lib.types.attrNamesTo{Set,Submodule}: add

lib/types.nix: Remove duplicate user documentation
lib/tests/modules: Test attrNamesToTrue
2026-06-06 21:33:45 +00:00 · 2025-05-16 15:09:31 +02:00 · 2025-05-16 15:09:25 +02:00 · 2025-05-16 15:09:24 +02:00 · 2025-05-16 12:35:16 +02:00
5721 changed files with 143864 additions and 120010 deletions
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -266,6 +266,3 @@ a034fb50f79816c6738fb48b48503b09ea3b0132

 # treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
 05580f4b4433fda48fff30f60dfd303d6ee05d21
-
-# nixos/redmine: Get rid of global lib expansions
-d7f1102f04c58b2edfc74c9a1d577e3aebfca775
--- a/.github/ISSUE_TEMPLATE/01_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
+++ b/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
+++ b/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/04_build_failure.yml
+++ b/.github/ISSUE_TEMPLATE/04_build_failure.yml
@@ -35,9 +35,9 @@ body:
        > If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/05_update_request.yml
+++ b/.github/ISSUE_TEMPLATE/05_update_request.yml
@@ -35,9 +35,9 @@ body:
        > If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/06_module_request.yml
+++ b/.github/ISSUE_TEMPLATE/06_module_request.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -25,9 +25,8 @@ For new packages please briefly describe the package or provide a link to its ho
  - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [Nixpkgs 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/doc/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/doc/manual/release-notes/rl-2505.section.md) Nixpkgs Release notes)
+- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [NixOS 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) NixOS Release notes)
  - [ ] (Module updates) Added a release notes entry if the change is significant
  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
--- a/.github/actions/get-merge-commit/action.yml
+++ b/.github/actions/get-merge-commit/action.yml
@@ -1,88 +0,0 @@
-name: Get merge commit
-
-description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
-
-inputs:
-  merged-as-untrusted:
-    description: "Whether to checkout the merge commit in the ./untrusted folder."
-    type: boolean
-  target-as-trusted:
-    description: "Whether to checkout the target commit in the ./trusted folder."
-    type: boolean
-
-outputs:
-  mergedSha:
-    description: "The merge commit SHA"
-    value: ${{ steps.commits.outputs.mergedSha }}
-  targetSha:
-    description: "The target commit SHA"
-    value: ${{ steps.commits.outputs.targetSha }}
-
-runs:
-  using: composite
-  steps:
-    - id: commits
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-      with:
-        script: |
-          if (context.eventName == 'push') return core.setOutput('mergedSha', context.sha)
-
-          for (const retryInterval of [5, 10, 20, 40, 80]) {
-            console.log("Checking whether the pull request can be merged...")
-            const prInfo = (await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number
-            })).data
-
-            if (prInfo.state != 'open') throw new Error ("PR is not open anymore.")
-
-            if (prInfo.mergeable == null) {
-              console.log(`GitHub is still computing whether this PR can be merged, waiting ${retryInterval} seconds before trying again...`)
-              await new Promise(resolve => setTimeout(resolve, retryInterval * 1000))
-              continue
-            }
-
-            let mergedSha, targetSha
-
-            if (prInfo.mergeable) {
-              console.log("The PR can be merged.")
-
-              mergedSha = prInfo.merge_commit_sha
-              targetSha = (await github.rest.repos.getCommit({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                ref: prInfo.merge_commit_sha
-              })).data.parents[0].sha
-            } else {
-              console.log("The PR has a merge conflict.")
-
-              mergedSha = prInfo.head.sha
-              targetSha = (await github.rest.repos.compareCommitsWithBasehead({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                basehead: `${prInfo.base.sha}...${prInfo.head.sha}`
-              })).data.merge_base_commit.sha
-            }
-
-            console.log(`Checking the commits:\nmerged:${mergedSha}\ntarget:${targetSha}`)
-            core.setOutput('mergedSha', mergedSha)
-            core.setOutput('targetSha', targetSha)
-            return
-          }
-          throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
-
-      # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
-      # but Nix is broken with them:
-      # https://github.com/NixOS/nix/issues/6073
-    - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.mergedSha }}
-        path: untrusted
-
-    - if: inputs.target-as-trusted && steps.commits.outputs.targetSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.targetSha }}
-        path: trusted
--- a/.github/labeler-no-sync.yml
+++ b/.github/labeler-no-sync.yml
@@ -22,7 +22,7 @@
        - doc/**/*
        - nixos/doc/**/*

