lib: fix merging of functions

.editorconfig

@@ -44,10 +44,6 @@ indent_size = 4
 indent_size = 2
 indent_style = space
 
-# Match package.json, which are generally pulled from upstream and accept them as they are
-[package.json]
-indent_style = unset
-
 # Disable file types or individual files
 # some of these files may be auto-generated and/or require significant changes
 

.git-blame-ignore-revs

@@ -40,9 +40,6 @@ d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
 # fix indentation in meteor default.nix
 a37a6de881ec4c6708e6b88fd16256bbc7f26bbd
 
-# pkgs/stdenv/make-derivation: Reindent
-b4cc2a2479a7ab0f6440b2e1319221920ef72699
-
 # treewide: automatically md-convert option descriptions
 2e751c0772b9d48ff6923569adfa661b030ab6a2
 
@@ -157,52 +154,5 @@ bdfde18037f8d9f9b641a4016c8ada4dc4cbf856
 # nixos/ollama: format with nixfmt-rfc-style (#329561)
 246d1ee533810ac1946d863bbd9de9b525818d56
 
-# steam: cleanup (#216972)
-ad815aebfbfe1415ff6436521d545029c803c3fb
-
 # nixos/nvidia: apply nixfmt-rfc-style (#313440)
 fbdcdde04a7caa007e825a8b822c75fab9adb2d6
-
-# treewide: reformat files which need reformatting after (#341407)
-e0464e47880a69896f0fb1810f00e0de469f770a
-
-# step-cli: format package.nix with nixfmt (#331629)
-fc7a83f8b62e90de5679e993d4d49ca014ea013d
-
-# ndn-cxx: format with nixfmt-rfc-style
-160b2b769c3b8a6d1ae9947afa77520fa2887db7
-
-# ndn-tools: format with nixfmt-rfc-style
-4882ef721ce3d7bb3b5e48ff80125255db515013
-
-# nfd: format with nixfmt-rfc-style
-548c2377fa81e2abfc192fbf4f521e601251c468
-
-# darwin.stdenv: format with nixfmt-rfc-style (#333962)
-93c10ac9e561c6594d3baaeaff2341907390d9b8
-
-# nrr: format with nixfmt-rfc-style (#334578)
-cffc27daf06c77c0d76bc35d24b929cb9d68c3c9
-
-# nixos/kanidm: inherit lib, nixfmt
-8f18393d380079904d072007fb19dc64baef0a3a
-
-# fetchurl: nixfmt-rfc-style
-ce21e97a1f20dee15da85c084f9d1148d84f853b
-
-# percona: apply nixfmt
-8d14fa2886fec877690c6d28cfcdba4503dbbcea
-
-# nixos/virtualisation: format image-related files
-# Original formatting commit that was reverted
-04fadac429ca7d6b92025188652376c230205730
-# Revert commit
-4cec81a9959ce612b653860dcca53101a36f328a
-# Final commit that does the formatting
-88b285c01d84de82c0b2b052fd28eaf6709c2d26
-
-# sqlc: format with nixfmt
-2bdec131b2bb2c8563f4556d741d34ccb77409e2
-
-# treewide: migrate packages to pkgs/by-name, take 1
-571c71e6f73af34a229414f51585738894211408

.gitattributes

@@ -16,5 +16,3 @@ nixos/doc/default.nix linguist-documentation=false
 
 nixos/modules/module-list.nix merge=union
 # pkgs/top-level/all-packages.nix merge=union
-
-ci/OWNERS linguist-language=CODEOWNERS

.github/CODEOWNERS

@@ -0,0 +1,389 @@
+# CODEOWNERS file
+#
+# This file is used to describe who owns what in this repository. This file does not
+# replace `meta.maintainers` but is instead used for other things than derivations
+# and modules, like documentation, package sets, and other assets.
+#
+# For documentation on this file, see https://help.github.com/articles/about-codeowners/
+# Mentioned users will get code review requests.
+#
+# IMPORTANT NOTE: in order to actually get pinged, commit access is required.
+# This also holds true for GitHub teams. Since almost none of our teams have write
+# permissions, you need to list all members of the team with commit access individually.
+
+# CI
+/.github/workflows @NixOS/Security @Mic92 @zowoq
+/.github/workflows/check-nix-format.yml @infinisil
+/ci @infinisil @NixOS/Security
+
+# Develompent support
+/.editorconfig @Mic92 @zowoq
+/shell.nix @infinisil @NixOS/Security
+
+# Libraries
+/lib                        @infinisil
+/lib/systems                @alyssais @ericson2314
+/lib/generators.nix         @infinisil @Profpatsch
+/lib/cli.nix                @infinisil @Profpatsch
+/lib/debug.nix              @infinisil @Profpatsch
+/lib/asserts.nix            @infinisil @Profpatsch
+/lib/path.*                 @infinisil
+/lib/fileset                @infinisil
+## Libraries / Module system
+/lib/modules.nix            @infinisil @roberth
+/lib/types.nix              @infinisil @roberth
+/lib/options.nix            @infinisil @roberth
+/lib/tests/modules.sh       @infinisil @roberth
+/lib/tests/modules          @infinisil @roberth
+
+# Nixpkgs Internals
+/default.nix                                     @Ericson2314
+/pkgs/top-level/default.nix                      @Ericson2314
+/pkgs/top-level/impure.nix                       @Ericson2314
+/pkgs/top-level/stage.nix                        @Ericson2314
+/pkgs/top-level/splice.nix                       @Ericson2314
+/pkgs/top-level/release-cross.nix                @Ericson2314
+/pkgs/stdenv/generic                             @Ericson2314
+/pkgs/stdenv/generic/check-meta.nix              @Ericson2314
+/pkgs/stdenv/cross                               @Ericson2314
+/pkgs/build-support/cc-wrapper                   @Ericson2314
+/pkgs/build-support/bintools-wrapper             @Ericson2314
+/pkgs/build-support/setup-hooks                  @Ericson2314
+/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
+/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
+/pkgs/pkgs-lib                                   @infinisil
+## Format generators/serializers
+/pkgs/pkgs-lib/formats/libconfig                 @h7x4
+/pkgs/pkgs-lib/formats/hocon                     @h7x4
+
+# pkgs/by-name
+/pkgs/test/check-by-name @infinisil
+/pkgs/by-name/README.md @infinisil
+/pkgs/top-level/by-name-overlay.nix @infinisil
+/.github/workflows/check-by-name.yml @infinisil
+
+# Nixpkgs build-support
+/pkgs/build-support/writers @lassulus @Profpatsch
+
+# Nixpkgs make-disk-image
+/doc/build-helpers/images/makediskimage.section.md  @raitobezarius
+/nixos/lib/make-disk-image.nix                 @raitobezarius
+
+# Nix, the package manager
+# @raitobezarius is not "code owner", but is listed here to be notified of changes
+# pertaining to the Nix package manager.
+# i.e. no authority over those files.
+pkgs/tools/package-management/nix/                    @raitobezarius
+nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
+
+# Nixpkgs documentation
+/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
+/maintainers/scripts/doc @jtojnar @ryantm
+
+# Contributor documentation
+/CONTRIBUTING.md @infinisil
+/.github/PULL_REQUEST_TEMPLATE.md @infinisil
+/doc/contributing/ @infinisil
+/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
+/lib/README.md @infinisil
+/doc/README.md @infinisil
+/nixos/README.md @infinisil
+/pkgs/README.md @infinisil
+/maintainers/README.md @infinisil
+
+# User-facing development documentation
+/doc/development.md @infinisil
+/doc/development @infinisil
+
+# NixOS Internals
+/nixos/default.nix                                    @infinisil
+/nixos/lib/from-env.nix                               @infinisil
+/nixos/lib/eval-config.nix                            @infinisil
+/nixos/modules/system/activation/bootspec.nix         @grahamc @cole-h @raitobezarius
+/nixos/modules/system/activation/bootspec.cue         @grahamc @cole-h @raitobezarius
+
+# NixOS integration test driver
+/nixos/lib/test-driver  @tfc
+
+# NixOS QEMU virtualisation
+/nixos/virtualisation/qemu-vm.nix           @raitobezarius
+
+# ACME
+/nixos/modules/security/acme                @arianvp @flokli @aanderse # no merge permission: @m1cr0man @emilazy
+
+# Systemd
+/nixos/modules/system/boot/systemd.nix      @NixOS/systemd
+/nixos/modules/system/boot/systemd          @NixOS/systemd
+/nixos/lib/systemd-*.nix                    @NixOS/systemd
+/pkgs/os-specific/linux/systemd             @NixOS/systemd
+
+# Systemd-boot
+/nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
+
+# Images and installer media
+/nixos/modules/installer/cd-dvd/
+/nixos/modules/installer/sd-card/
+
+# Updaters
+## update.nix
+/maintainers/scripts/update.nix   @jtojnar
+/maintainers/scripts/update.py    @jtojnar
+## common-updater-scripts
+/pkgs/common-updater/scripts/update-source-version    @jtojnar
+
+# Python-related code and docs
+/doc/languages-frameworks/python.section.md   @mweinelt @natsukium
+/maintainers/scripts/update-python-libraries            @natsukium
+/pkgs/development/interpreters/python                   @natsukium
+/pkgs/top-level/python-packages.nix                     @natsukium
+/pkgs/top-level/release-python.nix                      @natsukium
+
+# Haskell
+/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn @ncfavier
+/maintainers/scripts/haskell                  @sternenseemann @maralorn @ncfavier
+/pkgs/development/compilers/ghc               @sternenseemann @maralorn @ncfavier
+/pkgs/development/haskell-modules             @sternenseemann @maralorn @ncfavier
+/pkgs/test/haskell                            @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn @ncfavier
+
+# Perl
+/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
+/pkgs/top-level/perl-packages.nix   @stigtsp @zakame @marcusramberg
+/pkgs/development/perl-modules      @stigtsp @zakame @marcusramberg
+
+# R
+/pkgs/applications/science/math/R   @jbedo
+/pkgs/development/r-modules         @jbedo
+
+# Rust
+/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
+/pkgs/build-support/rust @zowoq @winterqt @figsoda
+/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
+
+# C compilers
+/pkgs/development/compilers/gcc
+/pkgs/development/compilers/llvm @RossComputerGuy
+/pkgs/development/compilers/emscripten @raitobezarius
+/doc/languages-frameworks/emscripten.section.md @raitobezarius
+
+# Audio
+/nixos/modules/services/audio/botamusique.nix @mweinelt
+/nixos/modules/services/audio/snapserver.nix @mweinelt
+/nixos/tests/modules/services/audio/botamusique.nix @mweinelt
+/nixos/tests/snapcast.nix @mweinelt
+
+# Browsers
+/pkgs/applications/networking/browsers/firefox @mweinelt
+/pkgs/applications/networking/browsers/chromium @emilylange
+/nixos/tests/chromium.nix @emilylange
+
+# Certificate Authorities
+pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
+pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
+pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
+
+# Jetbrains
+/pkgs/applications/editors/jetbrains @edwtjo
+
+# Licenses
+/lib/licenses.nix @alyssais
+
+# Qt
+/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# KDE / Plasma 5
+/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# KDE / Plasma 6
+/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+
+# PostgreSQL and related stuff
+/pkgs/servers/sql/postgresql @thoughtpolice
+/nixos/modules/services/databases/postgresql.xml @thoughtpolice
+/nixos/modules/services/databases/postgresql.nix @thoughtpolice
+/nixos/tests/postgresql.nix @thoughtpolice
+
+# Hardened profile & related modules
+/nixos/modules/profiles/hardened.nix @joachifm
+/nixos/modules/security/hidepid.nix @joachifm
+/nixos/modules/security/lock-kernel-modules.nix @joachifm
+/nixos/modules/security/misc.nix @joachifm
+/nixos/tests/hardened.nix @joachifm
+/pkgs/os-specific/linux/kernel/hardened-config.nix @joachifm
+
+# Home Automation
+/nixos/modules/services/misc/home-assistant.nix @mweinelt
+/nixos/modules/services/misc/zigbee2mqtt.nix @mweinelt
+/nixos/tests/home-assistant.nix @mweinelt
+/nixos/tests/zigbee2mqtt.nix @mweinelt
+/pkgs/servers/home-assistant @mweinelt
+/pkgs/tools/misc/esphome @mweinelt
+
+# Network Time Daemons
+/pkgs/tools/networking/chrony @thoughtpolice
+/pkgs/tools/networking/ntp @thoughtpolice
+/pkgs/tools/networking/openntpd @thoughtpolice
+/nixos/modules/services/networking/ntp @thoughtpolice
+
+# Network
+/pkgs/tools/networking/kea/default.nix @mweinelt
+/pkgs/tools/networking/babeld/default.nix @mweinelt
+/nixos/modules/services/networking/babeld.nix @mweinelt
+/nixos/modules/services/networking/kea.nix @mweinelt
+/nixos/modules/services/networking/knot.nix @mweinelt
+/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
+/nixos/tests/babeld.nix @mweinelt
+/nixos/tests/kea.nix @mweinelt
+/nixos/tests/knot.nix @mweinelt
+
+# Web servers
+/doc/packages/nginx.section.md @raitobezarius
+/pkgs/servers/http/nginx/ @raitobezarius
+/nixos/modules/services/web-servers/nginx/ @raitobezarius
+
+# Dhall
+/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch @ehmry
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
+
+# Idris
+/pkgs/development/idris-modules @Infinisil
+
+# Bazel
+/pkgs/development/tools/build-managers/bazel @Profpatsch
+
+# NixOS modules for e-mail and dns services
+/nixos/modules/services/mail/mailman.nix    @peti
+/nixos/modules/services/mail/postfix.nix    @peti
+/nixos/modules/services/networking/bind.nix @peti
+/nixos/modules/services/mail/rspamd.nix     @peti
+
+# Emacs
+/pkgs/applications/editors/emacs/elisp-packages @adisbladis
+/pkgs/applications/editors/emacs                @adisbladis
+/pkgs/top-level/emacs-packages.nix              @adisbladis
+
+# Neovim
+/pkgs/applications/editors/neovim      @figsoda @teto
+
+# VimPlugins
+/pkgs/applications/editors/vim/plugins         @figsoda
+
+# VsCode Extensions
+/pkgs/applications/editors/vscode/extensions
+
+# PHP interpreter, packages, extensions, tests and documentation
+/doc/languages-frameworks/php.section.md          @aanderse @drupol @globin @ma27 @talyz
+/nixos/tests/php                                  @aanderse @drupol @globin @ma27 @talyz
+/pkgs/build-support/php/build-pecl.nix            @aanderse @drupol @globin @ma27 @talyz
+/pkgs/build-support/php                                     @drupol
+/pkgs/development/interpreters/php       @jtojnar @aanderse @drupol @globin @ma27 @talyz
+/pkgs/development/php-packages                    @aanderse @drupol @globin @ma27 @talyz
+/pkgs/top-level/php-packages.nix         @jtojnar @aanderse @drupol @globin @ma27 @talyz
+
+# Docker tools
+/pkgs/build-support/docker                   @roberth
+/nixos/tests/docker-tools*                   @roberth
+/doc/build-helpers/images/dockertools.section.md  @roberth
+
+# Blockchains
+/pkgs/applications/blockchains  @mmahut @RaghavSood
+
+# Go
+/doc/languages-frameworks/go.section.md @kalbasit @katexochen @Mic92 @zowoq
+/pkgs/build-support/go @kalbasit @katexochen @Mic92 @zowoq
+/pkgs/development/compilers/go @kalbasit @katexochen @Mic92 @zowoq
+
+# GNOME
+/pkgs/desktops/gnome                              @jtojnar
+/pkgs/desktops/gnome/extensions                   @jtojnar
+/pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
+
+# Cinnamon
+/pkgs/by-name/ci/cinnamon-*    @mkg20001
+/pkgs/by-name/cj/cjs           @mkg20001
+/pkgs/by-name/mu/muffin        @mkg20001
+/pkgs/by-name/ne/nemo          @mkg20001
+/pkgs/by-name/ne/nemo-*        @mkg20001
+
+# nim
+/pkgs/development/compilers/nim   @ehmry
+/pkgs/development/nim-packages    @ehmry
+/pkgs/top-level/nim-packages.nix  @ehmry
+
+# terraform providers
+/pkgs/applications/networking/cluster/terraform-providers @zowoq
+
+# Forgejo
+nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
+pkgs/by-name/fo/forgejo/package.nix     @adamcstephens @bendlas @emilylange
+
+# Dotnet
+/pkgs/build-support/dotnet                  @corngood
+/pkgs/development/compilers/dotnet          @corngood
+/pkgs/test/dotnet                           @corngood
+/doc/languages-frameworks/dotnet.section.md @corngood
+
+# Node.js
+/pkgs/build-support/node/build-npm-package      @winterqt
+/pkgs/build-support/node/fetch-npm-deps         @winterqt
+/doc/languages-frameworks/javascript.section.md @winterqt
+
+# environment.noXlibs option aka NoX
+/nixos/modules/config/no-x-libs.nix  @SuperSandro2000
+
+# OCaml
+/pkgs/build-support/ocaml           @ulrikstrid
+/pkgs/development/compilers/ocaml   @ulrikstrid
+/pkgs/development/ocaml-modules     @ulrikstrid
+
+# ZFS
+pkgs/os-specific/linux/zfs/2_1.nix        @raitobezarius
+pkgs/os-specific/linux/zfs/generic.nix    @raitobezarius
+nixos/modules/tasks/filesystems/zfs.nix   @raitobezarius
+nixos/tests/zfs.nix                       @raitobezarius
+
+# Zig
+/pkgs/development/compilers/zig @figsoda
+/doc/hooks/zig.section.md       @figsoda
+
+# Buildbot
+nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
+nixos/tests/buildbot.nix                               @Mic92 @zowoq
+pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
+
+# Pretix
+pkgs/by-name/pr/pretix/ @mweinelt
+pkgs/by-name/pr/pretalx/ @mweinelt
+nixos/modules/services/web-apps/pretix.nix @mweinelt
+nixos/modules/services/web-apps/pretalx.nix @mweinelt
+nixos/tests/web-apps/pretix.nix @mweinelt
+nixos/tests/web-apps/pretalx.nix @mweinelt
+
+# incus/lxc/lxd
+nixos/maintainers/scripts/lxd/          @adamcstephens
+nixos/modules/virtualisation/incus.nix  @adamcstephens
+nixos/modules/virtualisation/lxc*       @adamcstephens
+nixos/modules/virtualisation/lxd*       @adamcstephens
+nixos/tests/incus/                      @adamcstephens
+nixos/tests/lxd/                        @adamcstephens
+pkgs/by-name/in/incus/                  @adamcstephens
+pkgs/by-name/lx/lxc*                    @adamcstephens
+pkgs/by-name/lx/lxd*                    @adamcstephens
+
+# ExpidusOS, Flutter
+/pkgs/development/compilers/flutter @RossComputerGuy
+/pkgs/desktops/expidus              @RossComputerGuy
+
+# GNU Tar & Zip
+/pkgs/tools/archivers/gnutar        @RossComputerGuy
+/pkgs/tools/archivers/zip           @RossComputerGuy
+
+# SELinux
+/pkgs/os-specific/linux/checkpolicy @RossComputerGuy
+/pkgs/os-specific/linux/libselinux  @RossComputerGuy
+/pkgs/os-specific/linux/libsepol    @RossComputerGuy

.github/ISSUE_TEMPLATE.md

@@ -8,4 +8,4 @@
 
 ## Technical details
 
-<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
+Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,44 +7,38 @@ assignees: ''
 
 ---
 
-## Describe the bug
-
-<!-- A clear and concise description of what the bug is. -->
-
-## Steps To Reproduce
+### Describe the bug
+A clear and concise description of what the bug is.
 
+### Steps To Reproduce
 Steps to reproduce the behavior:
-
 1. ...
 2. ...
 3. ...
 
-## Expected behavior
+### Expected behavior
+A clear and concise description of what you expected to happen.
 
-<!-- A clear and concise description of what you expected to happen. -->
+### Screenshots
+If applicable, add screenshots to help explain your problem.
 
-## Screenshots
+### Additional context
+Add any other context about the problem here.
 
-<!-- If applicable, add screenshots to help explain your problem: -->
-
-## Additional context
-
-<!-- Add any other context about the problem here. -->
-
-## Metadata
-
-<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
-
-## Notify maintainers
+### Notify maintainers
 
 <!--
 Please @ people who are in the `meta.maintainers` list of the offending package or module.
 If in doubt, check `git blame` for whoever last touched something.
 -->
 
----
+### Metadata
+Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
 
-Note for maintainers: Please tag this issue in your PR.
+```console
+[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
+output here
+```
 
 ---
 

.github/ISSUE_TEMPLATE/build_failure.md

@@ -7,43 +7,36 @@ assignees: ''
 
 ---
 
-## Steps To Reproduce
+### Steps To Reproduce
 
 Steps to reproduce the behavior:
-
 1. build *X*
 
-## Build log
-
-<!-- insert build log in code block in collapsable section -->
-
-<details>
-
-<summary>Build Log</summary>
+### Build log
 
 ```
+log here if short otherwise a link to a gist
 ```
 
-</details>
+### Additional context
 
-## Additional context
+Add any other context about the problem here.
 
-<!-- Add any other context about the problem here. -->
-
-## Metadata
-
-<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
-
-## Notify maintainers
+### Notify maintainers
 
 <!--
 Please @ people who are in the `meta.maintainers` list of the offending package or module.
 If in doubt, check `git blame` for whoever last touched something.
 -->
 
----
+### Metadata
 
-Note for maintainers: Please tag this issue in your PR.
+Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
+
+```console
+[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
+output here
+```
 
 ---
 

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -23,9 +23,12 @@ assignees: ''
 - [ ] checked [open documentation issues] for possible duplicates
 - [ ] checked [open documentation pull requests] for possible solutions
 
----
-
-Note for maintainers: Please tag this issue in your PR.
+[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
+[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
+[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
+[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
+[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
+[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22
 
 ---
 
@@ -33,9 +36,3 @@ Add a :+1: [reaction] to [issues you find important].
 
 [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
 [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
-[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
-[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
-[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
-[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
-[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
-[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22

.github/ISSUE_TEMPLATE/module_request.md

@@ -1,27 +0,0 @@
----
-name: Module requests
-about: For NixOS modules that you would like to see
-title: 'Module request: MODULENAME'
-labels: '9.needs: module (new)'
-assignees: ''
-
----
-
-## Description
-
-<!-- Describe what the module should accomplish: -->
-
-## Notify maintainers
-
-<!-- If applicable, tag the maintainers of the package that corresponds to the module. If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
-
------
-
-Note for maintainers: Please tag this issue in your PR.
-
----
-
-Add a :+1: [reaction] to [issues you find important].
-
-[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/out_of_date_package_report.md

@@ -7,30 +7,23 @@ assignees: ''
 
 ---
 
-## Package Information
-
-<!-- Search for the package here: https://search.nixos.org/packages?channel=unstable -->
-
 - Package name:
 - Latest released version:
+<!-- Search your package here: https://search.nixos.org/packages?channel=unstable -->
 - Current version on the unstable channel:
 - Current version on the stable/release channel:
-
-## Checklist
-
 <!--
 Type the name of your package and try to find an open pull request for the package
 If you find an open pull request, you can review it!
 There's a high chance that you'll have the new version right away while helping the community!
 -->
-
 - [ ] Checked the [nixpkgs pull requests](https://github.com/NixOS/nixpkgs/pulls)
 
-## Notify maintainers
+**Notify maintainers**
 
 <!-- If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
 
----
+-----
 
 Note for maintainers: Please tag this issue in your PR.
 

.github/ISSUE_TEMPLATE/packaging_request.md

@@ -7,11 +7,11 @@ assignees: ''
 
 ---
 
-## Project description
+**Project description**
 
 <!-- Describe the project a little: -->
 
-## Metadata
+**Metadata**
 
 * homepage URL:
 * source URL:
@@ -20,10 +20,6 @@ assignees: ''
 
 ---
 
-Note for maintainers: Please tag this issue in your PR.
-
----
-
 Add a :+1: [reaction] to [issues you find important].
 
 [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/

.github/ISSUE_TEMPLATE/unreproducible_package.md

@@ -31,12 +31,12 @@ Fixing bit-by-bit reproducibility also has additional advantages, such as
 avoiding hard-to-reproduce bugs, making content-addressed storage more effective
 and reducing rebuilds in such systems.
 
-## Steps To Reproduce
+### Steps To Reproduce
 
 In the following steps, replace `<package>` with the canonical name of the
 package.
 
