson stat "$stat" 'getpath($stat)' |
statistics "$stat"
done
} |
jq -s from_entries > $out/stats.json
'';
compare = callPackage ./compare { };
compare = import ./compare {
inherit
lib
jq
runCommand
writeText
supportedSystems
;
};
full =
{
@@ -244,26 +266,18 @@ let
quickTest ? false,
}:
let
diffs = symlinkJoin {
name = "diffs";
paths = map (
evalSystem:
let
eval = singleSystem {
inherit quickTest evalSystem chunkSize;
};
in
diff {
inherit evalSystem;
# Local "full" evaluation doesn't do a real diff.
beforeDir = eval;
afterDir = eval;
}
) evalSystems;
};
results = linkFarm "results" (
map (evalSystem: {
name = evalSystem;
path = singleSystem {
inherit quickTest evalSystem chunkSize;
attrpathFile = attrpathsSuperset + "/paths.json";
};
}) evalSystems
);
in
combine {
diffDir = diffs;
resultsDir = results;
};
in
@@ -271,7 +285,6 @@ in
inherit
attrpathsSuperset
singleSystem
diff
combine
compare
# The above three are used by separate VMs in a GitHub workflow,

61
ci/eval/diff.nix
View File

@@ -1,61 +0,0 @@
{
lib,
runCommand,
writeText,
}:
{
beforeDir,
afterDir,
evalSystem,
}:
let
/*
Computes the key difference between two attrs
{
added: [ <keys only in the second object> ],
removed: [ <keys only in the first object> ],
changed: [ <keys with different values between the two objects> ],
}
*/
diff =
let
filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
in
old: new: {
added = filterKeys (n: _: !(old ? ${n})) new;
removed = filterKeys (n: _: !(new ? ${n})) old;
changed = filterKeys (
n: v:
# Filter out attributes that don't exist anymore
(new ? ${n})
# Filter out attributes that are the same as the new value
&& (v != (new.${n}))
) old;
};
getAttrs =
dir:
let
raw = builtins.readFile "${dir}/${evalSystem}/paths.json";
# The file contains Nix paths; we need to ignore them for evaluation purposes,
# else there will be a "is not allowed to refer to a store path" error.
data = builtins.unsafeDiscardStringContext raw;
in
builtins.fromJSON data;
beforeAttrs = getAttrs beforeDir;
afterAttrs = getAttrs afterDir;
diffAttrs = diff beforeAttrs afterAttrs;
diffJson = writeText "diff.json" (builtins.toJSON diffAttrs);
in
runCommand "diff" { } ''
mkdir -p $out/${evalSystem}
cp -r ${beforeDir} $out/before
cp -r ${afterDir} $out/after
cp ${diffJson} $out/${evalSystem}/diff.json
''

62
ci/get-merge-commit.sh Executable file
View File

@@ -0,0 +1,62 @@
#!/usr/bin/env bash
# See ./README.md for docs
set -euo pipefail
log() {
echo "$@" >&2
}
if (( $# < 2 )); then
log "Usage: $0 GITHUB_REPO PR_NUMBER"
exit 99
fi
repo=$1
prNumber=$2
# Retry the API query this many times
retryCount=5
# Start with 5 seconds, but double every retry
retryInterval=5
while true; do
log "Checking whether the pull request can be merged"
prInfo=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/$repo/pulls/$prNumber")
# Non-open PRs won't have their mergeability computed no matter what
state=$(jq -r .state <<< "$prInfo")
if [[ "$state" != open ]]; then
log "PR is not open anymore"
exit 1
fi
mergeable=$(jq -r .mergeable <<< "$prInfo")
if [[ "$mergeable" == "null" ]]; then
if (( retryCount == 0 )); then
log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
exit 3
else
(( retryCount -= 1 )) || true
# null indicates that GitHub is still computing whether it's mergeable
# Wait a couple seconds before trying again
log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
sleep "$retryInterval"
(( retryInterval *= 2 )) || true
fi
else
break
fi
done
if [[ "$mergeable" == "true" ]]; then
log "The PR can be merged"
jq -r .merge_commit_sha <<< "$prInfo"
else
log "The PR has a merge conflict"
exit 2
fi

3
ci/github-script/.editorconfig
View File

@@ -1,3 +0,0 @@
[run]
indent_style = space
indent_size = 2

2
ci/github-script/.gitignore vendored
View File

@@ -1,2 +0,0 @@
node_modules
step-summary.md

2
ci/github-script/.npmrc
View File

@@ -1,2 +0,0 @@
package-lock-only = true
save-exact = true

17
ci/github-script/README.md
View File

@@ -1,17 +0,0 @@
# GitHub specific CI scripts
This folder contains [`actions/github-script`](https://github.com/actions/github-script)-based JavaScript code.
It provides a `nix-shell` environment to run and test these actions locally.
To run any of the scripts locally:
- Enter `nix-shell` in `./ci/github-script`.
- Ensure `gh` is authenticated.
## Check commits
Run `./run commits OWNER REPO PR`, where OWNER is your username or "NixOS", REPO is the name of your fork or "nixpkgs" and PR is the number of the pull request to check.
## Labeler
Run `./run labels OWNER REPO`, where OWNER is your username or "NixOS" and REPO the name of your fork or "nixpkgs".

10
ci/github-script/check-cherry-picks.md
View File

@@ -1,10 +0,0 @@
This report is automatically generated by the `PR / Check / cherry-pick` CI workflow.
Some of the commits in this PR require the author's and reviewer's attention.
Please follow the [backporting guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#how-to-backport-pull-requests) and cherry-pick with the `-x` flag.
This requires changes to the unstable `master` and `staging` branches first, before backporting them.
Occasionally, it is not possible to cherry-pick exactly the same patch.
This most frequently happens when resolving merge conflicts or when updating minor versions of packages which have already advanced to the next major on unstable.
If you need to merge this PR despite the warnings, please [dismiss](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review) this review shortly before merging.