-"backport release-25.05":
+"backport release-24.11":
  - any:
    - changed-files:
      - any-glob-to-any-file:
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -162,7 +162,7 @@
      - any-glob-to-any-file:
        - doc/languages-frameworks/gnome.section.md
        - nixos/modules/services/desktops/gnome/**/*
-        - nixos/modules/services/desktop-managers/gnome.nix
+        - nixos/modules/services/x11/desktop-managers/gnome.nix
        - nixos/tests/gnome-xorg.nix
        - nixos/tests/gnome.nix
        - pkgs/desktops/gnome/**/*
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -9,9 +9,7 @@ on:
  pull_request_target:
    types: [closed, labeled]

-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}

 jobs:
  backport:
@@ -50,8 +48,7 @@ jobs:
      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
        env:
-          # Not the app on purpose to avoid triggering another workflow run after adding this label
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
        run: |
--- a/.github/workflows/check-cherry-picks.yml
+++ b/.github/workflows/check-cherry-picks.yml
@@ -20,12 +20,11 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
-          filter: tree:0
-          path: trusted
+          filter: blob:none

      - name: Check cherry-picks
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
-          ./trusted/ci/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
+          ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -5,21 +5,23 @@ on:
    paths:
      - .github/workflows/check-format.yml
  pull_request_target:
+    types: [opened, synchronize, reopened, edited]

 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  nixos:
    name: fmt-check
    runs-on: ubuntu-24.04-arm
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -30,7 +32,7 @@ jobs:
          # Note that it's fine to run this on untrusted code because:
          # - There's no secrets accessible here
          # - The build is sandboxed
-          if ! nix-build untrusted/ci -A fmt.check; then
+          if ! nix-build ci -A fmt.check; then
            echo "Some files are not properly formatted"
            echo "Please format them by going to the Nixpkgs root directory and running one of:"
            echo "  nix-shell --run treefmt"
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@@ -32,13 +32,9 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - name: Build shell
-        run: nix-build untrusted/ci -A shell
+        run: nix-build ci -A shell
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -27,7 +27,7 @@ on:
    paths:
      - .github/workflows/codeowners-v2.yml
  pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
+    types: [opened, ready_for_review, synchronize, reopened, edited]

 permissions: {}

@@ -37,21 +37,17 @@ env:
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

 jobs:
+  get-merge-commit:
+    if: github.repository_owner == 'NixOS'
+    uses: ./.github/workflows/get-merge-commit.yml
+
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
-    if: github.repository_owner == 'NixOS'
+    needs: get-merge-commit
+    if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
-
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
@@ -60,8 +56,15 @@ jobs:
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

+      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+      # We later build and run code from the base branch with access to secrets,
+      # so it's important this is not the PRs code.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+
      - name: Build codeowners validator
-        run: nix-build trusted/ci -A codeownersValidator
+        run: nix-build base/ci -A codeownersValidator

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_RO_APP_ID
@@ -72,16 +75,21 @@ jobs:
          permission-administration: read
          permission-members: read

+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: pr
+
      - name: Validate codeowners
        if: steps.app-token.outputs.token
+        run: result/bin/codeowners-validator
        env:
-          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
+          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: untrusted
+          REPOSITORY_PATH: pr
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
-        run: result/bin/codeowners-validator

  # Request reviews from code owners
  request:
@@ -94,8 +102,6 @@ jobs:
      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_APP_ID
@@ -108,10 +114,10 @@ jobs:
          permission-pull-requests: write

      - name: Build review request package
-        run: nix-build trusted/ci -A requestReviews
+        run: nix-build ci -A requestReviews

      - name: Request reviews
        if: steps.app-token.outputs.token
+        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
--- a/.github/workflows/edited.yml
+++ b/.github/workflows/edited.yml
@@ -1,49 +0,0 @@
-# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-# Instead it causes an `edited` event.
-# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
-# There are already feature requests for adding a `base_changed` event:
-# - https://github.com/orgs/community/discussions/35058
-# - https://github.com/orgs/community/discussions/64119
-#
-# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
-# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
-# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
-# This is much simpler and reliable than other approaches.
-
-name: "Edited base branch"
-
-on:
-  pull_request_target:
-    types: [edited]
-
-permissions: {}
-
-jobs:
-  base:
-    name: Trigger jobs
-    runs-on: ubuntu-24.04
-    if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-        run: |
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=closed"
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=open"
--- a/.github/workflows/eval-aliases.yml
+++ b/.github/workflows/eval-aliases.yml
@@ -9,17 +9,19 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  eval-aliases:
    name: Eval nixpkgs with aliases enabled
    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit ]
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs

      - name: Install Nix
        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -27,8 +29,8 @@ jobs:
          extra_nix_config: sandbox = true

      - name: Ensure flake outputs on all systems still evaluate
-        run: nix flake check --all-systems --no-build ./untrusted
+        run: nix flake check --all-systems --no-build ./nixpkgs

