lib.types.attrNamesTo{Set,Submodule}: add

lib/types.nix: Remove duplicate user documentation
lib/tests/modules: Test attrNamesToTrue
2026-06-06 05:13:37 +00:00 · 2025-05-16 15:09:31 +02:00 · 2025-05-16 15:09:25 +02:00 · 2025-05-16 15:09:24 +02:00 · 2025-05-16 12:35:16 +02:00
21391 changed files with 466419 additions and 552513 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -24,7 +24,7 @@ insert_final_newline = false
 # see https://nixos.org/nixpkgs/manual/#chap-conventions

 # Match json/lockfiles/markdown/nix/perl/python/ruby/shell/docbook files, set indent to spaces
-[*.{bash,js,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
+[*.{bash,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
 indent_style = space

 # Match docbook files, set indent width of one
@@ -32,7 +32,7 @@ indent_style = space
 indent_size = 1

 # Match json/lockfiles/markdown/nix/ruby files, set indent width of two
-[*.{js,json,lock,md,nix,rb}]
+[*.{json,lock,md,nix,rb}]
 indent_size = 2

 # Match all the Bash code in Nix files, set indent width of two
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -193,9 +193,6 @@ cffc27daf06c77c0d76bc35d24b929cb9d68c3c9
 # nixos/kanidm: inherit lib, nixfmt
 8f18393d380079904d072007fb19dc64baef0a3a

-# fetchhg: format after refactoring with lib.extendMkDerivation and make overridable (#423539)
-34a5b1eb23129f8fb62c677e3760903f6d43228f
-
 # fetchurl: nixfmt-rfc-style
 ce21e97a1f20dee15da85c084f9d1148d84f853b

@@ -269,19 +266,3 @@ a034fb50f79816c6738fb48b48503b09ea3b0132

 # treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
 05580f4b4433fda48fff30f60dfd303d6ee05d21
-
-# nixos/redmine: Get rid of global lib expansions
-d7f1102f04c58b2edfc74c9a1d577e3aebfca775
-
-# **/README.md: one sentence per line
-3d505c03610b6102af6d870ae3506a151cef1f68
-60e35e4ded6e91524364a74b3b4ec233ed9321f2
-99f2e655d9db009ee0b4ede3edced5f6c882c7f4
-b4532efe93882ae2e3fc579929a42a5a56544146
-
-# emacs: keep elpa/nongnu/melpa package overrides sorted
-9f2faf683ed48704aa17f693208a13aa64e22181
-
-# nixfmt 1.0.0
-62fe01651911043bd3db0add920af3d2935d9869 # !autorebase nix-shell --run treefmt
-5a0711127cd8b916c3d3128f473388c8c79df0da # !autorebase nix-shell --run treefmt
--- a/.github/ISSUE_TEMPLATE/01_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on ARM Linux, your title would be as follows:
-        > ```
-        > hello: fails to launch on aarch64-linux
-        > ```
+        > `hello: fails to launch on aarch64-linux`

        ---
  - type: "dropdown"
@@ -32,11 +30,13 @@ body:
      description: |
        What version of Nixpkgs are you using?

-        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
+        > [!IMPORTANT]
+        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
@@ -100,7 +100,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
+++ b/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on Apple Silicon, your title would be as follows:
-        > ```
-        > hello: fails to launch on aarch64-darwin
-        > ```
+        > `hello: fails to launch on aarch64-darwin`

        ---
  - type: "dropdown"
@@ -32,11 +30,13 @@ body:
      description: |
        What version of Nixpkgs are you using?

-        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
+        > [!IMPORTANT]
+        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
@@ -114,7 +114,7 @@ body:
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.

        If this issue is related to the Darwin packaging architecture as a whole, or is related to the core Darwin frameworks, consider mentioning the `@NixOS/darwin-core` team.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
+++ b/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing a bug against the [`systemd-boot`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.enable&from=0&size=1) module about it failing to install [`memtest86`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.memtest86.enable&from=0&size=1), your title would be as follows:
-        > ```
-        > nixos/systemd-boot: fails to install memtest86
-        > ```
+        > `nixos/systemd-boot: fails to install memtest86`

        ---
  - type: "dropdown"
@@ -32,11 +30,13 @@ body:
      description: |
        What version of Nixpkgs are you using?

-        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
+        > [!IMPORTANT]
+        > If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
@@ -104,7 +104,7 @@ body:
        Please note that the maintainer attribute name does not always match the maintainer's GitHub username. If that occurs, try looking in [`maintainers/maintainer-list.nix`](https://github.com/NixOS/nixpkgs/blob/master/maintainers/maintainer-list.nix) for the maintainer attribute name, and checking if the maintainer has a listed GitHub username.

        If in doubt, check `git blame` for whoever last touched the module, or check the associated package's maintainers. Please add the mentions above the `---` characters.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/04_build_failure.yml
+++ b/.github/ISSUE_TEMPLATE/04_build_failure.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing a build failure against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package, your title would be as follows:
-        > ```
-        > Build failure: hello
-        > ```
+        > `Build failure: hello`

        ---
  - type: "dropdown"
@@ -32,13 +30,14 @@ body:
      description: |
        In what version of Nixpkgs did the build failure occur?

-        If you are using an older version, please update to the latest stable version and check if the build failure persists before continuing this report.
-
-        If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
+        > [!IMPORTANT]
+        > If you are using an older version, please update to the latest stable version and check if the build failure persists before continuing this report.
+        > If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
@@ -110,7 +109,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/05_update_request.yml
+++ b/.github/ISSUE_TEMPLATE/05_update_request.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs is 1.0.0, but the latest version upstream is 1.0.1, your title would be as follows:
-        > ```
-        > Update Request: hello 1.0.0 → 1.0.1
-        > ```
+        > `Update Request: hello 1.0.0 → 1.0.1`

        ---
  - type: "dropdown"
@@ -32,13 +30,14 @@ body:
      description: |
        What version of Nixpkgs are you using?

-        If you are using an older or stable version, please update to the latest **unstable** version and check if the package is still out of date.
-
-        If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
+        > [!IMPORTANT]
+        > If you are using an older or stable version, please update to the latest **unstable** version and check if the package is still out of date.
+        > If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
@@ -85,7 +84,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/06_module_request.yml
+++ b/.github/ISSUE_TEMPLATE/06_module_request.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing a request against the missing `hello` module, your title would be as follows:
-        > ```
-        > Module Request: nixos/hello
-        > ```
+        > `Module Request: nixos/hello`

        ---
  - type: "dropdown"
@@ -32,11 +30,13 @@ body:
      description: |
        What version of Nixpkgs are you using?

-        If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
+        > [!IMPORTANT]
+        > If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
@@ -60,7 +60,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/07_backport_request.yml
+++ b/.github/ISSUE_TEMPLATE/07_backport_request.yml
@@ -9,27 +9,23 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>

        > [!CAUTION]
        > **Before you begin:** Be advised that backports are subject to the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
-        >
-        > Stable releases of Nixpkgs do not receive breaking changes, which include major package updates that have incompatible API changes and break backwards compatibility. In the [Semantic Versioning standard](https://semver.org/), this is the first version number (1.X.X).
-        >
+        > Stable releases of Nixpkgs do not receive breaking changes, which include major package updates that have incompatible API changes and break backwards compatibility. In the [Semantic Versioning standard](https://semver.org/), this is the first version number. (1.X.X)
        > Generally, only minor package updates, such as security patches, bug fixes and feature additions (but not removals!) will be considered for backporting. Please read the rules above carefully before filing this backport request.

        Welcome to Nixpkgs. Please replace the **`Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package in Nixpkgs Stable and the current version of the package in Nixpkgs Unstable.

        > [!TIP]
        > For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs Unstable is 1.0.1, but the current version in Nixpkgs Stable is 1.0.0, your title would be as follows:
-        > ```
-        > Backport to Stable: hello 1.0.0 → 1.0.1
-        > ```
+        > `Backport to Stable: hello 1.0.0 → 1.0.1`

        ---
  - type: "input"
@@ -66,7 +62,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/08_documentation_request.yml
+++ b/.github/ISSUE_TEMPLATE/08_documentation_request.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,9 +20,7 @@ body:

        > [!TIP]
        > For instance, if you were filing an issue against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it not having any NixOS-specific documentation, your title would be as follows:
-        > ```
-        > Missing Documentation: hello
-        > ```
+        > `Missing Documentation: hello`

        ---
  - type: "textarea"
@@ -48,7 +46,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/ISSUE_TEMPLATE/09_unreproducible_package.yml
+++ b/.github/ISSUE_TEMPLATE/09_unreproducible_package.yml
@@ -9,9 +9,9 @@ body:
        <p align="center">
          <a href="https://nixos.org">
            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos-white.svg">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/refs/heads/master/logo/nixos.svg" width="400px" alt="NixOS logo">
+              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
+              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
+              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
            </picture>
          </a>
        </p>
@@ -20,7 +20,6 @@ body:

        > [!NOTE]
        > This form is for reporting unreproducible packages. For more information, see the [Reproducible Builds Status](https://reproducible.nixos.org/) page.
-        >
        > To report a package that fails to build entirely, please use the "Build Failure" form instead.

        ---
@@ -120,7 +119,7 @@ body:
      label: "Notify maintainers"
      description: |
        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |2
+      value: |


        ---
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -10,34 +10,37 @@ For new packages please briefly describe the package or provide a link to its ho

 <!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->

- Built on platform:
+- Built on platform(s)
  - [ ] x86_64-linux
  - [ ] aarch64-linux
  - [ ] x86_64-darwin
  - [ ] aarch64-darwin
- Tested, as applicable:
-  - [ ] [NixOS tests] in [nixos/tests].
-  - [ ] [Package tests] at `passthru.tests`.
-  - [ ] Tests in [lib/tests] or [pkgs/test] for functions and "core" functionality.
- [ ] Ran `nixpkgs-review` on this PR. See [nixpkgs-review usage].
- [ ] Tested basic functionality of all binary files, usually in `./result/bin/`.
- Nixpkgs Release Notes
-  - [ ] Package update: when the change is major or breaking.
- NixOS Release Notes
-  - [ ] Module addition: when adding a new NixOS module.
-  - [ ] Module update: when the change is significant.
- [ ] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs.
+- For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
+  - [ ] `sandbox = relaxed`
+  - [ ] `sandbox = true`
+- [ ] Tested, as applicable:
+  - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
+  - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests)
+  - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
+  - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
+- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
+- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
+- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
+  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
+  - [ ] (Module updates) Added a release notes entry if the change is significant
+  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
+- [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).

-[NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests
-[Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests
-[nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage
+<!--
+To help with the large amounts of pull requests, we would appreciate your
+reviews of other pull requests, especially simple package updates. Just leave a
+comment describing what you have tested in the relevant package/service.
+Reviewing helps to reduce the average time-to-merge for everyone.
+Thanks a lot if you do!

-[CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md
-[lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests
-[maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md
-[nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests
-[pkgs/README.md]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md
-[pkgs/test]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/test
+List of open PRs: https://github.com/NixOS/nixpkgs/pulls
+Reviewing guidelines: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#reviewing-contributions
+-->

 ---

--- a/.github/actions/get-merge-commit/action.yml
+++ b/.github/actions/get-merge-commit/action.yml
@@ -1,95 +0,0 @@
-name: Get merge commit
-
-description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
-
-inputs:
-  mergedSha:
-    description: "The merge commit SHA, previously collected."
-    type: string
-  merged-as-untrusted:
-    description: "Whether to checkout the merge commit in the ./untrusted folder."
-    type: boolean
-  targetSha:
-    description: "The target commit SHA, previously collected."
-    type: string
-  target-as-trusted:
-    description: "Whether to checkout the target commit in the ./trusted folder."
-    type: boolean
-
-outputs:
-  mergedSha:
-    description: "The merge commit SHA"
-    value: ${{ steps.commits.outputs.mergedSha }}
-  targetSha:
-    description: "The target commit SHA"
-    value: ${{ steps.commits.outputs.targetSha }}
-
-runs:
-  using: composite
-  steps:
-    - id: commits
-      if: ${{ !inputs.mergedSha && !inputs.targetSha }}
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-      with:
-        script: |
-          if (context.eventName == 'push') return core.setOutput('mergedSha', context.sha)
-
-          for (const retryInterval of [5, 10, 20, 40, 80]) {
-            console.log("Checking whether the pull request can be merged...")
-            const prInfo = (await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number
-            })).data
-
-            if (prInfo.state != 'open') throw new Error ("PR is not open anymore.")
-
-            if (prInfo.mergeable == null) {
-              console.log(`GitHub is still computing whether this PR can be merged, waiting ${retryInterval} seconds before trying again...`)
-              await new Promise(resolve => setTimeout(resolve, retryInterval * 1000))
-              continue
-            }
-
-            let mergedSha, targetSha
-
-            if (prInfo.mergeable) {
-              console.log("The PR can be merged.")
-
-              mergedSha = prInfo.merge_commit_sha
-              targetSha = (await github.rest.repos.getCommit({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                ref: prInfo.merge_commit_sha
-              })).data.parents[0].sha
-            } else {
-              console.log("The PR has a merge conflict.")
-
-              mergedSha = prInfo.head.sha
-              targetSha = (await github.rest.repos.compareCommitsWithBasehead({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                basehead: `${prInfo.base.sha}...${prInfo.head.sha}`
-              })).data.merge_base_commit.sha
-            }
-
-            console.log(`Checking the commits:\nmerged:${mergedSha}\ntarget:${targetSha}`)
-            core.setOutput('mergedSha', mergedSha)
-            core.setOutput('targetSha', targetSha)
-            return
-          }
-          throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
-
-    - if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha)
-      # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
-      # but Nix is broken with them:
-      # https://github.com/NixOS/nix/issues/6073
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }}
-        path: untrusted
-
-    - if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha)
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }}
-        path: trusted
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,4 +4,4 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
-    labels: []
+    labels: [ ]
--- a/.github/labeler-development-branches.yml
+++ b/.github/labeler-development-branches.yml
@@ -3,21 +3,21 @@

 "4.workflow: package set update":
  - any:
-      - head-branch:
-          - '-updates$'
+    - head-branch:
+      - '-updates$'

 "4.workflow: staging":
  - any:
-      - head-branch:
-          - '^staging-next$'
-          - '^staging-next-'
+    - head-branch:
+      - '^staging-next$'
+      - '^staging-next-'

 "6.topic: haskell":
  - any:
-      - head-branch:
-          - '^haskell-updates$'
+    - head-branch:
+      - '^haskell-updates$'

 "6.topic: python":
  - any:
-      - head-branch:
-          - '^python-updates$'
+    - head-branch:
+      - '^python-updates$'
--- a/.github/labeler-no-sync.yml
+++ b/.github/labeler-no-sync.yml
@@ -5,28 +5,28 @@

 "6.topic: policy discussion":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - .github/**/*
-              - CONTRIBUTING.md
-              - pkgs/README.md
-              - nixos/README.md
-              - maintainers/README.md
-              - lib/README.md
-              - doc/README.md
+    - changed-files:
+      - any-glob-to-any-file:
+        - .github/**/*
+        - CONTRIBUTING.md
+        - pkgs/README.md
+        - nixos/README.md
+        - maintainers/README.md
+        - lib/README.md
+        - doc/README.md

 "8.has: documentation":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/**/*
-              - nixos/doc/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/**/*
+        - nixos/doc/**/*

-"backport release-25.05":
+"backport release-24.11":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - .github/workflows/*
-              - ci/**/*.*
+    - changed-files:
+      - any-glob-to-any-file:
+        - .github/workflows/*
+        - ci/**/*.*

 # keep-sorted end
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -5,600 +5,599 @@

 "4.workflow: backport":
  - any:
-      - base-branch:
-          - '^release-'
-          - '^staging-\d'
-          - '^staging-next-\d'
+    - base-branch:
+      - '^release-'
+      - '^staging-\d'
+      - '^staging-next-\d'

 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/agda.section.md
-              - nixos/tests/agda.nix
-              - pkgs/build-support/agda/**/*
-              - pkgs/development/libraries/agda/**/*
-              - pkgs/top-level/agda-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/agda.section.md
+        - nixos/tests/agda.nix
+        - pkgs/build-support/agda/**/*
+        - pkgs/development/libraries/agda/**/*
+        - pkgs/top-level/agda-packages.nix

 "6.topic: cinnamon":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/x11/desktop-managers/cinnamon.nix
-              - nixos/tests/cinnamon.nix
-              - nixos/tests/cinnamon-wayland.nix
-              - pkgs/by-name/ci/cinnamon-*/**/*
-              - pkgs/by-name/cj/cjs/**/*
-              - pkgs/by-name/mu/muffin/**/*
-              - pkgs/by-name/ne/nemo/**/*
-              - pkgs/by-name/ne/nemo-*/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/x11/desktop-managers/cinnamon.nix
+        - nixos/tests/cinnamon.nix
+        - nixos/tests/cinnamon-wayland.nix
+        - pkgs/by-name/ci/cinnamon-*/**/*
+        - pkgs/by-name/cj/cjs/**/*
+        - pkgs/by-name/mu/muffin/**/*
+        - pkgs/by-name/ne/nemo/**/*
+        - pkgs/by-name/ne/nemo-*/**/*

 "6.topic: continuous integration":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - .github/**/*
-              - ci/**/*.*
+    - changed-files:
+      - any-glob-to-any-file:
+        - .github/**/*
+        - ci/**/*.*

 "6.topic: coq":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/applications/science/logic/coq/**/*
-              - pkgs/development/coq-modules/**/*
-              - pkgs/top-level/coq-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/applications/science/logic/coq/**/*
+        - pkgs/development/coq-modules/**/*
+        - pkgs/top-level/coq-packages.nix

 "6.topic: COSMIC":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/desktop-managers/cosmic.nix
-              - nixos/modules/services/display-managers/cosmic-greeter.nix
-              - nixos/tests/cosmic.nix
-              - pkgs/by-name/co/cosmic-*/**/*
-              - pkgs/by-name/xd/xdg-desktop-portal-cosmic/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/desktop-managers/cosmic.nix
+        - nixos/modules/services/display-managers/cosmic-greeter.nix
+        - nixos/tests/cosmic.nix
+        - pkgs/by-name/co/cosmic-*/**/*
+        - pkgs/by-name/xd/xdg-desktop-portal-cosmic/*

 "6.topic: crystal":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/compilers/crystal/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/compilers/crystal/**/*

 "6.topic: cuda":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/cuda-modules/**/*
-              - pkgs/top-level/cuda-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/cuda-modules/**/*
+        - pkgs/top-level/cuda-packages.nix

 "6.topic: deepin":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/desktops/deepin/**/*
-              - pkgs/desktops/deepin/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/desktops/deepin/**/*
+        - pkgs/desktops/deepin/**/*

 "6.topic: docker tools":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/applications/virtualization/docker/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/applications/virtualization/docker/**/*

 "6.topic: dotnet":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/dotnet.section.md
-              - maintainers/scripts/update-dotnet-lockfiles.nix
-              - pkgs/build-support/dotnet/**/*
-              - pkgs/development/compilers/dotnet/**/*
-              - pkgs/test/dotnet/**/*
-              - pkgs/top-level/dotnet-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/dotnet.section.md
+        - maintainers/scripts/update-dotnet-lockfiles.nix
+        - pkgs/build-support/dotnet/**/*
+        - pkgs/development/compilers/dotnet/**/*
+        - pkgs/test/dotnet/**/*
+        - pkgs/top-level/dotnet-packages.nix

 "6.topic: emacs":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/editors/emacs.nix
-              - nixos/modules/services/editors/emacs.xml
-              - nixos/tests/emacs-daemon.nix
-              - pkgs/applications/editors/emacs/build-support/**/*
-              - pkgs/applications/editors/emacs/elisp-packages/**/*
-              - pkgs/applications/editors/emacs/**/*
-              - pkgs/top-level/emacs-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/editors/emacs.nix
+        - nixos/modules/services/editors/emacs.xml
+        - nixos/tests/emacs-daemon.nix
+        - pkgs/applications/editors/emacs/build-support/**/*
+        - pkgs/applications/editors/emacs/elisp-packages/**/*
+        - pkgs/applications/editors/emacs/**/*
+        - pkgs/top-level/emacs-packages.nix

 "6.topic: Enlightenment DE":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/x11/desktop-managers/enlightenment.nix
-              - pkgs/desktops/enlightenment/**/*
-              - pkgs/development/python-modules/python-efl/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/x11/desktop-managers/enlightenment.nix
+        - pkgs/desktops/enlightenment/**/*
+        - pkgs/development/python-modules/python-efl/*

 "6.topic: erlang":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/beam.section.md
-              - pkgs/development/beam-modules/**/*
-              - pkgs/development/interpreters/elixir/**/*
-              - pkgs/development/interpreters/erlang/**/*
-              - pkgs/development/tools/build-managers/rebar/**/*
-              - pkgs/development/tools/build-managers/rebar3/**/*
-              - pkgs/development/tools/erlang/**/*
-              - pkgs/top-level/beam-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/beam.section.md
+        - pkgs/development/beam-modules/**/*
+        - pkgs/development/interpreters/elixir/**/*
+        - pkgs/development/interpreters/erlang/**/*
+        - pkgs/development/tools/build-managers/rebar/**/*
+        - pkgs/development/tools/build-managers/rebar3/**/*
+        - pkgs/development/tools/erlang/**/*
+        - pkgs/top-level/beam-packages.nix

 "6.topic: fetch":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/build-support/fetch*/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/build-support/fetch*/**/*

 "6.topic: flakes":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - '**/flake.nix'
-              - lib/systems/flake-systems.nix
-              - nixos/modules/config/nix-flakes.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - '**/flake.nix'
+        - lib/systems/flake-systems.nix
+        - nixos/modules/config/nix-flakes.nix

 "6.topic: flutter":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/build-support/flutter/*.nix
-              - pkgs/development/compilers/flutter/**/*.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/build-support/flutter/*.nix
+        - pkgs/development/compilers/flutter/**/*.nix

 "6.topic: games":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/games/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/games/**/*

 "6.topic: GNOME":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/gnome.section.md
-              - nixos/modules/services/desktops/gnome/**/*
-              - nixos/modules/services/desktop-managers/gnome.nix
-              - nixos/tests/gnome-xorg.nix
-              - nixos/tests/gnome.nix
-              - pkgs/desktops/gnome/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/gnome.section.md
+        - nixos/modules/services/desktops/gnome/**/*
+        - nixos/modules/services/x11/desktop-managers/gnome.nix
+        - nixos/tests/gnome-xorg.nix
+        - nixos/tests/gnome.nix
+        - pkgs/desktops/gnome/**/*

 "6.topic: golang":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/go.section.md
-              - pkgs/build-support/go/**/*
-              - pkgs/development/compilers/go/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/go.section.md
+        - pkgs/build-support/go/**/*
+        - pkgs/development/compilers/go/**/*

 "6.topic: hardware":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/hardware/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/hardware/**/*

 "6.topic: haskell":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/haskell.section.md
-              - maintainers/scripts/haskell/**/*
-              - pkgs/development/compilers/ghc/**/*
-              - pkgs/development/haskell-modules/**/*
-              - pkgs/development/tools/haskell/**/*
-              - pkgs/test/haskell/**/*
-              - pkgs/top-level/haskell-packages.nix
-              - pkgs/top-level/release-haskell.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/haskell.section.md
+        - maintainers/scripts/haskell/**/*
+        - pkgs/development/compilers/ghc/**/*
+        - pkgs/development/haskell-modules/**/*
+        - pkgs/development/tools/haskell/**/*
+        - pkgs/test/haskell/**/*
+        - pkgs/top-level/haskell-packages.nix
+        - pkgs/top-level/release-haskell.nix