281
ci/github-script/commits.js
View File

@@ -1,281 +0,0 @@
module.exports = async function ({ github, context, core, dry }) {
const { execFileSync } = require('node:child_process')
const { readFile } = require('node:fs/promises')
const { join } = require('node:path')
const { classify } = require('../supportedBranches.js')
const withRateLimit = require('./withRateLimit.js')
await withRateLimit({ github, core }, async (stats) => {
stats.prs = 1
const pull_number = context.payload.pull_request.number
const job_url =
context.runId &&
(
await github.paginate(github.rest.actions.listJobsForWorkflowRun, {
...context.repo,
run_id: context.runId,
per_page: 100,
})
).find(({ name }) => name == 'Check / cherry-pick').html_url +
'?pr=' +
pull_number
async function handle({ sha, commit }) {
// Using the last line with "cherry" + hash, because a chained backport
// can result in multiple of those lines. Only the last one counts.
const match = Array.from(
commit.message.matchAll(/cherry.*([0-9a-f]{40})/g),
).at(-1)
if (!match)
return {
sha,
commit,
severity: 'warning',
message: `Couldn't locate original commit hash in message of ${sha}.`,
}
const original_sha = match[1]
let branches
try {
branches = (
await github.request({
// This is an undocumented endpoint to fetch the branches a commit is part of.
// There is no equivalent in neither the REST nor the GraphQL API.
// The endpoint itself is unlikely to go away, because GitHub uses it to display
// the list of branches on the detail page of a commit.
url: `https://github.com/${context.repo.owner}/${context.repo.repo}/branch_commits/${original_sha}`,
headers: {
accept: 'application/json',
},
})
).data.branches
.map(({ branch }) => branch)
.filter((branch) => classify(branch).type.includes('development'))
} catch (e) {
// For some unknown reason a 404 error comes back as 500 without any more details in a GitHub Actions runner.
// Ignore these to return a regular error message below.
if (![404, 500].includes(e.status)) throw e
}
if (!branches?.length)
return {
sha,
commit,
severity: 'error',
message: `${original_sha} given in ${sha} not found in any pickable branch.`,
}
const diff = execFileSync('git', [
'-C',
__dirname,
'range-diff',
'--no-color',
'--ignore-all-space',
'--no-notes',
// 100 means "any change will be reported"; 0 means "no change will be reported"
'--creation-factor=100',
`${original_sha}~..${original_sha}`,
`${sha}~..${sha}`,
])
.toString()
.split('\n')
// First line contains commit SHAs, which we'll print separately.
.slice(1)
// # The output of `git range-diff` is indented with 4 spaces, but we'll control indentation manually.
.map((line) => line.replace(/^ {4}/, ''))
if (!diff.some((line) => line.match(/^[+-]{2}/)))
return {
sha,
commit,
severity: 'info',
message: `${original_sha} is highly similar to ${sha}.`,
}
const colored_diff = execFileSync('git', [
'-C',
__dirname,
'range-diff',
'--color',
'--no-notes',
'--creation-factor=100',
`${original_sha}~..${original_sha}`,
`${sha}~..${sha}`,
]).toString()
return {
sha,
commit,
diff,
colored_diff,
severity: 'warning',
message: `Difference between ${sha} and original ${original_sha} may warrant inspection.`,
}
}
const commits = await github.paginate(github.rest.pulls.listCommits, {
...context.repo,
pull_number,
})
const results = await Promise.all(commits.map(handle))
// Log all results without truncation, with better highlighting and all whitespace changes to the job log.
results.forEach(({ sha, commit, severity, message, colored_diff }) => {
core.startGroup(`Commit ${sha}`)
core.info(`Author: ${commit.author.name} ${commit.author.email}`)
core.info(`Date: ${new Date(commit.author.date)}`)
core[severity](message)
core.endGroup()
if (colored_diff) core.info(colored_diff)
})
// Only create step summary below in case of warnings or errors.
// Also clean up older reviews, when all checks are good now.
if (results.every(({ severity }) => severity == 'info')) {
if (!dry) {
await Promise.all(
(
await github.paginate(github.rest.pulls.listReviews, {
...context.repo,
pull_number,
})
)
.filter((review) => review.user.login == 'github-actions[bot]')
.map(async (review) => {
if (review.state == 'CHANGES_REQUESTED') {
await github.rest.pulls.dismissReview({
...context.repo,
pull_number,
review_id: review.id,
message: 'All cherry-picks are good now, thank you!',
})
}
await github.graphql(
`mutation($node_id:ID!) {
minimizeComment(input: {
classifier: RESOLVED,
subjectId: $node_id
})
{ clientMutationId }
}`,
{ node_id: review.node_id },
)
}),
)
}
return
}
// In the case of "error" severity, we also fail the job.
// Those should be considered blocking and not be dismissable via review.
if (results.some(({ severity }) => severity == 'error'))
process.exitCode = 1
core.summary.addRaw(
await readFile(join(__dirname, 'check-cherry-picks.md'), 'utf-8'),
true,
)
results.forEach(({ severity, message, diff }) => {
if (severity == 'info') return
// The docs for markdown alerts only show examples with markdown blockquote syntax, like this:
// > [!WARNING]
// > message
// However, our testing shows that this also works with a `<blockquote>` html tag, as long as there
// is an empty line:
// <blockquote>
//
// [!WARNING]
// message
// </blockquote>
// Whether this is intended or just an implementation detail is unclear.
core.summary.addRaw('<blockquote>')
core.summary.addRaw(
`\n\n[!${severity == 'warning' ? 'WARNING' : 'CAUTION'}]`,
true,
)
core.summary.addRaw(`${message}`, true)
if (diff) {
// Limit the output to 10k bytes and remove the last, potentially incomplete line, because GitHub
// comments are limited in length. The value of 10k is arbitrary with the assumption, that after
// the range-diff becomes a certain size, a reviewer is better off reviewing the regular diff in
// GitHub's UI anyway, thus treating the commit as "new" and not cherry-picked.
// Note: if multiple commits are close to the limit, this approach could still lead to a comment
// that's too long. We think this is unlikely to happen, and so don't deal with it explicitly.
const truncated = []
let total_length = 0
for (line of diff) {
total_length += line.length
if (total_length > 10000) {
truncated.push('', '[...truncated...]')
break
} else {
truncated.push(line)
}
}
core.summary.addRaw('<details><summary>Show diff</summary>')
core.summary.addRaw('\n\n``````````diff', true)
core.summary.addRaw(truncated.join('\n'), true)
core.summary.addRaw('``````````', true)
core.summary.addRaw('</details>')
}
core.summary.addRaw('</blockquote>')
})
if (job_url)
core.summary.addRaw(
`\n\n_Hint: The full diffs are also available in the [runner logs](${job_url}) with slightly better highlighting._`,
)
const body = core.summary.stringify()
core.summary.write()
const pendingReview = (
await github.paginate(github.rest.pulls.listReviews, {
...context.repo,
pull_number,
})
).find(
(review) =>
review.user.login == 'github-actions[bot]' &&
// If a review is still pending, we can just update this instead
// of posting a new one.
(review.state == 'CHANGES_REQUESTED' ||
// No need to post a new review, if an older one with the exact
// same content had already been dismissed.
review.body == body),
)
if (dry) {
if (pendingReview)
core.info('pending review found: ' + pendingReview.html_url)
else core.info('no pending review found')
} else {
// Either of those two requests could fail for very long comments. This can only happen
// with multiple commits all hitting the truncation limit for the diff. If you ever hit
// this case, consider just splitting up those commits into multiple PRs.
if (pendingReview) {
await github.rest.pulls.updateReview({
...context.repo,
pull_number,
review_id: pendingReview.id,
body,
})
} else {
await github.rest.pulls.createReview({
...context.repo,
pull_number,
event: 'REQUEST_CHANGES',
body,
})
}
}
})
}