-### 1. Build the package
+#### 1. Build the package
 
 This step will build the package. Specific arguments are passed to the command
 to keep the build artifacts so we can compare them in case of differences.
@@ -53,7 +53,7 @@ Or using the new command line style:
 nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
 ```
 
-### 2. Compare the build artifacts
+#### 2. Compare the build artifacts
 
 If the previous command completes successfully, no differences were found and
 there's nothing to do, builds are reproducible.
@@ -67,7 +67,7 @@ metadata (*e.g. timestamp*) differences.
 nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
 ```
 
-### 3. Examine the build log
+#### 3. Examine the build log
 
 To examine the build log, use:
 
@@ -81,20 +81,10 @@ Or with the new command line style:
 nix log $(nix path-info --derivation nixpkgs#<package>)
 ```
 
-## Additional context
+### Additional context
 
-(please share the relevant fragment of the diffoscope output here, and any additional analysis you may have done)
-
-## Notify maintainers
-
-<!--
-Please @ people who are in the `meta.maintainers` list of the offending package or module.
-If in doubt, check `git blame` for whoever last touched something.
--->
-
----
-
-Note for maintainers: Please tag this issue in your PR.
+(please share the relevant fragment of the diffoscope output here, and any
+additional analysis you may have done)
 
 ---
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,7 +1,6 @@
+## Description of changes
 
 <!--
-^ Please summarise the changes you have done and explain why they are necessary here ^
-
 For package updates please link to a changelog or describe changes, this helps your fellow maintainers discover breaking updates.
 For new packages please briefly describe the package or provide a link to its homepage.
 -->
@@ -22,7 +21,7 @@ For new packages please briefly describe the package or provide a link to its ho
   - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
   - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests)
   - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
-  - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
+  - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
 - [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes)

.github/labeler.yml

@@ -1,4 +1,3 @@
-# NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":
   - any:
     - changed-files:
@@ -22,47 +21,6 @@
         - pkgs/by-name/ne/nemo/**/*
         - pkgs/by-name/ne/nemo-*/**/*
 
-"6.topic: continuous integration":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - .github/**/*
-        - ci/**/*
-
-"6.topic: coq":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/applications/science/logic/coq/**/*
-        - pkgs/development/coq-modules/**/*
-        - pkgs/top-level/coq-packages.nix
-
-"6.topic: crystal":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/compilers/crystal/**/*
-
-"6.topic: cuda":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/cuda-modules/**/*
-        - pkgs/top-level/cuda-packages.nix
-
-"6.topic: deepin":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/desktops/deepin/**/*
-        - pkgs/desktops/deepin/**/*
-
-"6.topic: docker tools":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/applications/virtualization/docker/**/*
-
 "6.topic: dotnet":
   - any:
     - changed-files:
@@ -128,12 +86,6 @@
         - pkgs/build-support/flutter/*.nix
         - pkgs/development/compilers/flutter/**/*.nix
 
-"6.topic: games":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/games/**/*
-
 "6.topic: GNOME":
   - any:
     - changed-files:
@@ -153,12 +105,6 @@
         - pkgs/build-support/go/**/*
         - pkgs/development/compilers/go/**/*
 
-"6.topic: hardware":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/hardware/**/*
-
 "6.topic: haskell":
   - any:
     - changed-files:
@@ -172,28 +118,6 @@
         - pkgs/top-level/haskell-packages.nix
         - pkgs/top-level/release-haskell.nix
 
-"6.topic: java":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/programs/java.nix
-        - pkgs/development/compilers/graalvm/**/*
-        - pkgs/development/compilers/openjdk/**/*
-        - pkgs/development/compilers/temurin-bin/**/*
-        - pkgs/development/compilers/zulu/**/*
-        - pkgs/development/java-modules/**/*
-        - pkgs/top-level/java-packages.nix
-
-"6.topic: jitsi":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/networking/jitsi-videobridge.nix
-        - nixos/modules/services/web-apps/jitsi-meet.nix
-        - pkgs/servers/web-apps/jitsi-meet/**/*
-        - pkgs/servers/jitsi-videobridge/**/*
-        - pkgs/applications/networking/instant-messengers/jitsi/**/*
-
 "6.topic: julia":
   - any:
     - changed-files:
@@ -281,35 +205,21 @@
         - lib/tests/modules.sh
         - lib/tests/modules/**
 
-"6.topic: musl":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/os-specific/linux/musl/**/*
-
 "6.topic: nixos":
   - any:
     - changed-files:
       - any-glob-to-any-file:
         - nixos/**/*
-        - pkgs/by-name/sw/switch-to-configuration-ng/**/*
         - pkgs/os-specific/linux/nixos-rebuild/**/*
 
-"6.topic: nixos-container":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/virtualisation/nixos-containers.nix
-        - pkgs/tools/virtualization/nixos-container/**/*
-
 "6.topic: nim":
   - any:
     - changed-files:
       - any-glob-to-any-file:
         - doc/languages-frameworks/nim.section.md
-        - pkgs/build-support/build-nim-package.nix
-        - pkgs/by-name/ni/nim*
-        - pkgs/top-level/nim-overrides.nix
+        - pkgs/development/compilers/nim/*
+        - pkgs/development/nim-packages/**/*
+        - pkgs/top-level/nim-packages.nix
 
 "6.topic: nodejs":
   - any:
@@ -323,15 +233,6 @@
         - pkgs/development/tools/pnpm/**/*
         - pkgs/development/web/nodejs/*
 
-"6.topic: nvidia":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/hardware/video/nvidia.nix
-        - nixos/modules/services/hardware/nvidia-container-toolkit/**/*
-        - nixos/modules/services/hardware/nvidia-optimus.nix
-        - pkgs/os-specific/linux/nvidia-x11/**/*
-
 "6.topic: ocaml":
   - any:
     - changed-files:
@@ -358,9 +259,8 @@
     - changed-files:
       - any-glob-to-any-file:
         - doc/languages-frameworks/php.section.md
-        - nixos/tests/php/**/*
         - pkgs/build-support/php/**/*
-        - pkgs/development/interpreters/php/**/*
+        - pkgs/development/interpreters/php/*
         - pkgs/development/php-packages/**/*
         - pkgs/test/php/default.nix
         - pkgs/top-level/php-packages.nix
@@ -370,12 +270,6 @@
     - changed-files:
       - any-glob-to-any-file:
         - .github/**/*
-        - CONTRIBUTING.md
-        - pkgs/README.md
-        - nixos/README.md
-        - maintainers/README.md
-        - lib/README.md
-        - doc/README.md
 
 "6.topic: printing":
   - any:
@@ -405,19 +299,6 @@
         - pkgs/development/libraries/kde-frameworks/**/*
         - pkgs/development/libraries/qt-5/**/*
 
-"6.topic: R":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/applications/science/math/R/**/*
-        - pkgs/development/r-modules/**/*
-
-"6.topic: rocm":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/rocm-modules/**/*
-
 "6.topic: ruby":
   - any:
     - changed-files:
@@ -453,15 +334,6 @@
         - pkgs/os-specific/linux/systemd/**/*
         - nixos/modules/system/boot/systemd*/**/*
 
-"6.topic: tcl":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/tcl.section.md
-        - pkgs/development/interpreters/tcl/*
-        - pkgs/development/tcl-modules/**/*
-        - pkgs/top-level/tcl-packages.nix
-
 "6.topic: TeX":
   - any:
     - changed-files:
@@ -486,12 +358,6 @@
         - nixos/tests/make-test-python.nix  # legacy
         # lib/debug.nix has a test framework (runTests) but it's not the main focus
 
-"6.topic: updaters":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/common-updater/**/*
-
 "6.topic: vim":
   - any:
     - changed-files:
@@ -508,25 +374,6 @@
       - any-glob-to-any-file:
         - pkgs/applications/editors/vscode/**/*
 
-"6.topic: windows":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/os-specific/windows/**/*
-
-"6.topic: xen-project":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/virtualisation/xen*
-        - pkgs/by-name/xe/xen/*
-        - pkgs/by-name/qe/qemu_xen/*
-        - pkgs/by-name/xe/xen-guest-agent/*
-        - pkgs/by-name/xt/xtf/*
-        - pkgs/build-support/xen/*
-        - pkgs/development/ocaml-modules/xen*/*
-        - pkgs/development/ocaml-modules/vchan/*
-
 "6.topic: xfce":
   - any:
     - changed-files:

.github/workflows/backport.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Create backport PRs

.github/workflows/basic-eval.yml

@@ -15,17 +15,15 @@ permissions:
 
 jobs:
   tests:
-    name: basic-eval-checks
     runs-on: ubuntu-latest
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
     - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
         name: nixpkgs-ci
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-    - run: nix --experimental-features 'nix-command flakes' flake check --all-systems --no-build
     # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset
     - run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin"  ]'

.github/workflows/check-by-name.yml

@@ -0,0 +1,123 @@
+# Checks pkgs/by-name (see pkgs/by-name/README.md)
+# using the nixpkgs-check-by-name tool (see https://github.com/NixOS/nixpkgs-check-by-name)
+#
+# When you make changes to this workflow, also update pkgs/test/check-by-name/run-local.sh adequately
+name: Check pkgs/by-name
+
+on:
+  # Using pull_request_target instead of pull_request avoids having to approve first time contributors
+  pull_request_target:
+    # This workflow depends on the base branch of the PR,
+    # but changing the base branch is not included in the default trigger events,
+    # which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here
+    # While `edited` is also triggered when the PR title/body is changed,
+    # this PR action is fairly quick, and PR's don't get edited that often,
+    # so it shouldn't be a problem
+    # There is a feature request for adding a `base_changed` event:
+    # https://github.com/orgs/community/discussions/35058
+    types: [opened, synchronize, reopened, edited]
+
+permissions: {}
+
+# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit
+# trigger), and contributers would get notified on any canceled run.
+# There is a feature request for supressing notifications on concurrency-canceled runs:
+# https://github.com/orgs/community/discussions/13015
+
+jobs:
+  check:
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases
+    runs-on: ubuntu-latest
+    # This should take 1 minute at most, but let's be generous.
+    # The default of 6 hours is definitely too long
+    timeout-minutes: 10
+    steps:
+      # This step has to be in this file,
+      # because it's needed to determine which revision of the repository to fetch,
+      # and we can only use other files from the repository once it's fetched.
+      - name: Resolving the merge commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # This checks for mergeability of a pull request as recommended in
+          # https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests
+
+          # Retry the API query this many times
+          retryCount=5
+          # Start with 5 seconds, but double every retry
+          retryInterval=5
+          while true; do
+            echo "Checking whether the pull request can be merged"
+            prInfo=$(gh api \
+              -H "Accept: application/vnd.github+json" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              /repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }})
+            mergeable=$(jq -r .mergeable <<< "$prInfo")
+            mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")
+
+            if [[ "$mergeable" == "null" ]]; then
+              if (( retryCount == 0 )); then
+                echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+                exit 1
+              else
+                (( retryCount -= 1 )) || true
+
+                # null indicates that GitHub is still computing whether it's mergeable
+                # Wait a couple seconds before trying again
+                echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+                sleep "$retryInterval"
+
+                (( retryInterval *= 2 )) || true
+              fi
+            else
+              break
+            fi
+          done
+
+          if [[ "$mergeable" == "true" ]]; then
+            echo "The PR can be merged, checking the merge commit $mergedSha"
+            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
+          else
+            echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."
+          fi
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        if: env.mergedSha
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ env.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Checking out base branch
+        if: env.mergedSha
+        run: |
+          base=$(mktemp -d)
+          git worktree add "$base" "$(git rev-parse HEAD^1)"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+        if: env.mergedSha
+      - name: Fetching the pinned tool
+        if: env.mergedSha
+        # Update the pinned version using pkgs/test/check-by-name/update-pinned-tool.sh
+        run: |
+          # The pinned version of the tooling to use
+          toolVersion=$(<pkgs/test/check-by-name/pinned-version.txt)
+          # Fetch the x86_64-linux-specific release artifact containing the Gzipped NAR of the pre-built tool
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-check-by-name/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+            | gzip -cd | nix-store --import | tail -1)
+          # Adds a result symlink as a GC root
+          nix-store --realise "$toolPath" --add-root result
+      - name: Running nixpkgs-check-by-name
+        if: env.mergedSha
+        env:
+          # Force terminal colors to be enabled. The library that
+          # nixpkgs-check-by-name uses respects: https://bixense.com/clicolors/
+          CLICOLOR_FORCE: 1
+        run: |
+          if result/bin/nixpkgs-check-by-name --base "$base" .; then
+            exit 0
+          else
+            exitCode=$?
+            echo "To run locally: ./maintainers/scripts/check-by-name.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
+            exit "$exitCode"
+          fi

.github/workflows/check-cherry-picks.yml

@@ -10,11 +10,10 @@ permissions: {}
 
 jobs:
   check:
-    name: cherry-pick-check
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         fetch-depth: 0
         filter: blob:none

.github/workflows/check-maintainers-sorted.yaml

@@ -9,11 +9,10 @@ permissions:
 
 jobs:
   nixos:
-    name: maintainer-list-check
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
@@ -21,7 +20,7 @@ jobs:
           sparse-checkout: |
             lib
             maintainers
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/check-nix-format.yml

@@ -7,18 +7,17 @@ name: Check that Nix files are formatted
 
 on:
   pull_request_target:
-    # See the comment at the same location in ./nixpkgs-vet.yml
+    # See the comment at the same location in ./check-by-name.yml
     types: [opened, synchronize, reopened, edited]
 permissions:
   contents: read
 
 jobs:
   nixos:
-    name: nixfmt-check
     runs-on: ubuntu-latest
     if: "!contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
@@ -38,7 +37,7 @@ jobs:
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
@@ -83,8 +82,7 @@ jobs:
 
           if (( "${#unformattedFiles[@]}" > 0 )); then
             echo "Some new/changed Nix files are not properly formatted"
-            echo "Please go to the Nixpkgs root directory, run \`nix-shell\`, then:"
+            echo "Please run the following in \`nix-shell\`:"
             echo "nixfmt ${unformattedFiles[*]@Q}"
-            echo "If you're having trouble, please ping @NixOS/nix-formatting"
             exit 1
           fi

.github/workflows/check-nixf-tidy.yml

@@ -8,11 +8,10 @@ permissions:
 
 jobs:
   nixos:
-    name: exp-nixf-tidy-check
     runs-on: ubuntu-latest
     if: "!contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
@@ -32,7 +31,7 @@ jobs:
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/check-shell.yml

@@ -7,25 +7,23 @@ permissions: {}
 
 jobs:
   x86_64-linux:
-    name: shell-check-x86_64-linux
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
       - name: Build shell
         run: nix-build shell.nix
 
   aarch64-darwin:
-    name: shell-check-aarch64-darwin
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
       - name: Build shell
         run: nix-build shell.nix

.github/workflows/codeowners-v2.yml

@@ -1,104 +0,0 @@
-name: Codeowners v2
-
-# This workflow depends on two GitHub Apps with the following permissions:
-# - For checking code owners:
-#   - Permissions:
-#     - Repository > Administration: read-only
-#     - Organization > Members: read-only
-#   - Install App on this repository, setting these variables:
-#     - OWNER_RO_APP_ID (variable)
-#     - OWNER_RO_APP_PRIVATE_KEY (secret)
-# - For requesting code owners:
-#   - Permissions:
-#     - Repository > Administration: read-only
-#     - Organization > Members: read-only
-#     - Repository > Pull Requests: read-write
-#   - Install App on this repository, setting these variables:
-#     - OWNER_APP_ID (variable)
-#     - OWNER_APP_PRIVATE_KEY (secret)
-#
-# This split is done because checking code owners requires handling untrusted PR input,
-# while requesting code owners requires PR write access, and those shouldn't be mixed.
-
-on:
-  pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened, edited]
-
-# We don't need any default GitHub token
-permissions: {}
-
-env:
-  OWNERS_FILE: ci/OWNERS
-  # Don't do anything on draft PRs
-  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-
-jobs:
-  # Check that code owners is valid
-  check:
-    name: Check
-    runs-on: ubuntu-latest
-    steps:
-    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-
-    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
-      if: github.repository_owner == 'NixOS'
-      with:
-        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-        name: nixpkgs-ci
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-
-    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
-    # We later build and run code from the base branch with access to secrets,
-    # so it's important this is not the PRs code.
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        path: base
-
-    - name: Build codeowners validator
-      run: nix-build base/ci -A codeownersValidator
-
-    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
-      id: app-token
-      with:
-        app-id: ${{ vars.OWNER_RO_APP_ID }}
-        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: refs/pull/${{ github.event.number }}/merge
-        path: pr
-
-    - name: Validate codeowners
-      run: result/bin/codeowners-validator
-      env:
-        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
-        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-        REPOSITORY_PATH: pr
-        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
-        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
-        EXPERIMENTAL_CHECKS: "avoid-shadowing"
-
-  # Request reviews from code owners
-  request:
-    name: Request
-    runs-on: ubuntu-latest
-    steps:
-    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-
-    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
-    # This is intentional, because we need to request the review of owners as declared in the base branch.
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
-      id: app-token
-      with:
-        app-id: ${{ vars.OWNER_APP_ID }}
-        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-
-    - name: Build review request package
-      run: nix-build ci -A requestReviews
-
-    - name: Request reviews
-      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
-      env:
-        GH_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/editorconfig-v2.yml

@@ -1,44 +0,0 @@
-name: "Checking EditorConfig v2"
-
-permissions:
-  pull-requests: read
-  contents: read
-
-on:
-  # avoids approving first time contributors
-  pull_request_target:
-    branches-ignore:
-      - 'release-**'
-
-jobs:
-  tests:
-    name: editorconfig-check
-    runs-on: ubuntu-latest
-    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
-    steps:
-    - name: Get list of changed files from PR
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        gh api \
-          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
-          | jq '.[] | select(.status != "removed") | .filename' \
-          > "$HOME/changed_files"
-    - name: print list of changed files
-      run: |
-        cat "$HOME/changed_files"
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        # pull_request_target checks out the base branch by default
-        ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-      with:
-        # nixpkgs commit is pinned so that it doesn't break
-        # editorconfig-checker 2.4.0
-        nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
-    - name: Checking EditorConfig
-      run: |
-        cat "$HOME/changed_files" | nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'
-    - if: ${{ failure() }}
-      run: |
-        echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."

.github/workflows/editorconfig.yml

@@ -0,0 +1,41 @@
+name: "Checking EditorConfig"
+
+permissions: read-all
+
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq '.[] | select(.status != "removed") | .filename' \
+          > "$HOME/changed_files"
+    - name: print list of changed files
+      run: |
+        cat "$HOME/changed_files"
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      with:
+        # nixpkgs commit is pinned so that it doesn't break
+        # editorconfig-checker 2.4.0
+        nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
+    - name: Checking EditorConfig
+      run: |
+        cat "$HOME/changed_files" | nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'
+    - if: ${{ failure() }}
+      run: |
+        echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."

.github/workflows/labels.yml

@@ -15,7 +15,6 @@ permissions:
 
 jobs:
   labels:
-    name: label-pr
     runs-on: ubuntu-latest
     if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:

.github/workflows/manual-nixos-v2.yml

@@ -1,33 +0,0 @@
-name: "Build NixOS manual v2"
-
-permissions:
-  contents: read
-
-on:
-  pull_request_target:
-    branches:
-      - master
-    paths:
-      - 'nixos/**'
-
-jobs:
-  nixos:
-    name: nixos-manual-build
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'NixOS'
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        with:
-          # explicitly enable sandbox
-          extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
-        with:
-          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-          name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - name: Building NixOS manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixos.yml

@@ -0,0 +1,31 @@
+name: "Build NixOS manual"
+
+permissions: read-all
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'nixos/**'
+
+jobs:
+  nixos:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - name: Building NixOS manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixpkgs-v2.yml

@@ -1,35 +0,0 @@
-name: "Build Nixpkgs manual v2"
-
-permissions:
-  contents: read
-
-on:
-  pull_request_target:
-    branches:
-      - master
-    paths:
-      - 'doc/**'
-      - 'lib/**'
-      - 'pkgs/tools/nix/nixdoc/**'
-
-jobs:
-  nixpkgs:
-    name: nixpkgs-manual-build
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'NixOS'
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        with:
-          # explicitly enable sandbox
-          extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
-        with:
-          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-          name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-      - name: Building Nixpkgs manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests

.github/workflows/manual-nixpkgs.yml

@@ -0,0 +1,33 @@
+name: "Build Nixpkgs manual"
+
+permissions: read-all
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'doc/**'
+      - 'lib/**'
+      - 'pkgs/tools/nix/nixdoc/**'
+
+jobs:
+  nixpkgs:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - name: Building Nixpkgs manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests

.github/workflows/nix-parse-v2.yml

@@ -1,45 +0,0 @@
-name: "Check whether nix files are parseable v2"
-
-permissions:
-  pull-requests: read
-  contents: read
-
-on:
-  # avoids approving first time contributors
-  pull_request_target:
-    branches-ignore:
-      - 'release-**'
-
-jobs:
-  tests:
-    name: nix-files-parseable-check
-    runs-on: ubuntu-latest
-    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
-    steps:
-    - name: Get list of changed files from PR
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        gh api \
-          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
-          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
-          > "$HOME/changed_files"
-        if [[ -s "$HOME/changed_files" ]]; then
-          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
-        fi
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        # pull_request_target checks out the base branch by default
-        ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
-    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-      with:
-        nix_path: nixpkgs=channel:nixpkgs-unstable
-    - name: Parse all changed or added nix files
-      run: |
-        ret=0
-        while IFS= read -r file; do
-          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
-        done < "$HOME/changed_files"
-        exit "$ret"
-      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}

.github/workflows/nix-parse.yml

@@ -0,0 +1,42 @@
+name: "Check whether nix files are parseable"
+
+permissions: read-all
+
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
+          > "$HOME/changed_files"
+        if [[ -s "$HOME/changed_files" ]]; then
+          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
+        fi
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
+    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      with:
+        nix_path: nixpkgs=channel:nixpkgs-unstable
+    - name: Parse all changed or added nix files
+      run: |
+        ret=0
+        while IFS= read -r file; do
+          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
+        done < "$HOME/changed_files"
+        exit "$ret"
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}

.github/workflows/nixpkgs-vet.yml

@@ -1,86 +0,0 @@
-# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more.
-# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
-# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
-# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
-name: Vet nixpkgs
-
-on:
-  # Using pull_request_target instead of pull_request avoids having to approve first time contributors.
-  pull_request_target:
-    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-    # Instead it causes an `edited` event, so we need to add it explicitly here.
-    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
-    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
-    types: [opened, synchronize, reopened, edited]
-
-permissions: {}
-
-# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.
-# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
-
-jobs:
-  check:
-    name: nixpkgs-vet
-    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
-    runs-on: ubuntu-latest
-    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
-    timeout-minutes: 10
-    steps:
-      # This checks out the base branch because of pull_request_target
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: base
-          sparse-checkout: ci
-      - name: Resolving the merge commit
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-            echo "Checking the merge commit $mergedSha"
-            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
-          else
-            echo "Skipping the rest..."
-          fi
-          rm -rf base
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        if: env.mergedSha
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: ${{ env.mergedSha }}
-          # Fetches the merge commit and its parents
-          fetch-depth: 2
-      - name: Checking out base branch
-        if: env.mergedSha
-        run: |
-          base=$(mktemp -d)
-          git worktree add "$base" "$(git rev-parse HEAD^1)"
-          echo "base=$base" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        if: env.mergedSha
-      - name: Fetching the pinned tool
-        if: env.mergedSha
-        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
-        run: |
-          # The pinned version of the tooling to use.
-          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
-
-          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
-          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
-            | gzip -cd | nix-store --import | tail -1)
-
-          # Adds a result symlink as a GC root.
-          nix-store --realise "$toolPath" --add-root result
-      - name: Running nixpkgs-vet
-        if: env.mergedSha
-        env:
-          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
-          CLICOLOR_FORCE: 1
-        run: |
-          if result/bin/nixpkgs-vet --base "$base" .; then
-            exit 0
-          else
-            exitCode=$?
-            echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
-            echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
-            exit "$exitCode"
-          fi

.github/workflows/ofborg-pending.yml

@@ -16,7 +16,6 @@ permissions:
 
 jobs:
   action:
-    name: set-ofborg-pending
     if: github.repository_owner == 'NixOS'
     permissions:
       statuses: write

.github/workflows/periodic-merge-24h.yml

@@ -41,7 +41,7 @@ jobs:
             into: staging-24.05
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0

.github/workflows/periodic-merge-6h.yml

@@ -39,7 +39,7 @@ jobs:
             into: staging
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0

.github/workflows/update-terraform-providers.yml

@@ -0,0 +1,69 @@
+name: "Update terraform-providers"
+
+on:
+  #schedule:
+  #  - cron: "0 3 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  tf-providers:
+    permissions:
+      contents: write # for peter-evans/create-pull-request to create branch
+      pull-requests: write # for peter-evans/create-pull-request to create a PR
+    if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+        with:
+          nix_path: nixpkgs=channel:nixpkgs-unstable
+      - name: setup
+        id: setup
+        run: |
+          echo "title=terraform-providers: update $(date -u +"%Y-%m-%d")" >> $GITHUB_OUTPUT
+      - name: update terraform-providers
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          echo | nix-shell \
+            maintainers/scripts/update.nix \
+            --argstr commit true \
+            --argstr keep-going true \
+            --argstr max-workers 2 \
+            --argstr path terraform-providers
+      - name: get failed updates
+        run: |
+          echo 'FAILED<<EOF' >> $GITHUB_ENV
+          git ls-files --others >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
+      # cleanup logs of failed updates so they aren't included in the PR
+      - name: clean repo
+        run: |
+          git clean -f
+      - name: create PR
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+        with:
+          body: |
+            Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.
+
+            https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}
+
+            These providers failed to update:
+            ```
+            ${{ env.FAILED }}
+            ```
+
+            Check that all providers build with:
+            ```
+            @ofborg build opentofu.full
+            ```
+            If there is more than ten commits in the PR `ofborg` won't build it automatically and you will need to use the above command.
+          branch: terraform-providers-update
+          delete-branch: false
+          title: ${{ steps.setup.outputs.title }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.mailmap

@@ -1,18 +1,9 @@
 ajs124 <git@ajs124.de> <ajs124@users.noreply.github.com>
 Anderson Torres <torres.anderson.85@protonmail.com>
-Atemu <git@atemu.net> <atemu.main@gmail.com>
-Christina Sørensen <christina@cafkafk.com>
-Christina Sørensen <christina@cafkafk.com> <christinaafk@gmail.com>
-Christina Sørensen <christina@cafkafk.com> <89321978+cafkafk@users.noreply.github.com>
 Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
 Fabian Affolter <mail@fabian-affolter.ch> <fabian@affolter-engineering.ch>
-Fiona Behrens <me@kloenk.dev>
-Fiona Behrens <me@kloenk.dev> <me@kloenk.de>
-goatastronaut0212 <goatastronaut0212@outlook.com> <goatastronaut0212@proton.me>
 Janne Heß <janne@hess.ooo> <dasJ@users.noreply.github.com>
 Jörg Thalheim <joerg@thalheim.io> <Mic92@users.noreply.github.com>
-Lin Jian <me@linj.tech> <linj.dev@outlook.com>
-Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>
 Martin Weinelt <hexa@darmstadt.ccc.de> <mweinelt@users.noreply.github.com>
 R. RyanTM <ryantm-bot@ryantm.com>
 Robert Hensing <robert@roberthensing.nl> <roberth@users.noreply.github.com>

CONTRIBUTING.md

@@ -93,8 +93,6 @@ This section describes in some detail how changes can be made and proposed with
 7. Respond to review comments, potential CI failures and potential merge conflicts by updating the pull request.
    Always keep the pull request in a mergeable state.
 
-   This process is covered in more detail from the non-technical side in [I opened a PR, how do I get it merged?](#i-opened-a-pr-how-do-i-get-it-merged).
-
    The custom [OfBorg](https://github.com/NixOS/ofborg) CI system will perform various checks to help ensure code quality, whose results you can see at the bottom of the pull request.
    See [the OfBorg Readme](https://github.com/NixOS/ofborg#readme) for more details.
 
@@ -195,12 +193,19 @@ The last checkbox is about whether it fits the guidelines in this `CONTRIBUTING.
 [rebase]: #rebasing-between-branches-ie-from-master-to-staging
 
 From time to time, changes between branches must be rebased, for example, if the
-number of new rebuilds they would cause is too large for the target branch.
+number of new rebuilds they would cause is too large for the target branch. When
+rebasing, care must be taken to include only the intended changes, otherwise
+many CODEOWNERS will be inadvertently requested for review. To achieve this,
+rebasing should not be performed directly on the target branch, but on the merge
+base between the current and target branch. As an additional precautionary measure,
+you should temporarily mark the PR as draft for the duration of the operation.
+This reduces the probability of mass-pinging people. (OfBorg might still
+request a couple of persons for reviews though.)
 
 In the following example, we assume that the current branch, called `feature`,
 is based on `master`, and we rebase it onto the merge base between
-`master` and `staging` so that the PR can be retargeted to
-`staging`. The example uses `upstream` as the remote for `NixOS/nixpkgs.git`
+`master` and `staging` so that the PR can eventually be retargeted to
+`staging` without causing a mess. The example uses `upstream` as the remote for `NixOS/nixpkgs.git`
 while `origin` is the remote you are pushing to.
 
 
@@ -229,6 +234,36 @@ git status
 git push origin feature --force-with-lease
 ```
 
+#### Something went wrong and a lot of people were pinged
+
+It happens. Remember to be kind, especially to new contributors.
+There is no way back, so the pull request should be closed and locked
+(if possible). The changes should be re-submitted in a new PR, in which the people
+originally involved in the conversation need to manually be pinged again.
+No further discussion should happen on the original PR, as a lot of people
+are now subscribed to it.
+
+The following message (or a version thereof) might be left when closing to
+describe the situation, since closing and locking without any explanation
+is kind of rude:
+
+```markdown
+It looks like you accidentally mass-pinged a bunch of people, which are now subscribed
+and getting notifications for everything in this pull request. Unfortunately, they
+cannot be automatically unsubscribed from the issue (removing review request does not
+unsubscribe), therefore development cannot continue in this pull request anymore.
+
+Please open a new pull request with your changes, link back to this one and ping the
+people actually involved in here over there.
+
+In order to avoid this in the future, there are instructions for how to properly
+rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging).
+Setting your pull request to draft prior to rebasing is strongly recommended.
+In draft status, you can preview the list of people that are about to be requested
+for review, which allows you to sidestep this issue.
+This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs.
+```
+
 ## How to backport pull requests
 [pr-backport]: #how-to-backport-pull-requests
 
@@ -280,22 +315,6 @@ When reviewing a pull request, please always be nice and polite. Controversial c
 
 GitHub provides reactions as a simple and quick way to provide feedback to pull requests or any comments. The thumb-down reaction should be used with care and if possible accompanied with some explanation so the submitter has directions to improve their contribution.
 
