24.11 beta release

.devcontainer/devcontainer.json

@@ -1,34 +0,0 @@
-{
-  "name": "nixpkgs",
-  "image": "mcr.microsoft.com/devcontainers/universal:2-linux",
-  "features": {
-    "ghcr.io/devcontainers/features/nix:1": {
-      // fails in the devcontainer sandbox, enable sandbox via config instead
-      "multiUser": false,
-      "packages": "nixpkgs.nixd,nixpkgs.nixfmt-rfc-style",
-      "useAttributePath": true,
-      "extraNixConfig": "experimental-features = nix-command flakes,sandbox = true"
-    }
-  },
-  // Fixup permissions inside container.
-  // https://github.com/NixOS/nix/issues/6680#issuecomment-1230902525
-  "postCreateCommand": "sudo apt-get install -y acl",
-  "postStartCommand": "sudo setfacl -k /tmp; if [ -e /dev/kvm ]; then sudo chgrp $(id -g) /dev/kvm; fi",
-  "customizations": {
-    "vscode": {
-      "extensions": [
-        "jnoortheen.nix-ide"
-      ],
-      "settings": {
-        "[nix]": {
-            "editor.formatOnSave": true
-        },
-        "nix.enableLanguageServer": true,
-        "nix.serverPath": "nixd"
-      }
-    }
-  },
-  "remoteEnv": {
-    "NIXPKGS": "/workspaces/nixpkgs"
-  }
-}

.editorconfig

@@ -24,7 +24,7 @@ insert_final_newline = false
 # see https://nixos.org/nixpkgs/manual/#chap-conventions
 
 # Match json/lockfiles/markdown/nix/perl/python/ruby/shell/docbook files, set indent to spaces
-[*.{bash,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
+[*.{json,lock,md,nix,pl,pm,py,rb,sh,xml}]
 indent_style = space
 
 # Match docbook files, set indent width of one
@@ -35,12 +35,8 @@ indent_size = 1
 [*.{json,lock,md,nix,rb}]
 indent_size = 2
 
-# Match all the Bash code in Nix files, set indent width of two
-[*.{bash,sh}]
-indent_size = 2
-
-# Match Perl and Python scripts, set indent width of four
-[*.{pl,pm,py}]
+# Match perl/python/shell scripts, set indent width of four
+[*.{pl,pm,py,sh}]
 indent_size = 4
 
 # Match gemfiles, set indent to spaces with width of two
@@ -48,10 +44,9 @@ indent_size = 4
 indent_size = 2
 indent_style = space
 
-# Match package.json and package-lock.json, which are generally pulled from upstream and accept them as they are
-[package{,-lock}.json]
+# Match package.json, which are generally pulled from upstream and accept them as they are
+[package.json]
 indent_style = unset
-insert_final_newline = unset
 
 # Disable file types or individual files
 # some of these files may be auto-generated and/or require significant changes
@@ -86,10 +81,42 @@ charset = unset
 [eggs.nix]
 trim_trailing_whitespace = unset
 
-[registry.dat]
+[nixos/modules/services/networking/ircd-hybrid/*.{conf,in}]
+trim_trailing_whitespace = unset
+
+[pkgs/build-support/dotnetenv/Wrapper/**]
+end_of_line = unset
+indent_style = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+
+[pkgs/development/compilers/elm/registry.dat]
 end_of_line = unset
 insert_final_newline = unset
 
-# Keep this hint at the bottom:
-# Please don't add entries for subfolders here.
-# Create <subfolder>/.editorconfig instead.
+[pkgs/development/haskell-modules/hackage-packages.nix]
+indent_style = unset
+trim_trailing_whitespace = unset
+
+[pkgs/misc/documentation-highlighter/**]
+insert_final_newline = unset
+
+[pkgs/servers/dict/wordnet_structures.py]
+trim_trailing_whitespace = unset
+
+[pkgs/tools/misc/timidity/timidity.cfg]
+trim_trailing_whitespace = unset
+
+[pkgs/tools/virtualization/ovftool/*.ova]
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+charset = unset
+
+[lib/tests/*.plist]
+indent_style = tab
+insert_final_newline = unset
+
+[pkgs/kde/generated/**]
+insert_final_newline = unset
+end_of_line = unset

.git-blame-ignore-revs

@@ -1,11 +1,5 @@
 # This file contains a list of commits that are not likely what you
 # are looking for in a blame, such as mass reformatting or renaming.
-#
-# If a commit's line ends with `# !autorebase <command>`,
-# where <command> is an idempotent bash command that reapplies the changes from the commit,
-# the `maintainers/scripts/auto-rebase/run.sh` script can be used to rebase
-# across that commit while automatically resolving merge conflicts caused by the commit.
-#
 # You can set this file as a default ignore file for blame by running
 # the following command.
 #
@@ -210,59 +204,5 @@ ce21e97a1f20dee15da85c084f9d1148d84f853b
 # sqlc: format with nixfmt
 2bdec131b2bb2c8563f4556d741d34ccb77409e2
 
-# ant: format with nixfmt-rfc-style
-2538d58436b8d0b56d29780aeebf4bf720ddb9ea
-
 # treewide: migrate packages to pkgs/by-name, take 1
 571c71e6f73af34a229414f51585738894211408
-
-# format files with nixfmt (#347275)
-adb9714bd909df283c66bbd641bd631ff50a4260
-
-# treewide: incus packages
-9ab59bb5fb943ad6740f64f5a79eae9642fb8211
-
-# treewide nixfmt reformat pass 1, master, staging and staging-next
-4f0dadbf38ee4cf4cc38cbc232b7708fddf965bc
-667d42c00d566e091e6b9a19b365099315d0e611
-84d4f874c2bac9f3118cb6907d7113b3318dcb5e
-
-# tmuxPlugins sha-to-sri.py script
-516b1e74c358a9c4b06e5591f8c1a2897aad0c33
-
-# treewide: migrate comments in lib to rfc145 style
-ef85e0daa092c9eae0d32c7ce16b889728a5fbc0
-d89ad6c70e0e89aaae75e9f886878ea4e103965a
-e0fe216f4912dd88a021d12a44155fd2cfeb31c8
-80d5b411f6397d5c3e755a0635d95742f76f3c75
-
-# nixos/movim: format with nixfmt-rfc-style
-43c1654cae47cbf987cb63758c06245fa95c1e3b
-
-# nixos/iso-image.nix: nixfmt
-da9a092c34cef6947d7aee2b134f61df45171631
-
-# python-packages: format with nixfmt-rfc-style
-5f6f5e13ae0b6960cbf1be8aeb3d0048285a08d1
-
-# python-packages: sort with keep-sorted
-fd14c067813572afc03ddbf7cdedc3eab5a59954
-783add849cbca228a36ffdf407e5d380dc2fe6c4
-
-# treewide format of all Nix files
-374e6bcc403e02a35e07b650463c01a52b13a7c8 # !autorebase nix-shell --run treefmt
-
-# nix: nixfmt-rfc-style
-a4f7e161b380b35b2f7bc432659a95fd71254ad8
-0812c9a321003c924868051d2b2e1934e8880f3f
-34f269c14ac18d89ddee9a8f54b1ca92a85bbcc6
-062c34cdace499aa44f0fa6ca6f2ca71769f6c43
-
-# haskellPackages.hercules-ci-agent (cabal2nix -> nixfmt-rfc-style)
-9314da7ee8d2aedfb15193b8c489da51efe52bb5
-
-# nix-builder-vm: nixfmt-rfc-style
-a034fb50f79816c6738fb48b48503b09ea3b0132
-
-# treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
-05580f4b4433fda48fff30f60dfd303d6ee05d21

.github/ISSUE_TEMPLATE.md

@@ -1,6 +1,11 @@
-<!--
-    Please note: This blank issue template is meant for extraordinary issues
-    that do not fit the templates. Unless you know your issue is relevant to
-    Nixpkgs and requires the free-form blank issue, please use the issue
-    templates instead.
--->
+## Issue description
+
+
+
+### Steps to reproduce
+
+
+
+## Technical details
+
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->

.github/ISSUE_TEMPLATE/01_bug_report.yml

@@ -1,143 +0,0 @@
-name: "Bug report (package)"
-description: "Create a generic bug report against a package."
-title: "PACKAGENAME: BUG TITLE"
-labels: ["0.kind: bug"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`PACKAGENAME: BUG TITLE`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) and a short title summarising what the bug entails.
-
-        > [!TIP]
-        > For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on ARM Linux, your title would be as follows:
-        > `hello: fails to launch on aarch64-linux`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.05)"
-        - "- Stable (24.11)"
-        - "- Previous Stable (24.05)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the bug"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "input"
-    id: "expected-behaviour"
-    attributes:
-      label: "Expected behaviour"
-      description: "Please write a concise description of what was supposed to happen."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "screenshots"
-    attributes:
-      label: "Screenshots"
-      description: |
-        If applicable, add screenshots to help explain your problem.
-        If you need help uploading images to GitHub, please review the [relevant documentation](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#uploading-assets).
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        If applicable, copy and paste any relevant log output.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+-label%3A%226.topic%3A+darwin%22+-label%3A%226.topic%3A+nixos%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml

@@ -1,157 +0,0 @@
-name: "Bug report (macOS)"
-description: "Create a bug report against a package where the issue only occurs on macOS."
-title: "PACKAGENAME: BUG TITLE"
-labels: ["0.kind: bug", "6.topic: darwin"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`PACKAGENAME: BUG TITLE`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) and a short title summarising what the bug entails.
-
-        > [!TIP]
-        > For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on Apple Silicon, your title would be as follows:
-        > `hello: fails to launch on aarch64-darwin`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.05)"
-        - "- Stable (24.11)"
-        - "- Previous Stable (24.05)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the bug"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "input"
-    id: "expected-behaviour"
-    attributes:
-      label: "Expected behaviour"
-      description: "Please write a concise description of what was supposed to happen."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "screenshots"
-    attributes:
-      label: "Screenshots"
-      description: |
-        If applicable, add screenshots to help explain your problem.
-        If you need help uploading images to GitHub, please review the [relevant documentation](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#uploading-assets).
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        If applicable, copy and paste any relevant log output.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "dropdown"
-    id: "nix-darwin"
-    attributes:
-      label: "Are you using nix-darwin?"
-      description: |
-        [`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
-      options:
-        - "Yes, I am using nix-darwin."
-        - "No, I am not using nix-darwin."
-      default: 1
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-
-        If this issue is related to the Darwin packaging architecture as a whole, or is related to the core Darwin frameworks, consider mentioning the `@NixOS/darwin-core` team.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs/NixOS, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+label%3A%226.topic%3A+darwin%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml

@@ -1,147 +0,0 @@
-name: "Bug report (NixOS module)"
-description: "Create a bug report against a NixOS Module."
-title: "nixos/MODULENAME: BUG TITLE"
-labels: ["0.kind: bug", "6.topic: nixos"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`nixos/MODULENAME: BUG TITLE`** template above with the correct module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)) and a short title summarising what the bug entails.
-
-        > [!TIP]
-        > For instance, if you were filing a bug against the [`systemd-boot`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.enable&from=0&size=1) module about it failing to install [`memtest86`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.memtest86.enable&from=0&size=1), your title would be as follows:
-        > `nixos/systemd-boot: fails to install memtest86`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.05)"
-        - "- Stable (24.11)"
-        - "- Previous Stable (24.05)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the bug"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "input"
-    id: "expected-behaviour"
-    attributes:
-      label: "Expected behaviour"
-      description: "Please write a concise description of what was supposed to happen."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "screenshots"
-    attributes:
-      label: "Screenshots"
-      description: |
-        If applicable, add screenshots to help explain your problem.
-        If you need help uploading images to GitHub, please review the [relevant documentation](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#uploading-assets).
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        If applicable, copy and paste any relevant log output.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the `meta.maintainers` list of the offending module. This is done by prefixing the person's username with an '@' character. You can quickly go to the source code of a module by searching for it on the [NixOS Option Search](https://search.nixos.org/options) and clicking the "Declared in..." button.
-
-        Please note that the maintainer attribute name does not always match the maintainer's GitHub username. If that occurs, try looking in [`maintainers/maintainer-list.nix`](https://github.com/NixOS/nixpkgs/blob/master/maintainers/maintainer-list.nix) for the maintainer attribute name, and checking if the maintainer has a listed GitHub username.
-
-        If in doubt, check `git blame` for whoever last touched the module, or check the associated package's maintainers. Please add the mentions above the `---` characters.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+label%3A%226.topic%3A+nixos%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/04_build_failure.yml

@@ -1,152 +0,0 @@
-name: "Build failure"
-description: "Report a package that is failing to build."
-title: "Build failure: PACKAGENAME"
-labels: ["0.kind: build failure"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Build failure: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
-
-        > [!TIP]
-        > For instance, if you were filing a build failure against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package, your title would be as follows:
-        > `Build failure: hello`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        In what version of Nixpkgs did the build failure occur?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please update to the latest stable version and check if the build failure persists before continuing this report.
-        > If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
-      options:
-        - "Please select a version."
-        - "- Unstable (25.05)"
-        - "- Stable (24.11)"
-        - "- Previous Stable (24.05)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this build failure. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "dropdown"
-    id: "hydra"
-    attributes:
-      label: "Can Hydra reproduce this build failure?"
-      description: |
-        Can [Hydra](https://hydra.nixos.org), Nixpkgs' Continuous Integration system, reproduce this build failure?
-        Please use the search function in the header bar to locate the last build job for the package in question.
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-red-x-274c.svg" width="20px" align="top" alt="Red X"> icon near the package entry, say '**Yes, Hydra can reproduce this build failure.**'
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-gray-x-2716.svg" width="20px" align="top" alt="Dark Gray X"> icon near the package entry, then the build failure occurs with another package, and you need to track the original failing package by going down the chain of 'Cached failures' until you reach the final package in the failing dependency chain. Once you locate the failing package, re-write this report against that package and say '**Yes, Hydra can reproduce this build failure.**'
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-check-2714.svg" width="20px" align="top" alt="Green Check Mark"> icon near the package entry, then it most likely means it's a local issue with your system. (Maybe you ran out of space?)
-          You can still open a build failure report, but please say '**No, Hydra cannot reproduce this build failure.**' below.
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-question-2754.svg" width="20px" align="top" alt="Gray Question Mark"> icon near the package entry, say '**Hydra is currently rebuilding this package.**'
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-stopsign-1f6d1.svg" width="20px" align="top" alt="Red Stop Sign"> icon near the package entry, then the build job was stopped manually. If this occurs, please coordinate with the [Infrastructure Team](https://matrix.to/#/#infra:nixos.org), and say '**The last build job was manually cancelled.**'
-        - If Hydra isn't supposed to build the package at all, say '**Hydra doesn’t try to build the package.**'
-      options:
-        - "Please select the Hydra Status."
-        - "Yes, Hydra can reproduce this build failure."
-        - "No, Hydra cannot reproduce this build failure."
-        - "Hydra is currently rebuilding this package."
-        - "The last build job was manually cancelled."
-        - "Hydra doesn’t try to build the package."
-      default: 0
-    validations:
-      required: true
-  - type: "input"
-    id: "hydra-logs"
-    attributes:
-      label: "Link to Hydra build job"
-      description: "If you answered 'yes' in the question above, please copy-and-paste the link to the failing Hydra job here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        Please copy and paste the logs from the failed build.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: true
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+build+failure%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/05_update_request.yml

@@ -1,125 +0,0 @@
-name: "Request: package update"
-description: "Create an update request for an existing, but outdated package."
-title: "Update Request: PACKAGENAME OLDVERSION → NEWVERSION"
-labels: ["0.kind: enhancement", "9.needs: package (update)"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Update Request: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package, and the latest version of the package.
-
-        > [!TIP]
-        > For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs is 1.0.0, but the latest version upstream is 1.0.1, your title would be as follows:
-        > `Update Request: hello 1.0.0 → 1.0.1`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older or stable version, please update to the latest **unstable** version and check if the package is still out of date.
-        > If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.05)"
-        - "- Stable (24.11)"
-        - "- Previous Stable (24.05)"
-      default: 0
-    validations:
-      required: true
-  - type: "input"
-    id: "name"
-    attributes:
-      label: "Package name"
-      description: "Please indicate the name of the package."
-    validations:
-      required: true
-  - type: "input"
-    id: "upstream-version"
-    attributes:
-      label: "Upstream version"
-      description: "Please indicate the latest version of the package."
-    validations:
-      required: true
-  - type: "input"
-    id: "nixpkgs-version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        Please indicate the current version number in Nixpkgs' **unstable** channel. You can check this by setting the [NixOS Package Search](https://search.nixos.org/packages?channel=unstable) channel to 'unstable' and searching for the package.
-        If you meant to request an upgrade in the stable channel, please file the '**Request: backport to stable**' form instead.
-    validations:
-      required: true
-  - type: "input"
-    id: "changelog"
-    attributes:
-      label: "Changelog"
-      description: "If applicable, please link the upstream changelog for the latest version."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the update here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this package update does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+package+%28update%29%22) or in [Nixpkgs Unstable](https://search.nixos.org/packages?channel=unstable)."
-          required: true
-        - label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+package+%28update%29%22)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/06_module_request.yml

@@ -1,101 +0,0 @@
-name: "Request: NixOS module"
-description: "Create a new NixOS Module request for an existing package."
-title: "Module Request: nixos/MODULENAME"
-labels: ["0.kind: enhancement", "6.topic: nixos", "9.needs: module (new)"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Module Request: nixos/MODULENAME`** template above with the correct module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
-
-        > [!TIP]
-        > For instance, if you were filing a request against the missing `hello` module, your title would be as follows:
-        > `Module Request: nixos/hello`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.05)"
-        - "- Stable (24.11)"
-        - "- Previous Stable (24.05)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the proposed module"
-      description: "Please include a clear and concise description of what the module should accomplish."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the proposed module here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this module does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+module+%28new%29%22) or in [NixOS Unstable](https://search.nixos.org/options?channel=unstable)."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+module+%28new%29%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve NixOS!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/07_backport_request.yml

@@ -1,103 +0,0 @@
-name: "Request: backport to stable"
-description: "Create a backport request for a package that is up-to-date in the unstable channel, but outdated in the stable channel."
-title: "Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION"
-labels: ["0.kind: enhancement", "9.needs: port to stable"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        > [!CAUTION]
-        > **Before you begin:** Be advised that backports are subject to the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
-        > Stable releases of Nixpkgs do not receive breaking changes, which include major package updates that have incompatible API changes and break backwards compatibility. In the [Semantic Versioning standard](https://semver.org/), this is the first version number. (1.X.X)
-        > Generally, only minor package updates, such as security patches, bug fixes and feature additions (but not removals!) will be considered for backporting. Please read the rules above carefully before filing this backport request.
-
-        Welcome to Nixpkgs. Please replace the **`Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package in Nixpkgs Stable and the current version of the package in Nixpkgs Unstable.
-
-        > [!TIP]
-        > For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs Unstable is 1.0.1, but the current version in Nixpkgs Stable is 1.0.0, your title would be as follows:
-        > `Backport to Stable: hello 1.0.0 → 1.0.1`
-
-        ---
-  - type: "input"
-    id: "name"
-    attributes:
-      label: "Package name"
-      description: "Please indicate the name of the package."
-    validations:
-      required: true
-  - type: "input"
-    id: "unstable-version"
-    attributes:
-      label: "Version in unstable"
-      description: "Please indicate the current version of the package in the unstable channel."
-    validations:
-      required: true
-  - type: "input"
-    id: "stable-version"
-    attributes:
-      label: "Version in stable"
-      description: "Please indicate the current version of the package in the stable channel."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "reasoning"
-    attributes:
-      label: "Reasoning for backport"
-      description: "Please briefly explain why this backport fits the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases) and why you think this update should be backported."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this backport does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+in%3Atitle+backport)."
-          required: true
-        - label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+port+to+stable%22+)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/08_documentation_request.yml

@@ -1,87 +0,0 @@
-name: "Request: documentation"
-description: "Report missing or incorrect documentation in the NixOS or Nixpkgs manuals."
-title: "Missing Documentation: PACKAGENAME"
-labels: ["0.kind: enhancement", "9.needs: documentation"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Missing Documentation: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) or module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
-
-        > [!TIP]
-        > For instance, if you were filing an issue against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it not having any NixOS-specific documentation, your title would be as follows:
-        > `Missing Documentation: hello`
-
-        ---
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the problem"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "proposal"
-    attributes:
-      label: "Proposed solution"
-      description: |
-        If possible, please draft a tentative documentation chapter to resolve this issue.
-        Your proposal should be written in CommonMark Markdown, optionally enhanced with [Nix-specific extensions](https://github.com/NixOS/nixpkgs/tree/master/doc#syntax).
-      render: "markdown"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this request is not already implemented in the latest [NixOS](https://nixos.org/manual/nixos/unstable/) or [Nixpkgs](https://nixos.org/manual/nixpkgs/unstable/) manuals."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing documentation issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "priorisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/09_unreproducible_package.yml

@@ -1,158 +0,0 @@
-name: "Unreproducible Package"
-description: "Report a package that does not produce a bit-by-bit reproducible result each time it is built."
-title: "Unreproducible Package: PACKAGENAME"
-labels: ["0.kind: enhancement", "6.topic: reproducible builds"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Unreproducible Package: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
-
-        > [!NOTE]
-        > This form is for reporting unreproducible packages. For more information, see the [Reproducible Builds Status](https://reproducible.nixos.org/) page.
-        > To report a package that fails to build entirely, please use the "Build Failure" form instead.
-
-        ---
-  - type: "input"
-    id: "version"
-    attributes:
-      label: "Nixpkgs Revision"
-      description: "In which commit of Nixpkgs is this package displaying unreproducibility?"
-  - type: "textarea"
-    id: "introduction"
-    attributes:
-      label: "Introduction"
-      description: |
-        This is a generic introduction to build reproducibility.
-        Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the title above.
-      value: |
-        Building **PACKAGENAME** multiple times does not yield bit-by-bit identical
-        results, complicating the detection of Continuous Integration (CI) breaches. For
-        more information on this issue, visit [reproducible-builds.org](https://reproducible-builds.org/).
-
-        Fixing bit-by-bit reproducibility also has additional advantages, such as
-        avoiding hard-to-reproduce bugs, making content-addressed storage more effective
-        and reducing rebuilds in such systems.
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: |
-        This is a step-by-step instruction set meant for maintainers to debug the package that is failing to reproduce. You should also follow it to gather the `diffoscope` logs that will be needed below.
-        Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the introduction and the title above.
-      value: |
-        ### 1. Build the package
-
-        This step will build the package. Specific arguments are passed to the command
-        to keep the build artifacts so we can compare them in case of differences.
-
-        Execute the following command:
-
-        ```
-        nix-build '<nixpkgs>' -A PACKAGENAME && nix-build '<nixpkgs>' -A PACKAGENAME --check --keep-failed
-        ```
-
-        Or using the new command line style:
-
-        ```
-        nix build nixpkgs#PACKAGENAME && nix build nixpkgs#PACKAGENAME --rebuild --keep-failed
-        ```
-
-        ### 2. Compare the build artifacts
-
-        If the previous command completes successfully, no differences were found and
-        there's nothing to do, builds are reproducible.
-        If it terminates with the error message `error: derivation '<X>' may not be
-        deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
-        the discrepancies between the two build outputs. You may need to add the
-        `--exclude-directory-metadata recursive` option to ignore files and directories
-        metadata (*e.g. timestamp*) differences.
-
-        ```
-        nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
-        ```
-
-        ### 3. Examine the build log
-
-        To examine the build log, use:
-
-        ```
-        nix-store --read-log $(nix-instantiate '<nixpkgs>' -A PACKAGENAME)
-        ```
-
-        Or with the new command line style:
-
-        ```
-        nix log $(nix path-info --derivation nixpkgs#PACKAGENAME)
-        ```
-    validations:
-      required: true
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Diffoscope log"
-      description: |
-        Please copy and paste the relevant `diffoscope` log output, gathered from the steps above.
-        This will be automatically formatted into a monospaced text block, so no need for backticks.
-      render: "console"
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,54 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: '0.kind: bug'
+assignees: ''
+
+---
+
+## Describe the bug
+
+<!-- A clear and concise description of what the bug is. -->
+
+## Steps To Reproduce
+
+Steps to reproduce the behavior:
+
+1. ...
+2. ...
+3. ...
+
+## Expected behavior
+
+<!-- A clear and concise description of what you expected to happen. -->
+
+## Screenshots
+
+<!-- If applicable, add screenshots to help explain your problem: -->
+
+## Additional context
+
+<!-- Add any other context about the problem here. -->
+
+## Metadata
+
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
+
+## Notify maintainers
+
+<!--
+Please @ people who are in the `meta.maintainers` list of the offending package or module.
+If in doubt, check `git blame` for whoever last touched something.
+-->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/build_failure.md

@@ -0,0 +1,53 @@
+---
+name: Build failure
+about: Create a report to help us improve
+title: 'Build failure: PACKAGENAME'
+labels: '0.kind: build failure'
+assignees: ''
+
+---
+
+## Steps To Reproduce
+
+Steps to reproduce the behavior:
+
+1. build *X*
+
+## Build log
+
+<!-- insert build log in code block in collapsable section -->
+
+<details>
+
+<summary>Build Log</summary>
+
+```
+```
+
+</details>
+
+## Additional context
+
+<!-- Add any other context about the problem here. -->
+
+## Metadata
+
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
+
+## Notify maintainers
+
+<!--
+Please @ people who are in the `meta.maintainers` list of the offending package or module.
+If in doubt, check `git blame` for whoever last touched something.
+-->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -0,0 +1,41 @@
+---
+name: Missing or incorrect documentation
+about: Help us improve the Nixpkgs and NixOS reference manuals
+title: 'Documentation: '
+labels: '9.needs: documentation'
+assignees: ''
+
+---
+
+## Problem
+
+<!-- describe your problem -->
+
+## Proposal
+
+<!-- propose a solution (optional) -->
+
+## Checklist
+
+<!-- make sure this issue is not redundant or obsolete -->
+
+- [ ] checked [latest Nixpkgs manual] \([source][nixpkgs-source]) and [latest NixOS manual] \([source][nixos-source])
+- [ ] checked [open documentation issues] for possible duplicates
+- [ ] checked [open documentation pull requests] for possible solutions
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
+[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
+[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
+[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
+[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
+[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
+[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22