 "6.topic: java":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              # Distributions
-              - pkgs/development/compilers/adoptopenjdk-icedtea-web/**/*
-              - pkgs/development/compilers/corretto/**/*
-              - pkgs/development/compilers/graalvm/**/*
-              - pkgs/development/compilers/openjdk/**/*
-              - pkgs/by-name/op/openjfx/**/*
-              - pkgs/development/compilers/semeru-bin/**/*
-              - pkgs/development/compilers/temurin-bin/**/*
-              - pkgs/development/compilers/zulu/**/*
-              # Documentation
-              - doc/languages-frameworks/java.section.md
-              # Gradle
-              - doc/languages-frameworks/gradle.section.md
-              - pkgs/development/tools/build-managers/gradle/**/*
-              - pkgs/by-name/gr/gradle-completion/**/*
-              # Maven
-              - pkgs/by-name/ma/maven/**/*
-              - doc/languages-frameworks/maven.section.md
-              # Ant
-              - pkgs/by-name/an/ant/**/*
-              # javaPackages attrset
-              - pkgs/development/java-modules/**/*
-              - pkgs/top-level/java-packages.nix
-              # Maintainer tooling
-              - pkgs/by-name/ni/nixpkgs-openjdk-updater/**/*
-              # Misc
-              - nixos/modules/programs/java.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        # Distributions
+        - pkgs/development/compilers/adoptopenjdk-icedtea-web/**/*
+        - pkgs/development/compilers/corretto/**/*
+        - pkgs/development/compilers/graalvm/**/*
+        - pkgs/development/compilers/openjdk/**/*
+        - pkgs/by-name/op/openjfx/**/*
+        - pkgs/development/compilers/semeru-bin/**/*
+        - pkgs/development/compilers/temurin-bin/**/*
+        - pkgs/development/compilers/zulu/**/*
+        # Documentation
+        - doc/languages-frameworks/java.section.md
+        # Gradle
+        - doc/languages-frameworks/gradle.section.md
+        - pkgs/development/tools/build-managers/gradle/**/*
+        - pkgs/by-name/gr/gradle-completion/**/*
+        # Maven
+        - pkgs/by-name/ma/maven/**/*
+        - doc/languages-frameworks/maven.section.md
+        # Ant
+        - pkgs/by-name/an/ant/**/*
+        # javaPackages attrset
+        - pkgs/development/java-modules/**/*
+        - pkgs/top-level/java-packages.nix
+        # Maintainer tooling
+        - pkgs/by-name/ni/nixpkgs-openjdk-updater/**/*
+        # Misc
+        - nixos/modules/programs/java.nix

 "6.topic: jitsi":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/networking/jitsi-videobridge.nix
-              - nixos/modules/services/web-apps/jitsi-meet.nix
-              - pkgs/servers/web-apps/jitsi-meet/**/*
-              - pkgs/servers/jitsi-videobridge/**/*
-              - pkgs/applications/networking/instant-messengers/jitsi/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/networking/jitsi-videobridge.nix
+        - nixos/modules/services/web-apps/jitsi-meet.nix
+        - pkgs/servers/web-apps/jitsi-meet/**/*
+        - pkgs/servers/jitsi-videobridge/**/*
+        - pkgs/applications/networking/instant-messengers/jitsi/**/*

 "6.topic: julia":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/julia.section.md
-              - pkgs/development/compilers/julia/**/*
-              - pkgs/development/julia-modules/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/julia.section.md
+        - pkgs/development/compilers/julia/**/*
+        - pkgs/development/julia-modules/**/*

 "6.topic: jupyter":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/python-modules/jupyter*/**/*
-              - pkgs/development/python-modules/mkdocs-jupyter/*
-              - nixos/modules/services/development/jupyter/**/*
-              - pkgs/applications/editors/jupyter-kernels/**/*
-              - pkgs/applications/editors/jupyter/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/python-modules/jupyter*/**/*
+        - pkgs/development/python-modules/mkdocs-jupyter/*
+        - nixos/modules/services/development/jupyter/**/*
+        - pkgs/applications/editors/jupyter-kernels/**/*
+        - pkgs/applications/editors/jupyter/**/*

 "6.topic: k3s":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/cluster/k3s/**/*
-              - nixos/tests/k3s/**/*
-              - pkgs/applications/networking/cluster/k3s/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/cluster/k3s/**/*
+        - nixos/tests/k3s/**/*
+        - pkgs/applications/networking/cluster/k3s/**/*

 "6.topic: kernel":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/build-support/kernel/**/*
-              - pkgs/os-specific/linux/kernel/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/build-support/kernel/**/*
+        - pkgs/os-specific/linux/kernel/**/*

 "6.topic: lib":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - lib/**
+    - changed-files:
+      - any-glob-to-any-file:
+        - lib/**

 "6.topic: llvm/clang":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/compilers/llvm/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/compilers/llvm/**/*

 "6.topic: lua":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/tools/misc/luarocks/*
-              - pkgs/development/interpreters/lua-5/**/*
-              - pkgs/development/interpreters/luajit/**/*
-              - pkgs/development/lua-modules/**/*
-              - pkgs/top-level/lua-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/tools/misc/luarocks/*
+        - pkgs/development/interpreters/lua-5/**/*
+        - pkgs/development/interpreters/luajit/**/*
+        - pkgs/development/lua-modules/**/*
+        - pkgs/top-level/lua-packages.nix

 "6.topic: Lumina DE":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/x11/desktop-managers/lumina.nix
-              - pkgs/desktops/lumina/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/x11/desktop-managers/lumina.nix
+        - pkgs/desktops/lumina/**/*

 "6.topic: LXQt":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/x11/desktop-managers/lxqt.nix
-              - pkgs/desktops/lxqt/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/x11/desktop-managers/lxqt.nix
+        - pkgs/desktops/lxqt/**/*

 "6.topic: mate":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/x11/desktop-managers/mate.nix
-              - nixos/tests/mate.nix
-              - pkgs/desktops/mate/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/x11/desktop-managers/mate.nix
+        - nixos/tests/mate.nix
+        - pkgs/desktops/mate/**/*

 "6.topic: module system":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - lib/modules.nix
-              - lib/types.nix
-              - lib/options.nix
-              - lib/tests/modules.sh
-              - lib/tests/modules/**
+    - changed-files:
+      - any-glob-to-any-file:
+        - lib/modules.nix
+        - lib/types.nix
+        - lib/options.nix
+        - lib/tests/modules.sh
+        - lib/tests/modules/**

 "6.topic: musl":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/os-specific/linux/musl/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/os-specific/linux/musl/**/*

 "6.topic: nim":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/nim.section.md
-              - pkgs/build-support/build-nim-package.nix
-              - pkgs/build-support/build-nim-sbom.nix
-              - pkgs/by-name/ni/nim*
-              - pkgs/top-level/nim-overrides.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/nim.section.md
+        - pkgs/build-support/build-nim-package.nix
+        - pkgs/build-support/build-nim-sbom.nix
+        - pkgs/by-name/ni/nim*
+        - pkgs/top-level/nim-overrides.nix

 "6.topic: nixos":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/**/*
-              - pkgs/by-name/sw/switch-to-configuration-ng/**/*
-              - pkgs/by-name/ni/nixos-rebuild-ng/**/*
-              - pkgs/os-specific/linux/nixos-rebuild/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/**/*
+        - pkgs/by-name/sw/switch-to-configuration-ng/**/*
+        - pkgs/by-name/ni/nixos-rebuild-ng/**/*
+        - pkgs/os-specific/linux/nixos-rebuild/**/*

 "6.topic: nixos-container":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/virtualisation/nixos-containers.nix
-              - pkgs/tools/virtualization/nixos-container/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/virtualisation/nixos-containers.nix
+        - pkgs/tools/virtualization/nixos-container/**/*

 "6.topic: nodejs":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/javascript.section.md
-              - pkgs/build-support/node/**/*
-              - pkgs/development/node-packages/**/*
-              - pkgs/development/tools/yarn/*
-              - pkgs/development/tools/yarn2nix-moretea/**/*
-              - pkgs/development/tools/pnpm/**/*
-              - pkgs/development/web/nodejs/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/javascript.section.md
+        - pkgs/build-support/node/**/*
+        - pkgs/development/node-packages/**/*
+        - pkgs/development/tools/yarn/*
+        - pkgs/development/tools/yarn2nix-moretea/**/*
+        - pkgs/development/tools/pnpm/**/*
+        - pkgs/development/web/nodejs/*

 "6.topic: nvidia":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/hardware/video/nvidia.nix
-              - nixos/modules/services/hardware/nvidia-container-toolkit/**/*
-              - nixos/modules/services/hardware/nvidia-optimus.nix
-              - pkgs/os-specific/linux/nvidia-x11/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/hardware/video/nvidia.nix
+        - nixos/modules/services/hardware/nvidia-container-toolkit/**/*
+        - nixos/modules/services/hardware/nvidia-optimus.nix
+        - pkgs/os-specific/linux/nvidia-x11/**/*

 "6.topic: ocaml":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/ocaml.section.md
-              - pkgs/development/compilers/ocaml/**/*
-              - pkgs/development/compilers/reason/**/*
-              - pkgs/development/ocaml-modules/**/*
-              - pkgs/development/tools/ocaml/**/*
-              - pkgs/top-level/ocaml-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/ocaml.section.md
+        - pkgs/development/compilers/ocaml/**/*
+        - pkgs/development/compilers/reason/**/*
+        - pkgs/development/ocaml-modules/**/*
+        - pkgs/development/tools/ocaml/**/*
+        - pkgs/top-level/ocaml-packages.nix

 "6.topic: pantheon":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/desktops/pantheon/**/*
-              - nixos/modules/services/x11/desktop-managers/pantheon.nix
-              - nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
-              - nixos/tests/pantheon.nix
-              - pkgs/desktops/pantheon/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/desktops/pantheon/**/*
+        - nixos/modules/services/x11/desktop-managers/pantheon.nix
+        - nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
+        - nixos/tests/pantheon.nix
+        - pkgs/desktops/pantheon/**/*

 "6.topic: php":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/php.section.md
-              - nixos/tests/php/**/*
-              - pkgs/build-support/php/**/*
-              - pkgs/development/interpreters/php/**/*
-              - pkgs/development/php-packages/**/*
-              - pkgs/test/php/default.nix
-              - pkgs/top-level/php-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/php.section.md
+        - nixos/tests/php/**/*
+        - pkgs/build-support/php/**/*
+        - pkgs/development/interpreters/php/**/*
+        - pkgs/development/php-packages/**/*
+        - pkgs/test/php/default.nix
+        - pkgs/top-level/php-packages.nix

 "6.topic: printing":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/services/printing/cupsd.nix
-              - pkgs/misc/cups/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/services/printing/cupsd.nix
+        - pkgs/misc/cups/**/*

 "6.topic: python":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/python.section.md
-              - pkgs/development/interpreters/python/**/*
-              - pkgs/development/python-modules/**/*
-              - pkgs/top-level/python-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/python.section.md
+        - pkgs/development/interpreters/python/**/*
+        - pkgs/development/python-modules/**/*
+        - pkgs/top-level/python-packages.nix

 "6.topic: qt/kde":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/qt.section.md
-              - nixos/modules/services/x11/desktop-managers/plasma5.nix
-              - nixos/tests/plasma5.nix
-              - pkgs/applications/kde/**/*
-              - pkgs/desktops/plasma-5/**/*
-              - pkgs/development/libraries/kde-frameworks/**/*
-              - pkgs/development/libraries/qt-5/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/qt.section.md
+        - nixos/modules/services/x11/desktop-managers/plasma5.nix
+        - nixos/tests/plasma5.nix
+        - pkgs/applications/kde/**/*
+        - pkgs/desktops/plasma-5/**/*
+        - pkgs/development/libraries/kde-frameworks/**/*
+        - pkgs/development/libraries/qt-5/**/*

 "6.topic: R":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/applications/science/math/R/**/*
-              - pkgs/development/r-modules/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/applications/science/math/R/**/*
+        - pkgs/development/r-modules/**/*

 "6.topic: rocm":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/rocm-modules/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/rocm-modules/**/*

 "6.topic: ruby":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/ruby.section.md
-              - pkgs/development/interpreters/ruby/**/*
-              - pkgs/development/ruby-modules/**/*
-              - pkgs/top-level/ruby-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/ruby.section.md
+        - pkgs/development/interpreters/ruby/**/*
+        - pkgs/development/ruby-modules/**/*
+        - pkgs/top-level/ruby-packages.nix

 "6.topic: rust":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/rust.section.md
-              - pkgs/build-support/rust/**/*
-              - pkgs/development/compilers/rust/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/rust.section.md
+        - pkgs/build-support/rust/**/*
+        - pkgs/development/compilers/rust/**/*

 "6.topic: stdenv":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/stdenv/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/stdenv/**/*

 "6.topic: steam":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/games/steam/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/games/steam/**/*

 "6.topic: systemd":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/os-specific/linux/systemd/**/*
-              - nixos/modules/system/boot/systemd*/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/os-specific/linux/systemd/**/*
+        - nixos/modules/system/boot/systemd*/**/*

 "6.topic: tcl":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/tcl.section.md
-              - pkgs/development/interpreters/tcl/*
-              - pkgs/development/tcl-modules/**/*
-              - pkgs/top-level/tcl-packages.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/tcl.section.md
+        - pkgs/development/interpreters/tcl/*
+        - pkgs/development/tcl-modules/**/*
+        - pkgs/top-level/tcl-packages.nix

 "6.topic: teams":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - maintainers/team-list.nix
+    - changed-files:
+      - any-glob-to-any-file:
+          - maintainers/team-list.nix

 "6.topic: testing":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              # NOTE: Let's keep the scope limited to test frameworks that are
-              #       *developed in this repo*;
-              #       - not individual tests
-              #       - not packages for test frameworks
-              - pkgs/build-support/testers/**
-              - nixos/lib/testing/**
-              - nixos/lib/test-driver/**
-              - nixos/tests/nixos-test-driver/**
-              - nixos/lib/testing-python.nix # legacy
-              - nixos/tests/make-test-python.nix # legacy
-              # lib/debug.nix has a test framework (runTests) but it's not the main focus
+    - changed-files:
+      - any-glob-to-any-file:
+        # NOTE: Let's keep the scope limited to test frameworks that are
+        #       *developed in this repo*;
+        #       - not individual tests
+        #       - not packages for test frameworks
+        - pkgs/build-support/testers/**
+        - nixos/lib/testing/**
+        - nixos/lib/test-driver/**
+        - nixos/tests/nixos-test-driver/**
+        - nixos/lib/testing-python.nix      # legacy
+        - nixos/tests/make-test-python.nix  # legacy
+        # lib/debug.nix has a test framework (runTests) but it's not the main focus

 "6.topic: TeX":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/texlive.section.md
-              - pkgs/test/texlive/**
-              - pkgs/tools/typesetting/tex/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/texlive.section.md
+        - pkgs/test/texlive/**
+        - pkgs/tools/typesetting/tex/**/*

 "6.topic: updaters":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/common-updater/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/common-updater/**/*

 "6.topic: vim":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/languages-frameworks/vim.section.md
-              - pkgs/applications/editors/vim/**/*
-              - pkgs/applications/editors/vim/plugins/**/*
-              - nixos/modules/programs/neovim.nix
-              - pkgs/applications/editors/neovim/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/vim.section.md
+        - pkgs/applications/editors/vim/**/*
+        - pkgs/applications/editors/vim/plugins/**/*
+        - nixos/modules/programs/neovim.nix
+        - pkgs/applications/editors/neovim/**/*

 "6.topic: vscode":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/applications/editors/vscode/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/applications/editors/vscode/**/*

 "6.topic: windows":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/os-specific/windows/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/os-specific/windows/**/*

 "6.topic: xen-project":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/virtualisation/xen*
-              - pkgs/by-name/xe/xen/*
-              - pkgs/by-name/qe/qemu_xen/*
-              - pkgs/by-name/xe/xen-guest-agent/*
-              - pkgs/by-name/xt/xtf/*
-              - pkgs/build-support/xen/*
-              - pkgs/development/ocaml-modules/xen*/*
-              - pkgs/development/ocaml-modules/vchan/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/virtualisation/xen*
+        - pkgs/by-name/xe/xen/*
+        - pkgs/by-name/qe/qemu_xen/*
+        - pkgs/by-name/xe/xen-guest-agent/*
+        - pkgs/by-name/xt/xtf/*
+        - pkgs/build-support/xen/*
+        - pkgs/development/ocaml-modules/xen*/*
+        - pkgs/development/ocaml-modules/vchan/*

 "6.topic: xfce":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/doc/manual/configuration/xfce.xml
-              - nixos/modules/services/x11/desktop-managers/xfce.nix
-              - nixos/tests/xfce.nix
-              - pkgs/desktops/xfce/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/doc/manual/configuration/xfce.xml
+        - nixos/modules/services/x11/desktop-managers/xfce.nix
+        - nixos/tests/xfce.nix
+        - pkgs/desktops/xfce/**/*

 "6.topic: zig":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - pkgs/development/compilers/zig/**/*
-              - doc/hooks/zig.section.md
+    - changed-files:
+      - any-glob-to-any-file:
+        - pkgs/development/compilers/zig/**/*
+        - doc/hooks/zig.section.md

 "8.has: changelog":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - doc/release-notes/**/*
-              - nixos/doc/manual/release-notes/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/doc/manual/release-notes/**/*

 "8.has: maintainer-list (update)":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - maintainers/maintainer-list.nix
+    - changed-files:
+      - any-glob-to-any-file:
+        - maintainers/maintainer-list.nix

 "8.has: module (update)":
  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - nixos/modules/**/*
+    - changed-files:
+      - any-glob-to-any-file:
+        - nixos/modules/**/*

 # keep-sorted end
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -0,0 +1,9 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+daysUntilStale: 180
+daysUntilClose: false
+exemptLabels:
+  - "1.severity: security"
+  - "2.status: never-stale"
+staleLabel: "2.status: stale"
+markComment: false
+closeComment: false
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -2,62 +2,19 @@

 Some architectural notes about key decisions and concepts in our workflows:

- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows.
-  This has the advantage that those workflows will run without prior approval for external contributors.
+- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors.

- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches.
-  **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible.
-  Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.
+- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.

- By definition `pull_request_target` runs in the context of the **base** of the pull request.
-  This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default.
-  To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.
+- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.

- To test the pull request's contents, we checkout the "test merge commit".
-  This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?".
-  The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore).
-  This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout.
-  Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.
+- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.

- Various workflows need to make comparisons against the base branch.
-  In this case, we checkout the parent of the "test merge commit" for best results.
-  Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.
+- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.

 ## Terminology

- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions.
-  Same as `github.event.pull_request.base.sha`.
- **head commit**: The HEAD commit in the pull request's branch.
-  Same as `github.event.pull_request.head.sha`.
- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request.
-  Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
+- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`.
+- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`.
+- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
 - **target commit**: The base branch's parent of the "test merge commit" to compare against.
-
-## Concurrency Groups
-
-We use [GitHub's Concurrency Groups](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs) to cancel older jobs on pushes to Pull Requests.
-When two workflows are in the same group, a newer workflow cancels an older workflow.
-Thus, it is important how to construct the group keys:
-
- Because we want to run jobs for different events at same time, we add `github.event_name` to the key.
-  This is the case for the `pull_request` which runs on changes to the workflow files to test the new files and the same workflow from the base branch run via `pull_request_event`.
-
- We don't want workflows of different Pull Requests to cancel each other, so we include `github.event.pull_request.number`.
-  The [GitHub docs](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/control-the-concurrency-of-workflows-and-jobs#example-using-a-fallback-value) show using `github.head_ref` for this purpose, but this doesn't work well with forks: Different users could have the same head branch name in their forks and run CI for their PRs at the same time.
-
- Sometimes, there is no `pull_request.number`.
-  To ensure non-PR runs are never cancelled, we add a fallback of `github.run_id`.
-  This is a unique value for each workflow run.
-
- Of course, we run multiple workflows at the same time, so we add `github.workflow` to the key.
-  Otherwise workflows would cancel each other.
-
- There is a special case for reusable workflows called via `workflow_call` - they will have `github.workflow` set to their parent workflow's name.
-  Thus, they would cancel each other.
-  That's why we additionally hardcode the name of the workflow as well.
-
-This results in a key with the following semantics:
-
-```
-<running-workflow>-<triggering-workflow>-<triggered-event>-<pull-request/fallback>
-```
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -9,14 +9,7 @@ on:
  pull_request_target:
    types: [closed, labeled]

-permissions:
-  contents: read
-  issues: write
-  pull-requests: write
-
-defaults:
-  run:
-    shell: bash
+permissions: {}

 jobs:
  backport:
@@ -39,14 +32,9 @@ jobs:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ steps.app-token.outputs.token }}

-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
      - name: Create backport PRs
        id: backport
-        uses: korthout/backport-action@0193454f0c5947491d348f33a275c119f30eb736 # v3.2.1
+        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
        with:
          # Config README: https://github.com/korthout/backport-action#backport-action
          copy_labels_pattern: 'severity:\ssecurity'
@@ -57,20 +45,14 @@ jobs:
            * [ ] Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
              * Even as a non-committer, if you find that it is not acceptable, leave a comment.