414
ci/github-script/labels.js
View File

@@ -1,414 +0,0 @@
module.exports = async function ({ github, context, core, dry }) {
const path = require('node:path')
const { DefaultArtifactClient } = require('@actions/artifact')
const { readFile, writeFile } = require('node:fs/promises')
const withRateLimit = require('./withRateLimit.js')
const artifactClient = new DefaultArtifactClient()
async function handlePullRequest({ item, stats }) {
const log = (k, v) => core.info(`PR #${item.number} - ${k}: ${v}`)
const pull_number = item.number
// This API request is important for the merge-conflict label, because it triggers the
// creation of a new test merge commit. This is needed to actually determine the state of a PR.
const pull_request = (
await github.rest.pulls.get({
...context.repo,
pull_number,
})
).data
const reviews = await github.paginate(github.rest.pulls.listReviews, {
...context.repo,
pull_number,
})
const approvals = new Set(
reviews
.filter((review) => review.state == 'APPROVED')
.map((review) => review.user?.id),
)
// After creation of a Pull Request, `merge_commit_sha` will be null initially:
// The very first merge commit will only be calculated after a little while.
// To avoid labeling the PR as conflicted before that, we wait a few minutes.
// This is intentionally less than the time that Eval takes, so that the label job
// running after Eval can indeed label the PR as conflicted if that is the case.
const merge_commit_sha_valid =
new Date() - new Date(pull_request.created_at) > 3 * 60 * 1000
const prLabels = {
// We intentionally don't use the mergeable or mergeable_state attributes.
// Those have an intermediate state while the test merge commit is created.
// This doesn't work well for us, because we might have just triggered another
// test merge commit creation by request the pull request via API at the start
// of this function.
// The attribute merge_commit_sha keeps the old value of null or the hash *until*
// the new test merge commit has either successfully been created or failed so.
// This essentially means we are updating the merge conflict label in two steps:
// On the first pass of the day, we just fetch the pull request, which triggers
// the creation. At this stage, the label is likely not updated, yet.
// The second pass will then read the result from the first pass and set the label.
'2.status: merge conflict':
merge_commit_sha_valid && !pull_request.merge_commit_sha,
'12.approvals: 1': approvals.size == 1,
'12.approvals: 2': approvals.size == 2,
'12.approvals: 3+': approvals.size >= 3,
'12.first-time contribution': [
'NONE',
'FIRST_TIMER',
'FIRST_TIME_CONTRIBUTOR',
].includes(pull_request.author_association),
}
const { id: run_id, conclusion } =
(
await github.rest.actions.listWorkflowRuns({
...context.repo,
workflow_id: 'pr.yml',
event: 'pull_request_target',
exclude_pull_requests: true,
head_sha: pull_request.head.sha,
})
).data.workflow_runs[0] ??
// TODO: Remove this after 2025-09-17, at which point all eval.yml artifacts will have expired.
(
await github.rest.actions.listWorkflowRuns({
...context.repo,
// In older PRs, we need eval.yml instead of pr.yml.
workflow_id: 'eval.yml',
event: 'pull_request_target',
status: 'success',
exclude_pull_requests: true,
head_sha: pull_request.head.sha,
})
).data.workflow_runs[0] ??
{}
// Newer PRs might not have run Eval to completion, yet.
// Older PRs might not have an eval.yml workflow, yet.
// In either case we continue without fetching an artifact on a best-effort basis.
log('Last eval run', run_id ?? '<n/a>')
if (conclusion === 'success') {
Object.assign(prLabels, {
// We only set this label if the latest eval run was successful, because if it was not, it
// *could* have requested reviewers. We will let the PR author fix CI first, before "escalating"
// this PR to "needs: reviewer".
// Since the first Eval run on a PR always sets rebuild labels, the same PR will be "recently
// updated" for the next scheduled run. Thus, this label will still be set within a few minutes
// after a PR is created, if required.
// Note that a "requested reviewer" disappears once they have given a review, so we check
// existing reviews, too.
'9.needs: reviewer':
!pull_request.draft &&
pull_request.requested_reviewers.length == 0 &&
reviews.length == 0,
})
}
const artifact =
run_id &&
(
await github.rest.actions.listWorkflowRunArtifacts({
...context.repo,
run_id,
name: 'comparison',
})
).data.artifacts[0]
// Instead of checking the boolean artifact.expired, we will give us a minute to
// actually download the artifact in the next step and avoid that race condition.
// Older PRs, where the workflow run was already eval.yml, but the artifact was not
// called "comparison", yet, will skip the download.
const expired =
!artifact ||
new Date(artifact?.expires_at ?? 0) <
new Date(new Date().getTime() + 60 * 1000)
log('Artifact expires at', artifact?.expires_at ?? '<n/a>')
if (!expired) {
stats.artifacts++
await artifactClient.downloadArtifact(artifact.id, {
findBy: {
repositoryName: context.repo.repo,
repositoryOwner: context.repo.owner,
token: core.getInput('github-token'),
},
path: path.resolve(pull_number.toString()),
expectedHash: artifact.digest,
})
const maintainers = new Set(
Object.keys(
JSON.parse(
await readFile(`${pull_number}/maintainers.json`, 'utf-8'),
),
).map((m) => Number.parseInt(m, 10)),
)
const evalLabels = JSON.parse(
await readFile(`${pull_number}/changed-paths.json`, 'utf-8'),
).labels
Object.assign(
prLabels,
// Ignore `evalLabels` if it's an array.
// This can happen for older eval runs, before we switched to objects.
// The old eval labels would have been set by the eval run,
// so now they'll be present in `before`.
// TODO: Simplify once old eval results have expired (~2025-10)
Array.isArray(evalLabels) ? undefined : evalLabels,
{
'12.approved-by: package-maintainer': Array.from(maintainers).some(
(m) => approvals.has(m),
),
},
)
}
return prLabels
}
async function handle({ item, stats }) {
try {
const log = (k, v, skip) => {
core.info(`#${item.number} - ${k}: ${v}` + (skip ? ' (skipped)' : ''))
return skip
}
log('Last updated at', item.updated_at)
log('URL', item.html_url)
const issue_number = item.number
const itemLabels = {}
if (item.pull_request || context.payload.pull_request) {
stats.prs++
Object.assign(itemLabels, await handlePullRequest({ item, stats }))
