Change llvm packages for gcc offload

But it cannot target gfx1103 - that probably requires the
rocmPackages.llvm that is broken.

.devcontainer/devcontainer.json

@@ -1,34 +0,0 @@
-{
-  "name": "nixpkgs",
-  "image": "mcr.microsoft.com/devcontainers/universal:2-linux",
-  "features": {
-    "ghcr.io/devcontainers/features/nix:1": {
-      // fails in the devcontainer sandbox, enable sandbox via config instead
-      "multiUser": false,
-      "packages": "nixpkgs.nixd,nixpkgs.nixfmt-rfc-style",
-      "useAttributePath": true,
-      "extraNixConfig": "experimental-features = nix-command flakes,sandbox = true"
-    }
-  },
-  // Fixup permissions inside container.
-  // https://github.com/NixOS/nix/issues/6680#issuecomment-1230902525
-  "postCreateCommand": "sudo apt-get install -y acl",
-  "postStartCommand": "sudo setfacl -k /tmp; if [ -e /dev/kvm ]; then sudo chgrp $(id -g) /dev/kvm; fi",
-  "customizations": {
-    "vscode": {
-      "extensions": [
-        "jnoortheen.nix-ide"
-      ],
-      "settings": {
-        "[nix]": {
-            "editor.formatOnSave": true
-        },
-        "nix.enableLanguageServer": true,
-        "nix.serverPath": "nixd"
-      }
-    }
-  },
-  "remoteEnv": {
-    "NIXPKGS": "/workspaces/nixpkgs"
-  }
-}

.editorconfig

@@ -24,7 +24,7 @@ insert_final_newline = false
 # see https://nixos.org/nixpkgs/manual/#chap-conventions
 
 # Match json/lockfiles/markdown/nix/perl/python/ruby/shell/docbook files, set indent to spaces
-[*.{bash,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
+[*.{json,lock,md,nix,pl,pm,py,rb,sh,xml}]
 indent_style = space
 
 # Match docbook files, set indent width of one
@@ -35,12 +35,8 @@ indent_size = 1
 [*.{json,lock,md,nix,rb}]
 indent_size = 2
 
-# Match all the Bash code in Nix files, set indent width of two
-[*.{bash,sh}]
-indent_size = 2
-
-# Match Perl and Python scripts, set indent width of four
-[*.{pl,pm,py}]
+# Match perl/python/shell scripts, set indent width of four
+[*.{pl,pm,py,sh}]
 indent_size = 4
 
 # Match gemfiles, set indent to spaces with width of two
@@ -48,10 +44,9 @@ indent_size = 4
 indent_size = 2
 indent_style = space
 
-# Match package.json and package-lock.json, which are generally pulled from upstream and accept them as they are
-[package{,-lock}.json]
+# Match package.json, which are generally pulled from upstream and accept them as they are
+[package.json]
 indent_style = unset
-insert_final_newline = unset
 
 # Disable file types or individual files
 # some of these files may be auto-generated and/or require significant changes
@@ -86,10 +81,42 @@ charset = unset
 [eggs.nix]
 trim_trailing_whitespace = unset
 
-[registry.dat]
+[nixos/modules/services/networking/ircd-hybrid/*.{conf,in}]
+trim_trailing_whitespace = unset
+
+[pkgs/build-support/dotnetenv/Wrapper/**]
+end_of_line = unset
+indent_style = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+
+[pkgs/development/compilers/elm/registry.dat]
 end_of_line = unset
 insert_final_newline = unset
 
-# Keep this hint at the bottom:
-# Please don't add entries for subfolders here.
-# Create <subfolder>/.editorconfig instead.
+[pkgs/development/haskell-modules/hackage-packages.nix]
+indent_style = unset
+trim_trailing_whitespace = unset
+
+[pkgs/misc/documentation-highlighter/**]
+insert_final_newline = unset
+
+[pkgs/servers/dict/wordnet_structures.py]
+trim_trailing_whitespace = unset
+
+[pkgs/tools/misc/timidity/timidity.cfg]
+trim_trailing_whitespace = unset
+
+[pkgs/tools/virtualization/ovftool/*.ova]
+end_of_line = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset
+charset = unset
+
+[lib/tests/*.plist]
+indent_style = tab
+insert_final_newline = unset
+
+[pkgs/kde/generated/**]
+insert_final_newline = unset
+end_of_line = unset

.git-blame-ignore-revs

@@ -1,11 +1,5 @@
 # This file contains a list of commits that are not likely what you
 # are looking for in a blame, such as mass reformatting or renaming.
-#
-# If a commit's line ends with `# !autorebase <command>`,
-# where <command> is an idempotent bash command that reapplies the changes from the commit,
-# the `maintainers/scripts/auto-rebase/run.sh` script can be used to rebase
-# across that commit while automatically resolving merge conflicts caused by the commit.
-#
 # You can set this file as a default ignore file for blame by running
 # the following command.
 #
@@ -227,45 +221,3 @@ adb9714bd909df283c66bbd641bd631ff50a4260
 667d42c00d566e091e6b9a19b365099315d0e611
 84d4f874c2bac9f3118cb6907d7113b3318dcb5e
 
-# tmuxPlugins sha-to-sri.py script
-516b1e74c358a9c4b06e5591f8c1a2897aad0c33
-
-# treewide: migrate comments in lib to rfc145 style
-ef85e0daa092c9eae0d32c7ce16b889728a5fbc0
-d89ad6c70e0e89aaae75e9f886878ea4e103965a
-e0fe216f4912dd88a021d12a44155fd2cfeb31c8
-80d5b411f6397d5c3e755a0635d95742f76f3c75
-
-# nixos/movim: format with nixfmt-rfc-style
-43c1654cae47cbf987cb63758c06245fa95c1e3b
-
-# nixos/iso-image.nix: nixfmt
-da9a092c34cef6947d7aee2b134f61df45171631
-
-# python-packages: format with nixfmt-rfc-style
-5f6f5e13ae0b6960cbf1be8aeb3d0048285a08d1
-
-# python-packages: sort with keep-sorted
-fd14c067813572afc03ddbf7cdedc3eab5a59954
-783add849cbca228a36ffdf407e5d380dc2fe6c4
-
-# treewide format of all Nix files
-374e6bcc403e02a35e07b650463c01a52b13a7c8 # !autorebase nix-shell --run treefmt
-
-# nix: nixfmt-rfc-style
-a4f7e161b380b35b2f7bc432659a95fd71254ad8
-0812c9a321003c924868051d2b2e1934e8880f3f
-34f269c14ac18d89ddee9a8f54b1ca92a85bbcc6
-062c34cdace499aa44f0fa6ca6f2ca71769f6c43
-
-# haskellPackages.hercules-ci-agent (cabal2nix -> nixfmt-rfc-style)
-9314da7ee8d2aedfb15193b8c489da51efe52bb5
-
-# nix-builder-vm: nixfmt-rfc-style
-a034fb50f79816c6738fb48b48503b09ea3b0132
-
-# treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
-05580f4b4433fda48fff30f60dfd303d6ee05d21
-
-# nixos/redmine: Get rid of global lib expansions
-d7f1102f04c58b2edfc74c9a1d577e3aebfca775

.github/ISSUE_TEMPLATE.md

@@ -1,6 +1,11 @@
-<!--
-    Please note: This blank issue template is meant for extraordinary issues
-    that do not fit the templates. Unless you know your issue is relevant to
-    Nixpkgs and requires the free-form blank issue, please use the issue
-    templates instead.
--->
+## Issue description
+
+
+
+### Steps to reproduce
+
+
+
+## Technical details
+
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->

.github/ISSUE_TEMPLATE/01_bug_report.yml

@@ -1,143 +0,0 @@
-name: "Bug report (package)"
-description: "Create a generic bug report against a package."
-title: "PACKAGENAME: BUG TITLE"
-labels: ["0.kind: bug"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`PACKAGENAME: BUG TITLE`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) and a short title summarising what the bug entails.
-
-        > [!TIP]
-        > For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on ARM Linux, your title would be as follows:
-        > `hello: fails to launch on aarch64-linux`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the bug"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "input"
-    id: "expected-behaviour"
-    attributes:
-      label: "Expected behaviour"
-      description: "Please write a concise description of what was supposed to happen."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "screenshots"
-    attributes:
-      label: "Screenshots"
-      description: |
-        If applicable, add screenshots to help explain your problem.
-        If you need help uploading images to GitHub, please review the [relevant documentation](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#uploading-assets).
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        If applicable, copy and paste any relevant log output.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+-label%3A%226.topic%3A+darwin%22+-label%3A%226.topic%3A+nixos%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml

@@ -1,157 +0,0 @@
-name: "Bug report (macOS)"
-description: "Create a bug report against a package where the issue only occurs on macOS."
-title: "PACKAGENAME: BUG TITLE"
-labels: ["0.kind: bug", "6.topic: darwin"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`PACKAGENAME: BUG TITLE`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) and a short title summarising what the bug entails.
-
-        > [!TIP]
-        > For instance, if you were filing a bug against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it failing to launch on Apple Silicon, your title would be as follows:
-        > `hello: fails to launch on aarch64-darwin`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the bug"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "input"
-    id: "expected-behaviour"
-    attributes:
-      label: "Expected behaviour"
-      description: "Please write a concise description of what was supposed to happen."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "screenshots"
-    attributes:
-      label: "Screenshots"
-      description: |
-        If applicable, add screenshots to help explain your problem.
-        If you need help uploading images to GitHub, please review the [relevant documentation](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#uploading-assets).
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        If applicable, copy and paste any relevant log output.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "dropdown"
-    id: "nix-darwin"
-    attributes:
-      label: "Are you using nix-darwin?"
-      description: |
-        [`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
-      options:
-        - "Yes, I am using nix-darwin."
-        - "No, I am not using nix-darwin."
-      default: 1
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-
-        If this issue is related to the Darwin packaging architecture as a whole, or is related to the core Darwin frameworks, consider mentioning the `@NixOS/darwin-core` team.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs/NixOS, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+label%3A%226.topic%3A+darwin%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml

@@ -1,147 +0,0 @@
-name: "Bug report (NixOS module)"
-description: "Create a bug report against a NixOS Module."
-title: "nixos/MODULENAME: BUG TITLE"
-labels: ["0.kind: bug", "6.topic: nixos"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`nixos/MODULENAME: BUG TITLE`** template above with the correct module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)) and a short title summarising what the bug entails.
-
-        > [!TIP]
-        > For instance, if you were filing a bug against the [`systemd-boot`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.enable&from=0&size=1) module about it failing to install [`memtest86`](https://search.nixos.org/options?channel=unstable&show=boot.loader.systemd-boot.memtest86.enable&from=0&size=1), your title would be as follows:
-        > `nixos/systemd-boot: fails to install memtest86`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the bug"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "input"
-    id: "expected-behaviour"
-    attributes:
-      label: "Expected behaviour"
-      description: "Please write a concise description of what was supposed to happen."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "screenshots"
-    attributes:
-      label: "Screenshots"
-      description: |
-        If applicable, add screenshots to help explain your problem.
-        If you need help uploading images to GitHub, please review the [relevant documentation](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#uploading-assets).
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        If applicable, copy and paste any relevant log output.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the `meta.maintainers` list of the offending module. This is done by prefixing the person's username with an '@' character. You can quickly go to the source code of a module by searching for it on the [NixOS Option Search](https://search.nixos.org/options) and clicking the "Declared in..." button.
-
-        Please note that the maintainer attribute name does not always match the maintainer's GitHub username. If that occurs, try looking in [`maintainers/maintainer-list.nix`](https://github.com/NixOS/nixpkgs/blob/master/maintainers/maintainer-list.nix) for the maintainer attribute name, and checking if the maintainer has a listed GitHub username.
-
-        If in doubt, check `git blame` for whoever last touched the module, or check the associated package's maintainers. Please add the mentions above the `---` characters.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+label%3A%226.topic%3A+nixos%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/04_build_failure.yml

@@ -1,152 +0,0 @@
-name: "Build failure"
-description: "Report a package that is failing to build."
-title: "Build failure: PACKAGENAME"
-labels: ["0.kind: build failure"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Build failure: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
-
-        > [!TIP]
-        > For instance, if you were filing a build failure against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package, your title would be as follows:
-        > `Build failure: hello`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        In what version of Nixpkgs did the build failure occur?
-
-        > [!IMPORTANT]
-        > If you are using an older version, please update to the latest stable version and check if the build failure persists before continuing this report.
-        > If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
-      options:
-        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: "Please include a step-by-step guide for reproducing this build failure. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
-    validations:
-      required: true
-  - type: "dropdown"
-    id: "hydra"
-    attributes:
-      label: "Can Hydra reproduce this build failure?"
-      description: |
-        Can [Hydra](https://hydra.nixos.org), Nixpkgs' Continuous Integration system, reproduce this build failure?
-        Please use the search function in the header bar to locate the last build job for the package in question.
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-red-x-274c.svg" width="20px" align="top" alt="Red X"> icon near the package entry, say '**Yes, Hydra can reproduce this build failure.**'
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-gray-x-2716.svg" width="20px" align="top" alt="Dark Gray X"> icon near the package entry, then the build failure occurs with another package, and you need to track the original failing package by going down the chain of 'Cached failures' until you reach the final package in the failing dependency chain. Once you locate the failing package, re-write this report against that package and say '**Yes, Hydra can reproduce this build failure.**'
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-check-2714.svg" width="20px" align="top" alt="Green Check Mark"> icon near the package entry, then it most likely means it's a local issue with your system. (Maybe you ran out of space?)
-          You can still open a build failure report, but please say '**No, Hydra cannot reproduce this build failure.**' below.
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-question-2754.svg" width="20px" align="top" alt="Gray Question Mark"> icon near the package entry, say '**Hydra is currently rebuilding this package.**'
-        - If there's a <img src="https://raw.githubusercontent.com/NixOS/hydra/refs/heads/master/src/root/static/images/emojione-stopsign-1f6d1.svg" width="20px" align="top" alt="Red Stop Sign"> icon near the package entry, then the build job was stopped manually. If this occurs, please coordinate with the [Infrastructure Team](https://matrix.to/#/#infra:nixos.org), and say '**The last build job was manually cancelled.**'
-        - If Hydra isn't supposed to build the package at all, say '**Hydra doesn’t try to build the package.**'
-      options:
-        - "Please select the Hydra Status."
-        - "Yes, Hydra can reproduce this build failure."
-        - "No, Hydra cannot reproduce this build failure."
-        - "Hydra is currently rebuilding this package."
-        - "The last build job was manually cancelled."
-        - "Hydra doesn’t try to build the package."
-      default: 0
-    validations:
-      required: true
-  - type: "input"
-    id: "hydra-logs"
-    attributes:
-      label: "Link to Hydra build job"
-      description: "If you answered 'yes' in the question above, please copy-and-paste the link to the failing Hydra job here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Relevant log output"
-      description: |
-        Please copy and paste the logs from the failed build.
-        This will be automatically formatted into code, so no need for backticks.
-      render: "console"
-    validations:
-      required: true
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "metadata"
-    attributes:
-      label: "System metadata"
-      description: "Please run `nix-shell -p nix-info --run \"nix-info -m\"` on a terminal and paste the output of that command here."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      description: |
-        This bug tracker is for actionable issues that are not the result of user error. If you need help using your system and are unsure if this is a bug with Nixpkgs, please consider asking for help on the [NixOS Discourse](https://discourse.nixos.org/) or the [NixOS Matrix Space](https://matrix.to/#/#community:nixos.org) before opening an issue.
-      options:
-        - label: "I assert that this is a bug and not a support request."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+build+failure%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/05_update_request.yml

@@ -1,125 +0,0 @@
-name: "Request: package update"
-description: "Create an update request for an existing, but outdated package."
-title: "Update Request: PACKAGENAME OLDVERSION → NEWVERSION"
-labels: ["0.kind: enhancement", "9.needs: package (update)"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Update Request: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package, and the latest version of the package.
-
-        > [!TIP]
-        > For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs is 1.0.0, but the latest version upstream is 1.0.1, your title would be as follows:
-        > `Update Request: hello 1.0.0 → 1.0.1`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older or stable version, please update to the latest **unstable** version and check if the package is still out of date.
-        > If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
-      default: 0
-    validations:
-      required: true
-  - type: "input"
-    id: "name"
-    attributes:
-      label: "Package name"
-      description: "Please indicate the name of the package."
-    validations:
-      required: true
-  - type: "input"
-    id: "upstream-version"
-    attributes:
-      label: "Upstream version"
-      description: "Please indicate the latest version of the package."
-    validations:
-      required: true
-  - type: "input"
-    id: "nixpkgs-version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        Please indicate the current version number in Nixpkgs' **unstable** channel. You can check this by setting the [NixOS Package Search](https://search.nixos.org/packages?channel=unstable) channel to 'unstable' and searching for the package.
-        If you meant to request an upgrade in the stable channel, please file the '**Request: backport to stable**' form instead.
-    validations:
-      required: true
-  - type: "input"
-    id: "changelog"
-    attributes:
-      label: "Changelog"
-      description: "If applicable, please link the upstream changelog for the latest version."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the update here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this package update does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+package+%28update%29%22) or in [Nixpkgs Unstable](https://search.nixos.org/packages?channel=unstable)."
-          required: true
-        - label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+package+%28update%29%22)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/06_module_request.yml

@@ -1,101 +0,0 @@
-name: "Request: NixOS module"
-description: "Create a new NixOS Module request for an existing package."
-title: "Module Request: nixos/MODULENAME"
-labels: ["0.kind: enhancement", "6.topic: nixos", "9.needs: module (new)"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Module Request: nixos/MODULENAME`** template above with the correct module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
-
-        > [!TIP]
-        > For instance, if you were filing a request against the missing `hello` module, your title would be as follows:
-        > `Module Request: nixos/hello`
-
-        ---
-  - type: "dropdown"
-    id: "version"
-    attributes:
-      label: "Nixpkgs version"
-      description: |
-        What version of Nixpkgs are you using?
-
-        > [!IMPORTANT]
-        > If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
-      options:
-        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
-      default: 0
-    validations:
-      required: true
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the proposed module"
-      description: "Please include a clear and concise description of what the module should accomplish."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the proposed module here."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this module does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+module+%28new%29%22) or in [NixOS Unstable](https://search.nixos.org/options?channel=unstable)."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%229.needs%3A+module+%28new%29%22). "
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve NixOS!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/07_backport_request.yml

@@ -1,103 +0,0 @@
-name: "Request: backport to stable"
-description: "Create a backport request for a package that is up-to-date in the unstable channel, but outdated in the stable channel."
-title: "Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION"
-labels: ["0.kind: enhancement", "9.needs: port to stable"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        > [!CAUTION]
-        > **Before you begin:** Be advised that backports are subject to the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
-        > Stable releases of Nixpkgs do not receive breaking changes, which include major package updates that have incompatible API changes and break backwards compatibility. In the [Semantic Versioning standard](https://semver.org/), this is the first version number. (1.X.X)
-        > Generally, only minor package updates, such as security patches, bug fixes and feature additions (but not removals!) will be considered for backporting. Please read the rules above carefully before filing this backport request.
-
-        Welcome to Nixpkgs. Please replace the **`Backport to Stable: PACKAGENAME OLDVERSION → NEWVERSION`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)), the current version of the package in Nixpkgs Stable and the current version of the package in Nixpkgs Unstable.
-
-        > [!TIP]
-        > For instance, if you were filing a request against the out of date `hello` package, where the current version in Nixpkgs Unstable is 1.0.1, but the current version in Nixpkgs Stable is 1.0.0, your title would be as follows:
-        > `Backport to Stable: hello 1.0.0 → 1.0.1`
-
-        ---
-  - type: "input"
-    id: "name"
-    attributes:
-      label: "Package name"
-      description: "Please indicate the name of the package."
-    validations:
-      required: true
-  - type: "input"
-    id: "unstable-version"
-    attributes:
-      label: "Version in unstable"
-      description: "Please indicate the current version of the package in the unstable channel."
-    validations:
-      required: true
-  - type: "input"
-    id: "stable-version"
-    attributes:
-      label: "Version in stable"
-      description: "Please indicate the current version of the package in the stable channel."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "reasoning"
-    attributes:
-      label: "Reasoning for backport"
-      description: "Please briefly explain why this backport fits the [release suitability guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases) and why you think this update should be backported."
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this backport does not yet exist in an [open pull request](https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+in%3Atitle+backport)."
-          required: true
-        - label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+port+to+stable%22+)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/08_documentation_request.yml

@@ -1,87 +0,0 @@
-name: "Request: documentation"
-description: "Report missing or incorrect documentation in the NixOS or Nixpkgs manuals."
-title: "Missing Documentation: PACKAGENAME"
-labels: ["0.kind: enhancement", "9.needs: documentation"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Missing Documentation: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)) or module name (As seen in the [NixOS Option Search](https://search.nixos.org/options)).
-
-        > [!TIP]
-        > For instance, if you were filing an issue against the [`hello`](https://search.nixos.org/packages?channel=unstable&from=0&size=1&buckets=%7B%22package_attr_set%22%3A%5B%22No%20package%20set%22%5D%2C%22package_license_set%22%3A%5B%22GNU%20General%20Public%20License%20v3.0%20or%20later%22%5D%2C%22package_maintainers_set%22%3A%5B%5D%2C%22package_platforms%22%3A%5B%5D%7D&sort=relevance&type=packages&query=hello) package about it not having any NixOS-specific documentation, your title would be as follows:
-        > `Missing Documentation: hello`
-
-        ---
-  - type: "textarea"
-    id: "description"
-    attributes:
-      label: "Describe the problem"
-      description: "Please include a clear and concise description of what the issue is."
-    validations:
-      required: true
-  - type: "textarea"
-    id: "proposal"
-    attributes:
-      label: "Proposed solution"
-      description: |
-        If possible, please draft a tentative documentation chapter to resolve this issue.
-        Your proposal should be written in CommonMark Markdown, optionally enhanced with [Nix-specific extensions](https://github.com/NixOS/nixpkgs/tree/master/doc#syntax).
-      render: "markdown"
-    validations:
-      required: false
-  - type: "textarea"
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this request is not already implemented in the latest [NixOS](https://nixos.org/manual/nixos/unstable/) or [Nixpkgs](https://nixos.org/manual/nixpkgs/unstable/) manuals."
-          required: true
-        - label: "I assert that this is not a [duplicate of an existing documentation issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "priorisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/09_unreproducible_package.yml