.github/ISSUE_TEMPLATE/module_request.md

@@ -0,0 +1,27 @@
+---
+name: Module requests
+about: For NixOS modules that you would like to see
+title: 'Module request: MODULENAME'
+labels: '9.needs: module (new)'
+assignees: ''
+
+---
+
+## Description
+
+<!-- Describe what the module should accomplish: -->
+
+## Notify maintainers
+
+<!-- If applicable, tag the maintainers of the package that corresponds to the module. If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
+
+-----
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/out_of_date_package_report.md

@@ -0,0 +1,42 @@
+---
+name: Out-of-date package reports
+about: For packages that are out-of-date
+title: 'Update request: PACKAGENAME OLDVERSION → NEWVERSION'
+labels: '9.needs: package (update)'
+assignees: ''
+
+---
+
+## Package Information
+
+<!-- Search for the package here: https://search.nixos.org/packages?channel=unstable -->
+
+- Package name:
+- Latest released version:
+- Current version on the unstable channel:
+- Current version on the stable/release channel:
+
+## Checklist
+
+<!--
+Type the name of your package and try to find an open pull request for the package
+If you find an open pull request, you can review it!
+There's a high chance that you'll have the new version right away while helping the community!
+-->
+
+- [ ] Checked the [nixpkgs pull requests](https://github.com/NixOS/nixpkgs/pulls)
+
+## Notify maintainers
+
+<!-- If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/packaging_request.md

@@ -0,0 +1,30 @@
+---
+name: Packaging requests
+about: For packages that are missing
+title: 'Package request: PACKAGENAME'
+labels: '0.kind: packaging request'
+assignees: ''
+
+---
+
+## Project description
+
+<!-- Describe the project a little: -->
+
+## Metadata
+
+* homepage URL:
+* source URL:
+* license: mit, bsd, gpl2+ , ...
+* platforms: unix, linux, darwin, ...
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/unreproducible_package.md

@@ -0,0 +1,104 @@
+---
+name: Unreproducible package
+about: A package that does not produce a bit-by-bit reproducible result each time it is built
+title: ''
+labels: [ '0.kind: enhancement', '6.topic: reproducible builds' ]
+assignees: ''
+
+---
+
+<!--
+Hello dear reporter,
+
+Thank you for bringing attention to this issue. Your insights are valuable to
+us, and we appreciate the time you took to document the problem.
+
+I wanted to kindly point out that in this issue template, it would be beneficial
+to replace the placeholder `<package>` with the actual, canonical name of the
+package you're reporting the issue for. Doing so will provide better context and
+facilitate quicker troubleshooting for anyone who reads this issue in the
+future.
+
+Best regards
+-->
+
+Building this package multiple times does not yield bit-by-bit identical
+results, complicating the detection of Continuous Integration (CI) breaches. For
+more information on this issue, visit
+[reproducible-builds.org](https://reproducible-builds.org/).
+
+Fixing bit-by-bit reproducibility also has additional advantages, such as
+avoiding hard-to-reproduce bugs, making content-addressed storage more effective
+and reducing rebuilds in such systems.
+
+## Steps To Reproduce
+
+In the following steps, replace `<package>` with the canonical name of the
+package.
+
+### 1. Build the package
+
+This step will build the package. Specific arguments are passed to the command
+to keep the build artifacts so we can compare them in case of differences.
+
+Execute the following command:
+
+```
+nix-build '<nixpkgs>' -A <package> && nix-build '<nixpkgs>' -A <package> --check --keep-failed
+```
+
+Or using the new command line style:
+
+```
+nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
+```
+
+### 2. Compare the build artifacts
+
+If the previous command completes successfully, no differences were found and
+there's nothing to do, builds are reproducible.
+If it terminates with the error message `error: derivation '<X>' may not be
+deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
+the discrepancies between the two build outputs. You may need to add the
+`--exclude-directory-metadata recursive` option to ignore files and directories
+metadata (*e.g. timestamp*) differences.
+
+```
+nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
+```
+
+### 3. Examine the build log
+
+To examine the build log, use:
+
+```
+nix-store --read-log $(nix-instantiate '<nixpkgs>' -A <package>)
+```
+
+Or with the new command line style:
+
+```
+nix log $(nix path-info --derivation nixpkgs#<package>)
+```
+
+## Additional context
+
+(please share the relevant fragment of the diffoscope output here, and any additional analysis you may have done)
+
+## Notify maintainers
+
+<!--
+Please @ people who are in the `meta.maintainers` list of the offending package or module.
+If in doubt, check `git blame` for whoever last touched something.
+-->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,7 +25,7 @@ For new packages please briefly describe the package or provide a link to its ho
   - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
-- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
+- [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes)
   - [ ] (Package updates) Added a release notes entry if the change is major or breaking
   - [ ] (Module updates) Added a release notes entry if the change is significant
   - [ ] (Module addition) Added a release notes entry if adding a new NixOS module

.github/dependabot.yml

@@ -4,4 +4,3 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    labels: [ ]

.github/labeler-development-branches.yml

@@ -1,23 +0,0 @@
-# This file is used by .github/workflows/labels.yml
-# This version is only run for Pull Requests from development branches like staging-next, haskell-updates or python-updates.
-
-"4.workflow: package set update":
-  - any:
-    - head-branch:
-      - '-updates$'
-
-"4.workflow: staging":
-  - any:
-    - head-branch:
-      - '^staging-next$'
-      - '^staging-next-'
-
-"6.topic: haskell":
-  - any:
-    - head-branch:
-      - '^haskell-updates$'
-
-"6.topic: python":
-  - any:
-    - head-branch:
-      - '^python-updates$'

.github/labeler-no-sync.yml

@@ -1,32 +0,0 @@
-# This file is used by .github/workflows/labels.yml
-# This version uses `sync-labels: false`, meaning that a non-match will NOT remove the label
-
-# keep-sorted start case=no numeric=yes newline_separated=yes skip_lines=1
-
-"6.topic: policy discussion":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - .github/**/*
-        - CONTRIBUTING.md
-        - pkgs/README.md
-        - nixos/README.md
-        - maintainers/README.md
-        - lib/README.md
-        - doc/README.md
-
-"8.has: documentation":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/**/*
-        - nixos/doc/**/*
-
-"backport release-24.11":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - .github/workflows/*
-        - ci/**/*.*
-
-# keep-sorted end

.github/labeler.yml

@@ -1,15 +1,3 @@
-# This file is used by .github/workflows/labels.yml
-# This version uses `sync-labels: true`, meaning that a non-match will remove the label
-
-# keep-sorted start case=no numeric=yes newline_separated=yes skip_lines=1
-
-"4.workflow: backport":
-  - any:
-    - base-branch:
-      - '^release-'
-      - '^staging-\d'
-      - '^staging-next-\d'
-
 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":
   - any:
@@ -39,7 +27,7 @@
     - changed-files:
       - any-glob-to-any-file:
         - .github/**/*
-        - ci/**/*.*
+        - ci/**/*
 
 "6.topic: coq":
   - any:
@@ -49,16 +37,6 @@
         - pkgs/development/coq-modules/**/*
         - pkgs/top-level/coq-packages.nix
 
-"6.topic: COSMIC":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/desktop-managers/cosmic.nix
-        - nixos/modules/services/display-managers/cosmic-greeter.nix
-        - nixos/tests/cosmic.nix
-        - pkgs/by-name/co/cosmic-*/**/*
-        - pkgs/by-name/xd/xdg-desktop-portal-cosmic/*
-
 "6.topic: crystal":
   - any:
     - changed-files:
@@ -198,33 +176,13 @@
   - any:
     - changed-files:
       - any-glob-to-any-file:
-        # Distributions
-        - pkgs/development/compilers/adoptopenjdk-icedtea-web/**/*
-        - pkgs/development/compilers/corretto/**/*
+        - nixos/modules/programs/java.nix
         - pkgs/development/compilers/graalvm/**/*
         - pkgs/development/compilers/openjdk/**/*
-        - pkgs/by-name/op/openjfx/**/*
-        - pkgs/development/compilers/semeru-bin/**/*
         - pkgs/development/compilers/temurin-bin/**/*
         - pkgs/development/compilers/zulu/**/*
-        # Documentation
-        - doc/languages-frameworks/java.section.md
-        # Gradle
-        - doc/languages-frameworks/gradle.section.md
-        - pkgs/development/tools/build-managers/gradle/**/*
-        - pkgs/by-name/gr/gradle-completion/**/*
-        # Maven
-        - pkgs/by-name/ma/maven/**/*
-        - doc/languages-frameworks/maven.section.md
-        # Ant
-        - pkgs/by-name/an/ant/**/*
-        # javaPackages attrset
         - pkgs/development/java-modules/**/*
         - pkgs/top-level/java-packages.nix
-        # Maintainer tooling
-        - pkgs/by-name/ni/nixpkgs-openjdk-updater/**/*
-        # Misc
-        - nixos/modules/programs/java.nix
 
 "6.topic: jitsi":
   - any:
@@ -329,23 +287,12 @@
       - any-glob-to-any-file:
         - pkgs/os-specific/linux/musl/**/*
 
-"6.topic: nim":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/nim.section.md
-        - pkgs/build-support/build-nim-package.nix
-        - pkgs/build-support/build-nim-sbom.nix
-        - pkgs/by-name/ni/nim*
-        - pkgs/top-level/nim-overrides.nix
-
 "6.topic: nixos":
   - any:
     - changed-files:
       - any-glob-to-any-file:
         - nixos/**/*
         - pkgs/by-name/sw/switch-to-configuration-ng/**/*
-        - pkgs/by-name/ni/nixos-rebuild-ng/**/*
         - pkgs/os-specific/linux/nixos-rebuild/**/*
 
 "6.topic: nixos-container":
@@ -355,6 +302,15 @@
         - nixos/modules/virtualisation/nixos-containers.nix
         - pkgs/tools/virtualization/nixos-container/**/*
 
+"6.topic: nim":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/nim.section.md
+        - pkgs/build-support/build-nim-package.nix
+        - pkgs/by-name/ni/nim*
+        - pkgs/top-level/nim-overrides.nix
+
 "6.topic: nodejs":
   - any:
     - changed-files:
@@ -409,6 +365,18 @@
         - pkgs/test/php/default.nix
         - pkgs/top-level/php-packages.nix
 
+"6.topic: policy discussion":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - .github/**/*
+        - CONTRIBUTING.md
+        - pkgs/README.md
+        - nixos/README.md
+        - maintainers/README.md
+        - lib/README.md
+        - doc/README.md
+
 "6.topic: printing":
   - any:
     - changed-files:
@@ -457,7 +425,6 @@
         - doc/languages-frameworks/ruby.section.md
         - pkgs/development/interpreters/ruby/**/*
         - pkgs/development/ruby-modules/**/*
-        - pkgs/top-level/ruby-packages.nix
 
 "6.topic: rust":
   - any:
@@ -495,11 +462,13 @@
         - pkgs/development/tcl-modules/**/*
         - pkgs/top-level/tcl-packages.nix
 
-"6.topic: teams":
+"6.topic: TeX":
   - any:
     - changed-files:
       - any-glob-to-any-file:
-          - maintainers/team-list.nix
+        - doc/languages-frameworks/texlive.section.md
+        - pkgs/test/texlive/**
+        - pkgs/tools/typesetting/tex/**/*
 
 "6.topic: testing":
   - any:
@@ -517,14 +486,6 @@
         - nixos/tests/make-test-python.nix  # legacy
         # lib/debug.nix has a test framework (runTests) but it's not the main focus
 
-"6.topic: TeX":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/texlive.section.md
-        - pkgs/test/texlive/**
-        - pkgs/tools/typesetting/tex/**/*
-
 "6.topic: updaters":
   - any:
     - changed-files:
@@ -588,16 +549,20 @@
       - any-glob-to-any-file:
         - nixos/doc/manual/release-notes/**/*
 
-"8.has: maintainer-list (update)":
+"8.has: documentation":
   - any:
     - changed-files:
       - any-glob-to-any-file:
-        - maintainers/maintainer-list.nix
+        - doc/**/*
+        - nixos/doc/**/*
 
 "8.has: module (update)":
   - any:
     - changed-files:
       - any-glob-to-any-file:
         - nixos/modules/**/*
-
-# keep-sorted end
+"8.has: maintainer-list (update)":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - maintainers/maintainer-list.nix

.github/workflows/README.md

@@ -1,20 +0,0 @@
-# GitHub Actions Workflows
-
-Some architectural notes about key decisions and concepts in our workflows:
-
-- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors.
-
-- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.
-
-- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.
-
-- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.
-
-- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.
-
-## Terminology
-
-- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`.
-- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`.
-- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
-- **target commit**: The base branch's parent of the "test merge commit" to compare against.

.github/workflows/backport.yml

@@ -1,58 +1,35 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
 # WARNING:
 # When extending this action, be aware that $GITHUB_TOKEN allows write access to
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
-name: Backport
-
-on:
-  pull_request_target:
-    types: [closed, labeled]
-
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   backport:
+    permissions:
+      contents: write # for korthout/backport-action to create branch
+      pull-requests: write # for korthout/backport-action to create PR to backport
     name: Backport Pull Request
-    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
-    runs-on: ubuntu-24.04-arm
+    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-latest
     steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-contents: write
-          permission-pull-requests: write
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-          token: ${{ steps.app-token.outputs.token }}
-
       - name: Create backport PRs
-        id: backport
-        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
+        uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
           copy_labels_pattern: 'severity:\ssecurity'
-          github_token: ${{ steps.app-token.outputs.token }}
           pull_description: |-
             Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.
 
             * [ ] Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
-              * Even as a non-committer, if you find that it is not acceptable, leave a comment.
-
-      - name: "Add 'has: port to stable' label"
-        if: steps.backport.outputs.created_pull_numbers != ''
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-        run: |
-          gh api \
-            --method POST \
-            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            -f "labels[]=8.has: port to stable"
+              * Even as a non-commiter, if you find that it is not acceptable, leave a comment.

.github/workflows/basic-eval.yml

@@ -0,0 +1,31 @@
+name: Basic evaluation checks
+
+on:
+  workflow_dispatch
+  # pull_request:
+  #   branches:
+  #    - master
+  #    - release-**
+  # push:
+  #   branches:
+  #    - master
+  #    - release-**
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    name: basic-eval-checks
+    runs-on: ubuntu-latest
+    # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      with:
+        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+        name: nixpkgs-ci
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+    - run: nix --experimental-features 'nix-command flakes' flake check --all-systems --no-build
+    # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset
+    - run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin"  ]'

.github/workflows/check-cherry-picks.yml

@@ -1,30 +1,26 @@
 name: "Check cherry-picks"
-
 on:
-  pull_request:
-    paths:
-      - .github/workflows/check-cherry-picks.yml
   pull_request_target:
     branches:
-      - 'release-**'
-      - 'staging-**'
-      - '!staging-next'
+     - 'release-**'
+     - 'staging-**'
+     - '!staging-next'
 
 permissions: {}
 
 jobs:
   check:
     name: cherry-pick-check
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          filter: blob:none
-
-      - name: Check cherry-picks
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        run: |
-          ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        fetch-depth: 0
+        filter: blob:none
+    - name: Check cherry-picks
+      env:
+        BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      run: |
+        ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"

.github/workflows/check-format.yml

@@ -1,43 +0,0 @@
-name: Check that files are formatted
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/check-format.yml
-  pull_request_target:
-
-permissions: {}
-
-jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
-  nixos:
-    name: fmt-check
-    runs-on: ubuntu-24.04-arm
-    needs: get-merge-commit
-    if: needs.get-merge-commit.outputs.mergedSha
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Check that files are formatted
-        run: |
-          # Note that it's fine to run this on untrusted code because:
-          # - There's no secrets accessible here
-          # - The build is sandboxed
-          if ! nix-build ci -A fmt.check; then
-            echo "Some files are not properly formatted"
-            echo "Please format them by going to the Nixpkgs root directory and running one of:"
-            echo "  nix-shell --run treefmt"
-            echo "  nix develop --command treefmt"
-            echo "  nix fmt"
-            echo "Make sure your branch is up to date with master; rebase if not."
-            echo "If you're having trouble, please ping @NixOS/nix-formatting"
-            exit 1
-          fi

.github/workflows/check-maintainers-sorted.yaml

@@ -0,0 +1,29 @@
+name: "Check that maintainer list is sorted"
+
+on:
+  pull_request_target:
+    paths:
+      - 'maintainers/maintainer-list.nix'
+permissions:
+  contents: read
+
+jobs:
+  nixos:
+    name: maintainer-list-check
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          # Only these directories to perform the check
+          sparse-checkout: |
+            lib
+            maintainers
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - name: Check that maintainer-list.nix is sorted
+        run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix

.github/workflows/check-nix-format.yml

@@ -0,0 +1,90 @@
+# This file was copied mostly from check-maintainers-sorted.yaml.
+# NOTE: Formatting with the RFC-style nixfmt command is not yet stable. See
+# https://github.com/NixOS/rfcs/pull/166.
+# Because of this, this action is not yet enabled for all files -- only for
+# those who have opted in.
+name: Check that Nix files are formatted
+
+on:
+  pull_request_target:
+    # See the comment at the same location in ./nixpkgs-vet.yml
+    types: [opened, synchronize, reopened, edited]
+permissions:
+  contents: read
+
+jobs:
+  nixos:
+    name: nixfmt-check
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Checking out base branch
+        run: |
+          base=$(mktemp -d)
+          baseRev=$(git rev-parse HEAD^1)
+          git worktree add "$base" "$baseRev"
+          echo "baseRev=$baseRev" >> "$GITHUB_ENV"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - name: Get Nixpkgs revision for nixfmt
+        run: |
+          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
+          # from staging
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+          nix_path: nixpkgs=${{ env.url }}
+      - name: Install nixfmt
+        run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
+      - name: Check that Nix files are formatted according to the RFC style
+        run: |
+          unformattedFiles=()
+
+          # TODO: Make this more parallel
+
+          # Loop through all Nix files touched by the PR
+          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
+            type=${entry[0]}
+            file=${entry[1]}
+            case $type in
+              A*)
+                source=""
+                dest=$file
+                ;;
+              M*)
+                source=$file
+                dest=$file
+                ;;
+              C*|R*)
+                source=$file
+                read -r -d '' dest
+                ;;
+              *)
+                echo "Ignoring file $file with type $type"
+                continue
+            esac
+
+            # Ignore files that weren't already formatted
+            if [[ -n "$source" ]] && ! nixfmt --check ${{ env.base }}/"$source" 2>/dev/null; then
+              echo "Ignoring file $file because it's not formatted in the base commit"
+            elif ! nixfmt --check "$dest"; then
+              unformattedFiles+=("$dest")
+            fi
+          done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix')
+
+          if (( "${#unformattedFiles[@]}" > 0 )); then
+            echo "Some new/changed Nix files are not properly formatted"
+            echo "Please go to the Nixpkgs root directory, run \`nix-shell\`, then:"
+            echo "nixfmt ${unformattedFiles[*]@Q}"
+            echo "If you're having trouble, please ping @NixOS/nix-formatting"
+            exit 1
+          fi

.github/workflows/check-nixf-tidy.yml

@@ -0,0 +1,129 @@
+name: Check changed Nix files with nixf-tidy (experimental)
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, edited]
+permissions:
+  contents: read
+
+jobs:
+  nixos:
+    name: exp-nixf-tidy-check
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Checking out base branch
+        run: |
+          base=$(mktemp -d)
+          baseRev=$(git rev-parse HEAD^1)
+          git worktree add "$base" "$baseRev"
+          echo "baseRev=$baseRev" >> "$GITHUB_ENV"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - name: Get Nixpkgs revision for nixf
+        run: |
+          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
+          # from staging
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+          nix_path: nixpkgs=${{ env.url }}
+      - name: Install nixf and jq
+        # provided jq is incompatible with our expression
+        run: "nix-env -f '<nixpkgs>' -iAP nixf jq"
+      - name: Check that Nix files pass nixf-tidy
+        run: |
+          # Filtering error messages we don't like
+          nixf_wrapper(){
+            nixf-tidy --variable-lookup < "$1" | jq -r '
+              [
+                "sema-escaping-with"
+              ]
+              as $ignored_errors|[.[]|select(.sname as $s|$ignored_errors|index($s)|not)]
+            '
+          }
+
+          failedFiles=()
+
+          # Don't report errors to file overview
+          # to avoid duplicates when editing title and description
+          if [[ "${{ github.event.action }}" == 'edited' ]] && [[ -z "${{ github.event.edited.changes.base }}" ]]; then
+            DONT_REPORT_ERROR=1
+          else
+            DONT_REPORT_ERROR=
+          fi
+          # TODO: Make this more parallel
+
+          # Loop through all Nix files touched by the PR
+          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
+            type=${entry[0]}
+            file=${entry[1]}
+            case $type in
+              A*)
+                source=""
+                dest=$file
+                ;;
+              M*)
+                source=$file
+                dest=$file
+                ;;
+              C*|R*)
+                source=$file
+                read -r -d '' dest
+                ;;
+              *)
+                echo "Ignoring file $file with type $type"
+                continue
+            esac
+
+            if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.base }}/"$source")" != '[]' ]] 2>/dev/null; then
+              echo "Ignoring file $file because it doesn't pass nixf-tidy in the base commit"
+              echo # insert blank line
+            else
+              nixf_report="$(nixf_wrapper "$dest")"
+              if [[ "$nixf_report" != '[]' ]]; then
+                echo "$dest doesn't pass nixf-tidy. Reported by nixf-tidy:"
+                errors=$(echo "$nixf_report" | jq -r --arg dest "$dest" '
+                  def getLCur: "line=" + (.line+1|tostring) + ",col=" + (.column|tostring);
+                  def getRCur: "endLine=" + (.line+1|tostring) + ",endColumn=" + (.column|tostring);
+                  def getRange: "file=\($dest)," + (.lCur|getLCur) + "," + (.rCur|getRCur);
+                  def getBody: . as $top|(.range|getRange) + ",title="+ .sname + "::" +
+                    (.message|sub("{}" ; ($top.args.[]|tostring)));
+                  def getNote: "\n::notice " + (.|getBody);
+                  def getMessage: "::error " + (.|getBody) + (if (.notes|length)>0 then
+                    ([.notes.[]|getNote]|add) else "" end);
+                  .[]|getMessage
+                ')
+                if [[ -z "$DONT_REPORT_ERROR" ]]; then
+                  echo "$errors"
+                else
+                  # just print in plain text
+                  echo "$errors" | sed 's/^:://'
+                  echo # add one empty line
+                fi
+                failedFiles+=("$dest")
+              fi
+            fi
+          done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix')
+
+          if [[ -n "$DONT_REPORT_ERROR" ]]; then
+            echo "Edited the PR but didn't change the base branch, only the description/title."
+            echo "Not reporting errors again to avoid duplication."
+            echo # add one empty line
+          fi
+
+          if (( "${#failedFiles[@]}" > 0 )); then
+            echo "Some new/changed Nix files don't pass nixf-tidy."
+            echo "See ${{ github.event.pull_request.html_url }}/files for reported errors."
+            echo "If you believe this is a false positive, ping @Aleksanaa and @inclyc in this PR."
+            exit 1
+          fi

.github/workflows/check-shell.yml

@@ -1,40 +1,31 @@
 name: "Check shell"
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/check-shell.yml
   pull_request_target:
-    paths:
-      - 'shell.nix'
-      - 'ci/**'
 
 permissions: {}
 
 jobs:
-  shell-check:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            system: x86_64-linux
-          - runner: ubuntu-24.04-arm
-            system: aarch64-linux
-          - runner: macos-13
-            system: x86_64-darwin
-          - runner: macos-14
-            system: aarch64-darwin
-
-    name: shell-check-${{ matrix.system }}
-    runs-on: ${{ matrix.runner }}
-
+  x86_64-linux:
+    name: shell-check-x86_64-linux
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       - name: Build shell
-        run: nix-build ci -A shell
+        run: nix-build shell.nix
+
+  aarch64-darwin:
+    name: shell-check-aarch64-darwin
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - name: Build shell
+        run: nix-build shell.nix

.github/workflows/codeowners-v2.yml

@@ -1,3 +1,5 @@
+name: Codeowners v2
+
 # This workflow depends on two GitHub Apps with the following permissions:
 # - For checking code owners:
 #   - Permissions:
@@ -17,18 +19,12 @@
 #
 # This split is done because checking code owners requires handling untrusted PR input,
 # while requesting code owners requires PR write access, and those shouldn't be mixed.
-#
-# Note that the latter is also used for ./eval.yml requesting reviewers.
-
-name: Codeowners v2
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/codeowners-v2.yml
   pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
+    types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
 permissions: {}
 
 env:
@@ -37,87 +33,72 @@ env:
   DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
 
 jobs:
-  get-merge-commit:
-    if: github.repository_owner == 'NixOS'
-    uses: ./.github/workflows/get-merge-commit.yml
-
   # Check that code owners is valid
   check:
     name: Check
-    runs-on: ubuntu-24.04-arm
-    needs: get-merge-commit
-    if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
+    runs-on: ubuntu-latest
     steps:
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
-        with:
-          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-          name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      if: github.repository_owner == 'NixOS'
+      with:
+        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+        name: nixpkgs-ci
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
-      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
-      # We later build and run code from the base branch with access to secrets,
-      # so it's important this is not the PRs code.
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: base
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+    # We later build and run code from the base branch with access to secrets,
+    # so it's important this is not the PRs code.
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        path: base
 
-      - name: Build codeowners validator
-        run: nix-build base/ci -A codeownersValidator
+    - name: Build codeowners validator
+      run: nix-build base/ci -A codeownersValidator
 
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_RO_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_RO_APP_ID }}
-          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_RO_APP_ID }}
+        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-          path: pr
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: refs/pull/${{ github.event.number }}/merge
+        path: pr
 
-      - name: Validate codeowners
-        if: steps.app-token.outputs.token
-        run: result/bin/codeowners-validator
-        env:
-          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
-          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: pr
-          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
-          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
-          EXPERIMENTAL_CHECKS: "avoid-shadowing"
+    - name: Validate codeowners
+      run: result/bin/codeowners-validator
+      env:
+        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        REPOSITORY_PATH: pr
+        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+        EXPERIMENTAL_CHECKS: "avoid-shadowing"
 
   # Request reviews from code owners
   request:
     name: Request
-    runs-on: ubuntu-24.04-arm
-    if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
     steps:
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
-      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
-      # This is intentional, because we need to request the review of owners as declared in the base branch.
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
+    # This is intentional, because we need to request the review of owners as declared in the base branch.
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
 
-      - name: Build review request package
-        run: nix-build ci -A requestReviews
+    - name: Build review request package
+      run: nix-build ci -A requestReviews
 
-      - name: Request reviews
-        if: steps.app-token.outputs.token
-        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+    - name: Request reviews
+      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+      env:
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/edited.yml

@@ -1,49 +0,0 @@
-# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-# Instead it causes an `edited` event.
-# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
-# There are already feature requests for adding a `base_changed` event:
-# - https://github.com/orgs/community/discussions/35058
-# - https://github.com/orgs/community/discussions/64119
-#
-# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
-# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
-# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
-# This is much simpler and reliable than other approaches.
-
-name: "Edited base branch"
-
-on:
-  pull_request_target:
-    types: [edited]
-
-permissions: {}
-
-jobs:
-  base:
-    name: Trigger jobs
-    runs-on: ubuntu-24.04
-    if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-        run: |
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=closed"
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=open"

.github/workflows/editorconfig-v2.yml

@@ -0,0 +1,44 @@
+name: "Checking EditorConfig v2"
+
+permissions:
+  pull-requests: read
+  contents: read
+
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+
+jobs:
+  tests:
+    name: editorconfig-check
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq '.[] | select(.status != "removed") | .filename' \
+          > "$HOME/changed_files"
+    - name: print list of changed files
+      run: |
+        cat "$HOME/changed_files"
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      with:
+        # nixpkgs commit is pinned so that it doesn't break
+        # editorconfig-checker 2.4.0
+        nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
+    - name: Checking EditorConfig
+      run: |
+        cat "$HOME/changed_files" | nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'
+    - if: ${{ failure() }}
+      run: |
+        echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."