      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
        run: |
-          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
+          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -4,8 +4,8 @@ on:
  pull_request:
    paths:
      - .github/workflows/eval.yml
-      - .github/workflows/reviews.yml # needs eval results from the same event type
  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened]
  push:
    # Keep this synced with ci/request-reviews/dev-branches.txt
    branches:
@@ -19,36 +19,17 @@ on:
 permissions: {}

 jobs:
-  prepare:
-    name: Prepare
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
-      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: |
-            .github/actions
-            ci/supportedSystems.json
-      - name: Check if the PR can be merged and get the test merge commit
-        uses: ./.github/actions/get-merge-commit
-        id: get-merge-commit
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml

  outpaths:
    name: Outpaths
    runs-on: ubuntu-24.04-arm
-    needs: [ prepare ]
+    needs: [ get-merge-commit ]
    strategy:
      fail-fast: false
      matrix:
-        system: ${{ fromJSON(needs.prepare.outputs.systems) }}
+        system: ${{ fromJSON(needs.get-merge-commit.outputs.systems) }}
    steps:
      - name: Enable swap
        run: |
@@ -60,8 +41,8 @@ jobs:
      - name: Check out the PR at the test merge commit
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ needs.prepare.outputs.mergedSha }}
-          path: untrusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs

      - name: Install Nix
        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -72,26 +53,57 @@ jobs:
        env:
          MATRIX_SYSTEM: ${{ matrix.system }}
        run: |
-          nix-build untrusted/ci -A eval.singleSystem \
+          nix-build nixpkgs/ci -A eval.singleSystem \
            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --arg chunkSize 10000 \
-            --out-link merged
+            --arg chunkSize 10000
          # If it uses too much memory, slightly decrease chunkSize

      - name: Upload the output paths and eval stats
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: merged-${{ matrix.system }}
-          path: merged/*
+          name: intermediate-${{ matrix.system }}
+          path: result/*
+
+  process:
+    name: Process
+    runs-on: ubuntu-24.04-arm
+    needs: [ outpaths, get-merge-commit ]
+    outputs:
+      targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
+    steps:
+      - name: Download output paths and eval stats for all systems
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          pattern: intermediate-*
+          path: intermediate
+
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          fetch-depth: 2
+          path: nixpkgs
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Combine all output paths and eval stats
+        run: |
+          nix-build nixpkgs/ci -A eval.combine \
+            --arg resultsDir ./intermediate \
+            -o prResult
+
+      - name: Upload the combined results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: result
+          path: prResult/*

      - name: Get target run id
-        if: needs.prepare.outputs.targetSha
+        if: needs.get-merge-commit.outputs.targetSha
        id: targetRunId
-        env:
-          GH_TOKEN: ${{ github.token }}
-          MATRIX_SYSTEM: ${{ matrix.system }}
-          REPOSITORY: ${{ github.repository }}
-          TARGET_SHA: ${{ needs.prepare.outputs.targetSha }}
        run: |
          # Get the latest eval.yml workflow run for the PR's target commit
          if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
@@ -103,124 +115,106 @@ jobs:
          fi
          echo "Comparing against $(jq .html_url <<< "$run")"
          runId=$(jq .id <<< "$run")
-
-          if ! job=$(gh api --method GET /repos/"$REPOSITORY"/actions/runs/"$runId"/jobs \
-            --jq ".jobs[] | select (.name == \"Outpaths ($MATRIX_SYSTEM)\")") \
-            || [[ -z "$job" ]]; then
-            echo "Could not find the Outpaths ($MATRIX_SYSTEM) job for workflow run $runId, cannot make comparison"
-            exit 1
-          fi
-          jobId=$(jq .id <<< "$job")
-          conclusion=$(jq -r .conclusion <<< "$job")
+          conclusion=$(jq -r .conclusion <<< "$run")

          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
-            echo "Job not done, waiting 10 seconds before checking again"
+            echo "Workflow not done, waiting 10 seconds before checking again"
            sleep 10
-            conclusion=$(gh api /repos/"$REPOSITORY"/actions/jobs/"$jobId" --jq '.conclusion')
+            conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
          done

          if [[ "$conclusion" != "success" ]]; then
-            echo "Job was not successful (conclusion: $conclusion), cannot make comparison"
+            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
            exit 1
          fi

          echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
+        env:
+          REPOSITORY: ${{ github.repository }}
+          TARGET_SHA: ${{ needs.get-merge-commit.outputs.targetSha }}
+          GH_TOKEN: ${{ github.token }}