@@ -1,158 +0,0 @@
-name: "Unreproducible Package"
-description: "Report a package that does not produce a bit-by-bit reproducible result each time it is built."
-title: "Unreproducible Package: PACKAGENAME"
-labels: ["0.kind: enhancement", "6.topic: reproducible builds"]
-body:
-  - type: "markdown"
-    attributes:
-      value: |
-        <p align="center">
-          <a href="https://nixos.org">
-            <picture>
-              <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-              <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-              <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="400px" alt="NixOS logo">
-            </picture>
-          </a>
-        </p>
-
-        Welcome to Nixpkgs. Please replace the **`Unreproducible Package: PACKAGENAME`** template above with the correct package name (As seen in the [NixOS Package Search](https://search.nixos.org/packages)).
-
-        > [!NOTE]
-        > This form is for reporting unreproducible packages. For more information, see the [Reproducible Builds Status](https://reproducible.nixos.org/) page.
-        > To report a package that fails to build entirely, please use the "Build Failure" form instead.
-
-        ---
-  - type: "input"
-    id: "version"
-    attributes:
-      label: "Nixpkgs Revision"
-      description: "In which commit of Nixpkgs is this package displaying unreproducibility?"
-  - type: "textarea"
-    id: "introduction"
-    attributes:
-      label: "Introduction"
-      description: |
-        This is a generic introduction to build reproducibility.
-        Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the title above.
-      value: |
-        Building **PACKAGENAME** multiple times does not yield bit-by-bit identical
-        results, complicating the detection of Continuous Integration (CI) breaches. For
-        more information on this issue, visit [reproducible-builds.org](https://reproducible-builds.org/).
-
-        Fixing bit-by-bit reproducibility also has additional advantages, such as
-        avoiding hard-to-reproduce bugs, making content-addressed storage more effective
-        and reducing rebuilds in such systems.
-    validations:
-      required: true
-  - type: "textarea"
-    id: "how-to-reproduce"
-    attributes:
-      label: "Steps to reproduce"
-      description: |
-        This is a step-by-step instruction set meant for maintainers to debug the package that is failing to reproduce. You should also follow it to gather the `diffoscope` logs that will be needed below.
-        Please replace **PACKAGENAME** below with the canonical package name of the package, as you have done for the introduction and the title above.
-      value: |
-        ### 1. Build the package
-
-        This step will build the package. Specific arguments are passed to the command
-        to keep the build artifacts so we can compare them in case of differences.
-
-        Execute the following command:
-
-        ```
-        nix-build '<nixpkgs>' -A PACKAGENAME && nix-build '<nixpkgs>' -A PACKAGENAME --check --keep-failed
-        ```
-
-        Or using the new command line style:
-
-        ```
-        nix build nixpkgs#PACKAGENAME && nix build nixpkgs#PACKAGENAME --rebuild --keep-failed
-        ```
-
-        ### 2. Compare the build artifacts
-
-        If the previous command completes successfully, no differences were found and
-        there's nothing to do, builds are reproducible.
-        If it terminates with the error message `error: derivation '<X>' may not be
-        deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
-        the discrepancies between the two build outputs. You may need to add the
-        `--exclude-directory-metadata recursive` option to ignore files and directories
-        metadata (*e.g. timestamp*) differences.
-
-        ```
-        nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
-        ```
-
-        ### 3. Examine the build log
-
-        To examine the build log, use:
-
-        ```
-        nix-store --read-log $(nix-instantiate '<nixpkgs>' -A PACKAGENAME)
-        ```
-
-        Or with the new command line style:
-
-        ```
-        nix log $(nix path-info --derivation nixpkgs#PACKAGENAME)
-        ```
-    validations:
-      required: true
-  - type: "textarea"
-    id: "logs"
-    attributes:
-      label: "Diffoscope log"
-      description: |
-        Please copy and paste the relevant `diffoscope` log output, gathered from the steps above.
-        This will be automatically formatted into a monospaced text block, so no need for backticks.
-      render: "console"
-  - type: "textarea"
-    id: "additional-context"
-    attributes:
-      label: "Additional context"
-      description: "Add any other context about the problem here."
-    validations:
-      required: false
-    id: "maintainers"
-    attributes:
-      label: "Notify maintainers"
-      description: |
-        Please mention the people who are in the **Maintainers** list of the offending package. This is done by by searching for the package on the [NixOS Package Search](https://search.nixos.org/packages) and mentioning the people listed under **Maintainers** by prefixing their GitHub usernames with an '@' character. Please add the mentions above the `---` characters in the template below.
-      value: |
-
-
-        ---
-
-        **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)
-    validations:
-      required: false
-  - type: "checkboxes"
-    id: "sanity-check"
-    attributes:
-      label: "I assert that this issue is relevant for Nixpkgs"
-      options:
-        - label: "I assert that this is not a [duplicate of any known issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22)."
-          required: true
-        - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
-          required: true
-  - type: "markdown"
-    attributes:
-      value: |
-        # Thank you for helping improve Nixpkgs!
-
-        ---
-  - type: "textarea"
-    id: "prioritisation"
-    attributes:
-      label: "Is this issue important to you?"
-      description: |
-        **Please do not modify this text area!**
-
-        This template helps Nixpkgs developers know which issues should be prioritised by allowing users to vote with a :+1: reaction.
-        This is not a guarantee that highly-requested issues will be fixed first, but it helps us to figure out what's important to users. Please react on other users' issues if you find them important.
-      value: |
-        Add a :+1: [reaction] to [issues you find important].
-
-        [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
-        [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,54 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: '0.kind: bug'
+assignees: ''
+
+---
+
+## Describe the bug
+
+<!-- A clear and concise description of what the bug is. -->
+
+## Steps To Reproduce
+
+Steps to reproduce the behavior:
+
+1. ...
+2. ...
+3. ...
+
+## Expected behavior
+
+<!-- A clear and concise description of what you expected to happen. -->
+
+## Screenshots
+
+<!-- If applicable, add screenshots to help explain your problem: -->
+
+## Additional context
+
+<!-- Add any other context about the problem here. -->
+
+## Metadata
+
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
+
+## Notify maintainers
+
+<!--
+Please @ people who are in the `meta.maintainers` list of the offending package or module.
+If in doubt, check `git blame` for whoever last touched something.
+-->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/build_failure.md

@@ -0,0 +1,53 @@
+---
+name: Build failure
+about: Create a report to help us improve
+title: 'Build failure: PACKAGENAME'
+labels: '0.kind: build failure'
+assignees: ''
+
+---
+
+## Steps To Reproduce
+
+Steps to reproduce the behavior:
+
+1. build *X*
+
+## Build log
+
+<!-- insert build log in code block in collapsable section -->
+
+<details>
+
+<summary>Build Log</summary>
+
+```
+```
+
+</details>
+
+## Additional context
+
+<!-- Add any other context about the problem here. -->
+
+## Metadata
+
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
+
+## Notify maintainers
+
+<!--
+Please @ people who are in the `meta.maintainers` list of the offending package or module.
+If in doubt, check `git blame` for whoever last touched something.
+-->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -0,0 +1,41 @@
+---
+name: Missing or incorrect documentation
+about: Help us improve the Nixpkgs and NixOS reference manuals
+title: 'Documentation: '
+labels: '9.needs: documentation'
+assignees: ''
+
+---
+
+## Problem
+
+<!-- describe your problem -->
+
+## Proposal
+
+<!-- propose a solution (optional) -->
+
+## Checklist
+
+<!-- make sure this issue is not redundant or obsolete -->
+
+- [ ] checked [latest Nixpkgs manual] \([source][nixpkgs-source]) and [latest NixOS manual] \([source][nixos-source])
+- [ ] checked [open documentation issues] for possible duplicates
+- [ ] checked [open documentation pull requests] for possible solutions
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
+[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
+[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
+[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
+[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
+[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
+[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22

.github/ISSUE_TEMPLATE/module_request.md

@@ -0,0 +1,27 @@
+---
+name: Module requests
+about: For NixOS modules that you would like to see
+title: 'Module request: MODULENAME'
+labels: '9.needs: module (new)'
+assignees: ''
+
+---
+
+## Description
+
+<!-- Describe what the module should accomplish: -->
+
+## Notify maintainers
+
+<!-- If applicable, tag the maintainers of the package that corresponds to the module. If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
+
+-----
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/out_of_date_package_report.md

@@ -0,0 +1,42 @@
+---
+name: Out-of-date package reports
+about: For packages that are out-of-date
+title: 'Update request: PACKAGENAME OLDVERSION → NEWVERSION'
+labels: '9.needs: package (update)'
+assignees: ''
+
+---
+
+## Package Information
+
+<!-- Search for the package here: https://search.nixos.org/packages?channel=unstable -->
+
+- Package name:
+- Latest released version:
+- Current version on the unstable channel:
+- Current version on the stable/release channel:
+
+## Checklist
+
+<!--
+Type the name of your package and try to find an open pull request for the package
+If you find an open pull request, you can review it!
+There's a high chance that you'll have the new version right away while helping the community!
+-->
+
+- [ ] Checked the [nixpkgs pull requests](https://github.com/NixOS/nixpkgs/pulls)
+
+## Notify maintainers
+
+<!-- If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/packaging_request.md

@@ -0,0 +1,30 @@
+---
+name: Packaging requests
+about: For packages that are missing
+title: 'Package request: PACKAGENAME'
+labels: '0.kind: packaging request'
+assignees: ''
+
+---
+
+## Project description
+
+<!-- Describe the project a little: -->
+
+## Metadata
+
+* homepage URL:
+* source URL:
+* license: mit, bsd, gpl2+ , ...
+* platforms: unix, linux, darwin, ...
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/tracking_issue.md

@@ -0,0 +1,39 @@
+---
+name: Tracking issue
+about: Provide an overview on a multi-step effort
+title: 'Tracking issue: ISSUENAME'
+labels: '5.scope: tracking'
+assignees: ''
+
+---
+
+### Tracking description
+
+<!--
+Provide a brief summary of the project or multi-step effort. Explain why it is
+necessary and what the goals are.
+
+You may include way to reproduce the problem, screenshots or any information
+that you find relevant.
+-->
+
+#### Reference Issue(s)/PR(s)
+
+- ...
+
+### Follow-up issues/notes
+
+<!--
+List any follow-up issues that need to be addressed after the main tasks are
+completed, or any notes related to the project.
+-->
+
+#### Additional context
+Add any other context about the problem here.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/ISSUE_TEMPLATE/unreproducible_package.md

@@ -0,0 +1,104 @@
+---
+name: Unreproducible package
+about: A package that does not produce a bit-by-bit reproducible result each time it is built
+title: ''
+labels: [ '0.kind: enhancement', '6.topic: reproducible builds' ]
+assignees: ''
+
+---
+
+<!--
+Hello dear reporter,
+
+Thank you for bringing attention to this issue. Your insights are valuable to
+us, and we appreciate the time you took to document the problem.
+
+I wanted to kindly point out that in this issue template, it would be beneficial
+to replace the placeholder `<package>` with the actual, canonical name of the
+package you're reporting the issue for. Doing so will provide better context and
+facilitate quicker troubleshooting for anyone who reads this issue in the
+future.
+
+Best regards
+-->
+
+Building this package multiple times does not yield bit-by-bit identical
+results, complicating the detection of Continuous Integration (CI) breaches. For
+more information on this issue, visit
+[reproducible-builds.org](https://reproducible-builds.org/).
+
+Fixing bit-by-bit reproducibility also has additional advantages, such as
+avoiding hard-to-reproduce bugs, making content-addressed storage more effective
+and reducing rebuilds in such systems.
+
+## Steps To Reproduce
+
+In the following steps, replace `<package>` with the canonical name of the
+package.
+
+### 1. Build the package
+
+This step will build the package. Specific arguments are passed to the command
+to keep the build artifacts so we can compare them in case of differences.
+
+Execute the following command:
+
+```
+nix-build '<nixpkgs>' -A <package> && nix-build '<nixpkgs>' -A <package> --check --keep-failed
+```
+
+Or using the new command line style:
+
+```
+nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
+```
+
+### 2. Compare the build artifacts
+
+If the previous command completes successfully, no differences were found and
+there's nothing to do, builds are reproducible.
+If it terminates with the error message `error: derivation '<X>' may not be
+deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
+the discrepancies between the two build outputs. You may need to add the
+`--exclude-directory-metadata recursive` option to ignore files and directories
+metadata (*e.g. timestamp*) differences.
+
+```
+nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
+```
+
+### 3. Examine the build log
+
+To examine the build log, use:
+
+```
+nix-store --read-log $(nix-instantiate '<nixpkgs>' -A <package>)
+```
+
+Or with the new command line style:
+
+```
+nix log $(nix path-info --derivation nixpkgs#<package>)
+```
+
+## Additional context
+
+(please share the relevant fragment of the diffoscope output here, and any additional analysis you may have done)
+
+## Notify maintainers
+
+<!--
+Please @ people who are in the `meta.maintainers` list of the offending package or module.
+If in doubt, check `git blame` for whoever last touched something.
+-->
+
+---
+
+Note for maintainers: Please tag this issue in your PR.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,9 +25,8 @@ For new packages please briefly describe the package or provide a link to its ho
   - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
-- [Nixpkgs 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/doc/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/doc/manual/release-notes/rl-2505.section.md) Nixpkgs Release notes)
+- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
   - [ ] (Package updates) Added a release notes entry if the change is major or breaking
-- [NixOS 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) NixOS Release notes)
   - [ ] (Module updates) Added a release notes entry if the change is significant
   - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).

.github/actions/get-merge-commit/action.yml

@@ -1,88 +0,0 @@
-name: Get merge commit
-
-description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
-
-inputs:
-  merged-as-untrusted:
-    description: "Whether to checkout the merge commit in the ./untrusted folder."
-    type: boolean
-  target-as-trusted:
-    description: "Whether to checkout the target commit in the ./trusted folder."
-    type: boolean
-
-outputs:
-  mergedSha:
-    description: "The merge commit SHA"
-    value: ${{ steps.commits.outputs.mergedSha }}
-  targetSha:
-    description: "The target commit SHA"
-    value: ${{ steps.commits.outputs.targetSha }}
-
-runs:
-  using: composite
-  steps:
-    - id: commits
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-      with:
-        script: |
-          if (context.eventName == 'push') return core.setOutput('mergedSha', context.sha)
-
-          for (const retryInterval of [5, 10, 20, 40, 80]) {
-            console.log("Checking whether the pull request can be merged...")
-            const prInfo = (await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number
-            })).data
-
-            if (prInfo.state != 'open') throw new Error ("PR is not open anymore.")
-
-            if (prInfo.mergeable == null) {
-              console.log(`GitHub is still computing whether this PR can be merged, waiting ${retryInterval} seconds before trying again...`)
-              await new Promise(resolve => setTimeout(resolve, retryInterval * 1000))
-              continue
-            }
-
-            let mergedSha, targetSha
-
-            if (prInfo.mergeable) {
-              console.log("The PR can be merged.")
-
-              mergedSha = prInfo.merge_commit_sha
-              targetSha = (await github.rest.repos.getCommit({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                ref: prInfo.merge_commit_sha
-              })).data.parents[0].sha
-            } else {
-              console.log("The PR has a merge conflict.")
-
-              mergedSha = prInfo.head.sha
-              targetSha = (await github.rest.repos.compareCommitsWithBasehead({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                basehead: `${prInfo.base.sha}...${prInfo.head.sha}`
-              })).data.merge_base_commit.sha
-            }
-
-            console.log(`Checking the commits:\nmerged:${mergedSha}\ntarget:${targetSha}`)
-            core.setOutput('mergedSha', mergedSha)
-            core.setOutput('targetSha', targetSha)
-            return
-          }
-          throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
-
-      # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
-      # but Nix is broken with them:
-      # https://github.com/NixOS/nix/issues/6073
-    - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.mergedSha }}
-        path: untrusted
-
-    - if: inputs.target-as-trusted && steps.commits.outputs.targetSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.targetSha }}
-        path: trusted

.github/dependabot.yml

@@ -4,4 +4,3 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    labels: [ ]

.github/labeler-development-branches.yml

@@ -1,23 +0,0 @@
-# This file is used by .github/workflows/labels.yml
-# This version is only run for Pull Requests from development branches like staging-next, haskell-updates or python-updates.
-
-"4.workflow: package set update":
-  - any:
-    - head-branch:
-      - '-updates$'
-
-"4.workflow: staging":
-  - any:
-    - head-branch:
-      - '^staging-next$'
-      - '^staging-next-'
-
-"6.topic: haskell":
-  - any:
-    - head-branch:
-      - '^haskell-updates$'
-
-"6.topic: python":
-  - any:
-    - head-branch:
-      - '^python-updates$'

.github/labeler-no-sync.yml

@@ -1,32 +0,0 @@
-# This file is used by .github/workflows/labels.yml
-# This version uses `sync-labels: false`, meaning that a non-match will NOT remove the label
-
-# keep-sorted start case=no numeric=yes newline_separated=yes skip_lines=1
-
-"6.topic: policy discussion":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - .github/**/*
-        - CONTRIBUTING.md
-        - pkgs/README.md
-        - nixos/README.md
-        - maintainers/README.md
-        - lib/README.md
-        - doc/README.md
-
-"8.has: documentation":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/**/*
-        - nixos/doc/**/*
-
-"backport release-25.05":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - .github/workflows/*
-        - ci/**/*.*
-
-# keep-sorted end

.github/labeler.yml

@@ -1,15 +1,3 @@
-# This file is used by .github/workflows/labels.yml
-# This version uses `sync-labels: true`, meaning that a non-match will remove the label
-
-# keep-sorted start case=no numeric=yes newline_separated=yes skip_lines=1
-
-"4.workflow: backport":
-  - any:
-    - base-branch:
-      - '^release-'
-      - '^staging-\d'
-      - '^staging-next-\d'
-
 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":
   - any:
@@ -39,7 +27,7 @@
     - changed-files:
       - any-glob-to-any-file:
         - .github/**/*
-        - ci/**/*.*
+        - ci/**/*
 
 "6.topic: coq":
   - any:
@@ -49,16 +37,6 @@
         - pkgs/development/coq-modules/**/*
         - pkgs/top-level/coq-packages.nix
 
-"6.topic: COSMIC":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/desktop-managers/cosmic.nix
-        - nixos/modules/services/display-managers/cosmic-greeter.nix
-        - nixos/tests/cosmic.nix
-        - pkgs/by-name/co/cosmic-*/**/*
-        - pkgs/by-name/xd/xdg-desktop-portal-cosmic/*
-
 "6.topic: crystal":
   - any:
     - changed-files:
@@ -162,7 +140,7 @@
       - any-glob-to-any-file:
         - doc/languages-frameworks/gnome.section.md
         - nixos/modules/services/desktops/gnome/**/*
-        - nixos/modules/services/desktop-managers/gnome.nix
+        - nixos/modules/services/x11/desktop-managers/gnome.nix
         - nixos/tests/gnome-xorg.nix
         - nixos/tests/gnome.nix
         - pkgs/desktops/gnome/**/*
@@ -203,7 +181,6 @@
         - pkgs/development/compilers/corretto/**/*
         - pkgs/development/compilers/graalvm/**/*
         - pkgs/development/compilers/openjdk/**/*
-        - pkgs/by-name/op/openjfx/**/*
         - pkgs/development/compilers/semeru-bin/**/*
         - pkgs/development/compilers/temurin-bin/**/*
         - pkgs/development/compilers/zulu/**/*
@@ -329,16 +306,6 @@
       - any-glob-to-any-file:
         - pkgs/os-specific/linux/musl/**/*
 
-"6.topic: nim":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/nim.section.md
-        - pkgs/build-support/build-nim-package.nix
-        - pkgs/build-support/build-nim-sbom.nix
-        - pkgs/by-name/ni/nim*
-        - pkgs/top-level/nim-overrides.nix
-
 "6.topic: nixos":
   - any:
     - changed-files:
@@ -355,6 +322,16 @@
         - nixos/modules/virtualisation/nixos-containers.nix
         - pkgs/tools/virtualization/nixos-container/**/*
 
+"6.topic: nim":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - doc/languages-frameworks/nim.section.md
+        - pkgs/build-support/build-nim-package.nix
+        - pkgs/build-support/build-nim-sbom.nix
+        - pkgs/by-name/ni/nim*
+        - pkgs/top-level/nim-overrides.nix
+
 "6.topic: nodejs":
   - any:
     - changed-files:
@@ -409,6 +386,18 @@
         - pkgs/test/php/default.nix
         - pkgs/top-level/php-packages.nix
 
+"6.topic: policy discussion":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - .github/**/*
+        - CONTRIBUTING.md
+        - pkgs/README.md
+        - nixos/README.md
+        - maintainers/README.md
+        - lib/README.md
+        - doc/README.md
+
 "6.topic: printing":
   - any:
     - changed-files:
@@ -495,11 +484,13 @@
         - pkgs/development/tcl-modules/**/*
         - pkgs/top-level/tcl-packages.nix
 
-"6.topic: teams":
+"6.topic: TeX":
   - any:
     - changed-files:
       - any-glob-to-any-file:
-          - maintainers/team-list.nix
+        - doc/languages-frameworks/texlive.section.md
+        - pkgs/test/texlive/**
+        - pkgs/tools/typesetting/tex/**/*
 
 "6.topic: testing":
   - any:
@@ -517,14 +508,6 @@
         - nixos/tests/make-test-python.nix  # legacy
         # lib/debug.nix has a test framework (runTests) but it's not the main focus
 
-"6.topic: TeX":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/texlive.section.md
-        - pkgs/test/texlive/**
-        - pkgs/tools/typesetting/tex/**/*
-
 "6.topic: updaters":
   - any:
     - changed-files:
@@ -588,16 +571,20 @@
       - any-glob-to-any-file:
         - nixos/doc/manual/release-notes/**/*
 
-"8.has: maintainer-list (update)":
+"8.has: documentation":
   - any:
     - changed-files:
       - any-glob-to-any-file:
-        - maintainers/maintainer-list.nix
+        - doc/**/*
+        - nixos/doc/**/*
 
 "8.has: module (update)":
   - any:
     - changed-files:
       - any-glob-to-any-file:
         - nixos/modules/**/*
-
-# keep-sorted end
+"8.has: maintainer-list (update)":
+  - any:
+    - changed-files:
+      - any-glob-to-any-file:
+        - maintainers/maintainer-list.nix

.github/workflows/README.md

@@ -1,20 +0,0 @@
-# GitHub Actions Workflows
-
-Some architectural notes about key decisions and concepts in our workflows:
-
-- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors.
-
-- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.
-
-- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.
-
-- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.
-
-- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.
-
-## Terminology
-
-- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`.
-- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`.
-- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
-- **target commit**: The base branch's parent of the "test merge commit" to compare against.

.github/workflows/backport.yml

@@ -1,42 +1,34 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
 # WARNING:
 # When extending this action, be aware that $GITHUB_TOKEN allows write access to
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
-name: Backport
-
-on:
-  pull_request_target:
-    types: [closed, labeled]
-
-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}
 
 jobs:
   backport:
     name: Backport Pull Request
-    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
-    runs-on: ubuntu-24.04-arm
+    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-latest
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token
         with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-contents: write
-          permission-pull-requests: write
-
+          app-id: ${{ vars.BACKPORT_APP_ID }}
+          private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}
-
       - name: Create backport PRs
-        id: backport
-        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
+        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
           copy_labels_pattern: 'severity:\ssecurity'
@@ -45,17 +37,4 @@ jobs:
             Bot-based backport to `${target_branch}`, triggered by a label in #${pull_number}.
 
             * [ ] Before merging, ensure that this backport is [acceptable for the release](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases).
-              * Even as a non-committer, if you find that it is not acceptable, leave a comment.
-
-      - name: "Add 'has: port to stable' label"
-        if: steps.backport.outputs.created_pull_numbers != ''
-        env:
-          # Not the app on purpose to avoid triggering another workflow run after adding this label
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-        run: |
-          gh api \
-            --method POST \
-            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            -f "labels[]=8.has: port to stable"
+              * Even as a non-commiter, if you find that it is not acceptable, leave a comment.