} else {
stats.issues++
}
const latest_event_at = new Date(
(
await github.paginate(github.rest.issues.listEventsForTimeline, {
...context.repo,
issue_number,
per_page: 100,
})
)
.filter(({ event }) =>
[
// These events are hand-picked from:
// https://docs.github.com/en/rest/using-the-rest-api/issue-event-types?apiVersion=2022-11-28
// Each of those causes a PR/issue to *not* be considered as stale anymore.
// Most of these use created_at.
'assigned',
'commented', // uses updated_at, because that could be > created_at
'committed', // uses committer.date
'head_ref_force_pushed',
'milestoned',
'pinned',
'ready_for_review',
'renamed',
'reopened',
'review_dismissed',
'review_requested',
'reviewed', // uses submitted_at
'unlocked',
'unmarked_as_duplicate',
].includes(event),
)
.map(
({ created_at, updated_at, committer, submitted_at }) =>
new Date(
updated_at ?? created_at ?? submitted_at ?? committer.date,
),
)
// Reverse sort by date value. The default sort() sorts by string representation, which is bad for dates.
.sort((a, b) => b - a)
.at(0) ?? item.created_at,
)
log('latest_event_at', latest_event_at.toISOString())
const stale_at = new Date(new Date().setDate(new Date().getDate() - 180))
// Create a map (Label -> Boolean) of all currently set labels.
// Each label is set to True and can be disabled later.
const before = Object.fromEntries(
(
await github.paginate(github.rest.issues.listLabelsOnIssue, {
...context.repo,
issue_number,
})
).map(({ name }) => [name, true]),
)
Object.assign(itemLabels, {
'2.status: stale':
!before['1.severity: security'] && latest_event_at < stale_at,
})
const after = Object.assign({}, before, itemLabels)
// No need for an API request, if all labels are the same.
const hasChanges = Object.keys(after).some(
(name) => (before[name] ?? false) != after[name],
)
if (log('Has changes', hasChanges, !hasChanges)) return
// Skipping labeling on a pull_request event, because we have no privileges.
const labels = Object.entries(after)
.filter(([, value]) => value)
.map(([name]) => name)
if (log('Set labels', labels, dry)) return
await github.rest.issues.setLabels({
...context.repo,
issue_number,
labels,
})
} catch (cause) {
throw new Error(`Labeling #${item.number} failed.`, { cause })
}
}
await withRateLimit({ github, core }, async (stats) => {
if (context.payload.pull_request) {
await handle({ item: context.payload.pull_request, stats })
} else {
const lastRun = (
await github.rest.actions.listWorkflowRuns({
...context.repo,
workflow_id: 'labels.yml',
event: 'schedule',
status: 'success',
exclude_pull_requests: true,
per_page: 1,
})
).data.workflow_runs[0]
const cutoff = new Date(
Math.max(
// Go back as far as the last successful run of this workflow to make sure
// we are not leaving anyone behind on GHA failures.
// Defaults to go back 1 hour on the first run.
new Date(lastRun?.created_at ?? new Date().getTime() - 1 * 60 * 60 * 1000).getTime(),
// Go back max. 1 day to prevent hitting all API rate limits immediately,
// when GH API returns a wrong workflow by accident.
new Date().getTime() - 24 * 60 * 60 * 1000,
),
)
core.info('cutoff timestamp: ' + cutoff.toISOString())
const updatedItems = await github.paginate(
github.rest.search.issuesAndPullRequests,
{
q: [
`repo:"${context.repo.owner}/${context.repo.repo}"`,
'is:open',
`updated:>=${cutoff.toISOString()}`,
].join(' AND '),
per_page: 100,
// TODO: Remove in 2025-10, when it becomes the default.
advanced_search: true,
},
)
let cursor
// No workflow run available the first time.
if (lastRun) {
// The cursor to iterate through the full list of issues and pull requests
// is passed between jobs as an artifact.
const artifact = (
await github.rest.actions.listWorkflowRunArtifacts({
...context.repo,
run_id: lastRun.id,
name: 'pagination-cursor',
})
).data.artifacts[0]
// If the artifact is not available, the next iteration starts at the beginning.
if (artifact) {
stats.artifacts++
const { downloadPath } = await artifactClient.downloadArtifact(
artifact.id,
{
findBy: {
repositoryName: context.repo.repo,
repositoryOwner: context.repo.owner,
token: core.getInput('github-token'),
},
expectedHash: artifact.digest,
},
)
cursor = await readFile(path.resolve(downloadPath, 'cursor'), 'utf-8')
}
}
// From GitHub's API docs:
// GitHub's REST API considers every pull request an issue, but not every issue is a pull request.
// For this reason, "Issues" endpoints may return both issues and pull requests in the response.
// You can identify pull requests by the pull_request key.
const allItems = await github.rest.issues.listForRepo({
...context.repo,
state: 'open',
sort: 'created',
direction: 'asc',
per_page: 100,
after: cursor,
})
// Regex taken and comment adjusted from:
// https://github.com/octokit/plugin-paginate-rest.js/blob/8e5da25f975d2f31dda6b8b588d71f2c768a8df2/src/iterator.ts#L36-L41
// `allItems.headers.link` format:
// <https://api.github.com/repositories/4542716/issues?page=3&per_page=100&after=Y3Vyc29yOnYyOpLPAAABl8qNnYDOvnSJxA%3D%3D>; rel="next",
// <https://api.github.com/repositories/4542716/issues?page=1&per_page=100&before=Y3Vyc29yOnYyOpLPAAABl8xFV9DOvoouJg%3D%3D>; rel="prev"
// Sets `next` to undefined if "next" URL is not present or `link` header is not set.
const next = ((allItems.headers.link ?? '').match(
/<([^<>]+)>;\s*rel="next"/,
) ?? [])[1]
if (next) {
cursor = new URL(next).searchParams.get('after')
const uploadPath = path.resolve('cursor')
await writeFile(uploadPath, cursor, 'utf-8')
if (dry) {
core.info(`pagination-cursor: ${cursor} (upload skipped)`)
} else {
// No stats.artifacts++, because this does not allow passing a custom token.
// Thus, the upload will not happen with the app token, but the default github.token.
await artifactClient.uploadArtifact(
'pagination-cursor',
[uploadPath],
path.resolve('.'),
{
retentionDays: 1,
},
)
}
}
// Some items might be in both search results, so filtering out duplicates as well.
const items = []
.concat(updatedItems, allItems.data)
.filter(
(thisItem, idx, arr) =>
idx ==
arr.findIndex((firstItem) => firstItem.number == thisItem.number),
)
;(await Promise.allSettled(items.map((item) => handle({ item, stats }))))
.filter(({ status }) => status == 'rejected')
.map(({ reason }) =>
core.setFailed(`${reason.message}\n${reason.cause.stack}`),
)
}
})
}