      - uses: actions/download-artifact@v4
        if: steps.targetRunId.outputs.targetRunId
        with:
-          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
-          name: merged-${{ matrix.system }}
-          path: target
+          name: result
+          path: targetResult
          github-token: ${{ github.token }}
-          merge-multiple: true
-
-      - name: Compare outpaths against the target branch
-        if: steps.targetRunId.outputs.targetRunId
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build untrusted/ci -A eval.diff \
-            --arg beforeDir ./target \
-            --arg afterDir "$(readlink ./merged)" \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --out-link diff
-
-      - name: Upload outpaths diff and stats
-        if: steps.targetRunId.outputs.targetRunId
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: diff-${{ matrix.system }}
-          path: diff/*
-
-  compare:
-    name: Comparison
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    permissions:
-      issues: write # needed to create *new* labels
-      pull-requests: write
-      statuses: write
-    steps:
-      - name: Download output paths and eval stats for all systems
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: diff-*
-          path: diff
-          merge-multiple: true
-
-      - name: Check out the PR at the target commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.prepare.outputs.targetSha }}
-          path: trusted
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Combine all output paths and eval stats
-        run: |
-          nix-build trusted/ci -A eval.combine \
-            --arg diffDir ./diff \
-            --out-link combined
+          run-id: ${{ steps.targetRunId.outputs.targetRunId }}

      - name: Compare against the target branch
-        env:
-          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+        if: steps.targetRunId.outputs.targetRunId
        run: |
-          git -C trusted fetch --depth 1 origin ${{ needs.prepare.outputs.mergedSha }}
-          git -C trusted diff --name-only ${{ needs.prepare.outputs.mergedSha }} \
+          git -C nixpkgs worktree add ../target ${{ needs.get-merge-commit.outputs.targetSha }}
+          git -C nixpkgs diff --name-only ${{ needs.get-merge-commit.outputs.targetSha }} \
            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json

          # Use the target branch to get accurate maintainer info
-          nix-build trusted/ci -A eval.compare \
-            --arg combinedDir "$(realpath ./combined)" \
+          nix-build target/ci -A eval.compare \
+            --arg beforeResultDir ./targetResult \
+            --arg afterResultDir "$(realpath prResult)" \
            --arg touchedFilesJson ./touched-files.json \
-            --argstr githubAuthorId "$AUTHOR_ID" \
-            --out-link comparison
+            -o comparison

          cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"

-      - name: Upload the comparison results
+      - name: Upload the combined results
+        if: steps.targetRunId.outputs.targetRunId
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: comparison
          path: comparison/*

+  # Separate job to have a very tightly scoped PR write token
+  tag:
+    name: Tag
+    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit, process ]
+    if: needs.process.outputs.targetRunId
+    permissions:
+      pull-requests: write
+      statuses: write
+    steps:
+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.OWNER_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+          permission-pull-requests: write
+
+      - name: Download process result
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: comparison
+          path: comparison
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+
+      # Important: This workflow job runs with extra permissions,
+      # so we need to make sure to not run untrusted code from PRs
+      - name: Check out Nixpkgs at the base commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.targetSha }}
+          path: base
+          sparse-checkout: ci
+
+      - name: Build the requestReviews derivation
+        run: nix-build base/ci -A requestReviews
+
      - name: Labelling pull request
-        if: ${{ github.event_name == 'pull_request_target' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
        run: |
-          # Get all currently set labels that we manage
+          # Get all currently set rebuild labels
          gh api \
            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            --jq '.[].name | select(startswith("10.rebuild") or . == "11.by: package-maintainer")' \
+            --jq '.[].name | select(startswith("10.rebuild"))' \
            | sort > before

          # And the labels that should be there
@@ -244,12 +238,13 @@ jobs:
              -f "labels[]=$toAdd"
          done < <(comm -13 before after)

-      - name: Add eval summary to commit statuses
-        if: ${{ github.event_name == 'pull_request_target' }}
        env:
          GH_TOKEN: ${{ github.token }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
+
+      - name: Add eval summary to commit statuses
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
        run: |
          description=$(jq -r '
          "Package: added " + (.attrdiff.added | length | tostring) +
@@ -263,13 +258,24 @@ jobs:
            -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
            "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
            -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          NUMBER: ${{ github.event.number }}