-When doing a review:
-- Aim to drive the proposal to a timely conclusion.
-- Focus on the proposed changes to keep the scope of the discussion narrow.
-- Help the contributor prioritise their efforts towards getting their change merged.
-
-If you find anything related that could be improved but is not immediately required for acceptance, consider
-- Implementing the changes yourself in a follow-up pull request (and request review from the person who inspired you)
-- Tracking your idea in an issue
-- Offering the original contributor to review a follow-up pull request
-- Making concrete [suggestions](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/incorporating-feedback-in-your-pull-request) in the same pull request.
-
-For example, follow-up changes could involve refactoring code in the affected files.
-
-But please remember not to make such additional considerations a blocker, and communicate that to the contributor, for example by following the [conventional comments](https://conventionalcomments.org/) pattern.
-If the related change is essential for the contribution at hand, make clear why you think it is important to address that first.
-
 Pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review.
 
 All the review template samples provided in this section are generic and meant as examples. Their usage is optional and the reviewer is free to adapt them to their liking.
@@ -308,18 +327,20 @@ If you consider having enough knowledge and experience in a topic and would like
 
 Container system, boot system and library changes are some examples of the pull requests fitting this category.
 
-## How to merge pull requests yourself
+## How to merge pull requests
 [pr-merge]: #how-to-merge-pull-requests
 
 To streamline automated updates, leverage the nixpkgs-merge-bot by simply commenting `@NixOS/nixpkgs-merge-bot merge`. The bot will verify if the following conditions are met, refusing to merge otherwise:
 
-- the PR author should be @r-ryantm;
 - the commenter that issued the command should be among the package maintainers;
 - the package should reside in `pkgs/by-name`.
 
 Further, nixpkgs-merge-bot will ensure all ofBorg checks (except the Darwin-related ones) are successfully completed before merging the pull request. Should the checks still be underway, the bot patiently waits for ofBorg to finish before attempting the merge again.
 
-For other pull requests, please see [I opened a PR, how do I get it merged?](#i-opened-a-pr-how-do-i-get-it-merged).
+For other pull requests, the *Nixpkgs committers* are people who have been given
+permission to merge.
+
+It is possible for community members that have enough knowledge and experience on a special topic to contribute by merging pull requests.
 
 In case the PR is stuck waiting for the original author to apply a trivial
 change (a typo, capitalisation change, etc.) and the author allowed the members
@@ -333,7 +354,7 @@ The following paragraphs about how to deal with unactive contributors is just a
 Please note that contributors with commit rights unactive for more than three months will have their commit rights revoked.
 -->
 
-Please see the discussion in [GitHub nixpkgs issue #321665](https://github.com/NixOS/nixpkgs/issues/321665) for information on how to proceed to be granted this level of access.
+Please see the discussion in [GitHub nixpkgs issue #50105](https://github.com/NixOS/nixpkgs/issues/50105) for information on how to proceed to be granted this level of access.
 
 In a case a contributor definitively leaves the Nix community, they should create an issue or post on [Discourse](https://discourse.nixos.org) with references of packages and modules they maintain so the maintainership can be taken over by other contributors.
 
@@ -393,10 +414,14 @@ Here is a Git history diagram showing the flow of commits between the three bran
 } }%%
 gitGraph
     commit id:" "
-    branch staging
-    commit id:"  "
     branch staging-next
+    branch staging
 
+    checkout master
+    checkout staging
+    checkout master
+    commit id:"    "
+    checkout staging-next
     merge master id:"automatic"
     checkout staging
     merge staging-next id:"automatic "
@@ -512,7 +537,6 @@ To get a sense for what changes are considered mass rebuilds, see [previously me
   - [Commit conventions](./doc/README.md#commit-conventions) for changes to `doc`, the Nixpkgs manual.
 
 ### Writing good commit messages
-[writing-good-commit-messages]: #writing-good-commit-messages
 
 In addition to writing properly formatted commit messages, it's important to include relevant information so other developers can later understand *why* a change was made. While this information usually can be found by digging code, mailing list/Discourse archives, pull request discussions or upstream changes, it may require a lot of work.
 
@@ -597,7 +621,7 @@ Names of files and directories should be in lowercase, with dashes between words
 
   ```nix
   {
-    buildInputs = lib.optional stdenv.hostPlatform.isDarwin iconv;
+    buildInputs = lib.optional stdenv.isDarwin iconv;
   }
   ```
 
@@ -605,198 +629,9 @@ Names of files and directories should be in lowercase, with dashes between words
 
   ```nix
   {
-    buildInputs = if stdenv.hostPlatform.isDarwin then [ iconv ] else null;
+    buildInputs = if stdenv.isDarwin then [ iconv ] else null;
   }
   ```
 
   As an exception, an explicit conditional expression with null can be used when fixing a important bug without triggering a mass rebuild.
   If this is done a follow up pull request _should_ be created to change the code to `lib.optional(s)`.
-
-# Practical contributing advice
-
-To contribute effectively and efficiently, you need to be aware of how the contributing process generally works.
-This section aims to document the process as we live it in Nixpkgs to set expectations right and give practical tips on how to work with it.
-
-## I opened a PR, how do I get it merged?
-[i-opened-a-pr-how-do-i-get-it-merged]:#i-opened-a-pr-how-do-i-get-it-merged
-
-In order for your PR to be merged, someone with merge permissions on the repository ("committer") needs to review and merge it.
-Because the group of people with merge permissions is mostly a collection of independent unpaid volunteers who do this in their own free time, this can take some time to happen.
-It is entirely normal for your PR to sit around without any feedback for days, weeks or sometimes even months.
-We strive to avoid the latter cases of course but the reality of it is that this does happen quite frequently.
-Even when you get feedback, follow-up feedback may take similarly long.
-Don't be intimidated by this and kindly ask for feedback again every so often.
-If your change is good it will eventually be merged at some point.
-
-There are some things you can do to help speed up the process of your PR being merged though.
-In order to speed the process up, you need to know what needs to happen before a committer will actually hit the merge button.
-This section intends to give a little overview and insight of what happens after you create your PR.
-
-### The committer's perspective
-
-PRs have varying quality and even the best people make mistakes.
-It is the role of the committer team to assess whether any PR's changes are good changes or not.
-In order for any PR to be merged, at least one committer needs to be convinced of its quality enough to merge it.
-
-Committers typically assess three aspects of your PR:
-
-1. Whether the change's intention is necessary and desirable
-2. Whether the code quality of your changes is good
-3. Whether the artefacts produced by the code are good
-
-If you want your PR to get merged quickly and smoothly, it is in your best interest to help convince committers in these three aspects.
-
-### How to help committers assess your PR
-
-For the committer to judge your intention, it's best to explain why you've made your change.
-This does not apply to trivial changes like version updates because the intention is obvious (though linking the changelog is appreciated).
-For any more nuanced changed or even major version upgrades, it helps if you explain the background behind your change a bit.
-E.g. if you're adding a package, explain what it is and why it should be in Nixpkgs.
-This goes hand in hand with [Writing good commit messages](#writing-good-commit-messages).
-
-For the code quality assessment, you cannot do anything yourself as only the committer can do this and they already have your code to look at.
-In order to minimise the need for back and forth though, do take a look over your code changes yourself and try to put yourself into the shoes of someone who didn't just write that code.
-Would you immediately know what the code does or why it is needed by glancing at it?
-If not, reviewers will notice this and will ask you to clarify the code by refactoring it and/or adding a few explanations in code comments.
-Doing this preemptively can save you and the committer a lot of time.
-To better convey the "story" of your change, consider dividing your change into multiple atomic commits.
-There is a balance to strike however: over-fragmentation causes friction.
-
-The code artefacts are the hardest for committers to assess because PRs touch all sorts of components: applications, libraries, NixOS modules, editor plugins and many many other things.
-Any individual committer can only really assess components that they themselves know how to use however and yet they must still be convinced somehow.
-There isn't a good generic solution to this but there are some ways easing the committer's job here:
-
-- Provide smoke tests that the committer can run without much research or setup.
-
-  Committers usually don't have the time or interest to learn how your component works and how they could test its functionality.
-  If you can provide a quick guide on how to use the component in a meaningful way or a ready-made command that demonstrates that the component works as expected, the committer can easily convince themselves that your change is good.
-  If it can be automated, you could even turn this smoke test into an automated NixOS test which reviewers could simply run via Nix.
-- Invite other users of the component to try it out and report their findings.
-
-  If a committer sees the testimonials of other users trying your change and it works as expected for them, that too can convince the committer of your PR's quality.
-- Describe what you have done to test your PR.
-
-  If you can convince the committer that you have done sufficient quality assurance on your changes and they trust your report, this too can convince them of your PR's quality, albeit not as strongly as the methods above.
-- Become a maintainer of the component.
-
-  This isn't something you can do on your first few PRs touching a component but listed maintainers generally receive more trust when it comes to changes to their maintained components and committers may opt to merge changes without deeper review when they see they're done by their respective maintainer.
-
-Even if you adhere to all of these recommendations, it is still quite possible for your PR to be forgotten or abandoned by any given committer.
-Please remain mindful of the fact that they are doing this on their own volition and unpaid in their free time and therefore [owe you nothing](https://mikemcquaid.com/open-source-maintainers-owe-you-nothing/).
-Causing a stink in such a situation is a surefire way to get any other potential committer to not want to look at your PR either.
-Ask them nicely whether they still intend to review your PR and find yourself another committer to look at your PR if not.
-
-### How can I get a committer to look at my PR?
-
-- Improve skimmability: use a simple descriptive PR title (details go in commit titles) outlining _what_ is done and _why_.
-- Improve discoverability: apply all relevant labels, tick all relevant PR body checkboxes.
-- Wait. Reviewers frequently browse open PRs and may happen to run across yours and take a look.
-- Get non-committers to review/approve. Many committers filter open PRs for low-hanging fruit that are already been reviewed.
-- [@-mention](https://github.blog/news-insights/mention-somebody-they-re-notified/) someone and ask them nicely
-- Post in one of the channels made for this purpose if there has been no activity for at least one week
-  - The current "PRs ready for review" or "PRs already reviewed" threads in the [NixOS Discourse](https://discourse.nixos.org/c/dev/14) (of course choose the one that applies to your situation)
-  - The [Nixpkgs Review Requests Matrix room](https://matrix.to/#/#review-requests:nixos.org).
-
-### CI failed or got stuck on my PR, what do I do?
-
-First ensure that the failure is actually related to your change.
-Sometimes, the CI system simply has a hiccup or the check was broken by someone else before you made your changes.
-Read through the error message; it's usually quite easy to tell whether it is caused by anything you did by checking whether it mentions the component you touched anywhere.
-If it is indeed caused by your change, obviously try to fix it.
-Don't be afraid of asking for advice if you're uncertain how to do that, others have likely fixed such issues dozens of times and can help you out.
-Your PR is unlikely to be merged if it has a known issue and it is the purpose of CI to alert you aswell as reviewers to these issues.
-
-ofBorg builds can often get stuck, particularly in PRs targeting `staging` and in builders for the Darwin platform. Reviewers will know how to handle them or when to ignore them.
-Don't worry about it.
-If there is a build failure however and it happened due to a package related to your change, you need to investigate it of course.
-If ofBorg reveals the build to be broken on some platform and you don't have access to that platform, you should set your package's `meta.broken` accordingly.
-
-When in any doubt, please ask via a comment in your PR or through one of the help channels.
-
-## I received a review on my PR, how do I get it over the finish line?
-
-In the review process, the committer will have left some sort of feedback on your PR.
-They may have immediately approved of your PR or even merged it but the more likely case is that they want you to change a few things or that they require further input.
-
-A reviewer may have taken a look at the code and it looked good to them ("Diff LGTM") but they still need to be convinced of the artefact's quality.
-They might also be waiting on input from other users of the component or its listed maintainer on whether the intention of your PR makes sense for the component.
-If you know of people who could help clarify any of this, please bring the PR to their attention.
-The current state of the PR is frequently not clearly communicated, so please don't hesitate to ask about it if it's unclear to you.
-
-It's also possible for the reviewer to not be convinced that your PR is necessary or that the method you've chose to achieve your intention is the right one.
-
-Please explain your intentions and reasoning to the committer in such a case.
-There may be constraints you had to work with which they're not aware of or qualities of your approach that they didn't immediately notice.
-(If these weren't clear to the reviewer, that's a good sign you should explain them in your commit message or code comments!)
-
-There are some further pitfalls and realities which this section intends to make you aware of.
-
-### Aim to reduce cycles
-
-Please be prepared for it to take a while before the reviewer gets back to you after you respond.
-This is simply the reality of community projects at the scale of Nixpkgs.
-As such, make sure to respond to _all_ feedback, either by applying suggested changes or argue in favor of something else or no change.
-It wastes everyone time waiting for a couple of days just for the reviewer to remind you to address something they asked for.
-
-### A reviewer requested a bunch of insubstantial changes on my PR
-
-The people involved in Nixpkgs care about code quality because, once in Nixpkgs, it needs to be maintained for many years to come.
-It is therefore likely that other people will ask you to do some things in another way or adhere to some standard.
-Sometimes however, they also care a bit too much and may ask you to adhere to a personal preference of theirs.
-It's not always easy to tell which is which and whether the requests are critically important to merging the PR.
-Sometimes another reviewer may also come along with totally different opinions on some points too.
-
-It is convention to mark review comments that are not critical to the PR as nitpicks but this is not always followed.
-As the PR author, you should still take a look at these as they will often reveal best practices and unwritten rules that usually have good reasons behind them and you may want to incorporate them into your modus operandi.
-
-Please keep in mind that reviewers almost always mean well here.
-Their intent is not to denounce your code, they want your code to be as good as it can be.
-Through their experience, they may also take notice of a seemingly insignificant issues that have caused significant burden before.
-
-Sometimes however, they can also get a bit carried away and become too perfectionistic.
-If you feel some of the requests are unreasonable, out of scope, or merely a matter of personal preference, try to nicely remind the reviewers that you may not intend this code to be 100% perfect or that you have different taste in some regards and press them on whether they think that these requests are *critical* to the PR's success.
-
-While we do have a set of [official standards for the Nix community](https://github.com/NixOS/rfcs/), we don't have standards for everything and there are often multiple valid ways to achieve the same goal.
-Unless there are standards forbidding the patterns used in your code or there are serious technical, maintainability or readability issues with your code, you can insist to keep the code the way you made it and disregard the requests.
-Please communicate this clearly though; a simple "I prefer it this way and see no major issue with it" can save you a lot of arguing.
-
-If you are unsure about some change requests, please ask reviewers *why* they requested them.
-This will usually reveal how important they deem it to be and will help educate you about standards, best practices, unwritten rules aswell as preferences people have and why.
-
-Some committers may have stronger opinions on some things and therefore (understandably) may not want to merge your PR if you don't follow their requests.
-It is totally fine to get yourself a second or third opinion in such a case.
-
-### Committers work on a push-basis
-
-It's possible for you to get a review but nothing happens afterwards, even if you reply to review comments.
-A committer not following up on your PR does not necessarily mean they're disinterested or unresponsive, they may have simply forgotten to follow up on it or had some other circumstances preventing them from doing so.
-
-Committers typically handle many other PRs besides yours and it is not realistic for them to keep up with all of them to a degree where they could reasonably remember to follow up on all PRs that they had intended following up upon.
-If someone left an approving review on your PR and didn't merge a few days later, the most likely case is that they simply forgot.
-
-Please see it as your responsibility to actively remind reviewers of your open PRs.
-
-The easiest way to do so is to cause them a Github notification.
-Github notifies people involved in the PR whenever you add a comment to your PR, push your PR or re-request their review.
-Doing any of that will get you people's attention again.
-Everyone deserves proper attention, and yes that includes you!
-However please be mindful that committers can sadly not always give everyone the attention they deserve.
-
-It may very well be the case that you have to do this every time you need the committer to follow up upon your PR.
-Again, this is a community project so please be mindful of people's circumstances here; be nice when requesting reviews again.
-
-It may also be the case that the committer has lost interest or isn't familiar enough with the component you're touching to be comfortable merging your PR.
-They will likely not immediately state that fact however, so please ask for clarification and don't hesitate to find yourself another committer to take a look at your PR.
-
-### Nothing helped
-
-If you followed these guidelines but still got no results or if you feel that you have been wronged in some way, please explicitly reach out to the greater community via its communication channels.
-
-The [NixOS Discourse](https://discourse.nixos.org/) is a great place to do this as it has historically been the asynchronous medium with the greatest concentration of committers and other people who are significantly involved in Nixpkgs.
-There is a dedicated discourse thread [PRs in distress](https://discourse.nixos.org/t/prs-in-distress/3604) where you can link your PR if everything else fails.
-The [Nixpkgs / NixOS contributions Matrix channel](https://matrix.to/#/#dev:nixos.org) is the best synchronous channel with the same qualities.
-
-Please reserve these for cases where you've made a serious effort in trying to get the attention of multiple active committers and provided realistic means for them to assess your PR's quality though.
-As mentioned previously, it is unfortunately perfectly normal for a PR to sit around for weeks on end due to the realities of this being a community project.
-Please don't blow up situations where progress is happening but is merely not going fast enough for your tastes.
-Honking in a traffic jam will not make you go any faster.

README.md

@@ -9,7 +9,7 @@
 </p>
 
 <p align="center">
-  <a href="CONTRIBUTING.md"><img src="https://img.shields.io/github/contributors-anon/NixOS/nixpkgs" alt="Contributors badge" /></a>
+  <a href="https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md"><img src="https://img.shields.io/github/contributors-anon/NixOS/nixpkgs" alt="Contributors badge" /></a>
   <a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a>
 </p>
 
@@ -74,7 +74,7 @@ Community contributions are always welcome through GitHub Issues and
 Pull Requests.
 
 For more information about contributing to the project, please visit
-the [contributing page](CONTRIBUTING.md).
+the [contributing page](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
 
 # Donations
 

ci/OWNERS

@@ -1,431 +0,0 @@
-# This file is used to describe who owns what in this repository.
-# Users/teams will get review requests for PRs that change their files.
-#
-# This file does not replace `meta.maintainers`
-# but is instead used for other things than derivations and modules,
-# like documentation, package sets, and other assets.
-#
-# This file uses the same syntax as the natively supported CODEOWNERS file,
-# see https://help.github.com/articles/about-codeowners/ for documentation.
-# However it comes with some notable differences:
-# - There is no need for user/team listed here to have write access.
-# - No reviews will be requested for PRs that target the wrong base branch.
-#
-# Processing of this file is implemented in workflows/codeowners-v2.yml
-
-# CI
-/.github/workflows @NixOS/Security @Mic92 @zowoq
-/.github/workflows/check-nix-format.yml @infinisil
-/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
-/.github/workflows/codeowners-v2.yml @infinisil
-/ci @infinisil @philiptaron @NixOS/Security
-/ci/OWNERS @infinisil @philiptaron
-
-# Development support
-/.editorconfig @Mic92 @zowoq
-/shell.nix @infinisil @NixOS/Security
-
-# Libraries
-/lib                        @infinisil
-/lib/systems                @alyssais @ericson2314 @NixOS/stdenv
-/lib/generators.nix         @infinisil @Profpatsch
-/lib/cli.nix                @infinisil @Profpatsch
-/lib/debug.nix              @infinisil @Profpatsch
-/lib/asserts.nix            @infinisil @Profpatsch
-/lib/path/*                 @infinisil
-/lib/fileset                @infinisil
-## Libraries / Module system
-/lib/modules.nix            @infinisil @roberth
-/lib/types.nix              @infinisil @roberth
-/lib/options.nix            @infinisil @roberth
-/lib/tests/modules.sh       @infinisil @roberth
-/lib/tests/modules          @infinisil @roberth
-
-# Nixpkgs Internals
-/default.nix                                     @Ericson2314
-/pkgs/top-level/default.nix                      @Ericson2314
-/pkgs/top-level/impure.nix                       @Ericson2314
-/pkgs/top-level/stage.nix                        @Ericson2314
-/pkgs/top-level/splice.nix                       @Ericson2314
-/pkgs/top-level/release-cross.nix                @Ericson2314
-/pkgs/top-level/by-name-overlay.nix              @infinisil @philiptaron
-/pkgs/stdenv                                     @philiptaron @NixOS/stdenv
-/pkgs/stdenv/generic                             @Ericson2314 @NixOS/stdenv
-/pkgs/stdenv/generic/check-meta.nix              @Ericson2314 @NixOS/stdenv
-/pkgs/stdenv/cross                               @Ericson2314 @NixOS/stdenv
-/pkgs/build-support                              @philiptaron
-/pkgs/build-support/cc-wrapper                   @Ericson2314
-/pkgs/build-support/bintools-wrapper             @Ericson2314
-/pkgs/build-support/setup-hooks                  @Ericson2314
-/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
-/pkgs/by-name/au/auto-patchelf                   @layus
-/pkgs/pkgs-lib                                   @infinisil
-## Format generators/serializers
-/pkgs/pkgs-lib/formats/libconfig                 @h7x4
-/pkgs/pkgs-lib/formats/hocon                     @h7x4
-
-# Nixpkgs build-support
-/pkgs/build-support/writers @lassulus @Profpatsch
-
-# Nixpkgs make-disk-image
-/doc/build-helpers/images/makediskimage.section.md  @raitobezarius
-/nixos/lib/make-disk-image.nix                 @raitobezarius
-
-# Nix, the package manager
-# @raitobezarius is not "code owner", but is listed here to be notified of changes
-# pertaining to the Nix package manager.
-# i.e. no authority over those files.
-pkgs/tools/package-management/nix/                    @NixOS/nix-team @raitobezarius
-nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobezarius
-
-# Nixpkgs documentation
-/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
-/maintainers/scripts/doc @jtojnar @ryantm
-
-# Contributor documentation
-/CONTRIBUTING.md @infinisil
-/.github/PULL_REQUEST_TEMPLATE.md @infinisil
-/doc/contributing/ @infinisil
-/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
-/lib/README.md @infinisil
-/doc/README.md @infinisil
-/nixos/README.md @infinisil
-/pkgs/README.md @infinisil
-/pkgs/by-name/README.md @infinisil
-/maintainers/README.md @infinisil
-
-# User-facing development documentation
-/doc/development.md @infinisil
-/doc/development @infinisil
-
-# NixOS Internals
-/nixos/default.nix                                    @infinisil
-/nixos/lib/from-env.nix                               @infinisil
-/nixos/lib/eval-config.nix                            @infinisil
-/nixos/modules/system/activation/bootspec.nix         @grahamc @cole-h @raitobezarius
-/nixos/modules/system/activation/bootspec.cue         @grahamc @cole-h @raitobezarius
-
-# NixOS integration test driver
-/nixos/lib/test-driver  @tfc
-
-# NixOS QEMU virtualisation
-/nixos/modules/virtualisation/qemu-vm.nix           @raitobezarius
-
-# ACME
-/nixos/modules/security/acme                @NixOS/acme
-
-# Systemd
-/nixos/modules/system/boot/systemd.nix      @NixOS/systemd
-/nixos/modules/system/boot/systemd          @NixOS/systemd
-/nixos/lib/systemd-*.nix                    @NixOS/systemd
-/pkgs/os-specific/linux/systemd             @NixOS/systemd
-
-# Systemd-boot
-/nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
-
-# Images and installer media
-/nixos/modules/profiles/installation-device.nix @ElvishJerricco
-/nixos/modules/installer/cd-dvd/                @ElvishJerricco
-/nixos/modules/installer/sd-card/
-
-# Amazon
-/nixos/modules/virtualisation/amazon-init.nix     @arianvp
-/nixos/modules/virtualisation/ec2-data.nix        @arianvp
-/nixos/modules/virtualisation/amazon-options.nix  @arianvp
-/nixos/modules/virtualisation/amazon-image.nix    @arianvp
-/nixos/maintainers/scripts/ec2/                   @arianvp
-/nixos/modules/services/misc/amazon-ssm-agent.nix @arianvp
-/nixos/tests/amazon-ssm-agent.nix                 @arianvp
-/nixos/modules/system/boot/grow-partition.nix     @arianvp
-
-
-
-# Updaters
-## update.nix
-/maintainers/scripts/update.nix   @jtojnar
-/maintainers/scripts/update.py    @jtojnar
-## common-updater-scripts
-/pkgs/common-updater/scripts/update-source-version    @jtojnar
-
-# Python-related code and docs
-/doc/languages-frameworks/python.section.md   @mweinelt @natsukium
-/maintainers/scripts/update-python-libraries  @mweinelt @natsukium
-/pkgs/development/interpreters/python         @mweinelt @natsukium
-/pkgs/top-level/python-packages.nix                     @natsukium
-/pkgs/top-level/release-python.nix                      @natsukium
-
-# Haskell
-/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn
-/maintainers/scripts/haskell                  @sternenseemann @maralorn
-/pkgs/development/compilers/ghc               @sternenseemann @maralorn
-/pkgs/development/haskell-modules             @sternenseemann @maralorn
-/pkgs/test/haskell                            @sternenseemann @maralorn
-/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn
-/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn
-
-# Perl
-/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
-/pkgs/top-level/perl-packages.nix   @stigtsp @zakame @marcusramberg
-/pkgs/development/perl-modules      @stigtsp @zakame @marcusramberg
-
-# R
-/pkgs/applications/science/math/R   @jbedo
-/pkgs/development/r-modules         @jbedo
-
-# Rust
-/pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt @figsoda
-/pkgs/build-support/rust @zowoq @winterqt @figsoda
-/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
-
-# Tcl
-/pkgs/development/interpreters/tcl  @fgaz
-/pkgs/development/libraries/tk      @fgaz
-/pkgs/top-level/tcl-packages.nix    @fgaz
-/pkgs/development/tcl-modules       @fgaz
-/doc/languages-frameworks/tcl.section.md @fgaz
-
-# C compilers
-/pkgs/development/compilers/gcc
-/pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
-/pkgs/development/compilers/emscripten @raitobezarius
-/doc/languages-frameworks/emscripten.section.md @raitobezarius
-
-# Audio
-/nixos/modules/services/audio/botamusique.nix @mweinelt
-/nixos/modules/services/audio/snapserver.nix @mweinelt
-/nixos/tests/botamusique.nix @mweinelt
-/nixos/tests/snapcast.nix @mweinelt
-
-# Browsers
-/pkgs/applications/networking/browsers/firefox @mweinelt
-/pkgs/applications/networking/browsers/chromium @emilylange
-/nixos/tests/chromium.nix @emilylange
-
-# Certificate Authorities
-pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
-pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
-pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
-
-# Java
-/doc/languages-frameworks/java.section.md @NixOS/java
-/doc/languages-frameworks/gradle.section.md @NixOS/java
-/doc/languages-frameworks/maven.section.md @NixOS/java
-/pkgs/top-level/java-packages.nix @NixOS/java
-
-# Jetbrains
-/pkgs/applications/editors/jetbrains @edwtjo
-
-# Licenses
-/lib/licenses.nix @alyssais
-
-# Qt
-/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 5
-/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 6
-/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# PostgreSQL and related stuff
-/pkgs/servers/sql/postgresql @NixOS/postgres
-/nixos/modules/services/databases/postgresql.md @NixOS/postgres
-/nixos/modules/services/databases/postgresql.nix @NixOS/postgres
-/nixos/tests/postgresql @NixOS/postgres
-
-# Hardened profile & related modules
-/nixos/modules/profiles/hardened.nix                       @joachifm
-/nixos/modules/security/lock-kernel-modules.nix            @joachifm
-/nixos/modules/security/misc.nix                           @joachifm
-/nixos/tests/hardened.nix                                  @joachifm
-/pkgs/os-specific/linux/kernel/hardened/        @fabianhjr @joachifm
-
-# Home Automation
-/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
-/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
-/nixos/tests/home-assistant.nix @mweinelt
-/nixos/tests/zigbee2mqtt.nix @mweinelt
-/pkgs/servers/home-assistant @mweinelt
-/pkgs/tools/misc/esphome @mweinelt
-
-# Network Time Daemons
-/pkgs/by-name/ch/chrony @thoughtpolice
-/pkgs/by-name/nt/ntp @thoughtpolice
-/pkgs/by-name/op/openntpd @thoughtpolice
-/nixos/modules/services/networking/ntp @thoughtpolice
-
-# Network
-/pkgs/by-name/ke/kea @mweinelt
-/pkgs/by-name/ba/babeld @mweinelt
-/nixos/modules/services/networking/babeld.nix @mweinelt
-/nixos/modules/services/networking/kea.nix @mweinelt
-/nixos/modules/services/networking/knot.nix @mweinelt
-/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
-/nixos/tests/babeld.nix @mweinelt
-/nixos/tests/kea.nix @mweinelt
-/nixos/tests/knot.nix @mweinelt
-
-# Web servers
-/doc/packages/nginx.section.md @raitobezarius
-/pkgs/servers/http/nginx/ @raitobezarius
-/nixos/modules/services/web-servers/nginx/ @raitobezarius
-
-# Dhall
-/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch @ehmry
-/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
-
-# Idris
-/pkgs/development/idris-modules @Infinisil
-/pkgs/development/compilers/idris2 @mattpolzin
-
-# Bazel
-/pkgs/development/tools/build-managers/bazel @Profpatsch
-
-# NixOS modules for e-mail and dns services
-/nixos/modules/services/mail/mailman.nix    @peti
-/nixos/modules/services/mail/postfix.nix    @peti
-/nixos/modules/services/networking/bind.nix @peti
-/nixos/modules/services/mail/rspamd.nix     @peti
-
-# Emacs
-/pkgs/applications/editors/emacs/elisp-packages @NixOS/emacs
-/pkgs/applications/editors/emacs                @NixOS/emacs
-/pkgs/top-level/emacs-packages.nix              @NixOS/emacs
-/doc/packages/emacs.section.md                  @NixOS/emacs
-/nixos/modules/services/editors/emacs.md        @NixOS/emacs
-
-# Kakoune
-/pkgs/applications/editors/kakoune     @philiptaron
-
-# Neovim
-/pkgs/applications/editors/neovim      @NixOS/neovim
-
-# VimPlugins
-/pkgs/applications/editors/vim/plugins         @NixOS/neovim
-
-# VsCode Extensions
-/pkgs/applications/editors/vscode/extensions
-
-# PHP interpreter, packages, extensions, tests and documentation
-/doc/languages-frameworks/php.section.md          @aanderse @drupol @globin @ma27 @talyz
-/nixos/tests/php                                  @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php/build-pecl.nix            @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php                                     @drupol
-/pkgs/development/interpreters/php       @jtojnar @aanderse @drupol @globin @ma27 @talyz
-/pkgs/development/php-packages                    @aanderse @drupol @globin @ma27 @talyz
-/pkgs/top-level/php-packages.nix         @jtojnar @aanderse @drupol @globin @ma27 @talyz
-
-# Docker tools
-/pkgs/build-support/docker                   @roberth
-/nixos/tests/docker-tools*                   @roberth
-/doc/build-helpers/images/dockertools.section.md  @roberth
-
-# Blockchains
-/pkgs/applications/blockchains  @mmahut @RaghavSood
-
-# Go
-/doc/languages-frameworks/go.section.md @kalbasit @katexochen @Mic92 @zowoq
-/pkgs/build-support/go @kalbasit @katexochen @Mic92 @zowoq
-/pkgs/development/compilers/go @kalbasit @katexochen @Mic92 @zowoq
-
-# GNOME
-/pkgs/desktops/gnome                              @jtojnar
-/pkgs/desktops/gnome/extensions                   @jtojnar
-/pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
-
-# Cinnamon
-/pkgs/by-name/ci/cinnamon-*    @mkg20001
-/pkgs/by-name/cj/cjs           @mkg20001
-/pkgs/by-name/mu/muffin        @mkg20001
-/pkgs/by-name/ne/nemo          @mkg20001
-/pkgs/by-name/ne/nemo-*        @mkg20001
-
-# Xfce
-/doc/hooks/xfce4-dev-tools.section.md @NixOS/xfce
-
-# nim
-/doc/languages-frameworks/nim.section.md  @ehmry
-/pkgs/build-support/build-nim-package.nix @ehmry
-/pkgs/top-level/nim-overrides.nix         @ehmry
-
-# terraform providers
-/pkgs/applications/networking/cluster/terraform-providers @zowoq
-
-# Forgejo
-nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
-pkgs/by-name/fo/forgejo/                @adamcstephens @bendlas @emilylange
-
-# Dotnet
-/pkgs/build-support/dotnet                  @corngood
-/pkgs/development/compilers/dotnet          @corngood
-/pkgs/test/dotnet                           @corngood
-/doc/languages-frameworks/dotnet.section.md @corngood
-
-# Node.js
-/pkgs/build-support/node/build-npm-package      @winterqt
-/pkgs/build-support/node/fetch-npm-deps         @winterqt
-/doc/languages-frameworks/javascript.section.md @winterqt
-/pkgs/development/tools/pnpm                    @Scrumplex @gepbird
-
-# OCaml
-/pkgs/build-support/ocaml           @ulrikstrid
-/pkgs/development/compilers/ocaml   @ulrikstrid
-/pkgs/development/ocaml-modules     @ulrikstrid
-
-# ZFS
-pkgs/os-specific/linux/zfs/2_1.nix        @raitobezarius
-pkgs/os-specific/linux/zfs/generic.nix    @raitobezarius
-nixos/modules/tasks/filesystems/zfs.nix   @raitobezarius
-nixos/tests/zfs.nix                       @raitobezarius
-
-# Zig
-/pkgs/development/compilers/zig @figsoda
-/doc/hooks/zig.section.md       @figsoda
-
-# Buildbot
-nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
-nixos/tests/buildbot.nix                               @Mic92 @zowoq
-pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
-
-# Pretix
-pkgs/by-name/pr/pretix/ @mweinelt
-pkgs/by-name/pr/pretalx/ @mweinelt
-nixos/modules/services/web-apps/pretix.nix @mweinelt
-nixos/modules/services/web-apps/pretalx.nix @mweinelt
-nixos/tests/web-apps/pretix.nix @mweinelt
-nixos/tests/web-apps/pretalx.nix @mweinelt
-
-# incus/lxc
-nixos/maintainers/scripts/incus/        @adamcstephens
-nixos/modules/virtualisation/incus.nix  @adamcstephens
-nixos/modules/virtualisation/lxc*       @adamcstephens
-nixos/tests/incus/                      @adamcstephens
-pkgs/by-name/in/incus/                  @adamcstephens
-pkgs/by-name/lx/lxc*                    @adamcstephens
-
-# ExpidusOS, Flutter
-/pkgs/development/compilers/flutter @RossComputerGuy
-/pkgs/desktops/expidus              @RossComputerGuy
-
-# GNU Tar & Zip
-/pkgs/tools/archivers/gnutar        @RossComputerGuy
-/pkgs/by-name/zi/zip           @RossComputerGuy
-
-# SELinux
-/pkgs/by-name/ch/checkpolicy @RossComputerGuy
-/pkgs/by-name/li/libselinux  @RossComputerGuy
-/pkgs/by-name/li/libsepol    @RossComputerGuy
-
-# installShellFiles
-/pkgs/by-name/in/installShellFiles/*     @Ericson2314
-/pkgs/test/install-shell-files/*         @Ericson2314
-/doc/hooks/installShellFiles.section.md  @Ericson2314
-
-# Darwin
-/pkgs/by-name/ap/apple-sdk                     @NixOS/darwin-core
-/pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
-/pkgs/stdenv/darwin                            @NixOS/darwin-core