.github/workflows/basic-eval.yml

@@ -0,0 +1,31 @@
+name: Basic evaluation checks
+
+on:
+  workflow_dispatch
+  # pull_request:
+  #   branches:
+  #    - master
+  #    - release-**
+  # push:
+  #   branches:
+  #    - master
+  #    - release-**
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    name: basic-eval-checks
+    runs-on: ubuntu-latest
+    # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      with:
+        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+        name: nixpkgs-ci
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+    - run: nix --experimental-features 'nix-command flakes' flake check --all-systems --no-build
+    # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset
+    - run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin"  ]'

.github/workflows/check-cherry-picks.yml

@@ -1,31 +1,26 @@
 name: "Check cherry-picks"
-
 on:
-  pull_request:
-    paths:
-      - .github/workflows/check-cherry-picks.yml
   pull_request_target:
     branches:
-      - 'release-**'
-      - 'staging-**'
-      - '!staging-next'
+     - 'release-**'
+     - 'staging-**'
+     - '!staging-next'
 
 permissions: {}
 
 jobs:
   check:
     name: cherry-pick-check
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          filter: tree:0
-          path: trusted
-
-      - name: Check cherry-picks
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        run: |
-          ./trusted/ci/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        fetch-depth: 0
+        filter: blob:none
+    - name: Check cherry-picks
+      env:
+        BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      run: |
+        ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"

.github/workflows/check-format.yml

@@ -1,42 +0,0 @@
-name: Check that files are formatted
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/check-format.yml
-  pull_request_target:
-
-permissions: {}
-
-jobs:
-  nixos:
-    name: fmt-check
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Check that files are formatted
-        run: |
-          # Note that it's fine to run this on untrusted code because:
-          # - There's no secrets accessible here
-          # - The build is sandboxed
-          if ! nix-build untrusted/ci -A fmt.check; then
-            echo "Some files are not properly formatted"
-            echo "Please format them by going to the Nixpkgs root directory and running one of:"
-            echo "  nix-shell --run treefmt"
-            echo "  nix develop --command treefmt"
-            echo "  nix fmt"
-            echo "Make sure your branch is up to date with master; rebase if not."
-            echo "If you're having trouble, please ping @NixOS/nix-formatting"
-            exit 1
-          fi

.github/workflows/check-maintainers-sorted.yaml

@@ -0,0 +1,29 @@
+name: "Check that maintainer list is sorted"
+
+on:
+  pull_request_target:
+    paths:
+      - 'maintainers/maintainer-list.nix'
+permissions:
+  contents: read
+
+jobs:
+  nixos:
+    name: maintainer-list-check
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          # Only these directories to perform the check
+          sparse-checkout: |
+            lib
+            maintainers
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - name: Check that maintainer-list.nix is sorted
+        run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix

.github/workflows/check-nix-format.yml

@@ -0,0 +1,95 @@
+# This file was copied mostly from check-maintainers-sorted.yaml.
+# NOTE: Formatting with the RFC-style nixfmt command is not yet stable. See
+# https://github.com/NixOS/rfcs/pull/166.
+# Because of this, this action is not yet enabled for all files -- only for
+# those who have opted in.
+name: Check that Nix files are formatted
+
+on:
+  pull_request_target:
+    # See the comment at the same location in ./nixpkgs-vet.yml
+    types: [opened, synchronize, reopened, edited]
+permissions:
+  contents: read
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixos:
+    name: nixfmt-check
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Checking out base branch
+        run: |
+          base=$(mktemp -d)
+          baseRev=$(git rev-parse HEAD^1)
+          git worktree add "$base" "$baseRev"
+          echo "baseRev=$baseRev" >> "$GITHUB_ENV"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - name: Get Nixpkgs revision for nixfmt
+        run: |
+          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
+          # from staging
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+          nix_path: nixpkgs=${{ env.url }}
+      - name: Install nixfmt
+        run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
+      - name: Check that Nix files are formatted according to the RFC style
+        run: |
+          unformattedFiles=()
+
+          # TODO: Make this more parallel
+
+          # Loop through all Nix files touched by the PR
+          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
+            type=${entry[0]}
+            file=${entry[1]}
+            case $type in
+              A*)
+                source=""
+                dest=$file
+                ;;
+              M*)
+                source=$file
+                dest=$file
+                ;;
+              C*|R*)
+                source=$file
+                read -r -d '' dest
+                ;;
+              *)
+                echo "Ignoring file $file with type $type"
+                continue
+            esac
+
+            # Ignore files that weren't already formatted
+            if [[ -n "$source" ]] && ! nixfmt --check ${{ env.base }}/"$source" 2>/dev/null; then
+              echo "Ignoring file $file because it's not formatted in the base commit"
+            elif ! nixfmt --check "$dest"; then
+              unformattedFiles+=("$dest")
+            fi
+          done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix')
+
+          if (( "${#unformattedFiles[@]}" > 0 )); then
+            echo "Some new/changed Nix files are not properly formatted"
+            echo "Please format them using the Nixpkgs-specific \`nixfmt\` by going to the Nixpkgs root directory, running \`nix-shell\`, then:"
+            echo "nixfmt ${unformattedFiles[*]@Q}"
+            echo "Make sure your branch is up to date with master, rebase if not."
+            echo "If you're having trouble, please ping @NixOS/nix-formatting"
+            exit 1
+          fi

.github/workflows/check-nixf-tidy.yml

@@ -0,0 +1,129 @@
+name: Check changed Nix files with nixf-tidy (experimental)
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, edited]
+permissions:
+  contents: read
+
+jobs:
+  nixos:
+    name: exp-nixf-tidy-check
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Checking out base branch
+        run: |
+          base=$(mktemp -d)
+          baseRev=$(git rev-parse HEAD^1)
+          git worktree add "$base" "$baseRev"
+          echo "baseRev=$baseRev" >> "$GITHUB_ENV"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - name: Get Nixpkgs revision for nixf
+        run: |
+          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
+          # from staging
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+          nix_path: nixpkgs=${{ env.url }}
+      - name: Install nixf and jq
+        # provided jq is incompatible with our expression
+        run: "nix-env -f '<nixpkgs>' -iAP nixf jq"
+      - name: Check that Nix files pass nixf-tidy
+        run: |
+          # Filtering error messages we don't like
+          nixf_wrapper(){
+            nixf-tidy --variable-lookup < "$1" | jq -r '
+              [
+                "sema-escaping-with"
+              ]
+              as $ignored_errors|[.[]|select(.sname as $s|$ignored_errors|index($s)|not)]
+            '
+          }
+
+          failedFiles=()
+
+          # Don't report errors to file overview
+          # to avoid duplicates when editing title and description
+          if [[ "${{ github.event.action }}" == 'edited' ]] && [[ -z "${{ github.event.edited.changes.base }}" ]]; then
+            DONT_REPORT_ERROR=1
+          else
+            DONT_REPORT_ERROR=
+          fi
+          # TODO: Make this more parallel
+
+          # Loop through all Nix files touched by the PR
+          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
+            type=${entry[0]}
+            file=${entry[1]}
+            case $type in
+              A*)
+                source=""
+                dest=$file
+                ;;
+              M*)
+                source=$file
+                dest=$file
+                ;;
+              C*|R*)
+                source=$file
+                read -r -d '' dest
+                ;;
+              *)
+                echo "Ignoring file $file with type $type"
+                continue
+            esac
+
+            if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.base }}/"$source")" != '[]' ]] 2>/dev/null; then
+              echo "Ignoring file $file because it doesn't pass nixf-tidy in the base commit"
+              echo # insert blank line
+            else
+              nixf_report="$(nixf_wrapper "$dest")"
+              if [[ "$nixf_report" != '[]' ]]; then
+                echo "$dest doesn't pass nixf-tidy. Reported by nixf-tidy:"
+                errors=$(echo "$nixf_report" | jq -r --arg dest "$dest" '
+                  def getLCur: "line=" + (.line+1|tostring) + ",col=" + (.column|tostring);
+                  def getRCur: "endLine=" + (.line+1|tostring) + ",endColumn=" + (.column|tostring);
+                  def getRange: "file=\($dest)," + (.lCur|getLCur) + "," + (.rCur|getRCur);
+                  def getBody: . as $top|(.range|getRange) + ",title="+ .sname + "::" +
+                    (.message|sub("{}" ; ($top.args.[]|tostring)));
+                  def getNote: "\n::notice " + (.|getBody);
+                  def getMessage: "::error " + (.|getBody) + (if (.notes|length)>0 then
+                    ([.notes.[]|getNote]|add) else "" end);
+                  .[]|getMessage
+                ')
+                if [[ -z "$DONT_REPORT_ERROR" ]]; then
+                  echo "$errors"
+                else
+                  # just print in plain text
+                  echo "${errors/::/}"
+                  echo # add one empty line
+                fi
+                failedFiles+=("$dest")
+              fi
+            fi
+          done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix')
+
+          if [[ -n "$DONT_REPORT_ERROR" ]]; then
+            echo "Edited the PR but didn't change the base branch, only the description/title."
+            echo "Not reporting errors again to avoid duplication."
+            echo # add one empty line
+          fi
+
+          if (( "${#failedFiles[@]}" > 0 )); then
+            echo "Some new/changed Nix files don't pass nixf-tidy."
+            echo "See ${{ github.event.pull_request.html_url }}/files for reported errors."
+            echo "If you believe this is a false positive, ping @Aleksanaa and @inclyc in this PR."
+            exit 1
+          fi

.github/workflows/check-shell.yml

@@ -1,9 +1,6 @@
 name: "Check shell"
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/check-shell.yml
   pull_request_target:
     paths:
       - 'shell.nix'
@@ -12,33 +9,26 @@ on:
 permissions: {}
 
 jobs:
-  shell-check:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            system: x86_64-linux
-          - runner: ubuntu-24.04-arm
-            system: aarch64-linux
-          - runner: macos-13
-            system: x86_64-darwin
-          - runner: macos-14
-            system: aarch64-darwin
-
-    name: shell-check-${{ matrix.system }}
-    runs-on: ${{ matrix.runner }}
-
+  x86_64-linux:
+    name: shell-check-x86_64-linux
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       - name: Build shell
-        run: nix-build untrusted/ci -A shell
+        run: nix-build shell.nix
+
+  aarch64-darwin:
+    name: shell-check-aarch64-darwin
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - name: Build shell
+        run: nix-build shell.nix

.github/workflows/codeowners-v2.yml

@@ -1,3 +1,5 @@
+name: Codeowners v2
+
 # This workflow depends on two GitHub Apps with the following permissions:
 # - For checking code owners:
 #   - Permissions:
@@ -17,18 +19,12 @@
 #
 # This split is done because checking code owners requires handling untrusted PR input,
 # while requesting code owners requires PR write access, and those shouldn't be mixed.
-#
-# Note that the latter is also used for ./eval.yml requesting reviewers.
-
-name: Codeowners v2
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/codeowners-v2.yml
   pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
+    types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
 permissions: {}
 
 env:
@@ -37,81 +33,77 @@ env:
   DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   # Check that code owners is valid
   check:
     name: Check
-    runs-on: ubuntu-24.04-arm
-    if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      if: github.repository_owner == 'NixOS'
+      with:
+        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+        name: nixpkgs-ci
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
-        with:
-          # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
-          name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+    # We later build and run code from the base branch with access to secrets,
+    # so it's important this is not the PRs code.
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        path: base
 
-      - name: Build codeowners validator
-        run: nix-build trusted/ci -A codeownersValidator
+    - name: Build codeowners validator
+      run: nix-build base/ci -A codeownersValidator
 
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_RO_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_RO_APP_ID }}
-          private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_RO_APP_ID }}
+        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
-      - name: Validate codeowners
-        if: steps.app-token.outputs.token
-        env:
-          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
-          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: untrusted
-          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
-          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
-          EXPERIMENTAL_CHECKS: "avoid-shadowing"
-        run: result/bin/codeowners-validator
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+        path: pr
+
+    - name: Validate codeowners
+      run: result/bin/codeowners-validator
+      env:
+        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        REPOSITORY_PATH: pr
+        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+        EXPERIMENTAL_CHECKS: "avoid-shadowing"
 
   # Request reviews from code owners
   request:
     name: Request
-    runs-on: ubuntu-24.04-arm
-    if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
     steps:
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
-      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
-      # This is intentional, because we need to request the review of owners as declared in the base branch.
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
+    # This is intentional, because we need to request the review of owners as declared in the base branch.
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
 
-      - name: Build review request package
-        run: nix-build trusted/ci -A requestReviews
+    - name: Build review request package
+      run: nix-build ci -A requestReviews
 
-      - name: Request reviews
-        if: steps.app-token.outputs.token
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+    - name: Request reviews
+      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+      env:
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/edited.yml

@@ -1,49 +0,0 @@
-# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-# Instead it causes an `edited` event.
-# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
-# There are already feature requests for adding a `base_changed` event:
-# - https://github.com/orgs/community/discussions/35058
-# - https://github.com/orgs/community/discussions/64119
-#
-# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
-# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
-# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
-# This is much simpler and reliable than other approaches.
-
-name: "Edited base branch"
-
-on:
-  pull_request_target:
-    types: [edited]
-
-permissions: {}
-
-jobs:
-  base:
-    name: Trigger jobs
-    runs-on: ubuntu-24.04
-    if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-        run: |
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=closed"
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=open"

.github/workflows/editorconfig-v2.yml

@@ -0,0 +1,48 @@
+name: "Checking EditorConfig v2"
+
+permissions:
+  pull-requests: read
+  contents: read
+
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  tests:
+    name: editorconfig-check
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq '.[] | select(.status != "removed") | .filename' \
+          > "$HOME/changed_files"
+    - name: print list of changed files
+      run: |
+        cat "$HOME/changed_files"
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      with:
+        # nixpkgs commit is pinned so that it doesn't break
+        # editorconfig-checker 2.4.0
+        nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
+    - name: Checking EditorConfig
+      run: |
+        < "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'
+    - if: ${{ failure() }}
+      run: |
+        echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."

.github/workflows/eval-aliases.yml

@@ -1,34 +0,0 @@
-name: Eval aliases
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/eval-aliases.yml
-  pull_request_target:
-
-permissions: {}
-
-jobs:
-  eval-aliases:
-    name: Eval nixpkgs with aliases enabled
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Ensure flake outputs on all systems still evaluate
-        run: nix flake check --all-systems --no-build ./untrusted
-
-      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
-        run: |
-          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null

.github/workflows/eval-lib-tests.yml

@@ -0,0 +1,30 @@
+name: "Building Nixpkgs lib-tests"
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target:
+    paths:
+      - 'lib/**'
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixpkgs-lib-tests:
+    name: nixpkgs-lib-tests
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - name: Building Nixpkgs lib-tests
+        run: |
+          nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix

.github/workflows/eval.yml

@@ -1,10 +1,6 @@
 name: Eval
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/eval.yml
-      - .github/workflows/reviews.yml # needs eval results from the same event type
   pull_request_target:
   push:
     # Keep this synced with ci/request-reviews/dev-branches.txt
@@ -16,211 +12,223 @@ on:
       - haskell-updates
       - python-updates
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
-  prepare:
-    name: Prepare
-    runs-on: ubuntu-24.04-arm
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  attrs:
+    name: Attributes
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    # Skip this and dependent steps if the PR can't be merged
+    if: needs.get-merge-commit.outputs.mergedSha
     outputs:
-      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
-      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
+      baseSha: ${{ steps.baseSha.outputs.baseSha }}
       systems: ${{ steps.systems.outputs.systems }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: |
-            .github/actions
-            ci/supportedSystems.json
-      - name: Check if the PR can be merged and get the test merge commit
-        uses: ./.github/actions/get-merge-commit
-        id: get-merge-commit
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          fetch-depth: 2
+          path: nixpkgs
 
-      - name: Load supported systems
+      - name: Determine base commit
+        if: github.event_name == 'pull_request_target'
+        id: baseSha
+        run: |
+          baseSha=$(git -C nixpkgs rev-parse HEAD^1)
+          echo "baseSha=$baseSha" >> "$GITHUB_OUTPUT"
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+      - name: Evaluate the list of all attributes and get the systems matrix
         id: systems
         run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+          nix-build nixpkgs/ci -A eval.attrpathsSuperset
+          echo "systems=$(<result/systems.json)" >> "$GITHUB_OUTPUT"
+
+      - name: Upload the list of all attributes
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: paths
+          path: result/*
+
+  eval-aliases:
+    name: Eval nixpkgs with aliases enabled
+    runs-on: ubuntu-latest
+    needs: [ attrs, get-merge-commit ]
+    steps:
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
+        run: |
+          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
 
   outpaths:
     name: Outpaths
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare ]
+    runs-on: ubuntu-latest
+    needs: [ attrs, get-merge-commit ]
     strategy:
-      fail-fast: false
       matrix:
-        system: ${{ fromJSON(needs.prepare.outputs.systems) }}
+        system: ${{ fromJSON(needs.attrs.outputs.systems) }}
     steps:
-      - name: Enable swap
-        run: |
-          sudo fallocate -l 10G /swap
-          sudo chmod 600 /swap
-          sudo mkswap /swap
-          sudo swapon /swap
+      - name: Download the list of all attributes
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: paths
+          path: paths
 
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.prepare.outputs.mergedSha }}
-          path: untrusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs
 
       - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
       - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
         env:
           MATRIX_SYSTEM: ${{ matrix.system }}
         run: |
-          nix-build untrusted/ci -A eval.singleSystem \
+          nix-build nixpkgs/ci -A eval.singleSystem \
             --argstr evalSystem "$MATRIX_SYSTEM" \
-            --arg chunkSize 10000 \
-            --out-link merged
+            --arg attrpathFile ./paths/paths.json \
+            --arg chunkSize 10000
           # If it uses too much memory, slightly decrease chunkSize
 
       - name: Upload the output paths and eval stats
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
-          name: merged-${{ matrix.system }}
-          path: merged/*
+          name: intermediate-${{ matrix.system }}
+          path: result/*
 
-      - name: Get target run id
-        if: needs.prepare.outputs.targetSha
-        id: targetRunId
-        env:
-          GH_TOKEN: ${{ github.token }}
-          MATRIX_SYSTEM: ${{ matrix.system }}
-          REPOSITORY: ${{ github.repository }}
-          TARGET_SHA: ${{ needs.prepare.outputs.targetSha }}
-        run: |
-          # Get the latest eval.yml workflow run for the PR's target commit
-          if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
-            -f head_sha="$TARGET_SHA" -f event=push \
-            --jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \
-            || [[ -z "$run" ]]; then
-            echo "Could not find an eval.yml workflow run for $TARGET_SHA, cannot make comparison"
-            exit 1
-          fi
-          echo "Comparing against $(jq .html_url <<< "$run")"
-          runId=$(jq .id <<< "$run")
-
-          if ! job=$(gh api --method GET /repos/"$REPOSITORY"/actions/runs/"$runId"/jobs \
-            --jq ".jobs[] | select (.name == \"Outpaths ($MATRIX_SYSTEM)\")") \
-            || [[ -z "$job" ]]; then
-            echo "Could not find the Outpaths ($MATRIX_SYSTEM) job for workflow run $runId, cannot make comparison"
-            exit 1
-          fi
-          jobId=$(jq .id <<< "$job")
-          conclusion=$(jq -r .conclusion <<< "$job")
-
-          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
-            echo "Job not done, waiting 10 seconds before checking again"
-            sleep 10
-            conclusion=$(gh api /repos/"$REPOSITORY"/actions/jobs/"$jobId" --jq '.conclusion')
-          done
-
-          if [[ "$conclusion" != "success" ]]; then
-            echo "Job was not successful (conclusion: $conclusion), cannot make comparison"
-            exit 1
-          fi
-
-          echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
-
-      - uses: actions/download-artifact@v4
-        if: steps.targetRunId.outputs.targetRunId
-        with:
-          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
-          name: merged-${{ matrix.system }}
-          path: target
-          github-token: ${{ github.token }}
-          merge-multiple: true
-
-      - name: Compare outpaths against the target branch
-        if: steps.targetRunId.outputs.targetRunId
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build untrusted/ci -A eval.diff \
-            --arg beforeDir ./target \
-            --arg afterDir "$(readlink ./merged)" \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --out-link diff
-
-      - name: Upload outpaths diff and stats
-        if: steps.targetRunId.outputs.targetRunId
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: diff-${{ matrix.system }}
-          path: diff/*
-
-  compare:
-    name: Comparison
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    permissions:
-      issues: write # needed to create *new* labels
-      pull-requests: write
-      statuses: write
+  process:
+    name: Process
+    runs-on: ubuntu-latest
+    needs: [ outpaths, attrs, get-merge-commit ]
+    outputs:
+      baseRunId: ${{ steps.baseRunId.outputs.baseRunId }}
     steps:
       - name: Download output paths and eval stats for all systems
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          pattern: diff-*
-          path: diff
-          merge-multiple: true
+          pattern: intermediate-*
+          path: intermediate
 
-      - name: Check out the PR at the target commit
+      - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.prepare.outputs.targetSha }}
-          path: trusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs
 
       - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
       - name: Combine all output paths and eval stats
         run: |
-          nix-build trusted/ci -A eval.combine \
-            --arg diffDir ./diff \
-            --out-link combined
+          nix-build nixpkgs/ci -A eval.combine \
+            --arg resultsDir ./intermediate \
+            -o prResult
 
-      - name: Compare against the target branch
-        env:
-          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+      - name: Upload the combined results
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: result
+          path: prResult/*
+
+      - name: Get base run id
+        if: needs.attrs.outputs.baseSha
+        id: baseRunId
         run: |
-          git -C trusted fetch --depth 1 origin ${{ needs.prepare.outputs.mergedSha }}
-          git -C trusted diff --name-only ${{ needs.prepare.outputs.mergedSha }} \
-            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
+          # Get the latest eval.yml workflow run for the PR's base commit
+          if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
+            -f head_sha="$BASE_SHA" -f event=push \
+            --jq '.workflow_runs | sort_by(.run_started_at) | .[-1]') \
+            || [[ -z "$run" ]]; then
+            echo "Could not find an eval.yml workflow run for $BASE_SHA, cannot make comparison"
+            exit 0
+          fi
+          echo "Comparing against $(jq .html_url <<< "$run")"
+          runId=$(jq .id <<< "$run")
+          conclusion=$(jq -r .conclusion <<< "$run")
 
-          # Use the target branch to get accurate maintainer info
-          nix-build trusted/ci -A eval.compare \
-            --arg combinedDir "$(realpath ./combined)" \
-            --arg touchedFilesJson ./touched-files.json \
-            --argstr githubAuthorId "$AUTHOR_ID" \
-            --out-link comparison
+          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
+            echo "Workflow not done, waiting 10 seconds before checking again"
+            sleep 10
+            conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
+          done
 
+          if [[ "$conclusion" != "success" ]]; then
+            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
+            exit 0
+          fi
+
+          echo "baseRunId=$runId" >> "$GITHUB_OUTPUT"
+        env:
+          REPOSITORY: ${{ github.repository }}
+          BASE_SHA: ${{ needs.attrs.outputs.baseSha }}
+          GH_TOKEN: ${{ github.token }}
+
+      - uses: actions/download-artifact@v4
+        if: steps.baseRunId.outputs.baseRunId
+        with:
+          name: result
+          path: baseResult
+          github-token: ${{ github.token }}
+          run-id: ${{ steps.baseRunId.outputs.baseRunId }}
+
+      - name: Compare against the base branch
+        if: steps.baseRunId.outputs.baseRunId
+        run: |
+          nix-build nixpkgs/ci -A eval.compare \
+            --arg beforeResultDir ./baseResult \
+            --arg afterResultDir ./prResult \
+            -o comparison
           cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
+          # TODO: Request reviews from maintainers for packages whose files are modified in the PR
 
-      - name: Upload the comparison results
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - name: Upload the combined results
+        if: steps.baseRunId.outputs.baseRunId
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: comparison
           path: comparison/*
 
-      - name: Labelling pull request
-        if: ${{ github.event_name == 'pull_request_target' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
+  # Separate job to have a very tightly scoped PR write token
+  tag:
+    name: Tag
+    runs-on: ubuntu-latest
+    needs: process
+    if: needs.process.outputs.baseRunId
+    permissions:
+      pull-requests: write
+      statuses: write
+    steps:
+      - name: Download process result
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: comparison
+          path: comparison
+
+      - name: Tagging pull request
         run: |
-          # Get all currently set labels that we manage
+          # Get all currently set rebuild labels
           gh api \
             /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            --jq '.[].name | select(startswith("10.rebuild") or . == "11.by: package-maintainer")' \
+            --jq '.[].name | select(startswith("10.rebuild"))' \
             | sort > before
 
           # And the labels that should be there
@@ -243,13 +251,13 @@ jobs:
               /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
               -f "labels[]=$toAdd"
           done < <(comm -13 before after)
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
 
       - name: Add eval summary to commit statuses
         if: ${{ github.event_name == 'pull_request_target' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          NUMBER: ${{ github.event.number }}
         run: |
           description=$(jq -r '
           "Package: added " + (.attrdiff.added | length | tostring) +
@@ -263,13 +271,7 @@ jobs:
             -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
             "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
             -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
-
-  reviewers:
-    name: Reviewers
-    # No dependency on "compare", so that it can start at the same time.
-    # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
-    # for the eval workflow considerably faster.
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    uses: ./.github/workflows/reviewers.yml
-    secrets: inherit
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          NUMBER: ${{ github.event.number }}

.github/workflows/get-merge-commit.yml

@@ -0,0 +1,43 @@
+name: Get merge commit
+
+on:
+  workflow_call:
+    outputs:
+      mergedSha:
+        description: "The merge commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  resolve-merge-commit:
+    runs-on: ubuntu-latest
+    outputs:
+      mergedSha: ${{ steps.merged.outputs.mergedSha }}
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        path: base
+        sparse-checkout: ci
+    - name: Check if the PR can be merged and get the test merge commit
+      id: merged
+      env:
+        GH_TOKEN: ${{ github.token }}
+        GH_EVENT: ${{ github.event_name }}
+      run: |
+        case "$GH_EVENT" in
+          push)
+            echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+            ;;
+          pull_request_target)
+            if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+              echo "Checking the merge commit $mergedSha"
+              echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT"
+            else
+              # Skipping so that no notifications are sent
+              echo "Skipping the rest..."
+            fi
+            ;;
+        esac
+        rm -rf base

.github/workflows/labels.yml

@@ -1,60 +1,25 @@
+name: "Label PR"
+
+on:
+  pull_request_target:
+    types: [edited, opened, synchronize, reopened]
+
 # WARNING:
 # When extending this action, be aware that $GITHUB_TOKEN allows some write
 # access to the GitHub API. This means that it should not evaluate user input in
 # a way that allows code injection.
 