-  reviewers:
-    name: Reviewers
-    # No dependency on "compare", so that it can start at the same time.
-    # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
-    # for the eval workflow considerably faster.
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    uses: ./.github/workflows/reviewers.yml
-    secrets: inherit
+      - name: Requesting maintainer reviews
+        if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
+        run: |
+          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
+          # There appears to be no API to request reviews based on GitHub IDs
+          jq -r 'keys[]' comparison/maintainers.json \
+            | while read -r id; do gh api /user/"$id" --jq .login; done \
+            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          # Don't request reviewers on draft PRs
+          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
--- a/.github/workflows/get-merge-commit.yml
+++ b/.github/workflows/get-merge-commit.yml
@@ -0,0 +1,58 @@
+name: Get merge commit
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/get-merge-commit.yml
+  workflow_call:
+    outputs:
+      mergedSha:
+        description: "The merge commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
+      targetSha:
+        description: "The target commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.targetSha }}
+      systems:
+        description: "The supported systems"
+        value: ${{ jobs.resolve-merge-commit.outputs.systems }}
+
+permissions: {}
+
+jobs:
+  resolve-merge-commit:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      mergedSha: ${{ steps.merged.outputs.mergedSha }}
+      targetSha: ${{ steps.merged.outputs.targetSha }}
+      systems: ${{ steps.systems.outputs.systems }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+          sparse-checkout: ci
+
+      - name: Check if the PR can be merged and get the test merge commit
+        id: merged
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_EVENT: ${{ github.event_name }}
+        run: |
+          case "$GH_EVENT" in
+            push)
+              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+              ;;
+            pull_request*)
+              if commits=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+                echo -e "Checking the commits:\n$commits"
+                echo "$commits" >> "$GITHUB_OUTPUT"
+              else
+                # Skipping so that no notifications are sent
+                echo "Skipping the rest..."
+              fi
+              ;;
+          esac
+
+      - name: Load supported systems
+        id: systems
+        run: |
+          echo "systems=$(jq -c <base/ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -7,17 +7,17 @@ name: "Label PR"

 on:
  pull_request_target:
+    types: [edited, opened, synchronize, reopened]

 permissions:
  contents: read
-  issues: write # needed to create *new* labels
  pull-requests: write

 jobs:
  labels:
    name: label-pr
    runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
        if: |
--- a/.github/workflows/lib-tests.yml
+++ b/.github/workflows/lib-tests.yml
@@ -12,17 +12,18 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  nixpkgs-lib-tests:
    name: nixpkgs-lib-tests
    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -30,4 +31,4 @@ jobs:

      - name: Building Nixpkgs lib-tests
        run: |
-          nix-build untrusted/ci -A lib-tests
+          nix-build ci -A lib-tests
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -34,11 +34,7 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -52,7 +48,7 @@ jobs:

      - name: Build NixOS manual
        id: build-manual
-        run: NIX_PATH=nixpkgs=$(pwd)/untrusted nix-build --option restrict-eval true untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }}
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixos --argstr system ${{ matrix.system }}

      - name: Upload NixOS manual
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -5,6 +5,8 @@ on:
    paths:
      - .github/workflows/manual-nixpkgs-v2.yml
  pull_request_target:
+    branches:
+      - master
    paths:
      - 'doc/**'
      - 'lib/**'
@@ -19,11 +21,7 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -36,4 +34,4 @@ jobs:
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Building Nixpkgs manual
-        run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixpkgs -A manual-nixpkgs-tests
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -9,18 +9,18 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  tests:
    name: nix-files-parseable-check
    runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -30,4 +30,4 @@ jobs:
      - name: Parse all nix files
        run: |
          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
-          nix-build untrusted/ci -A parse --keep-going
+          nix-build ci -A parse --keep-going
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@@ -10,6 +10,11 @@ on:
    paths:
      - .github/workflows/nixpkgs-vet.yml
  pull_request_target:
+    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here.
+    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
+    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
+    types: [opened, synchronize, reopened, edited]

 permissions: {}

@@ -17,29 +22,51 @@ permissions: {}
 # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  check:
    name: nixpkgs-vet
-    runs-on: ubuntu-24.04-arm
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
+    runs-on: ubuntu-24.04
    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
    timeout-minutes: 10
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout merged and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+
+      - name: Checking out target branch
+        run: |
+          target=$(mktemp -d)
+          git worktree add "$target" "$(git rev-parse HEAD^1)"
+          echo "target=$target" >> "$GITHUB_ENV"

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

+      - name: Fetching the pinned tool
+        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
+        run: |
+          # The pinned version of the tooling to use.
+          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
+
+          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+            | gzip -cd | nix-store --import | tail -1)
+
+          # Adds a result symlink as a GC root.
+          nix-store --realise "$toolPath" --add-root result
+
      - name: Running nixpkgs-vet
        env:
          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
          CLICOLOR_FORCE: 1
        run: |
-          if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
+          if result/bin/nixpkgs-vet --base "$target" .; then
            exit 0
          else
            exitCode=$?
--- a/.github/workflows/no-channel.yml
+++ b/.github/workflows/no-channel.yml
@@ -5,6 +5,8 @@ on:
    paths:
      - .github/workflows/no-channel.yml
  pull_request_target:
+    # Re-run should be triggered when the base branch is updated, instead of silently failing
+    types: [opened, synchronize, reopened, edited]