ci/README.md

@@ -1,7 +1,7 @@
 # CI support files
 
 This directory contains files to support CI, such as [GitHub Actions](https://github.com/NixOS/nixpkgs/tree/master/.github/workflows) and [Ofborg](https://github.com/nixos/ofborg).
-This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which is for human use instead.
+This is in contrast with [`maintainers/scripts`](`../maintainers/scripts`) which is for human use instead.
 
 ## Pinned Nixpkgs
 
@@ -10,89 +10,3 @@ In order to ensure that the needed packages are generally available without buil
 [`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
 
 Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
-
-## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
-
-Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
-In turn, when contributors are running this tool locally, we don't want to have to push commits to test them, and we can also rely on the local Git history to do the mergeability check.
-
-Arguments:
-
-- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
-- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
-
-## `ci/nixpkgs-vet`
-
-This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
-See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
-
-## `ci/nixpkgs-vet/update-pinned-tool.sh`
-
-Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
-
-Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
-
-This script currently needs to be called manually when the CI tooling needs to be updated.
-
-Why not just build the tooling right from the PRs Nixpkgs version?
-
-- Because it allows CI to check all PRs, even if they would break the CI tooling.
-- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
-- Because it improves security, since we don't have to build potentially untrusted code from PRs.
-  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
-
-## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
-
-Check whether a PR is mergeable and return the test merge commit as
-[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests).
-
-Arguments:
-- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
-- `PR_NUMBER`: The PR number, e.g. `1234`
-
-Exit codes:
-- 0: The PR can be merged, the test merge commit hash is returned on stdout
-- 1: The PR cannot be merged because it's not open anymore
-- 2: The PR cannot be merged because it has a merge conflict
-- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
-
-### Usage
-
-This script can be used in GitHub Actions workflows as follows:
-
-```yaml
-on: pull_request_target
-
-# We need a token to query the API, but it doesn't need any special permissions
-permissions: {}
-
-jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-      # Important: Because of `pull_request_target`, this doesn't check out the PR,
-      # but rather the base branch of the PR, which is needed so we don't run untrusted code
-      - uses: actions/checkout@<VERSION>
-        with:
-          path: base
-          sparse-checkout: ci
-      - name: Resolving the merge commit
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-            echo "Checking the merge commit $mergedSha"
-            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
-          else
-            # Skipping so that no notifications are sent
-            echo "Skipping the rest..."
-          fi
-          rm -rf base
-      - uses: actions/checkout@<VERSION>
-        # Add this to _all_ subsequent steps to skip them
-        if: env.mergedSha
-        with:
-          ref: ${{ env.mergedSha }}
-      - ...
-```

ci/codeowners-validator/default.nix

@@ -1,31 +0,0 @@
-{
-  buildGoModule,
-  fetchFromGitHub,
-  fetchpatch,
-}:
-buildGoModule {
-  name = "codeowners-validator";
-  src = fetchFromGitHub {
-    owner = "mszostok";
-    repo = "codeowners-validator";
-    rev = "f3651e3810802a37bd965e6a9a7210728179d076";
-    hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";
-  };
-  patches = [
-    # https://github.com/mszostok/codeowners-validator/pull/222
-    (fetchpatch {
-      name = "user-write-access-check";
-      url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";
-      hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";
-    })
-    # Undoes part of the above PR: We don't want to require write access
-    # to the repository, that's only needed for GitHub's native CODEOWNERS.
-    # Furthermore, it removes an unneccessary check from the code
-    # that breaks tokens generated for GitHub Apps.
-    ./permissions.patch
-    # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var
-    ./owners-file-name.patch
-  ];
-  postPatch = "rm -r docs/investigation";
-  vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";
-}

ci/codeowners-validator/owners-file-name.patch

@@ -1,15 +0,0 @@
-diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go
-index 6910bd2..e0c95e9 100644
---- a/pkg/codeowners/owners.go
-+++ b/pkg/codeowners/owners.go
-@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {
- // openCodeownersFile finds a CODEOWNERS file and returns content.
- // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location
- func openCodeownersFile(dir string) (io.Reader, error) {
-+	if file, ok := os.LookupEnv("OWNERS_FILE"); ok {
-+		return fs.Open(file)
-+	}
-+
- 	var detectedFiles []string
- 	for _, p := range []string{".", "docs", ".github"} {
- 		pth := path.Join(dir, p)

ci/codeowners-validator/permissions.patch

@@ -1,36 +0,0 @@
-diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go
-index a264bcc..610eda8 100644
---- a/internal/check/valid_owner.go
-+++ b/internal/check/valid_owner.go
-@@ -16,7 +16,6 @@ import (
- const scopeHeader = "X-OAuth-Scopes"
- 
- var reqScopes = map[github.Scope]struct{}{
--	github.ScopeReadOrg: {},
- }
- 
- type ValidOwnerConfig struct {
-@@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr
- 	for _, t := range v.repoTeams {
- 		// GitHub normalizes name before comparison
- 		if strings.EqualFold(t.GetSlug(), team) {
--			if t.Permissions["push"] {
--				return nil
--			}
--			return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName)
-+			return nil
- 		}
- 	}
- 
-@@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid
- 	for _, u := range v.repoUsers {
- 		// GitHub normalizes name before comparison
- 		if strings.EqualFold(u.GetLogin(), userName) {
--			if u.Permissions["push"] {
--				return nil
--			}
--			return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName)
-+			return nil
- 		}
- 	}
- 

ci/default.nix

@@ -1,29 +0,0 @@
-let
-  pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
-in
-{
-  system ? builtins.currentSystem,
-
-  nixpkgs ? null,
-}:
-let
-  nixpkgs' =
-    if nixpkgs == null then
-      fetchTarball {
-        url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
-        sha256 = pinnedNixpkgs.sha256;
-      }
-    else
-      nixpkgs;
-
-  pkgs = import nixpkgs' {
-    inherit system;
-    config = { };
-    overlays = [ ];
-  };
-in
-{
-  inherit pkgs;
-  requestReviews = pkgs.callPackage ./request-reviews { };
-  codeownersValidator = pkgs.callPackage ./codeowners-validator { };
-}

ci/get-merge-commit.sh

@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-# See ./README.md for docs
-
-set -euo pipefail
-
-log() {
-    echo "$@" >&2
-}
-
-if (( $# < 2 )); then
-    log "Usage: $0 GITHUB_REPO PR_NUMBER"
-    exit 99
-fi
-repo=$1
-prNumber=$2
-
-# Retry the API query this many times
-retryCount=5
-# Start with 5 seconds, but double every retry
-retryInterval=5
-
-while true; do
-    log "Checking whether the pull request can be merged"
-    prInfo=$(gh api \
-        -H "Accept: application/vnd.github+json" \
-        -H "X-GitHub-Api-Version: 2022-11-28" \
-        "/repos/$repo/pulls/$prNumber")
-
-    # Non-open PRs won't have their mergeability computed no matter what
-    state=$(jq -r .state <<< "$prInfo")
-    if [[ "$state" != open ]]; then
-        log "PR is not open anymore"
-        exit 1
-    fi
-
-    mergeable=$(jq -r .mergeable <<< "$prInfo")
-    if [[ "$mergeable" == "null" ]]; then
-        if (( retryCount == 0 )); then
-            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
-            exit 3
-        else
-            (( retryCount -= 1 )) || true
-
-            # null indicates that GitHub is still computing whether it's mergeable
-            # Wait a couple seconds before trying again
-            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
-            sleep "$retryInterval"
-
-            (( retryInterval *= 2 )) || true
-        fi
-    else
-        break
-    fi
-done
-
-if [[ "$mergeable" == "true" ]]; then
-    log "The PR can be merged"
-    jq -r .merge_commit_sha <<< "$prInfo"
-else
-    log "The PR has a merge conflict"
-    exit 2
-fi

ci/nixpkgs-vet.sh

@@ -1,71 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
-
-set -o pipefail -o errexit -o nounset
-
-trace() { echo >&2 "$@"; }
-
-tmp=$(mktemp -d)
-cleanup() {
-    # Don't exit early if anything fails to cleanup
-    set +o errexit
-
-    trace -n "Cleaning up.. "
-
-    [[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base"
-    [[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged"
-
-    rm -rf "$tmp"
-
-    trace "Done"
-}
-trap cleanup exit
-
-
-repo=https://github.com/NixOS/nixpkgs.git
-
-if (( $# != 0 )); then
-    baseBranch=$1
-    shift
-else
-    trace "Usage: $0 BASE_BRANCH [REPOSITORY]"
-    trace "BASE_BRANCH: The base branch to use, e.g. master or release-23.11"
-    trace "REPOSITORY: The repository to fetch the base branch from, defaults to $repo"
-    exit 1
-fi
-
-if (( $# != 0 )); then
-    repo=$1
-    shift
-fi
-
-if [[ -n "$(git status --porcelain)" ]]; then
-    trace -e "\e[33mWarning: Dirty tree, uncommitted changes won't be taken into account\e[0m"
-fi
-headSha=$(git rev-parse HEAD)
-trace -e "Using HEAD commit \e[34m$headSha\e[0m"
-
-trace -n "Creating Git worktree for the HEAD commit in $tmp/merged.. "
-git worktree add --detach -q "$tmp/merged" HEAD
-trace "Done"
-
-trace -n "Fetching base branch $baseBranch to compare against.. "
-git fetch -q "$repo" refs/heads/"$baseBranch"
-baseSha=$(git rev-parse FETCH_HEAD)
-trace -e "\e[34m$baseSha\e[0m"
-
-trace -n "Creating Git worktree for the base branch in $tmp/base.. "
-git worktree add -q "$tmp/base" "$baseSha"
-trace "Done"
-
-trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
-git -C "$tmp/merged" merge -q --no-edit "$baseSha"
-trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
-trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
-toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
-trace -e "\e[34m$toolVersion\e[0m"
-
-trace -n "Building tool.. "
-nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
-trace "Running nixpkgs-vet.."
-"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

ci/nixpkgs-vet/pinned-version.txt

@@ -1 +0,0 @@
-0.1.4

ci/pinned-nixpkgs.json

@@ -1,4 +1,4 @@
 {
-  "rev": "4de4818c1ffa76d57787af936e8a23648bda6be4",
-  "sha256": "0l3b9jr5ydzqgvd10j12imc9jqb6jv5v2bdi1gyy5cwkwplfay67"
+  "rev": "521d48afa9ae596930a95325529df27fa7135ff5",
+  "sha256": "0a1pa5azw990narsfipdli1wng4nc3vhvrp00hb8v1qfchcq7dc9"
 }

ci/request-reviews/default.nix

@@ -1,43 +0,0 @@
-{
-  lib,
-  stdenvNoCC,
-  makeWrapper,
-  coreutils,
-  codeowners,
-  jq,
-  curl,
-  github-cli,
-  gitMinimal,
-}:
-stdenvNoCC.mkDerivation {
-  name = "request-reviews";
-  src = lib.fileset.toSource {
-    root = ./.;
-    fileset = lib.fileset.unions [
-      ./get-reviewers.sh
-      ./request-reviews.sh
-      ./verify-base-branch.sh
-      ./dev-branches.txt
-    ];
-  };
-  nativeBuildInputs = [ makeWrapper ];
-  dontBuild = true;
-  installPhase = ''
-    mkdir -p $out/bin
-    mv dev-branches.txt $out/bin
-    for bin in *.sh; do
-      mv "$bin" "$out/bin"
-      wrapProgram "$out/bin/$bin" \
-        --set PATH ${
-          lib.makeBinPath [
-            coreutils
-            codeowners
-            jq
-            curl
-            github-cli
-            gitMinimal
-          ]
-        }
-    done
-  '';
-}

ci/request-reviews/dev-branches.txt

@@ -1,7 +0,0 @@
-# Trusted development branches:
-# These generally require PRs to update and are built by Hydra.
-master
-staging
-release-*
-staging-*
-haskell-updates

ci/request-reviews/get-reviewers.sh

@@ -1,126 +0,0 @@
-#!/usr/bin/env bash
-
-# Get the code owners of the files changed by a PR,
-# suitable to be consumed by the API endpoint to request reviews:
-# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request
-
-set -euo pipefail
-
-log() {
-    echo "$@" >&2
-}
-
-if (( "$#" < 7 )); then
-    log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REPO BASE_REF HEAD_REF PR_NUMBER PR_AUTHOR"
-    exit 1
-fi
-
-gitRepo=$1
-ownersFile=$2
-baseRepo=$3
-baseRef=$4
-headRef=$5
-prNumber=$6
-prAuthor=$7
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files"
-readarray -t touchedFiles < "$tmp/touched-files"
-log "This PR touches ${#touchedFiles[@]} files"
-
-# Get the owners file from the base, because we don't want to allow PRs to
-# remove code owners to avoid pinging them
-git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
-
-# Associative array with the user as the key for easy de-duplication
-# Make sure to always lowercase keys to avoid duplicates with different casings
-declare -A users=()
-
-for file in "${touchedFiles[@]}"; do
-    result=$(codeowners --file "$tmp"/codeowners "$file")
-
-    read -r file owners <<< "$result"
-    if [[ "$owners" == "(unowned)" ]]; then
-        log "File $file is unowned"
-        continue
-    fi
-    log "File $file is owned by $owners"
-
-    # Split up multiple owners, separated by arbitrary amounts of spaces
-    IFS=" " read -r -a entries <<< "$owners"
-
-    for entry in "${entries[@]}"; do
-        # GitHub technically also supports Emails as code owners,
-        # but we can't easily support that, so let's not
-        if [[ ! "$entry" =~ @(.*) ]]; then
-            warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2
-            # Don't fail, because the PR for which this script runs can't fix it,
-            # it has to be fixed in the base branch
-            continue
-        fi
-        # The first regex match is everything after the @
-        entry=${BASH_REMATCH[1]}
-
-        if [[ "$entry" =~ (.*)/(.*) ]]; then
-            # Teams look like $org/$team
-            org=${BASH_REMATCH[1]}
-            team=${BASH_REMATCH[2]}
-
-            # Instead of requesting a review from the team itself,
-            # we request reviews from the individual users.
-            # This is because once somebody from a team reviewed the PR,
-            # the API doesn't expose that the team was already requested for a review,
-            # so we wouldn't be able to avoid rerequesting reviews
-            # without saving some some extra state somewhere
-
-            # We could also consider implementing a more advanced heuristic
-            # in the future that e.g. only pings one team member,
-            # but escalates to somebody else if that member doesn't respond in time.
-            gh api \
-                --cache=1h \
-                -H "Accept: application/vnd.github+json" \
-                -H "X-GitHub-Api-Version: 2022-11-28" \
-                "/orgs/$org/teams/$team/members" \
-                --jq '.[].login' > "$tmp/team-members"
-            readarray -t members < "$tmp/team-members"
-            log "Team $entry has these members: ${members[*]}"
-
-            for user in "${members[@]}"; do
-                users[${user,,}]=
-            done
-        else
-            # Everything else is a user
-            users[${entry,,}]=
-        fi
-    done
-
-done
-
-# Cannot request a review from the author
-if [[ -v users[${prAuthor,,}] ]]; then
-    log "One or more files are owned by the PR author, ignoring"
-    unset 'users[${prAuthor,,}]'
-fi
-
-gh api \
-    -H "Accept: application/vnd.github+json" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
-    "/repos/$baseRepo/pulls/$prNumber/reviews" \
-    --jq '.[].user.login' > "$tmp/already-reviewed-by"
-
-# And we don't want to rerequest reviews from people who already reviewed
-while read -r user; do
-    if [[ -v users[${user,,}] ]]; then
-        log "User $user is a code owner but has already left a review, ignoring"
-        unset 'users[${user,,}]'
-    fi
-done < "$tmp/already-reviewed-by"
-
-# Turn it into a JSON for the GitHub API call to request PR reviewers
-jq -n \
-    --arg users "${!users[*]}" \
-    '{
-      reviewers: $users | split(" "),
-    }'

ci/request-reviews/request-reviews.sh

@@ -1,95 +0,0 @@
-#!/usr/bin/env bash
-
-# Requests reviews for a PR after verifying that the base branch is correct
-
-set -euo pipefail
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-SCRIPT_DIR=$(dirname "$0")
-
-log() {
-    echo "$@" >&2
-}
-
-effect() {
-    if [[ -n "${DRY_MODE:-}" ]]; then
-        log "Skipping in dry mode:" "${@@Q}"
-    else
-        "$@"
-    fi
-}
-
-if (( $# < 3 )); then
-    log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE"
-    exit 1
-fi
-baseRepo=$1
-prNumber=$2
-ownersFile=$3
-
-log "Fetching PR info"
-prInfo=$(gh api \
-  -H "Accept: application/vnd.github+json" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  "/repos/$baseRepo/pulls/$prNumber")
-
-baseBranch=$(jq -r .base.ref <<< "$prInfo")
-log "Base branch: $baseBranch"
-prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")
-log "PR repo: $prRepo"
-prBranch=$(jq -r .head.ref <<< "$prInfo")
-log "PR branch: $prBranch"
-prAuthor=$(jq -r .user.login <<< "$prInfo")
-log "PR author: $prAuthor"
-
-extraArgs=()
-if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then
-    # Speedup for local runs
-    extraArgs+=(--reference-if-able "$pwdRepo")
-fi
-
-log "Fetching Nixpkgs commit history"
-# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0
-# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary
-git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git
-
-log "Fetching the PR commit history"
-# Fetch the PR
-git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
-# This remote config is the same as --filter=tree:0 when cloning
-git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
-git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
-
-git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
-headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
-
-log "Checking correctness of the base branch"
-if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
-    log "Posting error as comment"
-    if ! response=$(effect gh api \
-        --method POST \
-        -H "Accept: application/vnd.github+json" \
-        -H "X-GitHub-Api-Version: 2022-11-28" \
-        "/repos/$baseRepo/issues/$prNumber/comments" \
-        -F "body=@$tmp/invalid-base-error"); then
-        log "Failed to post the comment: $response"
-    fi
-    exit 1
-fi
-
-log "Getting code owners to request reviews from"
-"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseRepo" "$baseBranch" "$headRef" "$prNumber" "$prAuthor" > "$tmp/reviewers.json"
-
-log "Requesting reviews from: $(<"$tmp/reviewers.json")"
-
-if ! response=$(effect gh api \
-    --method POST \
-    -H "Accept: application/vnd.github+json" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
-    "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \
-    --input "$tmp/reviewers.json"); then
-    log "Failed to request reviews: $response"
-    exit 1
-fi
-
-log "Successfully requested reviews"

ci/request-reviews/verify-base-branch.sh

@@ -1,104 +0,0 @@
-#!/usr/bin/env bash
-
-# Check that a PR doesn't include commits from other development branches.
-# Fails with next steps if it does
-
-set -euo pipefail
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-SCRIPT_DIR=$(dirname "$0")
-
-log() {
-    echo "$@" >&2
-}
-
-# Small helper to check whether an element is in a list
-# Usage: `elementIn foo "${list[@]}"`
-elementIn() {
-    local e match=$1
-    shift
-    for e; do
-        if [[ "$e" == "$match" ]]; then
-            return 0
-        fi
-    done
-    return 1
-}
-
-if (( $# < 6 )); then
-    log "Usage: $0 LOCAL_REPO HEAD_REF BASE_REPO BASE_BRANCH PR_REPO PR_BRANCH"
-    exit 1
-fi
-localRepo=$1
-headRef=$2
-baseRepo=$3
-baseBranch=$4
-prRepo=$5
-prBranch=$6
-
-# All development branches
-devBranchPatterns=()
-while read -r pattern; do
-    if [[ "$pattern" != '#'* ]]; then
-        devBranchPatterns+=("$pattern")
-    fi
-done < "$SCRIPT_DIR/dev-branches.txt"
-
-git -C "$localRepo" branch --list --format "%(refname:short)" "${devBranchPatterns[@]}" > "$tmp/dev-branches"
-readarray -t devBranches < "$tmp/dev-branches"
-
-if [[ "$baseRepo" == "$prRepo" ]] && elementIn "$prBranch" "${devBranches[@]}"; then
-    log "This PR merges $prBranch into $baseBranch, no commit check necessary"
-    exit 0
-fi
-
-# The current merge base of the PR
-prMergeBase=$(git -C "$localRepo" merge-base "$baseBranch" "$headRef")
-log "The PR's merge base with the base branch $baseBranch is $prMergeBase"
-
-# This is purely for debugging
-git -C "$localRepo" rev-list --reverse "$baseBranch".."$headRef" > "$tmp/pr-commits"
-log "The PR includes these $(wc -l < "$tmp/pr-commits") commits:"
-cat <"$tmp/pr-commits" >&2
-
-for testBranch in "${devBranches[@]}"; do
-
-    if [[ -z "$(git -C "$localRepo" rev-list -1 --since="1 month ago" "$testBranch")" ]]; then
-        log "Not checking $testBranch, was inactive for the last month"
-        continue
-    fi
-    log "Checking if commits from $testBranch are included in the PR"
-
-    # We need to check for any commits that are in the PR which are also in the test branch.
-    # We could check each commit from the PR individually, but that's unnecessarily slow.
-    #
-    # This does _almost_ what we want: `git rev-list --count headRef testBranch ^baseBranch`,
-    # except that it includes commits that are reachable from _either_ headRef or testBranch,
-    # instead of restricting it to ones reachable by both
-
-    # Easily fixable though, because we can use `git merge-base testBranch headRef`
-    # to get the least common ancestor (aka merge base) commit reachable by both.
-    # If the branch being tested is indeed the right base branch,
-    # this is then also the commit from that branch that the PR is based on top of.
-    testMergeBase=$(git -C "$localRepo" merge-base "$testBranch" "$headRef")
-
-    # And then use the `git rev-list --count`, but replacing the non-working
-    # `headRef testBranch` with the merge base of the two.
-    extraCommits=$(git -C "$localRepo" rev-list --count "$testMergeBase" ^"$baseBranch")
-
-    if (( extraCommits != 0 )); then
-        log -e "\e[33m"
-        echo "The PR's base branch is set to $baseBranch, but $extraCommits commits from the $testBranch branch are included. Make sure you know the [right base branch for your changes](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#branch-conventions), then:"
-        echo "- If the changes should go to the $testBranch branch, [change the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) to $testBranch"
-        echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $baseBranch branch:"
-        echo "  \`\`\`bash"
-        echo "  # git rebase --onto \$(git merge-base upstream/$baseBranch HEAD) \$(git merge-base upstream/$testBranch HEAD)"
-        echo "  git rebase --onto $prMergeBase $testMergeBase"
-        echo "  git push --force-with-lease"
-        echo "  \`\`\`"
-        log -e "\e[m"
-        exit 1
-    fi
-done
-
-log "Base branch is correct, no commits from development branches are included"

doc/README.md

@@ -2,20 +2,10 @@
 
 This directory houses the sources files for the Nixpkgs reference manual.
 