.github/workflows/eval-aliases.yml

@@ -1,36 +0,0 @@
-name: Eval aliases
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/eval-aliases.yml
-  pull_request_target:
-
-permissions: {}
-
-jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
-  eval-aliases:
-    name: Eval nixpkgs with aliases enabled
-    runs-on: ubuntu-24.04-arm
-    needs: [ get-merge-commit ]
-    steps:
-      - name: Check out the PR at the test merge commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-          path: nixpkgs
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Ensure flake outputs on all systems still evaluate
-        run: nix flake check --all-systems --no-build ./nixpkgs
-
-      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
-        run: |
-          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null

.github/workflows/eval.yml

@@ -1,284 +0,0 @@
-name: Eval
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/eval.yml
-  pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
-  push:
-    # Keep this synced with ci/request-reviews/dev-branches.txt
-    branches:
-      - master
-      - staging
-      - release-*
-      - staging-*
-      - haskell-updates
-      - python-updates
-
-permissions: {}
-
-jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
-  outpaths:
-    name: Outpaths
-    runs-on: ubuntu-24.04-arm
-    needs: [ get-merge-commit ]
-    strategy:
-      fail-fast: false
-      matrix:
-        system: ${{ fromJSON(needs.get-merge-commit.outputs.systems) }}
-    steps:
-      - name: Enable swap
-        run: |
-          sudo fallocate -l 10G /swap
-          sudo chmod 600 /swap
-          sudo mkswap /swap
-          sudo swapon /swap
-
-      - name: Check out the PR at the test merge commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-          path: nixpkgs
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build nixpkgs/ci -A eval.singleSystem \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --arg chunkSize 10000
-          # If it uses too much memory, slightly decrease chunkSize
-
-      - name: Upload the output paths and eval stats
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: intermediate-${{ matrix.system }}
-          path: result/*
-
-  process:
-    name: Process
-    runs-on: ubuntu-24.04-arm
-    needs: [ outpaths, get-merge-commit ]
-    outputs:
-      targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
-    steps:
-      - name: Download output paths and eval stats for all systems
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: intermediate-*
-          path: intermediate
-
-      - name: Check out the PR at the test merge commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-          fetch-depth: 2
-          path: nixpkgs
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Combine all output paths and eval stats
-        run: |
-          nix-build nixpkgs/ci -A eval.combine \
-            --arg resultsDir ./intermediate \
-            -o prResult
-
-      - name: Upload the combined results
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: result
-          path: prResult/*
-
-      - name: Get target run id
-        if: needs.get-merge-commit.outputs.targetSha
-        id: targetRunId
-        run: |
-          # Get the latest eval.yml workflow run for the PR's target commit
-          if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
-            -f head_sha="$TARGET_SHA" -f event=push \
-            --jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \
-            || [[ -z "$run" ]]; then
-            echo "Could not find an eval.yml workflow run for $TARGET_SHA, cannot make comparison"
-            exit 1
-          fi
-          echo "Comparing against $(jq .html_url <<< "$run")"
-          runId=$(jq .id <<< "$run")
-          conclusion=$(jq -r .conclusion <<< "$run")
-
-          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
-            echo "Workflow not done, waiting 10 seconds before checking again"
-            sleep 10
-            conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
-          done
-
-          if [[ "$conclusion" != "success" ]]; then
-            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
-            exit 1
-          fi
-
-          echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
-        env:
-          REPOSITORY: ${{ github.repository }}
-          TARGET_SHA: ${{ needs.get-merge-commit.outputs.targetSha }}
-          GH_TOKEN: ${{ github.token }}
-
-      - uses: actions/download-artifact@v4
-        if: steps.targetRunId.outputs.targetRunId
-        with:
-          name: result
-          path: targetResult
-          github-token: ${{ github.token }}
-          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
-
-      - name: Compare against the target branch
-        if: steps.targetRunId.outputs.targetRunId
-        run: |
-          git -C nixpkgs worktree add ../target ${{ needs.get-merge-commit.outputs.targetSha }}
-          git -C nixpkgs diff --name-only ${{ needs.get-merge-commit.outputs.targetSha }} \
-            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
-
-          # Use the target branch to get accurate maintainer info
-          nix-build target/ci -A eval.compare \
-            --arg beforeResultDir ./targetResult \
-            --arg afterResultDir "$(realpath prResult)" \
-            --arg touchedFilesJson ./touched-files.json \
-            --argstr githubAuthorId "$AUTHOR_ID" \
-            -o comparison
-
-          cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
-        env:
-          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
-
-      - name: Upload the combined results
-        if: steps.targetRunId.outputs.targetRunId
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: comparison
-          path: comparison/*
-
-  # Separate job to have a very tightly scoped PR write token
-  tag:
-    name: Tag
-    runs-on: ubuntu-24.04-arm
-    needs: [ get-merge-commit, process ]
-    if: needs.process.outputs.targetRunId
-    permissions:
-      pull-requests: write
-      statuses: write
-    steps:
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-      - name: Download process result
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: comparison
-          path: comparison
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-
-      # Important: This workflow job runs with extra permissions,
-      # so we need to make sure to not run untrusted code from PRs
-      - name: Check out Nixpkgs at the base commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.targetSha }}
-          path: base
-          sparse-checkout: ci
-
-      - name: Build the requestReviews derivation
-        run: nix-build base/ci -A requestReviews
-
-      - name: Labelling pull request
-        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
-        run: |
-          # Get all currently set labels that we manage
-          gh api \
-            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            --jq '.[].name | select(startswith("10.rebuild") or . == "11.by: package-maintainer")' \
-            | sort > before
-
-          # And the labels that should be there
-          jq -r '.labels[]' comparison/changed-paths.json \
-            | sort > after
-
-          # Remove the ones not needed anymore
-          while read -r toRemove; do
-            echo "Removing label $toRemove"
-            gh api \
-              --method DELETE \
-              /repos/"$REPOSITORY"/issues/"$NUMBER"/labels/"$toRemove"
-          done < <(comm -23 before after)
-
-          # And add the ones that aren't set already
-          while read -r toAdd; do
-            echo "Adding label $toAdd"
-            gh api \
-              --method POST \
-              /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-              -f "labels[]=$toAdd"
-          done < <(comm -13 before after)
-
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-
-      - name: Add eval summary to commit statuses
-        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
-        run: |
-          description=$(jq -r '
-          "Package: added " + (.attrdiff.added | length | tostring) +
-          ", removed " + (.attrdiff.removed | length | tostring) +
-          ", changed " + (.attrdiff.changed | length | tostring) +
-          ", Rebuild: linux " + (.rebuildCountByKernel.linux | tostring) +
-          ", darwin " + (.rebuildCountByKernel.darwin | tostring)
-          ' <comparison/changed-paths.json)
-          target_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID?pr=$NUMBER"
-          gh api --method POST \
-            -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
-            -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          NUMBER: ${{ github.event.number }}
-
-      - name: Requesting maintainer reviews
-        if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
-        run: |
-          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
-          # There appears to be no API to request reviews based on GitHub IDs
-          jq -r 'keys[]' comparison/maintainers.json \
-            | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
-
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-          # Don't request reviewers on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

.github/workflows/get-merge-commit.yml

@@ -1,58 +0,0 @@
-name: Get merge commit
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/get-merge-commit.yml
-  workflow_call:
-    outputs:
-      mergedSha:
-        description: "The merge commit SHA"
-        value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
-      targetSha:
-        description: "The target commit SHA"
-        value: ${{ jobs.resolve-merge-commit.outputs.targetSha }}
-      systems:
-        description: "The supported systems"
-        value: ${{ jobs.resolve-merge-commit.outputs.systems }}
-
-permissions: {}
-
-jobs:
-  resolve-merge-commit:
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      mergedSha: ${{ steps.merged.outputs.mergedSha }}
-      targetSha: ${{ steps.merged.outputs.targetSha }}
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: base
-          sparse-checkout: ci
-
-      - name: Check if the PR can be merged and get the test merge commit
-        id: merged
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_EVENT: ${{ github.event_name }}
-        run: |
-          case "$GH_EVENT" in
-            push)
-              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-              ;;
-            pull_request*)
-              if commits=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-                echo -e "Checking the commits:\n$commits"
-                echo "$commits" >> "$GITHUB_OUTPUT"
-              else
-                # Skipping so that no notifications are sent
-                echo "Skipping the rest..."
-              fi
-              ;;
-          esac
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <base/ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"

.github/workflows/labels.yml

@@ -1,12 +1,13 @@
-# WARNING:
-# When extending this action, be aware that $GITHUB_TOKEN allows some write
-# access to the GitHub API. This means that it should not evaluate user input in
-# a way that allows code injection.
-
 name: "Label PR"
 
 on:
   pull_request_target:
+    types: [edited, opened, synchronize, reopened]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows some write
+# access to the GitHub API. This means that it should not evaluate user input in
+# a way that allows code injection.
 
 permissions:
   contents: read
@@ -15,45 +16,10 @@ permissions:
 jobs:
   labels:
     name: label-pr
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
     if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        if: |
-          github.event.pull_request.head.repo.owner.login != 'NixOS' || !(
-            github.head_ref == 'haskell-updates' ||
-            github.head_ref == 'python-updates' ||
-            github.head_ref == 'staging-next' ||
-            startsWith(github.head_ref, 'staging-next-')
-          )
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          configuration-path: .github/labeler.yml # default
-          sync-labels: true
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        if: |
-          github.event.pull_request.head.repo.owner.login != 'NixOS' || !(
-            github.head_ref == 'haskell-updates' ||
-            github.head_ref == 'python-updates' ||
-            github.head_ref == 'staging-next' ||
-            startsWith(github.head_ref, 'staging-next-')
-          )
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          configuration-path: .github/labeler-no-sync.yml
-          sync-labels: false
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        # Development branches like staging-next, haskell-updates and python-updates get special labels.
-        # This is to avoid the mass of labels there, which is mostly useless - and really annoying for
-        # the backport labels.
-        if: |
-          github.event.pull_request.head.repo.owner.login == 'NixOS' && (
-            github.head_ref == 'haskell-updates' ||
-            github.head_ref == 'python-updates' ||
-            github.head_ref == 'staging-next' ||
-            startsWith(github.head_ref, 'staging-next-')
-          )
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          configuration-path: .github/labeler-development-branches.yml
-          sync-labels: true
+    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: true

.github/workflows/lib-tests.yml

@@ -1,34 +0,0 @@
-name: "Building Nixpkgs lib-tests"
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/lib-tests.yml
-  pull_request_target:
-    paths:
-      - 'lib/**'
-      - 'maintainers/**'
-
-permissions: {}
-
-jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
-  nixpkgs-lib-tests:
-    name: nixpkgs-lib-tests
-    runs-on: ubuntu-24.04
-    needs: get-merge-commit
-    if: needs.get-merge-commit.outputs.mergedSha
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Building Nixpkgs lib-tests
-        run: |
-          nix-build ci -A lib-tests

.github/workflows/manual-nixos-v2.yml

@@ -1,58 +1,33 @@
 name: "Build NixOS manual v2"
 
+permissions:
+  contents: read
+
 on:
-  pull_request:
-    paths:
-      - .github/workflows/manual-nixos-v2.yml
   pull_request_target:
     branches:
       - master
     paths:
-      - "nixos/**"
-      # Also build when the nixpkgs doc changed, since we take things like
-      # the release notes and some css and js files from there.
-      # See nixos/doc/manual/default.nix
-      - "doc/**"
-      # Build when something in lib changes
-      # Since the lib functions are used to 'massage' the options before producing the manual
-      - "lib/**"
-
-permissions: {}
+      - 'nixos/**'
 
 jobs:
   nixos:
     name: nixos-manual-build
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            system: x86_64-linux
-          - runner: ubuntu-24.04-arm
-            system: aarch64-linux
-    runs-on: ${{ matrix.runner }}
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
+          # explicitly enable sandbox
           extra_nix_config: sandbox = true
-
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
-          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
-
-      - name: Build NixOS manual
-        id: build-manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixos --argstr system ${{ matrix.system }}
-
-      - name: Upload NixOS manual
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: nixos-manual-${{ matrix.system }}
-          path: result/
-          if-no-files-found: error
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - name: Building NixOS manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixpkgs-v2.yml

@@ -1,37 +1,35 @@
 name: "Build Nixpkgs manual v2"
 
+permissions:
+  contents: read
+
 on:
-  pull_request:
-    paths:
-      - .github/workflows/manual-nixpkgs-v2.yml
   pull_request_target:
     branches:
       - master
     paths:
       - 'doc/**'
       - 'lib/**'
-      - 'pkgs/by-name/ni/nixdoc/**'
-
-permissions: {}
+      - 'pkgs/tools/nix/nixdoc/**'
 
 jobs:
   nixpkgs:
     name: nixpkgs-manual-build
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
+          # explicitly enable sandbox
           extra_nix_config: sandbox = true
-
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-
       - name: Building Nixpkgs manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixpkgs -A manual-nixpkgs-tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests

.github/workflows/nix-parse-v2.yml

@@ -1,33 +1,45 @@
 name: "Check whether nix files are parseable v2"
 
-on:
-  pull_request:
-    paths:
-      - .github/workflows/nix-parse-v2.yml
-  pull_request_target:
+permissions:
+  pull-requests: read
+  contents: read
 
-permissions: {}
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
 
 jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
   tests:
     name: nix-files-parseable-check
-    runs-on: ubuntu-24.04-arm
-    needs: get-merge-commit
-    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-          nix_path: nixpkgs=channel:nixpkgs-unstable
-
-      - name: Parse all nix files
-        run: |
-          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
-          nix-build ci -A parse --keep-going
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
+          > "$HOME/changed_files"
+        if [[ -s "$HOME/changed_files" ]]; then
+          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
+        fi
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      with:
+        nix_path: nixpkgs=channel:nixpkgs-unstable
+    - name: Parse all changed or added nix files
+      run: |
+        ret=0
+        while IFS= read -r file; do
+          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
+        done < "$HOME/changed_files"
+        exit "$ret"
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}

.github/workflows/nixpkgs-vet.yml

@@ -2,14 +2,16 @@
 # Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
 # When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
 # See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
-
 name: Vet nixpkgs
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/nixpkgs-vet.yml
+  # Using pull_request_target instead of pull_request avoids having to approve first time contributors.
   pull_request_target:
+    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here.
+    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
+    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
+    types: [opened, synchronize, reopened, edited]
 
 permissions: {}
 
@@ -17,33 +19,46 @@ permissions: {}
 # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
 
 jobs:
-  get-merge-commit:
-    uses: ./.github/workflows/get-merge-commit.yml
-
   check:
     name: nixpkgs-vet
     # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
     timeout-minutes: 10
-    needs: get-merge-commit
-    if: needs.get-merge-commit.outputs.mergedSha
     steps:
+      # This checks out the base branch because of pull_request_target
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: base
+          sparse-checkout: ci
+      - name: Resolving the merge commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+            echo "Checking the merge commit $mergedSha"
+            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
+          else
+            echo "Skipping the rest..."
+          fi
+          rm -rf base
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        if: env.mergedSha
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ env.mergedSha }}
           # Fetches the merge commit and its parents
           fetch-depth: 2
-
-      - name: Checking out target branch
+      - name: Checking out base branch
+        if: env.mergedSha
         run: |
-          target=$(mktemp -d)
-          git worktree add "$target" "$(git rev-parse HEAD^1)"
-          echo "target=$target" >> "$GITHUB_ENV"
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-
+          base=$(mktemp -d)
+          git worktree add "$base" "$(git rev-parse HEAD^1)"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        if: env.mergedSha
       - name: Fetching the pinned tool
+        if: env.mergedSha
         # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
         run: |
           # The pinned version of the tooling to use.
@@ -55,13 +70,13 @@ jobs:
 
           # Adds a result symlink as a GC root.
           nix-store --realise "$toolPath" --add-root result
-
       - name: Running nixpkgs-vet
+        if: env.mergedSha
         env:
           # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
           CLICOLOR_FORCE: 1
         run: |
-          if result/bin/nixpkgs-vet --base "$target" .; then
+          if result/bin/nixpkgs-vet --base "$base" .; then
             exit 0
           else
             exitCode=$?

.github/workflows/no-channel.yml

@@ -2,25 +2,25 @@ name: "No channel PR"
 
 on:
   pull_request:
-    paths:
-      - .github/workflows/no-channel.yml
-  pull_request_target:
+    branches:
+      - 'nixos-**'
+      - 'nixpkgs-**'
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   fail:
-    if: |
-      startsWith(github.event.pull_request.base.ref, 'nixos-') ||
-      startsWith(github.event.pull_request.base.ref, 'nixpkgs-')
-    name: "This PR is targeting a channel branch"
-    runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: none
+    name: "This PR is is targeting a channel branch"
+    runs-on: ubuntu-latest
     steps:
-      - run: |
-          cat <<EOF
-          The nixos-* and nixpkgs-* branches are pushed to by the channel
-          release script and should not be merged into directly.
+    - run: |
+        cat <<EOF
+        The nixos-* and nixpkgs-* branches are pushed to by the channel
+        release script and should not be merged into directly.
 
-          Please target the equivalent release-* branch or master instead.
-          EOF
-          exit 1
+        Please target the equivalent release-* branch or master instead.
+        EOF
+        exit 1

.github/workflows/ofborg-pending.yml

@@ -0,0 +1,34 @@
+name: "Set pending OfBorg status"
+on:
+  pull_request_target:
+
+# Sets the ofborg-eval status to "pending" to signal that we are waiting for
+# OfBorg even if it is running late. The status will be overwritten by OfBorg
+# once it starts evaluation.
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows (restricted) write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
+permissions:
+  contents: read
+
+jobs:
+  action:
+    name: set-ofborg-pending
+    if: github.repository_owner == 'NixOS'
+    permissions:
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Set pending OfBorg status"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        curl \
+          -X POST \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -d '{"context": "ofborg-eval", "state": "pending", "description": "Waiting for OfBorg..."}' \
+          "https://api.github.com/repos/NixOS/nixpkgs/commits/${{ github.event.pull_request.head.sha }}/statuses"

.github/workflows/periodic-merge-24h.yml

@@ -7,6 +7,7 @@
 
 name: "Periodic Merges (24h)"
 
+
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
@@ -14,11 +15,16 @@ on:
     - cron:  '0 0 * * *'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -27,20 +33,28 @@ jobs:
       max-parallel: 1
       matrix:
         pairs:
-          - from: release-24.11
-            into: staging-next-24.11
-          - from: staging-next-24.11
-            into: staging-24.11
           - from: master
-            into: staging-next-25.05
-          - from: staging-next-25.05
-            into: staging-25.05
-          - name: merge-base(master,staging) → haskell-updates
-            from: master staging
             into: haskell-updates
-    uses: ./.github/workflows/periodic-merge.yml
-    with:
-      from: ${{ matrix.pairs.from }}
-      into: ${{ matrix.pairs.into }}
-    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+          - from: release-24.05
+            into: staging-next-24.05
+          - from: staging-next-24.05
+            into: staging-24.05
+    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        with:
+          type: now
+          from_branch: ${{ matrix.pairs.from }}
+          target_branch: ${{ matrix.pairs.into }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

.github/workflows/periodic-merge-6h.yml

@@ -7,6 +7,7 @@
 
 name: "Periodic Merges (6h)"
 
+
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
@@ -14,11 +15,16 @@ on:
     - cron:  '0 */6 * * *'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -31,9 +37,22 @@ jobs:
             into: staging-next
           - from: staging-next
             into: staging
-    uses: ./.github/workflows/periodic-merge.yml
-    with:
-      from: ${{ matrix.pairs.from }}
-      into: ${{ matrix.pairs.into }}
-    name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        with:
+          type: now
+          from_branch: ${{ matrix.pairs.from }}
+          target_branch: ${{ matrix.pairs.into }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

.github/workflows/periodic-merge.yml

@@ -1,59 +0,0 @@
-name: "Merge"
-
-on:
-  workflow_call:
-    inputs:
-      from:
-        description: Branch to merge into target branch. Can also be two branches separated by space to find the merge base between them.
-        required: true
-        type: string
-      into:
-        description: Target branch to merge into.
-        required: true
-        type: string
-
-jobs:
-  merge:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-contents: write
-          permission-pull-requests: write
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Find merge base between two branches
-        if: contains(inputs.from, ' ')
-        id: merge_base
-        env:
-          branches: ${{ inputs.from }}
-        run: |
-          # turn into bash array, split on space
-          read -ra branches <<< "$branches"
-          git fetch --shallow-since="1 month ago" origin "${branches[@]}"
-          merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")"
-          echo "Found merge base: $merge_base" >&2
-          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
-
-      - name: ${{ inputs.from }} → ${{ inputs.into }}
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
-        with:
-          type: now
-          from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }}
-          target_branch: ${{ inputs.into }}
-          github_token: ${{ steps.app-token.outputs.token }}
-
-      - name: Comment on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-        if: ${{ failure() }}
-        with:
-          issue-number: 105153
-          body: |
-            Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
-          token: ${{ steps.app-token.outputs.token }}

.gitignore

@@ -33,10 +33,6 @@ __pycache__
 
 # generated by pkgs/common-updater/update-script.nix
 update-git-commits.txt
-/*.log
 
 # JetBrains IDEA module declaration file
 /nixpkgs.iml
-
-# Usually used for manual backports
-.worktree/

.mailmap

@@ -5,20 +5,15 @@ Christina Sørensen <christina@cafkafk.com>
 Christina Sørensen <christina@cafkafk.com> <christinaafk@gmail.com>
 Christina Sørensen <christina@cafkafk.com> <89321978+cafkafk@users.noreply.github.com>
 Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
-Ethan Carter Edwards <ethan@ethancedwards.com> Ethan Edwards <ethancarteredwards@gmail.com>
 Fabian Affolter <mail@fabian-affolter.ch> <fabian@affolter-engineering.ch>
 Fiona Behrens <me@kloenk.dev>
 Fiona Behrens <me@kloenk.dev> <me@kloenk.de>
 goatastronaut0212 <goatastronaut0212@outlook.com> <goatastronaut0212@proton.me>
 Janne Heß <janne@hess.ooo> <dasJ@users.noreply.github.com>
-jopejoe1 <nixpkgs@missing.ninja>
-jopejoe1 <nixpkgs@missing.ninja> <johannes@joens.email>
-jopejoe1 <nixpkgs@missing.ninja> <34899572+jopejoe1@users.noreply.github.com>
 Jörg Thalheim <joerg@thalheim.io> <Mic92@users.noreply.github.com>
 Lin Jian <me@linj.tech> <linj.dev@outlook.com>
 Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>
 Martin Weinelt <hexa@darmstadt.ccc.de> <mweinelt@users.noreply.github.com>
-moni <lythe1107@gmail.com> <lythe1107@icloud.com>
 R. RyanTM <ryantm-bot@ryantm.com>
 Robert Hensing <robert@roberthensing.nl> <roberth@users.noreply.github.com>
 Sandro Jäckel <sandro.jaeckel@gmail.com>

.mergify.yml

@@ -1,21 +0,0 @@
-queue_rules:
-  # This rule is for https://docs.mergify.com/commands/queue/
-  # and can be triggered with: @mergifyio queue
-  - name: default
-    merge_conditions:
-      # all github action checks in this list are required to merge a pull request
-      - check-success=Attributes
-      - check-success=Check
-      - check-success=Outpaths (aarch64-darwin)
-      - check-success=Outpaths (aarch64-linux)
-      - check-success=Outpaths (x86_64-darwin)
-      - check-success=Outpaths (x86_64-linux)
-      - check-success=Process
-      - check-success=Request
-      - check-success=editorconfig-check
-      - check-success=label-pr
-      - check-success=nix-files-parseable-check
-      - check-success=nixfmt-check
-      - check-success=nixpkgs-vet
-    # queue up to 5 pull requests at a time
-    batch_size: 5

CONTRIBUTING.md

@@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
 Here's a brief overview of the main Git branches and what channels they're used for:
 
 - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
-- `release-YY.MM` (e.g. `release-25.05`): The NixOS release branches, used for the stable channels such as `nixos-25.05`, `nixos-25.05-small` and `nixpkgs-25.05-darwin`.
+- `release-YY.MM` (e.g. `release-24.05`): The NixOS release branches, used for the stable channels such as `nixos-24.05`, `nixos-24.05-small` and `nixpkgs-24.05-darwin`.
 
