Merge release-25.11 into staging-next-25.11

.github/workflows/periodic-merge-24h.yml

@@ -22,7 +22,7 @@ defaults:
 
 jobs:
   periodic-merge:
-    if: github.repository_owner == 'NixOS'
+    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -49,3 +49,34 @@ jobs:
     name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+
+  # Resets the target branch of the current haskell-updates PR.
+  # This makes GitHub hide all the commits that are already part of staging and gives us a much clearer PR view.
+  haskell-updates:
+    needs: periodic-merge
+    runs-on: ubuntu-slim
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Find PR and update target branch
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            // There will at most be a single haskell-updates PR anyway, so no need to paginate.
+            await Promise.all(
+              (
+                await github.rest.pulls.list({
+                  ...context.repo,
+                  state: 'open',
+                  head: `${context.repo.owner}:haskell-updates`,
+                })
+              ).data.map((pr) =>
+                github.rest.pulls.update({
+                  ...context.repo,
+                  pull_number: pr.number,
+                  // Just updating to the same branch to trigger a UI update.
+                  // This is staging most of the time, but could be staging-next in rare cases.
+                  base: pr.base.ref,
+                }),
+              ),
+            )

.github/workflows/periodic-merge-6h.yml

@@ -22,7 +22,7 @@ defaults:
 
 jobs:
   periodic-merge:
-    if: github.repository_owner == 'NixOS'
+    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false

pkgs/by-name/je/jellyfin-web/package.nix

@@ -13,7 +13,7 @@
 }:
 buildNpmPackage rec {
   pname = "jellyfin-web";
-  version = "10.11.8";
+  version = "10.11.10";
 
   src =
     assert version == jellyfin.version;
@@ -21,7 +21,7 @@ buildNpmPackage rec {
       owner = "jellyfin";
       repo = "jellyfin-web";
       tag = "v${version}";
-      hash = "sha256-Nrh4BNlhJyzj9cXQ6Yr7349r5H+4r9W3aldcg9+J6dU=";
+      hash = "sha256-fSpzF6Arx0JfL9fuQHjzf3m82XZR2BZkV0lA37L4DN4=";
     };
 
   nodejs = nodejs_22;
@@ -31,7 +31,7 @@ buildNpmPackage rec {
       --replace-fail "git describe --always --dirty" "echo ${src.rev}" \
   '';
 
-  npmDepsHash = "sha256-oxytp6n/4X1bhpfFqpqMAji86sbjV669F324zY3hoK4=";
+  npmDepsHash = "sha256-DCFgivbZrDufRaB+4PeFxO6ISbEM9lXhXmlzc/5GbVU=";
 
   preBuild = ''
     # using sass-embedded fails at executing node_modules/sass-embedded-linux-x64/dart-sass/src/dart

pkgs/by-name/je/jellyfin/package.nix

@@ -13,13 +13,13 @@
 
 buildDotnetModule rec {
   pname = "jellyfin";
-  version = "10.11.8"; # ensure that jellyfin-web has matching version
+  version = "10.11.10"; # ensure that jellyfin-web has matching version
 
   src = fetchFromGitHub {
     owner = "jellyfin";
     repo = "jellyfin";
     tag = "v${version}";
-    hash = "sha256-wBf561mZvC65Hu4MHHSu8YeILQDp/WN9vGA+JxGXwE8=";
+    hash = "sha256-bad532F8Ln5Y3TV4x5c7mgsiI+ZJGTZoahuSZhefMvQ=";
   };
 
   propagatedBuildInputs = [ sqlite ];

pkgs/by-name/ma/mattermost/package.nix

@@ -26,8 +26,8 @@
     #
     # Ensure you also check ../mattermostLatest/package.nix.
     regex = "^v(10\\.11\\.[0-9]+)$";
-    version = "10.11.17";
-    srcHash = "sha256-RS/Q3Q2UJjUuQQ8PaaLkVe00ixhZML2jBHeAq0/n/aA=";
+    version = "10.11.18";
+    srcHash = "sha256-oHBuC31mvWiPbL6iOBg7yTxCXQbXmnfsCvSTGdmz+xk=";
     vendorHash = "sha256-zngDxO3UCuB53PMpaE+ga8v2FL5l78BD2NmJsu+zZ00=";
     npmDepsHash = "sha256-p9dq31qw0EZDQIl2ysKE38JgDyLA6XvSv+VtHuRh+8A=";
     lockfileOverlay = ''
@@ -176,13 +176,6 @@ buildMattermost rec {
     })
   ];
 
-  postPatch = ''
-    if [ "$version" == 10.11.17 ]; then
-      # 25.11 only: tagged and released as 10.11.17 but prints the wrong version
-      substituteInPlace server/public/model/version.go --replace-fail "10.11.16" "10.11.17"
-    fi
-  '';
-
   modRoot = "./server";
   preBuild = ''
     make setup-go-work

pkgs/by-name/ma/mattermostLatest/package.nix

@@ -15,10 +15,10 @@ mattermost.override (
       # and make sure the version regex is up to date here.
       # Ensure you also check ../mattermost/package.nix for ESR releases.
       regex = "^v(11\\.[0-9]+\\.[0-9]+)$";
-      version = "11.7.0";
-      srcHash = "sha256-oH9bLN2BPvRSWl5m3VNHBNMBXfdmkwaE9tzL7pcD1mg=";
-      vendorHash = "sha256-PmwwiXNaDarc1H7z1G4zstgs7tvmZ/d7V5eGqMh1VX4=";
-      npmDepsHash = "sha256-C3vfWW2hMOMnrPn1538kT+ma09T9VswrmADV/KPkrPc=";
+      version = "11.7.1";
+      srcHash = "sha256-9eI9tX6qHEEzm7aro7ky2JORfAmqbjmrmxABFVTZzW8=";
+      vendorHash = "sha256-xu399pAtIJUIns+GhKFlDR0crWV+8HiN9Wf38EMu5q8=";
+      npmDepsHash = "sha256-M+yoCLR4yT30n3rhqZu1z8zeWas+5VniP4aaIJPz6VU=";
       autoUpdate = ./package.nix;
     };
   }

pkgs/development/python-modules/nodriver/default.nix

@@ -11,12 +11,12 @@
 
 buildPythonPackage rec {
   pname = "nodriver";
-  version = "0.48.1";
+  version = "0.50.3";
   pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-SsjNiLavEzwm3BV/t49asXRipZtKDaMwTjrxK75LQ0M=";
+    hash = "sha256-JMpojYZG74/61cjOZYBOXnZxp3mtJqJNdvZGXVZmxjE=";
   };
 
   disabled = pythonOlder "3.9";