 permissions: {}

--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -31,16 +31,14 @@ jobs:
            into: staging-next-24.11
          - from: staging-next-24.11
            into: staging-24.11
-          - from: release-25.05
+          - from: master
            into: staging-next-25.05
          - from: staging-next-25.05
            into: staging-25.05
-          - name: merge-base(master,staging) → haskell-updates
-            from: master staging
+          - from: master staging
            into: haskell-updates
    uses: ./.github/workflows/periodic-merge.yml
    with:
      from: ${{ matrix.pairs.from }}
      into: ${{ matrix.pairs.into }}
-    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets: inherit
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -35,5 +35,4 @@ jobs:
    with:
      from: ${{ matrix.pairs.from }}
      into: ${{ matrix.pairs.into }}
-    name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets: inherit
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -15,6 +15,7 @@ on:
 jobs:
  merge:
    runs-on: ubuntu-24.04-arm
+    name: ${{ inputs.from }} → ${{ inputs.into }}
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
--- a/.github/workflows/reviewers.yml
+++ b/.github/workflows/reviewers.yml
@@ -1,98 +0,0 @@
-# This workflow will request reviews from the maintainers of each package
-# listed in the PR's most recent eval comparison artifact.
-
-name: Reviewers
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/reviewers.yml
-  pull_request_target:
-    types: [ready_for_review]
-  workflow_call:
-
-permissions: {}
-
-jobs:
-  request:
-    name: Request
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Check out the PR at the base commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
-          sparse-checkout: ci
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Build the requestReviews derivation
-        run: nix-build trusted/ci -A requestReviews
-
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-
-      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
-      # In the more special case, when a PR is undrafted an eval run will have started already.
-      - name: Wait for comparison to be done
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const run_id = (await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'eval.yml',
-              event: context.eventName,
-              head_sha: context.payload.pull_request.head.sha
-            })).data.workflow_runs[0].id
-
-            // Waiting 120 * 5 sec = 10 min. max.
-            // The extreme case is an Eval run that just started when the PR is undrafted.
-            // Eval takes max 5-6 minutes, normally.
-            for (let i = 0; i < 120; i++) {
-              const result = await github.rest.actions.listWorkflowRunArtifacts({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                run_id,
-                name: 'comparison'
-              })
-              if (result.data.total_count > 0) return
-              await new Promise(resolve => setTimeout(resolve, 5000))
-            }
-            throw new Error("No comparison artifact found.")
-
-      - name: Download the comparison results
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: comparison
-          path: comparison
-          merge-multiple: true
-
-      - name: Requesting maintainer reviews
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-          # Don't request reviewers on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-        run: |
-          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
-          # There appears to be no API to request reviews based on GitHub IDs
-          jq -r 'keys[]' comparison/maintainers.json \
-            | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
 Here's a brief overview of the main Git branches and what channels they're used for:

 - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
- `release-YY.MM` (e.g. `release-25.11`): The NixOS release branches, used for the stable channels such as `nixos-25.11`, `nixos-25.11-small` and `nixpkgs-25.11-darwin`.
+- `release-YY.MM` (e.g. `release-25.05`): The NixOS release branches, used for the stable channels such as `nixos-25.05`, `nixos-25.05-small` and `nixpkgs-25.05-darwin`.

 When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
 So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).
@@ -533,7 +533,7 @@ Names of files and directories should be in lowercase, with dashes between words

 ### Formatting

-CI [enforces](./.github/workflows/check-format.yml) all Nix files to be
+CI [enforces](./.github/workflows/check-nix-format.yml) all Nix files to be
 formatted using the [official Nix formatter](https://github.com/NixOS/nixfmt).

 You can ensure this locally using either of these commands:
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 <p align="center">
  <a href="https://nixos.org">
    <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg">
+      <source media="(prefers-color-scheme: light)" srcset="https://nixos.org/logo/nixos-hires.png">
      <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg" width="500px" alt="NixOS logo">
+      <img src="https://nixos.org/logo/nixos-hires.png" width="500px" alt="NixOS logo">
    </picture>
  </a>
 </p>
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -15,7 +15,6 @@

 # CI
 /.github/*_TEMPLATE*                    @SigmaSquadron
-/.github/actions                        @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
 /.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
 /.github/workflows/check-format.yml     @infinisil @wolfgangwalther
 /.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
@@ -131,8 +130,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka

 # Limine
-/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi @johnrtitor
-/nixos/tests/limine                             @johnrtitor
+/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi

 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
@@ -165,13 +163,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 ## common-updater-scripts
 /pkgs/common-updater/scripts/update-source-version    @jtojnar