 When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
 So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).
@@ -531,31 +531,14 @@ If you removed packages or made some major NixOS changes, write about it in the
 
 Names of files and directories should be in lowercase, with dashes between words — not in camel case. For instance, it should be `all-packages.nix`, not `allPackages.nix` or `AllPackages.nix`.
 
-### Formatting
-
-CI [enforces](./.github/workflows/check-nix-format.yml) all Nix files to be
-formatted using the [official Nix formatter](https://github.com/NixOS/nixfmt).
-
-You can ensure this locally using either of these commands:
-```
-nix-shell --run treefmt
-nix develop --command treefmt
-nix fmt
-```
-
-If you're starting your editor in `nix-shell` or `nix develop`,
-you can also set it up to automatically format the file with `treefmt` on save.
-
-If you have any problems with formatting, please ping the
-[formatting team](https://nixos.org/community/teams/formatting/) via
-[@NixOS/nix-formatting](https://github.com/orgs/NixOS/teams/nix-formatting).
-
 ### Syntax
 
 - Set up [editorconfig](https://editorconfig.org/) for your editor, such that [the settings](./.editorconfig) are automatically applied.
 
 - Use `lowerCamelCase` for variable names, not `UpperCamelCase`. Note, this rule does not apply to package attribute names, which instead follow the rules in [package naming](./pkgs/README.md#package-naming).
 
+- New files must be formatted by entering the `nix-shell` from the repository root and running `nixfmt`.
+
 - Functions should list their expected arguments as precisely as possible. That is, write
 
   ```nix
@@ -667,7 +650,7 @@ If you want your PR to get merged quickly and smoothly, it is in your best inter
 
 For the committer to judge your intention, it's best to explain why you've made your change.
 This does not apply to trivial changes like version updates because the intention is obvious (though linking the changelog is appreciated).
-For any more nuanced changes or even major version upgrades, it helps if you explain the background behind your change a bit.
+For any more nuanced changed or even major version upgrades, it helps if you explain the background behind your change a bit.
 E.g. if you're adding a package, explain what it is and why it should be in Nixpkgs.
 This goes hand in hand with [Writing good commit messages](#writing-good-commit-messages).
 

COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2003-2025 Eelco Dolstra and the Nixpkgs/NixOS contributors
+Copyright (c) 2003-2024 Eelco Dolstra and the Nixpkgs/NixOS contributors
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -1,9 +1,9 @@
 <p align="center">
   <a href="https://nixos.org">
     <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://nixos.org/logo/nixos-hires.png">
+      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
       <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://nixos.org/logo/nixos-hires.png" width="500px" alt="NixOS logo">
+      <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="500px" alt="NixOS logo">
     </picture>
   </a>
 </p>
@@ -14,7 +14,7 @@
 </p>
 
 [Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over
-120,000 software packages that can be installed with the
+100,000 software packages that can be installed with the
 [Nix](https://nixos.org/nix/) package manager. It also implements
 [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
 
@@ -27,7 +27,7 @@
 # Community
 
 * [Discourse Forum](https://discourse.nixos.org/)
-* [Matrix Chat](https://matrix.to/#/#space:nixos.org)
+* [Matrix Chat](https://matrix.to/#/#community:nixos.org)
 * [NixOS Weekly](https://weekly.nixos.org/)
 * [Official wiki](https://wiki.nixos.org/)
 * [Community-maintained list of ways to get in touch](https://wiki.nixos.org/wiki/Get_In_Touch#Chat) (Discord, Telegram, IRC, etc.)
@@ -52,14 +52,14 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 24.11 release](https://hydra.nixos.org/jobset/nixos/release-24.11)
+* [Continuous package builds for the NixOS 24.05 release](https://hydra.nixos.org/jobset/nixos/release-24.05)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 24.11 release](https://hydra.nixos.org/job/nixos/release-24.11/tested#tabs-constituents)
+* [Tests for the NixOS 24.05 release](https://hydra.nixos.org/job/nixos/release-24.05/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are
 met, the Nixpkgs expressions are distributed via [Nix
-channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
+channels](https://nixos.org/manual/nix/stable/package-management/channels.html).
 
 # Contributing
 

ci/OWNERS

@@ -14,33 +14,32 @@
 # Processing of this file is implemented in workflows/codeowners-v2.yml
 
 # CI
-/.github/*_TEMPLATE*                    @SigmaSquadron
-/.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
-/.github/workflows/check-format.yml     @infinisil @wolfgangwalther
-/.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
-/.github/workflows/nixpkgs-vet.yml      @infinisil @philiptaron @wolfgangwalther
-/ci                                     @infinisil @philiptaron @NixOS/Security @wolfgangwalther
-/ci/OWNERS                              @infinisil @philiptaron
+/.github/workflows @NixOS/Security @Mic92 @zowoq
+/.github/workflows/check-nix-format.yml @infinisil
+/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
+/.github/workflows/codeowners-v2.yml @infinisil
+/ci @infinisil @philiptaron @NixOS/Security
+/ci/OWNERS @infinisil @philiptaron
 
 # Development support
 /.editorconfig @Mic92 @zowoq
 /shell.nix @infinisil @NixOS/Security
 
 # Libraries
-/lib                        @infinisil @hsjobeki
+/lib                        @infinisil
 /lib/systems                @alyssais @ericson2314 @NixOS/stdenv
-/lib/generators.nix         @infinisil @hsjobeki @Profpatsch
-/lib/cli.nix                @infinisil @hsjobeki @Profpatsch
-/lib/debug.nix              @infinisil @hsjobeki @Profpatsch
-/lib/asserts.nix            @infinisil @hsjobeki @Profpatsch
-/lib/path/*                 @infinisil @hsjobeki
-/lib/fileset                @infinisil @hsjobeki
+/lib/generators.nix         @infinisil @Profpatsch
+/lib/cli.nix                @infinisil @Profpatsch
+/lib/debug.nix              @infinisil @Profpatsch
+/lib/asserts.nix            @infinisil @Profpatsch
+/lib/path/*                 @infinisil
+/lib/fileset                @infinisil
 ## Libraries / Module system
-/lib/modules.nix            @infinisil @roberth @hsjobeki
-/lib/types.nix              @infinisil @roberth @hsjobeki
-/lib/options.nix            @infinisil @roberth @hsjobeki
-/lib/tests/modules.sh       @infinisil @roberth @hsjobeki
-/lib/tests/modules          @infinisil @roberth @hsjobeki
+/lib/modules.nix            @infinisil @roberth
+/lib/types.nix              @infinisil @roberth
+/lib/options.nix            @infinisil @roberth
+/lib/tests/modules.sh       @infinisil @roberth
+/lib/tests/modules          @infinisil @roberth
 
 # Nixpkgs Internals
 /default.nix                                     @Ericson2314
@@ -60,9 +59,10 @@
 /pkgs/build-support/setup-hooks                  @Ericson2314
 /pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
 /pkgs/by-name/au/auto-patchelf                   @layus
-
+/pkgs/pkgs-lib                                   @infinisil
 ## Format generators/serializers
-/pkgs/pkgs-lib                                   @Stunkymonkey @h7x4
+/pkgs/pkgs-lib/formats/libconfig                 @h7x4
+/pkgs/pkgs-lib/formats/hocon                     @h7x4
 
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus @Profpatsch
@@ -102,15 +102,9 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/default.nix                                    @infinisil
 /nixos/lib/from-env.nix                               @infinisil
 /nixos/lib/eval-config.nix                            @infinisil
-/nixos/modules/misc/ids.nix                           @R-VdP
 /nixos/modules/system/activation/bootspec.nix         @grahamc @cole-h @raitobezarius
 /nixos/modules/system/activation/bootspec.cue         @grahamc @cole-h @raitobezarius
 
-# NixOS Render Docs
-/pkgs/by-name/ni/nixos-render-docs @fricklerhandwerk @GetPsyched @hsjobeki
-/doc/redirects.json                @fricklerhandwerk @GetPsyched @hsjobeki
-/nixos/doc/manual/redirects.json   @fricklerhandwerk @GetPsyched @hsjobeki
-
 # NixOS integration test driver
 /nixos/lib/test-driver  @tfc
 
@@ -129,32 +123,22 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Systemd-boot
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
 
-# Limine
-/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi
-
 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
 /nixos/modules/installer/cd-dvd/                @ElvishJerricco
 /nixos/modules/installer/sd-card/
 
 # Amazon
-/nixos/modules/virtualisation/amazon-init.nix                  @arianvp
-/nixos/modules/virtualisation/ec2-data.nix                     @arianvp
-/nixos/modules/virtualisation/amazon-options.nix               @arianvp
-/nixos/modules/virtualisation/amazon-image.nix                 @arianvp
-/nixos/maintainers/scripts/ec2/                                @arianvp
-/nixos/modules/services/misc/amazon-ssm-agent.nix              @arianvp
-/nixos/tests/amazon-ssm-agent.nix                              @arianvp
-/nixos/modules/system/boot/grow-partition.nix                  @arianvp
-/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix @philipmw
-/nixos/tests/amazon-cloudwatch-agent.nix                       @philipmw
+/nixos/modules/virtualisation/amazon-init.nix     @arianvp
+/nixos/modules/virtualisation/ec2-data.nix        @arianvp
+/nixos/modules/virtualisation/amazon-options.nix  @arianvp
+/nixos/modules/virtualisation/amazon-image.nix    @arianvp
+/nixos/maintainers/scripts/ec2/                   @arianvp
+/nixos/modules/services/misc/amazon-ssm-agent.nix @arianvp
+/nixos/tests/amazon-ssm-agent.nix                 @arianvp
+/nixos/modules/system/boot/grow-partition.nix     @arianvp
 
-# Monitoring
-/nixos/modules/services/monitoring/fluent-bit.nix @arianvp
-/nixos/tests/fluent-bit.nix                       @arianvp
 
-# nixos-rebuild-ng
-/pkgs/by-name/ni/nixos-rebuild-ng                 @thiagokokada
 
 # Updaters
 ## update.nix
@@ -166,24 +150,18 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
-/pkgs/by-name/up/update-python-libraries      @mweinelt @natsukium
 /pkgs/development/interpreters/python         @mweinelt @natsukium
 /pkgs/top-level/python-packages.nix                     @natsukium
 /pkgs/top-level/release-python.nix                      @natsukium
 
-# CUDA
-/pkgs/top-level/cuda-packages.nix             @NixOS/cuda-maintainers
-/pkgs/top-level/release-cuda.nix              @NixOS/cuda-maintainers
-/pkgs/development/cuda-modules                @NixOS/cuda-maintainers
-
 # Haskell
-/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn @wolfgangwalther
-/maintainers/scripts/haskell                  @sternenseemann @maralorn @wolfgangwalther
-/pkgs/development/compilers/ghc               @sternenseemann @maralorn @wolfgangwalther
-/pkgs/development/haskell-modules             @sternenseemann @maralorn @wolfgangwalther
-/pkgs/test/haskell                            @sternenseemann @maralorn @wolfgangwalther
-/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn @wolfgangwalther
-/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn @wolfgangwalther
+/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn
+/maintainers/scripts/haskell                  @sternenseemann @maralorn
+/pkgs/development/compilers/ghc               @sternenseemann @maralorn
+/pkgs/development/haskell-modules             @sternenseemann @maralorn
+/pkgs/test/haskell                            @sternenseemann @maralorn
+/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn
+/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn
 
 # Perl
 /pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
@@ -197,7 +175,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Rust
 /pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt @figsoda
 /pkgs/build-support/rust @zowoq @winterqt @figsoda
-/pkgs/build-support/rust/fetch-cargo-vendor* @TomaSajt
 /doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
 
 # Tcl
@@ -221,11 +198,11 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 
 # Browsers
 /pkgs/applications/networking/browsers/firefox @mweinelt
-/pkgs/applications/networking/browsers/chromium @emilylange @networkException
-/nixos/tests/chromium.nix @emilylange @networkException
+/pkgs/applications/networking/browsers/chromium @emilylange
+/nixos/tests/chromium.nix @emilylange
 
 # Certificate Authorities
-pkgs/by-name/ca/cacert @ajs124 @lukegb @mweinelt
+pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
 pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
 pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 
@@ -233,11 +210,10 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /doc/languages-frameworks/java.section.md @NixOS/java
 /doc/languages-frameworks/gradle.section.md @NixOS/java
 /doc/languages-frameworks/maven.section.md @NixOS/java
-/nixos/modules/programs/java.nix @NixOS/java
 /pkgs/top-level/java-packages.nix @NixOS/java
 
 # Jetbrains
-/pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara
+/pkgs/applications/editors/jetbrains @edwtjo
 
 # Licenses
 /lib/licenses.nix @alyssais
@@ -256,18 +232,11 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
 
 # PostgreSQL and related stuff
-/pkgs/by-name/po/postgresqlTestHook @NixOS/postgres
-/pkgs/by-name/ps/psqlodbc @NixOS/postgres
 /pkgs/servers/sql/postgresql @NixOS/postgres
-/pkgs/development/tools/rust/cargo-pgrx @NixOS/postgres
 /nixos/modules/services/databases/postgresql.md @NixOS/postgres
 /nixos/modules/services/databases/postgresql.nix @NixOS/postgres
 /nixos/tests/postgresql @NixOS/postgres
 
-# MySQL/MariaDB and related stuff
-/nixos/modules/services/databases/mysql.nix     @6543
-/nixos/modules/services/backup/mysql-backup.nix @6543
-
 # Hardened profile & related modules
 /nixos/modules/profiles/hardened.nix                       @joachifm
 /nixos/modules/security/lock-kernel-modules.nix            @joachifm
@@ -281,7 +250,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/tests/home-assistant.nix @mweinelt
 /nixos/tests/zigbee2mqtt.nix @mweinelt
 /pkgs/servers/home-assistant @mweinelt
-/pkgs/by-name/es/esphome @mweinelt
+/pkgs/tools/misc/esphome @mweinelt
 
 # Network Time Daemons
 /pkgs/by-name/ch/chrony @thoughtpolice
@@ -305,12 +274,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/servers/http/nginx/ @raitobezarius
 /nixos/modules/services/web-servers/nginx/ @raitobezarius
 
-# D
-/pkgs/build-support/dlang @jtbx @TomaSajt
-
 # Dhall
-/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch
-/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch
+/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch @ehmry
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
 
 # Idris
 /pkgs/development/idris-modules @Infinisil
@@ -335,9 +301,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # Kakoune
 /pkgs/applications/editors/kakoune     @philiptaron
 
-# LuaPackages
-/pkgs/development/lua-modules         @NixOS/lua
-
 # Neovim
 /pkgs/applications/editors/neovim      @NixOS/neovim
 
@@ -384,6 +347,11 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # Xfce
 /doc/hooks/xfce4-dev-tools.section.md @NixOS/xfce
 
+# nim
+/doc/languages-frameworks/nim.section.md  @ehmry
+/pkgs/build-support/build-nim-package.nix @ehmry
+/pkgs/top-level/nim-overrides.nix         @ehmry
+
 # terraform providers
 /pkgs/applications/networking/cluster/terraform-providers @zowoq
 
@@ -409,13 +377,14 @@ pkgs/by-name/fo/forgejo/                @adamcstephens @bendlas @emilylange
 /pkgs/development/ocaml-modules     @ulrikstrid
 
 # ZFS
-/nixos/modules/tasks/filesystems/zfs.nix @adamcstephens @amarshall
-/nixos/tests/zfs.nix                     @adamcstephens @amarshall
-/pkgs/os-specific/linux/zfs              @adamcstephens @amarshall
+pkgs/os-specific/linux/zfs/2_1.nix        @raitobezarius
+pkgs/os-specific/linux/zfs/generic.nix    @raitobezarius
+nixos/modules/tasks/filesystems/zfs.nix   @raitobezarius
+nixos/tests/zfs.nix                       @raitobezarius
 
 # Zig
-/pkgs/development/compilers/zig @figsoda @RossComputerGuy
-/doc/hooks/zig.section.md       @figsoda @RossComputerGuy
+/pkgs/development/compilers/zig @figsoda
+/doc/hooks/zig.section.md       @figsoda
 
 # Buildbot
 nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
@@ -460,18 +429,3 @@ pkgs/by-name/lx/lxc*                    @adamcstephens
 /pkgs/by-name/ap/apple-sdk                     @NixOS/darwin-core
 /pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
 /pkgs/stdenv/darwin                            @NixOS/darwin-core
-
-# BEAM
-pkgs/development/beam-modules/          @NixOS/beam
-pkgs/development/interpreters/erlang/   @NixOS/beam
-pkgs/development/interpreters/elixir/   @NixOS/beam
-pkgs/development/interpreters/lfe/      @NixOS/beam
-
-# OctoDNS
-pkgs/by-name/oc/octodns/ @anthonyroussel
-
-# Teleport
-pkgs/by-name/te/teleport*   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
-
-# Warp-terminal
-pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @donteatoreo @johnrtitor

ci/README.md

@@ -44,21 +44,21 @@ Why not just build the tooling right from the PRs Nixpkgs version?
 ## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
 
 Check whether a PR is mergeable and return the test merge commit as
-[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests) and its parent.
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests).
 
 Arguments:
 - `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
 - `PR_NUMBER`: The PR number, e.g. `1234`
 
 Exit codes:
-- 0: The PR can be merged, the hashes of the test merge commit and the target commit are returned on stdout
+- 0: The PR can be merged, the test merge commit hash is returned on stdout
 - 1: The PR cannot be merged because it's not open anymore
 - 2: The PR cannot be merged because it has a merge conflict
 - 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
 
 ### Usage
 
-This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
+This script can be used in GitHub Actions workflows as follows:
 
 ```yaml
 on: pull_request_target
@@ -67,19 +67,32 @@ on: pull_request_target
 permissions: {}
 