-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          # Not using the app on purpose to avoid triggering another workflow run after adding this label.
-          script: |
-            await github.rest.issues.addLabels({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              labels: [ '8.has: port to stable' ]
-            })
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+        run: |
+          gh api \
+            --method POST \
+            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
+            -f "labels[]=8.has: port to stable"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,100 +0,0 @@
-name: Build
-
-on:
-  workflow_call:
-    inputs:
-      baseBranch:
-        required: true
-        type: string
-      mergedSha:
-        required: true
-        type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            system: x86_64-linux
-            builds: [shell, manual-nixos, lib-tests, tarball]
-            desc: shell, docs, lib, tarball
-          - runner: ubuntu-24.04-arm
-            system: aarch64-linux
-            builds: [shell, manual-nixos, manual-nixpkgs, manual-nixpkgs-tests]
-            desc: shell, docs
-          - runner: macos-13
-            system: x86_64-darwin
-            builds: [shell]
-            desc: shell
-          - runner: macos-14
-            system: aarch64-darwin
-            builds: [shell]
-            desc: shell
-    name: '${{ matrix.system }}: ${{ matrix.desc }}'
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          mergedSha: ${{ inputs.mergedSha }}
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
-        with:
-          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-          name: nixpkgs-ci
-          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
-
-      - name: Build shell
-        if: contains(matrix.builds, 'shell')
-        run: nix-build untrusted/ci -A shell
-
-      - name: Build NixOS manual
-        if: |
-          contains(matrix.builds, 'manual-nixos') && !cancelled() &&
-          contains(fromJSON(inputs.baseBranch).type, 'primary')
-        run: nix-build untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }} --out-link nixos-manual
-
-      - name: Build Nixpkgs manual
-        if: contains(matrix.builds, 'manual-nixpkgs') && !cancelled()
-        run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests
-
-      - name: Build Nixpkgs manual tests
-        if: contains(matrix.builds, 'manual-nixpkgs-tests') && !cancelled()
-        run: nix-build untrusted/ci -A manual-nixpkgs-tests
-
-      - name: Build lib tests
-        if: contains(matrix.builds, 'lib-tests') && !cancelled()
-        run: nix-build untrusted/ci -A lib-tests
-
-      - name: Build tarball
-        if: contains(matrix.builds, 'tarball') && !cancelled()
-        run: nix-build untrusted/ci -A tarball
-
-      - name: Upload NixOS manual
-        if: |
-          contains(matrix.builds, 'manual-nixos') && !cancelled() &&
-          contains(fromJSON(inputs.baseBranch).type, 'primary')
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: nixos-manual-${{ matrix.system }}
-          path: nixos-manual
-          if-no-files-found: error
--- a/.github/workflows/check-cherry-picks.yml
+++ b/.github/workflows/check-cherry-picks.yml
@@ -0,0 +1,30 @@
+name: "Check cherry-picks"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/check-cherry-picks.yml
+  pull_request_target:
+    branches:
+      - 'release-**'
+      - 'staging-**'
+      - '!staging-next'
+
+permissions: {}
+
+jobs:
+  check:
+    name: cherry-pick-check
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          filter: blob:none
+
+      - name: Check cherry-picks
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -0,0 +1,44 @@
+name: Check that files are formatted
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/check-format.yml
+  pull_request_target:
+    types: [opened, synchronize, reopened, edited]
+
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixos:
+    name: fmt-check
+    runs-on: ubuntu-24.04-arm
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Check that files are formatted
+        run: |
+          # Note that it's fine to run this on untrusted code because:
+          # - There's no secrets accessible here
+          # - The build is sandboxed
+          if ! nix-build ci -A fmt.check; then
+            echo "Some files are not properly formatted"
+            echo "Please format them by going to the Nixpkgs root directory and running one of:"
+            echo "  nix-shell --run treefmt"
+            echo "  nix develop --command treefmt"
+            echo "  nix fmt"
+            echo "Make sure your branch is up to date with master; rebase if not."
+            echo "If you're having trouble, please ping @NixOS/nix-formatting"
+            exit 1
+          fi
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@@ -0,0 +1,40 @@
+name: "Check shell"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/check-shell.yml
+  pull_request_target:
+    paths:
+      - 'shell.nix'
+      - 'ci/**'
+
+permissions: {}
+
+jobs:
+  shell-check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            system: x86_64-linux
+          - runner: ubuntu-24.04-arm
+            system: aarch64-linux
+          - runner: macos-13
+            system: x86_64-darwin
+          - runner: macos-14
+            system: aarch64-darwin
+
+    name: shell-check-${{ matrix.system }}
+    runs-on: ${{ matrix.runner }}
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+
+      - name: Build shell
+        run: nix-build ci -A shell
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,71 +0,0 @@
-name: Check
-
-on:
-  workflow_call:
-    inputs:
-      baseBranch:
-        required: true
-        type: string
-      headBranch:
-        required: true
-        type: string
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  no-channel-base:
-    name: no channel base
-    if: contains(fromJSON(inputs.baseBranch).type, 'channel')
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - run: |
-          cat <<EOF
-          The nixos-* and nixpkgs-* branches are pushed to by the channel
-          release script and should not be merged into directly.
-
-          Please target the equivalent release-* branch or master instead.
-          EOF
-          exit 1
-
-  cherry-pick:
-    if: |
-      github.event_name == 'pull_request' ||
-      (fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development'))
-    permissions:
-      pull-requests: write
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          filter: tree:0
-          path: trusted
-
-      - name: Install dependencies
-        run: npm install bottleneck
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Check cherry-picks
-        id: check
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            require('./trusted/ci/github-script/commits.js')({
-              github,
-              context,
-              core,
-              dry: context.eventName == 'pull_request',
-            })
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -27,39 +27,28 @@ on:
    paths:
      - .github/workflows/codeowners-v2.yml
  pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
-
-concurrency:
-  group: codeowners-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
+    types: [opened, ready_for_review, synchronize, reopened, edited]

 permissions: {}

-defaults:
-  run:
-    shell: bash
-
 env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

 jobs:
+  get-merge-commit:
+    if: github.repository_owner == 'NixOS'
+    uses: ./.github/workflows/get-merge-commit.yml
+
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
+    needs: get-merge-commit
+    if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
-
-      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
        with:
@@ -67,11 +56,18 @@ jobs:
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

+      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+      # We later build and run code from the base branch with access to secrets,
+      # so it's important this is not the PRs code.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+
      - name: Build codeowners validator
-        run: nix-build trusted/ci -A codeownersValidator
+        run: nix-build base/ci -A codeownersValidator

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
+        if: vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
@@ -79,47 +75,36 @@ jobs:
          permission-administration: read
          permission-members: read

-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: pr

      - name: Validate codeowners
        if: steps.app-token.outputs.token
+        run: result/bin/codeowners-validator
        env:
-          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
+          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: untrusted
+          REPOSITORY_PATH: pr
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
-        run: result/bin/codeowners-validator
-
-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq

  # Request reviews from code owners
  request:
    name: Request
    runs-on: ubuntu-24.04-arm
+    if: github.repository_owner == 'NixOS'
    steps:
-      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
-
-      - name: Build review request package
-        run: nix-build trusted/ci -A requestReviews

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
+        if: vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
@@ -128,20 +113,11 @@ jobs:
          permission-members: read
          permission-pull-requests: write

-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
+      - name: Build review request package
+        run: nix-build ci -A requestReviews

      - name: Request reviews
        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
-
-      - name: Log current API rate limits
-        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
--- a/.github/workflows/dismissed-review.yml
+++ b/.github/workflows/dismissed-review.yml
@@ -1,65 +0,0 @@
-name: Dismissed review
-
-on:
-  workflow_run:
-    workflows:
-      - Review dismissed
-    types: [completed]
-
-concurrency:
-  group: dismissed-review-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-permissions:
-  pull-requests: write
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  # The `check-cherry-picks` workflow creates review comments which reviewers
-  # are encouraged to manually dismiss if they're not relevant.
-  # When a CI-generated review is dismissed, this job automatically minimizes
-  # it, preventing it from cluttering the PR.
-  minimize:
-    name: Minimize as resolved
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            // PRs from forks don't have any PRs associated by default.
-            // Thus, we request the PR number with an API call *to* the fork's repo.
-            // Multiple pull requests can be open from the same head commit, either via
-            // different base branches or head branches.
-            const { head_repository, head_sha, repository } = context.payload.workflow_run
-            await Promise.all(
-              (await github.paginate(github.rest.repos.listPullRequestsAssociatedWithCommit, {
-                owner: head_repository.owner.login,
-                repo: head_repository.name,
-                commit_sha: head_sha
-              }))
-              .filter(pull_request => pull_request.base.repo.id == repository.id)
-              .map(async (pull_request) =>
-                Promise.all(
-                  (await github.paginate(github.rest.pulls.listReviews, {
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    pull_number: pull_request.number
-                  })).filter(review =>
-                    review.user.login == 'github-actions[bot]' &&
-                    review.state == 'DISMISSED'
-                  ).map(review => github.graphql(`
-                    mutation($node_id:ID!) {
-                      minimizeComment(input: {
-                        classifier: RESOLVED,
-                        subjectId: $node_id
-                      })
-                      { clientMutationId }
-                    }`,
-                    { node_id: review.node_id }
-                  ))
-                )
-              )
-            )
--- a/.github/workflows/edited.yml
+++ b/.github/workflows/edited.yml
@@ -1,58 +0,0 @@
-# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-# Instead it causes an `edited` event.
-# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
-# There are already feature requests for adding a `base_changed` event:
-# - https://github.com/orgs/community/discussions/35058
-# - https://github.com/orgs/community/discussions/64119
-#
-# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
-# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
-# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
-# This is much simpler and reliable than other approaches.
-
-name: "Edited base branch"
-
-on:
-  pull_request_target:
-    types: [edited]
-
-concurrency:
-  group: edited-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  base:
-    name: Trigger jobs
-    runs-on: ubuntu-24.04
-    if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ steps.app-token.outputs.token }}
-          script: |
-            function changeState(state) {
-              return github.rest.pulls.update({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                pull_number: context.payload.pull_request.number,
-                state
-              })
-            }
-            await changeState('closed')
-            await changeState('open')
--- a/.github/workflows/eval-aliases.yml
+++ b/.github/workflows/eval-aliases.yml
@@ -0,0 +1,36 @@
+name: Eval aliases
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/eval-aliases.yml
+  pull_request_target:
+
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  eval-aliases:
+    name: Eval nixpkgs with aliases enabled
+    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit ]
+    steps:
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Ensure flake outputs on all systems still evaluate
+        run: nix flake check --all-systems --no-build ./nixpkgs
+
+      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
+        run: |
+          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -1,36 +1,35 @@
 name: Eval

 on:
-  workflow_call:
-    inputs:
-      mergedSha:
-        required: true
-        type: string
-      targetSha:
-        type: string
-      systems:
-        required: true
-        type: string
-    secrets:
-      OWNER_APP_PRIVATE_KEY:
-        required: false
+  pull_request:
+    paths:
+      - .github/workflows/eval.yml
+  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened]
+  push:
+    # Keep this synced with ci/request-reviews/dev-branches.txt
+    branches:
+      - master
+      - staging
+      - release-*
+      - staging-*
+      - haskell-updates
+      - python-updates

 permissions: {}

-defaults:
-  run:
-    shell: bash
-
 jobs:
-  eval:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  outpaths:
+    name: Outpaths
    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit ]
    strategy:
      fail-fast: false
      matrix:
-        system: ${{ fromJSON(inputs.systems) }}
-    name: ${{ matrix.system }}
-    outputs:
-      targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
+        system: ${{ fromJSON(needs.get-merge-commit.outputs.systems) }}
    steps:
      - name: Enable swap
        run: |
@@ -42,11 +41,11 @@ jobs:
      - name: Check out the PR at the test merge commit
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ inputs.mergedSha }}
-          path: untrusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs

      - name: Install Nix
-        uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
          extra_nix_config: sandbox = true

@@ -54,202 +53,229 @@ jobs:
        env:
          MATRIX_SYSTEM: ${{ matrix.system }}
        run: |
-          nix-build untrusted/ci -A eval.singleSystem \
+          nix-build nixpkgs/ci -A eval.singleSystem \
            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --arg chunkSize 10000 \
-            --out-link merged
+            --arg chunkSize 10000
          # If it uses too much memory, slightly decrease chunkSize

      - name: Upload the output paths and eval stats
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: merged-${{ matrix.system }}
-          path: merged/*
+          name: intermediate-${{ matrix.system }}
+          path: result/*

-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Get target run id
-        if: inputs.targetSha
-        id: targetRunId
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-          TARGET_SHA: ${{ inputs.targetSha }}
-        with:
-          script: |
-            const system = process.env.MATRIX_SYSTEM
-            const targetSha = process.env.TARGET_SHA
-
-            let run_id
-            try {
-              run_id = (await github.rest.actions.listWorkflowRuns({
-                ...context.repo,
-                workflow_id: 'push.yml',
-                event: 'push',
-                head_sha: targetSha
-              })).data.workflow_runs[0].id
-            } catch {
-              throw new Error(`Could not find a push.yml workflow run for ${targetSha}.`)
-            }
-
-            // Waiting 120 * 5 sec = 10 min. max.
-            // Eval takes max 5-6 minutes, normally.
-            for (let i = 0; i < 120; i++) {
-              const result = await github.rest.actions.listWorkflowRunArtifacts({
-                ...context.repo,
-                run_id,
-                name: `merged-${system}`
-              })
-              if (result.data.total_count > 0) {
-                core.setOutput('targetRunId', run_id)
-                return
-              }
-              await new Promise(resolve => setTimeout(resolve, 5000))
-            }
-            // No artifact found at this stage. This usually means that Eval failed on the target branch.
-            // This should only happen when Eval is broken on the target branch and this PR fixes it.
-            // Continue without targetRunId to skip the remaining steps, but pass the job.
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
-
-      - uses: actions/download-artifact@v4
-        if: steps.targetRunId.outputs.targetRunId
-        with:
-          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
-          name: merged-${{ matrix.system }}
-          path: target
-          github-token: ${{ github.token }}
-          merge-multiple: true
-
-      - name: Compare outpaths against the target branch
-        if: steps.targetRunId.outputs.targetRunId
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build untrusted/ci -A eval.diff \
-            --arg beforeDir ./target \
-            --arg afterDir "$(readlink ./merged)" \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --out-link diff
-
-      - name: Upload outpaths diff and stats
-        if: steps.targetRunId.outputs.targetRunId
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: diff-${{ matrix.system }}
-          path: diff/*
-
-  compare:
+  process:
+    name: Process
    runs-on: ubuntu-24.04-arm
-    needs: [eval]
-    if: needs.eval.outputs.targetRunId
-    permissions:
-      statuses: write
+    needs: [ outpaths, get-merge-commit ]
+    outputs:
+      targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
    steps:
      - name: Download output paths and eval stats for all systems
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          pattern: diff-*
-          path: diff
-          merge-multiple: true
+          pattern: intermediate-*
+          path: intermediate

-      - name: Check out the PR at the target commit
+      - name: Check out the PR at the test merge commit
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ inputs.targetSha }}
-          path: trusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          fetch-depth: 2
+          path: nixpkgs

      - name: Install Nix
-        uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
          extra_nix_config: sandbox = true

      - name: Combine all output paths and eval stats
        run: |
-          nix-build trusted/ci -A eval.combine \
-            --arg diffDir ./diff \
-            --out-link combined
+          nix-build nixpkgs/ci -A eval.combine \
+            --arg resultsDir ./intermediate \
+            -o prResult
+
+      - name: Upload the combined results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: result
+          path: prResult/*
+
+      - name: Get target run id
+        if: needs.get-merge-commit.outputs.targetSha
+        id: targetRunId
+        run: |
+          # Get the latest eval.yml workflow run for the PR's target commit
+          if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
+            -f head_sha="$TARGET_SHA" -f event=push \
+            --jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \
+            || [[ -z "$run" ]]; then
+            echo "Could not find an eval.yml workflow run for $TARGET_SHA, cannot make comparison"
+            exit 1
+          fi
+          echo "Comparing against $(jq .html_url <<< "$run")"
+          runId=$(jq .id <<< "$run")
+          conclusion=$(jq -r .conclusion <<< "$run")
+
+          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
+            echo "Workflow not done, waiting 10 seconds before checking again"
+            sleep 10
+            conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
+          done
+
+          if [[ "$conclusion" != "success" ]]; then
+            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
+            exit 1
+          fi
+
+          echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
+        env:
+          REPOSITORY: ${{ github.repository }}
+          TARGET_SHA: ${{ needs.get-merge-commit.outputs.targetSha }}
+          GH_TOKEN: ${{ github.token }}
+
+      - uses: actions/download-artifact@v4
+        if: steps.targetRunId.outputs.targetRunId
+        with:
+          name: result
+          path: targetResult
+          github-token: ${{ github.token }}
+          run-id: ${{ steps.targetRunId.outputs.targetRunId }}

      - name: Compare against the target branch
-        env:
-          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+        if: steps.targetRunId.outputs.targetRunId
        run: |
-          git -C trusted fetch --depth 1 origin ${{ inputs.mergedSha }}
-          git -C trusted diff --name-only ${{ inputs.mergedSha }} \
+          git -C nixpkgs worktree add ../target ${{ needs.get-merge-commit.outputs.targetSha }}
+          git -C nixpkgs diff --name-only ${{ needs.get-merge-commit.outputs.targetSha }} \
            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json

          # Use the target branch to get accurate maintainer info
-          nix-build trusted/ci -A eval.compare \
-            --arg combinedDir "$(realpath ./combined)" \
+          nix-build target/ci -A eval.compare \
+            --arg beforeResultDir ./targetResult \
+            --arg afterResultDir "$(realpath prResult)" \
            --arg touchedFilesJson ./touched-files.json \
-            --argstr githubAuthorId "$AUTHOR_ID" \
-            --out-link comparison
+            -o comparison

          cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"

-      - name: Upload the comparison results
+      - name: Upload the combined results
+        if: steps.targetRunId.outputs.targetRunId
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: comparison
          path: comparison/*

-      - name: Add eval summary to commit statuses
-        if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const { readFile } = require('node:fs/promises')
-            const changed = JSON.parse(await readFile('comparison/changed-paths.json', 'utf-8'))
-            const description =
-              'Package: ' + [
-                `added ${changed.attrdiff.added.length}`,
-                `removed ${changed.attrdiff.removed.length}`,
-                `changed ${changed.attrdiff.changed.length}`
-              ].join(', ') +
-              ' — Rebuild: ' + [
-                `linux ${changed.rebuildCountByKernel.linux}`,
-                `darwin ${changed.rebuildCountByKernel.darwin}`
-              ].join(', ')
-
-            const { serverUrl, repo, runId, payload } = context
-            const target_url =
-              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
-
-            await github.rest.repos.createCommitStatus({
-              ...repo,
-              sha: payload.pull_request.head.sha,
-              context: 'Eval Summary',
-              state: 'success',
-              description,
-              target_url
-            })
-
-  misc:
-    if: ${{ github.event_name != 'push' }}
+  # Separate job to have a very tightly scoped PR write token
+  tag:
+    name: Tag
    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit, process ]
+    if: needs.process.outputs.targetRunId
+    permissions:
+      pull-requests: write
+      statuses: write
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.OWNER_APP_ID
+        id: app-token
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+          permission-pull-requests: write
+
+      - name: Download process result
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
-          merged-as-untrusted: true
+          name: comparison
+          path: comparison

      - name: Install Nix
-        uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+
+      # Important: This workflow job runs with extra permissions,
+      # so we need to make sure to not run untrusted code from PRs
+      - name: Check out Nixpkgs at the base commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          extra_nix_config: sandbox = true
+          ref: ${{ needs.get-merge-commit.outputs.targetSha }}
+          path: base
+          sparse-checkout: ci

-      - name: Ensure flake outputs on all systems still evaluate
-        run: nix flake check --all-systems --no-build ./untrusted
+      - name: Build the requestReviews derivation
+        run: nix-build base/ci -A requestReviews

-      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
+      - name: Labelling pull request
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
        run: |
-          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
+          # Get all currently set rebuild labels
+          gh api \
+            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
+            --jq '.[].name | select(startswith("10.rebuild"))' \
+            | sort > before
+
+          # And the labels that should be there
+          jq -r '.labels[]' comparison/changed-paths.json \
+            | sort > after
+
+          # Remove the ones not needed anymore
+          while read -r toRemove; do
+            echo "Removing label $toRemove"
+            gh api \
+              --method DELETE \
+              /repos/"$REPOSITORY"/issues/"$NUMBER"/labels/"$toRemove"
+          done < <(comm -23 before after)
+
+          # And add the ones that aren't set already
+          while read -r toAdd; do
+            echo "Adding label $toAdd"
+            gh api \
+              --method POST \
+              /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
+              -f "labels[]=$toAdd"
+          done < <(comm -13 before after)
+
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+
+      - name: Add eval summary to commit statuses
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
+        run: |
+          description=$(jq -r '
+          "Package: added " + (.attrdiff.added | length | tostring) +
+          ", removed " + (.attrdiff.removed | length | tostring) +
+          ", changed " + (.attrdiff.changed | length | tostring) +
+          ", Rebuild: linux " + (.rebuildCountByKernel.linux | tostring) +
+          ", darwin " + (.rebuildCountByKernel.darwin | tostring)
+          ' <comparison/changed-paths.json)
+          target_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID?pr=$NUMBER"
+          gh api --method POST \
+            -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
+            -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          NUMBER: ${{ github.event.number }}
+
+      - name: Requesting maintainer reviews
+        if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
+        run: |
+          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
+          # There appears to be no API to request reviews based on GitHub IDs
+          jq -r 'keys[]' comparison/maintainers.json \
+            | while read -r id; do gh api /user/"$id" --jq .login; done \
+            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          # Don't request reviewers on draft PRs
+          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
--- a/.github/workflows/get-merge-commit.yml
+++ b/.github/workflows/get-merge-commit.yml
@@ -0,0 +1,58 @@
+name: Get merge commit
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/get-merge-commit.yml
+  workflow_call:
+    outputs:
+      mergedSha:
+        description: "The merge commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
+      targetSha:
+        description: "The target commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.targetSha }}
+      systems:
+        description: "The supported systems"
+        value: ${{ jobs.resolve-merge-commit.outputs.systems }}
+
+permissions: {}
+
+jobs:
+  resolve-merge-commit:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      mergedSha: ${{ steps.merged.outputs.mergedSha }}
+      targetSha: ${{ steps.merged.outputs.targetSha }}
+      systems: ${{ steps.systems.outputs.systems }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+          sparse-checkout: ci
+
+      - name: Check if the PR can be merged and get the test merge commit
+        id: merged
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_EVENT: ${{ github.event_name }}
+        run: |
+          case "$GH_EVENT" in
+            push)
+              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+              ;;
+            pull_request*)
+              if commits=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+                echo -e "Checking the commits:\n$commits"
+                echo "$commits" >> "$GITHUB_OUTPUT"
+              else
+                # Skipping so that no notifications are sent
+                echo "Skipping the rest..."
+              fi
+              ;;
+          esac
+
+      - name: Load supported systems
+        id: systems
+        run: |
+          echo "systems=$(jq -c <base/ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -3,118 +3,58 @@
 # access to the GitHub API. This means that it should not evaluate user input in
 # a way that allows code injection.

-name: Labels
+name: "Label PR"

 on:
-  schedule:
-    - cron: '07,17,27,37,47,57 * * * *'
-  workflow_call:
-    inputs:
-      headBranch:
-        required: true
-        type: string
-    secrets:
-      NIXPKGS_CI_APP_PRIVATE_KEY:
-        required: true
-  workflow_dispatch:
+  pull_request_target:
+    types: [edited, opened, synchronize, reopened]

-concurrency:
-  # This explicitly avoids using `run_id` for the concurrency key to make sure that only
-  # *one* scheduled run can run at a time.
-  group: labels-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number }}
-  # PR-triggered runs will be cancelled, but scheduled runs will be queued.
-  cancel-in-progress: ${{ github.event_name != 'schedule' }}
-
-# This is used as fallback without app only.
-# This happens when testing in forks without setting up that app.
 permissions:
-  issues: write
+  contents: read
  pull-requests: write