-# Android tools, libraries, and environments
-/pkgs/development/android*                    @NixOS/android
-/pkgs/development/mobile/android*             @NixOS/android
-/pkgs/applications/editors/android-studio*    @NixOS/android
-/doc/languages-frameworks/android*            @NixOS/android
-/pkgs/by-name/an/android*                     @NixOS/android
-
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
@@ -220,7 +211,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/development/compilers/gcc
 /pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
 /pkgs/development/compilers/emscripten @raitobezarius
-/doc/toolchains/llvm.chapter.md @alyssais @RossComputerGuy @NixOS/llvm
 /doc/languages-frameworks/emscripten.section.md @raitobezarius

 # Audio
@@ -250,7 +240,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara

 # Licenses
-/lib/licenses.nix @alyssais @emilazy
+/lib/licenses.nix @alyssais

 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -477,14 +467,11 @@ pkgs/development/interpreters/erlang/   @NixOS/beam
 pkgs/development/interpreters/elixir/   @NixOS/beam
 pkgs/development/interpreters/lfe/      @NixOS/beam

-# Authelia
-pkgs/servers/authelia/ @06kellyjac @dit7ya @nicomem
-
 # OctoDNS
 pkgs/by-name/oc/octodns/ @anthonyroussel

 # Teleport
-pkgs/by-name/te/teleport*   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
+pkgs/servers/teleport   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger

 # Warp-terminal
 pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @donteatoreo @johnrtitor
--- a/ci/README.md
+++ b/ci/README.md
@@ -40,3 +40,46 @@ Why not just build the tooling right from the PRs Nixpkgs version?
 - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
 - Because it improves security, since we don't have to build potentially untrusted code from PRs.
  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
+
+## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
+
+Check whether a PR is mergeable and return the test merge commit as
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests) and its parent.
+
+Arguments:
+- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
+- `PR_NUMBER`: The PR number, e.g. `1234`
+
+Exit codes:
+- 0: The PR can be merged, the hashes of the test merge commit and the target commit are returned on stdout
+- 1: The PR cannot be merged because it's not open anymore
+- 2: The PR cannot be merged because it has a merge conflict
+- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
+
+### Usage
+
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
+
+```yaml
+on: pull_request_target
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    # use the relative path of the get-merge-commit workflow yaml here
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@<VERSION>
+        # Add this to _all_ subsequent steps to skip them
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - ...
+```
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -82,9 +82,8 @@ in
  # CI jobs
  lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
  manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
-  manual-nixpkgs = (import ../doc { });
-  manual-nixpkgs-tests = (import ../doc { }).tests;
-  nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
+  manual-nixpkgs = (import ../pkgs/top-level/release.nix { }).manual;
+  manual-nixpkgs-tests = (import ../pkgs/top-level/release.nix { }).manual.tests;
  parse = pkgs.lib.recurseIntoAttrs {
    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
--- a/ci/eval/compare/default.nix
+++ b/ci/eval/compare/default.nix
@@ -1,15 +1,15 @@
 {
-  callPackage,
  lib,
  jq,
  runCommand,
  writeText,
  python3,
+  ...
 }:
 {
-  combinedDir,
+  beforeResultDir,
+  afterResultDir,
  touchedFilesJson,
-  githubAuthorId,
  byName ? false,
 }:
 let
@@ -19,7 +19,7 @@ let

    ---
    Inputs:
-    - beforeDir, afterDir: The evaluation result from before and after the change.
+    - beforeResultDir, afterResultDir: The evaluation result from before and after the change.
      They can be obtained by running `nix-build -A ci.eval.full` on both revisions.

    ---
@@ -65,6 +65,7 @@ let
      Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
  */
  inherit (import ./utils.nix { inherit lib; })
+    diff
    groupByKernel
    convertToPackagePlatformAttrs
    groupByPlatform
@@ -72,10 +73,22 @@ let
    getLabels
    ;

+  getAttrs =
+    dir:
+    let
+      raw = builtins.readFile "${dir}/outpaths.json";
+      # The file contains Nix paths; we need to ignore them for evaluation purposes,
+      # else there will be a "is not allowed to refer to a store path" error.
+      data = builtins.unsafeDiscardStringContext raw;
+    in
+    builtins.fromJSON data;
+  beforeAttrs = getAttrs beforeResultDir;
+  afterAttrs = getAttrs afterResultDir;
+
  # Attrs
  # - keys: "added", "changed" and "removed"
  # - values: lists of `packagePlatformPath`s
-  diffAttrs = builtins.fromJSON (builtins.readFile "${combinedDir}/combined-diff.json");
+  diffAttrs = diff beforeAttrs afterAttrs;

  rebuilds = diffAttrs.added ++ diffAttrs.changed;
  rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
@@ -101,19 +114,11 @@ let
          # Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
          ++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
            lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
-          )
-          # Adds the "11.by: package-maintainer" label if all of the packages directly
-          # changed are maintained by the PR's author. (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
-          ++ lib.optional (
-            maintainers ? ${githubAuthorId}
-            && lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
-              lib.flatten (lib.attrValues maintainers)
-            )
-          ) "11.by: package-maintainer";
+          );
      }
    );