 jobs:
-  get-merge-commit:
-    # use the relative path of the get-merge-commit workflow yaml here
-    uses: ./.github/workflows/get-merge-commit.yml
-
   build:
     name: Build
-    runs-on: ubuntu-24.04
-    needs: get-merge-commit
+    runs-on: ubuntu-latest
     steps:
+      # Important: Because of `pull_request_target`, this doesn't check out the PR,
+      # but rather the base branch of the PR, which is needed so we don't run untrusted code
+      - uses: actions/checkout@<VERSION>
+        with:
+          path: base
+          sparse-checkout: ci
+      - name: Resolving the merge commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+            echo "Checking the merge commit $mergedSha"
+            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
+          else
+            # Skipping so that no notifications are sent
+            echo "Skipping the rest..."
+          fi
+          rm -rf base
       - uses: actions/checkout@<VERSION>
         # Add this to _all_ subsequent steps to skip them
-        if: needs.get-merge-commit.outputs.mergedSha
+        if: env.mergedSha
         with:
-          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          ref: ${{ env.mergedSha }}
       - ...
 ```

ci/default.nix

@@ -21,73 +21,9 @@ let
     config = { };
     overlays = [ ];
   };
-
-  fmt =
-    let
-      treefmtNixSrc = fetchTarball {
-        # Master at 2025-02-12
-        url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
-        sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
-      };
-      treefmtEval = (import treefmtNixSrc).evalModule pkgs {
-        # Important: The auto-rebase script uses `git filter-branch --tree-filter`,
-        # which creates trees within the Git repository under `.git-rewrite/t`,
-        # notably without having a `.git` themselves.
-        # So if this projectRootFile were the default `.git/config`,
-        # having the auto-rebase script use treefmt on such a tree would make it
-        # format all files in the _parent_ Git tree as well.
-        projectRootFile = ".git-blame-ignore-revs";
-
-        # Be a bit more verbose by default, so we can see progress happening
-        settings.verbose = 1;
-
-        # By default it's info, which is too noisy since we have many unmatched files
-        settings.on-unmatched = "debug";
-
-        programs.actionlint.enable = true;
-
-        programs.keep-sorted.enable = true;
-
-        # This uses nixfmt-rfc-style underneath,
-        # the default formatter for Nix code.
-        # See https://github.com/NixOS/nixfmt
-        programs.nixfmt.enable = true;
-
-        settings.formatter.editorconfig-checker = {
-          command = "${pkgs.lib.getExe pkgs.editorconfig-checker}";
-          options = [ "-disable-indent-size" ];
-          includes = [ "*" ];
-          priority = 1;
-        };
-      };
-      fs = pkgs.lib.fileset;
-      nixFilesSrc = fs.toSource {
-        root = ../.;
-        fileset = fs.difference ../. (fs.maybeMissing ../.git);
-      };
-    in
-    {
-      shell = treefmtEval.config.build.devShell;
-      pkg = treefmtEval.config.build.wrapper;
-      check = treefmtEval.config.build.check nixFilesSrc;
-    };
-
 in
 {
-  inherit pkgs fmt;
+  inherit pkgs;
   requestReviews = pkgs.callPackage ./request-reviews { };
   codeownersValidator = pkgs.callPackage ./codeowners-validator { };
-  eval = pkgs.callPackage ./eval { };
-
-  # CI jobs
-  lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
-  manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
-  manual-nixpkgs = (import ../pkgs/top-level/release.nix { }).manual;
-  manual-nixpkgs-tests = (import ../pkgs/top-level/release.nix { }).manual.tests;
-  parse = pkgs.lib.recurseIntoAttrs {
-    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
-    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
-    minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.minimum; };
-  };
-  shell = import ../shell.nix { inherit nixpkgs system; };
 }

ci/eval/README.md

@@ -1,21 +0,0 @@
-# Nixpkgs CI evaluation
-
-The code in this directory is used by the [eval.yml](../../.github/workflows/eval.yml) GitHub Actions workflow to evaluate the majority of Nixpkgs for all PRs, effectively making sure that when the development branches are processed by Hydra, no evaluation failures are encountered.
-
-Furthermore it also allows local evaluation using
-```
-nix-build ci -A eval.full \
-  --max-jobs 4 \
-  --cores 2 \
-  --arg chunkSize 10000 \
-  --arg evalSystems '["x86_64-linux" "aarch64-darwin"]'
-```
-
-- `--max-jobs`: The maximum number of derivations to run at the same time. Only each [supported system](../supportedSystems.json) gets a separate derivation, so it doesn't make sense to set this higher than that number.
-- `--cores`: The number of cores to use for each job. Recommended to set this to the amount of cores on your system divided by `--max-jobs`.
-- `chunkSize`: The number of attributes that are evaluated simultaneously on a single core. Lowering this decreases memory usage at the cost of increased evaluation time. If this is too high, there won't be enough chunks to process them in parallel, and will also increase evaluation time.
-- `evalSystems`: The set of systems for which `nixpkgs` should be evaluated. Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).
-
-A good default is to set `chunkSize` to 10000, which leads to about 3.6GB max memory usage per core, so suitable for fully utilising machines with 4 cores and 16GB memory, 8 cores and 32GB memory or 16 cores and 64GB memory.
-
-Note that 16GB memory is the recommended minimum, while with less than 8GB memory evaluation time suffers greatly.

ci/eval/compare/cmp-stats.py

@@ -1,154 +0,0 @@
-import json
-import os
-from scipy.stats import ttest_rel
-import pandas as pd
-import numpy as np
-from pathlib import Path
-
-# Define metrics of interest (can be expanded as needed)
-METRIC_PREFIXES = ("nr", "gc")
-
-def flatten_data(json_data: dict) -> dict:
-    """
-    Extracts and flattens metrics from JSON data.
-    This is needed because the JSON data can be nested.
-    For example, the JSON data entry might look like this:
-
-    "gc":{"cycles":13,"heapSize":5404549120,"totalBytes":9545876464}
-
-    Flattened:
-
-    "gc.cycles": 13
-    "gc.heapSize": 5404549120
-    ...
-
-    Args:
-        json_data (dict): JSON data containing metrics.
-    Returns:
-        dict: Flattened metrics with keys as metric names.
-    """
-    flat_metrics = {}
-    for k, v in json_data.items():
-        if isinstance(v, (int, float)):
-            flat_metrics[k] = v
-        elif isinstance(v, dict):
-            for sub_k, sub_v in v.items():
-                flat_metrics[f"{k}.{sub_k}"] = sub_v
-    return flat_metrics
-
-
-
-
-def load_all_metrics(directory: Path) -> dict:
-    """
-    Loads all stats JSON files in the specified directory and extracts metrics.
-
-    Args:
-        directory (Path): Directory containing JSON files.
-    Returns:
-        dict: Dictionary with filenames as keys and extracted metrics as values.
-    """
-    metrics = {}
-    for system_dir in directory.iterdir():
-        assert system_dir.is_dir()
-
-        for chunk_output in system_dir.iterdir():
-                with chunk_output.open() as f:
-                    data = json.load(f)
-                metrics[f"{system_dir.name}/${chunk_output.name}"] = flatten_data(data)
-
-    return metrics
-
-def dataframe_to_markdown(df: pd.DataFrame) -> str:
-    df = df.sort_values(by=df.columns[0], ascending=True)
-    markdown_lines = []
-
-    # Header (get column names and format them)
-    header = '\n| ' + ' | '.join(df.columns) + ' |'
-    markdown_lines.append(header)
-    markdown_lines.append("| - " * (len(df.columns)) + "|")  # Separator line
-
-    # Iterate over rows to build Markdown rows
-    for _, row in df.iterrows():
-        # TODO: define threshold for highlighting
-        highlight = False
-
-        fmt = lambda x: f"**{x}**" if highlight else f"{x}"
-
-        # Check for no change and NaN in p_value/t_stat
-        row_values = []
-        for val in row:
-            if isinstance(val, float) and np.isnan(val):  # For NaN values in p-value or t-stat
-                row_values.append("-")  # Custom symbol for NaN
-            elif isinstance(val, float) and val == 0:  # For no change (mean_diff == 0)
-                row_values.append("-")  # Custom symbol for no change
-            else:
-                row_values.append(fmt(f"{val:.4f}" if isinstance(val, float) else str(val)))
-
-        markdown_lines.append('| ' + ' | '.join(row_values) + ' |')
-
-    return '\n'.join(markdown_lines)
-
-
-def perform_pairwise_tests(before_metrics: dict, after_metrics: dict) -> pd.DataFrame:
-    common_files = sorted(set(before_metrics) & set(after_metrics))
-    all_keys = sorted({ metric_keys for file_metrics in before_metrics.values() for metric_keys in file_metrics.keys() })
-
-    results = []
-
-    for key in all_keys:
-        before_vals, after_vals = [], []
-
-        for fname in common_files:
-            if key in before_metrics[fname] and key in after_metrics[fname]:
-                before_vals.append(before_metrics[fname][key])
-                after_vals.append(after_metrics[fname][key])
-
-        if len(before_vals) >= 2:
-            before_arr = np.array(before_vals)
-            after_arr = np.array(after_vals)
-
-            diff = after_arr - before_arr
-            pct_change = 100 * diff / before_arr
-            t_stat, p_val = ttest_rel(after_arr, before_arr)
-
-            results.append({
-                "metric": key,
-                "mean_before": np.mean(before_arr),
-                "mean_after": np.mean(after_arr),
-                "mean_diff": np.mean(diff),
-                "mean_%_change": np.mean(pct_change),
-                "p_value": p_val,
-                "t_stat": t_stat
-            })
-
-    df = pd.DataFrame(results).sort_values("p_value")
-    return df
-
-
-if __name__ == "__main__":
-    before_dir = os.environ.get("BEFORE_DIR")
-    after_dir = os.environ.get("AFTER_DIR")
-
-    if not before_dir or not after_dir:
-        print("Error: Environment variables 'BEFORE_DIR' and 'AFTER_DIR' must be set.")
-        exit(1)
-
-    before_stats = Path(before_dir) / "stats"
-    after_stats = Path(after_dir) / "stats"
-
-    # This may happen if the pull request target does not include PR#399720 yet.
-    if not before_stats.exists():
-        print("⚠️  Skipping comparison: stats directory is missing in the target commit.")
-        exit(0)
-
-    # This should never happen, but we're exiting gracefully anyways
-    if not after_stats.exists():
-        print("⚠️  Skipping comparison: stats directory missing in current PR evaluation.")
-        exit(0)
-
-    before_metrics = load_all_metrics(before_stats)
-    after_metrics = load_all_metrics(after_stats)
-    df1 = perform_pairwise_tests(before_metrics, after_metrics)
-    markdown_table = dataframe_to_markdown(df1)
-    print(markdown_table)

ci/eval/compare/default.nix

@@ -1,193 +0,0 @@
-{
-  lib,
-  jq,
-  runCommand,
-  writeText,
-  python3,
-  ...
-}:
-{
-  beforeResultDir,
-  afterResultDir,
-  touchedFilesJson,
-  githubAuthorId,
-  byName ? false,
-}:
-let
-  /*
-    Derivation that computes which packages are affected (added, changed or removed) between two revisions of nixpkgs.
-    Note: "platforms" are "x86_64-linux", "aarch64-darwin", ...
-
-    ---
-    Inputs:
-    - beforeResultDir, afterResultDir: The evaluation result from before and after the change.
-      They can be obtained by running `nix-build -A ci.eval.full` on both revisions.
-
-    ---
-    Outputs:
-      - changed-paths.json: Various information about the changes:
-        {
-          attrdiff: {
-            added: ["package1"],
-            changed: ["package2", "package3"],
-            removed: ["package4"],
-          },
-          labels: [
-            "10.rebuild-darwin: 1-10",
-            "10.rebuild-linux: 1-10"
-          ],
-          rebuildsByKernel: {
-            darwin: ["package1", "package2"],
-            linux: ["package1", "package2", "package3"]
-          },
-          rebuildCountByKernel: {
-            darwin: 2,
-            linux: 3,
-          },
-          rebuildsByPlatform: {
-            aarch64-darwin: ["package1", "package2"],
-            aarch64-linux: ["package1", "package2"],
-            x86_64-linux: ["package1", "package2", "package3"],
-            x86_64-darwin: ["package1"],
-          },
-        }
-      - step-summary.md: A markdown render of the changes
-
-    ---
-    Implementation details:
-
-    Helper functions can be found in ./utils.nix.
-    Two main "types" are important:
-
-    - `packagePlatformPath`: A string of the form "<PACKAGE_PATH>.<PLATFORM>"
-      Example: "python312Packages.numpy.x86_64-linux"
-
-    - `packagePlatformAttr`: An attrs representation of a packagePlatformPath:
-      Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
-  */
-  inherit (import ./utils.nix { inherit lib; })
-    diff
-    groupByKernel
-    convertToPackagePlatformAttrs
-    groupByPlatform
-    extractPackageNames
-    getLabels
-    ;
-
-  getAttrs =
-    dir:
-    let
-      raw = builtins.readFile "${dir}/outpaths.json";
-      # The file contains Nix paths; we need to ignore them for evaluation purposes,
-      # else there will be a "is not allowed to refer to a store path" error.
-      data = builtins.unsafeDiscardStringContext raw;
-    in
-    builtins.fromJSON data;
-  beforeAttrs = getAttrs beforeResultDir;
-  afterAttrs = getAttrs afterResultDir;
-
-  # Attrs
-  # - keys: "added", "changed" and "removed"
-  # - values: lists of `packagePlatformPath`s
-  diffAttrs = diff beforeAttrs afterAttrs;
-
-  rebuilds = diffAttrs.added ++ diffAttrs.changed;
-  rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
-
-  changed-paths =
-    let
-      rebuildsByPlatform = groupByPlatform rebuildsPackagePlatformAttrs;
-      rebuildsByKernel = groupByKernel rebuildsPackagePlatformAttrs;
-      rebuildCountByKernel = lib.mapAttrs (
-        kernel: kernelRebuilds: lib.length kernelRebuilds
-      ) rebuildsByKernel;
-    in
-    writeText "changed-paths.json" (
-      builtins.toJSON {
-        attrdiff = lib.mapAttrs (_: extractPackageNames) diffAttrs;
-        inherit
-          rebuildsByPlatform
-          rebuildsByKernel
-          rebuildCountByKernel
-          ;
-        labels =
-          (getLabels rebuildCountByKernel)
-          # Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
-          ++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
-            lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
-          )
-          # Adds the "11.by: package-maintainer" label if all of the packages directly
-          # changed are maintained by the PR's author. (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
-          ++ lib.optional (
-            maintainers ? ${githubAuthorId}
-            && lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
-              lib.flatten (lib.attrValues maintainers)
-            )
-          ) "11.by: package-maintainer";
-      }
-    );
-
-  maintainers = import ./maintainers.nix {
-    changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
-    changedpathsjson = touchedFilesJson;
-    inherit byName;
-  };
-in
-runCommand "compare"
-  {
-    nativeBuildInputs = [
-      jq
-      (python3.withPackages (
-        ps: with ps; [
-          numpy
-          pandas
-          scipy
-        ]
-      ))
-
-    ];
-    maintainers = builtins.toJSON maintainers;
-    passAsFile = [ "maintainers" ];
-    env = {
-      BEFORE_DIR = "${beforeResultDir}";
-      AFTER_DIR = "${afterResultDir}";
-    };
-  }
-  ''
-    mkdir $out
-
-    cp ${changed-paths} $out/changed-paths.json
-
-
-    if jq -e '(.attrdiff.added | length == 0) and (.attrdiff.removed | length == 0)' "${changed-paths}" > /dev/null; then
-      # Chunks have changed between revisions
-      # We cannot generate a performance comparison
-      {
-        echo
-        echo "# Performance comparison"
-        echo
-        echo "This compares the performance of this branch against its pull request base branch (e.g., 'master')"
-        echo
-        echo "For further help please refer to: [ci/README.md](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md)"
-        echo
-      } >> $out/step-summary.md
-
-      python3 ${./cmp-stats.py} >> $out/step-summary.md
-
-    else
-      # Package chunks are the same in both revisions
-      # We can use the to generate a performance comparison
-      {
-        echo
-        echo "# Performance Comparison"
-        echo
-        echo "Performance stats were skipped because the package sets differ between the two revisions."
-        echo
-        echo "For further help please refer to: [ci/README.md](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md)"
-      } >> $out/step-summary.md
-    fi
-
-    jq -r -f ${./generate-step-summary.jq} < ${changed-paths} >> $out/step-summary.md
-
-    cp "$maintainersPath" "$out/maintainers.json"
-  ''

ci/eval/compare/generate-step-summary.jq

@@ -1,30 +0,0 @@
-def truncate(xs; n):
-  if xs | length > n then xs[:n] + ["..."]
-  else xs
-  end;
-
-def itemize_packages(xs):
-  truncate(xs; 2000) |
-    map("- [\(.)](https://search.nixos.org/packages?channel=unstable&show=\(.)&from=0&size=50&sort=relevance&type=packages&query=\(.))")  |
-    join("\n");
-
-def get_title(s; xs):
-  s + " (" + (xs | length | tostring) + ")";
-
-def section(title; xs):
-  "<details> <summary>" + get_title(title; xs) + "</summary>\n\n" + itemize_packages(xs) + "</details>";
-
-def fallback_document(content; n):
-  if content | utf8bytelength > n then
-    get_title("Added packages"; .attrdiff.added) + "\n\n" +
-    get_title("Removed packages"; .attrdiff.removed) + "\n\n" +
-    get_title("Changed packages"; .attrdiff.changed)
-  else content
-  end;
-
-# we truncate the list to stay below the GitHub limit of 1MB per step summary.
-fallback_document(
-  section("Added packages"; .attrdiff.added) + "\n\n" +
-  section("Removed packages"; .attrdiff.removed) + "\n\n" +
-  section("Changed packages"; .attrdiff.changed); 1000 * 1000
-)

ci/eval/compare/maintainers.nix

@@ -1,112 +0,0 @@
-# Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
-{
-  changedattrs,
-  changedpathsjson,
-  byName ? false,
-}:
-let
-  pkgs = import ../../.. {
-    system = "x86_64-linux";
-    config = { };
-    overlays = [ ];
-  };
-  inherit (pkgs) lib;
-
-  changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);
-
-  anyMatchingFile =
-    filename: builtins.any (changed: lib.strings.hasSuffix changed filename) changedpaths;
-
-  anyMatchingFiles = files: builtins.any anyMatchingFile files;
-
-  enrichedAttrs = builtins.map (name: {
-    path = lib.splitString "." name;
-    name = name;
-  }) changedattrs;
-
-  validPackageAttributes = builtins.filter (
-    pkg:
-    if (lib.attrsets.hasAttrByPath pkg.path pkgs) then
-      (
-        let
-          value = lib.attrsets.attrByPath pkg.path null pkgs;
-        in
-        if (builtins.tryEval value).success then
-          if value != null then true else builtins.trace "${pkg.name} exists but is null" false
-        else
-          builtins.trace "Failed to access ${pkg.name} even though it exists" false
-      )
-    else
-      builtins.trace "Failed to locate ${pkg.name}." false
-  ) enrichedAttrs;
-
-  attrsWithPackages = builtins.map (
-    pkg: pkg // { package = lib.attrsets.attrByPath pkg.path null pkgs; }
-  ) validPackageAttributes;
-
-  attrsWithMaintainers = builtins.map (
-    pkg:
-    let
-      meta = pkg.package.meta or { };
-    in
-    pkg
-    // {
-      # TODO: Refactor this so we can ping entire teams instead of the individual members.
-      # Note that this will require keeping track of GH team IDs in "maintainers/teams.nix".
-      maintainers = meta.maintainers or [ ];
-    }
-  ) attrsWithPackages;
-
-  relevantFilenames =
-    drv:
-    (lib.lists.unique (
-      builtins.map (pos: lib.strings.removePrefix (toString ../..) pos.file) (
-        builtins.filter (x: x != null) [
-          ((drv.meta or { }).maintainersPosition or null)
-          ((drv.meta or { }).teamsPosition or null)
-          (builtins.unsafeGetAttrPos "src" drv)
-          # broken because name is always set by stdenv:
-          #    # A hack to make `nix-env -qa` and `nix search` ignore broken packages.
-          #    # TODO(@oxij): remove this assert when something like NixOS/nix#1771 gets merged into nix.
-          #    name = assert validity.handled; name + lib.optionalString
-          #(builtins.unsafeGetAttrPos "name" drv)
-          (builtins.unsafeGetAttrPos "pname" drv)
-          (builtins.unsafeGetAttrPos "version" drv)
-
-          # Use ".meta.position" for cases when most of the package is
-          # defined in a "common" section and the only place where
-          # reference to the file with a derivation the "pos"
-          # attribute.
-          #
-          # ".meta.position" has the following form:
-          #   "pkgs/tools/package-management/nix/default.nix:155"
-          # We transform it to the following:
-          #   { file = "pkgs/tools/package-management/nix/default.nix"; }
-          { file = lib.head (lib.splitString ":" (drv.meta.position or "")); }
-        ]
-      )
-    ));
-
-  attrsWithFilenames = builtins.map (
-    pkg: pkg // { filenames = relevantFilenames pkg.package; }
-  ) attrsWithMaintainers;
-
-  attrsWithModifiedFiles = builtins.filter (pkg: anyMatchingFiles pkg.filenames) attrsWithFilenames;
-
-  listToPing = lib.concatMap (
-    pkg:
-    builtins.map (maintainer: {
-      id = maintainer.githubId;
-      inherit (maintainer) github;
-      packageName = pkg.name;
-      dueToFiles = pkg.filenames;
-    }) pkg.maintainers
-  ) attrsWithModifiedFiles;
-
-  byMaintainer = lib.groupBy (ping: toString ping.${if byName then "github" else "id"}) listToPing;
-
-  packagesPerMaintainer = lib.attrsets.mapAttrs (
-    maintainer: packages: builtins.map (pkg: pkg.packageName) packages
-  ) byMaintainer;
-in
-packagesPerMaintainer

ci/eval/compare/utils.nix

@@ -1,238 +0,0 @@
-{ lib, ... }:
-rec {
-  # Borrowed from https://github.com/NixOS/nixpkgs/pull/355616
-  uniqueStrings = list: builtins.attrNames (builtins.groupBy lib.id list);
-
-  /*
-    Converts a `packagePlatformPath` into a `packagePlatformAttr`
-
-    Turns
-      "hello.aarch64-linux"
-    into
-      {
-        name = "hello";
-        packagePath = [ "hello" ];
-        platform = "aarch64-linux";
-      }
-  */
-  convertToPackagePlatformAttr =
-    packagePlatformPath:
-    let
-      # python312Packages.numpy.aarch64-linux -> ["python312Packages" "numpy" "aarch64-linux"]
-      splittedPath = lib.splitString "." packagePlatformPath;
-
-      # ["python312Packages" "numpy" "aarch64-linux"] -> ["python312Packages" "numpy"]
-      packagePath = lib.sublist 0 (lib.length splittedPath - 1) splittedPath;
-
-      # "python312Packages.numpy"
-      name = lib.concatStringsSep "." packagePath;
-    in
-    if name == "" then
-      null
-    else
-      {
-        # [ "python312Packages" "numpy" ]
-        inherit packagePath;
-
-        # python312Packages.numpy
-        inherit name;
-
-        # "aarch64-linux"
-        platform = lib.last splittedPath;
-      };
-
-  /*
-    Converts a list of `packagePlatformPath`s into a list of `packagePlatformAttr`s
-
-    Turns
-      [
-        "hello.aarch64-linux"
-        "hello.x86_64-linux"
-        "hello.aarch64-darwin"
-        "hello.x86_64-darwin"
-        "bye.x86_64-darwin"
-        "bye.aarch64-darwin"
-        "release-checks"  <- Will be dropped
-      ]
-    into
-      [
-        { name = "hello"; platform = "aarch64-linux"; packagePath = [ "hello" ]; }
-        { name = "hello"; platform = "x86_64-linux"; packagePath = [ "hello" ]; }
-        { name = "hello"; platform = "aarch64-darwin"; packagePath = [ "hello" ]; }
-        { name = "hello"; platform = "x86_64-darwin"; packagePath = [ "hello" ]; }
-        { name = "bye"; platform = "aarch64-darwin"; packagePath = [ "hello" ]; }
-        { name = "bye"; platform = "x86_64-darwin"; packagePath = [ "hello" ]; }
-      ]
-  */
-  convertToPackagePlatformAttrs =
-    packagePlatformPaths:
-    builtins.filter (x: x != null) (builtins.map convertToPackagePlatformAttr packagePlatformPaths);
-
-  /*
-    Converts a list of `packagePlatformPath`s directly to a list of (unique) package names
-
-    Turns
-      [
-        "hello.aarch64-linux"
-        "hello.x86_64-linux"
-        "hello.aarch64-darwin"
-        "hello.x86_64-darwin"
-        "bye.x86_64-darwin"
-        "bye.aarch64-darwin"
-      ]
-    into
-      [
-        "hello"
-        "bye"
-      ]
-  */
-  extractPackageNames =
-    packagePlatformPaths:
-    let
-      packagePlatformAttrs = convertToPackagePlatformAttrs (uniqueStrings packagePlatformPaths);
-    in
-    uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);
-
-  /*
-    Computes the key difference between two attrs
-
-    {
-      added: [ <keys only in the second object> ],
-      removed: [ <keys only in the first object> ],
-      changed: [ <keys with different values between the two objects> ],
-    }
-  */
-  diff =
-    let
-      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
-    in
-    old: new: {
-      added = filterKeys (n: _: !(old ? ${n})) new;
-      removed = filterKeys (n: _: !(new ? ${n})) old;
-      changed = filterKeys (
-        n: v:
-        # Filter out attributes that don't exist anymore
-        (new ? ${n})
-
-        # Filter out attributes that are the same as the new value
-        && (v != (new.${n}))
-      ) old;
-    };
-
-  /*
-    Group a list of `packagePlatformAttr`s by platforms
-
-    Turns
-      [
-        { name = "hello"; platform = "aarch64-linux"; ... }
-        { name = "hello"; platform = "x86_64-linux"; ... }
-        { name = "hello"; platform = "aarch64-darwin"; ... }
-        { name = "hello"; platform = "x86_64-darwin"; ... }
-        { name = "bye"; platform = "aarch64-darwin"; ... }
-        { name = "bye"; platform = "x86_64-darwin"; ... }
-      ]
-    into
-      {
-        aarch64-linux = [ "hello" ];
-        x86_64-linux = [ "hello" ];
-        aarch64-darwin = [ "hello" "bye" ];
-        x86_64-darwin = [ "hello" "bye" ];
-      }
-  */
-  groupByPlatform =
-    packagePlatformAttrs:
-    let
-      packagePlatformAttrsByPlatform = builtins.groupBy (p: p.platform) packagePlatformAttrs;
-      extractPackageNames = map (p: p.name);
-    in
-    lib.mapAttrs (_: extractPackageNames) packagePlatformAttrsByPlatform;
-
-  # Turns
-  # [
-  #   { name = "hello"; platform = "aarch64-linux"; ... }
-  #   { name = "hello"; platform = "x86_64-linux"; ... }
-  #   { name = "hello"; platform = "aarch64-darwin"; ... }
-  #   { name = "hello"; platform = "x86_64-darwin"; ... }
-  #   { name = "bye"; platform = "aarch64-darwin"; ... }
-  #   { name = "bye"; platform = "x86_64-darwin"; ... }
-  # ]
-  #
-  # into
-  #
-  # {
-  #   linux = [ "hello" ];
-  #   darwin = [ "hello" "bye" ];
-  # }
-  groupByKernel =
-    packagePlatformAttrs:
-    let
-      filterKernel =
-        kernel:
-        builtins.attrNames (
-          builtins.groupBy (p: p.name) (
-            builtins.filter (p: lib.hasSuffix kernel p.platform) packagePlatformAttrs
-          )
-        );
-    in
-    lib.genAttrs [ "linux" "darwin" ] filterKernel;
-
-  /*
-    Maps an attrs of `kernel - rebuild counts` mappings to a list of labels
-
-    Turns
-      {
-        linux = 56;
-        darwin = 1;
-      }
-    into
-      [
-        "10.rebuild-darwin: 1"
-        "10.rebuild-darwin: 1-10"
-        "10.rebuild-linux: 11-100"
-      ]
-  */
-  getLabels =
-    rebuildCountByKernel:
-    lib.concatLists (
-      lib.mapAttrsToList (
-        kernel: rebuildCount:
-        let
-          numbers =
-            if rebuildCount == 0 then
-              [ "0" ]
-            else if rebuildCount == 1 then
-              [
-                "1"
-                "1-10"
-              ]
-            else if rebuildCount <= 10 then
-              [ "1-10" ]
-            else if rebuildCount <= 100 then
-              [ "11-100" ]
-            else if rebuildCount <= 500 then
-              [ "101-500" ]
-            else if rebuildCount <= 1000 then
-              [
-                "501-1000"
-                "501+"
-              ]
-            else if rebuildCount <= 2500 then
-              [
-                "1001-2500"
-                "501+"
-              ]
-            else if rebuildCount <= 5000 then
-              [
-                "2501-5000"
-                "501+"
-              ]
-            else
-              [
-                "5001+"
-                "501+"
-              ];
-        in
-        lib.forEach numbers (number: "10.rebuild-${kernel}: ${number}")
-      ) rebuildCountByKernel
-    );
-}

ci/eval/default.nix

@@ -1,274 +0,0 @@
-{
-  lib,
-  runCommand,
-  writeShellScript,
-  writeText,
-  linkFarm,
-  time,
-  procps,
-  nixVersions,
-  jq,
-  python3,
-}:
-
-let
-  nixpkgs =
-    with lib.fileset;
-    toSource {
-      root = ../..;
-      fileset = unions (
-        map (lib.path.append ../..) [
-          "default.nix"
-          "doc"
-          "lib"
-          "maintainers"
-          "nixos"
-          "pkgs"
-          ".version"
-          "ci/supportedSystems.json"
-        ]
-      );
-    };
-
-  nix = nixVersions.latest;
-
-  supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);
-
-  attrpathsSuperset =
-    {
-      evalSystem,
-    }:
-    runCommand "attrpaths-superset.json"
-      {
-        src = nixpkgs;
-        nativeBuildInputs = [
-          nix
-          time
-        ];
-      }
-      ''
-        export NIX_STATE_DIR=$(mktemp -d)
-        mkdir $out
-        export GC_INITIAL_HEAP_SIZE=4g
-        command time -f "Attribute eval done [%MKB max resident, %Es elapsed] %C" \
-          nix-instantiate --eval --strict --json --show-trace \
-            "$src/pkgs/top-level/release-attrpaths-superset.nix" \
-            -A paths \
-            -I "$src" \
-            --option restrict-eval true \
-            --option allow-import-from-derivation false \
-            --option eval-system "${evalSystem}" \
-            --arg enableWarnings false > $out/paths.json
-      '';
-
-  singleSystem =
-    {
-      # The system to evaluate.
-      # Note that this is intentionally not called `system`,
-      # because `--argstr system` would only be passed to the ci/default.nix file!
-      evalSystem,
-      # The path to the `paths.json` file from `attrpathsSuperset`
-      attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
-      # The number of attributes per chunk, see ./README.md for more info.
-      chunkSize,
-      checkMeta ? true,
-      includeBroken ? true,
-      # Whether to just evaluate a single chunk for quick testing
-      quickTest ? false,
-    }:
-    let
-      singleChunk = writeShellScript "single-chunk" ''
-        set -euo pipefail
-        chunkSize=$1
-        myChunk=$2
-        system=$3
-        outputDir=$4
-
-        export NIX_SHOW_STATS=1
-        export NIX_SHOW_STATS_PATH="$outputDir/stats/$myChunk"
-        echo "Chunk $myChunk on $system start"
-        set +e
-        command time -o "$outputDir/timestats/$myChunk" \
-          -f "Chunk $myChunk on $system done [%MKB max resident, %Es elapsed] %C" \
-          nix-env -f "${nixpkgs}/pkgs/top-level/release-attrpaths-parallel.nix" \
-          --eval-system "$system" \
-          --option restrict-eval true \
-          --option allow-import-from-derivation false \
-          --query --available \
-          --no-name --attr-path --out-path \
-          --show-trace \
-          --arg chunkSize "$chunkSize" \
-          --arg myChunk "$myChunk" \
-          --arg attrpathFile "${attrpathFile}" \
-          --arg systems "[ \"$system\" ]" \
-          --arg checkMeta ${lib.boolToString checkMeta} \
-          --arg includeBroken ${lib.boolToString includeBroken} \
-          -I ${nixpkgs} \
-          -I ${attrpathFile} \
-          > "$outputDir/result/$myChunk" \
-          2> "$outputDir/stderr/$myChunk"
-        exitCode=$?
-        set -e
-        cat "$outputDir/stderr/$myChunk"
-        cat "$outputDir/timestats/$myChunk"
-        if (( exitCode != 0 )); then
-          echo "Evaluation failed with exit code $exitCode"
-          # This immediately halts all xargs processes
-          kill $PPID
-        elif [[ -s "$outputDir/stderr/$myChunk" ]]; then
-          echo "Nixpkgs on $system evaluated with warnings, aborting"
-          kill $PPID
-        fi
-      '';
-    in
-    runCommand "nixpkgs-eval-${evalSystem}"
-      {
-        nativeBuildInputs = [
-          nix
-          time
-          procps
-          jq
-        ];
-        env = {
-          inherit evalSystem chunkSize;
-        };
-      }
-      ''
-        export NIX_STATE_DIR=$(mktemp -d)
-        nix-store --init
-
-        echo "System: $evalSystem"
-        cores=$NIX_BUILD_CORES
-        echo "Cores: $cores"
-        attrCount=$(jq length "${attrpathFile}")
-        echo "Attribute count: $attrCount"
-        echo "Chunk size: $chunkSize"
-        # Same as `attrCount / chunkSize` but rounded up
-        chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
-        echo "Chunk count: $chunkCount"
-
-        mkdir $out
-
-        # Record and print stats on free memory and swap in the background
-        (
-          while true; do
-            availMemory=$(free -b | grep Mem | awk '{print $7}')
-            freeSwap=$(free -b | grep Swap | awk '{print $4}')
-            echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"
-
-            if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
-              echo "$availMemory" > $out/min-avail-memory
-            fi
-            if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
-              echo "$freeSwap" > $out/min-free-swap
-            fi
-            sleep 4
-          done
-        ) &
-
-        seq_end=$(( chunkCount - 1 ))
-
-        ${lib.optionalString quickTest ''
-          seq_end=0
-        ''}
-
-        chunkOutputDir=$(mktemp -d)
-        mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}
-
-        seq -w 0 "$seq_end" |
-          command time -f "%e" -o "$out/total-time" \
-          xargs -I{} -P"$cores" \
-          ${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"
-
-        cp -r "$chunkOutputDir"/stats $out/stats-by-chunk
-
-        if (( chunkSize * chunkCount != attrCount )); then
-          # A final incomplete chunk would mess up the stats, don't include it
-          rm "$chunkOutputDir"/stats/"$seq_end"
-        fi
-
-        cat "$chunkOutputDir"/result/* > $out/paths
-      '';
-
-  combine =
-    {
-      resultsDir,
-    }:
-    runCommand "combined-result"
-      {
-        nativeBuildInputs = [
-          jq
-        ];
-      }
-      ''
-        mkdir -p $out
-
-        # Transform output paths to JSON
-        cat ${resultsDir}/*/paths |
-          jq --sort-keys --raw-input --slurp '
-            split("\n") |
-            map(select(. != "") | split(" ") | map(select(. != ""))) |
-            map(
-              {
-                key: .[0],
-                value: .[1] | split(";") | map(split("=") |
-                  if length == 1 then
-                    { key: "out", value: .[0] }
-                  else
-                    { key: .[0], value: .[1] }
-                  end) | from_entries}
-            ) | from_entries
-          ' > $out/outpaths.json
-
-        mkdir -p $out/stats
-
-        for d in ${resultsDir}/*; do
-          cp -r "$d"/stats-by-chunk $out/stats/$(basename "$d")
-        done
-      '';
-
-  compare = import ./compare {
-    inherit
-      lib
-      jq
-      runCommand
-      writeText
-      supportedSystems
-      python3
-      ;
-  };
-
-  full =
-    {
-      # Whether to evaluate on a specific set of systems, by default all are evaluated
-      evalSystems ? if quickTest then [ "x86_64-linux" ] else supportedSystems,
-      # The number of attributes per chunk, see ./README.md for more info.
-      chunkSize,
-      quickTest ? false,
-    }:
-    let
-      results = linkFarm "results" (
-        map (evalSystem: {
-          name = evalSystem;
-          path = singleSystem {
-            inherit quickTest evalSystem chunkSize;
-          };
-        }) evalSystems
-      );
-    in
-    combine {
-      resultsDir = results;
-    };
-
-in
-{
-  inherit
-    attrpathsSuperset
-    singleSystem
-    combine
-    compare
-    # The above three are used by separate VMs in a GitHub workflow,
-    # while the below is intended for testing on a single local machine
-    full
-    ;
-}

ci/get-merge-commit.sh

@@ -55,10 +55,7 @@ done
 
 if [[ "$mergeable" == "true" ]]; then
     log "The PR can be merged"
-    mergedSha="$(jq -r .merge_commit_sha <<< "$prInfo")"
-    echo "mergedSha=$mergedSha"
-    targetSha="$(gh api "/repos/$repo/commits/$mergedSha" --jq '.parents[0].sha')"
-    echo "targetSha=$targetSha"
+    jq -r .merge_commit_sha <<< "$prInfo"
 else
     log "The PR has a merge conflict"
     exit 2

ci/parse.nix

@@ -1,43 +0,0 @@
-{
-  lib,
-  nix,
-  runCommand,
-}:
-let
-  nixpkgs =
-    with lib.fileset;
-    toSource {
-      root = ../.;
-      fileset = (fileFilter (file: file.hasExt "nix") ../.);
-    };
-in
-runCommand "nix-parse-${nix.name}"
-  {
-    nativeBuildInputs = [
-      nix
-    ];
-  }
-  ''
-    export NIX_STORE_DIR=$TMPDIR/store
-    export NIX_STATE_DIR=$TMPDIR/state
-
-    cd "${nixpkgs}"
-
-    # Passes all files to nix-instantiate at once.
-    # Much faster, but will only show first error.
-    parse-all() {
-      find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse >/dev/null 2>/dev/null
-    }
-
-    # Passes each file separately to nix-instantiate with -n1.
-    # Much slower, but will show all errors.
-    parse-each() {
-      find . -type f -iname '*.nix' | xargs -n1 -P $(nproc) nix-instantiate --parse >/dev/null
-    }
-
-    if ! parse-all; then
-      parse-each
-    fi
-
-    touch $out
-  ''

ci/pinned-nixpkgs.json

@@ -1,4 +1,4 @@
 {
-  "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
-  "sha256": "132nimgi1g88fbhddk4b8b1qk68jly494x2mnphyk3xa1d2wy9q7"
+  "rev": "4de4818c1ffa76d57787af936e8a23648bda6be4",
+  "sha256": "0l3b9jr5ydzqgvd10j12imc9jqb6jv5v2bdi1gyy5cwkwplfay67"
 }

ci/request-reviews/default.nix

@@ -14,9 +14,8 @@ stdenvNoCC.mkDerivation {
   src = lib.fileset.toSource {
     root = ./.;
     fileset = lib.fileset.unions [
-      ./get-code-owners.sh
-      ./request-reviewers.sh
-      ./request-code-owner-reviews.sh
+      ./get-reviewers.sh
+      ./request-reviews.sh
       ./verify-base-branch.sh
       ./dev-branches.txt
     ];

ci/request-reviews/dev-branches.txt

@@ -1,9 +1,7 @@
 # Trusted development branches:
 # These generally require PRs to update and are built by Hydra.
-# Keep this synced with the branches in .github/workflows/eval.yml
 master
 staging
 release-*
 staging-*
 haskell-updates
-python-updates

ci/request-reviews/get-code-owners.sh

@@ -1,97 +0,0 @@
-#!/usr/bin/env bash
-
-# Get the code owners of the files changed by a PR, returning one username per line
-
-set -euo pipefail
-
-log() {
-    echo "$@" >&2
-}
-
-if (( "$#" < 4 )); then
-    log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REF HEAD_REF"
-    exit 1
-fi
-
-gitRepo=$1
-ownersFile=$2
-baseRef=$3
-headRef=$4
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files"
-readarray -t touchedFiles < "$tmp/touched-files"
-log "This PR touches ${#touchedFiles[@]} files"
-
-# Get the owners file from the base, because we don't want to allow PRs to
-# remove code owners to avoid pinging them
-git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
-
-# Associative array with the user as the key for easy de-duplication
-# Make sure to always lowercase keys to avoid duplicates with different casings
-declare -A users=()
-
-for file in "${touchedFiles[@]}"; do
-    result=$(codeowners --file "$tmp"/codeowners "$file")
-
-    # Remove the file prefix and trim the surrounding spaces
-    read -r owners <<< "${result#"$file"}"
-    if [[ "$owners" == "(unowned)" ]]; then
-        log "File $file is unowned"
-        continue
-    fi
-    log "File $file is owned by $owners"
-
-    # Split up multiple owners, separated by arbitrary amounts of spaces
-    IFS=" " read -r -a entries <<< "$owners"
-
-    for entry in "${entries[@]}"; do
-        # GitHub technically also supports Emails as code owners,
-        # but we can't easily support that, so let's not
-        if [[ ! "$entry" =~ @(.*) ]]; then
-            warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2
-            # Don't fail, because the PR for which this script runs can't fix it,
-            # it has to be fixed in the base branch
-            continue
-        fi
-        # The first regex match is everything after the @
-        entry=${BASH_REMATCH[1]}
-
-        if [[ "$entry" =~ (.*)/(.*) ]]; then
-            # Teams look like $org/$team
-            org=${BASH_REMATCH[1]}
-            team=${BASH_REMATCH[2]}
-
-            # Instead of requesting a review from the team itself,
-            # we request reviews from the individual users.
-            # This is because once somebody from a team reviewed the PR,
-            # the API doesn't expose that the team was already requested for a review,
-            # so we wouldn't be able to avoid rerequesting reviews
-            # without saving some some extra state somewhere
-
-            # We could also consider implementing a more advanced heuristic
-            # in the future that e.g. only pings one team member,
-            # but escalates to somebody else if that member doesn't respond in time.
-            gh api \
-                --cache=1h \
-                -H "Accept: application/vnd.github+json" \
-                -H "X-GitHub-Api-Version: 2022-11-28" \
-                "/orgs/$org/teams/$team/members" \
-                --jq '.[].login' > "$tmp/team-members"
-            readarray -t members < "$tmp/team-members"
-            log "Team $entry has these members: ${members[*]}"
-
-            for user in "${members[@]}"; do
-                users[${user,,}]=
-            done
-        else
-            # Everything else is a user
-            users[${entry,,}]=
-        fi
-    done
-
-done
-
-printf "%s\n" "${!users[@]}"

ci/request-reviews/get-reviewers.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+
+# Get the code owners of the files changed by a PR,
+# suitable to be consumed by the API endpoint to request reviews:
+# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( "$#" < 7 )); then
+    log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REPO BASE_REF HEAD_REF PR_NUMBER PR_AUTHOR"
+    exit 1
+fi
+
+gitRepo=$1
+ownersFile=$2
+baseRepo=$3
+baseRef=$4
+headRef=$5
+prNumber=$6
+prAuthor=$7
+
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+
+git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files"
+readarray -t touchedFiles < "$tmp/touched-files"
+log "This PR touches ${#touchedFiles[@]} files"
+
+# Get the owners file from the base, because we don't want to allow PRs to
+# remove code owners to avoid pinging them
+git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
+
+# Associative array with the user as the key for easy de-duplication
+# Make sure to always lowercase keys to avoid duplicates with different casings
+declare -A users=()
+
+for file in "${touchedFiles[@]}"; do
+    result=$(codeowners --file "$tmp"/codeowners "$file")
+
+    read -r file owners <<< "$result"
+    if [[ "$owners" == "(unowned)" ]]; then
+        log "File $file is unowned"
+        continue
+    fi
+    log "File $file is owned by $owners"
+
+    # Split up multiple owners, separated by arbitrary amounts of spaces
+    IFS=" " read -r -a entries <<< "$owners"
+
+    for entry in "${entries[@]}"; do
+        # GitHub technically also supports Emails as code owners,
+        # but we can't easily support that, so let's not
+        if [[ ! "$entry" =~ @(.*) ]]; then
+            warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2
+            # Don't fail, because the PR for which this script runs can't fix it,
+            # it has to be fixed in the base branch
+            continue
+        fi
+        # The first regex match is everything after the @
+        entry=${BASH_REMATCH[1]}
+
+        if [[ "$entry" =~ (.*)/(.*) ]]; then
+            # Teams look like $org/$team
+            org=${BASH_REMATCH[1]}
+            team=${BASH_REMATCH[2]}
+
+            # Instead of requesting a review from the team itself,
+            # we request reviews from the individual users.
+            # This is because once somebody from a team reviewed the PR,
+            # the API doesn't expose that the team was already requested for a review,
+            # so we wouldn't be able to avoid rerequesting reviews
+            # without saving some some extra state somewhere
+
+            # We could also consider implementing a more advanced heuristic
+            # in the future that e.g. only pings one team member,
+            # but escalates to somebody else if that member doesn't respond in time.
+            gh api \
+                --cache=1h \
+                -H "Accept: application/vnd.github+json" \
+                -H "X-GitHub-Api-Version: 2022-11-28" \
+                "/orgs/$org/teams/$team/members" \
+                --jq '.[].login' > "$tmp/team-members"
+            readarray -t members < "$tmp/team-members"
+            log "Team $entry has these members: ${members[*]}"
+
+            for user in "${members[@]}"; do
+                users[${user,,}]=
+            done
+        else
+            # Everything else is a user
+            users[${entry,,}]=
+        fi
+    done
+
+done
+
+# Cannot request a review from the author
+if [[ -v users[${prAuthor,,}] ]]; then
+    log "One or more files are owned by the PR author, ignoring"
+    unset 'users[${prAuthor,,}]'
+fi
+
+gh api \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/$baseRepo/pulls/$prNumber/reviews" \
+    --jq '.[].user.login' > "$tmp/already-reviewed-by"
+
+# And we don't want to rerequest reviews from people who already reviewed
+while read -r user; do
+    if [[ -v users[${user,,}] ]]; then
+        log "User $user is a code owner but has already left a review, ignoring"
+        unset 'users[${user,,}]'
+    fi
+done < "$tmp/already-reviewed-by"
+
+# Turn it into a JSON for the GitHub API call to request PR reviewers
+jq -n \
+    --arg users "${!users[*]}" \
+    '{
+      reviewers: $users | split(" "),
+    }'

ci/request-reviews/request-code-owner-reviews.sh

@@ -1,82 +0,0 @@
-#!/usr/bin/env bash
-
-# Requests reviews for a PR after verifying that the base branch is correct
-
-set -euo pipefail
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-SCRIPT_DIR=$(dirname "$0")
-
-log() {
-    echo "$@" >&2
-}
-
-effect() {
-    if [[ -n "${DRY_MODE:-}" ]]; then
-        log "Skipping in dry mode:" "${@@Q}"
-    else
-        "$@"
-    fi
-}
-
-if (( $# < 3 )); then
-    log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE"
-    exit 1
-fi
-baseRepo=$1
-prNumber=$2
-ownersFile=$3
-
-log "Fetching PR info"
-prInfo=$(gh api \
-  -H "Accept: application/vnd.github+json" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  "/repos/$baseRepo/pulls/$prNumber")
-
-baseBranch=$(jq -r .base.ref <<< "$prInfo")
-log "Base branch: $baseBranch"
-prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")
-log "PR repo: $prRepo"
-prBranch=$(jq -r .head.ref <<< "$prInfo")
-log "PR branch: $prBranch"
-prAuthor=$(jq -r .user.login <<< "$prInfo")
-log "PR author: $prAuthor"
-
-extraArgs=()
-if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then
-    # Speedup for local runs
-    extraArgs+=(--reference-if-able "$pwdRepo")
-fi
-
-log "Fetching Nixpkgs commit history"
-# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0
-# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary
-git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git
-
-log "Fetching the PR commit history"
-# Fetch the PR
-git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
-# This remote config is the same as --filter=tree:0 when cloning
-git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
-git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
-
-git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
-headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
-
-log "Checking correctness of the base branch"
-if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
-    log "Posting error as comment"
-    if ! response=$(effect gh api \
-        --method POST \
-        -H "Accept: application/vnd.github+json" \
-        -H "X-GitHub-Api-Version: 2022-11-28" \
-        "/repos/$baseRepo/issues/$prNumber/comments" \
-        -F "body=@$tmp/invalid-base-error"); then
-        log "Failed to post the comment: $response"
-    fi
-    exit 1
-fi
-
-log "Requesting reviews from code owners"
-"$SCRIPT_DIR"/get-code-owners.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseBranch" "$headRef" | \
-    "$SCRIPT_DIR"/request-reviewers.sh "$baseRepo" "$prNumber" "$prAuthor"

ci/request-reviews/request-reviewers.sh

@@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-
-# Request reviewers for a PR, reading line-separated usernames on stdin,
-# filtering for valid reviewers before using the API endpoint to request reviews:
-# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request
-
-set -euo pipefail
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-log() {
-    echo "$@" >&2
-}
-
-effect() {
-    if [[ -n "${DRY_MODE:-}" ]]; then
-        log "Skipping in dry mode:" "${@@Q}"
-    else
-        "$@"
-    fi
-}
-
-if (( "$#" < 3 )); then
-    log "Usage: $0 BASE_REPO PR_NUMBER PR_AUTHOR"
-    exit 1
-fi
-
-baseRepo=$1
-prNumber=$2
-prAuthor=$3
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-declare -A users=()
-while read -r handle && [[ -n "$handle" ]]; do
-    users[${handle,,}]=
-done
-
-# Cannot request a review from the author
-if [[ -v users[${prAuthor,,}] ]]; then
-    log "One or more files are owned by the PR author, ignoring"
-    unset 'users[${prAuthor,,}]'
-fi
-
-gh api \
-    -H "Accept: application/vnd.github+json" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
-    "/repos/$baseRepo/pulls/$prNumber/reviews" \
-    --jq '.[].user.login' > "$tmp/already-reviewed-by"
-
-# And we don't want to rerequest reviews from people who already reviewed
-while read -r user; do
-    if [[ -v users[${user,,}] ]]; then
-        log "User $user is a potential reviewer, but has already left a review, ignoring"
-        unset 'users[${user,,}]'
-    fi
-done < "$tmp/already-reviewed-by"
-
-for user in "${!users[@]}"; do
-    if ! gh api \
-        -H "Accept: application/vnd.github+json" \
-        -H "X-GitHub-Api-Version: 2022-11-28" \
-        "/repos/$baseRepo/collaborators/$user" >&2; then
-        log "User $user is not a repository collaborator, probably missed the automated invite to the maintainers team (see <https://github.com/NixOS/nixpkgs/issues/234293>), ignoring"
-        unset 'users[$user]'
-    fi
-done
-
-if [[ "${#users[@]}" -gt 10 ]]; then
-    log "Too many reviewers (${!users[*]}), skipping review requests"
-    exit 0
-fi
-
-for user in "${!users[@]}"; do
-    log "Requesting review from: $user"
-
-    if ! response=$(jq -n --arg user "$user" '{ reviewers: [ $user ] }' | \
-        effect gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \
-            --input -); then
-        log "Failed to request review from $user: $response"
-    fi
-done

ci/request-reviews/request-reviews.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+# Requests reviews for a PR after verifying that the base branch is correct
+
+set -euo pipefail
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+SCRIPT_DIR=$(dirname "$0")
+
+log() {
+    echo "$@" >&2
+}
+
+effect() {
+    if [[ -n "${DRY_MODE:-}" ]]; then
+        log "Skipping in dry mode:" "${@@Q}"
+    else
+        "$@"
+    fi
+}
+
+if (( $# < 3 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE"
+    exit 1
+fi
+baseRepo=$1
+prNumber=$2
+ownersFile=$3
+
+log "Fetching PR info"
+prInfo=$(gh api \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  "/repos/$baseRepo/pulls/$prNumber")
+
+baseBranch=$(jq -r .base.ref <<< "$prInfo")
+log "Base branch: $baseBranch"
+prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")
+log "PR repo: $prRepo"
+prBranch=$(jq -r .head.ref <<< "$prInfo")
+log "PR branch: $prBranch"
+prAuthor=$(jq -r .user.login <<< "$prInfo")
+log "PR author: $prAuthor"
+
+extraArgs=()
+if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then
+    # Speedup for local runs
+    extraArgs+=(--reference-if-able "$pwdRepo")
+fi
+
+log "Fetching Nixpkgs commit history"
+# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0
+# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary
+git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git
+
+log "Fetching the PR commit history"
+# Fetch the PR
+git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
+# This remote config is the same as --filter=tree:0 when cloning
+git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
+git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
+
+git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
+headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
+
+log "Checking correctness of the base branch"
+if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
+    log "Posting error as comment"
+    if ! response=$(effect gh api \
+        --method POST \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$baseRepo/issues/$prNumber/comments" \
+        -F "body=@$tmp/invalid-base-error"); then
+        log "Failed to post the comment: $response"
+    fi
+    exit 1
+fi
+
+log "Getting code owners to request reviews from"
+"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseRepo" "$baseBranch" "$headRef" "$prNumber" "$prAuthor" > "$tmp/reviewers.json"
+
+log "Requesting reviews from: $(<"$tmp/reviewers.json")"
+
+if ! response=$(effect gh api \
+    --method POST \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \
+    --input "$tmp/reviewers.json"); then
+    log "Failed to request reviews: $response"
+    exit 1
+fi
+
+log "Successfully requested reviews"

ci/supportedSystems.json

@@ -1,6 +0,0 @@
-[
-  "aarch64-linux",
-  "aarch64-darwin",
-  "x86_64-linux",
-  "x86_64-darwin"
-]

default.nix

@@ -1,8 +1,6 @@
-let
-  requiredVersion = import ./lib/minver.nix;
-in
+let requiredVersion = import ./lib/minver.nix; in
 
-if !builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.nixVersion == 1 then
+if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.nixVersion == 1 then
 
   abort ''
 

doc/README.md

@@ -21,7 +21,7 @@ Rendered documentation:
 - [Unstable (from master)](https://nixos.org/manual/nixpkgs/unstable/)
 - [Stable (from latest release)](https://nixos.org/manual/nixpkgs/stable/)
 
-The rendering tool is [nixos-render-docs](../pkgs/by-name/ni/nixos-render-docs), sometimes abbreviated `nrd`.
+The rendering tool is [nixos-render-docs](../pkgs/tools/nix/nixos-render-docs/src/nixos_render_docs), sometimes abbreviated `nrd`.
 
 ## Contributing to this documentation
 
@@ -42,12 +42,6 @@ It is a daemon, that:
 2. HTTP serves the manual, injecting a script that triggers reload on changes
 3. opens the manual in the default browser
 
-### Testing redirects
-
-Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
-
-Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.
-
 ## Syntax
 
 As per [RFC 0072](https://github.com/NixOS/rfcs/pull/72), all new documentation content should be written in [CommonMark](https://commonmark.org/) Markdown dialect.
@@ -95,7 +89,6 @@ Inlining HTML is not allowed. Parts of the documentation gets rendered to variou
 #### Roles
 
 If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``. The references will turn into links when a mapping exists in [`doc/manpage-urls.json`](./manpage-urls.json).
-Please keep the `manpage-urls.json` file alphabetically sorted.
 
 A few markups for other kinds of literals are also available:
 
@@ -108,7 +101,6 @@ A few markups for other kinds of literals are also available:
 These literal kinds are used mostly in NixOS option documentation.
 
 This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point). Though, the feature originates from [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage) with slightly different syntax.
-They are handled by `myst_role` defined per renderer. <!-- reverse references in code -->
 
 #### Admonitions
 

doc/build-helpers.md

@@ -17,7 +17,6 @@ There is no uniform interface for build helpers.
 [Language- or framework-specific build helpers](#chap-language-support) usually follow the style of `stdenv.mkDerivation`, which accepts an attribute set or a fixed-point function taking an attribute set.
 