-defaults:
-  run:
-    shell: bash
-
 jobs:
-  update:
+  labels:
+    name: label-pr
    runs-on: ubuntu-24.04-arm
-    if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: |
-            ci/github-script
-
-      - name: Install dependencies
-        run: npm install @actions/artifact bottleneck
-
-      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.NIXPKGS_CI_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-issues: write
-          permission-pull-requests: write
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Labels from API data and Eval results
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
-          retries: 3
-          script: |
-            require('./ci/github-script/labels.js')({
-              github,
-              context,
-              core,
-              dry: context.eventName == 'pull_request'
-            })
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
-
      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        name: Labels from touched files
        if: |
-          github.event_name == 'pull_request_target' &&
-          !contains(fromJSON(inputs.headBranch).type, 'development')
+          github.event.pull_request.head.repo.owner.login != 'NixOS' || !(
+            github.head_ref == 'haskell-updates' ||
+            github.head_ref == 'python-updates' ||
+            github.head_ref == 'staging-next' ||
+            startsWith(github.head_ref, 'staging-next-')
+          )
        with:
-          repo-token: ${{ steps.app-token.outputs.token }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          configuration-path: .github/labeler.yml # default
          sync-labels: true
-
      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        name: Labels from touched files (no sync)
        if: |
-          github.event_name == 'pull_request_target' &&
-          !contains(fromJSON(inputs.headBranch).type, 'development')
+          github.event.pull_request.head.repo.owner.login != 'NixOS' || !(
+            github.head_ref == 'haskell-updates' ||
+            github.head_ref == 'python-updates' ||
+            github.head_ref == 'staging-next' ||
+            startsWith(github.head_ref, 'staging-next-')
+          )
        with:
-          repo-token: ${{ steps.app-token.outputs.token }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          configuration-path: .github/labeler-no-sync.yml
          sync-labels: false
-
      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        name: Labels from touched files (development branches)
        # Development branches like staging-next, haskell-updates and python-updates get special labels.
        # This is to avoid the mass of labels there, which is mostly useless - and really annoying for
        # the backport labels.
        if: |
-          github.event_name == 'pull_request_target' &&
-          contains(fromJSON(inputs.headBranch).type, 'development')
+          github.event.pull_request.head.repo.owner.login == 'NixOS' && (
+            github.head_ref == 'haskell-updates' ||
+            github.head_ref == 'python-updates' ||
+            github.head_ref == 'staging-next' ||
+            startsWith(github.head_ref, 'staging-next-')
+          )
        with:
-          repo-token: ${{ steps.app-token.outputs.token }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
          configuration-path: .github/labeler-development-branches.yml
          sync-labels: true
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
--- a/.github/workflows/lib-tests.yml
+++ b/.github/workflows/lib-tests.yml
@@ -0,0 +1,34 @@
+name: "Building Nixpkgs lib-tests"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/lib-tests.yml
+  pull_request_target:
+    paths:
+      - 'lib/**'
+      - 'maintainers/**'
+
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixpkgs-lib-tests:
+    name: nixpkgs-lib-tests
+    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Building Nixpkgs lib-tests
+        run: |
+          nix-build ci -A lib-tests
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,105 +0,0 @@
-name: Lint
-
-on:
-  workflow_call:
-    inputs:
-      mergedSha:
-        required: true
-        type: string
-      targetSha:
-        required: true
-        type: string
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  treefmt:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          mergedSha: ${{ inputs.mergedSha }}
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Check that files are formatted
-        run: |
-          # Note that it's fine to run this on untrusted code because:
-          # - There's no secrets accessible here
-          # - The build is sandboxed
-          if ! nix-build untrusted/ci -A fmt.check; then
-            echo "Some files are not properly formatted"
-            echo "Please format them by going to the Nixpkgs root directory and running one of:"
-            echo "  nix-shell --run treefmt"
-            echo "  nix develop --command treefmt"
-            echo "  nix fmt"
-            echo "Make sure your branch is up to date with master; rebase if not."
-            echo "If you're having trouble, please ping @NixOS/nix-formatting"
-            exit 1
-          fi
-
-  parse:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          mergedSha: ${{ inputs.mergedSha }}
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Parse all nix files
-        run: |
-          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
-          nix-build untrusted/ci -A parse --keep-going
-
-  nixpkgs-vet:
-    runs-on: ubuntu-24.04-arm
-    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout merged and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          mergedSha: ${{ inputs.mergedSha }}
-          merged-as-untrusted: true
-          targetSha: ${{ inputs.targetSha }}
-          target-as-trusted: true
-
-      - uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Running nixpkgs-vet
-        env:
-          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
-          CLICOLOR_FORCE: 1
-        run: |
-          if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
-            exit 0
-          else
-            exitCode=$?
-            echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
-            echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
-            exit "$exitCode"
-          fi
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -0,0 +1,58 @@
+name: "Build NixOS manual v2"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/manual-nixos-v2.yml
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - "nixos/**"
+      # Also build when the nixpkgs doc changed, since we take things like
+      # the release notes and some css and js files from there.
+      # See nixos/doc/manual/default.nix
+      - "doc/**"
+      # Build when something in lib changes
+      # Since the lib functions are used to 'massage' the options before producing the manual
+      - "lib/**"
+
+permissions: {}
+
+jobs:
+  nixos:
+    name: nixos-manual-build
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            system: x86_64-linux
+          - runner: ubuntu-24.04-arm
+            system: aarch64-linux
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+
+      - name: Build NixOS manual
+        id: build-manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixos --argstr system ${{ matrix.system }}
+
+      - name: Upload NixOS manual
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: nixos-manual-${{ matrix.system }}
+          path: result/
+          if-no-files-found: error
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -0,0 +1,37 @@
+name: "Build Nixpkgs manual v2"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/manual-nixpkgs-v2.yml
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'doc/**'
+      - 'lib/**'
+      - 'pkgs/by-name/ni/nixdoc/**'
+
+permissions: {}
+
+jobs:
+  nixpkgs:
+    name: nixpkgs-manual-build
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+        with:
+          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+      - name: Building Nixpkgs manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixpkgs -A manual-nixpkgs-tests
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -0,0 +1,33 @@
+name: "Check whether nix files are parseable v2"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/nix-parse-v2.yml
+  pull_request_target:
+
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  tests:
+    name: nix-files-parseable-check
+    runs-on: ubuntu-24.04-arm
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+          nix_path: nixpkgs=channel:nixpkgs-unstable
+
+      - name: Parse all nix files
+        run: |
+          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
+          nix-build ci -A parse --keep-going
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@@ -0,0 +1,76 @@
+# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more.
+# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
+# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
+# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
+
+name: Vet nixpkgs
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/nixpkgs-vet.yml
+  pull_request_target:
+    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here.
+    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
+    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
+    types: [opened, synchronize, reopened, edited]
+
+permissions: {}
+
+# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.
+# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  check:
+    name: nixpkgs-vet
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
+    runs-on: ubuntu-24.04
+    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
+    timeout-minutes: 10
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+
+      - name: Checking out target branch
+        run: |
+          target=$(mktemp -d)
+          git worktree add "$target" "$(git rev-parse HEAD^1)"
+          echo "target=$target" >> "$GITHUB_ENV"
+
+      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+
+      - name: Fetching the pinned tool
+        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
+        run: |
+          # The pinned version of the tooling to use.
+          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
+
+          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+            | gzip -cd | nix-store --import | tail -1)
+
+          # Adds a result symlink as a GC root.
+          nix-store --realise "$toolPath" --add-root result
+
+      - name: Running nixpkgs-vet
+        env:
+          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
+          CLICOLOR_FORCE: 1
+        run: |
+          if result/bin/nixpkgs-vet --base "$target" .; then
+            exit 0
+          else
+            exitCode=$?
+            echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
+            echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
+            exit "$exitCode"
+          fi
--- a/.github/workflows/no-channel.yml
+++ b/.github/workflows/no-channel.yml
@@ -0,0 +1,28 @@
+name: "No channel PR"
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/no-channel.yml
+  pull_request_target:
+    # Re-run should be triggered when the base branch is updated, instead of silently failing
+    types: [opened, synchronize, reopened, edited]
+
+permissions: {}
+
+jobs:
+  fail:
+    if: |
+      startsWith(github.event.pull_request.base.ref, 'nixos-') ||
+      startsWith(github.event.pull_request.base.ref, 'nixpkgs-')
+    name: "This PR is targeting a channel branch"
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - run: |
+          cat <<EOF
+          The nixos-* and nixpkgs-* branches are pushed to by the channel
+          release script and should not be merged into directly.
+
+          Please target the equivalent release-* branch or master instead.
+          EOF
+          exit 1
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -11,15 +11,11 @@ on:
  schedule:
    # * is a special character in YAML so you have to quote this string
    # Merge every 24 hours
-    - cron: '0 0 * * *'
+    - cron:  '0 0 * * *'
  workflow_dispatch:

 permissions: {}

-defaults:
-  run:
-    shell: bash
-
 jobs:
  periodic-merge:
    if: github.repository_owner == 'NixOS'
@@ -31,16 +27,18 @@ jobs:
      max-parallel: 1
      matrix:
        pairs:
-          - from: release-25.05
+          - from: release-24.11
+            into: staging-next-24.11
+          - from: staging-next-24.11
+            into: staging-24.11
+          - from: master
            into: staging-next-25.05
          - from: staging-next-25.05
            into: staging-25.05
-          - name: merge-base(master,staging) → haskell-updates
-            from: master staging
+          - from: master staging
            into: haskell-updates
    uses: ./.github/workflows/periodic-merge.yml
    with:
      from: ${{ matrix.pairs.from }}
      into: ${{ matrix.pairs.into }}
-    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets: inherit
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -11,15 +11,11 @@ on:
  schedule:
    # * is a special character in YAML so you have to quote this string
    # Merge every 6 hours
-    - cron: '0 */6 * * *'
+    - cron:  '0 */6 * * *'
  workflow_dispatch:

 permissions: {}

-defaults:
-  run:
-    shell: bash
-
 jobs:
  periodic-merge:
    if: github.repository_owner == 'NixOS'
@@ -39,5 +35,4 @@ jobs:
    with:
      from: ${{ matrix.pairs.from }}
      into: ${{ matrix.pairs.into }}
-    name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets: inherit
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -12,13 +12,10 @@ on:
        required: true
        type: string

-defaults:
-  run:
-    shell: bash
-
 jobs:
  merge:
    runs-on: ubuntu-24.04-arm
+    name: ${{ inputs.from }} → ${{ inputs.into }}
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -1,149 +0,0 @@
-name: PR
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/build.yml
-      - .github/workflows/check.yml
-      - .github/workflows/eval.yml
-      - .github/workflows/lint.yml
-      - .github/workflows/pr.yml
-      - .github/workflows/labels.yml
-      - .github/workflows/reviewers.yml # needs eval results from the same event type
-  pull_request_target:
-
-concurrency:
-  group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  prepare:
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      baseBranch: ${{ steps.branches.outputs.base }}
-      headBranch: ${{ steps.branches.outputs.head }}
-      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
-      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: |
-            .github/actions
-            ci/supportedBranches.js
-            ci/supportedSystems.json
-      - name: Check if the PR can be merged and get the test merge commit
-        uses: ./.github/actions/get-merge-commit
-        id: get-merge-commit
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
-
-      - name: Determine branch type
-        id: branches
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const { classify } = require('./ci/supportedBranches.js')
-            const { base, head } = context.payload.pull_request
-
-            const baseClassification = classify(base.ref)
-            core.setOutput('base', baseClassification)
-            core.info('base classification:', baseClassification)
-
-            const headClassification =
-              (base.repo.full_name == head.repo.full_name) ?
-              classify(head.ref) :
-              // PRs from forks are always considered WIP.
-              { type: ['wip'] }
-            core.setOutput('head', headClassification)
-            core.info('head classification:', headClassification)
-
-  check:
-    name: Check
-    needs: [prepare]
-    uses: ./.github/workflows/check.yml
-    permissions:
-      # cherry-picks
-      pull-requests: write
-    with:
-      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
-      headBranch: ${{ needs.prepare.outputs.headBranch }}
-
-  lint:
-    name: Lint
-    needs: [prepare]
-    uses: ./.github/workflows/lint.yml
-    with:
-      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
-      targetSha: ${{ needs.prepare.outputs.targetSha }}
-
-  eval:
-    name: Eval
-    needs: [prepare]
-    uses: ./.github/workflows/eval.yml
-    permissions:
-      # compare
-      statuses: write
-    secrets:
-      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-    with:
-      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
-      targetSha: ${{ needs.prepare.outputs.targetSha }}
-      systems: ${{ needs.prepare.outputs.systems }}
-
-  labels:
-    name: Labels
-    needs: [prepare, eval]
-    uses: ./.github/workflows/labels.yml
-    permissions:
-      issues: write
-      pull-requests: write
-    secrets:
-      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-    with:
-      headBranch: ${{ needs.prepare.outputs.headBranch }}
-
-  reviewers:
-    name: Reviewers
-    needs: [prepare, eval]
-    if: |
-      needs.prepare.outputs.targetSha &&
-      !contains(fromJSON(needs.prepare.outputs.headBranch).type, 'development')
-    uses: ./.github/workflows/reviewers.yml
-    secrets:
-      OWNER_APP_PRIVATE_KEY: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-
-  build:
-    name: Build
-    needs: [prepare]
-    uses: ./.github/workflows/build.yml
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-    with:
-      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
-      mergedSha: ${{ needs.prepare.outputs.mergedSha }}
-
-  # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
-  # It "needs" all the jobs that should block merging a PR.
-  # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
-  # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
-  no-pr-failures:
-    # Modify this list to add or remove jobs from required status checks.
-    needs:
-      - check
-      - lint
-      - eval
-      - build
-    # WARNING:
-    # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
-    # This would prevent all PRs from merging.
-    name: no PR failures
-    if: ${{ failure() }}
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - run: exit 1
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -1,48 +0,0 @@
-name: Push
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/push.yml
-      # eval is tested via pr.yml
-  push:
-    # Keep this synced with ci/request-reviews/dev-branches.txt
-    branches:
-      - master
-      - staging
-      - release-*
-      - staging-*
-      - haskell-updates
-      - python-updates
-
-permissions: {}
-
-jobs:
-  prepare:
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: |
-            ci/supportedSystems.json
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
-
-  eval:
-    name: Eval
-    needs: [prepare]
-    uses: ./.github/workflows/eval.yml
-    # Those are not actually used on push, but will throw an error if not set.
-    permissions:
-      # compare
-      issues: write
-      pull-requests: write
-      statuses: write
-    with:
-      mergedSha: ${{ github.sha }}
-      systems: ${{ needs.prepare.outputs.systems }}
--- a/.github/workflows/review-dismissed.yml
+++ b/.github/workflows/review-dismissed.yml
@@ -1,17 +0,0 @@
-name: Review dismissed
-
-on:
-  pull_request_review:
-    types: [dismissed]
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  trigger:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - run: echo This is a no-op only used as a trigger for workflow_run.
--- a/.github/workflows/reviewers.yml
+++ b/.github/workflows/reviewers.yml
@@ -1,144 +0,0 @@
-# This workflow will request reviews from the maintainers of each package
-# listed in the PR's most recent eval comparison artifact.
-
-name: Reviewers
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/reviewers.yml
-  pull_request_target:
-    types: [ready_for_review]
-  workflow_call:
-    secrets:
-      OWNER_APP_PRIVATE_KEY:
-        required: true
-
-concurrency:
-  group: reviewers-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  request:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Check out the PR at the base commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
-          sparse-checkout: ci
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@f0fe604f8a612776892427721526b4c7cfb23aba # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Build the requestReviews derivation
-        run: nix-build trusted/ci -A requestReviews
-
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-      - name: Log current API rate limits (github.token)
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
-
-      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
-      # In the more special case, when a PR is undrafted an eval run will have started already.
-      - name: Wait for comparison to be done
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        id: eval
-        with:
-          script: |
-            const run_id = (await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'pr.yml',
-              event: context.eventName,
-              head_sha: context.payload.pull_request.head.sha
-            })).data.workflow_runs[0].id
-
-            core.setOutput('run-id', run_id)
-
-            // Waiting 120 * 5 sec = 10 min. max.
-            // The extreme case is an Eval run that just started when the PR is undrafted.
-            // Eval takes max 5-6 minutes, normally.
-            for (let i = 0; i < 120; i++) {
-              const result = await github.rest.actions.listWorkflowRunArtifacts({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                run_id,
-                name: 'comparison'
-              })
-              if (result.data.total_count > 0) return
-              await new Promise(resolve => setTimeout(resolve, 5000))
-            }
-            throw new Error("No comparison artifact found.")
-
-      - name: Log current API rate limits (github.token)
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Download the comparison results
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          run-id: ${{ steps.eval.outputs.run-id }}
-          github-token: ${{ github.token }}
-          pattern: comparison
-          path: comparison
-          merge-multiple: true
-
-      - name: Log current API rate limits (app-token)
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Log current API rate limits (github.token)
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Requesting maintainer reviews
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-          # Don't request reviewers on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-        run: |
-          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
-          # There appears to be no API to request reviews based on GitHub IDs
-          jq -r 'keys[]' comparison/maintainers.json \
-            | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
-
-      - name: Log current API rate limits (app-token)
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Log current API rate limits (github.token)
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: gh api /rate_limit | jq
--- a/.mailmap
+++ b/.mailmap
@@ -18,7 +18,6 @@ Jörg Thalheim <joerg@thalheim.io> <Mic92@users.noreply.github.com>
 Lin Jian <me@linj.tech> <linj.dev@outlook.com>
 Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>
 Martin Weinelt <hexa@darmstadt.ccc.de> <mweinelt@users.noreply.github.com>
-Martin Häcker <spamfaenger@gmx.de> <spamfaenger@gmx.de>
 moni <lythe1107@gmail.com> <lythe1107@icloud.com>
 R. RyanTM <ryantm-bot@ryantm.com>
 Robert Hensing <robert@roberthensing.nl> <roberth@users.noreply.github.com>
@@ -28,7 +27,5 @@ superherointj <5861043+superherointj@users.noreply.github.com>
 Tomodachi94 <tomodachi94@protonmail.com> Tomo <68489118+Tomodachi94@users.noreply.github.com>
 Vladimír Čunát <v@cunat.cz> <vcunat@gmail.com>
 Vladimír Čunát <v@cunat.cz> <vladimir.cunat@nic.cz>
-Yifei Sun <ysun@hey.com>
-Yifei Sun <ysun@hey.com> StepBroBD <ysun@hey.com>
 Yifei Sun <ysun@hey.com> StepBroBD <Hi@StepBroBD.com>
 Yifei Sun <ysun@hey.com> <ysun+git@stepbrobd.com>
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -0,0 +1,21 @@
+queue_rules:
+  # This rule is for https://docs.mergify.com/commands/queue/
+  # and can be triggered with: @mergifyio queue
+  - name: default
+    merge_conditions:
+      # all github action checks in this list are required to merge a pull request
+      - check-success=Attributes
+      - check-success=Check
+      - check-success=Outpaths (aarch64-darwin)
+      - check-success=Outpaths (aarch64-linux)
+      - check-success=Outpaths (x86_64-darwin)
+      - check-success=Outpaths (x86_64-linux)
+      - check-success=Process
+      - check-success=Request
+      - check-success=editorconfig-check
+      - check-success=label-pr
+      - check-success=nix-files-parseable-check
+      - check-success=nixfmt-check
+      - check-success=nixpkgs-vet
+    # queue up to 5 pull requests at a time
+    batch_size: 5
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 <p align="center">
  <a href="https://nixos.org">
    <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg">
+      <source media="(prefers-color-scheme: light)" srcset="https://nixos.org/logo/nixos-hires.png">
      <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg" width="500px" alt="NixOS logo">
+      <img src="https://nixos.org/logo/nixos-hires.png" width="500px" alt="NixOS logo">
    </picture>
  </a>
 </p>
@@ -13,8 +13,10 @@
  <a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a>
 </p>

-[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 120,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
-It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
+[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over
+120,000 software packages that can be installed with the
+[Nix](https://nixos.org/nix/) package manager. It also implements
+[NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.

 # Manuals

@@ -32,8 +34,9 @@ It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux

 # Other Project Repositories

-The sources of all official Nix-related projects are in the [NixOS organization on GitHub](https://github.com/NixOS/).
-Here are some of the main ones:
+The sources of all official Nix-related projects are in the [NixOS
+organization on GitHub](https://github.com/NixOS/). Here are some of
+the main ones:

 * [Nix](https://github.com/NixOS/nix) - the purely functional package manager
 * [NixOps](https://github.com/NixOS/nixops) - the tool to remotely deploy NixOS machines
@@ -45,33 +48,44 @@ Here are some of the main ones:

 # Continuous Integration and Distribution

-Nixpkgs and NixOS are built and tested by our continuous integration system, [Hydra](https://hydra.nixos.org/).
+Nixpkgs and NixOS are built and tested by our continuous integration
+system, [Hydra](https://hydra.nixos.org/).

 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 25.05 release](https://hydra.nixos.org/jobset/nixos/release-25.05)
+* [Continuous package builds for the NixOS 24.11 release](https://hydra.nixos.org/jobset/nixos/release-24.11)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 25.05 release](https://hydra.nixos.org/job/nixos/release-25.05/tested#tabs-constituents)
+* [Tests for the NixOS 24.11 release](https://hydra.nixos.org/job/nixos/release-24.11/tested#tabs-constituents)

-Artifacts successfully built with Hydra are published to cache at https://cache.nixos.org/.
-When successful build and test criteria are met, the Nixpkgs expressions are distributed via [Nix channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
+Artifacts successfully built with Hydra are published to cache at
+https://cache.nixos.org/. When successful build and test criteria are
+met, the Nixpkgs expressions are distributed via [Nix
+channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).

 # Contributing

-Nixpkgs is among the most active projects on GitHub.
-While thousands of open issues and pull requests might seem a lot at first, it helps consider it in the context of the scope of the project.
-Nixpkgs describes how to build tens of thousands of pieces of software and implements a Linux distribution.
-The [GitHub Insights](https://github.com/NixOS/nixpkgs/pulse) page gives a sense of the project activity.
+Nixpkgs is among the most active projects on GitHub. While thousands
+of open issues and pull requests might seem a lot at first, it helps
+consider it in the context of the scope of the project. Nixpkgs
+describes how to build tens of thousands of pieces of software and implements a
+Linux distribution. The [GitHub Insights](https://github.com/NixOS/nixpkgs/pulse)
+page gives a sense of the project activity.

-Community contributions are always welcome through GitHub Issues and Pull Requests.
+Community contributions are always welcome through GitHub Issues and
+Pull Requests.

-For more information about contributing to the project, please visit the [contributing page](CONTRIBUTING.md).
+For more information about contributing to the project, please visit
+the [contributing page](CONTRIBUTING.md).

 # Donations

-The infrastructure for NixOS and related projects is maintained by a nonprofit organization, the [NixOS Foundation](https://nixos.org/nixos/foundation.html).
-To ensure the continuity and expansion of the NixOS infrastructure, we are looking for donations to our organization.
+The infrastructure for NixOS and related projects is maintained by a
+nonprofit organization, the [NixOS
+Foundation](https://nixos.org/nixos/foundation.html). To ensure the
+continuity and expansion of the NixOS infrastructure, we are looking
+for donations to our organization.

-You can donate to the NixOS foundation through [SEPA bank transfers](https://nixos.org/donate.html) or by using Open Collective:
+You can donate to the NixOS foundation through [SEPA bank
+transfers](https://nixos.org/donate.html) or by using Open Collective:

 <a href="https://opencollective.com/nixos#support"><img src="https://opencollective.com/nixos/tiers/supporter.svg?width=890" /></a>

@@ -79,7 +93,9 @@ You can donate to the NixOS foundation through [SEPA bank transfers](https://nix

 Nixpkgs is licensed under the [MIT License](COPYING).