1908
ci/github-script/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

10
ci/github-script/package.json
View File

@@ -1,10 +0,0 @@
{
"private": true,
"dependencies": {
"@actions/artifact": "2.3.2",
"@actions/core": "1.11.1",
"@actions/github": "6.0.1",
"bottleneck": "2.19.5",
"commander": "14.0.0"
}
}

72
ci/github-script/run
View File

@@ -1,72 +0,0 @@
#!/usr/bin/env -S node --import ./run
import { execSync } from 'node:child_process'
import { closeSync, mkdtempSync, openSync, rmSync } from 'node:fs'
import { tmpdir } from 'node:os'
import { join } from 'node:path'
import { program } from 'commander'
import * as core from '@actions/core'
import { getOctokit } from '@actions/github'
async function run(action, owner, repo, pull_number, dry = true) {
const token = execSync('gh auth token', { encoding: 'utf-8' }).trim()
const github = getOctokit(token)
const payload = !pull_number ? {} : {
pull_request: (await github.rest.pulls.get({
owner,
repo,
pull_number,
})).data
}
process.env['INPUT_GITHUB-TOKEN'] = token
closeSync(openSync('step-summary.md', 'w'))
process.env.GITHUB_STEP_SUMMARY = 'step-summary.md'
await action({
github,
context: {
payload,
repo: {
owner,
repo,
},
},
core,
dry,
})
}
program
.command('commits')
.description('Check commit structure of a pull request.')
.argument('<owner>', 'Owner of the GitHub repository to check (Example: NixOS)')
.argument('<repo>', 'Name of the GitHub repository to check (Example: nixpkgs)')
.argument('<pr>', 'Number of the Pull Request to check')
.action(async (owner, repo, pr) => {
const commits = (await import('./commits.js')).default
run(commits, owner, repo, pr)
})
program
.command('labels')
.description('Manage labels on pull requests.')
.argument('<owner>', 'Owner of the GitHub repository to label (Example: NixOS)')
.argument('<repo>', 'Name of the GitHub repository to label (Example: nixpkgs)')
.argument('[pr]', 'Number of the Pull Request to label')
.option('--no-dry', 'Make actual modifications')
.action(async (owner, repo, pr, options) => {
const labels = (await import('./labels.js')).default
const tmp = mkdtempSync(join(tmpdir(), 'github-script-'))
try {
process.env.GITHUB_WORKSPACE = tmp
process.chdir(tmp)
run(labels, owner, repo, pr, options.dry)
} finally {
rmSync(tmp, { recursive: true })
}
})
await program.parse()

25
ci/github-script/shell.nix
View File

@@ -1,25 +0,0 @@
{
system ? builtins.currentSystem,
pkgs ? (import ../. { inherit system; }).pkgs,
}:
pkgs.callPackage (
{
gh,
importNpmLock,
mkShell,
nodejs,
}:
mkShell {
packages = [
gh
importNpmLock.hooks.linkNodeModulesHook
nodejs
];
npmDeps = importNpmLock.buildNodeModules {
npmRoot = ./.;
inherit nodejs;
};
}
) { }