-name: "Label PR"
-
-on:
-  pull_request_target:
-
 permissions:
   contents: read
-  issues: write # needed to create *new* labels
   pull-requests: write
 
 jobs:
   labels:
     name: label-pr
-    runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        if: |
-          github.event.pull_request.head.repo.owner.login != 'NixOS' || !(
-            github.head_ref == 'haskell-updates' ||
-            github.head_ref == 'python-updates' ||
-            github.head_ref == 'staging-next' ||
-            startsWith(github.head_ref, 'staging-next-')
-          )
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          configuration-path: .github/labeler.yml # default
-          sync-labels: true
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        if: |
-          github.event.pull_request.head.repo.owner.login != 'NixOS' || !(
-            github.head_ref == 'haskell-updates' ||
-            github.head_ref == 'python-updates' ||
-            github.head_ref == 'staging-next' ||
-            startsWith(github.head_ref, 'staging-next-')
-          )
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          configuration-path: .github/labeler-no-sync.yml
-          sync-labels: false
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
-        # Development branches like staging-next, haskell-updates and python-updates get special labels.
-        # This is to avoid the mass of labels there, which is mostly useless - and really annoying for
-        # the backport labels.
-        if: |
-          github.event.pull_request.head.repo.owner.login == 'NixOS' && (
-            github.head_ref == 'haskell-updates' ||
-            github.head_ref == 'python-updates' ||
-            github.head_ref == 'staging-next' ||
-            startsWith(github.head_ref, 'staging-next-')
-          )
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          configuration-path: .github/labeler-development-branches.yml
-          sync-labels: true
+    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: true

.github/workflows/lib-tests.yml

@@ -1,33 +0,0 @@
-name: "Building Nixpkgs lib-tests"
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/lib-tests.yml
-  pull_request_target:
-    paths:
-      - 'lib/**'
-      - 'maintainers/**'
-
-permissions: {}
-
-jobs:
-  nixpkgs-lib-tests:
-    name: nixpkgs-lib-tests
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Building Nixpkgs lib-tests
-        run: |
-          nix-build untrusted/ci -A lib-tests

.github/workflows/lint-actions.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash actionlint shellcheck -I nixpkgs=../..
+set -euo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+cd "$SCRIPT_DIR/../.."
+actionlint

.github/workflows/manual-nixos-v2.yml

@@ -1,62 +1,33 @@
 name: "Build NixOS manual v2"
 
+permissions:
+  contents: read
+
 on:
-  pull_request:
-    paths:
-      - .github/workflows/manual-nixos-v2.yml
   pull_request_target:
     branches:
       - master
     paths:
-      - "nixos/**"
-      # Also build when the nixpkgs doc changed, since we take things like
-      # the release notes and some css and js files from there.
-      # See nixos/doc/manual/default.nix
-      - "doc/**"
-      # Build when something in lib changes
-      # Since the lib functions are used to 'massage' the options before producing the manual
-      - "lib/**"
-
-permissions: {}
+      - 'nixos/**'
 
 jobs:
   nixos:
     name: nixos-manual-build
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            system: x86_64-linux
-          - runner: ubuntu-24.04-arm
-            system: aarch64-linux
-    runs-on: ${{ matrix.runner }}
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
+          # explicitly enable sandbox
           extra_nix_config: sandbox = true
-
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
-          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
-
-      - name: Build NixOS manual
-        id: build-manual
-        run: NIX_PATH=nixpkgs=$(pwd)/untrusted nix-build --option restrict-eval true untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }}
-
-      - name: Upload NixOS manual
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: nixos-manual-${{ matrix.system }}
-          path: result/
-          if-no-files-found: error
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - name: Building NixOS manual
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixpkgs-v2.yml

@@ -1,39 +1,35 @@
 name: "Build Nixpkgs manual v2"
 
+permissions:
+  contents: read
+
 on:
-  pull_request:
-    paths:
-      - .github/workflows/manual-nixpkgs-v2.yml
   pull_request_target:
+    branches:
+      - master
     paths:
       - 'doc/**'
       - 'lib/**'
-      - 'pkgs/by-name/ni/nixdoc/**'
-
-permissions: {}
+      - 'pkgs/tools/nix/nixdoc/**'
 
 jobs:
   nixpkgs:
     name: nixpkgs-manual-build
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
+          # explicitly enable sandbox
           extra_nix_config: sandbox = true
-
-      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-
       - name: Building Nixpkgs manual
-        run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests

.github/workflows/nix-parse-v2.yml

@@ -1,33 +1,49 @@
 name: "Check whether nix files are parseable v2"
 
-on:
-  pull_request:
-    paths:
-      - .github/workflows/nix-parse-v2.yml
-  pull_request_target:
+permissions:
+  pull-requests: read
+  contents: read
 
-permissions: {}
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   tests:
     name: nix-files-parseable-check
-    runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-          nix_path: nixpkgs=channel:nixpkgs-unstable
-
-      - name: Parse all nix files
-        run: |
-          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
-          nix-build untrusted/ci -A parse --keep-going
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
+          > "$HOME/changed_files"
+        if [[ -s "$HOME/changed_files" ]]; then
+          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
+        fi
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      with:
+        nix_path: nixpkgs=channel:nixpkgs-unstable
+    - name: Parse all changed or added nix files
+      run: |
+        ret=0
+        while IFS= read -r file; do
+          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
+        done < "$HOME/changed_files"
+        exit "$ret"
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}

.github/workflows/nixpkgs-vet.yml

@@ -2,14 +2,16 @@
 # Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
 # When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
 # See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
-
 name: Vet nixpkgs
 
 on:
-  pull_request:
-    paths:
-      - .github/workflows/nixpkgs-vet.yml
+  # Using pull_request_target instead of pull_request avoids having to approve first time contributors.
   pull_request_target:
+    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here.
+    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
+    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
+    types: [opened, synchronize, reopened, edited]
 
 permissions: {}
 
@@ -17,29 +19,48 @@ permissions: {}
 # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   check:
     name: nixpkgs-vet
-    runs-on: ubuntu-24.04-arm
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
+    runs-on: ubuntu-latest
     # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
     timeout-minutes: 10
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout merged and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
+          # pull_request_target checks out the base branch by default
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+      - name: Checking out base branch
+        run: |
+          base=$(mktemp -d)
+          git worktree add "$base" "$(git rev-parse HEAD^1)"
+          echo "base=$base" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      - name: Fetching the pinned tool
+        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
+        run: |
+          # The pinned version of the tooling to use.
+          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
 
-      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+            | gzip -cd | nix-store --import | tail -1)
 
+          # Adds a result symlink as a GC root.
+          nix-store --realise "$toolPath" --add-root result
       - name: Running nixpkgs-vet
         env:
           # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
           CLICOLOR_FORCE: 1
         run: |
-          if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
+          if result/bin/nixpkgs-vet --base "$base" .; then
             exit 0
           else
             exitCode=$?

.github/workflows/no-channel.yml

@@ -2,25 +2,25 @@ name: "No channel PR"
 
 on:
   pull_request:
-    paths:
-      - .github/workflows/no-channel.yml
-  pull_request_target:
+    branches:
+      - 'nixos-**'
+      - 'nixpkgs-**'
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   fail:
-    if: |
-      startsWith(github.event.pull_request.base.ref, 'nixos-') ||
-      startsWith(github.event.pull_request.base.ref, 'nixpkgs-')
-    name: "This PR is targeting a channel branch"
-    runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: none
+    name: "This PR is is targeting a channel branch"
+    runs-on: ubuntu-latest
     steps:
-      - run: |
-          cat <<EOF
-          The nixos-* and nixpkgs-* branches are pushed to by the channel
-          release script and should not be merged into directly.
+    - run: |
+        cat <<EOF
+        The nixos-* and nixpkgs-* branches are pushed to by the channel
+        release script and should not be merged into directly.
 
-          Please target the equivalent release-* branch or master instead.
-          EOF
-          exit 1
+        Please target the equivalent release-* branch or master instead.
+        EOF
+        exit 1

.github/workflows/ofborg-pending.yml

@@ -0,0 +1,34 @@
+name: "Set pending OfBorg status"
+on:
+  pull_request_target:
+
+# Sets the ofborg-eval status to "pending" to signal that we are waiting for
+# OfBorg even if it is running late. The status will be overwritten by OfBorg
+# once it starts evaluation.
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows (restricted) write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
+permissions:
+  contents: read
+
+jobs:
+  action:
+    name: set-ofborg-pending
+    if: github.repository_owner == 'NixOS'
+    permissions:
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Set pending OfBorg status"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        curl \
+          -X POST \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -d '{"context": "ofborg-eval", "state": "pending", "description": "Waiting for OfBorg..."}' \
+          "https://api.github.com/repos/NixOS/nixpkgs/commits/${{ github.event.pull_request.head.sha }}/statuses"

.github/workflows/periodic-merge-24h.yml

@@ -7,6 +7,7 @@
 
 name: "Periodic Merges (24h)"
 
+
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
@@ -14,11 +15,16 @@ on:
     - cron:  '0 0 * * *'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -27,20 +33,32 @@ jobs:
       max-parallel: 1
       matrix:
         pairs:
+          - from: master
+            into: haskell-updates
+          - from: release-24.05
+            into: staging-next-24.05
+          - from: staging-next-24.05
+            into: staging-24.05
           - from: release-24.11
             into: staging-next-24.11
           - from: staging-next-24.11
             into: staging-24.11
-          - from: release-25.05
-            into: staging-next-25.05
-          - from: staging-next-25.05
-            into: staging-25.05
-          - name: merge-base(master,staging) → haskell-updates
-            from: master staging
-            into: haskell-updates
-    uses: ./.github/workflows/periodic-merge.yml
-    with:
-      from: ${{ matrix.pairs.from }}
-      into: ${{ matrix.pairs.into }}
-    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        with:
+          type: now
+          from_branch: ${{ matrix.pairs.from }}
+          target_branch: ${{ matrix.pairs.into }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

.github/workflows/periodic-merge-6h.yml

@@ -7,6 +7,7 @@
 
 name: "Periodic Merges (6h)"
 
+
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
@@ -14,11 +15,16 @@ on:
     - cron:  '0 */6 * * *'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
+    runs-on: ubuntu-latest
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -31,9 +37,22 @@ jobs:
             into: staging-next
           - from: staging-next
             into: staging
-    uses: ./.github/workflows/periodic-merge.yml
-    with:
-      from: ${{ matrix.pairs.from }}
-      into: ${{ matrix.pairs.into }}
-    name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
+        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        with:
+          type: now
+          from_branch: ${{ matrix.pairs.from }}
+          target_branch: ${{ matrix.pairs.into }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

.github/workflows/periodic-merge.yml

@@ -1,59 +0,0 @@
-name: "Merge"
-
-on:
-  workflow_call:
-    inputs:
-      from:
-        description: Branch to merge into target branch. Can also be two branches separated by space to find the merge base between them.
-        required: true
-        type: string
-      into:
-        description: Target branch to merge into.
-        required: true
-        type: string
-
-jobs:
-  merge:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-contents: write
-          permission-pull-requests: write
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Find merge base between two branches
-        if: contains(inputs.from, ' ')
-        id: merge_base
-        env:
-          branches: ${{ inputs.from }}
-        run: |
-          # turn into bash array, split on space
-          read -ra branches <<< "$branches"
-          git fetch --shallow-since="1 month ago" origin "${branches[@]}"
-          merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")"
-          echo "Found merge base: $merge_base" >&2
-          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
-
-      - name: ${{ inputs.from }} → ${{ inputs.into }}
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
-        with:
-          type: now
-          from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }}
-          target_branch: ${{ inputs.into }}
-          github_token: ${{ steps.app-token.outputs.token }}
-
-      - name: Comment on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-        if: ${{ failure() }}
-        with:
-          issue-number: 105153
-          body: |
-            Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
-          token: ${{ steps.app-token.outputs.token }}

.github/workflows/reviewers.yml

@@ -1,98 +0,0 @@
-# This workflow will request reviews from the maintainers of each package
-# listed in the PR's most recent eval comparison artifact.
-
-name: Reviewers
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/reviewers.yml
-  pull_request_target:
-    types: [ready_for_review]
-  workflow_call:
-
-permissions: {}
-
-jobs:
-  request:
-    name: Request
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Check out the PR at the base commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
-          sparse-checkout: ci
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Build the requestReviews derivation
-        run: nix-build trusted/ci -A requestReviews
-
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-
-      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
-      # In the more special case, when a PR is undrafted an eval run will have started already.
-      - name: Wait for comparison to be done
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const run_id = (await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'eval.yml',
-              event: context.eventName,
-              head_sha: context.payload.pull_request.head.sha
-            })).data.workflow_runs[0].id
-
-            // Waiting 120 * 5 sec = 10 min. max.
-            // The extreme case is an Eval run that just started when the PR is undrafted.
-            // Eval takes max 5-6 minutes, normally.
-            for (let i = 0; i < 120; i++) {
-              const result = await github.rest.actions.listWorkflowRunArtifacts({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                run_id,
-                name: 'comparison'
-              })
-              if (result.data.total_count > 0) return
-              await new Promise(resolve => setTimeout(resolve, 5000))
-            }
-            throw new Error("No comparison artifact found.")
-
-      - name: Download the comparison results
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: comparison
-          path: comparison
-          merge-multiple: true
-
-      - name: Requesting maintainer reviews
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-          # Don't request reviewers on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-        run: |
-          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
-          # There appears to be no API to request reviews based on GitHub IDs
-          jq -r 'keys[]' comparison/maintainers.json \
-            | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"

.gitignore

@@ -33,10 +33,6 @@ __pycache__
 
 # generated by pkgs/common-updater/update-script.nix
 update-git-commits.txt
-/*.log
 
 # JetBrains IDEA module declaration file
 /nixpkgs.iml
-
-# Usually used for manual backports
-.worktree/

.mailmap

@@ -5,15 +5,11 @@ Christina Sørensen <christina@cafkafk.com>
 Christina Sørensen <christina@cafkafk.com> <christinaafk@gmail.com>
 Christina Sørensen <christina@cafkafk.com> <89321978+cafkafk@users.noreply.github.com>
 Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
-Ethan Carter Edwards <ethan@ethancedwards.com> Ethan Edwards <ethancarteredwards@gmail.com>
 Fabian Affolter <mail@fabian-affolter.ch> <fabian@affolter-engineering.ch>
 Fiona Behrens <me@kloenk.dev>
 Fiona Behrens <me@kloenk.dev> <me@kloenk.de>
 goatastronaut0212 <goatastronaut0212@outlook.com> <goatastronaut0212@proton.me>
 Janne Heß <janne@hess.ooo> <dasJ@users.noreply.github.com>
-jopejoe1 <nixpkgs@missing.ninja>
-jopejoe1 <nixpkgs@missing.ninja> <johannes@joens.email>
-jopejoe1 <nixpkgs@missing.ninja> <34899572+jopejoe1@users.noreply.github.com>
 Jörg Thalheim <joerg@thalheim.io> <Mic92@users.noreply.github.com>
 Lin Jian <me@linj.tech> <linj.dev@outlook.com>
 Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>

CONTRIBUTING.md

@@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
 Here's a brief overview of the main Git branches and what channels they're used for:
 
 - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
-- `release-YY.MM` (e.g. `release-25.11`): The NixOS release branches, used for the stable channels such as `nixos-25.11`, `nixos-25.11-small` and `nixpkgs-25.11-darwin`.
+- `release-YY.MM` (e.g. `release-25.05`): The NixOS release branches, used for the stable channels such as `nixos-25.05`, `nixos-25.05-small` and `nixpkgs-25.05-darwin`.
 
 When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
 So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).
@@ -531,31 +531,14 @@ If you removed packages or made some major NixOS changes, write about it in the
 
 Names of files and directories should be in lowercase, with dashes between words — not in camel case. For instance, it should be `all-packages.nix`, not `allPackages.nix` or `AllPackages.nix`.
 
-### Formatting
-
-CI [enforces](./.github/workflows/check-format.yml) all Nix files to be
-formatted using the [official Nix formatter](https://github.com/NixOS/nixfmt).
-
-You can ensure this locally using either of these commands:
-```
-nix-shell --run treefmt
-nix develop --command treefmt
-nix fmt
-```
-
-If you're starting your editor in `nix-shell` or `nix develop`,
-you can also set it up to automatically format the file with `treefmt` on save.
-
-If you have any problems with formatting, please ping the
-[formatting team](https://nixos.org/community/teams/formatting/) via
-[@NixOS/nix-formatting](https://github.com/orgs/NixOS/teams/nix-formatting).
-
 ### Syntax
 
 - Set up [editorconfig](https://editorconfig.org/) for your editor, such that [the settings](./.editorconfig) are automatically applied.
 
 - Use `lowerCamelCase` for variable names, not `UpperCamelCase`. Note, this rule does not apply to package attribute names, which instead follow the rules in [package naming](./pkgs/README.md#package-naming).
 
+- New files must be formatted by entering the `nix-shell` from the repository root and running `nixfmt`.
+
 - Functions should list their expected arguments as precisely as possible. That is, write
 