-Note:
-MIT license does not apply to the packages built by Nixpkgs, merely to the files in this repository (the Nix expressions, build scripts, NixOS modules, etc.).
-It also might not apply to patches included in Nixpkgs, which may be derivative works of the packages to which they apply.
-The aforementioned artifacts are all covered by the licenses of the respective packages.
+Note: MIT license does not apply to the packages built by Nixpkgs,
+merely to the files in this repository (the Nix expressions, build
+scripts, NixOS modules, etc.). It also might not apply to patches
+included in Nixpkgs, which may be derivative works of the packages to
+which they apply. The aforementioned artifacts are all covered by the
+licenses of the respective packages.
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -15,9 +15,11 @@

 # CI
 /.github/*_TEMPLATE*                    @SigmaSquadron
-/.github/actions                        @NixOS/nixpkgs-ci
-/.github/workflows                      @NixOS/nixpkgs-ci
-/ci                                     @NixOS/nixpkgs-ci
+/.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
+/.github/workflows/check-format.yml     @infinisil @wolfgangwalther
+/.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
+/.github/workflows/nixpkgs-vet.yml      @infinisil @philiptaron @wolfgangwalther
+/ci                                     @infinisil @philiptaron @NixOS/Security @wolfgangwalther
 /ci/OWNERS                              @infinisil @philiptaron

 # Development support
@@ -26,19 +28,13 @@

 # Libraries
 /lib                        @infinisil @hsjobeki
+/lib/systems                @alyssais @ericson2314 @NixOS/stdenv
 /lib/generators.nix         @infinisil @hsjobeki @Profpatsch
 /lib/cli.nix                @infinisil @hsjobeki @Profpatsch
 /lib/debug.nix              @infinisil @hsjobeki @Profpatsch
 /lib/asserts.nix            @infinisil @hsjobeki @Profpatsch
 /lib/path/*                 @infinisil @hsjobeki
 /lib/fileset                @infinisil @hsjobeki
-## Standard environment–related libraries
-/lib/customisation.nix      @alyssais @NixOS/stdenv
-/lib/derivations.nix        @alyssais @NixOS/stdenv
-/lib/fetchers.nix           @alyssais @NixOS/stdenv
-/lib/meta.nix               @alyssais @NixOS/stdenv
-/lib/source-types.nix       @alyssais @NixOS/stdenv
-/lib/systems                @alyssais @NixOS/stdenv
 ## Libraries / Module system
 /lib/modules.nix            @infinisil @roberth @hsjobeki
 /lib/types.nix              @infinisil @roberth @hsjobeki
@@ -62,7 +58,6 @@
 /pkgs/build-support/cc-wrapper                   @Ericson2314
 /pkgs/build-support/bintools-wrapper             @Ericson2314
 /pkgs/build-support/setup-hooks                  @Ericson2314
-/pkgs/build-support/setup-hooks/arrayUtilities   @ConnorBaker
 /pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
 /pkgs/by-name/au/auto-patchelf                   @layus

@@ -135,8 +130,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka

 # Limine
-/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi @johnrtitor
-/nixos/tests/limine                             @johnrtitor
+/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi

 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
@@ -169,13 +163,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 ## common-updater-scripts
 /pkgs/common-updater/scripts/update-source-version    @jtojnar

-# Android tools, libraries, and environments
-/pkgs/development/android*                    @NixOS/android
-/pkgs/development/mobile/android*             @NixOS/android
-/pkgs/applications/editors/android-studio*    @NixOS/android
-/doc/languages-frameworks/android*            @NixOS/android
-/pkgs/by-name/an/android*                     @NixOS/android
-
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
@@ -224,7 +211,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/development/compilers/gcc
 /pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
 /pkgs/development/compilers/emscripten @raitobezarius
-/doc/toolchains/llvm.chapter.md @alyssais @RossComputerGuy @NixOS/llvm
 /doc/languages-frameworks/emscripten.section.md @raitobezarius

 # Audio
@@ -234,11 +220,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/tests/snapcast.nix @mweinelt

 # Browsers
-/pkgs/build-support/build-mozilla-mach @mweinelt
-/pkgs/applications/networking/browsers/firefox/update.nix
-/pkgs/applications/networking/browsers/firefox/packages/firefox.nix @mweinelt
-/pkgs/applications/networking/browsers/firefox/packages/firefox-esr-*.nix @mweinelt
-/pkgs/applications/networking/browsers/librewolf @squalus @DominicWrege @fpletz @LordGrimmauld
+/pkgs/applications/networking/browsers/firefox @mweinelt
 /pkgs/applications/networking/browsers/chromium @emilylange @networkException
 /nixos/tests/chromium.nix @emilylange @networkException

@@ -258,7 +240,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara

 # Licenses
-/lib/licenses.nix @alyssais @emilazy
+/lib/licenses.nix @alyssais

 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -301,10 +283,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/servers/home-assistant @mweinelt
 /pkgs/by-name/es/esphome @mweinelt

-# Linux kernel
-/pkgs/top-level/linux-kernels.nix @NixOS/linux-kernel
-/pkgs/os-specific/linux/kernel/ @NixOS/linux-kernel
-
 # Network Time Daemons
 /pkgs/by-name/ch/chrony @thoughtpolice
 /pkgs/by-name/nt/ntp @thoughtpolice
@@ -489,14 +467,11 @@ pkgs/development/interpreters/erlang/   @NixOS/beam
 pkgs/development/interpreters/elixir/   @NixOS/beam
 pkgs/development/interpreters/lfe/      @NixOS/beam

-# Authelia
-pkgs/servers/authelia/ @06kellyjac @dit7ya @nicomem
-
 # OctoDNS
 pkgs/by-name/oc/octodns/ @anthonyroussel

 # Teleport
-pkgs/by-name/te/teleport*   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
+pkgs/servers/teleport   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger

 # Warp-terminal
 pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @donteatoreo @johnrtitor
--- a/ci/README.md
+++ b/ci/README.md
@@ -6,47 +6,80 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
 ## Pinned Nixpkgs

 CI may need certain packages from Nixpkgs.
-In order to ensure that the needed packages are generally available without building, [`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
+In order to ensure that the needed packages are generally available without building,
+[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.

-Run [`update-pinned.sh`](./update-pinned.sh) to update it.
+Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.

 ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`

-Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does.
-This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
+Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
 In turn, when contributors are running this tool locally, we don't want to have to push commits to test them, and we can also rely on the local Git history to do the mergeability check.

 Arguments:

 - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
- `REPOSITORY`: The repository from which to fetch the base branch.
-  Defaults to <https://github.com/NixOS/nixpkgs.git>.
+- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.

-# Branch classification
+## `ci/nixpkgs-vet`

-For the purposes of CI, branches in the NixOS/nixpkgs repository are classified as follows:
+This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
+See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).

- **Channel** branches
-  - `nixos-` or `nixpkgs-` prefix
-  - Are only updated from `master` or `release-` branches, when hydra passes.
-  - Otherwise not worked on, Pull Requests are not allowed.
-  - Long-lived, no deletion, no force push.
- **Primary development** branches
-  - `release-` prefix and `master`
-  - Pull Requests required.
-  - Long-lived, no deletion, no force push.
- **Secondary development** branches
-  - `staging-` prefix, `haskell-updates` and `python-updates`
-  - Pull Requests normally required, except when merging development branches into each other.
-  - Long-lived, no deletion, no force push.
- **Work-In-Progress** branches
-  - `backport-`, `revert-` and `wip-` prefixes.
-  - Deprecated: All other branches, not matched by channel/development.
-  - Pull Requests are optional.
-  - Short-lived, force push allowed, deleted after merge.
+## `ci/nixpkgs-vet/update-pinned-tool.sh`

-Some branches also have a version component, which is either `unstable` or `YY.MM`.
+Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).

-`ci/supportedBranches.js` is a script imported by CI to classify the base and head branches of a Pull Request.
-This classification will then be used to skip certain jobs.
-This script can also be run locally to print basic test cases.
+Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
+
+This script currently needs to be called manually when the CI tooling needs to be updated.
+
+Why not just build the tooling right from the PRs Nixpkgs version?
+
+- Because it allows CI to check all PRs, even if they would break the CI tooling.
+- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
+- Because it improves security, since we don't have to build potentially untrusted code from PRs.
+  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
+
+## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
+
+Check whether a PR is mergeable and return the test merge commit as
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests) and its parent.
+
+Arguments:
+- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
+- `PR_NUMBER`: The PR number, e.g. `1234`
+
+Exit codes:
+- 0: The PR can be merged, the hashes of the test merge commit and the target commit are returned on stdout
+- 1: The PR cannot be merged because it's not open anymore
+- 2: The PR cannot be merged because it has a merge conflict
+- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
+
+### Usage
+
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
+
+```yaml
+on: pull_request_target
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    # use the relative path of the get-merge-commit workflow yaml here
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@<VERSION>
+        # Add this to _all_ subsequent steps to skip them
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - ...
+```
--- a/ci/codeowners-validator/default.nix
+++ b/ci/codeowners-validator/default.nix
@@ -20,7 +20,7 @@ buildGoModule {
    })
    # Undoes part of the above PR: We don't want to require write access
    # to the repository, that's only needed for GitHub's native CODEOWNERS.
-    # Furthermore, it removes an unnecessary check from the code
+    # Furthermore, it removes an unneccessary check from the code
    # that breaks tokens generated for GitHub Apps.
    ./permissions.patch
    # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -1,5 +1,5 @@
 let
-  pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
+  pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
 in
 {
  system ? builtins.currentSystem,
@@ -10,25 +10,24 @@ let
  nixpkgs' =
    if nixpkgs == null then
      fetchTarball {
-        inherit (pinned.nixpkgs) url;
-        sha256 = pinned.nixpkgs.hash;
+        url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
+        sha256 = pinnedNixpkgs.sha256;
      }
    else
      nixpkgs;

  pkgs = import nixpkgs' {
    inherit system;
-    config = {
-      permittedInsecurePackages = [ "nix-2.3.18" ];
-    };
+    config = { };
    overlays = [ ];
  };

  fmt =
    let
      treefmtNixSrc = fetchTarball {
-        inherit (pinned.treefmt-nix) url;
-        sha256 = pinned.treefmt-nix.hash;
+        # Master at 2025-02-12
+        url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
+        sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
      };
      treefmtEval = (import treefmtNixSrc).evalModule pkgs {
        # Important: The auto-rebase script uses `git filter-branch --tree-filter`,
@@ -49,26 +48,11 @@ let

        programs.keep-sorted.enable = true;

-        # This uses nixfmt underneath,
+        # This uses nixfmt-rfc-style underneath,
        # the default formatter for Nix code.
        # See https://github.com/NixOS/nixfmt
        programs.nixfmt.enable = true;

-        programs.yamlfmt = {
-          enable = true;
-          settings.formatter = {
-            retain_line_breaks = true;
-          };
-        };
-        settings.formatter.yamlfmt.excludes = [
-          # Breaks helm templating
-          "nixos/tests/k3s/k3s-test-chart/templates/*"
-          # Aligns comments with whitespace
-          "pkgs/development/haskell-modules/configuration-hackage2nix/main.yaml"
-          # TODO: Fix formatting for auto-generated file
-          "pkgs/development/haskell-modules/configuration-hackage2nix/transitive-broken.yaml"
-        ];
-
        settings.formatter.editorconfig-checker = {
          command = "${pkgs.lib.getExe pkgs.editorconfig-checker}";
          options = [ "-disable-indent-size" ];
@@ -89,43 +73,21 @@ let
    };

 in
-rec {
+{
  inherit pkgs fmt;
  requestReviews = pkgs.callPackage ./request-reviews { };
  codeownersValidator = pkgs.callPackage ./codeowners-validator { };
-
-  # FIXME(lf-): it might be useful to test other Nix implementations
-  # (nixVersions.stable and Lix) here somehow at some point to ensure we don't
-  # have eval divergence.
-  eval = pkgs.callPackage ./eval {
-    nix = pkgs.nixVersions.latest;
-  };
+  eval = pkgs.callPackage ./eval { };