 ```{=include=} chapters
-build-helpers/fixed-point-arguments.chapter.md
 build-helpers/fetchers.chapter.md
 build-helpers/trivial-build-helpers.chapter.md
 build-helpers/testers.chapter.md

doc/build-helpers/dev-shell-tools.chapter.md

@@ -20,12 +20,12 @@ Converts Nix values to strings in the way the [`derivation` built-in function](h
 
 ```nix
 devShellTools.valueToString (builtins.toFile "foo" "bar")
-# => "/nix/store/...-foo"
+=> "/nix/store/...-foo"
 ```
 
 ```nix
 devShellTools.valueToString false
-# => ""
+=> ""
 ```
 
 :::
@@ -42,22 +42,16 @@ This function does not support `__structuredAttrs`, but does support `passAsFile
 devShellTools.unstructuredDerivationInputEnv {
   drvAttrs = {
     name = "foo";
-    buildInputs = [
-      hello
-      figlet
-    ];
+    buildInputs = [ hello figlet ];
     builder = bash;
-    args = [
-      "-c"
-      "${./builder.sh}"
-    ];
+    args = [ "-c" "${./builder.sh}" ];
   };
 }
-# => {
-#  name = "foo";
-#  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
-#  builder = "/nix/store/...-bash";
-#}
+=> {
+  name = "foo";
+  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
+  builder = "/nix/store/...-bash";
+}
 ```
 
 Note that `args` is not included, because Nix does not added it to the builder process environment.
@@ -75,10 +69,7 @@ Takes the relevant parts of a derivation and returns a set of environment variab
 let
   pkg = hello;
 in
-devShellTools.derivationOutputEnv {
-  outputList = pkg.outputs;
-  outputMap = pkg;
-}
+devShellTools.derivationOutputEnv { outputList = pkg.outputs; outputMap = pkg; }
 ```
 
 :::

doc/build-helpers/fetchers.chapter.md

@@ -491,11 +491,7 @@ It might be useful to manipulate the content downloaded by `fetchurl` directly i
 In this example, we'll adapt [](#ex-fetchers-fetchurl-nixpkgs-version) to append the result of running the `hello` package to the contents we download, purely to illustrate how to manipulate the content.
 
 ```nix
-{
-  fetchurl,
-  hello,
-  lib,
-}:
+{ fetchurl, hello, lib }:
 fetchurl {
   url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
 
@@ -718,10 +714,9 @@ A wrapper around `fetchpatch`, which takes:
 Here is an example of `fetchDebianPatch` in action:
 
 ```nix
-{
-  lib,
-  fetchDebianPatch,
-  buildPythonPackage,
+{ lib
+, fetchDebianPatch
+, buildPythonPackage
 }:
 
 buildPythonPackage rec {
@@ -733,7 +728,7 @@ buildPythonPackage rec {
     (fetchDebianPatch {
       inherit pname version;
       debianRevision = "5";
-      patch = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
+      name = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
       hash = "sha256-xA8Wnrpr31H8wy3zHSNfezFNjUJt1HbSXn3qUMzeKc0=";
     })
   ];
@@ -760,71 +755,25 @@ Used with Subversion. Expects `url` to a Subversion directory, `rev`, and `hash`
 
 Used with Git. Expects `url` to a Git repo, `rev`, and `hash`. `rev` in this case can be full the git commit id (SHA1 hash) or a tag name like `refs/tags/v1.0`.
 
-If you want to fetch a tag you should pass the `tag` parameter instead of `rev` which has the same effect as setting `rev = "refs/tags"/${version}"`.
-This is safer than just setting `rev = version` w.r.t. possible branch and tag name conflicts.
+Additionally, the following optional arguments can be given: `fetchSubmodules = true` makes `fetchgit` also fetch the submodules of a repository. If `deepClone` is set to true, the entire repository is cloned as opposing to just creating a shallow clone. `deepClone = true` also implies `leaveDotGit = true` which means that the `.git` directory of the clone won't be removed after checkout.
 