63
ci/github-script/withRateLimit.js
View File

@@ -1,63 +0,0 @@
module.exports = async function ({ github, core }, callback) {
const Bottleneck = require('bottleneck')
const stats = {
issues: 0,
prs: 0,
requests: 0,
artifacts: 0,
}
// Rate-Limiting and Throttling, see for details:
// https://github.com/octokit/octokit.js/issues/1069#throttling
// https://docs.github.com/en/rest/using-the-rest-api/best-practices-for-using-the-rest-api
const allLimits = new Bottleneck({
// Avoid concurrent requests
maxConcurrent: 1,
// Will be updated with first `updateReservoir()` call below.
reservoir: 0,
})
// Pause between mutative requests
const writeLimits = new Bottleneck({ minTime: 1000 }).chain(allLimits)
github.hook.wrap('request', async (request, options) => {
// Requests to a different host do not count against the rate limit.
if (options.url.startsWith('https://github.com')) return request(options)
// Requests to the /rate_limit endpoint do not count against the rate limit.
if (options.url == '/rate_limit') return request(options)
// Search requests are in a different resource group, which allows 30 requests / minute.
// We do less than a handful each run, so not implementing throttling for now.
if (options.url.startsWith('/search/')) return request(options)
stats.requests++
if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(options.method))
return writeLimits.schedule(request.bind(null, options))
else return allLimits.schedule(request.bind(null, options))
})
async function updateReservoir() {
let response
try {
response = await github.rest.rateLimit.get()
} catch (err) {
core.error(`Failed updating reservoir:\n${err}`)
// Keep retrying on failed rate limit requests instead of exiting the script early.
return
}
// Always keep 1000 spare requests for other jobs to do their regular duty.
// They normally use below 100, so 1000 is *plenty* of room to work with.
const reservoir = Math.max(0, response.data.resources.core.remaining - 1000)
core.info(`Updating reservoir to: ${reservoir}`)
allLimits.updateSettings({ reservoir })
}
await updateReservoir()
// Update remaining requests every minute to account for other jobs running in parallel.
const reservoirUpdater = setInterval(updateReservoir, 60 * 1000)
try {
await callback(stats)
} finally {
clearInterval(reservoirUpdater)
core.notice(
`Processed ${stats.prs} PRs, ${stats.issues} Issues, made ${stats.requests + stats.artifacts} API requests and downloaded ${stats.artifacts} artifacts.`,
)
}
}

53
ci/nixpkgs-vet.nix
View File

@@ -1,53 +0,0 @@
{
lib,
nix,
nixpkgs-vet,
runCommand,
}:
{
base ? ../.,
head ? ../.,
}:
let
filtered =
with lib.fileset;
path:
toSource {
fileset = (gitTracked path);
root = path;
};
in
runCommand "nixpkgs-vet"
{
nativeBuildInputs = [
nixpkgs-vet
];
env.NIXPKGS_VET_NIX_PACKAGE = nix;
}
''
export NIX_STATE_DIR=$(mktemp -d)
nixpkgs-vet --base ${filtered base} ${filtered head}
# TODO: Upstream into nixpkgs-vet, see:
# https://github.com/NixOS/nixpkgs-vet/issues/164
badFiles=$(find ${filtered head}/pkgs -type f -name '*.nix' -print | xargs grep -l '^[^#]*<nixpkgs/' || true)
if [[ -n $badFiles ]]; then
echo "Nixpkgs is not allowed to use <nixpkgs> to refer to itself."
echo "The offending files:"
echo "$badFiles"
exit 1
fi
# TODO: Upstream into nixpkgs-vet, see:
# https://github.com/NixOS/nixpkgs-vet/issues/166
conflictingPaths=$(find ${filtered head} | awk '{ print $1 " " tolower($1) }' | sort -k2 | uniq -D -f 1 | cut -d ' ' -f 1)
if [[ -n $conflictingPaths ]]; then
echo "Files in nixpkgs must not vary only by case."
echo "The offending paths:"
echo "$conflictingPaths"
exit 1
fi
touch $out
''

7
ci/nixpkgs-vet.sh
View File

@@ -61,6 +61,11 @@ trace "Done"
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
git -C "$tmp/merged" merge -q --no-edit "$baseSha"
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
trace -e "\e[34m$toolVersion\e[0m"
trace -n "Building tool.. "
nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
trace "Running nixpkgs-vet.."
nix-build ci -A nixpkgs-vet --arg base "$tmp/base" --arg head "$tmp/merged"
"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

1
ci/nixpkgs-vet/pinned-version.txt Normal file
View File

@@ -0,0 +1 @@
0.1.4

22
ci/nixpkgs-vet/update-pinned-tool.sh Executable file
View File

@@ -0,0 +1,22 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq curl
set -o pipefail -o errexit -o nounset
trace() { echo >&2 "$@"; }
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
repository=NixOS/nixpkgs-vet
pin_file=$SCRIPT_DIR/pinned-version.txt
trace -n "Fetching latest release of $repository.. "
latestRelease=$(curl -sSfL \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/"$repository"/releases/latest)
latestVersion=$(jq .tag_name -r <<< "$latestRelease")
trace "$latestVersion"
trace "Updating $pin_file"
echo "$latestVersion" > "$pin_file"

43
ci/parse.nix
View File

@@ -1,43 +0,0 @@
{
lib,
nix,
runCommand,
}:
let
nixpkgs =
with lib.fileset;
toSource {
root = ../.;
fileset = (fileFilter (file: file.hasExt "nix") ../.);
};
in
runCommand "nix-parse-${nix.name}"
{
nativeBuildInputs = [
nix
];
}
''
export NIX_STORE_DIR=$TMPDIR/store
export NIX_STATE_DIR=$TMPDIR/state
cd "${nixpkgs}"
# Passes all files to nix-instantiate at once.
# Much faster, but will only show first error.
parse-all() {
find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse >/dev/null 2>/dev/null
}
# Passes each file separately to nix-instantiate with -n1.
# Much slower, but will show all errors.
parse-each() {
find . -type f -iname '*.nix' | xargs -n1 -P $(nproc) nix-instantiate --parse >/dev/null
}
if ! parse-all; then
parse-each
fi
touch $out
''

4
ci/pinned-nixpkgs.json Normal file
View File

@@ -0,0 +1,4 @@
{
"rev": "5757bbb8bd7c0630a0cc4bb19c47e588db30b97c",
"sha256": "0px0lr7ad2zrws400507c9w5nnaffz9mp9hqssm64icdm6f6h0fz"
}

31
ci/pinned.json
View File

@@ -1,31 +0,0 @@
{
"pins": {
"nixpkgs": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "NixOS",
"repo": "nixpkgs"
},
"branch": "nixpkgs-unstable",
"submodules": false,
"revision": "2baf8e1658cba84a032c3a8befb1e7b06629242a",
"url": "https://github.com/NixOS/nixpkgs/archive/2baf8e1658cba84a032c3a8befb1e7b06629242a.tar.gz",
"hash": "0l48zkf2zs7r53fjq46j770vpb5avxihyfypra3fv429akqnsmm1"
},
"treefmt-nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "numtide",
"repo": "treefmt-nix"
},
"branch": "main",
"submodules": false,
"revision": "421b56313c65a0815a52b424777f55acf0b56ddf",
"url": "https://github.com/numtide/treefmt-nix/archive/421b56313c65a0815a52b424777f55acf0b56ddf.tar.gz",
"hash": "1l57hzz704s7izkkcl3xsg77xjfza57cl0fchs24rdpdhmry2dmp"
}
},
"version": 5
}