-> [!IMPORTANT]
-> We are actively restructuring our documentation to follow the [Diátaxis framework](https://diataxis.fr/)
->
-> Going forward, this directory should **only** contain [reference documentation](https://nix.dev/contributing/documentation/diataxis#reference).
-> For tutorials, guides and explanations, contribute to <https://nix.dev/> instead.
->
-> We are actively working to generate **all** reference documentation from the [doc-comments](https://github.com/NixOS/rfcs/blob/master/rfcs/0145-doc-strings.md) present in code.
-> This also provides the benefit of using `:doc` in the `nix repl` to view reference documentation locally on the fly.
+Going forward, it should only contain [reference](https://nix.dev/contributing/documentation/diataxis#reference) documentation.
+For tutorials, guides and explanations, contribute to <https://nix.dev/> instead.
 
-For documentation only relevant for contributors, use Markdown files next to the source and regular code comments.
-
-> [!TIP]
-> Feedback for improving support for parsing and rendering doc-comments is highly appreciated.
-> [Open an issue](https://github.com/NixOS/nixpkgs/issues/new?labels=6.topic%3A+documentation&title=Doc%3A+) to request bugfixes or new features.
+For documentation only relevant for contributors, use Markdown files and code comments in the source code.
 
 Rendered documentation:
 - [Unstable (from master)](https://nixos.org/manual/nixpkgs/unstable/)
@@ -176,138 +166,109 @@ When needed, each convention explain why it exists, so you can make a decision w
 Note that these conventions are about the **structure** of the manual (and its source files), not about the content that goes in it.
 You, as the writer of documentation, are still in charge of its content.
 
-### One sentence per line
+- Put each sentence in its own line.
+  This makes reviews and suggestions much easier, since GitHub's review system is based on lines.
+  It also helps identifying long sentences at a glance.
 
-Put each sentence in its own line.
-This makes reviews and suggestions much easier, since GitHub's review system is based on lines.
-It also helps identifying long sentences at a glance.
+- Use the [admonition syntax](#admonitions) for callouts and examples.
 
-### Callouts and examples
+- Provide at least one example per function, and make examples self-contained.
+  This is easier to understand for beginners.
+  It also helps with testing that it actually works – especially once we introduce automation.
 
-Use the [admonition syntax](#admonitions) for callouts and examples.
+  Example code should be such that it can be passed to `pkgs.callPackage`.
+  Instead of something like:
 
-### Provide self-contained examples
+  ```nix
+  pkgs.dockerTools.buildLayeredImage {
+    name = "hello";
+    contents = [ pkgs.hello ];
+  }
+  ```
 
-Provide at least one example per function, and make examples self-contained.
-This is easier to understand for beginners.
-It also helps with testing that it actually works – especially once we introduce automation.
+  Write something like:
 
-Example code should be such that it can be passed to `pkgs.callPackage`.
-Instead of something like:
+  ```nix
+  { dockerTools, hello }:
+  dockerTools.buildLayeredImage {
+    name = "hello";
+    contents = [ hello ];
+  }
+  ```
 
-```nix
-pkgs.dockerTools.buildLayeredImage {
-  name = "hello";
-  contents = [ pkgs.hello ];
-}
-```
+- When showing inputs/outputs of any [REPL](https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop), such as a shell or the Nix REPL, use a format as you'd see in the REPL, while trying to visually separate inputs from outputs.
+  This means that for a shell, you should use a format like the following:
+  ```shell
+  $ nix-build -A hello '<nixpkgs>' \
+    --option require-sigs false \
+    --option trusted-substituters file:///tmp/hello-cache \
+    --option substituters file:///tmp/hello-cache
+  /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1
+  ```
+  Note how the input is preceded by `$` on the first line and indented on subsequent lines, and how the output is provided as you'd see on the shell.
 
-Write something like:
+  For the Nix REPL, you should use a format like the following:
+  ```shell
+  nix-repl> builtins.attrNames { a = 1; b = 2; }
+  [ "a" "b" ]
+  ```
+  Note how the input is preceded by `nix-repl>` and the output is provided as you'd see on the Nix REPL.
 
-```nix
-{ dockerTools, hello }:
-dockerTools.buildLayeredImage {
-  name = "hello";
-  contents = [ hello ];
-}
-```
+- When documenting functions or anything that has inputs/outputs and example usage, use nested headings to clearly separate inputs, outputs, and examples.
+  Keep examples as the last nested heading, and link to the examples wherever applicable in the documentation.
 
-### REPLs
+  The purpose of this convention is to provide a familiar structure for navigating the manual, so any reader can expect to find content related to inputs in an "inputs" heading, examples in an "examples" heading, and so on.
+  An example:
+  ```
+  ## buildImage
 
-When showing inputs/outputs of any [REPL](https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop), such as a shell or the Nix REPL, use a format as you'd see in the REPL, while trying to visually separate inputs from outputs.
-This means that for a shell, you should use a format like the following:
-```shell
-$ nix-build -A hello '<nixpkgs>' \
-  --option require-sigs false \
-  --option trusted-substituters file:///tmp/hello-cache \
-  --option substituters file:///tmp/hello-cache
-/nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1
-```
-Note how the input is preceded by `$` on the first line and indented on subsequent lines, and how the output is provided as you'd see on the shell.
+  Some explanation about the function here.
+  Describe a particular scenario, and point to [](#ex-dockerTools-buildImage), which is an example demonstrating it.
 
-For the Nix REPL, you should use a format like the following:
-```shell
-nix-repl> builtins.attrNames { a = 1; b = 2; }
-[ "a" "b" ]
-```
-Note how the input is preceded by `nix-repl>` and the output is provided as you'd see on the Nix REPL.
+  ### Inputs
 
-### Headings for inputs, outputs and examples
+  Documentation for the inputs of `buildImage`.
+  Perhaps even point to [](#ex-dockerTools-buildImage) again when talking about something specifically linked to it.
 
-When documenting functions or anything that has inputs/outputs and example usage, use nested headings to clearly separate inputs, outputs, and examples.
-Keep examples as the last nested heading, and link to the examples wherever applicable in the documentation.
+  ### Passthru outputs
 
-The purpose of this convention is to provide a familiar structure for navigating the manual, so any reader can expect to find content related to inputs in an "inputs" heading, examples in an "examples" heading, and so on.
-An example:
-```
-## buildImage
+  Documentation for any passthru outputs of `buildImage`.
 
-Some explanation about the function here.
-Describe a particular scenario, and point to [](#ex-dockerTools-buildImage), which is an example demonstrating it.
+  ### Examples
 
-### Inputs
+  Note that this is the last nested heading in the `buildImage` section.
 
-Documentation for the inputs of `buildImage`.
-Perhaps even point to [](#ex-dockerTools-buildImage) again when talking about something specifically linked to it.
+  :::{.example #ex-dockerTools-buildImage}
 
-### Passthru outputs
+  # Using `buildImage`
 
-Documentation for any passthru outputs of `buildImage`.
+  Example of how to use `buildImage` goes here.
 
-### Examples
+  :::
+  ```
 
-Note that this is the last nested heading in the `buildImage` section.
+- Use [definition lists](#definition-lists) to document function arguments, and the attributes of such arguments as well as their [types](https://nixos.org/manual/nix/stable/language/values).
+  For example:
 
-:::{.example #ex-dockerTools-buildImage}
+  ```markdown
+  # pkgs.coolFunction
 
-# Using `buildImage`
+  Description of what `coolFunction` does.
 
-Example of how to use `buildImage` goes here.
+  ## Inputs
 
-:::
-```
+  `coolFunction` expects a single argument which should be an attribute set, with the following possible attributes:
 
-### Function arguments
+  `name` (String)
 
-Use [definition lists](#definition-lists) to document function arguments, and the attributes of such arguments as well as their [types](https://nixos.org/manual/nix/stable/language/values).
-For example:
+  : The name of the resulting image.
 
-```markdown
-# pkgs.coolFunction {#pkgs.coolFunction}
+  `tag` (String; _optional_)
 
-`pkgs.coolFunction` *`name`* *`config`*
+  : Tag of the generated image.
 
-Description of what `callPackage` does.
-
-
-## Inputs {#pkgs-coolFunction-inputs}
-
-If something's special about `coolFunction`'s general argument handling, you can say so here.
-Otherwise, just describe the single argument or start the arguments' definition list without introduction.
-
-*`name`* (String)
-
-: The name of the resulting image.
-
-*`config`* (Attribute set)
-
-: Introduce the parameter. Maybe you have a test to make sure `{ }` is a sensible default; then you can say: these attributes are optional; `{ }` is a valid argument.
-
-  `outputHash` (String; _optional_)
-
-  : A brief explanation including when and when not to pass this attribute.
-
-  : _Default:_ the output path's hash.
-```
-
-Checklist:
-- Start with a synopsis, to show the order of positional arguments.
-- Metavariables are in emphasized code spans: ``` *`arg1`* ```. Metavariables are placeholders where users may write arbitrary expressions. This includes positional arguments.
-- Attribute names are regular code spans: ``` `attr1` ```. These identifiers can _not_ be picked freely by users, so they are _not_ metavariables.
-- _optional_ attributes have a _`Default:`_ if it's easily described as a value.
-- _optional_ attributes have a _`Default behavior:`_ if it's not easily described using a value.
-- Nix types aren't in code spans, because they are not code
-- Nix types are capitalized, to distinguish them from the camelCase Module System types, which _are_ code and behave like functions.
+    _Default:_ the output path's hash.
+  ```
 
 #### Examples
 

doc/build-helpers/fetchers.chapter.md

@@ -157,12 +157,6 @@ Here are security considerations for this scenario:
 
   In more concrete terms, if you use any other hash, the [`--insecure` flag](https://curl.se/docs/manpage.html#-k) will be passed to the underlying call to `curl` when downloading content.
 
-## Proxy usage {#sec-pkgs-fetchers-proxy}
-
-Nixpkgs fetchers can make use of a http(s) proxy. Each fetcher will automatically inherit proxy-related environment variables (`http_proxy`, `https_proxy`, etc) via [impureEnvVars](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-impureEnvVars).
-
-The environment variable `NIX_SSL_CERT_FILE` is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors.
-
 []{#fetchurl}
 ## `fetchurl` {#sec-pkgs-fetchers-fetchurl}
 

doc/build-helpers/images/appimagetools.section.md

@@ -64,7 +64,7 @@ let
 
   src = fetchurl {
     url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
-    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
+    sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
   };
 in appimageTools.wrapType2 {
   inherit pname version src;
@@ -100,7 +100,7 @@ let
 
   src = fetchurl {
     url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
-    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
+    sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
   };
 
   appimageContents = appimageTools.extract {
@@ -117,7 +117,7 @@ in appimageTools.wrapType2 {
     install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/512x512/apps/irccloud.png \
       $out/share/icons/hicolor/512x512/apps/irccloud.png
     substituteInPlace $out/share/applications/irccloud.desktop \
-      --replace-fail 'Exec=AppRun' 'Exec=${pname}'
+      --replace 'Exec=AppRun' 'Exec=${pname}'
   '';
 }
 ```
@@ -141,13 +141,13 @@ let
 
   src = fetchurl {
     url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
-    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
+    sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
   };
 
   appimageContents = appimageTools.extract {
     inherit pname version src;
     postExtract = ''
-      substituteInPlace $out/irccloud.desktop --replace-fail 'Exec=AppRun' 'Exec=${pname}'
+      substituteInPlace $out/irccloud.desktop --replace 'Exec=AppRun' 'Exec=${pname}'
     '';
   };
 in appimageTools.wrapType2 {

doc/build-helpers/images/dockertools.section.md

@@ -50,10 +50,6 @@ Similarly, if you encounter errors similar to `Error_Protocol ("certificate has
   If specified, the layer created by `buildImage` will be appended to the layers defined in the base image, resulting in an image with at least two layers (one or more layers from the base image, and the layer created by `buildImage`).
   Otherwise, the resulting image with contain the single layer created by `buildImage`.
 
-  :::{.note}
-  Only **Env** configuration is inherited from the base image.
-  :::
-
   _Default value:_ `null`.
 
 `fromImageName` (String or Null; _optional_)
@@ -453,7 +449,7 @@ See [](#ex-dockerTools-streamLayeredImage-exploringlayers) to understand how the
 `streamLayeredImage` allows scripts to be run when creating the additional layer with symlinks, allowing custom behaviour to affect the final results of the image (see the documentation of the `extraCommands` and `fakeRootCommands` attributes).
 
 The resulting repository tarball will list a single image as specified by the `name` and `tag` attributes.
-By default, that image will use a static creation date (see documentation for the `created` and `mtime` attributes).
+By default, that image will use a static creation date (see documentation for the `created` attribute).
 This allows the function to produce reproducible images.
 
 ### Inputs {#ssec-pkgs-dockerTools-streamLayeredImage-inputs}
@@ -516,7 +512,6 @@ This allows the function to produce reproducible images.
 `created` (String; _optional_)
 
 : Specifies the time of creation of the generated image.
-  This date will be used for the image metadata.
   This should be either a date and time formatted according to [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601) or `"now"`, in which case the current date will be used.
 
   :::{.caution}
@@ -525,18 +520,6 @@ This allows the function to produce reproducible images.
 
   _Default value:_ `"1970-01-01T00:00:01Z"`.
 
-`mtime` (String; _optional_)
-
-: Specifies the time used for the modification timestamp of files within the layers of the generated image.
-  This should be either a date and time formatted according to [ISO-8601](https://en.wikipedia.org/wiki/ISO_8601) or `"now"`, in which case the current date will be used.
-
-  :::{.caution}
-  Using a non-constant date will cause built layers to have a different hash each time, preventing deduplication.
-  Using `"now"` also means that the generated image will not be reproducible anymore (because the date will always change whenever it's built).
-  :::
-
-  _Default value:_ `"1970-01-01T00:00:01Z"`.
-
 `uid` (Number; _optional_) []{#dockerTools-buildLayeredImage-arg-uid}
 `gid` (Number; _optional_) []{#dockerTools-buildLayeredImage-arg-gid}
 `uname` (String; _optional_) []{#dockerTools-buildLayeredImage-arg-uname}

doc/build-helpers/special/vm-tools.section.md

@@ -125,8 +125,6 @@ A set of functions that build a predefined set of minimal Linux distributions im
   * `debian10x86_64`
   * `debian11i386`
   * `debian11x86_64`
-  * `debian12i386`
-  * `debian12x86_64`
 
 ### Attributes {#vm-tools-diskImageFuns-attributes}
 

doc/build-helpers/testers.chapter.md

@@ -339,41 +339,6 @@ once to get a derivation hash, and again to produce the final fixed output deriv
 
 :::
 
-## `runCommand` {#tester-runCommand}
-
-`runCommand :: { name, script, stdenv ? stdenvNoCC, hash ? "...", ... } -> Derivation`
-
-This is a wrapper around `pkgs.runCommandWith`, which
-- produces a fixed-output derivation, enabling the command(s) to access the network ;
-- salts the derivation's name based on its inputs, ensuring the command is re-run whenever the inputs changes.
-
-It accepts the following attributes:
-- the derivation's `name` ;
-- the `script` to be executed ;
-- `stdenv`, the environment to use, defaulting to `stdenvNoCC` ;
-- the derivation's output `hash`, defaulting to the empty file's.
-  The derivation's `outputHashMode` is set by default to recursive, so the `script` can output a directory as well.
-
-All other attributes are passed through to [`mkDerivation`](#sec-using-stdenv),
-including `nativeBuildInputs` to specify dependencies available to the `script`.
-
-:::{.example #ex-tester-runCommand-nix}
-
-# Run a command with network access
-
-```nix
-testers.runCommand {
-  name = "access-the-internet";
-  command = ''
-    curl -o /dev/null https://example.com
-    touch $out
-  '';
-  nativeBuildInputs = with pkgs; [ cacert curl ];
-}
-```
-
-:::
-
 ## `runNixOSTest` {#tester-runNixOSTest}
 
 A helper function that behaves exactly like the NixOS `runTest`, except it also assigns this Nixpkgs package set as the `pkgs` of the test and makes the `nixpkgs.*` options read-only.

doc/build-helpers/trivial-build-helpers.chapter.md

@@ -3,122 +3,32 @@
 Nixpkgs provides a variety of wrapper functions that help build commonly useful derivations.
 Like [`stdenv.mkDerivation`](#sec-using-stdenv), each of these build helpers creates a derivation, but the arguments passed are different (usually simpler) from those required by `stdenv.mkDerivation`.
 
+## `runCommand` {#trivial-builder-runCommand}
 
-## `runCommandWith` {#trivial-builder-runCommandWith}
+`runCommand :: String -> AttrSet -> String -> Derivation`
 
-The function `runCommandWith` returns a derivation built using the specified command(s), in a specified environment.
+The result of `runCommand name drvAttrs buildCommand` is a derivation that is built by running the specified shell commands.
 
-It is the underlying base function of  all [`runCommand*` variants].
-The general behavior is controlled via a single attribute set passed
-as the first argument, and allows specifying `stdenv` freely.
+By default `runCommand` runs in a stdenv with no compiler environment, whereas [`runCommandCC`](#trivial-builder-runCommandCC) uses the default stdenv, `pkgs.stdenv`.
 
-The following [`runCommand*` variants] exist: `runCommand`, `runCommandCC`, and `runCommandLocal`.
+`name :: String`
+:   The name that Nix will append to the store path in the same way that `stdenv.mkDerivation` uses its `name` attribute.
 
-[`runCommand*` variants]: #trivial-builder-runCommand
+`drvAttr :: AttrSet`
+:   Attributes to pass to the underlying call to [`stdenv.mkDerivation`](#chap-stdenv).
 
-### Type {#trivial-builder-runCommandWith-Type}
-
-```
-runCommandWith :: {
-  name :: name;
-  stdenv? :: Derivation;
-  runLocal? :: Bool;
-  derivationArgs? :: { ... };
-} -> String -> Derivation
-```
-
-### Inputs {#trivial-builder-runCommandWith-Inputs}
-
-`name` (String)
-:   The derivation's name, which Nix will append to the store path; see [`mkDerivation`](#sec-using-stdenv).
-
-`runLocal` (Boolean)
-:   If set to `true` this forces the derivation to be built locally, not using [substitutes] nor remote builds.
-    This is intended for very cheap commands (<1s execution time) which can be sped up by avoiding the network round-trip(s).
-    Its effect is to set [`preferLocalBuild = true`][preferLocalBuild] and [`allowSubstitutes = false`][allowSubstitutes].
-
-   ::: {.note}
-   This prevents the use of [substituters][substituter], so only set `runLocal` (or use `runCommandLocal`) when certain the user will
-   always have a builder for the `system` of the derivation. This should be true for most trivial use cases
-   (e.g., just copying some files to a different location or adding symlinks) because there the `system`
-   is usually the same as `builtins.currentSystem`.
-   :::
-
-`stdenv` (Derivation)
-:   The [standard environment](#chap-stdenv) to use, defaulting to `pkgs.stdenv`
-
-`derivationArgs` (Attribute set)
-:   Additional arguments for [`mkDerivation`](#sec-using-stdenv).
-
-`buildCommand` (String)
+`buildCommand :: String`
 :   Shell commands to run in the derivation builder.
 
     ::: {.note}
     You have to create a file or directory `$out` for Nix to be able to run the builder successfully.
     :::
 
-[allowSubstitutes]: https://nixos.org/nix/manual/#adv-attr-allowSubstitutes
-[preferLocalBuild]: https://nixos.org/nix/manual/#adv-attr-preferLocalBuild
-[substituter]: https://nix.dev/manual/nix/latest/glossary#gloss-substituter
-[substitutes]: https://nix.dev/manual/nix/2.23/glossary#gloss-substitute
-
-::: {.example #ex-runcommandwith}
-# Invocation of `runCommandWith`
-
-```nix
-runCommandWith {
-  name = "example";
-  derivationArgs.nativeBuildInputs = [ cowsay ];
-} ''
-  cowsay > $out <<EOMOO
-  'runCommandWith' is a bit cumbersome,
-  so we have more ergonomic wrappers.
-  EOMOO
-''
-```
-
-:::
-
-
-## `runCommand` and `runCommandCC` {#trivial-builder-runCommand}
-
-The function `runCommand` returns a derivation built using the specified command(s), in the `stdenvNoCC` environment.
-
-`runCommandCC` is similar but uses the default compiler environment. To minimize dependencies, `runCommandCC`
-should only be used when the build command needs a C compiler.
-
-`runCommandLocal` is also similar to `runCommand`, but forces the derivation to be built locally.
-See the note on [`runCommandWith`] about `runLocal`.
-
-[`runCommandWith`]: #trivial-builder-runCommandWith
-
-### Type {#trivial-builder-runCommand-Type}
-
-```
-runCommand      :: String -> AttrSet -> String -> Derivation
-runCommandCC    :: String -> AttrSet -> String -> Derivation
-runCommandLocal :: String -> AttrSet -> String -> Derivation
-```
-
-### Input {#trivial-builder-runCommand-Input}
-
-While the type signature(s) differ from [`runCommandWith`], individual arguments with the same name will have the same type and meaning:
-
-`name` (String)
-:   The derivation's name
-
-`derivationArgs` (Attribute set)
-:   Additional parameters passed to [`mkDerivation`]
-
-`buildCommand` (String)
-:   The command(s) run to build the derivation.
-
-
 ::: {.example #ex-runcommand-simple}
 # Invocation of `runCommand`
 
 ```nix
-runCommand "my-example" {} ''
+(import <nixpkgs> {}).runCommand "my-example" {} ''
   echo My example command is running
 
   mkdir $out
@@ -139,24 +49,18 @@ runCommand "my-example" {} ''
 ```
 :::
 
+## `runCommandCC` {#trivial-builder-runCommandCC}
+
+This works just like `runCommand`. The only difference is that it also provides a C compiler in `buildCommand`'s environment. To minimize your dependencies, you should only use this if you are sure you will need a C compiler as part of running your command.
+
+## `runCommandLocal` {#trivial-builder-runCommandLocal}
+
+Variant of `runCommand` that forces the derivation to be built locally, it is not substituted. This is intended for very cheap commands (<1s execution time). It saves on the network round-trip and can speed up a build.
+
 ::: {.note}
-`runCommand name derivationArgs buildCommand` is equivalent to
-```nix
-runCommandWith {
-  inherit name derivationArgs;
-  stdenv = stdenvNoCC;
-} buildCommand
-```
-
-Likewise, `runCommandCC name derivationArgs buildCommand` is equivalent to
-```nix
-runCommandWith {
-  inherit name derivationArgs;
-} buildCommand
-```
+This sets [`allowSubstitutes` to `false`](https://nixos.org/nix/manual/#adv-attr-allowSubstitutes), so only use `runCommandLocal` if you are certain the user will always have a builder for the `system` of the derivation. This should be true for most trivial use cases (e.g., just copying some files to a different location or adding symlinks) because there the `system` is usually the same as `builtins.currentSystem`.
 :::
 
-
 ## Writing text files {#trivial-builder-text-writing}
 
 Nixpkgs provides the following functions for producing derivations which write text files or executable scripts into the Nix store.
@@ -501,7 +405,7 @@ writeTextFile {
   text = ''
     Contents of File
   '';
-  destination = "/share/my-file";
+  destination = "share/my-file";
 }
 ```
 
@@ -533,6 +437,7 @@ writeScript "my-file"
   Contents of File
   ''
 ```
+:::
 
 This is equivalent to:
 
@@ -545,7 +450,6 @@ writeTextFile {
   executable = true;
 }
 ```
-:::
 
 ### `writeScriptBin` {#trivial-builder-writeScriptBin}
 
@@ -586,7 +490,7 @@ writeTextFile {
     echo "hi"
   '';
   executable = true;
-  destination = "/bin/my-script";
+  destination = "bin/my-script";
 }
 ```
 
@@ -674,7 +578,7 @@ writeTextFile {
     echo "hi"
   '';
   executable = true;
-  destination = "/bin/my-script";
+  destination = "bin/my-script";
 }
 ```
 