   ```nix
@@ -667,7 +650,7 @@ If you want your PR to get merged quickly and smoothly, it is in your best inter
 
 For the committer to judge your intention, it's best to explain why you've made your change.
 This does not apply to trivial changes like version updates because the intention is obvious (though linking the changelog is appreciated).
-For any more nuanced changes or even major version upgrades, it helps if you explain the background behind your change a bit.
+For any more nuanced changed or even major version upgrades, it helps if you explain the background behind your change a bit.
 E.g. if you're adding a package, explain what it is and why it should be in Nixpkgs.
 This goes hand in hand with [Writing good commit messages](#writing-good-commit-messages).
 

COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2003-2025 Eelco Dolstra and the Nixpkgs/NixOS contributors
+Copyright (c) 2003-2024 Eelco Dolstra and the Nixpkgs/NixOS contributors
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -1,9 +1,9 @@
 <p align="center">
   <a href="https://nixos.org">
     <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg">
+      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
       <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg" width="500px" alt="NixOS logo">
+      <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="500px" alt="NixOS logo">
     </picture>
   </a>
 </p>
@@ -14,7 +14,7 @@
 </p>
 
 [Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over
-120,000 software packages that can be installed with the
+100,000 software packages that can be installed with the
 [Nix](https://nixos.org/nix/) package manager. It also implements
 [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
 
@@ -27,7 +27,7 @@
 # Community
 
 * [Discourse Forum](https://discourse.nixos.org/)
-* [Matrix Chat](https://matrix.to/#/#space:nixos.org)
+* [Matrix Chat](https://matrix.to/#/#community:nixos.org)
 * [NixOS Weekly](https://weekly.nixos.org/)
 * [Official wiki](https://wiki.nixos.org/)
 * [Community-maintained list of ways to get in touch](https://wiki.nixos.org/wiki/Get_In_Touch#Chat) (Discord, Telegram, IRC, etc.)
@@ -59,7 +59,7 @@ system, [Hydra](https://hydra.nixos.org/).
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are
 met, the Nixpkgs expressions are distributed via [Nix
-channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
+channels](https://nixos.org/manual/nix/stable/package-management/channels.html).
 
 # Contributing
 

ci/OWNERS

@@ -14,34 +14,32 @@
 # Processing of this file is implemented in workflows/codeowners-v2.yml
 
 # CI
-/.github/*_TEMPLATE*                    @SigmaSquadron
-/.github/actions                        @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
-/.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
-/.github/workflows/check-format.yml     @infinisil @wolfgangwalther
-/.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
-/.github/workflows/nixpkgs-vet.yml      @infinisil @philiptaron @wolfgangwalther
-/ci                                     @infinisil @philiptaron @NixOS/Security @wolfgangwalther
-/ci/OWNERS                              @infinisil @philiptaron
+/.github/workflows @NixOS/Security @Mic92 @zowoq @infinisil @azuwis
+/.github/workflows/check-nix-format.yml @infinisil
+/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
+/.github/workflows/codeowners-v2.yml @infinisil
+/ci @infinisil @philiptaron @NixOS/Security
+/ci/OWNERS @infinisil @philiptaron
 
 # Development support
 /.editorconfig @Mic92 @zowoq
 /shell.nix @infinisil @NixOS/Security
 
 # Libraries
-/lib                        @infinisil @hsjobeki
+/lib                        @infinisil
 /lib/systems                @alyssais @ericson2314 @NixOS/stdenv
-/lib/generators.nix         @infinisil @hsjobeki @Profpatsch
-/lib/cli.nix                @infinisil @hsjobeki @Profpatsch
-/lib/debug.nix              @infinisil @hsjobeki @Profpatsch
-/lib/asserts.nix            @infinisil @hsjobeki @Profpatsch
-/lib/path/*                 @infinisil @hsjobeki
-/lib/fileset                @infinisil @hsjobeki
+/lib/generators.nix         @infinisil @Profpatsch
+/lib/cli.nix                @infinisil @Profpatsch
+/lib/debug.nix              @infinisil @Profpatsch
+/lib/asserts.nix            @infinisil @Profpatsch
+/lib/path/*                 @infinisil
+/lib/fileset                @infinisil
 ## Libraries / Module system
-/lib/modules.nix            @infinisil @roberth @hsjobeki
-/lib/types.nix              @infinisil @roberth @hsjobeki
-/lib/options.nix            @infinisil @roberth @hsjobeki
-/lib/tests/modules.sh       @infinisil @roberth @hsjobeki
-/lib/tests/modules          @infinisil @roberth @hsjobeki
+/lib/modules.nix            @infinisil @roberth
+/lib/types.nix              @infinisil @roberth
+/lib/options.nix            @infinisil @roberth
+/lib/tests/modules.sh       @infinisil @roberth
+/lib/tests/modules          @infinisil @roberth
 
 # Nixpkgs Internals
 /default.nix                                     @Ericson2314
@@ -61,9 +59,10 @@
 /pkgs/build-support/setup-hooks                  @Ericson2314
 /pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
 /pkgs/by-name/au/auto-patchelf                   @layus
-
+/pkgs/pkgs-lib                                   @infinisil
 ## Format generators/serializers
-/pkgs/pkgs-lib                                   @Stunkymonkey @h7x4
+/pkgs/pkgs-lib/formats/libconfig                 @h7x4
+/pkgs/pkgs-lib/formats/hocon                     @h7x4
 
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus @Profpatsch
@@ -103,7 +102,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/default.nix                                    @infinisil
 /nixos/lib/from-env.nix                               @infinisil
 /nixos/lib/eval-config.nix                            @infinisil
-/nixos/modules/misc/ids.nix                           @R-VdP
 /nixos/modules/system/activation/bootspec.nix         @grahamc @cole-h @raitobezarius
 /nixos/modules/system/activation/bootspec.cue         @grahamc @cole-h @raitobezarius
 
@@ -130,34 +128,25 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Systemd-boot
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
 
-# Limine
-/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi @johnrtitor
-/nixos/tests/limine                             @johnrtitor
-
 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
 /nixos/modules/installer/cd-dvd/                @ElvishJerricco
 /nixos/modules/installer/sd-card/
 
 # Amazon
-/nixos/modules/virtualisation/amazon-init.nix                  @arianvp
-/nixos/modules/virtualisation/ec2-data.nix                     @arianvp
-/nixos/modules/virtualisation/amazon-options.nix               @arianvp
-/nixos/modules/virtualisation/amazon-image.nix                 @arianvp
-/nixos/maintainers/scripts/ec2/                                @arianvp
-/nixos/modules/services/misc/amazon-ssm-agent.nix              @arianvp
-/nixos/tests/amazon-ssm-agent.nix                              @arianvp
-/nixos/modules/system/boot/grow-partition.nix                  @arianvp
-/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix @philipmw
-/nixos/tests/amazon-cloudwatch-agent.nix                       @philipmw
-
-# Monitoring
-/nixos/modules/services/monitoring/fluent-bit.nix @arianvp
-/nixos/tests/fluent-bit.nix                       @arianvp
+/nixos/modules/virtualisation/amazon-init.nix     @arianvp
+/nixos/modules/virtualisation/ec2-data.nix        @arianvp
+/nixos/modules/virtualisation/amazon-options.nix  @arianvp
+/nixos/modules/virtualisation/amazon-image.nix    @arianvp
+/nixos/maintainers/scripts/ec2/                   @arianvp
+/nixos/modules/services/misc/amazon-ssm-agent.nix @arianvp
+/nixos/tests/amazon-ssm-agent.nix                 @arianvp
+/nixos/modules/system/boot/grow-partition.nix     @arianvp
 
 # nixos-rebuild-ng
 /pkgs/by-name/ni/nixos-rebuild-ng                 @thiagokokada
 
+
 # Updaters
 ## update.nix
 /maintainers/scripts/update.nix   @jtojnar
@@ -165,13 +154,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 ## common-updater-scripts
 /pkgs/common-updater/scripts/update-source-version    @jtojnar
 
-# Android tools, libraries, and environments
-/pkgs/development/android*                    @NixOS/android
-/pkgs/development/mobile/android*             @NixOS/android
-/pkgs/applications/editors/android-studio*    @NixOS/android
-/doc/languages-frameworks/android*            @NixOS/android
-/pkgs/by-name/an/android*                     @NixOS/android
-
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
@@ -180,19 +162,14 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/top-level/python-packages.nix                     @natsukium
 /pkgs/top-level/release-python.nix                      @natsukium
 
-# CUDA
-/pkgs/top-level/cuda-packages.nix             @NixOS/cuda-maintainers
-/pkgs/top-level/release-cuda.nix              @NixOS/cuda-maintainers
-/pkgs/development/cuda-modules                @NixOS/cuda-maintainers
-
 # Haskell
-/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn @wolfgangwalther
-/maintainers/scripts/haskell                  @sternenseemann @maralorn @wolfgangwalther
-/pkgs/development/compilers/ghc               @sternenseemann @maralorn @wolfgangwalther
-/pkgs/development/haskell-modules             @sternenseemann @maralorn @wolfgangwalther
-/pkgs/test/haskell                            @sternenseemann @maralorn @wolfgangwalther
-/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn @wolfgangwalther
-/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn @wolfgangwalther
+/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn
+/maintainers/scripts/haskell                  @sternenseemann @maralorn
+/pkgs/development/compilers/ghc               @sternenseemann @maralorn
+/pkgs/development/haskell-modules             @sternenseemann @maralorn
+/pkgs/test/haskell                            @sternenseemann @maralorn
+/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn
+/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn
 
 # Perl
 /pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
@@ -220,7 +197,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/development/compilers/gcc
 /pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
 /pkgs/development/compilers/emscripten @raitobezarius
-/doc/toolchains/llvm.chapter.md @alyssais @RossComputerGuy @NixOS/llvm
 /doc/languages-frameworks/emscripten.section.md @raitobezarius
 
 # Audio
@@ -235,7 +211,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/tests/chromium.nix @emilylange @networkException
 
 # Certificate Authorities
-pkgs/by-name/ca/cacert @ajs124 @lukegb @mweinelt
+pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
 pkgs/development/libraries/nss/ @ajs124 @lukegb @mweinelt
 pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 
@@ -250,7 +226,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara
 
 # Licenses
-/lib/licenses.nix @alyssais @emilazy
+/lib/licenses.nix @alyssais
 
 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -266,18 +242,12 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
 
 # PostgreSQL and related stuff
-/pkgs/by-name/po/postgresqlTestHook @NixOS/postgres
-/pkgs/by-name/ps/psqlodbc @NixOS/postgres
 /pkgs/servers/sql/postgresql @NixOS/postgres
 /pkgs/development/tools/rust/cargo-pgrx @NixOS/postgres
 /nixos/modules/services/databases/postgresql.md @NixOS/postgres
 /nixos/modules/services/databases/postgresql.nix @NixOS/postgres
 /nixos/tests/postgresql @NixOS/postgres
 
-# MySQL/MariaDB and related stuff
-/nixos/modules/services/databases/mysql.nix     @6543
-/nixos/modules/services/backup/mysql-backup.nix @6543
-
 # Hardened profile & related modules
 /nixos/modules/profiles/hardened.nix                       @joachifm
 /nixos/modules/security/lock-kernel-modules.nix            @joachifm
@@ -291,7 +261,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/tests/home-assistant.nix @mweinelt
 /nixos/tests/zigbee2mqtt.nix @mweinelt
 /pkgs/servers/home-assistant @mweinelt
-/pkgs/by-name/es/esphome @mweinelt
+/pkgs/tools/misc/esphome @mweinelt
 
 # Network Time Daemons
 /pkgs/by-name/ch/chrony @thoughtpolice
@@ -315,12 +285,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/servers/http/nginx/ @raitobezarius
 /nixos/modules/services/web-servers/nginx/ @raitobezarius
 
-# D
-/pkgs/build-support/dlang @jtbx @TomaSajt
-
 # Dhall
-/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch
-/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch
+/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch @ehmry
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch @ehmry
 
 # Idris
 /pkgs/development/idris-modules @Infinisil
@@ -345,9 +312,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # Kakoune
 /pkgs/applications/editors/kakoune     @philiptaron
 
-# LuaPackages
-/pkgs/development/lua-modules         @NixOS/lua
-
 # Neovim
 /pkgs/applications/editors/neovim      @NixOS/neovim
 
@@ -394,6 +358,12 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # Xfce
 /doc/hooks/xfce4-dev-tools.section.md @NixOS/xfce
 
+# nim
+/doc/languages-frameworks/nim.section.md  @ehmry
+/pkgs/build-support/build-nim-package.nix @ehmry
+/pkgs/build-support/build-nim-sbom.nix    @ehmry
+/pkgs/top-level/nim-overrides.nix         @ehmry
+
 # terraform providers
 /pkgs/applications/networking/cluster/terraform-providers @zowoq
 
@@ -419,13 +389,14 @@ pkgs/by-name/fo/forgejo/                @adamcstephens @bendlas @emilylange
 /pkgs/development/ocaml-modules     @ulrikstrid
 
 # ZFS
-/nixos/modules/tasks/filesystems/zfs.nix @adamcstephens @amarshall
-/nixos/tests/zfs.nix                     @adamcstephens @amarshall
-/pkgs/os-specific/linux/zfs              @adamcstephens @amarshall
+pkgs/os-specific/linux/zfs/2_1.nix        @raitobezarius
+pkgs/os-specific/linux/zfs/generic.nix    @raitobezarius
+nixos/modules/tasks/filesystems/zfs.nix   @raitobezarius
+nixos/tests/zfs.nix                       @raitobezarius
 
 # Zig
-/pkgs/development/compilers/zig @figsoda @RossComputerGuy
-/doc/hooks/zig.section.md       @figsoda @RossComputerGuy
+/pkgs/development/compilers/zig @figsoda
+/doc/hooks/zig.section.md       @figsoda
 
 # Buildbot
 nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
@@ -470,21 +441,3 @@ pkgs/by-name/lx/lxc*                    @adamcstephens
 /pkgs/by-name/ap/apple-sdk                     @NixOS/darwin-core
 /pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
 /pkgs/stdenv/darwin                            @NixOS/darwin-core
-
-# BEAM
-pkgs/development/beam-modules/          @NixOS/beam
-pkgs/development/interpreters/erlang/   @NixOS/beam
-pkgs/development/interpreters/elixir/   @NixOS/beam
-pkgs/development/interpreters/lfe/      @NixOS/beam
-
-# Authelia
-pkgs/servers/authelia/ @06kellyjac @dit7ya @nicomem
-
-# OctoDNS
-pkgs/by-name/oc/octodns/ @anthonyroussel
-
-# Teleport
-pkgs/by-name/te/teleport*   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
-
-# Warp-terminal
-pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @donteatoreo @johnrtitor

ci/README.md

@@ -40,3 +40,46 @@ Why not just build the tooling right from the PRs Nixpkgs version?
 - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
 - Because it improves security, since we don't have to build potentially untrusted code from PRs.
   The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
+
+## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
+
+Check whether a PR is mergeable and return the test merge commit as
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests).
+
+Arguments:
+- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
+- `PR_NUMBER`: The PR number, e.g. `1234`
+
+Exit codes:
+- 0: The PR can be merged, the test merge commit hash is returned on stdout
+- 1: The PR cannot be merged because it's not open anymore
+- 2: The PR cannot be merged because it has a merge conflict
+- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
+
+### Usage
+
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
+
+```yaml
+on: pull_request_target
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    # use the relative path of the get-merge-commit workflow yaml here
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@<VERSION>
+        # Add this to _all_ subsequent steps to skip them
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - ...
+```

ci/check-cherry-picks.sh

@@ -1,114 +0,0 @@
-#!/usr/bin/env bash
-# Find alleged cherry-picks
-
-set -eo pipefail
-
-if [ $# != "2" ] ; then
-  echo "usage: check-cherry-picks.sh base_rev head_rev"
-  exit 2
-fi
-
-# Make sure we are inside the nixpkgs repo, even when called from outside
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-PICKABLE_BRANCHES="master staging release-??.?? staging-??.?? haskell-updates python-updates staging-next staging-next-??.??"
-problem=0
-
-# Not everyone calls their remote "origin"
-remote="$(git remote -v | grep -i 'NixOS/nixpkgs' | head -n1 | cut -f1 || true)"
-
-commits="$(git rev-list --reverse "$1..$2")"
-
-while read -r new_commit_sha ; do
-  if [ -z "$new_commit_sha" ] ; then
-    continue  # skip empty lines
-  fi
-  if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-    echo "::group::Commit $new_commit_sha"
-  else
-    echo "================================================="
-  fi
-  git rev-list --max-count=1 --format=medium "$new_commit_sha"
-  echo "-------------------------------------------------"
-
-  original_commit_sha=$(
-    git rev-list --max-count=1 --format=format:%B "$new_commit_sha" \
-    | grep -Ei -m1 "cherry.*[0-9a-f]{40}" \
-    | grep -Eoi -m1 '[0-9a-f]{40}' || true
-  )
-  if [ -z "$original_commit_sha" ] ; then
-    if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-      echo ::endgroup::
-      echo -n "::error ::"
-    else
-      echo -n "  ✘ "
-    fi
-    echo "Couldn't locate original commit hash in message"
-    echo "Note this should not necessarily be treated as a hard fail, but a reviewer's attention should" \
-      "be drawn to it and github actions have no way of doing that but to raise a 'failure'"
-    problem=1
-    continue
-  fi
-
-  set -f # prevent pathname expansion of patterns
-  for pattern in $PICKABLE_BRANCHES ; do
-    set +f # re-enable pathname expansion
-
-    # Reverse sorting by refname and taking one match only means we can only backport
-    # from unstable and the latest stable. That makes sense, because even right after
-    # branch-off, when we have two supported stable branches, we only ever want to cherry-pick
-    # **to** the older one, but never **from** it.
-    # This makes the job significantly faster in the case when commits can't be found,
-    # because it doesn't need to iterate through 20+ branches, which all need to be fetched.
-    branches="$(git for-each-ref --sort=-refname --format="%(refname)" \
-      "refs/remotes/${remote:-origin}/$pattern" | head -n1)"
-
-    while read -r picked_branch ; do
-      if git merge-base --is-ancestor "$original_commit_sha" "$picked_branch" ; then
-        echo "  ✔ $original_commit_sha present in branch $picked_branch"
-
-        range_diff_common='git --no-pager range-diff
-          --no-notes
-          --creation-factor=100
-          '"$original_commit_sha~..$original_commit_sha"'
-          '"$new_commit_sha~..$new_commit_sha"'
-        '
-
-        if $range_diff_common --no-color 2> /dev/null | grep -E '^ {4}[+-]{2}' > /dev/null ; then
-          if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-            echo ::endgroup::
-            echo -n "::warning ::"
-          else
-            echo -n "  ⚠ "
-          fi
-          echo "Difference between $new_commit_sha and original $original_commit_sha may warrant inspection:"
-
-          $range_diff_common --color
-
-          echo "Note this should not necessarily be treated as a hard fail, but a reviewer's attention should" \
-            "be drawn to it and github actions have no way of doing that but to raise a 'failure'"
-          problem=1
-        else
-          echo "  ✔ $original_commit_sha highly similar to $new_commit_sha"
-          $range_diff_common --color
-          [ "$GITHUB_ACTIONS" = 'true' ] && echo ::endgroup::
-        fi
-
-        # move on to next commit
-        continue 3
-      fi
-    done <<< "$branches"
-  done
-
-  if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-    echo ::endgroup::
-    echo -n "::error ::"
-  else
-    echo -n "  ✘ "
-  fi
-  echo "$original_commit_sha not found in any pickable branch"
-
-  problem=1
-done <<< "$commits"
-
-exit $problem

ci/default.nix

@@ -21,74 +21,10 @@ let
     config = { };
     overlays = [ ];
   };
-
-  fmt =
-    let
-      treefmtNixSrc = fetchTarball {
-        # Master at 2025-02-12
-        url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
-        sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
-      };
-      treefmtEval = (import treefmtNixSrc).evalModule pkgs {
-        # Important: The auto-rebase script uses `git filter-branch --tree-filter`,
-        # which creates trees within the Git repository under `.git-rewrite/t`,
-        # notably without having a `.git` themselves.
-        # So if this projectRootFile were the default `.git/config`,
-        # having the auto-rebase script use treefmt on such a tree would make it
-        # format all files in the _parent_ Git tree as well.
-        projectRootFile = ".git-blame-ignore-revs";
-
-        # Be a bit more verbose by default, so we can see progress happening
-        settings.verbose = 1;
-
-        # By default it's info, which is too noisy since we have many unmatched files
-        settings.on-unmatched = "debug";
-
-        programs.actionlint.enable = true;
-
-        programs.keep-sorted.enable = true;
-
-        # This uses nixfmt-rfc-style underneath,
-        # the default formatter for Nix code.
-        # See https://github.com/NixOS/nixfmt
-        programs.nixfmt.enable = true;
-
-        settings.formatter.editorconfig-checker = {
-          command = "${pkgs.lib.getExe pkgs.editorconfig-checker}";
-          options = [ "-disable-indent-size" ];
-          includes = [ "*" ];
-          priority = 1;
-        };
-      };
-      fs = pkgs.lib.fileset;
-      nixFilesSrc = fs.toSource {
-        root = ../.;
-        fileset = fs.difference ../. (fs.maybeMissing ../.git);
-      };
-    in
-    {
-      shell = treefmtEval.config.build.devShell;
-      pkg = treefmtEval.config.build.wrapper;
-      check = treefmtEval.config.build.check nixFilesSrc;
-    };
-
 in
 {
-  inherit pkgs fmt;
+  inherit pkgs;
   requestReviews = pkgs.callPackage ./request-reviews { };
   codeownersValidator = pkgs.callPackage ./codeowners-validator { };
   eval = pkgs.callPackage ./eval { };
-
-  # CI jobs
-  lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
-  manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
-  manual-nixpkgs = (import ../doc { });
-  manual-nixpkgs-tests = (import ../doc { }).tests;
-  nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
-  parse = pkgs.lib.recurseIntoAttrs {
-    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
-    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
-    minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.minimum; };
-  };
-  shell = import ../shell.nix { inherit nixpkgs system; };
 }

ci/eval/README.md

@@ -11,7 +11,7 @@ nix-build ci -A eval.full \
   --arg evalSystems '["x86_64-linux" "aarch64-darwin"]'
 ```
 
-- `--max-jobs`: The maximum number of derivations to run at the same time. Only each [supported system](../supportedSystems.json) gets a separate derivation, so it doesn't make sense to set this higher than that number.
+- `--max-jobs`: The maximum number of derivations to run at the same time. Only each [supported system](../supportedSystems.nix) gets a separate derivation, so it doesn't make sense to set this higher than that number.
 - `--cores`: The number of cores to use for each job. Recommended to set this to the amount of cores on your system divided by `--max-jobs`.
 - `chunkSize`: The number of attributes that are evaluated simultaneously on a single core. Lowering this decreases memory usage at the cost of increased evaluation time. If this is too high, there won't be enough chunks to process them in parallel, and will also increase evaluation time.
 - `evalSystems`: The set of systems for which `nixpkgs` should be evaluated. Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).

ci/eval/compare/cmp-stats.py

@@ -1,154 +0,0 @@
-import json
-import os
-from scipy.stats import ttest_rel
-import pandas as pd
-import numpy as np
-from pathlib import Path
-
-# Define metrics of interest (can be expanded as needed)
-METRIC_PREFIXES = ("nr", "gc")
-
-def flatten_data(json_data: dict) -> dict:
-    """
-    Extracts and flattens metrics from JSON data.
-    This is needed because the JSON data can be nested.
-    For example, the JSON data entry might look like this:
-
-    "gc":{"cycles":13,"heapSize":5404549120,"totalBytes":9545876464}
-
-    Flattened:
-
-    "gc.cycles": 13
-    "gc.heapSize": 5404549120
-    ...
-
-    Args:
-        json_data (dict): JSON data containing metrics.
-    Returns:
-        dict: Flattened metrics with keys as metric names.
-    """
-    flat_metrics = {}
-    for k, v in json_data.items():
-        if isinstance(v, (int, float)):
-            flat_metrics[k] = v
-        elif isinstance(v, dict):
-            for sub_k, sub_v in v.items():
-                flat_metrics[f"{k}.{sub_k}"] = sub_v
-    return flat_metrics
-
-
-
-
-def load_all_metrics(directory: Path) -> dict:
-    """
-    Loads all stats JSON files in the specified directory and extracts metrics.
-
-    Args:
-        directory (Path): Directory containing JSON files.
-    Returns:
-        dict: Dictionary with filenames as keys and extracted metrics as values.
-    """
-    metrics = {}
-    for system_dir in directory.iterdir():
-        assert system_dir.is_dir()
-
-        for chunk_output in system_dir.iterdir():
-                with chunk_output.open() as f:
-                    data = json.load(f)
-                metrics[f"{system_dir.name}/${chunk_output.name}"] = flatten_data(data)
-
-    return metrics
-
-def dataframe_to_markdown(df: pd.DataFrame) -> str:
-    df = df.sort_values(by=df.columns[0], ascending=True)
-    markdown_lines = []
-
-    # Header (get column names and format them)
-    header = '\n| ' + ' | '.join(df.columns) + ' |'
-    markdown_lines.append(header)
-    markdown_lines.append("| - " * (len(df.columns)) + "|")  # Separator line
-
-    # Iterate over rows to build Markdown rows
-    for _, row in df.iterrows():
-        # TODO: define threshold for highlighting
-        highlight = False
-
-        fmt = lambda x: f"**{x}**" if highlight else f"{x}"
-
-        # Check for no change and NaN in p_value/t_stat
-        row_values = []
-        for val in row:
-            if isinstance(val, float) and np.isnan(val):  # For NaN values in p-value or t-stat
-                row_values.append("-")  # Custom symbol for NaN
-            elif isinstance(val, float) and val == 0:  # For no change (mean_diff == 0)
-                row_values.append("-")  # Custom symbol for no change
-            else:
-                row_values.append(fmt(f"{val:.4f}" if isinstance(val, float) else str(val)))
-
-        markdown_lines.append('| ' + ' | '.join(row_values) + ' |')
-
-    return '\n'.join(markdown_lines)
-
-
-def perform_pairwise_tests(before_metrics: dict, after_metrics: dict) -> pd.DataFrame:
-    common_files = sorted(set(before_metrics) & set(after_metrics))
-    all_keys = sorted({ metric_keys for file_metrics in before_metrics.values() for metric_keys in file_metrics.keys() })
-
-    results = []
-
-    for key in all_keys:
-        before_vals, after_vals = [], []
-
-        for fname in common_files:
-            if key in before_metrics[fname] and key in after_metrics[fname]:
-                before_vals.append(before_metrics[fname][key])
-                after_vals.append(after_metrics[fname][key])
-
-        if len(before_vals) >= 2:
-            before_arr = np.array(before_vals)
-            after_arr = np.array(after_vals)
-
-            diff = after_arr - before_arr
-            pct_change = 100 * diff / before_arr
-            t_stat, p_val = ttest_rel(after_arr, before_arr)
-
-            results.append({
-                "metric": key,
-                "mean_before": np.mean(before_arr),
-                "mean_after": np.mean(after_arr),
-                "mean_diff": np.mean(diff),
-                "mean_%_change": np.mean(pct_change),
-                "p_value": p_val,
-                "t_stat": t_stat
-            })
-
-    df = pd.DataFrame(results).sort_values("p_value")
-    return df
-
-
-if __name__ == "__main__":
-    before_dir = os.environ.get("BEFORE_DIR")
-    after_dir = os.environ.get("AFTER_DIR")
-
-    if not before_dir or not after_dir:
-        print("Error: Environment variables 'BEFORE_DIR' and 'AFTER_DIR' must be set.")
-        exit(1)
-
-    before_stats = Path(before_dir) / "stats"
-    after_stats = Path(after_dir) / "stats"
-
-    # This may happen if the pull request target does not include PR#399720 yet.
-    if not before_stats.exists():
-        print("⚠️  Skipping comparison: stats directory is missing in the target commit.")
-        exit(0)
-
-    # This should never happen, but we're exiting gracefully anyways
-    if not after_stats.exists():
-        print("⚠️  Skipping comparison: stats directory missing in current PR evaluation.")
-        exit(0)
-
-    before_metrics = load_all_metrics(before_stats)
-    after_metrics = load_all_metrics(after_stats)
-    df1 = perform_pairwise_tests(before_metrics, after_metrics)
-    markdown_table = dataframe_to_markdown(df1)
-    print(markdown_table)

ci/eval/compare/default.nix

@@ -1,17 +1,11 @@
 {
-  callPackage,
   lib,
   jq,
   runCommand,
   writeText,
-  python3,
-}:
-{
-  combinedDir,
-  touchedFilesJson,
-  githubAuthorId,
-  byName ? false,
+  ...
 }:
+{ beforeResultDir, afterResultDir }:
 let
   /*
     Derivation that computes which packages are affected (added, changed or removed) between two revisions of nixpkgs.
@@ -19,7 +13,7 @@ let
 
     ---
     Inputs:
-    - beforeDir, afterDir: The evaluation result from before and after the change.
+    - beforeResultDir, afterResultDir: The evaluation result from before and after the change.
       They can be obtained by running `nix-build -A ci.eval.full` on both revisions.
 