-Additionally, the following optional arguments can be given:
+If only parts of the repository are needed, `sparseCheckout` can be used. This will prevent git from fetching unnecessary blobs from server, see [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information:
 
-*`fetchSubmodules`* (Boolean)
+```nix
+{ stdenv, fetchgit }:
 
-: Whether to also fetch the submodules of a repository.
-
-*`fetchLFS`* (Boolean)
-
-: Whether to fetch LFS objects.
-
-*`preFetch`* (String)
-
-: Shell code to be executed before the repository has been fetched, to allow
-  changing the environment the fetcher runs in.
-
-*`postFetch`* (String)
-
-: Shell code executed after the repository has been fetched successfully.
-  This can do things like check or transform the file.
-
-*`leaveDotGit`* (Boolean)
-
-: Whether the `.git` directory of the clone should *not* be removed after checkout.
-
-  Be warned though that the git repository format is not stable and this flag is therefore not suitable for actual use by itself.
-  Only use this for testing purposes or in conjunction with removing the `.git` directory in `postFetch`.
-
-*`deepClone`* (Boolean)
-
-: Clone the entire repository as opposing to just creating a shallow clone.
-  This implies `leaveDotGit`.
-
-*`sparseCheckout`* (List of String)
-
-: Prevent git from fetching unnecessary blobs from server.
-  This is useful if only parts of the repository are needed.
-
-  ::: {.example #ex-fetchgit-sparseCheckout}
-
-  # Use `sparseCheckout` to only include some directories:
-
-  ```nix
-  { stdenv, fetchgit }:
-
-  stdenv.mkDerivation {
-    name = "hello";
-    src = fetchgit {
-      url = "https://...";
-      sparseCheckout = [
-        "directory/to/be/included"
-        "another/directory"
-      ];
-      hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
-    };
-  }
-  ```
-  :::
-
-  See [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information.
-
-Some additional parameters for niche use-cases can be found listed in the function parameters in the declaration of `fetchgit`: `pkgs/build-support/fetchgit/default.nix`.
-Future parameters additions might also happen without immediately being documented here.
+stdenv.mkDerivation {
+  name = "hello";
+  src = fetchgit {
+    url = "https://...";
+    sparseCheckout = [
+      "directory/to/be/included"
+      "another/directory"
+    ];
+    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+  };
+}
+```
 
 ## `fetchfossil` {#fetchfossil}
 
@@ -846,7 +795,7 @@ A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are m
 
 ## `fetchFromGitHub` {#fetchfromgithub}
 
-`fetchFromGitHub` expects four arguments. `owner` is a string corresponding to the GitHub user or organization that controls this repository. `repo` corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as `owner`/`repo`. `rev` corresponds to the Git commit hash or tag (e.g `v1.0`) that will be downloaded from Git. If you need to fetch a tag however, you should prefer to use the `tag` parameter which achieves this in a safer way with less boilerplate. Finally, `hash` corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but `hash` is currently preferred.
+`fetchFromGitHub` expects four arguments. `owner` is a string corresponding to the GitHub user or organization that controls this repository. `repo` corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as `owner`/`repo`. `rev` corresponds to the Git commit hash or tag (e.g `v1.0`) that will be downloaded from Git. Finally, `hash` corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but `hash` is currently preferred.
 
 To use a different GitHub instance, use `githubBase` (defaults to `"github.com"`).
 
@@ -924,9 +873,7 @@ It produces packages that cannot be built automatically.
 { fetchtorrent }:
 
 fetchtorrent {
-  config = {
-    peer-limit-global = 100;
-  };
+  config = { peer-limit-global = 100; };
   url = "magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c";
   hash = "";
 }

doc/build-helpers/fixed-point-arguments.chapter.md

@@ -1,74 +0,0 @@
-# Fixed-point arguments of build helpers {#chap-build-helpers-finalAttrs}
-
-As mentioned in the beginning of this part, `stdenv.mkDerivation` could alternatively accept a fixed-point function. The input of such function, typically named `finalAttrs`, is expected to be the final state of the attribute set.
-A build helper like this is said to accept **fixed-point arguments**.
-
-Build helpers don't always support fixed-point arguments yet, as support in [`stdenv.mkDerivation`](#mkderivation-recursive-attributes) was first included in Nixpkgs 22.05.
-
-## Defining a build helper with `lib.extendMkDerivation` {#sec-build-helper-extendMkDerivation}
-
-Developers can use the Nixpkgs library function [`lib.customisation.extendMkDerivation`](#function-library-lib.customisation.extendMkDerivation) to define a build helper supporting fixed-point arguments from an existing one with such support, with an attribute overlay similar to the one taken by [`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs).
-
-Beside overriding, `lib.extendMkDerivation` also supports `excludeDrvArgNames` to optionally exclude some arguments in the input fixed-point arguments from passing down the base build helper (specified as `constructDrv`).
-
-:::{.example #ex-build-helpers-extendMkDerivation}
-
-# Example definition of `mkLocalDerivation` extended from `stdenv.mkDerivation` with `lib.extendMkDerivation`
-
-We want to define a build helper named `mkLocalDerivation` that builds locally without using substitutes by default.
-
-Instead of taking a plain attribute set,
-
-```nix
-{
-  preferLocalBuild ? true,
-  allowSubstitute ? false,
-  specialArg ? (_: false),
-  ...
-}@args:
-
-stdenv.mkDerivation (
-  removeAttrs [
-    # Don't pass specialArg into mkDerivation.
-    "specialArg"
-  ] args
-  // {
-    # Arguments to pass
-    inherit preferLocalBuild allowSubstitute;
-    # Some expressions involving specialArg
-    greeting = if specialArg "hi" then "hi" else "hello";
-  }
-)
-```
-
-we could define with `lib.extendMkDerivation` an attribute overlay to make the result build helper also accepts the the attribute set's fixed point passing to the underlying `stdenv.mkDerivation`, named `finalAttrs` here:
-
-```nix
-lib.extendMkDerivation {
-  constructDrv = stdenv.mkDerivation;
-  excludeDrvArgNames = [
-    # Don't pass specialArg into mkDerivation.
-    "specialArg"
-  ];
-  extendDrvArgs =
-    finalAttrs:
-    {
-      preferLocalBuild ? true,
-      allowSubstitute ? false,
-      specialArg ? (_: false),
-      ...
-    }@args:
-    {
-      # Arguments to pass
-      inherit
-        preferLocalBuild
-        allowSubstitute
-        ;
-      # Some expressions involving specialArg
-      greeting = if specialArg "hi" then "hi" else "hello";
-    };
-}
-```
-:::
-
-If one needs to apply extra changes to the result derivation, pass the derivation transformation function to `lib.extendMkDerivation` as `lib.customisation.extendMkDerivation { transformDrv = drv: ...; }`.

doc/build-helpers/images/appimagetools.section.md

@@ -33,7 +33,7 @@ let
   version = "0.6.30";
 
   src = fetchurl {
-    url = "https://github.com/nukeop/nuclear/releases/download/v${version}/nuclear-v${version}.AppImage";
+    url = "https://github.com/nukeop/nuclear/releases/download/v${version}/${pname}-v${version}.AppImage";
     hash = "sha256-he1uGC1M/nFcKpMM9JKY4oeexJcnzV0ZRxhTjtJz6xw=";
   };
 in
@@ -66,8 +66,7 @@ let
     url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
     hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
   };
-in
-appimageTools.wrapType2 {
+in appimageTools.wrapType2 {
   inherit pname version src;
   extraPkgs = pkgs: [ pkgs.at-spi2-core ];
 }
@@ -107,8 +106,7 @@ let
   appimageContents = appimageTools.extract {
     inherit pname version src;
   };
-in
-appimageTools.wrapType2 {
+in appimageTools.wrapType2 {
   inherit pname version src;
 
   extraPkgs = pkgs: [ pkgs.at-spi2-core ];
@@ -152,8 +150,7 @@ let
       substituteInPlace $out/irccloud.desktop --replace-fail 'Exec=AppRun' 'Exec=${pname}'
     '';
   };
-in
-appimageTools.wrapType2 {
+in appimageTools.wrapType2 {
   inherit pname version src;
 
   extraPkgs = pkgs: [ pkgs.at-spi2-core ];

doc/build-helpers/images/binarycache.section.md

@@ -11,14 +11,6 @@ It can also be a convenient way to make some Nix packages available inside a con
 `rootPaths` must be a list of derivations.
 The transitive closure of these derivations' outputs will be copied into the cache.
 
-## Optional arguments {#sec-pkgs-binary-cache-arguments}
-
-`compression` (`"none"` or `"xz"` or `"zstd"`; _optional_)
-
-: The compression algorithm to use.
-
-  _Default value:_ `zstd`.
-
 ::: {.note}
 This function is meant for advanced use cases.
 The more idiomatic way to work with flat-file binary caches is via the [nix-copy-closure](https://nixos.org/manual/nix/stable/command-ref/nix-copy-closure.html) command.
@@ -35,7 +27,7 @@ The following derivation will construct a flat-file binary cache containing the
 ```nix
 { mkBinaryCache, hello }:
 mkBinaryCache {
-  rootPaths = [ hello ];
+  rootPaths = [hello];
 }
 ```
 

doc/build-helpers/images/dockertools.section.md

@@ -235,11 +235,7 @@ The following package builds a Docker image that runs the `redis-server` executa
 The Docker image will have name `redis` and tag `latest`.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  redis,
-}:
+{ dockerTools, buildEnv, redis }:
 dockerTools.buildImage {
   name = "redis";
   tag = "latest";
@@ -257,9 +253,7 @@ dockerTools.buildImage {
   config = {
     Cmd = [ "/bin/redis-server" ];
     WorkingDir = "/data";
-    Volumes = {
-      "/data" = { };
-    };
+    Volumes = { "/data" = { }; };
   };
 }
 ```
@@ -292,11 +286,7 @@ It uses `runAsRoot` to create a directory and a file inside the image.
 This works the same as [](#ex-dockerTools-buildImage-extraCommands), but uses `runAsRoot` instead of `extraCommands`.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  hello,
-}:
+{ dockerTools, buildEnv, hello }:
 dockerTools.buildImage {
   name = "hello";
   tag = "latest";
@@ -330,11 +320,7 @@ This works the same as [](#ex-dockerTools-buildImage-runAsRoot), but uses `extra
 Note that with `extraCommands`, we can't directly reference `/` and must create files and directories as if we were already on `/`.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  hello,
-}:
+{ dockerTools, buildEnv, hello }:
 dockerTools.buildImage {
   name = "hello";
   tag = "latest";
@@ -364,11 +350,7 @@ dockerTools.buildImage {
 Note that using a value of `"now"` in the `created` attribute will break reproducibility.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  hello,
-}:
+{ dockerTools, buildEnv, hello }:
 dockerTools.buildImage {
   name = "hello";
   tag = "latest";
@@ -784,11 +766,7 @@ The closure of `config` is automatically included in the generated image.
 The following package shows a more compact way to create the same output generated in [](#ex-dockerTools-streamLayeredImage-hello).
 
 ```nix
-{
-  dockerTools,
-  hello,
-  lib,
-}:
+{ dockerTools, hello, lib }:
 dockerTools.streamLayeredImage {
   name = "hello";
   tag = "latest";
@@ -903,7 +881,7 @@ dockerTools.pullImage {
   imageDigest = "sha256:b8ea88f763f33dfda2317b55eeda3b1a4006692ee29e60ee54ccf6d07348c598";
   finalImageName = "nix";
   finalImageTag = "2.19.3";
-  hash = "sha256-zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
+  sha256 = "zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
 }
 ```
 :::
@@ -920,7 +898,7 @@ dockerTools.pullImage {
   imageDigest = "sha256:24a23053f29266fb2731ebea27f915bb0fb2ae1ea87d42d890fe4e44f2e27c5d";
   finalImageName = "etcd";
   finalImageTag = "v3.5.11";
-  hash = "sha256-Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
+  sha256 = "Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
 }
 ```
 :::
@@ -944,7 +922,7 @@ Writing manifest to image destination
 {
   imageName = "nixos/nix";
   imageDigest = "sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634";
-  hash = "sha256-OEgs3uRPMb4Y629FJXAWZW9q9LqHS/A/GUqr3K5wzOA=";
+  sha256 = "1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q";
   finalImageName = "nixos/nix";
   finalImageTag = "latest";
 }
@@ -1569,15 +1547,11 @@ The Docker image generated will have a name like `hello-<version>-env` and tag `
 This example uses [](#ex-dockerTools-streamNixShellImage-hello) as a starting point.
 
 ```nix
-{
-  dockerTools,
-  cowsay,
-  hello,
-}:
+{ dockerTools, cowsay, hello }:
 dockerTools.streamNixShellImage {
   tag = "latest";
   drv = hello.overrideAttrs (old: {
-    nativeBuildInputs = old.nativeBuildInputs or [ ] ++ [
+    nativeBuildInputs = old.nativeBuildInputs or [] ++ [
       cowsay
     ];
   });

doc/build-helpers/images/makediskimage.section.md

@@ -52,23 +52,23 @@ A `deterministic` flag is available for best efforts determinism.
 To produce a Nix-store only image:
 ```nix
 let
-  pkgs = import <nixpkgs> { };
+  pkgs = import <nixpkgs> {};
   lib = pkgs.lib;
   make-disk-image = import <nixpkgs/nixos/lib/make-disk-image.nix>;
 in
-make-disk-image {
-  inherit pkgs lib;
-  config = { };
-  additionalPaths = [ ];
-  format = "qcow2";
-  onlyNixStore = true;
-  partitionTableType = "none";
-  installBootLoader = false;
-  touchEFIVars = false;
-  diskSize = "auto";
-  additionalSpace = "0M"; # Defaults to 512M.
-  copyChannel = false;
-}
+  make-disk-image {
+    inherit pkgs lib;
+    config = {};
+    additionalPaths = [ ];
+    format = "qcow2";
+    onlyNixStore = true;
+    partitionTableType = "none";
+    installBootLoader = false;
+    touchEFIVars = false;
+    diskSize = "auto";
+    additionalSpace = "0M"; # Defaults to 512M.
+    copyChannel = false;
+  }
 ```
 
 Some arguments can be left out, they are shown explicitly for the sake of the example.
@@ -78,36 +78,29 @@ Building this derivation will provide a QCOW2 disk image containing only the Nix
 To produce a NixOS installation image disk with UEFI and bootloader installed:
 ```nix
 let
-  pkgs = import <nixpkgs> { };
+  pkgs = import <nixpkgs> {};
   lib = pkgs.lib;
   make-disk-image = import <nixpkgs/nixos/lib/make-disk-image.nix>;
   evalConfig = import <nixpkgs/nixos/lib/eval-config.nix>;
 in
-make-disk-image {
-  inherit pkgs lib;
-  inherit
-    (evalConfig {
+  make-disk-image {
+    inherit pkgs lib;
+    inherit (evalConfig {
       modules = [
         {
-          fileSystems."/" = {
-            device = "/dev/vda";
-            fsType = "ext4";
-            autoFormat = true;
-          };
+          fileSystems."/" = { device = "/dev/vda"; fsType = "ext4"; autoFormat = true; };
           boot.grub.device = "/dev/vda";
         }
       ];
-    })
-    config
-    ;
-  format = "qcow2";
-  onlyNixStore = false;
-  partitionTableType = "legacy+gpt";
-  installBootLoader = true;
-  touchEFIVars = true;
-  diskSize = "auto";
-  additionalSpace = "0M"; # Defaults to 512M.
-  copyChannel = false;
-  memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
-}
+    }) config;
+    format = "qcow2";
+    onlyNixStore = false;
+    partitionTableType = "legacy+gpt";
+    installBootLoader = true;
+    touchEFIVars = true;
+    diskSize = "auto";
+    additionalSpace = "0M"; # Defaults to 512M.
+    copyChannel = false;
+    memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
+  }
 ```

doc/build-helpers/images/ocitools.section.md

@@ -76,11 +76,7 @@ Note that no user namespace is created, which means that you won't be able to ru
 This example uses `ociTools.buildContainer` to create a simple container that runs `bash`.
 
 ```nix
-{
-  ociTools,
-  lib,
-  bash,
-}:
+{ ociTools, lib, bash }:
 ociTools.buildContainer {
   args = [
     (lib.getExe bash)

doc/build-helpers/images/portableservice.section.md

@@ -91,12 +91,7 @@ See [](#ex-portableService-hello) to understand how to use the output of `portab
 The following example builds a Portable Service image with the `hello` package, along with a service unit that runs it.
 
 ```nix
-{
-  lib,
-  writeText,
-  portableService,
-  hello,
-}:
+{ lib, writeText, portableService, hello }:
 let
   hello-service = writeText "hello.service" ''
     [Unit]
@@ -156,13 +151,7 @@ To make things available globally, you must specify the `symlinks` attribute whe
 The following package builds on the package from [](#ex-portableService-hello) to make `/etc/ssl` available globally (this is only for illustrative purposes, because `hello` doesn't use `/etc/ssl`).
 
 ```nix
-{
-  lib,
-  writeText,
-  portableService,
-  hello,
-  cacert,
-}:
+{ lib, writeText, portableService, hello, cacert }:
 let
   hello-service = writeText "hello.service" ''
     [Unit]
@@ -178,10 +167,7 @@ portableService {
   inherit (hello) version;
   units = [ hello-service ];
   symlinks = [
-    {
-      object = "${cacert}/etc/ssl";
-      symlink = "/etc/ssl";
-    }
+    { object = "${cacert}/etc/ssl"; symlink = "/etc/ssl"; }
   ];
 }
 ```

doc/build-helpers/special/checkpoint-build.section.md

@@ -26,9 +26,7 @@ To change a normal derivation to a checkpoint based build, these steps must be t
 
 ## Example {#sec-checkpoint-build-example}
 ```nix
-{
-  pkgs ? import <nixpkgs> { },
-}:
+{ pkgs ? import <nixpkgs> {} }:
 let
   inherit (pkgs.checkpointBuildTools)
     prepareCheckpointBuild
@@ -41,6 +39,5 @@ let
       sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
     '';
   });
-in
-mkCheckpointBuild changedHello helloCheckpoint
+in mkCheckpointBuild changedHello helloCheckpoint
 ```

doc/build-helpers/special/fakenss.section.md

@@ -48,19 +48,12 @@ It is useful with functions in `dockerTools` to allow building Docker images tha
 This example includes the `hello` binary in the image so it can do something besides just have the extra files.
 
 ```nix
-{
-  dockerTools,
-  fakeNss,
-  hello,
-}:
+{ dockerTools, fakeNss, hello }:
 dockerTools.buildImage {
   name = "image-with-passwd";
   tag = "latest";
 
-  copyToRoot = [
-    fakeNss
-    hello
-  ];
+  copyToRoot = [ fakeNss hello ];
 
   config = {
     Cmd = [ "/bin/hello" ];
@@ -77,8 +70,8 @@ The following code uses `override` to add extra lines to `/etc/passwd` and `/etc
 ```nix
 { fakeNss }:
 fakeNss.override {
-  extraPasswdLines = [ "newuser:x:9001:9001:new user:/var/empty:/bin/sh" ];
-  extraGroupLines = [ "newuser:x:9001:" ];
+  extraPasswdLines = ["newuser:x:9001:9001:new user:/var/empty:/bin/sh"];
+  extraGroupLines = ["newuser:x:9001:"];
 }
 ```
 :::

doc/build-helpers/special/fhs-environments.section.md

@@ -6,13 +6,11 @@ It uses Linux' namespaces feature to create temporary lightweight environments w
 Accepted arguments are:
 
 - `name`
-        The name of the environment.
+        The name of the environment, and the wrapper executable if `pname` is unset.
 - `pname`
-        The pname of the environment.
+        The pname of the environment and the wrapper executable.
 - `version`
         The version of the environment.
-- `executableName`
-        The name of the wrapper executable. Defaults to `pname` if set, or `name` otherwise.
 - `targetPkgs`
         Packages to be installed for the main host's architecture (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also installed.
 - `multiPkgs`
@@ -36,29 +34,22 @@ Accepted arguments are:
 You can create a simple environment using a `shell.nix` like this:
 
 ```nix
-{
-  pkgs ? import <nixpkgs> { },
-}:
+{ pkgs ? import <nixpkgs> {} }:
 
 (pkgs.buildFHSEnv {
   name = "simple-x11-env";
-  targetPkgs =
-    pkgs:
-    (with pkgs; [
-      udev
-      alsa-lib
-    ])
-    ++ (with pkgs.xorg; [
-      libX11
-      libXcursor
-      libXrandr
-    ]);
-  multiPkgs =
-    pkgs:
-    (with pkgs; [
-      udev
-      alsa-lib
-    ]);
+  targetPkgs = pkgs: (with pkgs; [
+    udev
+    alsa-lib
+  ]) ++ (with pkgs.xorg; [
+    libX11
+    libXcursor
+    libXrandr
+  ]);
+  multiPkgs = pkgs: (with pkgs; [
+    udev
+    alsa-lib
+  ]);
   runScript = "bash";
 }).env
 ```

doc/build-helpers/special/makesetuphook.section.md

@@ -9,7 +9,7 @@ pkgs.makeSetupHook {
   name = "something-hook";
   propagatedBuildInputs = [ pkgs.commandsomething ];
   depsTargetTargetPropagated = [ pkgs.libsomething ];
-} ./script.sh
+} ./script.sh;
 ```
 
 ### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
@@ -42,7 +42,7 @@ pkgs.makeSetupHook
       }
       preConfigureHooks+=(_printHelloHook)
     ''
-  )
+  );
 ```
 
 ## Attributes {#sec-pkgs.makeSetupHook-attributes}

doc/build-helpers/special/mkshell.section.md

@@ -8,16 +8,11 @@ repetition when using it with `nix-shell` (or `nix develop`).
 Here is a common usage example:
 
 ```nix
-{
-  pkgs ? import <nixpkgs> { },
-}:
+{ pkgs ? import <nixpkgs> {} }:
 pkgs.mkShell {
   packages = [ pkgs.gnumake ];
 
-  inputsFrom = [
-    pkgs.hello
-    pkgs.gnutar
-  ];
+  inputsFrom = [ pkgs.hello pkgs.gnutar ];
 
   shellHook = ''
     export DEBUG=1

doc/build-helpers/special/vm-tools.section.md

@@ -31,34 +31,25 @@ If the build fails and Nix is run with the `-K/--keep-failed` option, a script `
 
 Build the derivation hello inside a VM:
 ```nix
-{ pkgs }: with pkgs; with vmTools; runInLinuxVM hello
+{ pkgs }: with pkgs; with vmTools;
+runInLinuxVM hello
 ```
 
 Build inside a VM with extra memory:
 ```nix
-{ pkgs }:
-with pkgs;
-with vmTools;
-runInLinuxVM (
-  hello.overrideAttrs (_: {
-    memSize = 1024;
-  })
-)
+{ pkgs }: with pkgs; with vmTools;
+runInLinuxVM (hello.overrideAttrs (_: { memSize = 1024; }))
 ```
 
 Use VM with a disk image (implicitly sets `diskImage`, see [`vmTools.createEmptyImage`](#vm-tools-createEmptyImage)):
 ```nix
-{ pkgs }:
-with pkgs;
-with vmTools;
-runInLinuxVM (
-  hello.overrideAttrs (_: {
-    preVM = createEmptyImage {
-      size = 1024;
-      fullName = "vm-image";
-    };
-  })
-)
+{ pkgs }: with pkgs; with vmTools;
+runInLinuxVM (hello.overrideAttrs (_: {
+  preVM = createEmptyImage {
+    size = 1024;
+    fullName = "vm-image";
+  };
+}))
 ```
 
 ## `vmTools.extractFs` {#vm-tools-extractFs}
@@ -75,7 +66,8 @@ Takes a file, such as an ISO, and extracts its contents into the store.
 
 Extract the contents of an ISO file:
 ```nix
-{ pkgs }: with pkgs; with vmTools; extractFs { file = ./image.iso; }
+{ pkgs }: with pkgs; with vmTools;
+extractFs { file = ./image.iso; }
 ```
 
 ## `vmTools.extractMTDfs` {#vm-tools-extractMTDfs}
@@ -94,12 +86,14 @@ Generate a script that can be used to run an interactive session in the given im
 
 Create a script for running a Fedora 27 VM:
 ```nix
-{ pkgs }: with pkgs; with vmTools; makeImageTestScript diskImages.fedora27x86_64
+{ pkgs }: with pkgs; with vmTools;
+makeImageTestScript diskImages.fedora27x86_64
 ```
 
 Create a script for running an Ubuntu 20.04 VM:
 ```nix
-{ pkgs }: with pkgs; with vmTools; makeImageTestScript diskImages.ubuntu2004x86_64
+{ pkgs }: with pkgs; with vmTools;
+makeImageTestScript diskImages.ubuntu2004x86_64
 ```
 
 ## `vmTools.diskImageFuns` {#vm-tools-diskImageFuns}
@@ -143,13 +137,8 @@ A set of functions that build a predefined set of minimal Linux distributions im
 
 8GiB image containing Firefox in addition to the default packages:
 ```nix
-{ pkgs }:
-with pkgs;
-with vmTools;
-diskImageFuns.ubuntu2004x86_64 {
-  extraPackages = [ "firefox" ];
-  size = 8192;
-}
+{ pkgs }: with pkgs; with vmTools;
+diskImageFuns.ubuntu2004x86_64 { extraPackages = [ "firefox" ]; size = 8192; }
 ```
 
 ## `vmTools.diskImageExtraFuns` {#vm-tools-diskImageExtraFuns}

doc/build-helpers/testers.chapter.md

@@ -98,8 +98,7 @@ It has two modes:
   ```nix
   {
     "https://nix\\.dev/manual/nix/[a-z0-9.-]*" = "${nix.doc}/share/doc/nix/manual";
-    "https://nixos\\.org/manual/nix/(un)?stable" =
-      "${emptyDirectory}/placeholder-to-disallow-old-nix-docs-urls";
+    "https://nixos\\.org/manual/nix/(un)?stable" = "${emptyDirectory}/placeholder-to-disallow-old-nix-docs-urls";
   }
   ```
 
@@ -119,7 +118,7 @@ It has two modes:
 
 ## `shellcheck` {#tester-shellcheck}
 
-Run files through `shellcheck`, a static analysis tool for shell scripts, failing if there are any issues.
+Runs files through `shellcheck`, a static analysis tool for shell scripts.
 
 :::{.example #ex-shellcheck}
 # Run `testers.shellcheck`
@@ -128,7 +127,7 @@ A single script
 