62
ci/supportedBranches.js
View File

@@ -1,62 +0,0 @@
#!/usr/bin/env nix-shell
/*
#!nix-shell -i node -p nodejs
*/
const typeConfig = {
master: ['development', 'primary'],
release: ['development', 'primary'],
staging: ['development', 'secondary'],
'staging-next': ['development', 'secondary'],
'haskell-updates': ['development', 'secondary'],
'python-updates': ['development', 'secondary'],
nixos: ['channel'],
nixpkgs: ['channel'],
}
function split(branch) {
return { ...branch.match(/(?<prefix>.+?)(-(?<version>\d{2}\.\d{2}|unstable)(?:-(?<suffix>.*))?)?$/).groups }
}
function classify(branch) {
const { prefix, version } = split(branch)
return {
stable: (version ?? 'unstable') !== 'unstable',
type: typeConfig[prefix] ?? [ 'wip' ]
}
}
module.exports = { classify }
// If called directly via CLI, runs the following tests:
if (!module.parent) {
console.log('split(branch)')
function testSplit(branch) {
console.log(branch, split(branch))
}
testSplit('master')
testSplit('release-25.05')
testSplit('staging-next')
testSplit('staging-25.05')
testSplit('staging-next-25.05')
testSplit('nixpkgs-25.05-darwin')
testSplit('nixpkgs-unstable')
testSplit('haskell-updates')
testSplit('backport-123-to-release-25.05')
console.log('')
console.log('classify(branch)')
function testClassify(branch) {
console.log(branch, classify(branch))
}
testClassify('master')
testClassify('release-25.05')
testClassify('staging-next')
testClassify('staging-25.05')
testClassify('staging-next-25.05')
testClassify('nixpkgs-25.05-darwin')
testClassify('nixpkgs-unstable')
testClassify('haskell-updates')
testClassify('backport-123-to-release-25.05')
}

6
ci/supportedSystems.json
View File

@@ -1,6 +0,0 @@
[
"aarch64-linux",
"aarch64-darwin",
"x86_64-linux",
"x86_64-darwin"
]

6
ci/supportedSystems.nix Normal file
View File

@@ -0,0 +1,6 @@
[
"aarch64-linux"
"aarch64-darwin"
"x86_64-linux"
"x86_64-darwin"
]

17
ci/update-pinned-nixpkgs.sh Executable file
View File

@@ -0,0 +1,17 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq
set -euo pipefail
# https://stackoverflow.com/a/246128
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
repo=https://github.com/nixos/nixpkgs
branch=nixpkgs-unstable
file=$SCRIPT_DIR/pinned-nixpkgs.json
defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
rev=${1:-$defaultRev}
sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file

8
ci/update-pinned.sh
View File

@@ -1,8 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p npins
set -euo pipefail
cd "$(dirname "${BASH_SOURCE[0]}")"
npins --lock-file pinned.json update

60
doc/README.md
View File

@@ -34,43 +34,25 @@ $ nix-build doc
If the build succeeds, the manual will be in `./result/share/doc/nixpkgs/manual.html`.
### Development environment
### devmode
In order to reduce repetition, consider using tools from the provided development environment:
Load it from the Nixpkgs documentation directory with
```ShellSession
$ cd /path/to/nixpkgs/doc
$ nix-shell
```
To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
```
/**/.envrc
/**/.direnv
```
#### `devmode`
Use [`devmode`](../pkgs/by-name/de/devmode/README.md) for a live preview when editing the manual.
The shell in the manual source directory makes available a command, `devmode`.
It is a daemon, that:
1. watches the manual's source for changes and when they occur — rebuilds
2. HTTP serves the manual, injecting a script that triggers reload on changes
3. opens the manual in the default browser
### Testing redirects
Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload.
This is because browsers do not re-run client JS code when only the anchor has changed.
Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.
## Syntax
As per [RFC 0072](https://github.com/NixOS/rfcs/pull/72), all new documentation content should be written in [CommonMark](https://commonmark.org/) Markdown dialect.
Additional syntax extensions are available, all of which can be used in NixOS option documentation.
The following extensions are currently used:
Additional syntax extensions are available, all of which can be used in NixOS option documentation. The following extensions are currently used:
#### Tables
@@ -78,8 +60,7 @@ Tables, using the [GitHub-flavored Markdown syntax](https://github.github.com/gf
#### Anchors
Explicitly defined **anchors** on headings, to allow linking to sections.
These should be always used, to ensure the anchors can be linked even when the heading text changes, and to prevent conflicts between [automatically assigned identifiers](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/auto_identifiers.md).
Explicitly defined **anchors** on headings, to allow linking to sections. These should be always used, to ensure the anchors can be linked even when the heading text changes, and to prevent conflicts between [automatically assigned identifiers](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/auto_identifiers.md).
It uses the widely compatible [header attributes](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/attributes.md) syntax:
@@ -102,21 +83,18 @@ They are defined using a hybrid of the link syntax with the attributes syntax kn
#### Automatic links
If you **omit a link text** for a link pointing to a section, the text will be substituted automatically.
For example `[](#chap-contributing)`.
If you **omit a link text** for a link pointing to a section, the text will be substituted automatically. For example `[](#chap-contributing)`.
This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#targets-and-cross-referencing).
#### HTML
Inlining HTML is not allowed.
Parts of the documentation gets rendered to various non-HTML formats, such as man pages in the case of NixOS manual.
Inlining HTML is not allowed. Parts of the documentation gets rendered to various non-HTML formats, such as man pages in the case of NixOS manual.
#### Roles
If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``.
The references will turn into links when a mapping exists in [`doc/manpage-urls.json`](./manpage-urls.json).
If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``. The references will turn into links when a mapping exists in [`doc/manpage-urls.json`](./manpage-urls.json).
Please keep the `manpage-urls.json` file alphabetically sorted.
A few markups for other kinds of literals are also available:
@@ -129,9 +107,7 @@ A few markups for other kinds of literals are also available:
These literal kinds are used mostly in NixOS option documentation.
This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point).
Though, the feature originates from [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage) with slightly different syntax.
They are handled by `myst_role` defined per renderer. <!-- reverse references in code -->
This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point). Though, the feature originates from [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage) with slightly different syntax.
#### Admonitions
@@ -333,11 +309,8 @@ Otherwise, just describe the single argument or start the arguments' definition
Checklist:
- Start with a synopsis, to show the order of positional arguments.
- Metavariables are in emphasized code spans: ``` *`arg1`* ```.
Metavariables are placeholders where users may write arbitrary expressions.
This includes positional arguments.
- Attribute names are regular code spans: ``` `attr1` ```.
These identifiers can _not_ be picked freely by users, so they are _not_ metavariables.
- Metavariables are in emphasized code spans: ``` *`arg1`* ```. Metavariables are placeholders where users may write arbitrary expressions. This includes positional arguments.
- Attribute names are regular code spans: ``` `attr1` ```. These identifiers can _not_ be picked freely by users, so they are _not_ metavariables.
- _optional_ attributes have a _`Default:`_ if it's easily described as a value.
- _optional_ attributes have a _`Default behavior:`_ if it's not easily described using a value.
- Nix types aren't in code spans, because they are not code
@@ -414,8 +387,7 @@ This syntax is taken from [CommonMark](https://spec.commonmark.org/0.30/#link-re
#### Typographic replacements
Typographic replacements are enabled.
Check the [list of possible replacement patterns check](https://github.com/executablebooks/markdown-it-py/blob/3613e8016ecafe21709471ee0032a90a4157c2d1/markdown_it/rules_core/replacements.py#L1-L15).
Typographic replacements are enabled. Check the [list of possible replacement patterns check](https://github.com/executablebooks/markdown-it-py/blob/3613e8016ecafe21709471ee0032a90a4157c2d1/markdown_it/rules_core/replacements.py#L1-L15).
## Getting help