     ---
@@ -65,23 +59,29 @@ let
       Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
   */
   inherit (import ./utils.nix { inherit lib; })
+    diff
     groupByKernel
     convertToPackagePlatformAttrs
     groupByPlatform
     extractPackageNames
     getLabels
+    uniqueStrings
     ;
 
+  getAttrs = dir: builtins.fromJSON (builtins.readFile "${dir}/outpaths.json");
+  beforeAttrs = getAttrs beforeResultDir;
+  afterAttrs = getAttrs afterResultDir;
+
   # Attrs
   # - keys: "added", "changed" and "removed"
   # - values: lists of `packagePlatformPath`s
-  diffAttrs = builtins.fromJSON (builtins.readFile "${combinedDir}/combined-diff.json");
-
-  rebuilds = diffAttrs.added ++ diffAttrs.changed;
-  rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
+  diffAttrs = diff beforeAttrs afterAttrs;
 
   changed-paths =
     let
+      rebuilds = uniqueStrings (diffAttrs.added ++ diffAttrs.changed);
+      rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
+
       rebuildsByPlatform = groupByPlatform rebuildsPackagePlatformAttrs;
       rebuildsByKernel = groupByKernel rebuildsPackagePlatformAttrs;
       rebuildCountByKernel = lib.mapAttrs (
@@ -96,84 +96,19 @@ let
           rebuildsByKernel
           rebuildCountByKernel
           ;
-        labels =
-          (getLabels rebuildCountByKernel)
-          # Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
-          ++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
-            lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
-          )
-          # Adds the "11.by: package-maintainer" label if all of the packages directly
-          # changed are maintained by the PR's author. (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
-          ++ lib.optional (
-            maintainers ? ${githubAuthorId}
-            && lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
-              lib.flatten (lib.attrValues maintainers)
-            )
-          ) "11.by: package-maintainer";
+        labels = getLabels rebuildCountByKernel;
       }
     );
-
-  maintainers = callPackage ./maintainers.nix { } {
-    changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
-    changedpathsjson = touchedFilesJson;
-    inherit byName;
-  };
 in
 runCommand "compare"
   {
-    nativeBuildInputs = [
-      jq
-      (python3.withPackages (
-        ps: with ps; [
-          numpy
-          pandas
-          scipy
-        ]
-      ))
-
-    ];
-    maintainers = builtins.toJSON maintainers;
-    passAsFile = [ "maintainers" ];
-    env = {
-      BEFORE_DIR = "${combinedDir}/before";
-      AFTER_DIR = "${combinedDir}/after";
-    };
+    nativeBuildInputs = [ jq ];
   }
   ''
     mkdir $out
 
     cp ${changed-paths} $out/changed-paths.json
 
-
-    if jq -e '(.attrdiff.added | length == 0) and (.attrdiff.removed | length == 0)' "${changed-paths}" > /dev/null; then
-      # Chunks have changed between revisions
-      # We cannot generate a performance comparison
-      {
-        echo
-        echo "# Performance comparison"
-        echo
-        echo "This compares the performance of this branch against its pull request base branch (e.g., 'master')"
-        echo
-        echo "For further help please refer to: [ci/README.md](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md)"
-        echo
-      } >> $out/step-summary.md
-
-      python3 ${./cmp-stats.py} >> $out/step-summary.md
-
-    else
-      # Package chunks are the same in both revisions
-      # We can use the to generate a performance comparison
-      {
-        echo
-        echo "# Performance Comparison"
-        echo
-        echo "Performance stats were skipped because the package sets differ between the two revisions."
-        echo
-        echo "For further help please refer to: [ci/README.md](https://github.com/NixOS/nixpkgs/blob/master/ci/README.md)"
-      } >> $out/step-summary.md
-    fi
-
-    jq -r -f ${./generate-step-summary.jq} < ${changed-paths} >> $out/step-summary.md
-
-    cp "$maintainersPath" "$out/maintainers.json"
+    jq -r -f ${./generate-step-summary.jq} < ${changed-paths} > $out/step-summary.md
+    # TODO: Compare eval stats
   ''

ci/eval/compare/maintainers.nix

@@ -1,114 +0,0 @@
-{
-  lib,
-}:
-# Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
-{
-  changedattrs,
-  changedpathsjson,
-  byName ? false,
-}:
-let
-  pkgs = import ../../.. {
-    system = "x86_64-linux";
-    config = { };
-    overlays = [ ];
-  };
-
-  changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);
-
-  anyMatchingFile =
-    filename: builtins.any (changed: lib.strings.hasSuffix changed filename) changedpaths;
-
-  anyMatchingFiles = files: builtins.any anyMatchingFile files;
-
-  enrichedAttrs = builtins.map (name: {
-    path = lib.splitString "." name;
-    name = name;
-  }) changedattrs;
-
-  validPackageAttributes = builtins.filter (
-    pkg:
-    if (lib.attrsets.hasAttrByPath pkg.path pkgs) then
-      (
-        let
-          value = lib.attrsets.attrByPath pkg.path null pkgs;
-        in
-        if (builtins.tryEval value).success then
-          if value != null then true else builtins.trace "${pkg.name} exists but is null" false
-        else
-          builtins.trace "Failed to access ${pkg.name} even though it exists" false
-      )
-    else
-      builtins.trace "Failed to locate ${pkg.name}." false
-  ) enrichedAttrs;
-
-  attrsWithPackages = builtins.map (
-    pkg: pkg // { package = lib.attrsets.attrByPath pkg.path null pkgs; }
-  ) validPackageAttributes;
-
-  attrsWithMaintainers = builtins.map (
-    pkg:
-    let
-      meta = pkg.package.meta or { };
-    in
-    pkg
-    // {
-      # TODO: Refactor this so we can ping entire teams instead of the individual members.
-      # Note that this will require keeping track of GH team IDs in "maintainers/teams.nix".
-      maintainers = meta.maintainers or [ ];
-    }
-  ) attrsWithPackages;
-
-  relevantFilenames =
-    drv:
-    (lib.lists.unique (
-      builtins.map (pos: lib.strings.removePrefix (toString ../..) pos.file) (
-        builtins.filter (x: x != null) [
-          ((drv.meta or { }).maintainersPosition or null)
-          ((drv.meta or { }).teamsPosition or null)
-          (builtins.unsafeGetAttrPos "src" drv)
-          # broken because name is always set by stdenv:
-          #    # A hack to make `nix-env -qa` and `nix search` ignore broken packages.
-          #    # TODO(@oxij): remove this assert when something like NixOS/nix#1771 gets merged into nix.
-          #    name = assert validity.handled; name + lib.optionalString
-          #(builtins.unsafeGetAttrPos "name" drv)
-          (builtins.unsafeGetAttrPos "pname" drv)
-          (builtins.unsafeGetAttrPos "version" drv)
-
-          # Use ".meta.position" for cases when most of the package is
-          # defined in a "common" section and the only place where
-          # reference to the file with a derivation the "pos"
-          # attribute.
-          #
-          # ".meta.position" has the following form:
-          #   "pkgs/tools/package-management/nix/default.nix:155"
-          # We transform it to the following:
-          #   { file = "pkgs/tools/package-management/nix/default.nix"; }
-          { file = lib.head (lib.splitString ":" (drv.meta.position or "")); }
-        ]
-      )
-    ));
-
-  attrsWithFilenames = builtins.map (
-    pkg: pkg // { filenames = relevantFilenames pkg.package; }
-  ) attrsWithMaintainers;
-
-  attrsWithModifiedFiles = builtins.filter (pkg: anyMatchingFiles pkg.filenames) attrsWithFilenames;
-
-  listToPing = lib.concatMap (
-    pkg:
-    builtins.map (maintainer: {
-      id = maintainer.githubId;
-      inherit (maintainer) github;
-      packageName = pkg.name;
-      dueToFiles = pkg.filenames;
-    }) pkg.maintainers
-  ) attrsWithModifiedFiles;
-
-  byMaintainer = lib.groupBy (ping: toString ping.${if byName then "github" else "id"}) listToPing;
-
-  packagesPerMaintainer = lib.attrsets.mapAttrs (
-    maintainer: packages: builtins.map (pkg: pkg.packageName) packages
-  ) byMaintainer;
-in
-packagesPerMaintainer

ci/eval/compare/utils.nix

@@ -11,7 +11,6 @@ rec {
     into
       {
         name = "hello";
-        packagePath = [ "hello" ];
         platform = "aarch64-linux";
       }
   */
@@ -31,9 +30,6 @@ rec {
       null
     else
       {
-        # [ "python312Packages" "numpy" ]
-        inherit packagePath;
-
         # python312Packages.numpy
         inherit name;
 
@@ -56,12 +52,12 @@ rec {
       ]
     into
       [
-        { name = "hello"; platform = "aarch64-linux"; packagePath = [ "hello" ]; }
-        { name = "hello"; platform = "x86_64-linux"; packagePath = [ "hello" ]; }
-        { name = "hello"; platform = "aarch64-darwin"; packagePath = [ "hello" ]; }
-        { name = "hello"; platform = "x86_64-darwin"; packagePath = [ "hello" ]; }
-        { name = "bye"; platform = "aarch64-darwin"; packagePath = [ "hello" ]; }
-        { name = "bye"; platform = "x86_64-darwin"; packagePath = [ "hello" ]; }
+        { name = "hello"; platform = "aarch64-linux"; }
+        { name = "hello"; platform = "x86_64-linux"; }
+        { name = "hello"; platform = "aarch64-darwin"; }
+        { name = "hello"; platform = "x86_64-darwin"; }
+        { name = "bye"; platform = "aarch64-darwin"; }
+        { name = "bye"; platform = "x86_64-darwin"; }
       ]
   */
   convertToPackagePlatformAttrs =
@@ -93,17 +89,43 @@ rec {
     in
     uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);
 
+  /*
+    Computes the key difference between two attrs
+
+    {
+      added: [ <keys only in the second object> ],
+      removed: [ <keys only in the first object> ],
+      changed: [ <keys with different values between the two objects> ],
+    }
+  */
+  diff =
+    let
+      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
+    in
+    old: new: {
+      added = filterKeys (n: _: !(old ? ${n})) new;
+      removed = filterKeys (n: _: !(new ? ${n})) old;
+      changed = filterKeys (
+        n: v:
+        # Filter out attributes that don't exist anymore
+        (new ? ${n})
+
+        # Filter out attributes that are the same as the new value
+        && (v != (new.${n}))
+      ) old;
+    };
+
   /*
     Group a list of `packagePlatformAttr`s by platforms
 
     Turns
       [
-        { name = "hello"; platform = "aarch64-linux"; ... }
-        { name = "hello"; platform = "x86_64-linux"; ... }
-        { name = "hello"; platform = "aarch64-darwin"; ... }
-        { name = "hello"; platform = "x86_64-darwin"; ... }
-        { name = "bye"; platform = "aarch64-darwin"; ... }
-        { name = "bye"; platform = "x86_64-darwin"; ... }
+        { name = "hello"; platform = "aarch64-linux"; }
+        { name = "hello"; platform = "x86_64-linux"; }
+        { name = "hello"; platform = "aarch64-darwin"; }
+        { name = "hello"; platform = "x86_64-darwin"; }
+        { name = "bye"; platform = "aarch64-darwin"; }
+        { name = "bye"; platform = "x86_64-darwin"; }
       ]
     into
       {
@@ -123,12 +145,12 @@ rec {
 
   # Turns
   # [
-  #   { name = "hello"; platform = "aarch64-linux"; ... }
-  #   { name = "hello"; platform = "x86_64-linux"; ... }
-  #   { name = "hello"; platform = "aarch64-darwin"; ... }
-  #   { name = "hello"; platform = "x86_64-darwin"; ... }
-  #   { name = "bye"; platform = "aarch64-darwin"; ... }
-  #   { name = "bye"; platform = "x86_64-darwin"; ... }
+  #   { name = "hello"; platform = "aarch64-linux"; }
+  #   { name = "hello"; platform = "x86_64-linux"; }
+  #   { name = "hello"; platform = "aarch64-darwin"; }
+  #   { name = "hello"; platform = "x86_64-darwin"; }
+  #   { name = "bye"; platform = "aarch64-darwin"; }
+  #   { name = "bye"; platform = "x86_64-darwin"; }
   # ]
   #
   # into
@@ -156,57 +178,36 @@ rec {
     Turns
       {
         linux = 56;
-        darwin = 1;
+        darwin = 8;
       }
     into
       [
-        "10.rebuild-darwin: 1"
         "10.rebuild-darwin: 1-10"
         "10.rebuild-linux: 11-100"
       ]
   */
-  getLabels =
-    rebuildCountByKernel:
-    lib.concatLists (
-      lib.mapAttrsToList (
-        kernel: rebuildCount:
-        let
-          numbers =
-            if rebuildCount == 0 then
-              [ "0" ]
-            else if rebuildCount == 1 then
-              [
-                "1"
-                "1-10"
-              ]
-            else if rebuildCount <= 10 then
-              [ "1-10" ]
-            else if rebuildCount <= 100 then
-              [ "11-100" ]
-            else if rebuildCount <= 500 then
-              [ "101-500" ]
-            else if rebuildCount <= 1000 then
-              [
-                "501-1000"
-                "501+"
-              ]
-            else if rebuildCount <= 2500 then
-              [
-                "1001-2500"
-                "501+"
-              ]
-            else if rebuildCount <= 5000 then
-              [
-                "2501-5000"
-                "501+"
-              ]
-            else
-              [
-                "5001+"
-                "501+"
-              ];
-        in
-        lib.forEach numbers (number: "10.rebuild-${kernel}: ${number}")
-      ) rebuildCountByKernel
-    );
+  getLabels = lib.mapAttrsToList (
+    kernel: rebuildCount:
+    let
+      number =
+        if rebuildCount == 0 then
+          "0"
+        else if rebuildCount <= 10 then
+          "1-10"
+        else if rebuildCount <= 100 then
+          "11-100"
+        else if rebuildCount <= 500 then
+          "101-500"
+        else if rebuildCount <= 1000 then
+          "501-1000"
+        else if rebuildCount <= 2500 then
+          "1001-2500"
+        else if rebuildCount <= 5000 then
+          "2501-5000"
+        else
+          "5001+";
+
+    in
+    "10.rebuild-${kernel}: ${number}"
+  );
 }

ci/eval/default.nix

@@ -1,15 +1,14 @@
 {
-  callPackage,
   lib,
   runCommand,
   writeShellScript,
   writeText,
-  symlinkJoin,
+  linkFarm,
   time,
   procps,
   nixVersions,
   jq,
-  python3,
+  sta,
 }:
 
 let
@@ -26,19 +25,16 @@ let
           "nixos"
           "pkgs"
           ".version"
-          "ci/supportedSystems.json"
+          "ci/supportedSystems.nix"
         ]
       );
     };
 
-  nix = nixVersions.latest;
+  nix = nixVersions.nix_2_24;
 
-  supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);
+  supportedSystems = import ../supportedSystems.nix;
 
   attrpathsSuperset =
-    {
-      evalSystem,
-    }:
     runCommand "attrpaths-superset.json"
       {
         src = nixpkgs;
@@ -46,6 +42,8 @@ let
           nix
           time
         ];
+        env.supportedSystems = builtins.toJSON supportedSystems;
+        passAsFile = [ "supportedSystems" ];
       }
       ''
         export NIX_STATE_DIR=$(mktemp -d)
@@ -58,8 +56,8 @@ let
             -I "$src" \
             --option restrict-eval true \
             --option allow-import-from-derivation false \
-            --option eval-system "${evalSystem}" \
             --arg enableWarnings false > $out/paths.json
+        mv "$supportedSystemsPath" $out/systems.json
       '';
 
   singleSystem =
@@ -69,13 +67,11 @@ let
       # because `--argstr system` would only be passed to the ci/default.nix file!
       evalSystem,
       # The path to the `paths.json` file from `attrpathsSuperset`
-      attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
+      attrpathFile,
       # The number of attributes per chunk, see ./README.md for more info.
       chunkSize,
       checkMeta ? true,
-
-      # Don't try to eval packages marked as broken.
-      includeBroken ? false,
+      includeBroken ? true,
       # Whether to just evaluate a single chunk for quick testing
       quickTest ? false,
     }:
@@ -91,14 +87,12 @@ let
         export NIX_SHOW_STATS_PATH="$outputDir/stats/$myChunk"
         echo "Chunk $myChunk on $system start"
         set +e
-        command time -o "$outputDir/timestats/$myChunk" \
-          -f "Chunk $myChunk on $system done [%MKB max resident, %Es elapsed] %C" \
+        command time -f "Chunk $myChunk on $system done [%MKB max resident, %Es elapsed] %C" \
           nix-env -f "${nixpkgs}/pkgs/top-level/release-attrpaths-parallel.nix" \
-          --eval-system "$system" \
           --option restrict-eval true \
           --option allow-import-from-derivation false \
           --query --available \
-          --out-path --json \
+          --no-name --attr-path --out-path \
           --show-trace \
           --arg chunkSize "$chunkSize" \
           --arg myChunk "$myChunk" \
@@ -108,19 +102,13 @@ let
           --arg includeBroken ${lib.boolToString includeBroken} \
           -I ${nixpkgs} \
           -I ${attrpathFile} \
-          > "$outputDir/result/$myChunk" \
-          2> "$outputDir/stderr/$myChunk"
+          > "$outputDir/result/$myChunk"
         exitCode=$?
         set -e
-        cat "$outputDir/stderr/$myChunk"
-        cat "$outputDir/timestats/$myChunk"
         if (( exitCode != 0 )); then
           echo "Evaluation failed with exit code $exitCode"
           # This immediately halts all xargs processes
           kill $PPID
-        elif [[ -s "$outputDir/stderr/$myChunk" ]]; then
-          echo "Nixpkgs on $system evaluated with warnings, aborting"
-          kill $PPID
         fi
       '';
     in
@@ -150,7 +138,7 @@ let
         chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
         echo "Chunk count: $chunkCount"
 
-        mkdir -p $out/${evalSystem}
+        mkdir $out
 
         # Record and print stats on free memory and swap in the background
         (
@@ -159,11 +147,11 @@ let
             freeSwap=$(free -b | grep Swap | awk '{print $4}')
             echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"
 
-            if [[ ! -f "$out/${evalSystem}/min-avail-memory" ]] || (( availMemory < $(<$out/${evalSystem}/min-avail-memory) )); then
-              echo "$availMemory" > $out/${evalSystem}/min-avail-memory
+            if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
+              echo "$availMemory" > $out/min-avail-memory
             fi
-            if [[ ! -f $out/${evalSystem}/min-free-swap ]] || (( availMemory < $(<$out/${evalSystem}/min-free-swap) )); then
-              echo "$freeSwap" > $out/${evalSystem}/min-free-swap
+            if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
+              echo "$freeSwap" > $out/min-free-swap
             fi
             sleep 4
           done
@@ -176,59 +164,98 @@ let
         ''}
 
         chunkOutputDir=$(mktemp -d)
-        mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}
+        mkdir "$chunkOutputDir"/{result,stats}
 
         seq -w 0 "$seq_end" |
-          command time -f "%e" -o "$out/${evalSystem}/total-time" \
+          command time -f "%e" -o "$out/total-time" \
           xargs -I{} -P"$cores" \
           ${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"
 
-        cp -r "$chunkOutputDir"/stats $out/${evalSystem}/stats-by-chunk
-
         if (( chunkSize * chunkCount != attrCount )); then
           # A final incomplete chunk would mess up the stats, don't include it
           rm "$chunkOutputDir"/stats/"$seq_end"
         fi
 
-        cat "$chunkOutputDir"/result/* | jq -s 'add | map_values(.outputs)' > $out/${evalSystem}/paths.json
+        # Make sure the glob doesn't break when there's no files
+        shopt -s nullglob
+        cat "$chunkOutputDir"/result/* > $out/paths
+        cat "$chunkOutputDir"/stats/* > $out/stats.jsonstream
       '';
 
-  diff = callPackage ./diff.nix { };
-
   combine =
     {
-      diffDir,
+      resultsDir,
     }:
-    runCommand "combined-eval"
+    runCommand "combined-result"
       {
         nativeBuildInputs = [
           jq
+          sta
         ];
       }
       ''
         mkdir -p $out
 
-        # Combine output paths from all systems
-        cat ${diffDir}/*/diff.json | jq -s '
-          reduce .[] as $item ({}; {
-            added: (.added + $item.added),
-            changed: (.changed + $item.changed),
-            removed: (.removed + $item.removed)
-          })
-        ' > $out/combined-diff.json
+        # Transform output paths to JSON
+        cat ${resultsDir}/*/paths |
+          jq --sort-keys --raw-input --slurp '
+            split("\n") |
+            map(select(. != "") | split(" ") | map(select(. != ""))) |
+            map(
+              {
+                key: .[0],
+                value: .[1] | split(";") | map(split("=") |
+                  if length == 1 then
+                    { key: "out", value: .[0] }
+                  else
+                    { key: .[0], value: .[1] }
+                  end) | from_entries}
+            ) | from_entries
+          ' > $out/outpaths.json
 