@@ -732,7 +636,7 @@ writeShellApplication {
 
 ## `symlinkJoin` {#trivial-builder-symlinkJoin}
 
-This can be used to put many derivations into the same directory structure. It works by creating a new derivation and adding symlinks to each of the paths listed. It expects two arguments, `name`, and `paths`. `name` (or alternatively `pname` and `version`) is the name used in the Nix store path for the created derivation. `paths` is a list of paths that will be symlinked. These paths can be to Nix store derivations or any other subdirectory contained within.
+This can be used to put many derivations into the same directory structure. It works by creating a new derivation and adding symlinks to each of the paths listed. It expects two arguments, `name`, and `paths`. `name` is the name used in the Nix store path for the created derivation. `paths` is a list of paths that will be symlinked. These paths can be to Nix store derivations or any other subdirectory contained within.
 Here is an example:
 ```nix
 # adds symlinks of hello and stack to current build and prints "links added"

doc/doc-support/lib-function-docs.nix

@@ -74,7 +74,7 @@
     }
     {
       name = "customisation";
-      description = "Functions to customise (derivation-related) functions, derivations, or attribute sets";
+      description = "Functions to customise (derivation-related) functions, derivatons, or attribute sets";
     }
     {
       name = "meta";
@@ -106,7 +106,6 @@ stdenvNoCC.mkDerivation {
       --arg nixpkgsPath "./." \
       --argstr revision ${nixpkgs.rev or "master"} \
       --argstr libsetsJSON ${lib.escapeShellArg (builtins.toJSON libsets)} \
-      --store $(mktemp -d) \
       > locations.json
 
     function docgen {

doc/doc-support/package.nix

@@ -5,8 +5,6 @@
   lib,
   stdenvNoCC,
   callPackage,
-  devmode,
-  mkShellNoCC,
   documentation-highlighter,
   nixos-render-docs,
   nixpkgs ? { },
@@ -62,7 +60,7 @@ stdenvNoCC.mkDerivation (
 
       nixos-render-docs manual html \
         --manpage-urls ./manpage-urls.json \
-        --revision ${nixpkgs.rev or "master"} \
+        --revision ${lib.trivial.revisionWithDefault (nixpkgs.rev or "master")} \
         --stylesheet style.css \
         --stylesheet highlightjs/mono-blue.css \
         --script ./highlightjs/highlight.pack.js \
@@ -97,14 +95,10 @@ stdenvNoCC.mkDerivation (
 
       pythonInterpreterTable = callPackage ./python-interpreter-table.nix { };
 
-      shell =
-        let
-          devmode' = devmode.override {
-            buildArgs = "./.";
-            open = "/share/doc/nixpkgs/manual.html";
-          };
-        in
-        mkShellNoCC { packages = [ devmode' ]; };
+      shell = callPackage ../../pkgs/tools/nix/web-devmode.nix {
+        buildArgs = "./.";
+        open = "/share/doc/nixpkgs/manual.html";
+      };
 
       tests.manpage-urls = callPackage ../tests/manpage-urls.nix { };
     };

doc/hooks/aws-c-common.section.md

@@ -1,4 +0,0 @@
-# `aws-c-common` {#aws-c-common}
-
-This hook exposes its own [CMake](#cmake) modules by setting [`CMAKE_MODULE_PATH`](https://cmake.org/cmake/help/latest/variable/CMAKE_MODULE_PATH.html) through [the `cmakeFlags` variable](#cmake-flags)
-to the nonstandard `$out/lib/cmake` directory, as a workaround for [an upstream bug](https://github.com/awslabs/aws-c-common/issues/844).

doc/hooks/cernlib.section.md

@@ -1,3 +0,0 @@
-# CERNLIB {#cernlib-hook}
-
-This hook sets the `CERN`, `CERN_LEVEL`, and `CERN_ROOT` environment variables. They are part of [CERNLIB's build system](https://cernlib.web.cern.ch/install/install.html), and are are needed for some programs to compile correctly.

doc/hooks/cmake.section.md

@@ -1,35 +1,3 @@
 # cmake {#cmake}
 
-Overrides the default configure phase to run the CMake command.
-
-By default, we use the Make generator of CMake.
-But when Ninja is also available as a `nativeBuildInput`, this setup hook will detect that and use the ninja generator.
-
-Dependencies are added automatically to `CMAKE_PREFIX_PATH` so that packages are correctly detected by CMake.
-Some additional flags are passed in to give similar behavior to configure-based packages.
-
-By default, parallel building is enabled as CMake supports parallel building almost everywhere.
-
-You can disable this hook’s behavior by setting `configurePhase` to a custom value, or by setting `dontUseCmakeConfigure`.
-
-## Variables controlling CMake {#cmake-variables-controlling}
-
-### CMake Exclusive Variables {#cmake-exclusive-variables}
-
-#### `cmakeFlags` {#cmake-flags}
-
-Controls the flags passed to `cmake setup` during configure phase.
-
-#### `cmakeBuildDir` {#cmake-build-dir}
-
-Directory where CMake will put intermediate files.
-
-Setting this can be useful for debugging multiple CMake builds while in the same source directory, for example, when building for different platforms.
-Different values for each build will prevent build artefacts from interefering with each other.
-This setting has no tangible effect when running the build in a sandboxed derivation.
-
-The default value is `build`.
-
-#### `dontUseCmakeConfigure` {#dont-use-cmake-configure}
-
-When set to true, don't use the predefined `cmakeConfigurePhase`.
+Overrides the default configure phase to run the CMake command. By default, we use the Make generator of CMake. In addition, dependencies are added automatically to `CMAKE_PREFIX_PATH` so that packages are correctly detected by CMake. Some additional flags are passed in to give similar behavior to configure-based packages. You can disable this hook’s behavior by setting `configurePhase` to a custom value, or by setting `dontUseCmakeConfigure`. `cmakeFlags` controls flags passed only to CMake. By default, parallel building is enabled as CMake supports parallel building almost everywhere. When Ninja is also in use, CMake will detect that and use the ninja generator.

doc/hooks/desktop-file-utils.section.md

@@ -1,5 +0,0 @@
-# desktop-file-utils {#desktop-file-utils}
-
-This setup hook removes the MIME cache (located at `$out/share/applications/mimeinfo.cache`) in the `preFixupPhase`.
-
-This hook is necessary because `mimeinfo.cache` can be created when a package uses `desktop-file-utils`, resulting in collisions if multiple packages are installed that contain this file (as in [#48295](https://github.com/NixOS/nixpkgs/issues/48295)).

doc/hooks/haredo.section.md

@@ -1,29 +0,0 @@
-# `haredo` {#haredo-hook}
-
-This hook uses [the `haredo` command runner](https://sr.ht/~autumnull/haredo/) to build, check, and install the package. It overrides `buildPhase`, `checkPhase`, and `installPhase` by default.
-
-The hook builds its targets in parallel if [`config.enableParallelBuilding`](#var-stdenv-enableParallelBuilding) is set to `true`.
-
-## `buildPhase` {#haredo-hook-buildPhase}
-
-This phase attempts to build the default target.
-
-[]{#haredo-hook-haredoBuildTargets} Targets can be explicitly set by adding a string to the `haredoBuildTargets` list.
-
-[]{#haredo-hook-dontUseHaredoBuild} This behavior can be disabled by setting `dontUseHaredoBuild` to `true`.
-
-## `checkPhase` {#haredo-hook-checkPhase}
-
-This phase searches for the `check.do` or `test.do` targets, running them if they exist.
-
-[]{#haredo-hook-haredoCheckTargets} Targets can be explicitly set by adding a string to the `haredoCheckTargets` list.
-
-[]{#haredo-hook-dontUseHaredoCheck} This behavior can be disabled by setting `dontUseHaredoCheck` to `true`.
-
-## `installPhase` {#haredo-hook-installPhase}
-
-This phase attempts to build the `install.do` target, if it exists.
-
-[]{#haredo-hook-haredoInstallTargets} Targets can be explicitly set by adding a string to the `haredoInstallTargets` list.
-
-[]{#haredo-hook-dontUseHaredoInstall} This behavior can be disabled by setting `dontUseHaredoInstall` to `true`.

doc/hooks/index.md

@@ -8,18 +8,13 @@ The stdenv built-in hooks are documented in [](#ssec-setup-hooks).
 autoconf.section.md
 automake.section.md
 autopatchelf.section.md
-aws-c-common.section.md
 bmake.section.md
 breakpoint.section.md
-cernlib.section.md
 cmake.section.md
-desktop-file-utils.section.md
 gdk-pixbuf.section.md
 ghc.section.md
 gnome.section.md
-haredo.section.md
 installShellFiles.section.md
-just.section.md
 libiconv.section.md
 libxml2.section.md
 meson.section.md
@@ -29,10 +24,8 @@ patch-rc-path-hooks.section.md
 perl.section.md
 pkg-config.section.md
 postgresql-test-hook.section.md
-premake.section.md
 python.section.md
 scons.section.md
-tauri.section.md
 tetex-tex-live.section.md
 unzip.section.md
 validatePkgConfig.section.md
@@ -40,5 +33,4 @@ versionCheckHook.section.md
 waf.section.md
 zig.section.md
 xcbuild.section.md
-xfce4-dev-tools.section.md
 ```

doc/hooks/installShellFiles.section.md

@@ -1,79 +1,16 @@
 # `installShellFiles` {#installshellfiles}
 
-This hook adds helpers that install artifacts like executable files, manpages
-and shell completions.
+This hook helps with installing manpages and shell completion files. It exposes 2 shell functions `installManPage` and `installShellCompletion` that can be used from your `postInstall` hook.
 
-It exposes the following functions that can be used from your `postInstall`
-hook:
+The `installManPage` function takes one or more paths to manpages to install. The manpages must have a section suffix, and may optionally be compressed (with `.gz` suffix). This function will place them into the correct `share/man/man<section>/` directory, in [`outputMan`](#outputman).
 
-## `installBin` {#installshellfiles-installbin}
-
-The `installBin` function takes one or more paths to files to install as
-executable files.
-
-This function will place them into [`outputBin`](#outputbin).
-
-### Example Usage {#installshellfiles-installbin-exampleusage}
-
-```nix
-{
-  nativeBuildInputs = [ installShellFiles ];
-
-  # Sometimes the file has an undersirable name. It should be renamed before
-  # being installed via installBin
-  postInstall = ''
-    mv a.out delmar
-    installBin foobar delmar
-  '';
-}
-```
-
-## `installManPage` {#installshellfiles-installmanpage}
-
-The `installManPage` function takes one or more paths to manpages to install.
-
-The manpages must have a section suffix, and may optionally be compressed (with
-`.gz` suffix). This function will place them into the correct
-`share/man/man<section>/` directory in [`outputMan`](#outputman).
-
-### Example Usage {#installshellfiles-installmanpage-exampleusage}
-
-```nix
-{
-  nativeBuildInputs = [ installShellFiles ];
-
-  # Sometimes the manpage file has an undersirable name; e.g. it conflicts with
-  # another software with an equal name. It should be renamed before being
-  # installed via installManPage
-  postInstall = ''
-    mv fromsea.3 delmar.3
-    installManPage foobar.1 delmar.3
-  '';
-}
-```
-
-## `installShellCompletion` {#installshellfiles-installshellcompletion}
-
-The `installShellCompletion` function takes one or more paths to shell
-completion files.
-
-By default it will autodetect the shell type from the completion file extension,
-but you may also specify it by passing one of `--bash`, `--fish`, or
-`--zsh`. These flags apply to all paths listed after them (up until another
-shell flag is given). Each path may also have a custom installation name
-provided by providing a flag `--name NAME` before the path. If this flag is not
-provided, zsh completions will be renamed automatically such that `foobar.zsh`
-becomes `_foobar`. A root name may be provided for all paths using the flag
-`--cmd NAME`; this synthesizes the appropriate name depending on the shell
-(e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for
-zsh).
-
-### Example Usage {#installshellfiles-installshellcompletion-exampleusage}
+The `installShellCompletion` function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of `--bash`, `--fish`, or `--zsh`. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag `--name NAME` before the path. If this flag is not provided, zsh completions will be renamed automatically such that `foobar.zsh` becomes `_foobar`. A root name may be provided for all paths using the flag `--cmd NAME`; this synthesizes the appropriate name depending on the shell (e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for zsh).
 
 ```nix
 {
   nativeBuildInputs = [ installShellFiles ];
   postInstall = ''
+    installManPage doc/foobar.1 doc/barfoo.3
     # explicit behavior
     installShellCompletion --bash --name foobar.bash share/completions.bash
     installShellCompletion --fish --name foobar.fish share/completions.fish
@@ -84,17 +21,9 @@ zsh).
 }
 ```
 
-The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which
-case the shell and name must be provided (see below).
+The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which case the shell and name must be provided (see below).
 
-If the destination shell completion file is not actually present or consists of
-zero bytes after calling `installShellCompletion` this is treated as a build
-failure. In particular, if completion files are not vendored but are generated
-by running an executable, this is likely to fail in cross compilation
-scenarios. The result will be a zero byte completion file and hence a build
-failure. To prevent this, guard the completion generation commands.
-
-### Example Usage {#installshellfiles-installshellcompletion-exampleusage-guarded}
+If the destination shell completion file is not actually present or consists of zero bytes after calling `installShellCompletion` this is treated as a build failure. In particular, if completion files are not vendored but are generated by running an executable, this is likely to fail in cross compilation scenarios. The result will be a zero byte completion file and hence a build failure. To prevent this, guard the completion commands against this, e.g.
 
 ```nix
 {

doc/hooks/just.section.md

@@ -1,23 +0,0 @@
-# `just` {#just-hook}
-
-This setup hook attempts to use [the `just` command runner](https://just.systems/man/en/) to build, check, and install the package. The hook overrides `buildPhase`, `checkPhase`, and `installPhase` by default.
-
-[]{#just-hook-justFlags} The `justFlags` variable can be set to a list of strings to add additional flags passed to all invocations of `just`.
-
-## `buildPhase` {#just-hook-buildPhase}
-
-This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/the-default-recipe.html).
-
-[]{#just-hook-dontUseJustBuild} This behavior can be disabled by setting `dontUseJustBuild` to `true`.
-
-## `checkPhase` {#just-hook-checkPhase}
-
-This phase attempts to invoke the `just test` recipe, if it is available. This can be overrided by setting `checkTarget` to a string.
-
-[]{#just-hook-dontUseJustCheck} This behavior can be disabled by setting `dontUseJustCheck` to `true`.
-
-## `installPhase` {#just-hook-installPhase}
-
-This phase attempts to invoke the `just install` recipe.
-
-[]{#just-hook-dontUseJustInstall} This behavior can be disabled by setting `dontUseJustInstall` to `true`.

doc/hooks/meson.section.md

@@ -18,16 +18,6 @@ setup hook registering ninja-based build and install phases.
 
 Controls the flags passed to `meson setup` during configure phase.
 
-#### `mesonBuildDir` {#meson-build-dir}
-
-Directory where Meson will put intermediate files.
-
-Setting this can be useful for debugging multiple Meson builds while in the same source directory, for example, when building for different platforms.
-Different values for each build will prevent build artefacts from interefering with each other.
-This setting has no tangible effect when running the build in a sandboxed derivation.
-
-The default value is `build`.
-
 #### `mesonWrapMode` {#meson-wrap-mode}
 
 Which value is passed as

doc/hooks/premake.section.md

@@ -1,7 +0,0 @@
-# Premake {#premake-hook}
-
-This setup hook attempts to configure the package using [the Premake build configuration system](https://premake.github.io/). It overrides the `configurePhase` by default, if none exists.
-
-[]{#premake-hook-premakefile} The Premakefile to use can be specified by setting `premakefile` in the derivation.
-
-[]{#premake-hook-premakeFlagsArray} The flags passed to Premake can be configured by adding strings to the `premakeFlags` list.

doc/hooks/tauri.section.md

@@ -1,108 +0,0 @@
-# cargo-tauri.hook {#tauri-hook}
-
-[Tauri](https://tauri.app/) is a framework for building smaller, faster, and
-more secure desktop applications with a web frontend.
-
-In Nixpkgs, `cargo-tauri.hook` overrides the default build and install phases.
-
-## Example code snippet {#tauri-hook-example-code-snippet}
-
-```nix
-{
-  lib,
-  stdenv,
-  rustPlatform,
-  fetchNpmDeps,
-  cargo-tauri,
-  darwin,
-  glib-networking,
-  libsoup,
-  nodejs,
-  npmHooks,
-  openssl,
-  pkg-config,
-  webkitgtk_4_0,
-  wrapGAppsHook3,
-}:
-
-rustPlatform.buildRustPackage rec {
-  # . . .
-
-  cargoHash = "...";
-
-  # Assuming our app's frontend uses `npm` as a package manager
-  npmDeps = fetchNpmDeps {
-    name = "${pname}-npm-deps-${version}";
-    inherit src;
-    hash = "...";
-  };
-
-  nativeBuildInputs = [
-    # Pull in our main hook
-    cargo-tauri.hook
-
-    # Setup npm
-    nodejs
-    npmHooks.npmConfigHook
-
-    # Make sure we can find our libraries
-    pkg-config
-    wrapGAppsHook3
-  ];
-
-  buildInputs =
-    [ openssl ]
-    ++ lib.optionals stdenv.hostPlatform.isLinux [
-      glib-networking # Most Tauri apps need networking
-      libsoup
-      webkitgtk_4_0
-    ]
-    ++ lib.optionals stdenv.hostPlatform.isDarwin (
-      with darwin.apple_sdk.frameworks;
-      [
-        AppKit
-        CoreServices
-        Security
-        WebKit
-      ]
-    );
-
-  # Set our Tauri source directory
-  cargoRoot = "src-tauri";
-  # And make sure we build there too
-  buildAndTestSubdir = cargoRoot;
-
-  # . . .
-}
-```
-
-## Variables controlling cargo-tauri {#tauri-hook-variables-controlling}
-
-### Tauri Exclusive Variables {#tauri-hook-exclusive-variables}
-
-#### `tauriBuildFlags` {#tauri-build-flags}
-
-Controls the flags passed to `cargo tauri build`.
-
-#### `tauriBundleType` {#tauri-bundle-type}
-
-The [bundle type](https://tauri.app/v1/guides/building/) to build.
-
-#### `dontTauriBuild` {#dont-tauri-build}
-
-Disables using `tauriBuildHook`.
-
-#### `dontTauriInstall` {#dont-tauri-install}
-
-Disables using `tauriInstallPostBuildHook` and `tauriInstallHook`.
-
-### Honored Variables {#tauri-hook-honored-variables}
-
-Along with those found in [](#compiling-rust-applications-with-cargo), the
-following variables used by `cargoBuildHook` and `cargoInstallHook` are honored
-by the cargo-tauri setup hook.
-
-- `buildAndTestSubdir`
-- `cargoBuildType`
-- `cargoBuildNoDefaultFeatures`
-- `cargoBuildFeatures`

doc/hooks/versionCheckHook.section.md

@@ -28,7 +28,7 @@ It does so in a clean environment (using `env --ignore-environment`), and it che
 
 The variables that this phase control are:
 
-- `dontVersionCheck`: Disable adding this hook to the [`preInstallCheckHooks`](#ssec-installCheck-phase). Useful if you do want to load the bash functions of the hook, but run them differently.
+- `dontVersionCheck`: Disable adding this hook to the [`preDistPhases`](#var-stdenv-preDist). Useful if you do want to load the bash functions of the hook, but run them differently.
 - `versionCheckProgram`: The full path to the program that should print the `${version}` string. Defaults roughly to `${placeholder "out"}/bin/${pname}`. Using `$out` in the value of this variable won't work, as environment variables from this variable are not expanded by the hook. Hence using `placeholder` is unavoidable.
 - `versionCheckProgramArg`: The argument that needs to be passed to `versionCheckProgram`. If undefined the hook tries first `--help` and then `--version`. Examples: `version`, `-V`, `-v`.
 - `preVersionCheck`: A hook to run before the check is done.

doc/hooks/xfce4-dev-tools.section.md

@@ -1,5 +0,0 @@
-# `xfce.xfce4-dev-tools` {#xfce4-dev-tools}
-
-This setup hook attempts to run `xdt-autogen` in `xdtAutogenPhase`, which is part of `preConfigurePhases`.
-
-[]{#dontUseXdtAutogenPhase} This behavior can be disabled by setting `dontUseXdtAutogenPhase` to `true`.

doc/languages-frameworks/beam.section.md

@@ -349,8 +349,8 @@ let
     nodePackages.prettier
   ];
 
-  inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ]
-    ++ lib.optionals stdenv.hostPlatform.isDarwin
+  inputs = basePackages ++ lib.optionals stdenv.isLinux [ inotify-tools ]
+    ++ lib.optionals stdenv.isDarwin
     (with darwin.apple_sdk.frameworks; [ CoreFoundation CoreServices ]);
 
   # define shell startup command

doc/languages-frameworks/bower.section.md

@@ -4,7 +4,7 @@
 
 The end result of running Bower is a `bower_components` directory which can be included in the web app's build process.
 
-Bower can be run interactively, by installing `nodePackages.bower`. More interestingly, the Bower components can be declared in a Nix derivation, with the help of `bower2nix`.
+Bower can be run interactively, by installing `nodePackages.bower`. More interestingly, the Bower components can be declared in a Nix derivation, with the help of `nodePackages.bower2nix`.
 
 ## bower2nix usage {#ssec-bower2nix-usage}
 

doc/languages-frameworks/coq.section.md

@@ -23,13 +23,12 @@ The recommended way of defining a derivation for a Coq library, is to use the `c
   * if it is a string of the form `owner:branch` then it tries to download the `branch` of owner `owner` for a project of the same name using the same vcs, and the `version` attribute of the resulting derivation is set to `"dev"`, additionally if the owner is not provided (i.e. if the `owner:` prefix is missing), it defaults to the original owner of the package (see below),
   * if it is a string of the form `"#N"`, and the domain is github, then it tries to download the current head of the pull request `#N` from github,
 * `defaultVersion` (optional). Coq libraries may be compatible with some specific versions of Coq only. The `defaultVersion` attribute is used when no `version` is provided (or if `version = null`) to select the version of the library to use by default, depending on the context. This selection will mainly depend on a `coq` version number but also possibly on other packages versions (e.g. `mathcomp`). If its value ends up to be `null`, the package is marked for removal in end-user `coqPackages` attribute set.
-* `release` (optional, defaults to `{}`), lists all the known releases of the library and for each of them provides an attribute set with at least a `hash` attribute (you may put the empty string `""` in order to automatically insert a fake hash, this will trigger an error which will allow you to find the correct hash), each attribute set of the list of releases also takes optional overloading arguments for the fetcher as below (i.e.`domain`, `owner`, `repo`, `rev`, `artifact` assuming the default fetcher is used) and optional overrides for the result of the fetcher (i.e. `version` and `src`).
+* `release` (optional, defaults to `{}`), lists all the known releases of the library and for each of them provides an attribute set with at least a `sha256` attribute (you may put the empty string `""` in order to automatically insert a fake sha256, this will trigger an error which will allow you to find the correct sha256), each attribute set of the list of releases also takes optional overloading arguments for the fetcher as below (i.e.`domain`, `owner`, `repo`, `rev` assuming the default fetcher is used) and optional overrides for the result of the fetcher (i.e. `version` and `src`).
 * `fetcher` (optional, defaults to a generic fetching mechanism supporting github or gitlab based infrastructures), is a function that takes at least an `owner`, a `repo`, a `rev`, and a `hash` and returns an attribute set with a `version` and `src`.
 * `repo` (optional, defaults to the value of `pname`),
 * `owner` (optional, defaults to `"coq-community"`).
 * `domain` (optional, defaults to `"github.com"`), domains including the strings `"github"` or `"gitlab"` in their names are automatically supported, otherwise, one must change the `fetcher` argument to support them (cf `pkgs/development/coq-modules/heq/default.nix` for an example),
 * `releaseRev` (optional, defaults to `(v: v)`), provides a default mapping from release names to revision hashes/branch names/tags,
-* `releaseArtifact` (optional, defaults to `(v: null)`), provides a default mapping from release names to artifact names (only works for github artifact for now),
 * `displayVersion` (optional), provides a way to alter the computation of `name` from `pname`, by explaining how to display version numbers,
 * `namePrefix` (optional, defaults to `[ "coq" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
 * `nativeBuildInputs` (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely `which`, `dune` and `ocaml` depending on whether `useDune`, `useDuneifVersion` and `mlPlugin` are set).
@@ -70,15 +69,15 @@ mkCoqDerivation {
       { cases = [ (isEq "8.6")         (range "1.6" "1.7") ];  out = "1.1"; }
     ] null;
   release = {
-    "1.5.2".hash = "sha256-mjCx9XKa38Nz9E6wNK7YSqHdJ7YTua5fD3d6J4e7WpU=";
-    "1.5.1".hash = "sha256-Q8tm0y2FQAt2V1kZYkDlHWRia/lTvXAMVjdmzEV11I4=";
-    "1.5.0".hash = "sha256-HIK0f21G69oEW8JG46gSBde/Q2LR3GiBCv680gHbmRg=";
-    "1.5.0".rev  = "1.5";
-    "1.4".hash   = "sha256-F9g3MSIr3B6UZ3p8QWjz3/Jpw9sudJ+KRlvjiHSO024=";
-    "1.3".hash   = "sha256-BPJTlAL0ETHvLMBslE0KFVt3DNoaGuMrHt2SBGyJe1A=";
-    "1.2".hash   = "sha256-mHXBXSLYO4BN+jfN50y/+XCx0Qq5g4Ac2Y/qlsbgAdY=";
-    "1.1".hash   = "sha256-ejAsMQbB/LtU9j+g160VdGXULrCe9s0gBWzyhKqmCuE=";
-    "1.0".hash   = "sha256-tZTOltEBBKWciDxDMs/Ye4Jnq/33CANrHJ4FBMPtq+I=";
+    "1.5.2".sha256 = "15aspf3jfykp1xgsxf8knqkxv8aav2p39c2fyirw7pwsfbsv2c4s";
+    "1.5.1".sha256 = "13nlfm2wqripaq671gakz5mn4r0xwm0646araxv0nh455p9ndjs3";
+    "1.5.0".sha256 = "064rvc0x5g7y1a0nip6ic91vzmq52alf6in2bc2dmss6dmzv90hw";
+    "1.5.0".rev    = "1.5";
+    "1.4".sha256   = "0vnkirs8iqsv8s59yx1fvg1nkwnzydl42z3scya1xp1b48qkgn0p";
+    "1.3".sha256   = "0l3vi5n094nx3qmy66hsv867fnqm196r8v605kpk24gl0aa57wh4";
+    "1.2".sha256   = "1mh1w339dslgv4f810xr1b8v2w7rpx6fgk9pz96q0fyq49fw2xcq";
+    "1.1".sha256   = "1q8alsm89wkc0lhcvxlyn0pd8rbl2nnxg81zyrabpz610qqjqc3s";
+    "1.0".sha256   = "1qmbxp1h81cy3imh627pznmng0kvv37k4hrwi2faa101s6bcx55m";
   };
 
   propagatedBuildInputs =
@@ -127,7 +126,7 @@ For example, here is how you could locally add a new release of the `multinomial
 coqPackages.lib.overrideCoqDerivation
   {
     defaultVersion = "2.0";
-    release."2.0".hash = "sha256-czoP11rtrIM7+OLdMisv2EF7n/IbGuwFxHiPtg3qCNM=";
+    release."2.0".sha256 = "1lq8x86vd3vqqh2yq6hvyagpnhfq5wmk5pg2z0xq7b7dbbbhyfkk";
   }
   coqPackages.multinomials
 ```

doc/languages-frameworks/cuda.section.md

@@ -149,104 +149,3 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
 | Find libraries | `buildPhase` or `patchelf` | Missing dependency on a `lib` or `static` output | Add the missing dependency | The `lib` or `static` output typically contain the libraries |
 