  # CI jobs
  lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
  manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
-  manual-nixpkgs = (import ../doc { });
-  manual-nixpkgs-tests = (import ../doc { }).tests;
-  nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
+  manual-nixpkgs = (import ../pkgs/top-level/release.nix { }).manual;
+  manual-nixpkgs-tests = (import ../pkgs/top-level/release.nix { }).manual.tests;
  parse = pkgs.lib.recurseIntoAttrs {
    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
-    # TODO: Raise nixVersions.minimum to 2.24 and flip back to it.
-    minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_24; };
+    minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.minimum; };
  };
  shell = import ../shell.nix { inherit nixpkgs system; };
-  tarball = import ../pkgs/top-level/make-tarball.nix {
-    # Mirrored from top-level release.nix:
-    nixpkgs = {
-      outPath = pkgs.lib.cleanSource ../.;
-      revCount = 1234;
-      shortRev = "abcdef";
-      revision = "0000000000000000000000000000000000000000";
-    };
-    officialRelease = false;
-    inherit pkgs lib-tests;
-    # 2.28 / 2.29 take 9x longer than 2.30 or Lix.
-    # TODO: Switch back to nixVersions.latest
-    nix = pkgs.lix;
-  };
 }
--- a/ci/eval/README.md
+++ b/ci/eval/README.md
@@ -11,15 +11,10 @@ nix-build ci -A eval.full \
  --arg evalSystems '["x86_64-linux" "aarch64-darwin"]'
 ```

- `--max-jobs`: The maximum number of derivations to run at the same time.
-  Only each [supported system](../supportedSystems.json) gets a separate derivation, so it doesn't make sense to set this higher than that number.
- `--cores`: The number of cores to use for each job.
-  Recommended to set this to the amount of cores on your system divided by `--max-jobs`.
- `chunkSize`: The number of attributes that are evaluated simultaneously on a single core.
-  Lowering this decreases memory usage at the cost of increased evaluation time.
-  If this is too high, there won't be enough chunks to process them in parallel, and will also increase evaluation time.
- `evalSystems`: The set of systems for which `nixpkgs` should be evaluated.
-  Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).
+- `--max-jobs`: The maximum number of derivations to run at the same time. Only each [supported system](../supportedSystems.json) gets a separate derivation, so it doesn't make sense to set this higher than that number.
+- `--cores`: The number of cores to use for each job. Recommended to set this to the amount of cores on your system divided by `--max-jobs`.
+- `chunkSize`: The number of attributes that are evaluated simultaneously on a single core. Lowering this decreases memory usage at the cost of increased evaluation time. If this is too high, there won't be enough chunks to process them in parallel, and will also increase evaluation time.
+- `evalSystems`: The set of systems for which `nixpkgs` should be evaluated. Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).

 A good default is to set `chunkSize` to 10000, which leads to about 3.6GB max memory usage per core, so suitable for fully utilising machines with 4 cores and 16GB memory, 8 cores and 32GB memory or 16 cores and 64GB memory.

--- a/ci/eval/compare/default.nix
+++ b/ci/eval/compare/default.nix
@@ -1,15 +1,15 @@
 {
-  callPackage,
  lib,
  jq,
  runCommand,
  writeText,
  python3,
+  ...
 }:
 {
-  combinedDir,
+  beforeResultDir,
+  afterResultDir,
  touchedFilesJson,
-  githubAuthorId,
  byName ? false,
 }:
 let
@@ -19,7 +19,7 @@ let

    ---
    Inputs:
-    - beforeDir, afterDir: The evaluation result from before and after the change.
+    - beforeResultDir, afterResultDir: The evaluation result from before and after the change.
      They can be obtained by running `nix-build -A ci.eval.full` on both revisions.

    ---
@@ -31,10 +31,10 @@ let
            changed: ["package2", "package3"],
            removed: ["package4"],
          },
-          labels: {
-            "10.rebuild-darwin: 1-10": true,
-            "10.rebuild-linux: 1-10": true
-          },
+          labels: [
+            "10.rebuild-darwin: 1-10",
+            "10.rebuild-linux: 1-10"
+          ],
          rebuildsByKernel: {
            darwin: ["package1", "package2"],
            linux: ["package1", "package2", "package3"]
@@ -65,6 +65,7 @@ let
      Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
  */
  inherit (import ./utils.nix { inherit lib; })
+    diff
    groupByKernel
    convertToPackagePlatformAttrs
    groupByPlatform
@@ -72,10 +73,22 @@ let
    getLabels
    ;

+  getAttrs =
+    dir:
+    let
+      raw = builtins.readFile "${dir}/outpaths.json";
+      # The file contains Nix paths; we need to ignore them for evaluation purposes,
+      # else there will be a "is not allowed to refer to a store path" error.
+      data = builtins.unsafeDiscardStringContext raw;
+    in
+    builtins.fromJSON data;
+  beforeAttrs = getAttrs beforeResultDir;
+  afterAttrs = getAttrs afterResultDir;
+
  # Attrs
  # - keys: "added", "changed" and "removed"
  # - values: lists of `packagePlatformPath`s
-  diffAttrs = builtins.fromJSON (builtins.readFile "${combinedDir}/combined-diff.json");
+  diffAttrs = diff beforeAttrs afterAttrs;

  rebuilds = diffAttrs.added ++ diffAttrs.changed;
  rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
@@ -97,25 +110,15 @@ let
          rebuildCountByKernel
          ;
        labels =
-          getLabels rebuildCountByKernel
-          # Sets "10.rebuild-*-stdenv" label to whether the "stdenv" attribute was changed.
-          // lib.mapAttrs' (
-            kernel: rebuilds: lib.nameValuePair "10.rebuild-${kernel}-stdenv" (lib.elem "stdenv" rebuilds)
-          ) rebuildsByKernel
-          # Set the "11.by: package-maintainer" label to whether all packages directly
-          # changed are maintained by the PR's author.
-          # (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
-          // {
-            "11.by: package-maintainer" =
-              maintainers ? ${githubAuthorId}
-              && lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
-                lib.flatten (lib.attrValues maintainers)
-              );
-          };
+          (getLabels rebuildCountByKernel)
+          # Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
+          ++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
+            lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
+          );
      }
    );

-  maintainers = callPackage ./maintainers.nix { } {
+  maintainers = import ./maintainers.nix {
    changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
    changedpathsjson = touchedFilesJson;
    inherit byName;
@@ -137,8 +140,8 @@ runCommand "compare"
    maintainers = builtins.toJSON maintainers;
    passAsFile = [ "maintainers" ];
    env = {
-      BEFORE_DIR = "${combinedDir}/before";
-      AFTER_DIR = "${combinedDir}/after";
+      BEFORE_DIR = "${beforeResultDir}";
+      AFTER_DIR = "${afterResultDir}";
    };
  }
  ''
@@ -175,12 +178,7 @@ runCommand "compare"
      } >> $out/step-summary.md
    fi

-    {
-      echo
-      echo "# Packages"
-      echo
-      jq -r -f ${./generate-step-summary.jq} < ${changed-paths}
-    } >> $out/step-summary.md
+    jq -r -f ${./generate-step-summary.jq} < ${changed-paths} >> $out/step-summary.md

    cp "$maintainersPath" "$out/maintainers.json"
  ''
--- a/ci/eval/compare/maintainers.nix
+++ b/ci/eval/compare/maintainers.nix
@@ -1,6 +1,3 @@
-{
-  lib,
-}:
 # Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
 {
  changedattrs,
@@ -13,6 +10,7 @@ let
    config = { };
    overlays = [ ];
  };
+  inherit (pkgs) lib;

  changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);

--- a/ci/eval/compare/utils.nix
+++ b/ci/eval/compare/utils.nix
@@ -93,6 +93,32 @@ rec {
    in
    uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);

+  /*
+    Computes the key difference between two attrs
+
+    {
+      added: [ <keys only in the second object> ],
+      removed: [ <keys only in the first object> ],
+      changed: [ <keys with different values between the two objects> ],
+    }
+  */
+  diff =
+    let
+      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
+    in
+    old: new: {
+      added = filterKeys (n: _: !(old ? ${n})) new;
+      removed = filterKeys (n: _: !(new ? ${n})) old;
+      changed = filterKeys (
+        n: v:
+        # Filter out attributes that don't exist anymore
+        (new ? ${n})
+
+        # Filter out attributes that are the same as the new value
+        && (v != (new.${n}))
+      ) old;
+    };
+
  /*
    Group a list of `packagePlatformAttr`s by platforms

@@ -151,7 +177,7 @@ rec {
    lib.genAttrs [ "linux" "darwin" ] filterKernel;

  /*
-    Maps an attrs of `kernel - rebuild counts` mappings to an attrs of labels
+    Maps an attrs of `kernel - rebuild counts` mappings to a list of labels

    Turns
      {
@@ -159,37 +185,54 @@ rec {
        darwin = 1;
      }
    into
-      {
-        "10.rebuild-darwin: 1" = true;
-        "10.rebuild-darwin: 1-10" = true;
-        "10.rebuild-darwin: 11-100" = false;
-        # [...]
-        "10.rebuild-darwin: 1" = false;
-        "10.rebuild-darwin: 1-10" = false;
-        "10.rebuild-linux: 11-100" = true;
-        # [...]
-      }
+      [
+        "10.rebuild-darwin: 1"
+        "10.rebuild-darwin: 1-10"
+        "10.rebuild-linux: 11-100"
+      ]
  */
  getLabels =
    rebuildCountByKernel:
-    lib.mergeAttrsList (
+    lib.concatLists (
      lib.mapAttrsToList (
        kernel: rebuildCount:
        let
-          range = from: to: from <= rebuildCount && (to == null || rebuildCount <= to);
+          numbers =
+            if rebuildCount == 0 then
+              [ "0" ]
+            else if rebuildCount == 1 then
+              [
+                "1"
+                "1-10"
+              ]
+            else if rebuildCount <= 10 then
+              [ "1-10" ]
+            else if rebuildCount <= 100 then
+              [ "11-100" ]
+            else if rebuildCount <= 500 then
+              [ "101-500" ]
+            else if rebuildCount <= 1000 then
+              [
+                "501-1000"
+                "501+"
+              ]
+            else if rebuildCount <= 2500 then
+              [
+                "1001-2500"
+                "501+"
+              ]
+            else if rebuildCount <= 5000 then
+              [
+                "2501-5000"
+                "501+"
+              ]
+            else
+              [
+                "5001+"
+                "501+"
+              ];
        in
-        lib.mapAttrs' (number: lib.nameValuePair "10.rebuild-${kernel}: ${number}") {
-          "0" = range 0 0;
-          "1" = range 1 1;
-          "1-10" = range 1 10;
-          "11-100" = range 11 100;
-          "101-500" = range 101 500;
-          "501-1000" = range 501 1000;
-          "501+" = range 501 null;
-          "1001-2500" = range 1001 2500;
-          "2501-5000" = range 2501 5000;
-          "5001+" = range 5001 null;
-        }
+        lib.forEach numbers (number: "10.rebuild-${kernel}: ${number}")
      ) rebuildCountByKernel
    );
 }
--- a/ci/eval/default.nix
+++ b/ci/eval/default.nix
@@ -1,23 +1,15 @@
-# Evaluates all the accessible paths in nixpkgs.
-# *This only builds on Linux* since it requires the Linux sandbox isolation to
-# be able to write in various places while evaluating inside the sandbox.
-#
-# This file is used by nixpkgs CI (see .github/workflows/eval.yml) as well as
-# being used directly as an entry point in Lix's CI (in `flake.nix` in the Lix
-# repo).
-#
-# If you know you are doing a breaking API change, please ping the nixpkgs CI
-# maintainers and the Lix maintainers (`nix eval -f . lib.teams.lix`).
 {
-  callPackage,
  lib,
  runCommand,
  writeShellScript,
-  symlinkJoin,
+  writeText,
+  linkFarm,
  time,
  procps,
-  nix,
+  nixVersions,
  jq,
+  sta,
+  python3,
 }:

 let
@@ -39,12 +31,11 @@ let
      );
    };

+  nix = nixVersions.nix_2_24;
+
  supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);

  attrpathsSuperset =
-    {
-      evalSystem,
-    }:
    runCommand "attrpaths-superset.json"
      {
        src = nixpkgs;
@@ -64,7 +55,7 @@ let
            -I "$src" \
            --option restrict-eval true \
            --option allow-import-from-derivation false \
-            --option eval-system "${evalSystem}" > $out/paths.json
+            --arg enableWarnings false > $out/paths.json
      '';

  singleSystem =
@@ -74,13 +65,11 @@ let
      # because `--argstr system` would only be passed to the ci/default.nix file!
      evalSystem,
      # The path to the `paths.json` file from `attrpathsSuperset`
-      attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
+      attrpathFile ? "${attrpathsSuperset}/paths.json",
      # The number of attributes per chunk, see ./README.md for more info.
      chunkSize,
      checkMeta ? true,
-
-      # Don't try to eval packages marked as broken.
-      includeBroken ? false,
+      includeBroken ? true,
      # Whether to just evaluate a single chunk for quick testing
      quickTest ? false,
    }:
@@ -98,12 +87,12 @@ let
        set +e
        command time -o "$outputDir/timestats/$myChunk" \
          -f "Chunk $myChunk on $system done [%MKB max resident, %Es elapsed] %C" \
-          nix-env -f "${nixpkgs}/pkgs/top-level/release-outpaths-parallel.nix" \
+          nix-env -f "${nixpkgs}/pkgs/top-level/release-attrpaths-parallel.nix" \
          --eval-system "$system" \
          --option restrict-eval true \
          --option allow-import-from-derivation false \
          --query --available \
-          --out-path --json \
+          --no-name --attr-path --out-path \
          --show-trace \
          --arg chunkSize "$chunkSize" \
          --arg myChunk "$myChunk" \
@@ -155,7 +144,7 @@ let
        chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
        echo "Chunk count: $chunkCount"

-        mkdir -p $out/${evalSystem}
+        mkdir $out

        # Record and print stats on free memory and swap in the background
        (
@@ -164,11 +153,11 @@ let
            freeSwap=$(free -b | grep Swap | awk '{print $4}')
            echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"

-            if [[ ! -f "$out/${evalSystem}/min-avail-memory" ]] || (( availMemory < $(<$out/${evalSystem}/min-avail-memory) )); then
-              echo "$availMemory" > $out/${evalSystem}/min-avail-memory
+            if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
+              echo "$availMemory" > $out/min-avail-memory
            fi
-            if [[ ! -f $out/${evalSystem}/min-free-swap ]] || (( availMemory < $(<$out/${evalSystem}/min-free-swap) )); then
-              echo "$freeSwap" > $out/${evalSystem}/min-free-swap
+            if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
+              echo "$freeSwap" > $out/min-free-swap
            fi
            sleep 4
          done
@@ -184,56 +173,104 @@ let
        mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}

        seq -w 0 "$seq_end" |
-          command time -f "%e" -o "$out/${evalSystem}/total-time" \
+          command time -f "%e" -o "$out/total-time" \
          xargs -I{} -P"$cores" \
          ${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"

-        cp -r "$chunkOutputDir"/stats $out/${evalSystem}/stats-by-chunk
+        cp -r "$chunkOutputDir"/stats $out/stats-by-chunk

        if (( chunkSize * chunkCount != attrCount )); then
          # A final incomplete chunk would mess up the stats, don't include it
          rm "$chunkOutputDir"/stats/"$seq_end"
        fi

-        cat "$chunkOutputDir"/result/* | jq -s 'add | map_values(.outputs)' > $out/${evalSystem}/paths.json
+        # Make sure the glob doesn't break when there's no files
+        shopt -s nullglob
+        cat "$chunkOutputDir"/result/* > $out/paths
+        cat "$chunkOutputDir"/stats/* > $out/stats.jsonstream
      '';

-  diff = callPackage ./diff.nix { };
-
  combine =
    {
-      diffDir,
+      resultsDir,
    }:
-    runCommand "combined-eval"
+    runCommand "combined-result"
      {
        nativeBuildInputs = [
          jq
+          sta
        ];
      }
      ''
        mkdir -p $out

-        # Combine output paths from all systems
-        cat ${diffDir}/*/diff.json | jq -s '
-          reduce .[] as $item ({}; {
-            added: (.added + $item.added),
-            changed: (.changed + $item.changed),
-            removed: (.removed + $item.removed)
-          })
-        ' > $out/combined-diff.json
+        # Transform output paths to JSON
+        cat ${resultsDir}/*/paths |
+          jq --sort-keys --raw-input --slurp '
+            split("\n") |
+            map(select(. != "") | split(" ") | map(select(. != ""))) |
+            map(
+              {
+                key: .[0],
+                value: .[1] | split(";") | map(split("=") |
+                  if length == 1 then
+                    { key: "out", value: .[0] }
+                  else
+                    { key: .[0], value: .[1] }
+                  end) | from_entries}
+            ) | from_entries
+          ' > $out/outpaths.json

-        mkdir -p $out/before/stats
-        for d in ${diffDir}/before/*; do
-          cp -r "$d"/stats-by-chunk $out/before/stats/$(basename "$d")
-        done
+        # Computes min, mean, error, etc. for a list of values and outputs a JSON from that
+        statistics() {
+          local stat=$1
+          sta --transpose |
+            jq --raw-input --argjson stat "$stat" -n '
+              [
+                inputs |
+                  split("\t") |
+                  { key: .[0], value: (.[1] | fromjson) }
+              ] |
+                from_entries |
+                {
+                  key: ($stat | join(".")),
+                  value: .
+                }'
+        }

-        mkdir -p $out/after/stats
-        for d in ${diffDir}/after/*; do
-          cp -r "$d"/stats-by-chunk $out/after/stats/$(basename "$d")
+        # Gets all available number stats (without .sizes because those are constant and not interesting)
+        readarray -t stats < <(jq -cs '.[0] | del(.sizes) | paths(type == "number")' ${resultsDir}/*/stats.jsonstream)
+
+        # Combines the statistics from all evaluations
+        {
+          echo "{ \"key\": \"minAvailMemory\", \"value\": $(cat ${resultsDir}/*/min-avail-memory | sta --brief --min) }"
+          echo "{ \"key\": \"minFreeSwap\", \"value\": $(cat ${resultsDir}/*/min-free-swap | sta --brief --min) }"
+          cat ${resultsDir}/*/total-time | statistics '["totalTime"]'
+          for stat in "''${stats[@]}"; do
+            cat ${resultsDir}/*/stats.jsonstream |
+              jq --argjson stat "$stat" 'getpath($stat)' |
+              statistics "$stat"
+          done
+        } |
+          jq -s from_entries > $out/stats.json
+
+        mkdir -p $out/stats
+
+        for d in ${resultsDir}/*; do
+          cp -r "$d"/stats-by-chunk $out/stats/$(basename "$d")
        done
      '';

-  compare = callPackage ./compare { };
+  compare = import ./compare {
+    inherit
+      lib
+      jq
+      runCommand
+      writeText
+      supportedSystems
+      python3
+      ;
+  };

  full =
    {
@@ -244,26 +281,17 @@ let
      quickTest ? false,
    }:
    let
-      diffs = symlinkJoin {
-        name = "diffs";
-        paths = map (
-          evalSystem:
-          let
-            eval = singleSystem {
-              inherit quickTest evalSystem chunkSize;
-            };
-          in
-          diff {
-            inherit evalSystem;
-            # Local "full" evaluation doesn't do a real diff.
-            beforeDir = eval;
-            afterDir = eval;
-          }
-        ) evalSystems;
-      };
+      results = linkFarm "results" (
+        map (evalSystem: {
+          name = evalSystem;
+          path = singleSystem {
+            inherit quickTest evalSystem chunkSize;
+          };
+        }) evalSystems
+      );
    in
    combine {
-      diffDir = diffs;
+      resultsDir = results;
    };

 in
@@ -271,7 +299,6 @@ in
  inherit
    attrpathsSuperset
    singleSystem
-    diff
    combine
    compare
    # The above three are used by separate VMs in a GitHub workflow,
--- a/ci/eval/diff.nix
+++ b/ci/eval/diff.nix
@@ -1,61 +0,0 @@
-{
-  lib,
-  runCommand,
-  writeText,
-}:
-
-{
-  beforeDir,
-  afterDir,
-  evalSystem,
-}:
-
-let
-  /*
-    Computes the key difference between two attrs
-
-    {
-      added: [ <keys only in the second object> ],
-      removed: [ <keys only in the first object> ],
-      changed: [ <keys with different values between the two objects> ],
-    }
-  */
-  diff =
-    let
-      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
-    in
-    old: new: {
-      added = filterKeys (n: _: !(old ? ${n})) new;
-      removed = filterKeys (n: _: !(new ? ${n})) old;
-      changed = filterKeys (
-        n: v:
-        # Filter out attributes that don't exist anymore
-        (new ? ${n})
-
-        # Filter out attributes that are the same as the new value
-        && (v != (new.${n}))
-      ) old;
-    };
-
-  getAttrs =
-    dir:
-    let
-      raw = builtins.readFile "${dir}/${evalSystem}/paths.json";
-      # The file contains Nix paths; we need to ignore them for evaluation purposes,
-      # else there will be a "is not allowed to refer to a store path" error.
-      data = builtins.unsafeDiscardStringContext raw;
-    in
-    builtins.fromJSON data;
-
-  beforeAttrs = getAttrs beforeDir;
-  afterAttrs = getAttrs afterDir;
-  diffAttrs = diff beforeAttrs afterAttrs;
-  diffJson = writeText "diff.json" (builtins.toJSON diffAttrs);
-in
-runCommand "diff" { } ''
-  mkdir -p $out/${evalSystem}
-
-  cp -r ${beforeDir} $out/before
-  cp -r ${afterDir} $out/after
-  cp ${diffJson} $out/${evalSystem}/diff.json
-''
--- a/ci/get-merge-commit.sh
+++ b/ci/get-merge-commit.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# See ./README.md for docs
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( $# < 2 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER"
+    exit 99
+fi
+repo=$1
+prNumber=$2
+
+# Retry the API query this many times
+retryCount=5
+# Start with 5 seconds, but double every retry
+retryInterval=5
+
+while true; do
+    log "Checking whether the pull request can be merged"
+    prInfo=$(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$repo/pulls/$prNumber")
+
+    # Non-open PRs won't have their mergeability computed no matter what
+    state=$(jq -r .state <<< "$prInfo")
+    if [[ "$state" != open ]]; then
+        log "PR is not open anymore"
+        exit 1
+    fi
+
+    mergeable=$(jq -r .mergeable <<< "$prInfo")
+    if [[ "$mergeable" == "null" ]]; then
+        if (( retryCount == 0 )); then
+            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+            exit 3
+        else
+            (( retryCount -= 1 )) || true
+
+            # null indicates that GitHub is still computing whether it's mergeable
+            # Wait a couple seconds before trying again
+            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+            sleep "$retryInterval"
+
+            (( retryInterval *= 2 )) || true
+        fi
+    else
+        break
+    fi
+done
+
+if [[ "$mergeable" == "true" ]]; then
+    log "The PR can be merged"
+    mergedSha="$(jq -r .merge_commit_sha <<< "$prInfo")"
+    echo "mergedSha=$mergedSha"
+    targetSha="$(gh api "/repos/$repo/commits/$mergedSha" --jq '.parents[0].sha')"
+    echo "targetSha=$targetSha"
+else
+    log "The PR has a merge conflict"
+    exit 2
+fi
--- a/ci/github-script/.editorconfig
+++ b/ci/github-script/.editorconfig
@@ -1,3 +0,0 @@
-[run]
-indent_style = space
-indent_size = 2
--- a/ci/github-script/.gitignore
+++ b/ci/github-script/.gitignore
@@ -1,2 +0,0 @@
-node_modules
-step-summary.md
--- a/ci/github-script/.npmrc
+++ b/ci/github-script/.npmrc
@@ -1,2 +0,0 @@
-package-lock-only = true
-save-exact = true
--- a/ci/github-script/README.md
+++ b/ci/github-script/README.md
@@ -1,17 +0,0 @@
-# GitHub specific CI scripts
-
-This folder contains [`actions/github-script`](https://github.com/actions/github-script)-based JavaScript code.
-It provides a `nix-shell` environment to run and test these actions locally.
-
-To run any of the scripts locally:
-
- Enter `nix-shell` in `./ci/github-script`.
- Ensure `gh` is authenticated.
-
-## Check commits
-
-Run `./run commits OWNER REPO PR`, where OWNER is your username or "NixOS", REPO is the name of your fork or "nixpkgs" and PR is the number of the pull request to check.
-
-## Labeler
-
-Run `./run labels OWNER REPO`, where OWNER is your username or "NixOS" and REPO the name of your fork or "nixpkgs".
--- a/ci/github-script/check-cherry-picks.md
+++ b/ci/github-script/check-cherry-picks.md
@@ -1,10 +0,0 @@
-This report is automatically generated by the `PR / Check / cherry-pick` CI workflow.
-
-Some of the commits in this PR require the author's and reviewer's attention.
-
-Please follow the [backporting guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#how-to-backport-pull-requests) and cherry-pick with the `-x` flag.
-This requires changes to the unstable `master` and `staging` branches first, before backporting them.
-
-Occasionally, it is not possible to cherry-pick exactly the same patch.
-This most frequently happens when resolving merge conflicts or when updating minor versions of packages which have already advanced to the next major on unstable.
-If you need to merge this PR despite the warnings, please [dismiss](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review) this review shortly before merging.
--- a/ci/github-script/commits.js
+++ b/ci/github-script/commits.js
@@ -1,281 +0,0 @@
-module.exports = async function ({ github, context, core, dry }) {
-  const { execFileSync } = require('node:child_process')
-  const { readFile } = require('node:fs/promises')
-  const { join } = require('node:path')
-  const { classify } = require('../supportedBranches.js')
-  const withRateLimit = require('./withRateLimit.js')
-
-  await withRateLimit({ github, core }, async (stats) => {
-    stats.prs = 1
-
-    const pull_number = context.payload.pull_request.number
-
-    const job_url =
-      context.runId &&
-      (
-        await github.paginate(github.rest.actions.listJobsForWorkflowRun, {
-          ...context.repo,
-          run_id: context.runId,
-          per_page: 100,
-        })
-      ).find(({ name }) => name == 'Check / cherry-pick').html_url +
-        '?pr=' +
-        pull_number
-
-    async function handle({ sha, commit }) {
-      // Using the last line with "cherry" + hash, because a chained backport
-      // can result in multiple of those lines. Only the last one counts.
-      const match = Array.from(
-        commit.message.matchAll(/cherry.*([0-9a-f]{40})/g),
-      ).at(-1)
-
-      if (!match)
-        return {
-          sha,
-          commit,
-          severity: 'warning',
-          message: `Couldn't locate original commit hash in message of ${sha}.`,
-        }
-
-      const original_sha = match[1]
-
-      let branches
-      try {
-        branches = (
-          await github.request({
-            // This is an undocumented endpoint to fetch the branches a commit is part of.
-            // There is no equivalent in neither the REST nor the GraphQL API.
-            // The endpoint itself is unlikely to go away, because GitHub uses it to display
-            // the list of branches on the detail page of a commit.
-            url: `https://github.com/${context.repo.owner}/${context.repo.repo}/branch_commits/${original_sha}`,
-            headers: {
-              accept: 'application/json',
-            },
-          })
-        ).data.branches
-          .map(({ branch }) => branch)
-          .filter((branch) => classify(branch).type.includes('development'))
-      } catch (e) {
-        // For some unknown reason a 404 error comes back as 500 without any more details in a GitHub Actions runner.
-        // Ignore these to return a regular error message below.
-        if (![404, 500].includes(e.status)) throw e
-      }
-      if (!branches?.length)
-        return {
-          sha,
-          commit,
-          severity: 'error',
-          message: `${original_sha} given in ${sha} not found in any pickable branch.`,
-        }
-
-      const diff = execFileSync('git', [
-        '-C',
-        __dirname,
-        'range-diff',
-        '--no-color',
-        '--ignore-all-space',
-        '--no-notes',
-        // 100 means "any change will be reported"; 0 means "no change will be reported"
-        '--creation-factor=100',
-        `${original_sha}~..${original_sha}`,
-        `${sha}~..${sha}`,
-      ])
-        .toString()
-        .split('\n')
-        // First line contains commit SHAs, which we'll print separately.
-        .slice(1)
-        // # The output of `git range-diff` is indented with 4 spaces, but we'll control indentation manually.
-        .map((line) => line.replace(/^ {4}/, ''))
-
-      if (!diff.some((line) => line.match(/^[+-]{2}/)))
-        return {
-          sha,
-          commit,
-          severity: 'info',
-          message: `✔ ${original_sha} is highly similar to ${sha}.`,
-        }
-
-      const colored_diff = execFileSync('git', [
-        '-C',
-        __dirname,
-        'range-diff',
-        '--color',
-        '--no-notes',
-        '--creation-factor=100',
-        `${original_sha}~..${original_sha}`,
-        `${sha}~..${sha}`,
-      ]).toString()
-
-      return {
-        sha,
-        commit,
-        diff,
-        colored_diff,
-        severity: 'warning',
-        message: `Difference between ${sha} and original ${original_sha} may warrant inspection.`,
-      }
-    }
-
-    const commits = await github.paginate(github.rest.pulls.listCommits, {
-      ...context.repo,
-      pull_number,
-    })
-
-    const results = await Promise.all(commits.map(handle))
-
-    // Log all results without truncation, with better highlighting and all whitespace changes to the job log.
-    results.forEach(({ sha, commit, severity, message, colored_diff }) => {
-      core.startGroup(`Commit ${sha}`)
-      core.info(`Author: ${commit.author.name} ${commit.author.email}`)
-      core.info(`Date: ${new Date(commit.author.date)}`)
-      core[severity](message)
-      core.endGroup()
-      if (colored_diff) core.info(colored_diff)
-    })
-
-    // Only create step summary below in case of warnings or errors.
-    // Also clean up older reviews, when all checks are good now.
-    if (results.every(({ severity }) => severity == 'info')) {
-      if (!dry) {
-        await Promise.all(
-          (
-            await github.paginate(github.rest.pulls.listReviews, {
-              ...context.repo,
-              pull_number,
-            })
-          )
-            .filter((review) => review.user.login == 'github-actions[bot]')
-            .map(async (review) => {
-              if (review.state == 'CHANGES_REQUESTED') {
-                await github.rest.pulls.dismissReview({
-                  ...context.repo,
-                  pull_number,
-                  review_id: review.id,
-                  message: 'All cherry-picks are good now, thank you!',
-                })
-              }
-              await github.graphql(
-                `mutation($node_id:ID!) {
-                  minimizeComment(input: {
-                    classifier: RESOLVED,
-                    subjectId: $node_id
-                  })
-                  { clientMutationId }
-                }`,
-                { node_id: review.node_id },
-              )
-            }),
-        )
-      }
-      return
-    }
-
-    // In the case of "error" severity, we also fail the job.
-    // Those should be considered blocking and not be dismissable via review.
-    if (results.some(({ severity }) => severity == 'error'))
-      process.exitCode = 1
-
-    core.summary.addRaw(
-      await readFile(join(__dirname, 'check-cherry-picks.md'), 'utf-8'),
-      true,
-    )
-    results.forEach(({ severity, message, diff }) => {
-      if (severity == 'info') return
-
-      // The docs for markdown alerts only show examples with markdown blockquote syntax, like this:
-      //   > [!WARNING]
-      //   > message
-      // However, our testing shows that this also works with a `<blockquote>` html tag, as long as there
-      // is an empty line:
-      //   <blockquote>
-      //
-      //   [!WARNING]
-      //   message
-      //   </blockquote>
-      // Whether this is intended or just an implementation detail is unclear.
-      core.summary.addRaw('<blockquote>')
-      core.summary.addRaw(
-        `\n\n[!${severity == 'warning' ? 'WARNING' : 'CAUTION'}]`,
-        true,
-      )
-      core.summary.addRaw(`${message}`, true)
-
-      if (diff) {
-        // Limit the output to 10k bytes and remove the last, potentially incomplete line, because GitHub
-        // comments are limited in length. The value of 10k is arbitrary with the assumption, that after
-        // the range-diff becomes a certain size, a reviewer is better off reviewing the regular diff in
-        // GitHub's UI anyway, thus treating the commit as "new" and not cherry-picked.
-        // Note: if multiple commits are close to the limit, this approach could still lead to a comment
-        // that's too long. We think this is unlikely to happen, and so don't deal with it explicitly.
-        const truncated = []
-        let total_length = 0
-        for (line of diff) {
-          total_length += line.length
-          if (total_length > 10000) {
-            truncated.push('', '[...truncated...]')
-            break
-          } else {
-            truncated.push(line)
-          }
-        }
-
-        core.summary.addRaw('<details><summary>Show diff</summary>')
-        core.summary.addRaw('\n\n``````````diff', true)
-        core.summary.addRaw(truncated.join('\n'), true)
-        core.summary.addRaw('``````````', true)
-        core.summary.addRaw('</details>')
-      }
-
-      core.summary.addRaw('</blockquote>')
-    })
-
-    if (job_url)
-      core.summary.addRaw(
-        `\n\n_Hint: The full diffs are also available in the [runner logs](${job_url}) with slightly better highlighting._`,
-      )
-
-    const body = core.summary.stringify()
-    core.summary.write()
-
-    const pendingReview = (
-      await github.paginate(github.rest.pulls.listReviews, {
-        ...context.repo,
-        pull_number,
-      })
-    ).find(
-      (review) =>
-        review.user.login == 'github-actions[bot]' &&
-        // If a review is still pending, we can just update this instead
-        // of posting a new one.
-        (review.state == 'CHANGES_REQUESTED' ||
-          // No need to post a new review, if an older one with the exact
-          // same content had already been dismissed.
-          review.body == body),
-    )
-
-    if (dry) {
-      if (pendingReview)
-        core.info('pending review found: ' + pendingReview.html_url)
-      else core.info('no pending review found')
-    } else {
-      // Either of those two requests could fail for very long comments. This can only happen
-      // with multiple commits all hitting the truncation limit for the diff. If you ever hit
-      // this case, consider just splitting up those commits into multiple PRs.
-      if (pendingReview) {
-        await github.rest.pulls.updateReview({
-          ...context.repo,
-          pull_number,
-          review_id: pendingReview.id,
-          body,
-        })
-      } else {
-        await github.rest.pulls.createReview({
-          ...context.repo,
-          pull_number,
-          event: 'REQUEST_CHANGES',
-          body,
-        })
-      }
-    }
-  })
-}
--- a/ci/github-script/labels.js
+++ b/ci/github-script/labels.js
@@ -1,414 +0,0 @@
-module.exports = async function ({ github, context, core, dry }) {
-  const path = require('node:path')
-  const { DefaultArtifactClient } = require('@actions/artifact')
-  const { readFile, writeFile } = require('node:fs/promises')
-  const withRateLimit = require('./withRateLimit.js')
-
-  const artifactClient = new DefaultArtifactClient()
-
-  async function handlePullRequest({ item, stats }) {