-        mkdir -p $out/before/stats
-        for d in ${diffDir}/before/*; do
-          cp -r "$d"/stats-by-chunk $out/before/stats/$(basename "$d")
-        done
+        # Computes min, mean, error, etc. for a list of values and outputs a JSON from that
+        statistics() {
+          local stat=$1
+          sta --transpose |
+            jq --raw-input --argjson stat "$stat" -n '
+              [
+                inputs |
+                  split("\t") |
+                  { key: .[0], value: (.[1] | fromjson) }
+              ] |
+                from_entries |
+                {
+                  key: ($stat | join(".")),
+                  value: .
+                }'
+        }
 
-        mkdir -p $out/after/stats
-        for d in ${diffDir}/after/*; do
-          cp -r "$d"/stats-by-chunk $out/after/stats/$(basename "$d")
-        done
+        # Gets all available number stats (without .sizes because those are constant and not interesting)
+        readarray -t stats < <(jq -cs '.[0] | del(.sizes) | paths(type == "number")' ${resultsDir}/*/stats.jsonstream)
+
+        # Combines the statistics from all evaluations
+        {
+          echo "{ \"key\": \"minAvailMemory\", \"value\": $(cat ${resultsDir}/*/min-avail-memory | sta --brief --min) }"
+          echo "{ \"key\": \"minFreeSwap\", \"value\": $(cat ${resultsDir}/*/min-free-swap | sta --brief --min) }"
+          cat ${resultsDir}/*/total-time | statistics '["totalTime"]'
+          for stat in "''${stats[@]}"; do
+            cat ${resultsDir}/*/stats.jsonstream |
+              jq --argjson stat "$stat" 'getpath($stat)' |
+              statistics "$stat"
+          done
+        } |
+          jq -s from_entries > $out/stats.json
       '';
 
-  compare = callPackage ./compare { };
+  compare = import ./compare {
+    inherit
+      lib
+      jq
+      runCommand
+      writeText
+      supportedSystems
+      ;
+  };
 
   full =
     {
@@ -239,26 +266,18 @@ let
       quickTest ? false,
     }:
     let
-      diffs = symlinkJoin {
-        name = "diffs";
-        paths = map (
-          evalSystem:
-          let
-            eval = singleSystem {
-              inherit quickTest evalSystem chunkSize;
-            };
-          in
-          diff {
-            inherit evalSystem;
-            # Local "full" evaluation doesn't do a real diff.
-            beforeDir = eval;
-            afterDir = eval;
-          }
-        ) evalSystems;
-      };
+      results = linkFarm "results" (
+        map (evalSystem: {
+          name = evalSystem;
+          path = singleSystem {
+            inherit quickTest evalSystem chunkSize;
+            attrpathFile = attrpathsSuperset + "/paths.json";
+          };
+        }) evalSystems
+      );
     in
     combine {
-      diffDir = diffs;
+      resultsDir = results;
     };
 
 in
@@ -266,7 +285,6 @@ in
   inherit
     attrpathsSuperset
     singleSystem
-    diff
     combine
     compare
     # The above three are used by separate VMs in a GitHub workflow,

ci/eval/diff.nix

@@ -1,61 +0,0 @@
-{
-  lib,
-  runCommand,
-  writeText,
-}:
-
-{
-  beforeDir,
-  afterDir,
-  evalSystem,
-}:
-
-let
-  /*
-    Computes the key difference between two attrs
-
-    {
-      added: [ <keys only in the second object> ],
-      removed: [ <keys only in the first object> ],
-      changed: [ <keys with different values between the two objects> ],
-    }
-  */
-  diff =
-    let
-      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
-    in
-    old: new: {
-      added = filterKeys (n: _: !(old ? ${n})) new;
-      removed = filterKeys (n: _: !(new ? ${n})) old;
-      changed = filterKeys (
-        n: v:
-        # Filter out attributes that don't exist anymore
-        (new ? ${n})
-
-        # Filter out attributes that are the same as the new value
-        && (v != (new.${n}))
-      ) old;
-    };
-
-  getAttrs =
-    dir:
-    let
-      raw = builtins.readFile "${dir}/${evalSystem}/paths.json";
-      # The file contains Nix paths; we need to ignore them for evaluation purposes,
-      # else there will be a "is not allowed to refer to a store path" error.
-      data = builtins.unsafeDiscardStringContext raw;
-    in
-    builtins.fromJSON data;
-
-  beforeAttrs = getAttrs beforeDir;
-  afterAttrs = getAttrs afterDir;
-  diffAttrs = diff beforeAttrs afterAttrs;
-  diffJson = writeText "diff.json" (builtins.toJSON diffAttrs);
-in
-runCommand "diff" { } ''
-  mkdir -p $out/${evalSystem}
-
-  cp -r ${beforeDir} $out/before
-  cp -r ${afterDir} $out/after
-  cp ${diffJson} $out/${evalSystem}/diff.json
-''

ci/get-merge-commit.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# See ./README.md for docs
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( $# < 2 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER"
+    exit 99
+fi
+repo=$1
+prNumber=$2
+
+# Retry the API query this many times
+retryCount=5
+# Start with 5 seconds, but double every retry
+retryInterval=5
+
+while true; do
+    log "Checking whether the pull request can be merged"
+    prInfo=$(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$repo/pulls/$prNumber")
+
+    # Non-open PRs won't have their mergeability computed no matter what
+    state=$(jq -r .state <<< "$prInfo")
+    if [[ "$state" != open ]]; then
+        log "PR is not open anymore"
+        exit 1
+    fi
+
+    mergeable=$(jq -r .mergeable <<< "$prInfo")
+    if [[ "$mergeable" == "null" ]]; then
+        if (( retryCount == 0 )); then
+            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+            exit 3
+        else
+            (( retryCount -= 1 )) || true
+
+            # null indicates that GitHub is still computing whether it's mergeable
+            # Wait a couple seconds before trying again
+            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+            sleep "$retryInterval"
+
+            (( retryInterval *= 2 )) || true
+        fi
+    else
+        break
+    fi
+done
+
+if [[ "$mergeable" == "true" ]]; then
+    log "The PR can be merged"
+    jq -r .merge_commit_sha <<< "$prInfo"
+else
+    log "The PR has a merge conflict"
+    exit 2
+fi

ci/nixpkgs-vet.nix

@@ -1,31 +0,0 @@
-{
-  lib,
-  nix,
-  nixpkgs-vet,
-  runCommand,
-}:
-{
-  base ? ../.,
-  head ? ../.,
-}:
-let
-  filtered =
-    with lib.fileset;
-    path:
-    toSource {
-      fileset = (gitTracked path);
-      root = path;
-    };
-in
-runCommand "nixpkgs-vet"
-  {
-    nativeBuildInputs = [
-      nixpkgs-vet
-    ];
-    env.NIXPKGS_VET_NIX_PACKAGE = nix;
-  }
-  ''
-    nixpkgs-vet --base ${filtered base} ${filtered head}
-
-    touch $out
-  ''

ci/nixpkgs-vet.sh

@@ -65,5 +65,7 @@ trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
 toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
 trace -e "\e[34m$toolVersion\e[0m"
 
+trace -n "Building tool.. "
+nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
 trace "Running nixpkgs-vet.."
-nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"
+"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

ci/parse.nix

@@ -1,43 +0,0 @@
-{
-  lib,
-  nix,
-  runCommand,
-}:
-let
-  nixpkgs =
-    with lib.fileset;
-    toSource {
-      root = ../.;
-      fileset = (fileFilter (file: file.hasExt "nix") ../.);
-    };
-in
-runCommand "nix-parse-${nix.name}"
-  {
-    nativeBuildInputs = [
-      nix
-    ];
-  }
-  ''
-    export NIX_STORE_DIR=$TMPDIR/store
-    export NIX_STATE_DIR=$TMPDIR/state
-
-    cd "${nixpkgs}"
-
-    # Passes all files to nix-instantiate at once.
-    # Much faster, but will only show first error.
-    parse-all() {
-      find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse >/dev/null 2>/dev/null
-    }
-
-    # Passes each file separately to nix-instantiate with -n1.
-    # Much slower, but will show all errors.
-    parse-each() {
-      find . -type f -iname '*.nix' | xargs -n1 -P $(nproc) nix-instantiate --parse >/dev/null
-    }
-
-    if ! parse-all; then
-      parse-each
-    fi
-
-    touch $out
-  ''

ci/pinned-nixpkgs.json

@@ -1,4 +1,4 @@
 {
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
+  "rev": "929116e316068c7318c54eb4d827f7d9756d5e9c",
+  "sha256": "1am61kcakn9j47435k4cgsarvypb8klv4avszxza0jn362hp3ck8"
 }

ci/request-reviews/default.nix

@@ -14,9 +14,8 @@ stdenvNoCC.mkDerivation {
   src = lib.fileset.toSource {
     root = ./.;
     fileset = lib.fileset.unions [
-      ./get-code-owners.sh
-      ./request-reviewers.sh
-      ./request-code-owner-reviews.sh
+      ./get-reviewers.sh
+      ./request-reviews.sh
       ./verify-base-branch.sh
       ./dev-branches.txt
     ];

ci/request-reviews/get-code-owners.sh

@@ -1,97 +0,0 @@
-#!/usr/bin/env bash
-
-# Get the code owners of the files changed by a PR, returning one username per line
-
-set -euo pipefail
-
-log() {
-    echo "$@" >&2
-}
-
-if (( "$#" < 4 )); then
-    log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REF HEAD_REF"
-    exit 1
-fi
-
-gitRepo=$1
-ownersFile=$2
-baseRef=$3
-headRef=$4
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files"
-readarray -t touchedFiles < "$tmp/touched-files"
-log "This PR touches ${#touchedFiles[@]} files"
-
-# Get the owners file from the base, because we don't want to allow PRs to
-# remove code owners to avoid pinging them
-git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
-
-# Associative array with the user as the key for easy de-duplication
-# Make sure to always lowercase keys to avoid duplicates with different casings
-declare -A users=()
-
-for file in "${touchedFiles[@]}"; do
-    result=$(codeowners --file "$tmp"/codeowners "$file")
-
-    # Remove the file prefix and trim the surrounding spaces
-    read -r owners <<< "${result#"$file"}"
-    if [[ "$owners" == "(unowned)" ]]; then
-        log "File $file is unowned"
-        continue
-    fi
-    log "File $file is owned by $owners"
-
-    # Split up multiple owners, separated by arbitrary amounts of spaces
-    IFS=" " read -r -a entries <<< "$owners"
-
-    for entry in "${entries[@]}"; do
-        # GitHub technically also supports Emails as code owners,
-        # but we can't easily support that, so let's not
-        if [[ ! "$entry" =~ @(.*) ]]; then
-            warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2
-            # Don't fail, because the PR for which this script runs can't fix it,
-            # it has to be fixed in the base branch
-            continue
-        fi
-        # The first regex match is everything after the @
-        entry=${BASH_REMATCH[1]}
-
-        if [[ "$entry" =~ (.*)/(.*) ]]; then
-            # Teams look like $org/$team
-            org=${BASH_REMATCH[1]}
-            team=${BASH_REMATCH[2]}
-
-            # Instead of requesting a review from the team itself,
-            # we request reviews from the individual users.
-            # This is because once somebody from a team reviewed the PR,
-            # the API doesn't expose that the team was already requested for a review,
-            # so we wouldn't be able to avoid rerequesting reviews
-            # without saving some some extra state somewhere
-
-            # We could also consider implementing a more advanced heuristic
-            # in the future that e.g. only pings one team member,
-            # but escalates to somebody else if that member doesn't respond in time.
-            gh api \
-                --cache=1h \
-                -H "Accept: application/vnd.github+json" \
-                -H "X-GitHub-Api-Version: 2022-11-28" \
-                "/orgs/$org/teams/$team/members" \
-                --jq '.[].login' > "$tmp/team-members"
-            readarray -t members < "$tmp/team-members"
-            log "Team $entry has these members: ${members[*]}"
-
-            for user in "${members[@]}"; do
-                users[${user,,}]=
-            done
-        else
-            # Everything else is a user
-            users[${entry,,}]=
-        fi
-    done
-
-done
-
-printf "%s\n" "${!users[@]}"

ci/request-reviews/get-reviewers.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+
+# Get the code owners of the files changed by a PR,
+# suitable to be consumed by the API endpoint to request reviews:
+# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( "$#" < 7 )); then
+    log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REPO BASE_REF HEAD_REF PR_NUMBER PR_AUTHOR"
+    exit 1
+fi
+
+gitRepo=$1
+ownersFile=$2
+baseRepo=$3
+baseRef=$4
+headRef=$5
+prNumber=$6
+prAuthor=$7
+
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+
+git -C "$gitRepo" diff --name-only --merge-base "$baseRef" "$headRef" > "$tmp/touched-files"
+readarray -t touchedFiles < "$tmp/touched-files"
+log "This PR touches ${#touchedFiles[@]} files"
+
+# Get the owners file from the base, because we don't want to allow PRs to
+# remove code owners to avoid pinging them
+git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
+
+# Associative array with the user as the key for easy de-duplication
+# Make sure to always lowercase keys to avoid duplicates with different casings
+declare -A users=()
+
+for file in "${touchedFiles[@]}"; do
+    result=$(codeowners --file "$tmp"/codeowners "$file")
+
+    read -r file owners <<< "$result"
+    if [[ "$owners" == "(unowned)" ]]; then
+        log "File $file is unowned"
+        continue
+    fi
+    log "File $file is owned by $owners"
+
+    # Split up multiple owners, separated by arbitrary amounts of spaces
+    IFS=" " read -r -a entries <<< "$owners"
+
+    for entry in "${entries[@]}"; do
+        # GitHub technically also supports Emails as code owners,
+        # but we can't easily support that, so let's not
+        if [[ ! "$entry" =~ @(.*) ]]; then
+            warn -e "\e[33mCodeowner \"$entry\" for file $file is not valid: Must start with \"@\"\e[0m" >&2
+            # Don't fail, because the PR for which this script runs can't fix it,
+            # it has to be fixed in the base branch
+            continue
+        fi
+        # The first regex match is everything after the @
+        entry=${BASH_REMATCH[1]}
+
+        if [[ "$entry" =~ (.*)/(.*) ]]; then
+            # Teams look like $org/$team
+            org=${BASH_REMATCH[1]}
+            team=${BASH_REMATCH[2]}
+
+            # Instead of requesting a review from the team itself,
+            # we request reviews from the individual users.
+            # This is because once somebody from a team reviewed the PR,
+            # the API doesn't expose that the team was already requested for a review,
+            # so we wouldn't be able to avoid rerequesting reviews
+            # without saving some some extra state somewhere
+
+            # We could also consider implementing a more advanced heuristic
+            # in the future that e.g. only pings one team member,
+            # but escalates to somebody else if that member doesn't respond in time.
+            gh api \
+                --cache=1h \
+                -H "Accept: application/vnd.github+json" \
+                -H "X-GitHub-Api-Version: 2022-11-28" \
+                "/orgs/$org/teams/$team/members" \
+                --jq '.[].login' > "$tmp/team-members"
+            readarray -t members < "$tmp/team-members"
+            log "Team $entry has these members: ${members[*]}"
+
+            for user in "${members[@]}"; do
+                users[${user,,}]=
+            done
+        else
+            # Everything else is a user
+            users[${entry,,}]=
+        fi
+    done
+
+done
+
+# Cannot request a review from the author
+if [[ -v users[${prAuthor,,}] ]]; then
+    log "One or more files are owned by the PR author, ignoring"
+    unset 'users[${prAuthor,,}]'
+fi
+
+gh api \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/$baseRepo/pulls/$prNumber/reviews" \
+    --jq '.[].user.login' > "$tmp/already-reviewed-by"
+
+# And we don't want to rerequest reviews from people who already reviewed
+while read -r user; do
+    if [[ -v users[${user,,}] ]]; then
+        log "User $user is a code owner but has already left a review, ignoring"
+        unset 'users[${user,,}]'
+    fi
+done < "$tmp/already-reviewed-by"
+
+# Turn it into a JSON for the GitHub API call to request PR reviewers
+jq -n \
+    --arg users "${!users[*]}" \
+    '{
+      reviewers: $users | split(" "),
+    }'

ci/request-reviews/request-code-owner-reviews.sh

@@ -1,82 +0,0 @@
-#!/usr/bin/env bash
-
-# Requests reviews for a PR after verifying that the base branch is correct
-
-set -euo pipefail
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-SCRIPT_DIR=$(dirname "$0")
-
-log() {
-    echo "$@" >&2
-}
-
-effect() {
-    if [[ -n "${DRY_MODE:-}" ]]; then
-        log "Skipping in dry mode:" "${@@Q}"
-    else
-        "$@"
-    fi
-}
-
-if (( $# < 3 )); then
-    log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE"
-    exit 1
-fi
-baseRepo=$1
-prNumber=$2
-ownersFile=$3
-
-log "Fetching PR info"
-prInfo=$(gh api \
-  -H "Accept: application/vnd.github+json" \
-  -H "X-GitHub-Api-Version: 2022-11-28" \
-  "/repos/$baseRepo/pulls/$prNumber")
-
-baseBranch=$(jq -r .base.ref <<< "$prInfo")
-log "Base branch: $baseBranch"
-prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")
-log "PR repo: $prRepo"
-prBranch=$(jq -r .head.ref <<< "$prInfo")
-log "PR branch: $prBranch"
-prAuthor=$(jq -r .user.login <<< "$prInfo")
-log "PR author: $prAuthor"
-
-extraArgs=()
-if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then
-    # Speedup for local runs
-    extraArgs+=(--reference-if-able "$pwdRepo")
-fi
-
-log "Fetching Nixpkgs commit history"
-# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0
-# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary
-git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git
-
-log "Fetching the PR commit history"
-# Fetch the PR
-git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
-# This remote config is the same as --filter=tree:0 when cloning
-git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
-git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
-
-git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
-headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
-
-log "Checking correctness of the base branch"
-if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
-    log "Posting error as comment"
-    if ! response=$(effect gh api \
-        --method POST \
-        -H "Accept: application/vnd.github+json" \
-        -H "X-GitHub-Api-Version: 2022-11-28" \
-        "/repos/$baseRepo/issues/$prNumber/comments" \
-        -F "body=@$tmp/invalid-base-error"); then
-        log "Failed to post the comment: $response"
-    fi
-    exit 1
-fi
-
-log "Requesting reviews from code owners"
-"$SCRIPT_DIR"/get-code-owners.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseBranch" "$headRef" | \
-    "$SCRIPT_DIR"/request-reviewers.sh "$baseRepo" "$prNumber" "$prAuthor"

ci/request-reviews/request-reviewers.sh

@@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-
-# Request reviewers for a PR, reading line-separated usernames on stdin,
-# filtering for valid reviewers before using the API endpoint to request reviews:
-# https://docs.github.com/en/rest/pulls/review-requests?apiVersion=2022-11-28#request-reviewers-for-a-pull-request
-
-set -euo pipefail
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-log() {
-    echo "$@" >&2
-}
-
-effect() {
-    if [[ -n "${DRY_MODE:-}" ]]; then
-        log "Skipping in dry mode:" "${@@Q}"
-    else
-        "$@"
-    fi
-}
-
-if (( "$#" < 3 )); then
-    log "Usage: $0 BASE_REPO PR_NUMBER PR_AUTHOR"
-    exit 1
-fi
-
-baseRepo=$1
-prNumber=$2
-prAuthor=$3
-
-tmp=$(mktemp -d)
-trap 'rm -rf "$tmp"' exit
-
-declare -A users=()
-while read -r handle && [[ -n "$handle" ]]; do
-    users[${handle,,}]=
-done
-
-# Cannot request a review from the author
-if [[ -v users[${prAuthor,,}] ]]; then
-    log "One or more files are owned by the PR author, ignoring"
-    unset 'users[${prAuthor,,}]'
-fi
-
-gh api \
-    -H "Accept: application/vnd.github+json" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
-    "/repos/$baseRepo/pulls/$prNumber/reviews" \
-    --jq '.[].user.login' > "$tmp/already-reviewed-by"
-
-# And we don't want to rerequest reviews from people who already reviewed
-while read -r user; do
-    if [[ -v users[${user,,}] ]]; then
-        log "User $user is a potential reviewer, but has already left a review, ignoring"
-        unset 'users[${user,,}]'
-    fi
-done < "$tmp/already-reviewed-by"
-
-for user in "${!users[@]}"; do
-    if ! gh api \
-        -H "Accept: application/vnd.github+json" \
-        -H "X-GitHub-Api-Version: 2022-11-28" \
-        "/repos/$baseRepo/collaborators/$user" >&2; then
-        log "User $user is not a repository collaborator, probably missed the automated invite to the maintainers team (see <https://github.com/NixOS/nixpkgs/issues/234293>), ignoring"
-        unset 'users[$user]'
-    fi
-done
-
-if [[ "${#users[@]}" -gt 10 ]]; then
-    log "Too many reviewers (${!users[*]}), skipping review requests"
-    exit 0
-fi
-
-for user in "${!users[@]}"; do
-    log "Requesting review from: $user"
-
-    if ! response=$(jq -n --arg user "$user" '{ reviewers: [ $user ] }' | \
-        effect gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \
-            --input -); then
-        log "Failed to request review from $user: $response"
-    fi
-done

ci/request-reviews/request-reviews.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+# Requests reviews for a PR after verifying that the base branch is correct
+
+set -euo pipefail
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' exit
+SCRIPT_DIR=$(dirname "$0")
+
+log() {
+    echo "$@" >&2
+}
+
+effect() {
+    if [[ -n "${DRY_MODE:-}" ]]; then
+        log "Skipping in dry mode:" "${@@Q}"
+    else
+        "$@"
+    fi
+}
+
+if (( $# < 3 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER OWNERS_FILE"
+    exit 1
+fi
+baseRepo=$1
+prNumber=$2
+ownersFile=$3
+
+log "Fetching PR info"
+prInfo=$(gh api \
+  -H "Accept: application/vnd.github+json" \
+  -H "X-GitHub-Api-Version: 2022-11-28" \
+  "/repos/$baseRepo/pulls/$prNumber")
+
+baseBranch=$(jq -r .base.ref <<< "$prInfo")
+log "Base branch: $baseBranch"
+prRepo=$(jq -r .head.repo.full_name <<< "$prInfo")
+log "PR repo: $prRepo"
+prBranch=$(jq -r .head.ref <<< "$prInfo")
+log "PR branch: $prBranch"
+prAuthor=$(jq -r .user.login <<< "$prInfo")
+log "PR author: $prAuthor"
+
+extraArgs=()
+if pwdRepo=$(git rev-parse --show-toplevel 2>/dev/null); then
+    # Speedup for local runs
+    extraArgs+=(--reference-if-able "$pwdRepo")
+fi
+
+log "Fetching Nixpkgs commit history"
+# We only need the commit history, not the contents, so we can do a tree-less clone using tree:0
+# https://github.blog/open-source/git/get-up-to-speed-with-partial-clone-and-shallow-clone/#user-content-quick-summary
+git clone --bare --filter=tree:0 --no-tags --origin upstream "${extraArgs[@]}" https://github.com/"$baseRepo".git "$tmp"/nixpkgs.git
+
+log "Fetching the PR commit history"
+# Fetch the PR
+git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
+# This remote config is the same as --filter=tree:0 when cloning
+git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
+git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
+
+git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
+headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
+
+log "Checking correctness of the base branch"
+if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then
+    log "Posting error as comment"
+    if ! response=$(effect gh api \
+        --method POST \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$baseRepo/issues/$prNumber/comments" \
+        -F "body=@$tmp/invalid-base-error"); then
+        log "Failed to post the comment: $response"
+    fi
+    exit 1
+fi
+
+log "Getting code owners to request reviews from"
+"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseRepo" "$baseBranch" "$headRef" "$prNumber" "$prAuthor" > "$tmp/reviewers.json"
+
+log "Requesting reviews from: $(<"$tmp/reviewers.json")"
+
+if ! response=$(effect gh api \
+    --method POST \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/$baseRepo/pulls/$prNumber/requested_reviewers" \
+    --input "$tmp/reviewers.json"); then
+    log "Failed to request reviews: $response"
+    exit 1
+fi
+
+log "Successfully requested reviews"

ci/supportedSystems.json

@@ -1,6 +0,0 @@
-[
-  "aarch64-linux",
-  "aarch64-darwin",
-  "x86_64-linux",
-  "x86_64-darwin"
-]

ci/supportedSystems.nix

@@ -0,0 +1,6 @@
+[
+  "aarch64-linux"
+  "aarch64-darwin"
+  "x86_64-linux"
+  "x86_64-darwin"
+]

doc/README.md

@@ -34,27 +34,7 @@ $ nix-build doc
 
 If the build succeeds, the manual will be in `./result/share/doc/nixpkgs/manual.html`.
 