 In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
-
-## Running Docker or Podman containers with CUDA support {#cuda-docker-podman}
-
-It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html).
-
-The NVIDIA Container Toolkit can be enabled in NixOS like follows:
-
-```nix
-{
-  hardware.nvidia-container-toolkit.enable = true;
-}
-```
-
-This will automatically enable a service that generates a CDI specification (located at `/var/run/cdi/nvidia-container-toolkit.json`) based on the auto-detected hardware of your machine. You can check this service by running:
-
-```ShellSession
-$ systemctl status nvidia-container-toolkit-cdi-generator.service
-```
-
-::: {.note}
-Depending on what settings you had already enabled in your system, you might need to restart your machine in order for the NVIDIA Container Toolkit to generate a valid CDI specification for your machine.
-:::
-
-Once that a valid CDI specification has been generated for your machine on boot time, both Podman and Docker (> 25) will use this spec if you provide them with the `--device` flag:
-
-```ShellSession
-$ podman run --rm -it --device=nvidia.com/gpu=all ubuntu:latest nvidia-smi -L
-GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
-GPU 1: NVIDIA GeForce RTX 2080 SUPER (UUID: <REDACTED>)
-```
-
-```ShellSession
-$ docker run --rm -it --device=nvidia.com/gpu=all ubuntu:latest nvidia-smi -L
-GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
-GPU 1: NVIDIA GeForce RTX 2080 SUPER (UUID: <REDACTED>)
-```
-
-You can check all the identifiers that have been generated for your auto-detected hardware by checking the contents of the `/var/run/cdi/nvidia-container-toolkit.json` file:
-
-```ShellSession
-$ nix run nixpkgs#jq -- -r '.devices[].name' < /var/run/cdi/nvidia-container-toolkit.json
-0
-1
-all
-```
-
-### Specifying what devices to expose to the container {#specifying-what-devices-to-expose-to-the-container}
-
-You can choose what devices are exposed to your containers by using the identifier on the generated CDI specification. Like follows:
-
-```ShellSession
-$ podman run --rm -it --device=nvidia.com/gpu=0 ubuntu:latest nvidia-smi -L
-GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
-```
-
-You can repeat the `--device` argument as many times as necessary if you have multiple GPU's and you want to pick up which ones to expose to the container:
-
-```ShellSession
-$ podman run --rm -it --device=nvidia.com/gpu=0 --device=nvidia.com/gpu=1 ubuntu:latest nvidia-smi -L
-GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
-GPU 1: NVIDIA GeForce RTX 2080 SUPER (UUID: <REDACTED>)
-```
-
-::: {.note}
-By default, the NVIDIA Container Toolkit will use the GPU index to identify specific devices. You can change the way to identify what devices to expose by using the `hardware.nvidia-container-toolkit.device-name-strategy` NixOS attribute.
-:::
-
-### Using docker-compose {#using-docker-compose}
-
-It's possible to expose GPU's to a `docker-compose` environment as well. With a `docker-compose.yaml` file like follows:
-
-```yaml
-services:
-  some-service:
-    image: ubuntu:latest
-    command: sleep infinity
-    deploy:
-      resources:
-        reservations:
-          devices:
-          - driver: cdi
-            device_ids:
-            - nvidia.com/gpu=all
-```
-
-In the same manner, you can pick specific devices that will be exposed to the container:
-
-```yaml
-services:
-  some-service:
-    image: ubuntu:latest
-    command: sleep infinity
-    deploy:
-      resources:
-        reservations:
-          devices:
-          - driver: cdi
-            device_ids:
-            - nvidia.com/gpu=0
-            - nvidia.com/gpu=1
-```

doc/languages-frameworks/dotnet.section.md

@@ -93,18 +93,18 @@ The `dotnetCorePackages.sdk` contains both a runtime and the full sdk of a given
 To package Dotnet applications, you can use `buildDotnetModule`. This has similar arguments to `stdenv.mkDerivation`, with the following additions:
 
 * `projectFile` is used for specifying the dotnet project file, relative to the source root. These have `.sln` (entire solution) or `.csproj` (single project) file extensions. This can be a list of multiple projects as well. When omitted, will attempt to find and build the solution (`.sln`). If running into problems, make sure to set it to a file (or a list of files) with the `.csproj` extension - building applications as entire solutions is not fully supported by the .NET CLI.
-* `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. For compatibility, if the argument is a list of derivations, they will be added to `buildInputs`.
+* `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. If the argument is a derivation, it will be used directly and assume it has the same output as `mkNugetDeps`.
 ::: {.note}
 For more detail about managing the `deps.nix` file, see [Generating and updating NuGet dependencies](#generating-and-updating-nuget-dependencies)
 :::
 
-* `packNupkg` is used to pack project as a `nupkg`, and installs it to `$out/share`. If set to `true`, the derivation can be used as a dependency for another dotnet project by adding it to `buildInputs`.
-* `buildInputs` can be used to resolve `ProjectReference` project items. Referenced projects can be packed with `buildDotnetModule` by setting the `packNupkg = true` attribute and passing a list of derivations to `buildInputs`. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as `PackageReference` as well.
+* `packNupkg` is used to pack project as a `nupkg`, and installs it to `$out/share`. If set to `true`, the derivation can be used as a dependency for another dotnet project by adding it to `projectReferences`.
+* `projectReferences` can be used to resolve `ProjectReference` project items. Referenced projects can be packed with `buildDotnetModule` by setting the `packNupkg = true` attribute and passing a list of derivations to `projectReferences`. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as `PackageReference` as well.
  For example, your project has a local dependency:
  ```xml
      <ProjectReference Include="../foo/bar.fsproj" />
  ```
- To enable discovery through `buildInputs` you would need to add:
+ To enable discovery through `projectReferences` you would need to add:
  ```xml
      <ProjectReference Include="../foo/bar.fsproj" />
      <PackageReference Include="bar" Version="*" Condition=" '$(ContinuousIntegrationBuild)'=='true' "/>
@@ -118,7 +118,6 @@ For more detail about managing the `deps.nix` file, see [Generating and updating
 * `dotnet-sdk` is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of `dotnetSdkPackages.combinePackages`, if the project uses multiple SDKs to build.
 * `dotnet-runtime` is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore.
 * `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed.
-* `testFilters` is used to disable running unit tests based on various [filters](https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-test#filter-option-details). This gets passed as: `dotnet test --filter "{}"`, with each filter being concatenated using `"&"`.
 * `disabledTests` is used to disable running specific unit tests. This gets passed as: `dotnet test --filter "FullyQualifiedName!={}"`, to ensure compatibility with all unit test frameworks.
 * `dotnetRestoreFlags` can be used to pass flags to `dotnet restore`.
 * `dotnetBuildFlags` can be used to pass flags to `dotnet build`.
@@ -144,7 +143,7 @@ in buildDotnetModule rec {
   projectFile = "src/project.sln";
   nugetDeps = ./deps.nix; # see "Generating and updating NuGet dependencies" section for details
 
-  buildInputs = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.
+  projectReferences = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.
 
   dotnet-sdk = dotnetCorePackages.sdk_6_0;
   dotnet-runtime = dotnetCorePackages.runtime_6_0;
@@ -219,7 +218,7 @@ buildDotnetGlobalTool {
 ## Generating and updating NuGet dependencies {#generating-and-updating-nuget-dependencies}
 
 When writing a new expression, you can use the generated `fetch-deps` script to initialise the lockfile.
-After setting `nugetDeps` to the desired location of the lockfile (e.g. `./deps.nix`),
+After creating a blank `deps.nix` and pointing `nugetDeps` to it,
 build the script with `nix-build -A package.fetch-deps` and then run the result.
 (When the root attr is your package, it's simply `nix-build -A fetch-deps`.)
 

doc/languages-frameworks/emscripten.section.md

@@ -84,7 +84,7 @@ One advantage is that when `pkgs.zlib` is updated, it will automatically update
     echo "================= /testing zlib using node ================="
   '';
 
-  postPatch = pkgs.lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
+  postPatch = pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
     substituteInPlace configure \
       --replace-fail '/usr/bin/libtool' 'ar' \
       --replace-fail 'AR="libtool"' 'AR="ar"' \

doc/languages-frameworks/gnome.section.md

@@ -64,7 +64,7 @@ To avoid costly file system access when locating icons, GTK, [as well as Qt](htt
 
 ### Packaging icon themes {#ssec-icon-theme-packaging}
 
-Icon themes may inherit from other icon themes. The inheritance is specified using the `Inherits` key in the `index.theme` file distributed with the icon theme. According to the [icon theme specification](https://specifications.freedesktop.org/icon-theme-spec/latest), icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.
+Icon themes may inherit from other icon themes. The inheritance is specified using the `Inherits` key in the `index.theme` file distributed with the icon theme. According to the [icon theme specification](https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html), icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.
 
 The package `hicolor-icon-theme` provides a setup hook which makes symbolic links for the parent themes into the directory `share/icons` of the current theme directory in the nix store, making sure they can be found at runtime. For that to work the packages providing parent icon themes should be listed as propagated build dependencies, together with `hicolor-icon-theme`.
 
@@ -155,11 +155,9 @@ There are no schemas available in `XDG_DATA_DIRS`. Temporarily add a random pack
 
 Package is missing some GSettings schemas. You can find out the package containing the schema with `nix-locate org.gnome.foo.gschema.xml` and let the hooks handle the wrapping as [above](#ssec-gnome-common-issues-no-schemas).
 
-### When using `wrapGApps*` hook with special derivers or hooks you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
+### When using `wrapGApps*` hook with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
 
-This is because some setup hooks like `qt6.wrapQtAppsHook` also wrap programs using `makeWrapper`.  Likewise, some derivers (e.g. `python.pkgs.buildPythonApplication`) automatically pull in their own setup hooks that produce wrappers.
-
-The simplest workaround is to disable the `wrapGApps*` hook's automatic wrapping using `dontWrapGApps = true;` while passing its `makeWrapper` arguments to another wrapper.
+This is because derivers like `python.pkgs.buildPythonApplication` or `qt5.mkDerivation` have setup-hooks automatically added that produce wrappers with makeWrapper. The simplest way to workaround that is to disable the `wrapGApps*` hook automatic wrapping with `dontWrapGApps = true;` and pass the arguments it intended to pass to makeWrapper to another.
 
 In the case of a Python application it could look like:
 
@@ -186,19 +184,19 @@ python3.pkgs.buildPythonApplication {
 And for a QT app like:
 
 ```nix
-stdenv.mkDerivation {
+mkDerivation {
   pname = "calibre";
   version = "3.47.0";
 
   nativeBuildInputs = [
     wrapGAppsHook3
-    qt6.wrapQtAppsHook
     qmake
     # ...
   ];
 
   dontWrapGApps = true;
 
+  # Arguments to be passed to `makeWrapper`, only used by qt5’s mkDerivation
   preFixup = ''
     qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
   '';

doc/languages-frameworks/go.section.md

@@ -62,65 +62,6 @@ The following is an example expression using `buildGoModule`:
 }
 ```
 
-### Obtaining and overriding `vendorHash` for `buildGoModule` {#buildGoModule-vendorHash}
-
-We can use `nix-prefetch` to obtain the actual hash. The following command gets the value of `vendorHash` for package `pet`:
-
-```sh
-cd path/to/nixpkgs
-nix-prefetch -E "{ sha256 }: ((import ./. { }).my-package.overrideAttrs { vendorHash = sha256; }).goModules"
-```
-
-To obtain the hash without external tools, set `vendorHash = lib.fakeHash;` and run the build. ([more details here](#sec-source-hashes)).
-
-`vendorHash` can be overridden with `overrideAttrs`. Override the above example like this:
-
-```nix
-{
-  pet_0_4_0 = pet.overrideAttrs (
-    finalAttrs: previousAttrs: {
-      version = "0.4.0";
-      src = fetchFromGitHub {
-        inherit (previousAttrs.src) owner repo;
-        rev = "v${finalAttrs.version}";
-        hash = "sha256-gVTpzmXekQxGMucDKskGi+e+34nJwwsXwvQTjRO6Gdg=";
-      };
-      vendorHash = "sha256-dUvp7FEW09V0xMuhewPGw3TuAic/sD7xyXEYviZ2Ivs=";
-    }
-  );
-}
-```
-
-### Overriding `goModules` {#buildGoModule-goModules-override}
-
-Overriding `<pkg>.goModules` by calling `goModules.overrideAttrs` is unsupported. Still, it is possible to override the `vendorHash` (`goModules`'s `outputHash`) and the `pre`/`post` hooks for both the build and patch phases of the primary and `goModules` derivation. Alternatively, the primary derivation provides an overridable `passthru.overrideModAttrs` function to store the attribute overlay implicitly taken by `goModules.overrideAttrs`. Here's an example usage of `overrideModAttrs`:
-
-```nix
-{
-  pet-overridden = pet.overrideAttrs (
-    finalAttrs: previousAttrs: {
-      passthru = previousAttrs.passthru // {
-        # If the original package has an `overrideModAttrs` attribute set, you'd
-        # want to extend it, and not replace it. Hence we use
-        # `lib.composeExtensions`. If you are sure the `overrideModAttrs` of the
-        # original package trivially does nothing, you can safely replace it
-        # with your own by not using `lib.composeExtensions`.
-        overrideModAttrs = lib.composeExtensions previousAttrs.passthru.overrideModAttrs (
-          finalModAttrs: previousModAttrs: {
-            # goModules-specific overriding goes here
-            postBuild = ''
-              # Here you have access to the `vendor` directory.
-              substituteInPlace vendor/github.com/example/repo/file.go \
-                --replace-fail "panic(err)" ""
-            '';
-          }
-        );
-      };
-    }
-  );
-}
-```
-
 ## `buildGoPackage` (legacy) {#ssec-go-legacy}
 
 The function `buildGoPackage` builds legacy Go programs, not supporting Go modules.

doc/languages-frameworks/haskell.section.md

@@ -57,8 +57,8 @@ Available compilers are collected under `haskell.compiler`.
 Each of those compiler versions has a corresponding attribute set `packages` built with
 it. However, the non-standard package sets are not tested regularly and, as a
 result, contain fewer working packages. The corresponding package set for GHC
-9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` (at the time of writing) is just an alias
-for `haskell.packages.ghc966`:
+9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` is just an alias
+for `haskell.packages.ghc964`:
 
 Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`.
 
@@ -191,10 +191,6 @@ and `version` from Hackage.
 `sha256`
 : Hash to use for the default case of `src`.
 
-`sourceRoot`, `setSourceRoot`
-: Passed to `stdenv.mkDerivation`; see [“Variables controlling the unpack
-phase”](#variables-controlling-the-unpack-phase).
-
 `revision`
 : Revision number of the updated cabal file to fetch from Hackage.
 If `null` (which is the default value), the one included in `src` is used.
@@ -764,7 +760,7 @@ that depend on that library, you may want to use:
 
 ```nix
 haskellPackages.haskell-ci.overrideScope (self: super: {
-  Cabal = self.Cabal_3_14_0_0;
+  Cabal = self.Cabal_3_6_2_0;
 })
 ```
 
@@ -1080,9 +1076,6 @@ benchmark component.
 `disableLibraryProfiling drv`
 : Sets the `enableLibraryProfiling` argument to `false` for `drv`.
 
-`disableParallelBuilding drv`
-: Sets the `enableParallelBuilding` argument to `false` for `drv`.
-
 #### Library functions in the Haskell package sets {#haskell-package-set-lib-functions}
 
 Some library functions depend on packages from the Haskell package sets. Thus they are

doc/languages-frameworks/index.md

@@ -67,7 +67,6 @@ dotnet.section.md
 emscripten.section.md
 gnome.section.md
 go.section.md
-gradle.section.md
 hare.section.md
 haskell.section.md
 hy.section.md
@@ -93,7 +92,6 @@ ruby.section.md
 rust.section.md
 scheme.section.md
 swift.section.md
-tcl.section.md
 texlive.section.md
 titanium.section.md
 vim.section.md

doc/languages-frameworks/java.section.md

@@ -33,7 +33,8 @@ stdenv.mkDerivation {
 ```
 
 Note that `jdk` is an alias for the OpenJDK (self-built where available,
-or pre-built via Zulu).
+or pre-built via Zulu). Platforms with OpenJDK not (yet) in Nixpkgs
+(`Aarch32`, `Aarch64`) point to the (unfree) `oraclejdk`.
 
 Also note that not using `stripJavaArchivesHook` will likely cause the
 generated `.jar` files to be non-deterministic, which is not optimal.

doc/languages-frameworks/javascript.section.md

@@ -258,39 +258,26 @@ It returns a derivation with all `package-lock.json` dependencies downloaded int
 
 #### importNpmLock {#javascript-buildNpmPackage-importNpmLock}
 
-This function replaces the npm dependency references in `package.json` and `package-lock.json` with paths to the Nix store.
-How each dependency is fetched can be customized with the `fetcherOpts` argument.
+`importNpmLock` is a Nix function that requires the following optional arguments:
 
-This is a simpler and more convenient alternative to [`fetchNpmDeps`](#javascript-buildNpmPackage-fetchNpmDeps) for managing npm dependencies in Nixpkgs.
-There is no need to specify a `hash`, since it relies entirely on the integrity hashes already present in the `package-lock.json` file.
-
-##### Inputs {#javascript-buildNpmPackage-inputs}
-
-- `npmRoot`: Path to package directory containing the source tree.
-  If this is omitted, the `package` and `packageLock` arguments must be specified instead.
+- `npmRoot`: Path to package directory containing the source tree
 - `package`: Parsed contents of `package.json`
 - `packageLock`: Parsed contents of `package-lock.json`
 - `pname`: Package name
 - `version`: Package version
-- `fetcherOpts`: An attribute set of arguments forwarded to the underlying fetcher.
 
 It returns a derivation with a patched `package.json` & `package-lock.json` with all dependencies resolved to Nix store paths.
 
-:::{.note}
-`npmHooks.npmConfigHook` cannot be used with `importNpmLock`.
-Use `importNpmLock.npmConfigHook` instead.
-:::
+This function is analogous to using `fetchNpmDeps`, but instead of specifying `hash` it uses metadata from `package.json` & `package-lock.json`.
 
-:::{.example}
+Note that `npmHooks.npmConfigHook` cannot be used with `importNpmLock`. You will instead need to use `importNpmLock.npmConfigHook`:
 
-##### `pkgs.importNpmLock` usage example {#javascript-buildNpmPackage-example}
 ```nix
 { buildNpmPackage, importNpmLock }:
 
 buildNpmPackage {
   pname = "hello";
   version = "0.1.0";
-  src = ./.;
 
   npmDeps = importNpmLock {
     npmRoot = ./.;
@@ -299,75 +286,6 @@ buildNpmPackage {
   npmConfigHook = importNpmLock.npmConfigHook;
 }
 ```
-:::
-
-:::{.example}
-##### `pkgs.importNpmLock` usage example with `fetcherOpts` {#javascript-buildNpmPackage-example-fetcherOpts}
-
-`importNpmLock` uses the following fetchers:
-
-- `pkgs.fetchurl` for `http(s)` dependencies
-- `builtins.fetchGit` for `git` dependencies
-
-It is possible to provide additional arguments to individual fetchers as needed:
-
-```nix
-{ buildNpmPackage, importNpmLock }:
-
-buildNpmPackage {
-  pname = "hello";
-  version = "0.1.0";
-  src = ./.;
-
-  npmDeps = importNpmLock {
-    npmRoot = ./.;
-    fetcherOpts = {
-      # Pass 'curlOptsList' to 'pkgs.fetchurl' while fetching 'axios'
-      { "node_modules/axios" = { curlOptsList = [ "--verbose" ]; }; }
-    };
-  };
-
-  npmConfigHook = importNpmLock.npmConfigHook;
-}
-```
-:::
-
-#### importNpmLock.buildNodeModules {#javascript-buildNpmPackage-importNpmLock.buildNodeModules}
-
-`importNpmLock.buildNodeModules` returns a derivation with a pre-built `node_modules` directory, as imported by `importNpmLock`.
-
-This is to be used together with `importNpmLock.hooks.linkNodeModulesHook` to facilitate `nix-shell`/`nix develop` based development workflows.
-
-It accepts an argument with the following attributes:
-
-`npmRoot` (Path; optional)
-: Path to package directory containing the source tree. If not specified, the `package` and `packageLock` arguments must both be specified.
-
-`package` (Attrset; optional)
-: Parsed contents of `package.json`, as returned by `lib.importJSON ./my-package.json`. If not specified, the `package.json` in `npmRoot` is used.
-
-`packageLock` (Attrset; optional)
-: Parsed contents of `package-lock.json`, as returned `lib.importJSON ./my-package-lock.json`. If not specified, the `package-lock.json` in `npmRoot` is used.
-
-`derivationArgs` (`mkDerivation` attrset; optional)
-: Arguments passed to `stdenv.mkDerivation`
-
-For example:
-
-```nix
-pkgs.mkShell {
-  packages = [
-    importNpmLock.hooks.linkNodeModulesHook
-    nodejs
-  ];
-
-  npmDeps = importNpmLock.buildNodeModules {
-    npmRoot = ./.;
-    inherit nodejs;
-  };
-}
-```
-will create a development shell where a `node_modules` directory is created & packages symlinked to the Nix store when activated.
 
 ### corepack {#javascript-corepack}
 
@@ -428,30 +346,11 @@ NOTE: It is highly recommended to use a pinned version of pnpm (i.e. `pnpm_8` or
 
 In case you are patching `package.json` or `pnpm-lock.yaml`, make sure to pass `finalAttrs.patches` to the function as well (i.e. `inherit (finalAttrs) patches`.
 
-`pnpm.configHook` supports adding additional `pnpm install` flags via `pnpmInstallFlags` which can be set to a Nix string array:
-
-```nix
-{
-  pnpm,
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  pname = "foo";
-  version = "0-unstable-1980-01-01";
-
-  src = ...;
-
-  pnpmInstallFlags = [ "--shamefully-hoist" ];
-
-  pnpmDeps = pnpm.fetchDeps {
-    inherit (finalAttrs) pnpmInstallFlags;
-  };
-})
-```
-
 #### Dealing with `sourceRoot` {#javascript-pnpm-sourceRoot}
 
-If the pnpm project is in a subdirectory, you can just define `sourceRoot` or `setSourceRoot` for `fetchDeps`.
+NOTE: Nixpkgs pnpm tooling doesn't support building projects with a `pnpm-workspace.yaml`, or building monorepos. It maybe possible to use `pnpm.fetchDeps` for these projects, but it may be hard or impossible to produce a binary from such projects ([an example attempt](https://github.com/NixOS/nixpkgs/pull/290715#issuecomment-2144543728)).
+
+If the pnpm project is in a subdirectory, you can just define `sourceRoot` or `setSourceRoot` for `fetchDeps`. Note, that projects using `pnpm-workspace.yaml` are currently not supported, and will probably not work using this approach.
 If `sourceRoot` is different between the parent derivation and `fetchDeps`, you will have to set `pnpmRoot` to effectively be the same location as it is in `fetchDeps`.
 
 Assuming the following directory structure, we can define `sourceRoot` and `pnpmRoot` as follows:
@@ -476,62 +375,12 @@ Assuming the following directory structure, we can define `sourceRoot` and `pnpm
   pnpmRoot = "frontend";
 ```
 
-#### PNPM Workspaces {#javascript-pnpm-workspaces}
-
-If you need to use a PNPM workspace for your project, then set `pnpmWorkspaces = [ "<workspace project name 1>" "<workspace project name 2>" ]`, etc, in your `pnpm.fetchDeps` call,
-which will make PNPM only install dependencies for those workspace packages.
-
-For example:
-
-```nix
-...
-pnpmWorkspaces = [ "@astrojs/language-server" ];
-pnpmDeps = pnpm.fetchDeps {
-  inherit (finalAttrs) pnpmWorkspaces;
-  ...
-}
-```
-
-The above would make `pnpm.fetchDeps` call only install dependencies for the `@astrojs/language-server` workspace package.
-Note that you do not need to set `sourceRoot` to make this work.
-
-Usually in such cases, you'd want to use `pnpm --filter=<pnpm workspace name> build` to build your project, as `npmHooks.npmBuildHook` probably won't work. A `buildPhase` based on the following example will probably fit most workspace projects:
-
-```nix
-buildPhase = ''
-  runHook preBuild
-
-  pnpm --filter=@astrojs/language-server build
-
-  runHook postBuild
-'';
-```
-
-#### Additional PNPM Commands and settings {#javascript-pnpm-extraCommands}
-
-If you require setting an additional PNPM configuration setting (such as `dedupe-peer-dependents` or similar),
-set `prePnpmInstall` to the right commands to run. For example:
-
-```nix
-prePnpmInstall = ''
-  pnpm config set dedupe-peer-dependants false
-'';
-pnpmDeps = pnpm.fetchDeps {
-  inherit (finalAttrs) prePnpmInstall;
-  ...
-};
-```
-
-In this example, `prePnpmInstall` will be run by both `pnpm.configHook` and by the `pnpm.fetchDeps` builder.
-
-
 ### Yarn {#javascript-yarn}
 
 Yarn based projects use a `yarn.lock` file instead of a `package-lock.json` to pin dependencies. Nixpkgs provides the Nix function `fetchYarnDeps` which fetches an offline cache suitable for running `yarn install` before building the project. In addition, Nixpkgs provides the hooks:
 
 - `yarnConfigHook`: Fetches the dependencies from the offline cache and installs them into `node_modules`.
 - `yarnBuildHook`: Runs `yarn build` or a specified `yarn` command that builds the project.
-- `yarnInstallHook`: Runs `yarn install --production` to prune dependencies and installs the project into `$out`.
 
 An example usage of the above attributes is:
 
@@ -543,8 +392,8 @@ An example usage of the above attributes is:
   fetchYarnDeps,
   yarnConfigHook,
   yarnBuildHook,
-  yarnInstallHook,
   nodejs,
+  npmHooks,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -560,15 +409,15 @@ stdenv.mkDerivation (finalAttrs: {
 
   yarnOfflineCache = fetchYarnDeps {
     yarnLock = finalAttrs.src + "/yarn.lock";
-    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+    hash = "sha256-mo8urQaWIHu33+r0Y7mL9mJ/aSe/5CihuIetTeDHEUQ=";
   };
 
   nativeBuildInputs = [
     yarnConfigHook
     yarnBuildHook
-    yarnInstallHook
     # Needed for executing package.json scripts
     nodejs
+    npmHooks.npmInstallHook
   ];
 
   meta = {
@@ -577,6 +426,8 @@ stdenv.mkDerivation (finalAttrs: {
 })
 ```
 
+Note that there is no setup hook for installing yarn based packages - `npmHooks.npmInstallHook` should fit most cases, but sometimes you may need to override the `installPhase` completely.
+
 #### `yarnConfigHook` arguments {#javascript-yarnconfighook}
 
 By default, `yarnConfigHook` relies upon the attribute `${yarnOfflineCache}` (or `${offlineCache}` if the former is not set) to find the location of the offline cache produced by `fetchYarnDeps`. To disable this phase, you can set `dontYarnInstallDeps = true` or override the `configurePhase`.
@@ -588,15 +439,9 @@ This script by default runs `yarn --offline build`, and it relies upon the proje
 - `yarnBuildScript`: Sets a different `yarn --offline` subcommand (defaults to `build`).
 - `yarnBuildFlags`: Single string list of additional flags to pass the above command, or a Nix list of such additional flags.
 