29
doc/build-helpers/dev-shell-tools.chapter.md
View File

@@ -20,12 +20,12 @@ Converts Nix values to strings in the way the [`derivation` built-in function](h
```nix
devShellTools.valueToString (builtins.toFile "foo" "bar")
# => "/nix/store/...-foo"
=> "/nix/store/...-foo"
```
```nix
devShellTools.valueToString false
# => ""
=> ""
```
:::
@@ -42,22 +42,16 @@ This function does not support `__structuredAttrs`, but does support `passAsFile
devShellTools.unstructuredDerivationInputEnv {
drvAttrs = {
name = "foo";
buildInputs = [
hello
figlet
];
buildInputs = [ hello figlet ];
builder = bash;
args = [
"-c"
"${./builder.sh}"
];
args = [ "-c" "${./builder.sh}" ];
};
}
# => {
# name = "foo";
# buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
# builder = "/nix/store/...-bash";
#}
=> {
name = "foo";
buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
builder = "/nix/store/...-bash";
}
```
Note that `args` is not included, because Nix does not added it to the builder process environment.
@@ -75,10 +69,7 @@ Takes the relevant parts of a derivation and returns a set of environment variab
let
pkg = hello;
in
devShellTools.derivationOutputEnv {
outputList = pkg.outputs;
outputMap = pkg;
}
devShellTools.derivationOutputEnv { outputList = pkg.outputs; outputMap = pkg; }
```
:::

32
doc/build-helpers/fetchers.chapter.md
View File

@@ -163,8 +163,6 @@ Nixpkgs fetchers can make use of a http(s) proxy. Each fetcher will automaticall
The environment variable `NIX_SSL_CERT_FILE` is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors.
To use a temporary Tor instance as a proxy for fetching from `.onion` addresses, add `nativeBuildInputs = [ tor.proxyHook ];` to the fetcher parameters.
[]{#fetchurl}
## `fetchurl` {#sec-pkgs-fetchers-fetchurl}
@@ -493,11 +491,7 @@ It might be useful to manipulate the content downloaded by `fetchurl` directly i
In this example, we'll adapt [](#ex-fetchers-fetchurl-nixpkgs-version) to append the result of running the `hello` package to the contents we download, purely to illustrate how to manipulate the content.
```nix
{
fetchurl,
hello,
lib,
}:
{ fetchurl, hello, lib }:
fetchurl {
url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
@@ -720,10 +714,9 @@ A wrapper around `fetchpatch`, which takes:
Here is an example of `fetchDebianPatch` in action:
```nix
{
lib,
fetchDebianPatch,
buildPythonPackage,
{ lib
, fetchDebianPatch
, buildPythonPackage
}:
buildPythonPackage rec {
@@ -775,14 +768,9 @@ Additionally, the following optional arguments can be given:
: Whether to fetch LFS objects.
*`preFetch`* (String)
: Shell code to be executed before the repository has been fetched, to allow
changing the environment the fetcher runs in.
*`postFetch`* (String)
: Shell code executed after the repository has been fetched successfully.
: Shell code executed after the file has been fetched successfully.
This can do things like check or transform the file.
*`leaveDotGit`* (Boolean)
@@ -797,10 +785,6 @@ Additionally, the following optional arguments can be given:
: Clone the entire repository as opposing to just creating a shallow clone.
This implies `leaveDotGit`.
*`fetchTags`* (Boolean)
: Whether to fetch all tags from the remote repository. This is useful when the build process needs to run `git describe` or other commands that require tag information to be available. This parameter implies `leaveDotGit`, as tags are stored in the `.git` directory.
*`sparseCheckout`* (List of String)
: Prevent git from fetching unnecessary blobs from server.
@@ -842,7 +826,7 @@ Used with CVS. Expects `cvsRoot`, `tag`, and `hash`.
## `fetchhg` {#fetchhg}
Used with Mercurial. Expects `url`, `rev`, `hash`, overridable with [`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs).
Used with Mercurial. Expects `url`, `rev`, and `hash`.
A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are mainly convenience functions intended for commonly used destinations of source code in Nixpkgs. These wrapper fetchers are listed below.
@@ -930,9 +914,7 @@ It produces packages that cannot be built automatically.
{ fetchtorrent }:
fetchtorrent {
config = {
peer-limit-global = 100;
};
config = { peer-limit-global = 100; };
url = "magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c";
hash = "";
}

Some files were not shown because too many files have changed in this diff Show More