-    const log = (k, v) => core.info(`PR #${item.number} - ${k}: ${v}`)
-
-    const pull_number = item.number
-
-    // This API request is important for the merge-conflict label, because it triggers the
-    // creation of a new test merge commit. This is needed to actually determine the state of a PR.
-    const pull_request = (
-      await github.rest.pulls.get({
-        ...context.repo,
-        pull_number,
-      })
-    ).data
-
-    const reviews = await github.paginate(github.rest.pulls.listReviews, {
-      ...context.repo,
-      pull_number,
-    })
-
-    const approvals = new Set(
-      reviews
-        .filter((review) => review.state == 'APPROVED')
-        .map((review) => review.user?.id),
-    )
-
-    // After creation of a Pull Request, `merge_commit_sha` will be null initially:
-    // The very first merge commit will only be calculated after a little while.
-    // To avoid labeling the PR as conflicted before that, we wait a few minutes.
-    // This is intentionally less than the time that Eval takes, so that the label job
-    // running after Eval can indeed label the PR as conflicted if that is the case.
-    const merge_commit_sha_valid =
-      new Date() - new Date(pull_request.created_at) > 3 * 60 * 1000
-
-    const prLabels = {
-      // We intentionally don't use the mergeable or mergeable_state attributes.
-      // Those have an intermediate state while the test merge commit is created.
-      // This doesn't work well for us, because we might have just triggered another
-      // test merge commit creation by request the pull request via API at the start
-      // of this function.
-      // The attribute merge_commit_sha keeps the old value of null or the hash *until*
-      // the new test merge commit has either successfully been created or failed so.
-      // This essentially means we are updating the merge conflict label in two steps:
-      // On the first pass of the day, we just fetch the pull request, which triggers
-      // the creation. At this stage, the label is likely not updated, yet.
-      // The second pass will then read the result from the first pass and set the label.
-      '2.status: merge conflict':
-        merge_commit_sha_valid && !pull_request.merge_commit_sha,
-      '12.approvals: 1': approvals.size == 1,
-      '12.approvals: 2': approvals.size == 2,
-      '12.approvals: 3+': approvals.size >= 3,
-      '12.first-time contribution': [
-        'NONE',
-        'FIRST_TIMER',
-        'FIRST_TIME_CONTRIBUTOR',
-      ].includes(pull_request.author_association),
-    }
-
-    const { id: run_id, conclusion } =
-      (
-        await github.rest.actions.listWorkflowRuns({
-          ...context.repo,
-          workflow_id: 'pr.yml',
-          event: 'pull_request_target',
-          exclude_pull_requests: true,
-          head_sha: pull_request.head.sha,
-        })
-      ).data.workflow_runs[0] ??
-      // TODO: Remove this after 2025-09-17, at which point all eval.yml artifacts will have expired.
-      (
-        await github.rest.actions.listWorkflowRuns({
-          ...context.repo,
-          // In older PRs, we need eval.yml instead of pr.yml.
-          workflow_id: 'eval.yml',
-          event: 'pull_request_target',
-          status: 'success',
-          exclude_pull_requests: true,
-          head_sha: pull_request.head.sha,
-        })
-      ).data.workflow_runs[0] ??
-      {}
-
-    // Newer PRs might not have run Eval to completion, yet.
-    // Older PRs might not have an eval.yml workflow, yet.
-    // In either case we continue without fetching an artifact on a best-effort basis.
-    log('Last eval run', run_id ?? '<n/a>')
-
-    if (conclusion === 'success') {
-      Object.assign(prLabels, {
-        // We only set this label if the latest eval run was successful, because if it was not, it
-        // *could* have requested reviewers. We will let the PR author fix CI first, before "escalating"
-        // this PR to "needs: reviewer".
-        // Since the first Eval run on a PR always sets rebuild labels, the same PR will be "recently
-        // updated" for the next scheduled run. Thus, this label will still be set within a few minutes
-        // after a PR is created, if required.
-        // Note that a "requested reviewer" disappears once they have given a review, so we check
-        // existing reviews, too.
-        '9.needs: reviewer':
-          !pull_request.draft &&
-          pull_request.requested_reviewers.length == 0 &&
-          reviews.length == 0,
-      })
-    }
-
-    const artifact =
-      run_id &&
-      (
-        await github.rest.actions.listWorkflowRunArtifacts({
-          ...context.repo,
-          run_id,
-          name: 'comparison',
-        })
-      ).data.artifacts[0]
-
-    // Instead of checking the boolean artifact.expired, we will give us a minute to
-    // actually download the artifact in the next step and avoid that race condition.
-    // Older PRs, where the workflow run was already eval.yml, but the artifact was not
-    // called "comparison", yet, will skip the download.
-    const expired =
-      !artifact ||
-      new Date(artifact?.expires_at ?? 0) <
-        new Date(new Date().getTime() + 60 * 1000)
-    log('Artifact expires at', artifact?.expires_at ?? '<n/a>')
-    if (!expired) {
-      stats.artifacts++
-
-      await artifactClient.downloadArtifact(artifact.id, {
-        findBy: {
-          repositoryName: context.repo.repo,
-          repositoryOwner: context.repo.owner,
-          token: core.getInput('github-token'),
-        },
-        path: path.resolve(pull_number.toString()),
-        expectedHash: artifact.digest,
-      })
-
-      const maintainers = new Set(
-        Object.keys(
-          JSON.parse(
-            await readFile(`${pull_number}/maintainers.json`, 'utf-8'),
-          ),
-        ).map((m) => Number.parseInt(m, 10)),
-      )
-
-      const evalLabels = JSON.parse(
-        await readFile(`${pull_number}/changed-paths.json`, 'utf-8'),
-      ).labels
-
-      Object.assign(
-        prLabels,
-        // Ignore `evalLabels` if it's an array.
-        // This can happen for older eval runs, before we switched to objects.
-        // The old eval labels would have been set by the eval run,
-        // so now they'll be present in `before`.
-        // TODO: Simplify once old eval results have expired (~2025-10)
-        Array.isArray(evalLabels) ? undefined : evalLabels,
-        {
-          '12.approved-by: package-maintainer': Array.from(maintainers).some(
-            (m) => approvals.has(m),
-          ),
-        },
-      )
-    }
-
-    return prLabels
-  }
-
-  async function handle({ item, stats }) {
-    try {
-      const log = (k, v, skip) => {
-        core.info(`#${item.number} - ${k}: ${v}` + (skip ? ' (skipped)' : ''))
-        return skip
-      }
-
-      log('Last updated at', item.updated_at)
-      log('URL', item.html_url)
-
-      const issue_number = item.number
-
-      const itemLabels = {}
-
-      if (item.pull_request || context.payload.pull_request) {
-        stats.prs++
-        Object.assign(itemLabels, await handlePullRequest({ item, stats }))
-      } else {
-        stats.issues++
-      }
-
-      const latest_event_at = new Date(
-        (
-          await github.paginate(github.rest.issues.listEventsForTimeline, {
-            ...context.repo,
-            issue_number,
-            per_page: 100,
-          })
-        )
-          .filter(({ event }) =>
-            [
-              // These events are hand-picked from:
-              //   https://docs.github.com/en/rest/using-the-rest-api/issue-event-types?apiVersion=2022-11-28
-              // Each of those causes a PR/issue to *not* be considered as stale anymore.
-              // Most of these use created_at.
-              'assigned',
-              'commented', // uses updated_at, because that could be > created_at
-              'committed', // uses committer.date
-              'head_ref_force_pushed',
-              'milestoned',
-              'pinned',
-              'ready_for_review',
-              'renamed',
-              'reopened',
-              'review_dismissed',
-              'review_requested',
-              'reviewed', // uses submitted_at
-              'unlocked',
-              'unmarked_as_duplicate',
-            ].includes(event),
-          )
-          .map(
-            ({ created_at, updated_at, committer, submitted_at }) =>
-              new Date(
-                updated_at ?? created_at ?? submitted_at ?? committer.date,
-              ),
-          )
-          // Reverse sort by date value. The default sort() sorts by string representation, which is bad for dates.
-          .sort((a, b) => b - a)
-          .at(0) ?? item.created_at,
-      )
-      log('latest_event_at', latest_event_at.toISOString())
-
-      const stale_at = new Date(new Date().setDate(new Date().getDate() - 180))
-
-      // Create a map (Label -> Boolean) of all currently set labels.
-      // Each label is set to True and can be disabled later.
-      const before = Object.fromEntries(
-        (
-          await github.paginate(github.rest.issues.listLabelsOnIssue, {
-            ...context.repo,
-            issue_number,
-          })
-        ).map(({ name }) => [name, true]),
-      )
-
-      Object.assign(itemLabels, {
-        '2.status: stale':
-          !before['1.severity: security'] && latest_event_at < stale_at,
-      })
-
-      const after = Object.assign({}, before, itemLabels)
-
-      // No need for an API request, if all labels are the same.
-      const hasChanges = Object.keys(after).some(
-        (name) => (before[name] ?? false) != after[name],
-      )
-      if (log('Has changes', hasChanges, !hasChanges)) return
-
-      // Skipping labeling on a pull_request event, because we have no privileges.
-      const labels = Object.entries(after)
-        .filter(([, value]) => value)
-        .map(([name]) => name)
-      if (log('Set labels', labels, dry)) return
-
-      await github.rest.issues.setLabels({
-        ...context.repo,
-        issue_number,
-        labels,
-      })
-    } catch (cause) {
-      throw new Error(`Labeling #${item.number} failed.`, { cause })
-    }
-  }
-
-  await withRateLimit({ github, core }, async (stats) => {
-    if (context.payload.pull_request) {
-      await handle({ item: context.payload.pull_request, stats })
-    } else {
-      const lastRun = (
-        await github.rest.actions.listWorkflowRuns({
-          ...context.repo,
-          workflow_id: 'labels.yml',
-          event: 'schedule',
-          status: 'success',
-          exclude_pull_requests: true,
-          per_page: 1,
-        })
-      ).data.workflow_runs[0]
-
-      const cutoff = new Date(
-        Math.max(
-          // Go back as far as the last successful run of this workflow to make sure
-          // we are not leaving anyone behind on GHA failures.
-          // Defaults to go back 1 hour on the first run.
-          new Date(lastRun?.created_at ?? new Date().getTime() - 1 * 60 * 60 * 1000).getTime(),
-          // Go back max. 1 day to prevent hitting all API rate limits immediately,
-          // when GH API returns a wrong workflow by accident.
-          new Date().getTime() - 24 * 60 * 60 * 1000,
-        ),
-      )
-      core.info('cutoff timestamp: ' + cutoff.toISOString())
-
-      const updatedItems = await github.paginate(
-        github.rest.search.issuesAndPullRequests,
-        {
-          q: [
-            `repo:"${context.repo.owner}/${context.repo.repo}"`,
-            'is:open',
-            `updated:>=${cutoff.toISOString()}`,
-          ].join(' AND '),
-          per_page: 100,
-          // TODO: Remove in 2025-10, when it becomes the default.
-          advanced_search: true,
-        },
-      )
-
-      let cursor
-
-      // No workflow run available the first time.
-      if (lastRun) {
-        // The cursor to iterate through the full list of issues and pull requests
-        // is passed between jobs as an artifact.
-        const artifact = (
-          await github.rest.actions.listWorkflowRunArtifacts({
-            ...context.repo,
-            run_id: lastRun.id,
-            name: 'pagination-cursor',
-          })
-        ).data.artifacts[0]
-
-        // If the artifact is not available, the next iteration starts at the beginning.
-        if (artifact) {
-          stats.artifacts++
-
-          const { downloadPath } = await artifactClient.downloadArtifact(
-            artifact.id,
-            {
-              findBy: {
-                repositoryName: context.repo.repo,
-                repositoryOwner: context.repo.owner,
-                token: core.getInput('github-token'),
-              },
-              expectedHash: artifact.digest,
-            },
-          )
-
-          cursor = await readFile(path.resolve(downloadPath, 'cursor'), 'utf-8')
-        }
-      }
-
-      // From GitHub's API docs:
-      //   GitHub's REST API considers every pull request an issue, but not every issue is a pull request.
-      //   For this reason, "Issues" endpoints may return both issues and pull requests in the response.
-      //   You can identify pull requests by the pull_request key.
-      const allItems = await github.rest.issues.listForRepo({
-        ...context.repo,
-        state: 'open',
-        sort: 'created',
-        direction: 'asc',
-        per_page: 100,
-        after: cursor,
-      })
-
-      // Regex taken and comment adjusted from:
-      // https://github.com/octokit/plugin-paginate-rest.js/blob/8e5da25f975d2f31dda6b8b588d71f2c768a8df2/src/iterator.ts#L36-L41
-      // `allItems.headers.link` format:
-      //   <https://api.github.com/repositories/4542716/issues?page=3&per_page=100&after=Y3Vyc29yOnYyOpLPAAABl8qNnYDOvnSJxA%3D%3D>; rel="next",
-      //   <https://api.github.com/repositories/4542716/issues?page=1&per_page=100&before=Y3Vyc29yOnYyOpLPAAABl8xFV9DOvoouJg%3D%3D>; rel="prev"
-      // Sets `next` to undefined if "next" URL is not present or `link` header is not set.
-      const next = ((allItems.headers.link ?? '').match(
-        /<([^<>]+)>;\s*rel="next"/,
-      ) ?? [])[1]
-      if (next) {
-        cursor = new URL(next).searchParams.get('after')
-        const uploadPath = path.resolve('cursor')
-        await writeFile(uploadPath, cursor, 'utf-8')
-        if (dry) {
-          core.info(`pagination-cursor: ${cursor} (upload skipped)`)
-        } else {
-          // No stats.artifacts++, because this does not allow passing a custom token.
-          // Thus, the upload will not happen with the app token, but the default github.token.
-          await artifactClient.uploadArtifact(
-            'pagination-cursor',
-            [uploadPath],
-            path.resolve('.'),
-            {
-              retentionDays: 1,
-            },
-          )
-        }
-      }
-
-      // Some items might be in both search results, so filtering out duplicates as well.
-      const items = []
-        .concat(updatedItems, allItems.data)
-        .filter(
-          (thisItem, idx, arr) =>
-            idx ==
-            arr.findIndex((firstItem) => firstItem.number == thisItem.number),
-        )
-
-      ;(await Promise.allSettled(items.map((item) => handle({ item, stats }))))
-        .filter(({ status }) => status == 'rejected')
-        .map(({ reason }) =>
-          core.setFailed(`${reason.message}\n${reason.cause.stack}`),
-        )
-    }
-  })
-}
--- a/ci/github-script/package-lock.json
+++ b/ci/github-script/package-lock.json
--- a/ci/github-script/package.json
+++ b/ci/github-script/package.json
@@ -1,10 +0,0 @@
-{
-  "private": true,
-  "dependencies": {
-    "@actions/artifact": "2.3.2",
-    "@actions/core": "1.11.1",
-    "@actions/github": "6.0.1",
-    "bottleneck": "2.19.5",
-    "commander": "14.0.0"
-  }
-}
--- a/ci/github-script/run
+++ b/ci/github-script/run
@@ -1,72 +0,0 @@
-#!/usr/bin/env -S node --import ./run
-import { execSync } from 'node:child_process'
-import { closeSync, mkdtempSync, openSync, rmSync } from 'node:fs'
-import { tmpdir } from 'node:os'
-import { join } from 'node:path'
-import { program } from 'commander'
-import * as core from '@actions/core'
-import { getOctokit } from '@actions/github'
-
-async function run(action, owner, repo, pull_number, dry = true) {
-  const token = execSync('gh auth token', { encoding: 'utf-8' }).trim()
-
-  const github = getOctokit(token)
-
-  const payload = !pull_number ? {} : {
-    pull_request: (await github.rest.pulls.get({
-      owner,
-      repo,
-      pull_number,
-    })).data
-  }
-
-  process.env['INPUT_GITHUB-TOKEN'] = token
-
-  closeSync(openSync('step-summary.md', 'w'))
-  process.env.GITHUB_STEP_SUMMARY = 'step-summary.md'
-
-  await action({
-    github,
-    context: {
-      payload,
-      repo: {
-        owner,
-        repo,
-      },
-    },
-    core,
-    dry,
-  })
-}
-
-program
-  .command('commits')
-  .description('Check commit structure of a pull request.')
-  .argument('<owner>', 'Owner of the GitHub repository to check (Example: NixOS)')
-  .argument('<repo>', 'Name of the GitHub repository to check (Example: nixpkgs)')
-  .argument('<pr>', 'Number of the Pull Request to check')
-  .action(async (owner, repo, pr) => {
-    const commits = (await import('./commits.js')).default
-    run(commits, owner, repo, pr)
-  })
-
-program
-  .command('labels')
-  .description('Manage labels on pull requests.')
-  .argument('<owner>', 'Owner of the GitHub repository to label (Example: NixOS)')
-  .argument('<repo>', 'Name of the GitHub repository to label (Example: nixpkgs)')
-  .argument('[pr]', 'Number of the Pull Request to label')
-  .option('--no-dry', 'Make actual modifications')
-  .action(async (owner, repo, pr, options) => {
-    const labels = (await import('./labels.js')).default
-    const tmp = mkdtempSync(join(tmpdir(), 'github-script-'))
-    try {
-      process.env.GITHUB_WORKSPACE = tmp
-      process.chdir(tmp)
-      run(labels, owner, repo, pr, options.dry)
-    } finally {
-      rmSync(tmp, { recursive: true })
-    }
-  })
-
-await program.parse()
--- a/ci/github-script/shell.nix
+++ b/ci/github-script/shell.nix
@@ -1,25 +0,0 @@
-{
-  system ? builtins.currentSystem,
-  pkgs ? (import ../. { inherit system; }).pkgs,
-}:
-
-pkgs.callPackage (
-  {
-    gh,
-    importNpmLock,
-    mkShell,
-    nodejs,
-  }:
-  mkShell {
-    packages = [
-      gh
-      importNpmLock.hooks.linkNodeModulesHook
-      nodejs
-    ];
-
-    npmDeps = importNpmLock.buildNodeModules {
-      npmRoot = ./.;
-      inherit nodejs;
-    };
-  }
-) { }
--- a/ci/github-script/withRateLimit.js
+++ b/ci/github-script/withRateLimit.js
@@ -1,63 +0,0 @@
-module.exports = async function ({ github, core }, callback) {
-  const Bottleneck = require('bottleneck')
-
-  const stats = {
-    issues: 0,
-    prs: 0,
-    requests: 0,
-    artifacts: 0,
-  }
-
-  // Rate-Limiting and Throttling, see for details:
-  //   https://github.com/octokit/octokit.js/issues/1069#throttling
-  //   https://docs.github.com/en/rest/using-the-rest-api/best-practices-for-using-the-rest-api
-  const allLimits = new Bottleneck({
-    // Avoid concurrent requests
-    maxConcurrent: 1,
-    // Will be updated with first `updateReservoir()` call below.
-    reservoir: 0,
-  })
-  // Pause between mutative requests
-  const writeLimits = new Bottleneck({ minTime: 1000 }).chain(allLimits)
-  github.hook.wrap('request', async (request, options) => {
-    // Requests to a different host do not count against the rate limit.
-    if (options.url.startsWith('https://github.com')) return request(options)
-    // Requests to the /rate_limit endpoint do not count against the rate limit.
-    if (options.url == '/rate_limit') return request(options)
-    // Search requests are in a different resource group, which allows 30 requests / minute.
-    // We do less than a handful each run, so not implementing throttling for now.
-    if (options.url.startsWith('/search/')) return request(options)
-    stats.requests++
-    if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(options.method))
-      return writeLimits.schedule(request.bind(null, options))
-    else return allLimits.schedule(request.bind(null, options))
-  })
-
-  async function updateReservoir() {
-    let response
-    try {
-      response = await github.rest.rateLimit.get()
-    } catch (err) {
-      core.error(`Failed updating reservoir:\n${err}`)
-      // Keep retrying on failed rate limit requests instead of exiting the script early.
-      return
-    }
-    // Always keep 1000 spare requests for other jobs to do their regular duty.
-    // They normally use below 100, so 1000 is *plenty* of room to work with.
-    const reservoir = Math.max(0, response.data.resources.core.remaining - 1000)
-    core.info(`Updating reservoir to: ${reservoir}`)
-    allLimits.updateSettings({ reservoir })
-  }
-  await updateReservoir()
-  // Update remaining requests every minute to account for other jobs running in parallel.
-  const reservoirUpdater = setInterval(updateReservoir, 60 * 1000)
-
-  try {
-    await callback(stats)
-  } finally {
-    clearInterval(reservoirUpdater)
-    core.notice(
-      `Processed ${stats.prs} PRs, ${stats.issues} Issues, made ${stats.requests + stats.artifacts} API requests and downloaded ${stats.artifacts} artifacts.`,
-    )
-  }
-}
--- a/ci/nixpkgs-vet.nix
+++ b/ci/nixpkgs-vet.nix
@@ -1,53 +0,0 @@
-{
-  lib,
-  nix,
-  nixpkgs-vet,
-  runCommand,
-}:
-{
-  base ? ../.,
-  head ? ../.,
-}:
-let
-  filtered =
-    with lib.fileset;
-    path:
-    toSource {
-      fileset = (gitTracked path);
-      root = path;
-    };
-in
-runCommand "nixpkgs-vet"
-  {
-    nativeBuildInputs = [
-      nixpkgs-vet
-    ];
-    env.NIXPKGS_VET_NIX_PACKAGE = nix;
-  }
-  ''
-    export NIX_STATE_DIR=$(mktemp -d)
-
-    nixpkgs-vet --base ${filtered base} ${filtered head}
-
-    # TODO: Upstream into nixpkgs-vet, see:
-    # https://github.com/NixOS/nixpkgs-vet/issues/164
-    badFiles=$(find ${filtered head}/pkgs -type f -name '*.nix' -print | xargs grep -l '^[^#]*<nixpkgs/' || true)
-    if [[ -n $badFiles ]]; then
-      echo "Nixpkgs is not allowed to use <nixpkgs> to refer to itself."
-      echo "The offending files:"
-      echo "$badFiles"
-      exit 1
-    fi
-
-    # TODO: Upstream into nixpkgs-vet, see:
-    # https://github.com/NixOS/nixpkgs-vet/issues/166
-    conflictingPaths=$(find ${filtered head} | awk '{ print $1 " " tolower($1) }' | sort -k2 | uniq -D -f 1 | cut -d ' ' -f 1)
-    if [[ -n $conflictingPaths ]]; then
-      echo "Files in nixpkgs must not vary only by case."
-      echo "The offending paths:"
-      echo "$conflictingPaths"
-      exit 1
-    fi
-
-    touch $out
-  ''
--- a/ci/nixpkgs-vet.sh
+++ b/ci/nixpkgs-vet.sh
@@ -61,6 +61,11 @@ trace "Done"
 trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
 git -C "$tmp/merged" merge -q --no-edit "$baseSha"
 trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
+trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
+toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
+trace -e "\e[34m$toolVersion\e[0m"

+trace -n "Building tool.. "
+nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
 trace "Running nixpkgs-vet.."
-nix-build ci -A nixpkgs-vet --arg base "$tmp/base" --arg head "$tmp/merged"
+"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"
--- a/ci/nixpkgs-vet/pinned-version.txt
+++ b/ci/nixpkgs-vet/pinned-version.txt
@@ -0,0 +1 @@
+0.1.4
--- a/ci/nixpkgs-vet/update-pinned-tool.sh
+++ b/ci/nixpkgs-vet/update-pinned-tool.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p jq curl
+
+set -o pipefail -o errexit -o nounset
+
+trace() { echo >&2 "$@"; }
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+repository=NixOS/nixpkgs-vet
+pin_file=$SCRIPT_DIR/pinned-version.txt
+
+trace -n "Fetching latest release of $repository.. "
+latestRelease=$(curl -sSfL \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  https://api.github.com/repos/"$repository"/releases/latest)
+latestVersion=$(jq .tag_name -r <<< "$latestRelease")
+trace "$latestVersion"
+
+trace "Updating $pin_file"
+echo "$latestVersion" > "$pin_file"
--- a/ci/pinned-nixpkgs.json
+++ b/ci/pinned-nixpkgs.json
@@ -0,0 +1,4 @@
+{
+  "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
+  "sha256": "132nimgi1g88fbhddk4b8b1qk68jly494x2mnphyk3xa1d2wy9q7"
+}
--- a/ci/pinned.json
+++ b/ci/pinned.json
@@ -1,31 +0,0 @@
-{
-  "pins": {
-    "nixpkgs": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "NixOS",
-        "repo": "nixpkgs"
-      },
-      "branch": "nixpkgs-unstable",
-      "submodules": false,
-      "revision": "2baf8e1658cba84a032c3a8befb1e7b06629242a",
-      "url": "https://github.com/NixOS/nixpkgs/archive/2baf8e1658cba84a032c3a8befb1e7b06629242a.tar.gz",
-      "hash": "0l48zkf2zs7r53fjq46j770vpb5avxihyfypra3fv429akqnsmm1"
-    },
-    "treefmt-nix": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "numtide",
-        "repo": "treefmt-nix"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "421b56313c65a0815a52b424777f55acf0b56ddf",
-      "url": "https://github.com/numtide/treefmt-nix/archive/421b56313c65a0815a52b424777f55acf0b56ddf.tar.gz",
-      "hash": "1l57hzz704s7izkkcl3xsg77xjfza57cl0fchs24rdpdhmry2dmp"
-    }
-  },
-  "version": 5
-}
--- a/ci/supportedBranches.js
+++ b/ci/supportedBranches.js
@@ -1,62 +0,0 @@
-#!/usr/bin/env nix-shell
-/*
-#!nix-shell -i node -p nodejs
-*/
-
-const typeConfig = {
-  master: ['development', 'primary'],
-  release: ['development', 'primary'],
-  staging: ['development', 'secondary'],
-  'staging-next': ['development', 'secondary'],
-  'haskell-updates': ['development', 'secondary'],
-  'python-updates': ['development', 'secondary'],
-  nixos: ['channel'],
-  nixpkgs: ['channel'],
-}
-
-function split(branch) {
-  return { ...branch.match(/(?<prefix>.+?)(-(?<version>\d{2}\.\d{2}|unstable)(?:-(?<suffix>.*))?)?$/).groups }
-}
-
-function classify(branch) {
-  const { prefix, version } = split(branch)
-  return {
-    stable: (version ?? 'unstable') !== 'unstable',
-    type: typeConfig[prefix] ?? [ 'wip' ]
-  }
-}
-
-module.exports = { classify }
-
-// If called directly via CLI, runs the following tests:
-if (!module.parent) {
-  console.log('split(branch)')
-  function testSplit(branch) {
-    console.log(branch, split(branch))
-  }
-  testSplit('master')
-  testSplit('release-25.05')
-  testSplit('staging-next')
-  testSplit('staging-25.05')
-  testSplit('staging-next-25.05')
-  testSplit('nixpkgs-25.05-darwin')
-  testSplit('nixpkgs-unstable')
-  testSplit('haskell-updates')
-  testSplit('backport-123-to-release-25.05')
-
-  console.log('')
-
-  console.log('classify(branch)')
-  function testClassify(branch) {
-    console.log(branch, classify(branch))
-  }
-  testClassify('master')
-  testClassify('release-25.05')
-  testClassify('staging-next')
-  testClassify('staging-25.05')
-  testClassify('staging-next-25.05')
-  testClassify('nixpkgs-25.05-darwin')
-  testClassify('nixpkgs-unstable')
-  testClassify('haskell-updates')
-  testClassify('backport-123-to-release-25.05')
-}
--- a/ci/update-pinned-nixpkgs.sh
+++ b/ci/update-pinned-nixpkgs.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p jq
+
+set -euo pipefail
+
+# https://stackoverflow.com/a/246128
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+repo=https://github.com/nixos/nixpkgs
+branch=nixpkgs-unstable
+file=$SCRIPT_DIR/pinned-nixpkgs.json
+
+defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
+rev=${1:-$defaultRev}
+sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
+
+jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file
--- a/ci/update-pinned.sh
+++ b/ci/update-pinned.sh
@@ -1,8 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p npins
-
-set -euo pipefail
-
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-npins --lock-file pinned.json update
--- a/doc/README.md
+++ b/doc/README.md
@@ -34,43 +34,25 @@ $ nix-build doc

 If the build succeeds, the manual will be in `./result/share/doc/nixpkgs/manual.html`.

-### Development environment
+### devmode

-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the Nixpkgs documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/doc
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-#### `devmode`
-
-Use [`devmode`](../pkgs/by-name/de/devmode/README.md) for a live preview when editing the manual.
+The shell in the manual source directory makes available a command, `devmode`.
+It is a daemon, that:
+1. watches the manual's source for changes and when they occur — rebuilds
+2. HTTP serves the manual, injecting a script that triggers reload on changes
+3. opens the manual in the default browser

 ### Testing redirects

 Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.

-Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload.
-This is because browsers do not re-run client JS code when only the anchor has changed.
+Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.

 ## Syntax

 As per [RFC 0072](https://github.com/NixOS/rfcs/pull/72), all new documentation content should be written in [CommonMark](https://commonmark.org/) Markdown dialect.

-Additional syntax extensions are available, all of which can be used in NixOS option documentation.
-The following extensions are currently used:
+Additional syntax extensions are available, all of which can be used in NixOS option documentation. The following extensions are currently used:

 #### Tables

@@ -78,8 +60,7 @@ Tables, using the [GitHub-flavored Markdown syntax](https://github.github.com/gf

 #### Anchors

-Explicitly defined **anchors** on headings, to allow linking to sections.
-These should be always used, to ensure the anchors can be linked even when the heading text changes, and to prevent conflicts between [automatically assigned identifiers](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/auto_identifiers.md).
+Explicitly defined **anchors** on headings, to allow linking to sections. These should be always used, to ensure the anchors can be linked even when the heading text changes, and to prevent conflicts between [automatically assigned identifiers](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/auto_identifiers.md).

 It uses the widely compatible [header attributes](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/attributes.md) syntax:

@@ -102,21 +83,18 @@ They are defined using a hybrid of the link syntax with the attributes syntax kn

 #### Automatic links

-If you **omit a link text** for a link pointing to a section, the text will be substituted automatically.
-For example `[](#chap-contributing)`.
+If you **omit a link text** for a link pointing to a section, the text will be substituted automatically. For example `[](#chap-contributing)`.

 This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#targets-and-cross-referencing).


 #### HTML

-Inlining HTML is not allowed.
-Parts of the documentation gets rendered to various non-HTML formats, such as man pages in the case of NixOS manual.
+Inlining HTML is not allowed. Parts of the documentation gets rendered to various non-HTML formats, such as man pages in the case of NixOS manual.

 #### Roles

-If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``.
-The references will turn into links when a mapping exists in [`doc/manpage-urls.json`](./manpage-urls.json).
+If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``. The references will turn into links when a mapping exists in [`doc/manpage-urls.json`](./manpage-urls.json).
 Please keep the `manpage-urls.json` file alphabetically sorted.

 A few markups for other kinds of literals are also available:
@@ -129,8 +107,7 @@ A few markups for other kinds of literals are also available:

 These literal kinds are used mostly in NixOS option documentation.

-This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point).
-Though, the feature originates from [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage) with slightly different syntax.
+This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point). Though, the feature originates from [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage) with slightly different syntax.
 They are handled by `myst_role` defined per renderer. <!-- reverse references in code -->

 #### Admonitions
@@ -333,11 +310,8 @@ Otherwise, just describe the single argument or start the arguments' definition

 Checklist:
 - Start with a synopsis, to show the order of positional arguments.
- Metavariables are in emphasized code spans: ``` *`arg1`* ```.
-  Metavariables are placeholders where users may write arbitrary expressions.
-  This includes positional arguments.
- Attribute names are regular code spans: ``` `attr1` ```.
-  These identifiers can _not_ be picked freely by users, so they are _not_ metavariables.
+- Metavariables are in emphasized code spans: ``` *`arg1`* ```. Metavariables are placeholders where users may write arbitrary expressions. This includes positional arguments.
+- Attribute names are regular code spans: ``` `attr1` ```. These identifiers can _not_ be picked freely by users, so they are _not_ metavariables.
 - _optional_ attributes have a _`Default:`_ if it's easily described as a value.
 - _optional_ attributes have a _`Default behavior:`_ if it's not easily described using a value.
 - Nix types aren't in code spans, because they are not code
@@ -414,8 +388,7 @@ This syntax is taken from [CommonMark](https://spec.commonmark.org/0.30/#link-re

 #### Typographic replacements

-Typographic replacements are enabled.
-Check the [list of possible replacement patterns check](https://github.com/executablebooks/markdown-it-py/blob/3613e8016ecafe21709471ee0032a90a4157c2d1/markdown_it/rules_core/replacements.py#L1-L15).
+Typographic replacements are enabled. Check the [list of possible replacement patterns check](https://github.com/executablebooks/markdown-it-py/blob/3613e8016ecafe21709471ee0032a90a4157c2d1/markdown_it/rules_core/replacements.py#L1-L15).

 ## Getting help

--- a/doc/build-helpers/fetchers.chapter.md
+++ b/doc/build-helpers/fetchers.chapter.md
@@ -163,8 +163,6 @@ Nixpkgs fetchers can make use of a http(s) proxy. Each fetcher will automaticall

 The environment variable `NIX_SSL_CERT_FILE` is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors.

-To use a temporary Tor instance as a proxy for fetching from `.onion` addresses, add `nativeBuildInputs = [ tor.proxyHook ];` to the fetcher parameters.
-
 []{#fetchurl}
 ## `fetchurl` {#sec-pkgs-fetchers-fetchurl}

@@ -797,10 +795,6 @@ Additionally, the following optional arguments can be given:
 : Clone the entire repository as opposing to just creating a shallow clone.
  This implies `leaveDotGit`.

-*`fetchTags`* (Boolean)
-
-: Whether to fetch all tags from the remote repository. This is useful when the build process needs to run `git describe` or other commands that require tag information to be available. This parameter implies `leaveDotGit`, as tags are stored in the `.git` directory.
-
 *`sparseCheckout`* (List of String)

 : Prevent git from fetching unnecessary blobs from server.
@@ -842,7 +836,7 @@ Used with CVS. Expects `cvsRoot`, `tag`, and `hash`.

 ## `fetchhg` {#fetchhg}

-Used with Mercurial. Expects `url`, `rev`, `hash`, overridable with [`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs).
+Used with Mercurial. Expects `url`, `rev`, and `hash`.

 A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are mainly convenience functions intended for commonly used destinations of source code in Nixpkgs. These wrapper fetchers are listed below.

--- a/doc/build-helpers/fixed-point-arguments.chapter.md
+++ b/doc/build-helpers/fixed-point-arguments.chapter.md
@@ -60,7 +60,10 @@ lib.extendMkDerivation {
    }@args:
    {
      # Arguments to pass
-      inherit preferLocalBuild allowSubstitute;
+      inherit
+        preferLocalBuild
+        allowSubstitute
+        ;
      # Some expressions involving specialArg
      greeting = if specialArg "hi" then "hi" else "hello";
    };
--- a/doc/build-helpers/images/appimagetools.section.md
+++ b/doc/build-helpers/images/appimagetools.section.md
@@ -37,7 +37,9 @@ let
    hash = "sha256-he1uGC1M/nFcKpMM9JKY4oeexJcnzV0ZRxhTjtJz6xw=";
  };
 in
-appimageTools.wrapType2 { inherit pname version src; }
+appimageTools.wrapType2 {
+  inherit pname version src;
+}
 ```