 ```nix
 testers.shellcheck {
-  name = "script";
+  name = "shellcheck";
   src = ./script.sh;
 }
 ```
@@ -140,7 +139,7 @@ let
   inherit (lib) fileset;
 in
 testers.shellcheck {
-  name = "nixbsd-activate";
+  name = "shellcheck";
   src = fileset.toSource {
     root = ./.;
     fileset = fileset.unions [
@@ -155,85 +154,22 @@ testers.shellcheck {
 
 ### Inputs {#tester-shellcheck-inputs}
 
-`name` (string, optional)
-: The name of the test.
-  `name` will be required at a future point because it massively improves traceability of test failures, but is kept optional for now to avoid breaking existing usages.
-  Defaults to `run-shellcheck`.
-  The name of the derivation produced by the tester is `shellcheck-${name}` when `name` is supplied.
+[`src` (path or string)]{#tester-shellcheck-param-src}
 
-`src` (path-like)
 : The path to the shell script(s) to check.
   This can be a single file or a directory containing shell files.
   All files in `src` will be checked, so you may want to provide `fileset`-based source instead of a whole directory.
 
 ### Return value {#tester-shellcheck-return}
 
-A derivation that runs `shellcheck` on the given script(s), producing an empty output if no issues are found.
+A derivation that runs `shellcheck` on the given script(s).
 The build will fail if `shellcheck` finds any issues.
 
-## `shfmt` {#tester-shfmt}
-
-Run files through `shfmt`, a shell script formatter, failing if any files are reformatted.
-
-:::{.example #ex-shfmt}
-# Run `testers.shfmt`
-
-A single script
-
-```nix
-testers.shfmt {
-  name = "script";
-  src = ./script.sh;
-}
-```
-
-Multiple files
-
-```nix
-let
-  inherit (lib) fileset;
-in
-testers.shfmt {
-  name = "nixbsd";
-  src = fileset.toSource {
-    root = ./.;
-    fileset = fileset.unions [
-      ./lib.sh
-      ./nixbsd-activate
-    ];
-  };
-}
-```
-
-:::
-
-### Inputs {#tester-shfmt-inputs}
-
-`name` (string)
-: The name of the test.
-  `name` is required because it massively improves traceability of test failures.
-  The name of the derivation produced by the tester is `shfmt-${name}`.
-
-`src` (path-like)
-: The path to the shell script(s) to check.
-  This can be a single file or a directory containing shell files.
-  All files in `src` will be checked, so you may want to provide `fileset`-based source instead of a whole directory.
-
-`indent` (integer, optional)
-: The number of spaces to use for indentation.
-  Defaults to `2`.
-  A value of `0` indents with tabs.
-
-### Return value {#tester-shfmt-return}
-
-A derivation that runs `shfmt` on the given script(s), producing an empty output upon success.
-The build will fail if `shfmt` reformats anything.
-
 ## `testVersion` {#tester-testVersion}
 
 Checks that the output from running a command contains the specified version string in it as a whole word.
 
-NOTE: This is a check you add to `passthru.tests` which is mainly run by OfBorg, but not in Hydra. If you want a version check failure to block the build altogether, then [`versionCheckHook`](#versioncheckhook) is the tool you're looking for (and recommended for quick builds). The motivation for adding either of these checks would be:
+NOTE: In most cases, [`versionCheckHook`](#versioncheckhook) should be preferred, but this function is provided and documented here anyway. The motivation for adding either tests would be:
 
 - Catch dynamic linking errors and such and missing environment variables that should be added by wrapping.
 - Probable protection against accidentally building the wrong version, for example when using an "old" hash in a fixed-output derivation.
@@ -303,90 +239,22 @@ While `testBuildFailure` is designed to keep changes to the original builder's e
 # Check that a build fails, and verify the changes made during build
 
 ```nix
-runCommand "example"
-  {
-    failed = testers.testBuildFailure (
-      runCommand "fail" { } ''
-        echo ok-ish >$out
-        echo failing though
-        exit 3
-      ''
-    );
-  }
-  ''
-    grep -F 'ok-ish' $failed/result
-    grep -F 'failing though' $failed/testBuildFailure.log
-    [[ 3 = $(cat $failed/testBuildFailure.exit) ]]
-    touch $out
-  ''
-```
-
-:::
-
-## `testBuildFailure'` {#tester-testBuildFailurePrime}
-
-This tester wraps the functionality provided by [`testers.testBuildFailure`](#tester-testBuildFailure) to make writing checks easier by simplifying checking the exit code of the builder and asserting the existence of entries in the builder's log.
-Additionally, users may specify a script containing additional checks, accessing the result of applying `testers.testBuildFailure` through the variable `failed`.
-
-NOTE: This tester will produce an empty output and exit with success if none of the checks fail; there is no need to `touch "$out"` in `script`.
-
-:::{.example #ex-testBuildFailurePrime-doc-example}
-
-# Check that a build fails, and verify the changes made during build
-
-Re-using the example from [`testers.testBuildFailure`](#ex-testBuildFailure-showingenvironmentchanges), we can see how common checks are made easier and remove the need for `runCommand`:
-
-```nix
-testers.testBuildFailure' {
-  drv = runCommand "doc-example" { } ''
-    echo ok-ish >"$out"
+runCommand "example" {
+  failed = testers.testBuildFailure (runCommand "fail" {} ''
+    echo ok-ish >$out
     echo failing though
     exit 3
-  '';
-  expectedBuilderExitCode = 3;
-  expectedBuilderLogEntries = [ "failing though" ];
-  script = ''
-    grep --silent -F 'ok-ish' "$failed/result"
-  '';
-}
+  '');
+} ''
+  grep -F 'ok-ish' $failed/result
+  grep -F 'failing though' $failed/testBuildFailure.log
+  [[ 3 = $(cat $failed/testBuildFailure.exit) ]]
+  touch $out
+''
 ```
 
 :::
 
-### Inputs {#tester-testBuildFailurePrime-inputs}
-
-`drv` (derivation)
-
-: The failing derivation to wrap with `testBuildFailure`.
-
-`name` (string, optional)
-
-: The name of the test.
-  When not provided, this value defaults to `testBuildFailure-${(testers.testBuildFailure drv).name}`.
-
-`expectedBuilderExitCode` (integer, optional)
-
-: The expected exit code of the builder of `drv`.
-  When not provided, this value defaults to `1`.
-
-`expectedBuilderLogEntries` (array of string-like values, optional)
-
-: A list of string-like values which must be found in the builder's log by exact match.
-  When not provided, this value defaults to `[ ]`.
-
-  NOTE: Patterns and regular expressions are not supported.
-
-`script` (string, optional)
-
-: A string containing additional checks to run.
-  When not provided, this value defaults to `""`.
-  The result of `testers.testBuildFailure drv` is available through the variable `failed`.
-  As an example, the builder's log is at `"$failed/testBuildFailure.log"`.
-
-### Return value {#tester-testBuildFailurePrime-return}
-
-The tester produces an empty output and only succeeds when the checks using `expectedBuilderExitCode`, `expectedBuilderLogEntries`, and `script` succeed.
-
 ## `testEqualContents` {#tester-testEqualContents}
 
 Check that two paths have the same contents.
@@ -401,114 +269,20 @@ testers.testEqualContents {
   expected = writeText "expected" ''
     foo baz baz
   '';
-  actual =
-    runCommand "actual"
-      {
-        # not really necessary for a package that's in stdenv
-        nativeBuildInputs = [ gnused ];
-        base = writeText "base" ''
-          foo bar baz
-        '';
-      }
-      ''
-        sed -e 's/bar/baz/g' $base >$out
-      '';
-}
-```
-
-:::
-
-## `testEqualArrayOrMap` {#tester-testEqualArrayOrMap}
-
-Check that bash arrays (including associative arrays, referred to as "maps") are populated correctly.
-
-This can be used to ensure setup hooks are registered in a certain order, or to write unit tests for shell functions which transform arrays.
-
-:::{.example #ex-testEqualArrayOrMap-test-function-add-cowbell}
-
-# Test a function which appends a value to an array
-
-```nix
-testers.testEqualArrayOrMap {
-  name = "test-function-add-cowbell";
-  valuesArray = [
-    "cowbell"
-    "cowbell"
-  ];
-  expectedArray = [
-    "cowbell"
-    "cowbell"
-    "cowbell"
-  ];
-  script = ''
-    addCowbell() {
-      local -rn arrayNameRef="$1"
-      arrayNameRef+=( "cowbell" )
-    }
-
-    nixLog "appending all values in valuesArray to actualArray"
-    for value in "''${valuesArray[@]}"; do
-      actualArray+=( "$value" )
-    done
-
-    nixLog "applying addCowbell"
-    addCowbell actualArray
+  actual = runCommand "actual" {
+    # not really necessary for a package that's in stdenv
+    nativeBuildInputs = [ gnused ];
+    base = writeText "base" ''
+      foo bar baz
+    '';
+  } ''
+    sed -e 's/bar/baz/g' $base >$out
   '';
 }
 ```
 
 :::
 
-### Inputs {#tester-testEqualArrayOrMap-inputs}
-
-NOTE: Internally, this tester uses `__structuredAttrs` to handle marshalling between Nix expressions and shell variables.
-This imposes the restriction that arrays and "maps" have values which are string-like.
-
-NOTE: At least one of `expectedArray` and `expectedMap` must be provided.
-
-`name` (string)
-
-: The name of the test.
-
-`script` (string)
-
-: The singular task of `script` is to populate `actualArray` or `actualMap` (it may populate both).
-  To do this, `script` may access the following shell variables:
-
-  - `valuesArray` (available when `valuesArray` is provided to the tester)
-  - `valuesMap` (available when `valuesMap` is provided to the tester)
-  - `actualArray` (available when `expectedArray` is provided to the tester)
-  - `actualMap` (available when `expectedMap` is provided to the tester)
-
-  While both `expectedArray` and `expectedMap` are in scope during the execution of `script`, they *must not* be accessed or modified from within `script`.
-
-`valuesArray` (array of string-like values, optional)
-
-: An array of string-like values.
-  This array may be used within `script`.
-
-`valuesMap` (attribute set of string-like values, optional)
-
-: An attribute set of string-like values.
-  This attribute set may be used within `script`.
-
-`expectedArray` (array of string-like values, optional)
-
-: An array of string-like values.
-  This array *must not* be accessed or modified from within `script`.
-  When provided, `script` is expected to populate `actualArray`.
-
-`expectedMap` (attribute set of string-like values, optional)
-
-: An attribute set of string-like values.
-  This attribute set *must not* be accessed or modified from within `script`.
-  When provided, `script` is expected to populate `actualMap`.
-
-### Return value {#tester-testEqualArrayOrMap-return}
-
-The tester produces an empty output and only succeeds when `expectedArray` and `expectedMap` match `actualArray` and `actualMap`, respectively, when non-null.
-The build log will contain differences encountered.
-
 ## `testEqualDerivation` {#tester-testEqualDerivation}
 
 Checks that two packages produce the exact same build instructions.
@@ -523,11 +297,10 @@ Otherwise, the build log explains the difference via `nix-diff`.
 # Check that two packages produce the same derivation
 
 ```nix
-testers.testEqualDerivation "The hello package must stay the same when enabling checks." hello (
-  hello.overrideAttrs (o: {
-    doCheck = true;
-  })
-)
+testers.testEqualDerivation
+  "The hello package must stay the same when enabling checks."
+  hello
+  (hello.overrideAttrs(o: { doCheck = true; }))
 ```
 
 :::
@@ -591,14 +364,11 @@ including `nativeBuildInputs` to specify dependencies available to the `script`.
 ```nix
 testers.runCommand {
   name = "access-the-internet";
-  script = ''
+  command = ''
     curl -o /dev/null https://example.com
     touch $out
   '';
-  nativeBuildInputs = with pkgs; [
-    cacert
-    curl
-  ];
+  nativeBuildInputs = with pkgs; [ cacert curl ];
 }
 ```
 
@@ -615,20 +385,15 @@ If your test is part of the Nixpkgs repository, or if you need a more general en
 # Run a NixOS test using `runNixOSTest`
 
 ```nix
-pkgs.testers.runNixOSTest (
-  { lib, ... }:
-  {
-    name = "hello";
-    nodes.machine =
-      { pkgs, ... }:
-      {
-        environment.systemPackages = [ pkgs.hello ];
-      };
-    testScript = ''
-      machine.succeed("hello")
-    '';
-  }
-)
+pkgs.testers.runNixOSTest ({ lib, ... }: {
+  name = "hello";
+  nodes.machine = { pkgs, ... }: {
+    environment.systemPackages = [ pkgs.hello ];
+  };
+  testScript = ''
+    machine.succeed("hello")
+  '';
+})
 ```
 
 :::
@@ -651,17 +416,10 @@ A [NixOS VM test network](https://nixos.org/nixos/manual/index.html#sec-nixos-te
 {
   name = "my-test";
   nodes = {
-    machine1 =
-      {
-        lib,
-        pkgs,
-        nodes,
-        ...
-      }:
-      {
-        environment.systemPackages = [ pkgs.hello ];
-        services.foo.enable = true;
-      };
+    machine1 = { lib, pkgs, nodes, ... }: {
+      environment.systemPackages = [ pkgs.hello ];
+      services.foo.enable = true;
+    };
     # machine2 = ...;
   };
   testScript = ''

doc/build-helpers/trivial-build-helpers.chapter.md

@@ -66,17 +66,15 @@ runCommandWith :: {
 # Invocation of `runCommandWith`
 
 ```nix
-runCommandWith
-  {
-    name = "example";
-    derivationArgs.nativeBuildInputs = [ cowsay ];
-  }
-  ''
-    cowsay > $out <<EOMOO
-    'runCommandWith' is a bit cumbersome,
-    so we have more ergonomic wrappers.
-    EOMOO
-  ''
+runCommandWith {
+  name = "example";
+  derivationArgs.nativeBuildInputs = [ cowsay ];
+} ''
+  cowsay > $out <<EOMOO
+  'runCommandWith' is a bit cumbersome,
+  so we have more ergonomic wrappers.
+  EOMOO
+''
 ```
 
 :::
@@ -120,7 +118,7 @@ While the type signature(s) differ from [`runCommandWith`], individual arguments
 # Invocation of `runCommand`
 
 ```nix
-runCommand "my-example" { } ''
+runCommand "my-example" {} ''
   echo My example command is running
 
   mkdir $out
@@ -240,7 +238,7 @@ The following fields are either required, are of a different type than in the sp
 Write a desktop file `/nix/store/<store path>/my-program.desktop` to the Nix store.
 
 ```nix
-{ makeDesktopItem }:
+{makeDesktopItem}:
 makeDesktopItem {
   name = "my-program";
   desktopName = "My Program";
@@ -262,10 +260,7 @@ makeDesktopItem {
   mimeTypes = [ "video/mp4" ];
   categories = [ "Utility" ];
   implements = [ "org.my-program" ];
-  keywords = [
-    "Video"
-    "Player"
-  ];
+  keywords = [ "Video" "Player" ];
   startupNotify = false;
   startupWMClass = "MyProgram";
   prefersNonDefaultGPU = false;
@@ -281,22 +276,18 @@ makeDesktopItem {
 Override the `hello` package to add a desktop item.
 
 ```nix
-{
-  copyDesktopItems,
-  hello,
-  makeDesktopItem,
-}:
+{ copyDesktopItems
+, hello
+, makeDesktopItem }:
 
 hello.overrideAttrs {
   nativeBuildInputs = [ copyDesktopItems ];
 
-  desktopItems = [
-    (makeDesktopItem {
-      name = "hello";
-      desktopName = "Hello";
-      exec = "hello";
-    })
-  ];
+  desktopItems = [(makeDesktopItem {
+    name = "hello";
+    desktopName = "Hello";
+    exec = "hello";
+  })];
 }
 ```
 
@@ -455,9 +446,10 @@ The store path will include the name, and it will be a file.
 Write the string `Contents of File` to `/nix/store/<store path>`:
 
 ```nix
-writeText "my-file" ''
+writeText "my-file"
+  ''
   Contents of File
-''
+  ''
 ```
 :::
 
@@ -494,9 +486,10 @@ The store path will be a directory.
 Write the string `Contents of File` to `/nix/store/<store path>/share/my-file`:
 
 ```nix
-writeTextDir "share/my-file" ''
+writeTextDir "share/my-file"
+  ''
   Contents of File
-''
+  ''
 ```
 :::
 
@@ -535,9 +528,10 @@ The store path will include the name, and it will be a file.
 Write the string `Contents of File` to `/nix/store/<store path>` and make the file executable.
 
 ```nix
-writeScript "my-file" ''
+writeScript "my-file"
+  ''
   Contents of File
-''
+  ''
 ```
 
 This is equivalent to:
@@ -576,9 +570,10 @@ The store path will include the name, and it will be a directory.
 # Usage of `writeScriptBin`
 
 ```nix
-writeScriptBin "my-script" ''
+writeScriptBin "my-script"
+  ''
   echo "hi"
-''
+  ''
 ```
 :::
 
@@ -619,9 +614,10 @@ This function is almost exactly like [](#trivial-builder-writeScript), except th
 # Usage of `writeShellScript`
 
 ```nix
-writeShellScript "my-script" ''
+writeShellScript "my-script"
+  ''
   echo "hi"
-''
+  ''
 ```
 :::
 
@@ -661,9 +657,10 @@ This function is a combination of [](#trivial-builder-writeShellScript) and [](#
 # Usage of `writeShellScriptBin`
 
 ```nix
-writeShellScriptBin "my-script" ''
+writeShellScriptBin "my-script"
+  ''
   echo "hi"
-''
+  ''
 ```
 :::
 
@@ -688,40 +685,26 @@ These functions concatenate `files` to the Nix store in a single file. This is u
 
 Here are a few examples:
 ```nix
+
 # Writes my-file to /nix/store/<store path>
-concatTextFile
-  {
-    name = "my-file";
-    files = [
-      drv1
-      "${drv2}/path/to/file"
-    ];
-  }
-  # See also the `concatText` helper function below.
+concatTextFile {
+  name = "my-file";
+  files = [ drv1 "${drv2}/path/to/file" ];
+}
+# See also the `concatText` helper function below.
 
-  # Writes executable my-file to /nix/store/<store path>/bin/my-file
-  concatTextFile
-  {
-    name = "my-file";
-    files = [
-      drv1
-      "${drv2}/path/to/file"
-    ];
-    executable = true;
-    destination = "/bin/my-file";
-  }
-  # Writes contents of files to /nix/store/<store path>
-  concatText
-  "my-file"
-  [ file1 file2 ]
+# Writes executable my-file to /nix/store/<store path>/bin/my-file
+concatTextFile {
+  name = "my-file";
+  files = [ drv1 "${drv2}/path/to/file" ];
+  executable = true;
+  destination = "/bin/my-file";
+}
+# Writes contents of files to /nix/store/<store path>
+concatText "my-file" [ file1 file2 ]
 
-  # Writes contents of files to /nix/store/<store path>
-  concatScript
-  "my-file"
-  [
-    file1
-    file2
-  ]
+# Writes contents of files to /nix/store/<store path>
+concatScript "my-file" [ file1 file2 ]
 ```
 
 ## `writeShellApplication` {#trivial-builder-writeShellApplication}
@@ -739,10 +722,7 @@ For example, the following shell application can refer to `curl` directly, rathe
 writeShellApplication {
   name = "show-nixos-org";
 
-  runtimeInputs = [
-    curl
-    w3m
-  ];
+  runtimeInputs = [ curl w3m ];
 
   text = ''
     curl -s 'https://nixos.org' | w3m -dump -T text/html
@@ -756,14 +736,7 @@ This can be used to put many derivations into the same directory structure. It w
 Here is an example:
 ```nix
 # adds symlinks of hello and stack to current build and prints "links added"
-symlinkJoin {
-  name = "myexample";
-  paths = [
-    pkgs.hello
-    pkgs.stack
-  ];
-  postBuild = "echo links added";
-}
+symlinkJoin { name = "myexample"; paths = [ pkgs.hello pkgs.stack ]; postBuild = "echo links added"; }
 ```
 This creates a derivation with a directory structure like the following:
 ```
@@ -781,6 +754,10 @@ This creates a derivation with a directory structure like the following:
 ...
 ```
 
+## `writeReferencesToFile` {#trivial-builder-writeReferencesToFile}
+
+Deprecated. Use [`writeClosure`](#trivial-builder-writeClosure) instead.
+
 ## `writeClosure` {#trivial-builder-writeClosure}
 
 Given a list of [store paths](https://nixos.org/manual/nix/stable/glossary#gloss-store-path) (or string-like expressions coercible to store paths), write their collective [closure](https://nixos.org/manual/nix/stable/glossary#gloss-closure) to a text file.

doc/doc-support/lib-function-docs.nix

@@ -48,10 +48,6 @@
       name = "path";
       description = "path functions";
     }
-    {
-      name = "fetchers";
-      description = "functions which can be reused across fetchers";
-    }
     {
       name = "filesystem";
       description = "filesystem functions";
@@ -94,16 +90,17 @@
 stdenvNoCC.mkDerivation {
   name = "nixpkgs-lib-docs";
 
-  src = ../../lib;
+  src = lib.fileset.toSource {
+    root = ../..;
+    fileset = ../../lib;
+  };
 
-  nativeBuildInputs = [
+  buildInputs = [
     nixdoc
     nix
   ];
 
   installPhase = ''
-    cd ..
-
     export NIX_STATE_DIR=$(mktemp -d)
     nix-instantiate --eval --strict --json ${./lib-function-locations.nix} \
       --arg nixpkgsPath "./." \

doc/doc-support/lib-function-locations.nix

@@ -1,82 +1,74 @@
-{
-  nixpkgsPath,
-  revision,
-  libsetsJSON,
-}:
+{ nixpkgsPath, revision, libsetsJSON }:
 let
   lib = import (nixpkgsPath + "/lib");
   libsets = builtins.fromJSON libsetsJSON;
 
-  libDefPos =
-    prefix: set:
-    builtins.concatMap (
-      name:
-      [
-        {
-          name = builtins.concatStringsSep "." (prefix ++ [ name ]);
-          location = builtins.unsafeGetAttrPos name set;
-        }
-      ]
-      ++ lib.optionals (builtins.length prefix == 0 && builtins.isAttrs set.${name}) (
-        libDefPos (prefix ++ [ name ]) set.${name}
-      )
-    ) (builtins.attrNames set);
+  libDefPos = prefix: set:
+    builtins.concatMap
+      (name: [{
+        name = builtins.concatStringsSep "." (prefix ++ [name]);
+        location = builtins.unsafeGetAttrPos name set;
+      }] ++ lib.optionals
+        (builtins.length prefix == 0 && builtins.isAttrs set.${name})
+        (libDefPos (prefix ++ [name]) set.${name})
+      ) (builtins.attrNames set);
 
-  libset =
-    toplib:
-    builtins.map (subsetname: {
-      subsetname = subsetname;
-      functions = libDefPos [ ] toplib.${subsetname};
-    }) (builtins.map (x: x.name) libsets);
+  libset = toplib:
+    builtins.map
+      (subsetname: {
+        subsetname = subsetname;
+        functions = libDefPos [] toplib.${subsetname};
+      })
+      (builtins.map (x: x.name) libsets);
 
-  flattenedLibSubset =
-    { subsetname, functions }:
-    builtins.map (fn: {
+  flattenedLibSubset = { subsetname, functions }:
+  builtins.map
+    (fn: {
       name = "lib.${subsetname}.${fn.name}";
       value = fn.location;
-    }) functions;
+    })
+    functions;
 
   locatedlibsets = libs: builtins.map flattenedLibSubset (libset libs);
-  removeFilenamePrefix =
-    prefix: filename:
+  removeFilenamePrefix = prefix: filename:
     let
-      prefixLen = (builtins.stringLength prefix) + 1; # +1 to remove the leading /
+    prefixLen = (builtins.stringLength prefix) + 1; # +1 to remove the leading /
       filenameLen = builtins.stringLength filename;
       substr = builtins.substring prefixLen filenameLen filename;
-    in
-    substr;
+      in substr;
 
   removeNixpkgs = removeFilenamePrefix (builtins.toString nixpkgsPath);
 
-  liblocations = builtins.filter (elem: elem.value != null) (lib.lists.flatten (locatedlibsets lib));
+  liblocations =
+    builtins.filter
+      (elem: elem.value != null)
+      (lib.lists.flatten
+        (locatedlibsets lib));
 
-  fnLocationRelative =
-    { name, value }:
+  fnLocationRelative = { name, value }:
     {
       inherit name;
-      value = value // {
-        file = removeNixpkgs value.file;
-      };
+      value = value // { file = removeNixpkgs value.file; };
     };
 
   relativeLocs = (builtins.map fnLocationRelative liblocations);
-  sanitizeId = builtins.replaceStrings [ "'" ] [ "-prime" ];
+  sanitizeId = builtins.replaceStrings
+    [ "'"      ]
+    [ "-prime" ];
 
   urlPrefix = "https://github.com/NixOS/nixpkgs/blob/${revision}";
-  jsonLocs = builtins.listToAttrs (
-    builtins.map (
-      { name, value }:
-      {
+  jsonLocs = builtins.listToAttrs
+    (builtins.map
+      ({ name, value }: {
         name = sanitizeId name;
         value =
           let
             text = "${value.file}:${builtins.toString value.line}";
             target = "${urlPrefix}/${value.file}#L${builtins.toString value.line}";
           in
-          "[${text}](${target}) in `<nixpkgs>`";
-      }
-    ) relativeLocs
-  );
+            "[${text}](${target}) in `<nixpkgs>`";
+      })
+    relativeLocs);
 
 in
 jsonLocs