-### Development environment
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the Nixpkgs documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/doc
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-#### `devmode`
+### devmode
 
 The shell in the manual source directory makes available a command, `devmode`.
 It is a daemon, that:
@@ -128,7 +108,6 @@ A few markups for other kinds of literals are also available:
 These literal kinds are used mostly in NixOS option documentation.
 
 This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point). Though, the feature originates from [reStructuredText](https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage) with slightly different syntax.
-They are handled by `myst_role` defined per renderer. <!-- reverse references in code -->
 
 #### Admonitions
 

doc/build-helpers.md

@@ -17,7 +17,6 @@ There is no uniform interface for build helpers.
 [Language- or framework-specific build helpers](#chap-language-support) usually follow the style of `stdenv.mkDerivation`, which accepts an attribute set or a fixed-point function taking an attribute set.
 
 ```{=include=} chapters
-build-helpers/fixed-point-arguments.chapter.md
 build-helpers/fetchers.chapter.md
 build-helpers/trivial-build-helpers.chapter.md
 build-helpers/testers.chapter.md

doc/build-helpers/dev-shell-tools.chapter.md

@@ -20,12 +20,12 @@ Converts Nix values to strings in the way the [`derivation` built-in function](h
 
 ```nix
 devShellTools.valueToString (builtins.toFile "foo" "bar")
-# => "/nix/store/...-foo"
+=> "/nix/store/...-foo"
 ```
 
 ```nix
 devShellTools.valueToString false
-# => ""
+=> ""
 ```
 
 :::
@@ -42,22 +42,16 @@ This function does not support `__structuredAttrs`, but does support `passAsFile
 devShellTools.unstructuredDerivationInputEnv {
   drvAttrs = {
     name = "foo";
-    buildInputs = [
-      hello
-      figlet
-    ];
+    buildInputs = [ hello figlet ];
     builder = bash;
-    args = [
-      "-c"
-      "${./builder.sh}"
-    ];
+    args = [ "-c" "${./builder.sh}" ];
   };
 }
-# => {
-#  name = "foo";
-#  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
-#  builder = "/nix/store/...-bash";
-#}
+=> {
+  name = "foo";
+  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
+  builder = "/nix/store/...-bash";
+}
 ```
 
 Note that `args` is not included, because Nix does not added it to the builder process environment.
@@ -75,10 +69,7 @@ Takes the relevant parts of a derivation and returns a set of environment variab
 let
   pkg = hello;
 in
-devShellTools.derivationOutputEnv {
-  outputList = pkg.outputs;
-  outputMap = pkg;
-}
+devShellTools.derivationOutputEnv { outputList = pkg.outputs; outputMap = pkg; }
 ```
 
 :::

doc/build-helpers/fetchers.chapter.md

@@ -491,11 +491,7 @@ It might be useful to manipulate the content downloaded by `fetchurl` directly i
 In this example, we'll adapt [](#ex-fetchers-fetchurl-nixpkgs-version) to append the result of running the `hello` package to the contents we download, purely to illustrate how to manipulate the content.
 
 ```nix
-{
-  fetchurl,
-  hello,
-  lib,
-}:
+{ fetchurl, hello, lib }:
 fetchurl {
   url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
 
@@ -718,10 +714,9 @@ A wrapper around `fetchpatch`, which takes:
 Here is an example of `fetchDebianPatch` in action:
 
 ```nix
-{
-  lib,
-  fetchDebianPatch,
-  buildPythonPackage,
+{ lib
+, fetchDebianPatch
+, buildPythonPackage
 }:
 
 buildPythonPackage rec {
@@ -733,7 +728,7 @@ buildPythonPackage rec {
     (fetchDebianPatch {
       inherit pname version;
       debianRevision = "5";
-      patch = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
+      name = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
       hash = "sha256-xA8Wnrpr31H8wy3zHSNfezFNjUJt1HbSXn3qUMzeKc0=";
     })
   ];
@@ -773,14 +768,9 @@ Additionally, the following optional arguments can be given:
 
 : Whether to fetch LFS objects.
 
-*`preFetch`* (String)
-
-: Shell code to be executed before the repository has been fetched, to allow
-  changing the environment the fetcher runs in.
-
 *`postFetch`* (String)
 
-: Shell code executed after the repository has been fetched successfully.
+: Shell code executed after the file has been fetched successfully.
   This can do things like check or transform the file.
 
 *`leaveDotGit`* (Boolean)
@@ -795,10 +785,6 @@ Additionally, the following optional arguments can be given:
 : Clone the entire repository as opposing to just creating a shallow clone.
   This implies `leaveDotGit`.
 
-*`fetchTags`* (Boolean)
-
-: Whether to fetch all tags from the remote repository. This is useful when the build process needs to run `git describe` or other commands that require tag information to be available. This parameter implies `leaveDotGit`, as tags are stored in the `.git` directory.
-
 *`sparseCheckout`* (List of String)
 
 : Prevent git from fetching unnecessary blobs from server.
@@ -928,9 +914,7 @@ It produces packages that cannot be built automatically.
 { fetchtorrent }:
 
 fetchtorrent {
-  config = {
-    peer-limit-global = 100;
-  };
+  config = { peer-limit-global = 100; };
   url = "magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c";
   hash = "";
 }

doc/build-helpers/fixed-point-arguments.chapter.md

@@ -1,74 +0,0 @@
-# Fixed-point arguments of build helpers {#chap-build-helpers-finalAttrs}
-
-As mentioned in the beginning of this part, `stdenv.mkDerivation` could alternatively accept a fixed-point function. The input of such function, typically named `finalAttrs`, is expected to be the final state of the attribute set.
-A build helper like this is said to accept **fixed-point arguments**.
-
-Build helpers don't always support fixed-point arguments yet, as support in [`stdenv.mkDerivation`](#mkderivation-recursive-attributes) was first included in Nixpkgs 22.05.
-
-## Defining a build helper with `lib.extendMkDerivation` {#sec-build-helper-extendMkDerivation}
-
-Developers can use the Nixpkgs library function [`lib.customisation.extendMkDerivation`](#function-library-lib.customisation.extendMkDerivation) to define a build helper supporting fixed-point arguments from an existing one with such support, with an attribute overlay similar to the one taken by [`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs).
-
-Beside overriding, `lib.extendMkDerivation` also supports `excludeDrvArgNames` to optionally exclude some arguments in the input fixed-point arguments from passing down the base build helper (specified as `constructDrv`).
-
-:::{.example #ex-build-helpers-extendMkDerivation}
-
-# Example definition of `mkLocalDerivation` extended from `stdenv.mkDerivation` with `lib.extendMkDerivation`
-
-We want to define a build helper named `mkLocalDerivation` that builds locally without using substitutes by default.
-
-Instead of taking a plain attribute set,
-
-```nix
-{
-  preferLocalBuild ? true,
-  allowSubstitute ? false,
-  specialArg ? (_: false),
-  ...
-}@args:
-
-stdenv.mkDerivation (
-  removeAttrs [
-    # Don't pass specialArg into mkDerivation.
-    "specialArg"
-  ] args
-  // {
-    # Arguments to pass
-    inherit preferLocalBuild allowSubstitute;
-    # Some expressions involving specialArg
-    greeting = if specialArg "hi" then "hi" else "hello";
-  }
-)
-```
-
-we could define with `lib.extendMkDerivation` an attribute overlay to make the result build helper also accepts the the attribute set's fixed point passing to the underlying `stdenv.mkDerivation`, named `finalAttrs` here:
-
-```nix
-lib.extendMkDerivation {
-  constructDrv = stdenv.mkDerivation;
-  excludeDrvArgNames = [
-    # Don't pass specialArg into mkDerivation.
-    "specialArg"
-  ];
-  extendDrvArgs =
-    finalAttrs:
-    {
-      preferLocalBuild ? true,
-      allowSubstitute ? false,
-      specialArg ? (_: false),
-      ...
-    }@args:
-    {
-      # Arguments to pass
-      inherit
-        preferLocalBuild
-        allowSubstitute
-        ;
-      # Some expressions involving specialArg
-      greeting = if specialArg "hi" then "hi" else "hello";
-    };
-}
-```
-:::
-
-If one needs to apply extra changes to the result derivation, pass the derivation transformation function to `lib.extendMkDerivation` as `lib.customisation.extendMkDerivation { transformDrv = drv: ...; }`.

doc/build-helpers/images/appimagetools.section.md

@@ -33,7 +33,7 @@ let
   version = "0.6.30";
 
   src = fetchurl {
-    url = "https://github.com/nukeop/nuclear/releases/download/v${version}/nuclear-v${version}.AppImage";
+    url = "https://github.com/nukeop/nuclear/releases/download/v${version}/${pname}-v${version}.AppImage";
     hash = "sha256-he1uGC1M/nFcKpMM9JKY4oeexJcnzV0ZRxhTjtJz6xw=";
   };
 in
@@ -66,8 +66,7 @@ let
     url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
     hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
   };
-in
-appimageTools.wrapType2 {
+in appimageTools.wrapType2 {
   inherit pname version src;
   extraPkgs = pkgs: [ pkgs.at-spi2-core ];
 }
@@ -107,8 +106,7 @@ let
   appimageContents = appimageTools.extract {
     inherit pname version src;
   };
-in
-appimageTools.wrapType2 {
+in appimageTools.wrapType2 {
   inherit pname version src;
 
   extraPkgs = pkgs: [ pkgs.at-spi2-core ];
@@ -152,8 +150,7 @@ let
       substituteInPlace $out/irccloud.desktop --replace-fail 'Exec=AppRun' 'Exec=${pname}'
     '';
   };
-in
-appimageTools.wrapType2 {
+in appimageTools.wrapType2 {
   inherit pname version src;
 
   extraPkgs = pkgs: [ pkgs.at-spi2-core ];

doc/build-helpers/images/binarycache.section.md

@@ -11,14 +11,6 @@ It can also be a convenient way to make some Nix packages available inside a con
 `rootPaths` must be a list of derivations.
 The transitive closure of these derivations' outputs will be copied into the cache.
 
-## Optional arguments {#sec-pkgs-binary-cache-arguments}
-
-`compression` (`"none"` or `"xz"` or `"zstd"`; _optional_)
-
-: The compression algorithm to use.
-
-  _Default value:_ `zstd`.
-
 ::: {.note}
 This function is meant for advanced use cases.
 The more idiomatic way to work with flat-file binary caches is via the [nix-copy-closure](https://nixos.org/manual/nix/stable/command-ref/nix-copy-closure.html) command.
@@ -35,7 +27,7 @@ The following derivation will construct a flat-file binary cache containing the
 ```nix
 { mkBinaryCache, hello }:
 mkBinaryCache {
-  rootPaths = [ hello ];
+  rootPaths = [hello];
 }
 ```
 

doc/build-helpers/images/dockertools.section.md

@@ -235,11 +235,7 @@ The following package builds a Docker image that runs the `redis-server` executa
 The Docker image will have name `redis` and tag `latest`.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  redis,
-}:
+{ dockerTools, buildEnv, redis }:
 dockerTools.buildImage {
   name = "redis";
   tag = "latest";
@@ -257,9 +253,7 @@ dockerTools.buildImage {
   config = {
     Cmd = [ "/bin/redis-server" ];
     WorkingDir = "/data";
-    Volumes = {
-      "/data" = { };
-    };
+    Volumes = { "/data" = { }; };
   };
 }
 ```
@@ -292,11 +286,7 @@ It uses `runAsRoot` to create a directory and a file inside the image.
 This works the same as [](#ex-dockerTools-buildImage-extraCommands), but uses `runAsRoot` instead of `extraCommands`.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  hello,
-}:
+{ dockerTools, buildEnv, hello }:
 dockerTools.buildImage {
   name = "hello";
   tag = "latest";
@@ -330,11 +320,7 @@ This works the same as [](#ex-dockerTools-buildImage-runAsRoot), but uses `extra
 Note that with `extraCommands`, we can't directly reference `/` and must create files and directories as if we were already on `/`.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  hello,
-}:
+{ dockerTools, buildEnv, hello }:
 dockerTools.buildImage {
   name = "hello";
   tag = "latest";
@@ -364,11 +350,7 @@ dockerTools.buildImage {
 Note that using a value of `"now"` in the `created` attribute will break reproducibility.
 
 ```nix
-{
-  dockerTools,
-  buildEnv,
-  hello,
-}:
+{ dockerTools, buildEnv, hello }:
 dockerTools.buildImage {
   name = "hello";
   tag = "latest";
@@ -784,11 +766,7 @@ The closure of `config` is automatically included in the generated image.
 The following package shows a more compact way to create the same output generated in [](#ex-dockerTools-streamLayeredImage-hello).
 
 ```nix
-{
-  dockerTools,
-  hello,
-  lib,
-}:
+{ dockerTools, hello, lib }:
 dockerTools.streamLayeredImage {
   name = "hello";
   tag = "latest";
@@ -1569,15 +1547,11 @@ The Docker image generated will have a name like `hello-<version>-env` and tag `
 This example uses [](#ex-dockerTools-streamNixShellImage-hello) as a starting point.
 
 ```nix
-{
-  dockerTools,
-  cowsay,
-  hello,
-}:
+{ dockerTools, cowsay, hello }:
 dockerTools.streamNixShellImage {
   tag = "latest";
   drv = hello.overrideAttrs (old: {
-    nativeBuildInputs = old.nativeBuildInputs or [ ] ++ [
+    nativeBuildInputs = old.nativeBuildInputs or [] ++ [
       cowsay
     ];
   });

doc/build-helpers/images/makediskimage.section.md

@@ -52,23 +52,23 @@ A `deterministic` flag is available for best efforts determinism.
 To produce a Nix-store only image:
 ```nix
 let
-  pkgs = import <nixpkgs> { };
+  pkgs = import <nixpkgs> {};
   lib = pkgs.lib;
   make-disk-image = import <nixpkgs/nixos/lib/make-disk-image.nix>;
 in
-make-disk-image {
-  inherit pkgs lib;
-  config = { };
-  additionalPaths = [ ];
-  format = "qcow2";
-  onlyNixStore = true;
-  partitionTableType = "none";
-  installBootLoader = false;
-  touchEFIVars = false;
-  diskSize = "auto";
-  additionalSpace = "0M"; # Defaults to 512M.
-  copyChannel = false;
-}
+  make-disk-image {
+    inherit pkgs lib;
+    config = {};
+    additionalPaths = [ ];
+    format = "qcow2";
+    onlyNixStore = true;
+    partitionTableType = "none";
+    installBootLoader = false;
+    touchEFIVars = false;
+    diskSize = "auto";
+    additionalSpace = "0M"; # Defaults to 512M.
+    copyChannel = false;
+  }
 ```
 
 Some arguments can be left out, they are shown explicitly for the sake of the example.
@@ -78,36 +78,29 @@ Building this derivation will provide a QCOW2 disk image containing only the Nix
 To produce a NixOS installation image disk with UEFI and bootloader installed:
 ```nix
 let
-  pkgs = import <nixpkgs> { };
+  pkgs = import <nixpkgs> {};
   lib = pkgs.lib;
   make-disk-image = import <nixpkgs/nixos/lib/make-disk-image.nix>;
   evalConfig = import <nixpkgs/nixos/lib/eval-config.nix>;
 in
-make-disk-image {
-  inherit pkgs lib;
-  inherit
-    (evalConfig {
+  make-disk-image {
+    inherit pkgs lib;
+    inherit (evalConfig {
       modules = [
         {
-          fileSystems."/" = {
-            device = "/dev/vda";
-            fsType = "ext4";
-            autoFormat = true;
-          };
+          fileSystems."/" = { device = "/dev/vda"; fsType = "ext4"; autoFormat = true; };
           boot.grub.device = "/dev/vda";
         }
       ];
-    })
-    config
-    ;
-  format = "qcow2";
-  onlyNixStore = false;
-  partitionTableType = "legacy+gpt";
-  installBootLoader = true;
-  touchEFIVars = true;
-  diskSize = "auto";
-  additionalSpace = "0M"; # Defaults to 512M.
-  copyChannel = false;
-  memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
-}
+    }) config;
+    format = "qcow2";
+    onlyNixStore = false;
+    partitionTableType = "legacy+gpt";
+    installBootLoader = true;
+    touchEFIVars = true;
+    diskSize = "auto";
+    additionalSpace = "0M"; # Defaults to 512M.
+    copyChannel = false;
+    memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
+  }
 ```

doc/build-helpers/images/ocitools.section.md

@@ -76,11 +76,7 @@ Note that no user namespace is created, which means that you won't be able to ru
 This example uses `ociTools.buildContainer` to create a simple container that runs `bash`.
 
 ```nix
-{
-  ociTools,
-  lib,
-  bash,
-}:
+{ ociTools, lib, bash }:
 ociTools.buildContainer {
   args = [
     (lib.getExe bash)

doc/build-helpers/images/portableservice.section.md

@@ -91,12 +91,7 @@ See [](#ex-portableService-hello) to understand how to use the output of `portab
 The following example builds a Portable Service image with the `hello` package, along with a service unit that runs it.
 
 ```nix
-{
-  lib,
-  writeText,
-  portableService,
-  hello,
-}:
+{ lib, writeText, portableService, hello }:
 let
   hello-service = writeText "hello.service" ''
     [Unit]
@@ -156,13 +151,7 @@ To make things available globally, you must specify the `symlinks` attribute whe
 The following package builds on the package from [](#ex-portableService-hello) to make `/etc/ssl` available globally (this is only for illustrative purposes, because `hello` doesn't use `/etc/ssl`).
 
 ```nix
-{
-  lib,
-  writeText,
-  portableService,
-  hello,
-  cacert,
-}:
+{ lib, writeText, portableService, hello, cacert }:
 let
   hello-service = writeText "hello.service" ''
     [Unit]
@@ -178,10 +167,7 @@ portableService {
   inherit (hello) version;
   units = [ hello-service ];
   symlinks = [
-    {
-      object = "${cacert}/etc/ssl";
-      symlink = "/etc/ssl";
-    }
+    { object = "${cacert}/etc/ssl"; symlink = "/etc/ssl"; }
   ];
 }
 ```

doc/build-helpers/special/checkpoint-build.section.md

@@ -26,9 +26,7 @@ To change a normal derivation to a checkpoint based build, these steps must be t
 
 ## Example {#sec-checkpoint-build-example}
 ```nix
-{
-  pkgs ? import <nixpkgs> { },
-}:
+{ pkgs ? import <nixpkgs> {} }:
 let
   inherit (pkgs.checkpointBuildTools)
     prepareCheckpointBuild
@@ -37,10 +35,9 @@ let
   helloCheckpoint = prepareCheckpointBuild pkgs.hello;
   changedHello = pkgs.hello.overrideAttrs (_: {
     doCheck = false;
-    postPatch = ''
+    patchPhase = ''
       sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
     '';
   });
-in
-mkCheckpointBuild changedHello helloCheckpoint
+in mkCheckpointBuild changedHello helloCheckpoint
 ```

doc/build-helpers/special/fakenss.section.md

@@ -48,19 +48,12 @@ It is useful with functions in `dockerTools` to allow building Docker images tha
 This example includes the `hello` binary in the image so it can do something besides just have the extra files.
 
 ```nix
-{
-  dockerTools,
-  fakeNss,
-  hello,
-}:
+{ dockerTools, fakeNss, hello }:
 dockerTools.buildImage {
   name = "image-with-passwd";
   tag = "latest";
 
-  copyToRoot = [
-    fakeNss
-    hello
-  ];
+  copyToRoot = [ fakeNss hello ];
 
   config = {
     Cmd = [ "/bin/hello" ];
@@ -77,8 +70,8 @@ The following code uses `override` to add extra lines to `/etc/passwd` and `/etc
 ```nix
 { fakeNss }:
 fakeNss.override {
-  extraPasswdLines = [ "newuser:x:9001:9001:new user:/var/empty:/bin/sh" ];
-  extraGroupLines = [ "newuser:x:9001:" ];
+  extraPasswdLines = ["newuser:x:9001:9001:new user:/var/empty:/bin/sh"];
+  extraGroupLines = ["newuser:x:9001:"];
 }
 ```
 :::

doc/build-helpers/special/fhs-environments.section.md

@@ -6,13 +6,11 @@ It uses Linux' namespaces feature to create temporary lightweight environments w
 Accepted arguments are:
 
 - `name`
-        The name of the environment.
+        The name of the environment, and the wrapper executable if `pname` is unset.
 - `pname`
-        The pname of the environment.
+        The pname of the environment and the wrapper executable.
 - `version`
         The version of the environment.
-- `executableName`
-        The name of the wrapper executable. Defaults to `pname` if set, or `name` otherwise.
 - `targetPkgs`
         Packages to be installed for the main host's architecture (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also installed.
 - `multiPkgs`
@@ -36,29 +34,22 @@ Accepted arguments are:
 You can create a simple environment using a `shell.nix` like this:
 
 ```nix
-{
-  pkgs ? import <nixpkgs> { },
-}:
+{ pkgs ? import <nixpkgs> {} }:
 
 (pkgs.buildFHSEnv {
   name = "simple-x11-env";
-  targetPkgs =
-    pkgs:
-    (with pkgs; [
-      udev
-      alsa-lib
-    ])
-    ++ (with pkgs.xorg; [
-      libX11
-      libXcursor
-      libXrandr
-    ]);
-  multiPkgs =
-    pkgs:
-    (with pkgs; [
-      udev
-      alsa-lib
-    ]);
+  targetPkgs = pkgs: (with pkgs; [
+    udev
+    alsa-lib
+  ]) ++ (with pkgs.xorg; [
+    libX11
+    libXcursor
+    libXrandr
+  ]);
+  multiPkgs = pkgs: (with pkgs; [
+    udev
+    alsa-lib
+  ]);
   runScript = "bash";
 }).env
 ```

doc/build-helpers/special/makesetuphook.section.md

@@ -9,7 +9,7 @@ pkgs.makeSetupHook {
   name = "something-hook";
   propagatedBuildInputs = [ pkgs.commandsomething ];
   depsTargetTargetPropagated = [ pkgs.libsomething ];
-} ./script.sh
+} ./script.sh;
 ```
 
 ### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
@@ -42,7 +42,7 @@ pkgs.makeSetupHook
       }
       preConfigureHooks+=(_printHelloHook)
     ''
-  )
+  );
 ```
 
 ## Attributes {#sec-pkgs.makeSetupHook-attributes}