 :::
@@ -102,7 +104,9 @@ let
    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
  };

-  appimageContents = appimageTools.extract { inherit pname version src; };
+  appimageContents = appimageTools.extract {
+    inherit pname version src;
+  };
 in
 appimageTools.wrapType2 {
  inherit pname version src;
--- a/doc/build-helpers/images/binarycache.section.md
+++ b/doc/build-helpers/images/binarycache.section.md
@@ -33,7 +33,10 @@ You may also want to consider [dockerTools](#sec-pkgs-dockerTools) for your cont
 The following derivation will construct a flat-file binary cache containing the closure of `hello`.

 ```nix
-{ mkBinaryCache, hello }: mkBinaryCache { rootPaths = [ hello ]; }
+{ mkBinaryCache, hello }:
+mkBinaryCache {
+  rootPaths = [ hello ];
+}
 ```

 Build the cache on a machine.
--- a/doc/build-helpers/images/dockertools.section.md
+++ b/doc/build-helpers/images/dockertools.section.md
@@ -145,14 +145,14 @@ Similarly, if you encounter errors similar to `Error_Protocol ("certificate has

 `diskSize` (Number; _optional_)

-: Controls the disk size in MiB (1024x1024 bytes) of the VM used to run the script specified in `runAsRoot`.
+: Controls the disk size (in megabytes) of the VM used to run the script specified in `runAsRoot`.
  This attribute is ignored if `runAsRoot` is `null`.

  _Default value:_ 1024.

 `buildVMMemorySize` (Number; _optional_)

-: Controls the amount of memory in MiB (1024x1024 bytes) provisioned for the VM used to run the script specified in `runAsRoot`.
+: Controls the amount of memory (in megabytes) provisioned for the VM used to run the script specified in `runAsRoot`.
  This attribute is ignored if `runAsRoot` is `null`.

  _Default value:_ 512.
@@ -1577,7 +1577,9 @@ This example uses [](#ex-dockerTools-streamNixShellImage-hello) as a starting po
 dockerTools.streamNixShellImage {
  tag = "latest";
  drv = hello.overrideAttrs (old: {
-    nativeBuildInputs = old.nativeBuildInputs or [ ] ++ [ cowsay ];
+    nativeBuildInputs = old.nativeBuildInputs or [ ] ++ [
+      cowsay
+    ];
  });
 }
 ```
--- a/doc/build-helpers/images/makediskimage.section.md
+++ b/doc/build-helpers/images/makediskimage.section.md
@@ -108,6 +108,6 @@ make-disk-image {
  diskSize = "auto";
  additionalSpace = "0M"; # Defaults to 512M.
  copyChannel = false;
-  memSize = 2048; # Qemu VM memory size in MiB (1024*1024 bytes). Defaults to 1024M.
+  memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
 }
 ```
--- a/doc/build-helpers/images/ocitools.section.md
+++ b/doc/build-helpers/images/ocitools.section.md
@@ -82,7 +82,9 @@ This example uses `ociTools.buildContainer` to create a simple container that ru
  bash,
 }:
 ociTools.buildContainer {
-  args = [ (lib.getExe bash) ];
+  args = [
+    (lib.getExe bash)
+  ];

  readonly = false;
 }
--- a/doc/build-helpers/special/checkpoint-build.section.md
+++ b/doc/build-helpers/special/checkpoint-build.section.md
@@ -7,18 +7,20 @@ For hermeticity, Nix derivations do not allow any state to be carried over betwe
 However, we can tell Nix explicitly what the previous build state was, by representing that previous state as a derivation output. This allows the passed build state to be used for an incremental build.

 To change a normal derivation to a checkpoint based build, these steps must be taken:
-  ```nix
-  {
-    checkpointArtifacts = (pkgs.checkpointBuildTools.prepareCheckpointBuild pkgs.virtualbox);
-  }
-  ```
-  ```nix
-  {
-    changedVBox = pkgs.virtualbox.overrideAttrs (old: {
-      src = path/to/vbox/sources;
-    });
-  }
-  ```
+  - apply `prepareCheckpointBuild` on the desired derivation, e.g.
+```nix
+{
+  checkpointArtifacts = (pkgs.checkpointBuildTools.prepareCheckpointBuild pkgs.virtualbox);
+}
+```
+  - change something you want in the sources of the package, e.g. use a source override:
+```nix
+{
+  changedVBox = pkgs.virtualbox.overrideAttrs (old: {
+    src = path/to/vbox/sources;
+  });
+}
+```
  - use `mkCheckpointBuild changedVBox checkpointArtifacts`
  - enjoy shorter build times

@@ -28,11 +30,14 @@ To change a normal derivation to a checkpoint based build, these steps must be t
  pkgs ? import <nixpkgs> { },
 }:
 let
-  inherit (pkgs.checkpointBuildTools) prepareCheckpointBuild mkCheckpointBuild;
+  inherit (pkgs.checkpointBuildTools)
+    prepareCheckpointBuild
+    mkCheckpointBuild
+    ;
  helloCheckpoint = prepareCheckpointBuild pkgs.hello;
  changedHello = pkgs.hello.overrideAttrs (_: {
    doCheck = false;
-    postPatch = ''
+    patchPhase = ''
      sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
    '';
  });
--- a/doc/build-helpers/special/vm-tools.section.md
+++ b/doc/build-helpers/special/vm-tools.section.md
@@ -23,7 +23,7 @@ If the build fails and Nix is run with the `-K/--keep-failed` option, a script `
 ### Attributes {#vm-tools-runInLinuxVM-attributes}

 * `preVM` (optional). Shell command to be evaluated *before* the VM is started (i.e., on the host).
-* `memSize` (optional, default `512`). The memory size of the VM in MiB (1024×1024 bytes).
+* `memSize` (optional, default `512`). The memory size of the VM in MiB.
 * `diskImage` (optional). A file system image to be attached to `/dev/sda`.
  Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.

--- a/doc/build-helpers/testers.chapter.md
+++ b/doc/build-helpers/testers.chapter.md
@@ -15,7 +15,9 @@ If the `moduleNames` argument is omitted, `hasPkgConfigModules` will use `meta.p

 ```nix
 {
-  passthru.tests.pkg-config = testers.hasPkgConfigModules { package = finalAttrs.finalPackage; };
+  passthru.tests.pkg-config = testers.hasPkgConfigModules {
+    package = finalAttrs.finalPackage;
+  };

  meta.pkgConfigModules = [ "libfoo" ];
 }
@@ -38,26 +40,6 @@ If the `moduleNames` argument is omitted, `hasPkgConfigModules` will use `meta.p

 :::

-## `hasCmakeConfigModules` {#tester-hasCmakeConfigModules}
-
-Checks whether a package exposes a given list of `*config.cmake` modules.
-Note the moduleNames used in cmake find_package are case sensitive.
-
-:::{.example #ex-hascmakeconfigmodules}
-
-# Check that `*config.cmake` modules are exposed using explicit module names
-
-```nix
-{
-  passthru.tests.cmake-config = testers.hasCmakeConfigModules {
-    package = finalAttrs.finalPackage;
-    moduleNames = [ "Foo" ];
-  };
-}
-```
-
-:::
-
 ## `lycheeLinkCheck` {#tester-lycheeLinkCheck}

 Check a packaged static site's links with the [`lychee` package](https://search.nixos.org/packages?show=lychee&type=packages&query=lychee).
@@ -72,7 +54,9 @@ If you have a static site that can be built with Nix, you can use `lycheeLinkChe
 # Check hyperlinks in the `nix` documentation

 ```nix
-testers.lycheeLinkCheck { site = nix.doc + "/share/doc/nix/manual"; }
+testers.lycheeLinkCheck {
+  site = nix.doc + "/share/doc/nix/manual";
+}
 ```

 :::
@@ -265,7 +249,9 @@ The default argument to the command is `--version`, and the version to be checke
 This example will run the command `hello --version`, and then check that the version of the `hello` package is in the output of the command.

 ```nix
-{ passthru.tests.version = testers.testVersion { package = hello; }; }
+{
+  passthru.tests.version = testers.testVersion { package = hello; };
+}
 ```

 :::
--- a/doc/build-helpers/trivial-build-helpers.chapter.md
+++ b/doc/build-helpers/trivial-build-helpers.chapter.md
@@ -152,7 +152,9 @@ runCommandWith {

 Likewise, `runCommandCC name derivationArgs buildCommand` is equivalent to
 ```nix
-runCommandWith { inherit name derivationArgs; } buildCommand
+runCommandWith {
+  inherit name derivationArgs;
+} buildCommand
 ```
 :::

@@ -711,10 +713,7 @@ concatTextFile
  # Writes contents of files to /nix/store/<store path>
  concatText
  "my-file"
-  [
-    file1
-    file2
-  ]
+  [ file1 file2 ]

  # Writes contents of files to /nix/store/<store path>
  concatScript
@@ -791,7 +790,7 @@ The result is equivalent to the output of `nix-store -q --requisites`.
 For example,

 ```nix
-writeClosure [ (writeScriptBin "hi" "${hello}/bin/hello") ]
+writeClosure [ (writeScriptBin "hi" ''${hello}/bin/hello'') ]
 ```

 produces an output path `/nix/store/<hash>-runtime-deps` containing
@@ -817,7 +816,7 @@ This produces the equivalent of `nix-store -q --references`.
 For example,

 ```nix
-writeDirectReferencesToFile (writeScriptBin "hi" "${hello}/bin/hello")
+writeDirectReferencesToFile (writeScriptBin "hi" ''${hello}/bin/hello'')
 ```

 produces an output path `/nix/store/<hash>-runtime-references` containing
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -1,6 +1,6 @@
 {
-  pkgs ? (import ../ci { }).pkgs,
+  pkgs ? (import ./.. { }),
  nixpkgs ? { },
 }:

-pkgs.callPackage ./doc-support/package.nix { inherit nixpkgs; }
+pkgs.nixpkgs-manual.override { inherit nixpkgs; }
--- a/doc/doc-support/lib-function-docs.nix
+++ b/doc/doc-support/lib-function-docs.nix
@@ -102,8 +102,6 @@ stdenvNoCC.mkDerivation {
  ];

  installPhase = ''
-    runHook preInstall
-
    cd ..

    export NIX_STATE_DIR=$(mktemp -d)
@@ -145,7 +143,5 @@ stdenvNoCC.mkDerivation {
    ) libsets}

    echo '```' >> "$out/index.md"
-
-    runHook postInstall
  '';
 }
--- a/doc/doc-support/package.nix
+++ b/doc/doc-support/package.nix
@@ -14,8 +14,8 @@
  nixpkgs ? { },
  markdown-code-runner,
  roboto,
-  treefmt,
 }:
+
 stdenvNoCC.mkDerivation (
  finalAttrs:
  let
@@ -47,8 +47,6 @@ stdenvNoCC.mkDerivation (

    postPatch = ''
      ln -s ${optionsJSON}/share/doc/nixos/options.json ./config-options.json
-      ln -s ${treefmt.functionsDoc.markdown} ./packages/treefmt-functions.section.md
-      ln -s ${treefmt.optionsDoc.optionsJSON}/share/doc/nixos/options.json ./treefmt-options.json
    '';

    buildPhase = ''
@@ -57,8 +55,10 @@ stdenvNoCC.mkDerivation (
      substituteInPlace ./languages-frameworks/python.section.md \
        --subst-var-by python-interpreter-table "$(<"${pythonInterpreterTable}")"

-      cat ./functions/library.md.in ${lib-docs}/index.md > ./functions/library.md
-
+      cat \
+        ./functions/library.md.in \
+        ${lib-docs}/index.md \
+        > ./functions/library.md
      substitute ./manual.md.in ./manual.md \
        --replace-fail '@MANUAL_VERSION@' '${lib.version}'

@@ -97,14 +97,14 @@ stdenvNoCC.mkDerivation (
      dest="$out/share/doc/nixpkgs"
      mkdir -p "$(dirname "$dest")"
      mv out "$dest"
-      cp "$dest/index.html" "$dest/manual.html"
+      mv "$dest/index.html" "$dest/manual.html"

      cp ${roboto.src}/web/Roboto\[ital\,wdth\,wght\].ttf "$dest/Roboto.ttf"

      cp ${epub} "$dest/nixpkgs-manual.epub"

      mkdir -p $out/nix-support/
-      echo "doc manual $dest index.html" >> $out/nix-support/hydra-build-products
+      echo "doc manual $dest manual.html" >> $out/nix-support/hydra-build-products
      echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products

      runHook postInstall
@@ -123,7 +123,7 @@ stdenvNoCC.mkDerivation (
        let
          devmode' = devmode.override {
            buildArgs = toString ../.;
-            open = "/share/doc/nixpkgs/index.html";
+            open = "/share/doc/nixpkgs/manual.html";
          };
          nixos-render-docs-redirects' = writeShellScriptBin "redirects" "${lib.getExe nixos-render-docs-redirects} --file ${toString ../redirects.json} $@";
        in
--- a/doc/functions/generators.section.md
+++ b/doc/functions/generators.section.md
@@ -27,8 +27,8 @@ let
    } ":";
  };

-  # the INI file can now be given as plain old nix values
 in
+# the INI file can now be given as plain old nix values
 customToINI {
  main = {
    pushinfo = true;
--- a/doc/functions/nix-gitignore.section.md
+++ b/doc/functions/nix-gitignore.section.md
@@ -15,24 +15,13 @@
  src = nix-gitignore.gitignoreSource [ ] ./source;
  # Simplest version

-  src = nix-gitignore.gitignoreSource ''
-    supplemental-ignores
-  '' ./source;
+  src = nix-gitignore.gitignoreSource "supplemental-ignores\n" ./source;
  # This one reads the ./source/.gitignore and concats the auxiliary ignores

-  src = nix-gitignore.gitignoreSourcePure ''
-    ignore-this
-    ignore-that
-  '' ./source;
+  src = nix-gitignore.gitignoreSourcePure "ignore-this\nignore-that\n" ./source;
  # Use this string as gitignore, don't read ./source/.gitignore.

-  src = nix-gitignore.gitignoreSourcePure [
-    ''
-      ignore-this
-      ignore-that
-    ''
-    ~/.gitignore
-  ] ./source;
+  src = nix-gitignore.gitignoreSourcePure [ "ignore-this\nignore-that\n" ~/.gitignore ] ./source;
  # It also accepts a list (of strings and paths) that will be concatenated
  # once the paths are turned to strings via readFile.
 }
@@ -52,7 +41,9 @@ Those filter functions accept the same arguments the `builtins.filterSource` fun
 If you want to make your own filter from scratch, you may use

 ```nix
-{ gitignoreFilter = ign: root: filterPattern (gitignoreToPatterns ign) root; }
+{
+  gitignoreFilter = ign: root: filterPattern (gitignoreToPatterns ign) root;
+}
 ```

 ## gitignore files in subdirectories {#sec-pkgs-nix-gitignore-usage-recursive}
--- a/doc/hooks/breakpoint.section.md
+++ b/doc/hooks/breakpoint.section.md
@@ -3,7 +3,9 @@
 This hook makes a build pause instead of stopping when a failure occurs. It prevents Nix from cleaning up the build environment immediately and allows the user to attach to the build environment. Upon a build error, it will print instructions that can be used to enter the environment for debugging. breakpointHook is only available on Linux. To use it, add `breakpointHook` to `nativeBuildInputs` in the package to be inspected.

 ```nix
-{ nativeBuildInputs = [ breakpointHook ]; }
+{
+  nativeBuildInputs = [ breakpointHook ];
+}
 ```

 When a build failure occurs, an instruction will be printed showing how to attach to the build sandbox.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Robert Hensing	2513e2f1f0	lib.types.attrNamesTo{Set,Submodule}: add	2025-05-16 15:09:31 +02:00
Robert Hensing	e938d5b77a	lib/types.nix: Remove duplicate user documentation	2025-05-16 15:09:25 +02:00
Robert Hensing	1980e9a444	lib/tests/modules: Test attrNamesToTrue	2025-05-16 15:09:24 +02:00
Will Fancher	851d4f4f2b	lib.types.attrNamesToTrue: add (cherry picked from commit `98652f9a90`)	2025-05-16 12:35:16 +02:00