-#### `yarnInstallHook` arguments {#javascript-yarninstallhook}
-
-To install the package `yarnInstallHook` uses both `npm` and `yarn` to cleanup project files and dependencies. To disable this phase, you can set `dontYarnInstall = true` or override the `installPhase`. Below is a list of additional `mkDerivation` arguments read by this hook:
-
-- `yarnKeepDevDeps`: Disables the removal of devDependencies from `node_modules` before installation.
-
 ### yarn2nix {#javascript-yarn2nix}
 
-WARNING: The `yarn2nix` functions have been deprecated in favor of the new `yarnConfigHook`, `yarnBuildHook` and `yarnInstallHook`. Documentation for them still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
+WARNING: The `yarn2nix` functions have been deprecated in favor of the new `yarnConfigHook` and `yarnBuildHook`. Documentation for them still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
 
 #### Preparation {#javascript-yarn2nix-preparation}
 

doc/languages-frameworks/maven.section.md

@@ -219,10 +219,10 @@ stdenv.mkDerivation {
 
   # don't do any fixup
   dontFixup = true;
-  outputHashAlgo = null;
+  outputHashAlgo = "sha256";
   outputHashMode = "recursive";
   # replace this with the correct SHA256
-  outputHash = lib.fakeHash;
+  outputHash = lib.fakeSha256;
 }
 ```
 

doc/languages-frameworks/perl.section.md

@@ -125,8 +125,8 @@ On Darwin, if a script has too many `-Idir` flags in its first line (its “sheb
       hash = "sha256-vOhB/FwQMC8PPvdnjDvxRpU6jAZcC6GMQfc0AH4uwKg=";
     };
 
-    nativeBuildInputs = lib.optional stdenv.hostPlatform.isDarwin shortenPerlShebang;
-    postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    nativeBuildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;
+    postInstall = lib.optionalString stdenv.isDarwin ''
       shortenPerlShebang $out/bin/exiftool
     '';
   };

doc/languages-frameworks/python.section.md

@@ -55,20 +55,13 @@ sets are
 * `pkgs.python311Packages`
 * `pkgs.python312Packages`
 * `pkgs.python313Packages`
-* `pkgs.python314Packages`
-* `pkgs.pypy27Packages`
-* `pkgs.pypy39Packages`
-* `pkgs.pypy310Packages`
+* `pkgs.pypyPackages`
 
 and the aliases
 
 * `pkgs.python2Packages` pointing to `pkgs.python27Packages`
-* `pkgs.python3Packages` pointing to `pkgs.python312Packages`
+* `pkgs.python3Packages` pointing to `pkgs.python311Packages`
 * `pkgs.pythonPackages` pointing to `pkgs.python2Packages`
-* `pkgs.pypy2Packages` pointing to `pkgs.pypy27Packages`
-* `pkgs.pypy3Packages` pointing to `pkgs.pypy39Packages`
-* `pkgs.pypyPackages` pointing to `pkgs.pypy2Packages`
-
 
 #### `buildPythonPackage` function {#buildpythonpackage-function}
 
@@ -169,8 +162,7 @@ following are specific to `buildPythonPackage`:
 * `dontWrapPythonPrograms ? false`: Skip wrapping of Python programs.
 * `permitUserSite ? false`: Skip setting the `PYTHONNOUSERSITE` environment
   variable in wrapped programs.
-* `pyproject`: Whether the pyproject format should be used. As all other formats
-  are deprecated, you are recommended to set this to `true`. When you do so,
+* `pyproject`: Whether the pyproject format should be used. When set to `true`,
   `pypaBuildHook` will be used, and you can add the required build dependencies
   from `build-system.requires` to `build-system`. Note that the pyproject
   format falls back to using `setuptools`, so you can use `pyproject = true`
@@ -215,6 +207,9 @@ because their behaviour is different:
   paths included in this list. Items listed in `install_requires` go here.
 * `optional-dependencies ? { }`: Optional feature flagged dependencies.  Items listed in `extras_requires` go here.
 
+Aside from propagating dependencies,
+  `buildPythonPackage` also injects code into and wraps executables with the
+  paths included in this list. Items listed in `extras_requires` go here.
 
 ##### Overriding Python packages {#overriding-python-packages}
 
@@ -314,7 +309,13 @@ python3Packages.buildPythonApplication rec {
 }
 ```
 
-This is then added to `pkgs/by-name` just as any other application would be.
+This is then added to `all-packages.nix` just as any other application would be.
+
+```nix
+{
+  luigi = callPackage ../applications/networking/cluster/luigi { };
+}
+```
 
 Since the package is an application, a consumer doesn't need to care about
 Python versions or modules, which is why they don't go in `python3Packages`.
@@ -323,27 +324,25 @@ Python versions or modules, which is why they don't go in `python3Packages`.
 
 A distinction is made between applications and libraries, however, sometimes a
 package is used as both. In this case the package is added as a library to
-`python-packages.nix` and as an application to `pkgs/by-name`. To reduce
+`python-packages.nix` and as an application to `all-packages.nix`. To reduce
 duplication the `toPythonApplication` can be used to convert a library to an
 application.
 
 The Nix expression shall use [`buildPythonPackage`](#buildpythonpackage-function) and be called from
-`python-packages.nix`. A reference shall be created from `pkgs/by-name` to
+`python-packages.nix`. A reference shall be created from `all-packages.nix` to
 the attribute in `python-packages.nix`, and the `toPythonApplication` shall be
 applied to the reference:
 
 ```nix
 {
-  python3Packages,
-}:
-
-python3Packages.toPythonApplication python3Packages.youtube-dl
+  youtube-dl = with python3Packages; toPythonApplication youtube-dl;
+}
 ```
 
 #### `toPythonModule` function {#topythonmodule-function}
 
 In some cases, such as bindings, a package is created using
-[`stdenv.mkDerivation`](#sec-using-stdenv) and added as attribute in `pkgs/by-name` or in `all-packages.nix`. The Python
+[`stdenv.mkDerivation`](#sec-using-stdenv) and added as attribute in `all-packages.nix`. The Python
 bindings should be made available from `python-packages.nix`. The
 `toPythonModule` function takes a derivation and makes certain Python-specific
 modifications.
@@ -359,66 +358,6 @@ modifications.
 
 Do pay attention to passing in the right Python version!
 
-#### `mkPythonMetaPackage` function {#mkpythonmetapackage-function}
-
-This will create a meta package containing [metadata files](https://packaging.python.org/en/latest/specifications/recording-installed-packages/) to satisfy a dependency on a package, without it actually having been installed into the environment.
-In nixpkgs this is used to package Python packages with split binary/source distributions such as [psycopg2](https://pypi.org/project/psycopg2/)/[psycopg2-binary](https://pypi.org/project/psycopg2-binary/).
-
-```nix
-mkPythonMetaPackage {
-  pname = "psycopg2-binary";
-  inherit (psycopg2) optional-dependencies version;
-  dependencies = [ psycopg2 ];
-  meta = {
-    inherit (psycopg2.meta) description homepage;
-  };
-}
-```
-
-#### `mkPythonEditablePackage` function {#mkpythoneditablepackage-function}
-
-When developing Python packages it's common to install packages in [editable mode](https://setuptools.pypa.io/en/latest/userguide/development_mode.html).
-Like `mkPythonMetaPackage` this function exists to create an otherwise empty package, but also containing a pointer to an impure location outside the Nix store that can be changed without rebuilding.
-
-The editable root is passed as a string. Normally `.pth` files contains absolute paths to the mutable location. This isn't always ergonomic with Nix, so environment variables are expanded at runtime.
-This means that a shell hook setting up something like a `$REPO_ROOT` variable can be used as the relative package root.
-
-As an implementation detail, the [PEP-518](https://peps.python.org/pep-0518/) `build-system` specified won't be used, but instead the editable package will be built using [hatchling](https://pypi.org/project/hatchling/).
-The `build-system`'s provided will instead become runtime dependencies of the editable package.
-
-Note that overriding packages deeper in the dependency graph _can_ work, but it's not the primary use case and overriding existing packages can make others break in unexpected ways.
-
-``` nix
-{ pkgs ? import <nixpkgs> { } }:
-
-let
-  pyproject = pkgs.lib.importTOML ./pyproject.toml;
-
-  myPython = pkgs.python.override {
-    self = myPython;
-    packageOverrides = pyfinal: pyprev: {
-      # An editable package with a script that loads our mutable location
-      my-editable = pyfinal.mkPythonEditablePackage {
-        # Inherit project metadata from pyproject.toml
-        pname = pyproject.project.name;
-        inherit (pyproject.project) version;
-
-        # The editable root passed as a string
-        root = "$REPO_ROOT/src"; # Use environment variable expansion at runtime
-
-        # Inject a script (other PEP-621 entrypoints are also accepted)
-        inherit (pyproject.project) scripts;
-      };
-    };
-  };
-
-  pythonEnv =  myPython.withPackages (ps: [ ps.my-editable ]);
-
-in pkgs.mkShell {
-  packages = [ pythonEnv ];
-}
-```
-
 #### `python.buildEnv` function {#python.buildenv-function}
 
 Python environments can be created using the low-level `pkgs.buildEnv` function.
@@ -535,6 +474,7 @@ are used in [`buildPythonPackage`](#buildpythonpackage-function).
   See [example usage](#using-pythonrelaxdepshook).
 - `pythonRemoveBinBytecode` to remove bytecode from the `/bin` folder.
 - `setuptoolsBuildHook` to build a wheel using `setuptools`.
+- `setuptoolsCheckHook` to run tests with `python setup.py test`.
 - `sphinxHook` to build documentation and manpages using Sphinx.
 - `venvShellHook` to source a Python 3 `venv` at the `venvDir` location. A
   `venv` is created if it does not yet exist. `postVenvCreation` can be used to
@@ -1307,7 +1247,7 @@ for example:
   ] ++ lib.optionals (pythonAtLeast "3.8") [
     # broken due to python3.8 async changes
     "async"
-  ] ++ lib.optionals stdenv.buildPlatform.isDarwin [
+  ] ++ lib.optionals stdenv.isDarwin [
     # can fail when building with other packages
     "socket"
   ];
@@ -1424,10 +1364,6 @@ those specified in `build-system`. If a package requires incompatible build
 time dependencies, they should be removed in `postPatch` through
 `substituteInPlace` or similar.
 
-For ease of use, both `buildPythonPackage` and `buildPythonApplication` will
-automatically add `pythonRelaxDepsHook` if either `pythonRelaxDeps` or
-`pythonRemoveDeps` is specified.
-
 #### Using unittestCheckHook {#using-unittestcheckhook}
 
 `unittestCheckHook` is a hook which will set up (or configure) a [`checkPhase`](#ssec-check-phase) to run `python -m unittest discover`:
@@ -2091,8 +2027,8 @@ no maintainer, so maintenance falls back to the package set maintainers.
 
 ### Updating packages in bulk {#python-package-bulk-updates}
 
-A tool to bulk-update numerous Python libraries is available in the
-repository at `maintainers/scripts/update-python-libraries`.
+There is a tool to update alot of python libraries in bulk, it exists at
+`maintainers/scripts/update-python-libraries` with this repository.
 
 It can quickly update minor or major versions for all packages selected
 and create update commits, and supports the `fetchPypi`, `fetchurl` and

doc/languages-frameworks/qt.section.md

@@ -25,14 +25,12 @@ stdenv.mkDerivation {
 
 The same goes for Qt 5 where libraries and tools are under `libsForQt5`.
 
-Any Qt package should include `wrapQtAppsHook` or `wrapQtAppsNoGuiHook` in `nativeBuildInputs`, or explicitly set `dontWrapQtApps` to bypass generating the wrappers.
+Any Qt package should include `wrapQtAppsHook` in `nativeBuildInputs`, or explicitly set `dontWrapQtApps` to bypass generating the wrappers.
 
 ::: {.note}
+Qt 6 graphical applications should also include `qtwayland` in `buildInputs` on Linux (but not on platforms e.g. Darwin, where `qtwayland` is not available), to ensure the Wayland platform plugin is available.
 
-`wrapQtAppsHook` propagates plugins and QML components from `qtwayland` on platforms that support it, to allow applications to act as native Wayland clients. It should be used for all graphical applications.
-
-`wrapQtAppsNoGuiHook` does not propagate `qtwayland` to reduce closure size for purely command-line applications.
-
+This may become default in the future, see [NixOS/nixpkgs#269674](https://github.com/NixOS/nixpkgs/pull/269674).
 :::
 
 ## Packages supporting multiple Qt versions {#qt-versions}

doc/languages-frameworks/r.section.md

@@ -104,27 +104,24 @@ directory and executed as follows:
 ```bash
 nix-shell generate-shell.nix
 
-Rscript generate-r-packages.R cran  > cran-packages.json.new
-mv cran-packages.json.new cran-packages.json
+Rscript generate-r-packages.R cran  > cran-packages.nix.new
+mv cran-packages.nix.new cran-packages.nix
 
-Rscript generate-r-packages.R bioc  > bioc-packages.json.new
-mv bioc-packages.json.new bioc-packages.json
+Rscript generate-r-packages.R bioc  > bioc-packages.nix.new
+mv bioc-packages.nix.new bioc-packages.nix
 
-Rscript generate-r-packages.R bioc-annotation > bioc-annotation-packages.json.new
-mv bioc-annotation-packages.json.new bioc-annotation-packages.json
+Rscript generate-r-packages.R bioc-annotation > bioc-annotation-packages.nix.new
+mv bioc-annotation-packages.nix.new bioc-annotation-packages.nix
 
-Rscript generate-r-packages.R bioc-experiment > bioc-experiment-packages.json.new
-mv bioc-experiment-packages.json.new bioc-experiment-packages.json
+Rscript generate-r-packages.R bioc-experiment > bioc-experiment-packages.nix.new
+mv bioc-experiment-packages.nix.new bioc-experiment-packages.nix
 ```
 
-`generate-r-packages.R <repo>` reads  `<repo>-packages.json`, therefore
+`generate-r-packages.R <repo>` reads  `<repo>-packages.nix`, therefore
 the renaming.
 
-The contents of a generated `*-packages.json` file will be used to
-create a package derivation for each R package listed in the file.
-
 Some packages require overrides to specify external dependencies or other
 patches and special requirements. These overrides are specified in the
-`pkgs/development/r-modules/default.nix` file. As the `*-packages.json`
+`pkgs/development/r-modules/default.nix` file. As the `*-packages.nix`
 contents are automatically generated it should not be edited and broken
 builds should be addressed using overrides.

doc/languages-frameworks/ruby.section.md

@@ -2,7 +2,7 @@
 
 ## Using Ruby {#using-ruby}
 
-Several versions of Ruby interpreters are available on Nix, as well as over 250 gems and many applications written in Ruby. The attribute `ruby` refers to the default Ruby interpreter, which is currently MRI 3.3. It's also possible to refer to specific versions, e.g. `ruby_3_y`, `jruby`, or `mruby`.
+Several versions of Ruby interpreters are available on Nix, as well as over 250 gems and many applications written in Ruby. The attribute `ruby` refers to the default Ruby interpreter, which is currently MRI 3.1. It's also possible to refer to specific versions, e.g. `ruby_3_y`, `jruby`, or `mruby`.
 
 In the Nixpkgs tree, Ruby packages can be found throughout, depending on what they do, and are called from the main package set. Ruby gems, however are separate sets, and there's one default set for each interpreter (currently MRI only).
 
@@ -154,7 +154,7 @@ let
     defaultGemConfig = pkgs.defaultGemConfig // {
       pg = attrs: {
         buildFlags =
-        [ "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
+        [ "--with-pg-config=${pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
       };
     };
   };
@@ -172,7 +172,7 @@ let
     gemConfig = pkgs.defaultGemConfig // {
       pg = attrs: {
         buildFlags =
-        [ "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
+        [ "--with-pg-config=${pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
       };
     };
   };
@@ -190,7 +190,9 @@ let
         defaultGemConfig = super.defaultGemConfig // {
           pg = attrs: {
             buildFlags = [
-              "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config"
+              "--with-pg-config=${
+                pkgs."postgresql_${pg_version}"
+              }/bin/pg_config"
             ];
           };
         };

doc/languages-frameworks/rust.section.md

@@ -41,7 +41,7 @@ rustPlatform.buildRustPackage rec {
     description = "Fast line-oriented regex search tool, similar to ag and ack";
     homepage = "https://github.com/BurntSushi/ripgrep";
     license = lib.licenses.unlicense;
-    maintainers = [ ];
+    maintainers = [];
   };
 }
 ```
@@ -162,10 +162,9 @@ rustPlatform.buildRustPackage {
 }
 ```
 
-If the upstream source repository lacks a `Cargo.lock` file, you must add one
-to `src`, as it is essential for building a Rust package. Setting
-`cargoLock.lockFile` or `cargoLock.lockFileContents` will not automatically add
-a `Cargo.lock` file to `src`. A straightforward solution is to use:
+Note that setting `cargoLock.lockFile` or `cargoLock.lockFileContents`
+doesn't add a `Cargo.lock` to your `src`, and a `Cargo.lock` is still
+required to build a rust package. A simple fix is to use:
 
 ```nix
 {
@@ -568,7 +567,8 @@ buildPythonPackage rec {
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
-    inherit pname version src sourceRoot;
+    inherit src sourceRoot;
+    name = "${pname}-${version}";
     hash = "sha256-miW//pnOmww2i6SOGbkrAIdc/JMDT4FJLqdMFojZeoY=";
   };
 
@@ -611,8 +611,9 @@ buildPythonPackage rec {
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
-    inherit pname version src;
+    inherit src;
     sourceRoot = "${pname}-${version}/${cargoRoot}";
+    name = "${pname}-${version}";
     hash = "sha256-PS562W4L1NimqDV2H0jl5vYhL08H9est/pbIxSdYVfo=";
   };
 
@@ -641,7 +642,6 @@ builds the `retworkx` Python package. `fetchCargoTarball` and
 buildPythonPackage rec {
   pname = "retworkx";
   version = "0.6.0";
-  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "Qiskit";
@@ -651,10 +651,13 @@ buildPythonPackage rec {
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
-    inherit pname version src;
+    inherit src;
+    name = "${pname}-${version}";
     hash = "sha256-heOBK8qi2nuc/Ib+I/vLzZ1fUUD/G/KTw9d7M4Hz5O0=";
   };
 
+  format = "pyproject";
+
   nativeBuildInputs = with rustPlatform; [ cargoSetupHook maturinBuildHook ];
 
   # ...
@@ -679,7 +682,7 @@ Some projects, especially GNOME applications, are built with the Meson Build Sys
 , blueprint-compiler
 , libadwaita
 , libsecret
-, tinysparql
+, tracker
 }:
 
 stdenv.mkDerivation rec {
@@ -695,7 +698,8 @@ stdenv.mkDerivation rec {
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
-    inherit pname version src;
+    inherit src;
+    name = "${pname}-${version}";
     hash = "sha256-8fa3fa+sFi5H+49B5sr2vYPkp9C9s6CcE0zv4xB8gww=";
   };
 
@@ -713,7 +717,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     libadwaita
     libsecret
-    tinysparql
+    tracker
   ];
 
   # ...

doc/languages-frameworks/tcl.section.md

@@ -1,54 +0,0 @@
-# Tcl {#sec-language-tcl}
-
-## User guide {#sec-language-tcl-user-guide}
-
-Tcl interpreters are available under the `tcl` and `tcl-X_Y` attributes, where `X_Y` is the Tcl version.
-
-Tcl libraries are available in the `tclPackages` attribute set.
-They are only guaranteed to work with the default Tcl version, but will probably also work with others thanks to the [stubs mechanism](https://wiki.tcl-lang.org/page/Stubs).
-
-## Packaging guide {#sec-language-tcl-packaging}
-
-Tcl packages are typically built with `tclPackages.mkTclDerivation`.
-Tcl dependencies go in `buildInputs`/`nativeBuildInputs`/... like other packages.
-For more complex package definitions, such as packages with mixed languages, use `tcl.tclPackageHook`.
-
-Where possible, make sure to enable stubs for maximum compatibility, usually with the `--enable-stubs` configure flag.
-
-Here is a simple package example to be called with `tclPackages.callPackage`.
-
-```
-{ lib, fetchzip, mkTclDerivation, openssl }:
-
-mkTclDerivation rec {
-  pname = "tcltls";
-  version = "1.7.22";
-
-  src = fetchzip {
-    url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${version}.tar.gz";
-    hash = "sha256-TOouWcQc3MNyJtaAGUGbaQoaCWVe6g3BPERct/V65vk=";
-  };
-
-  buildInputs = [ openssl ];
-
-  configureFlags = [
-    "--with-ssl-dir=${openssl.dev}"
-    "--enable-stubs"
-  ];
-
-  meta = {
-    homepage = "https://core.tcl-lang.org/tcltls/index";
-    description = "OpenSSL / RSA-bsafe Tcl extension";
-    maintainers = [ lib.maintainers.agbrooks ];
-    license = lib.licenses.tcltk;
-    platforms = lib.platforms.unix;
-  };
-}
-```
-
-All Tcl libraries are declared in `pkgs/top-level/tcl-packages.nix` and are defined in `pkgs/development/tcl-modules/`.
-If possible, prefer the by-name hierarchy in `pkgs/development/tcl-modules/by-name/`.
-Its use is documented in `pkgs/development/tcl-modules/by-name/README.md`.
-
-All Tcl applications reside elsewhere.
-In case a package is used as both a library and an application (for example `expect`), it should be defined in `tcl-packages.nix`, with an alias elsewhere.

doc/languages-frameworks/vim.section.md

@@ -232,27 +232,6 @@ To add a new plugin, run `nix-shell -p vimPluginsUpdater --run 'vim-plugins-upda
 
 Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by `vimPluginsUpdater` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of the Language Server Protocol integration with Vim/Neovim.
 
-### Testing Neovim plugins {#testing-neovim-plugins}
-
-`nvimRequireCheck=MODULE` is a simple test which checks if Neovim can requires the lua module `MODULE` without errors. This is often enough to catch missing dependencies.
-
-This can be manually added through plugin definition overrides in the [overrides.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/overrides.nix).
-
-```nix
-  gitsigns-nvim = super.gitsigns-nvim.overrideAttrs {
-    dependencies = [ self.plenary-nvim ];
-    nvimRequireCheck = "gitsigns";
-  };
-```
-
-### Plugin optional configuration {#vim-plugin-required-snippet}
-
-Some plugins require specific configuration to work. We choose not to
-patch those plugins but expose the necessary configuration under
-`PLUGIN.passthru.initLua` for neovim plugins. For instance, the `unicode-vim` plugin
-needs the path towards a unicode database so we expose the following snippet `vim.g.Unicode_data_directory="${self.unicode-vim}/autoload/unicode"` under `vimPlugins.unicode-vim.passthru.initLua`.
-
-
 ## Updating plugins in nixpkgs {#updating-plugins-in-nixpkgs}
 
 Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).

doc/packages/build-support.md

@@ -1,102 +0,0 @@
-# Build Support {#sec-build-support}
-
-## `pkgs.substitute` {#pkgs-substitute}
-
-`pkgs.substitute` is a wrapper around [the `substitute` Bash function](#fun-substitute) in the standard environment.
-It replaces strings in `src` as specified by the `substitutions` argument.
-
-
-:::{.example #ex-pkgs-substitute}
-# Usage of `pkgs.substitute`
-
-In a build script, the line:
-
-```bash
-substitute $infile $outfile --replace-fail @foo@ ${foopkg}/bin/foo
-```
-
-is equivalent to:
-
-```nix
-{ substitute, foopkg }:
-substitute {
-  src = ./sourcefile.txt;
-  substitutions = [
-    "--replace"
-    "@foo@"
-    "${foopkg}/bin/foo"
-  ];
-}
-```
-:::
-
-## `pkgs.substituteAll` {#pkgs-substituteall}
-
-`pkgs.substituteAll` substitutes all instances of `@varName@` (`@`s included) in file `src` with the value of the corresponding environment variable.
-As this uses the [`substituteAll`] (#fun-substitute) function, its limitations regarding variable names that will or will not be replaced also apply here.
-
-:::{.example #ex-pkgs-substituteAll}
-# Usage of `pkgs.substituteAll`
-
-If `say-goodbye.sh` contains the following:
-
-```bash
-#! @bash@/bin/bash
-
-echo @unchanged@
-@hello@/bin/hello --greeting @greeting@
-```
-
-the following derivation will make substitutions to `@bash@`, `@hello@`, and `@greeting@`:
-
-```nix
-{
-  substituteAll,
-  bash,
-  hello,
-}:
-substituteAll {
-  src = ./say-goodbye.sh;
-  env = {
-    inherit bash hello;
-    greeting = "goodbye";
-  };
-}
-```
-
-such that `$out` will result in something like the following:
-
-```
-#! /nix/store/s30jrpgav677fpc9yvkqsib70xfmx7xi-bash-5.2p26/bin/bash
-
-echo @unchanged@
-/nix/store/566f5isbvw014h7knmzmxa5l6hshx43k-hello-2.12.1/bin/hello --greeting goodbye
-```
-:::
-
-## `pkgs.substituteAllFiles` {#pkgs-substituteallfiles}
-
-`pkgs.substituteAllFiles` replaces `@varName@` with the value of the environment variable `varName`.
-It expects `src` to be a directory and requires a `files` argument that specifies which files will be subject to replacements; only these files will be placed in `$out`.
-
-As it also uses the `substituteAll` function, it is subject to the same limitations on environment variables as discussed in [pkgs.substituteAll](#pkgs-substituteall).
-
-:::{.example #ex-pkgs-substitute-all-files}
-# Usage of `pkgs.substituteAllFiles`
-
-If the current directory contains `{foo,bar,baz}.txt` and the following `default.nix`
-
-```nix
-{ substituteAllFiles }:
-substituteAllFiles {
-  src = ./.;
-  files = [
-    "foo.txt"
-    "bar.txt"
-  ];
-  hello = "there";
-}
-```
-
-in the resulting derivation, every instance of `@hello@` will be replaced with `there` in `$out/foo.txt` and` `$out/bar.txt`; `baz.txt` will not be processed nor will it appear in `$out`.
-:::

doc/packages/darwin-builder.section.md

@@ -100,7 +100,7 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
     darwin-builder = nixpkgs.lib.nixosSystem {
       system = linuxSystem;
       modules = [
-        "${nixpkgs}/nixos/modules/profiles/nix-builder-vm.nix"
+        "${nixpkgs}/nixos/modules/profiles/macos-builder.nix"
         { virtualisation = {
             host.pkgs = pkgs;
             darwin-builder.workingDirectory = "/var/lib/darwin-builder";
@@ -158,7 +158,7 @@ in the example below and rebuild.
     darwin-builder = nixpkgs.lib.nixosSystem {
       system = linuxSystem;
       modules = [
-        "${nixpkgs}/nixos/modules/profiles/nix-builder-vm.nix"
+        "${nixpkgs}/nixos/modules/profiles/macos-builder.nix"
         {
           virtualisation.host.pkgs = pkgs;
           virtualisation.darwin-builder.diskSize = 5120;
@@ -185,6 +185,6 @@ nix-repl> darwin.linux-builder.nixosConfig.nix.package
 «derivation /nix/store/...-nix-2.17.0.drv»
 
 nix-repl> :p darwin.linux-builder.nixosOptions.virtualisation.memorySize.definitionsWithLocations
-[ { file = "/home/user/src/nixpkgs/nixos/modules/profiles/nix-builder-vm.nix"; value = 3072; } ]
+[ { file = "/home/user/src/nixpkgs/nixos/modules/profiles/macos-builder.nix"; value = 3072; } ]
 
 ```