-  maintainers = callPackage ./maintainers.nix { } {
+  maintainers = import ./maintainers.nix {
    changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
    changedpathsjson = touchedFilesJson;
    inherit byName;
@@ -135,8 +140,8 @@ runCommand "compare"
    maintainers = builtins.toJSON maintainers;
    passAsFile = [ "maintainers" ];
    env = {
-      BEFORE_DIR = "${combinedDir}/before";
-      AFTER_DIR = "${combinedDir}/after";
+      BEFORE_DIR = "${beforeResultDir}";
+      AFTER_DIR = "${afterResultDir}";
    };
  }
  ''
--- a/ci/eval/compare/maintainers.nix
+++ b/ci/eval/compare/maintainers.nix
@@ -1,6 +1,3 @@
-{
-  lib,
-}:
 # Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
 {
  changedattrs,
@@ -13,6 +10,7 @@ let
    config = { };
    overlays = [ ];
  };
+  inherit (pkgs) lib;

  changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);

--- a/ci/eval/compare/utils.nix
+++ b/ci/eval/compare/utils.nix
@@ -93,6 +93,32 @@ rec {
    in
    uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);

+  /*
+    Computes the key difference between two attrs
+
+    {
+      added: [ <keys only in the second object> ],
+      removed: [ <keys only in the first object> ],
+      changed: [ <keys with different values between the two objects> ],
+    }
+  */
+  diff =
+    let
+      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
+    in
+    old: new: {
+      added = filterKeys (n: _: !(old ? ${n})) new;
+      removed = filterKeys (n: _: !(new ? ${n})) old;
+      changed = filterKeys (
+        n: v:
+        # Filter out attributes that don't exist anymore
+        (new ? ${n})
+
+        # Filter out attributes that are the same as the new value
+        && (v != (new.${n}))
+      ) old;
+    };
+
  /*
    Group a list of `packagePlatformAttr`s by platforms

--- a/ci/eval/default.nix
+++ b/ci/eval/default.nix
@@ -1,14 +1,14 @@
 {
-  callPackage,
  lib,
  runCommand,
  writeShellScript,
  writeText,
-  symlinkJoin,
+  linkFarm,
  time,
  procps,
  nixVersions,
  jq,
+  sta,
  python3,
 }:

@@ -31,14 +31,11 @@ let
      );
    };

-  nix = nixVersions.latest;
+  nix = nixVersions.nix_2_24;

  supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);

  attrpathsSuperset =
-    {
-      evalSystem,
-    }:
    runCommand "attrpaths-superset.json"
      {
        src = nixpkgs;
@@ -58,7 +55,6 @@ let
            -I "$src" \
            --option restrict-eval true \
            --option allow-import-from-derivation false \
-            --option eval-system "${evalSystem}" \
            --arg enableWarnings false > $out/paths.json
      '';

@@ -69,13 +65,11 @@ let
      # because `--argstr system` would only be passed to the ci/default.nix file!
      evalSystem,
      # The path to the `paths.json` file from `attrpathsSuperset`
-      attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
+      attrpathFile ? "${attrpathsSuperset}/paths.json",
      # The number of attributes per chunk, see ./README.md for more info.
      chunkSize,
      checkMeta ? true,
-
-      # Don't try to eval packages marked as broken.
-      includeBroken ? false,
+      includeBroken ? true,
      # Whether to just evaluate a single chunk for quick testing
      quickTest ? false,
    }:
@@ -98,7 +92,7 @@ let
          --option restrict-eval true \
          --option allow-import-from-derivation false \
          --query --available \
-          --out-path --json \
+          --no-name --attr-path --out-path \
          --show-trace \
          --arg chunkSize "$chunkSize" \
          --arg myChunk "$myChunk" \
@@ -150,7 +144,7 @@ let
        chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
        echo "Chunk count: $chunkCount"

-        mkdir -p $out/${evalSystem}
+        mkdir $out

        # Record and print stats on free memory and swap in the background
        (
@@ -159,11 +153,11 @@ let
            freeSwap=$(free -b | grep Swap | awk '{print $4}')
            echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"

-            if [[ ! -f "$out/${evalSystem}/min-avail-memory" ]] || (( availMemory < $(<$out/${evalSystem}/min-avail-memory) )); then
-              echo "$availMemory" > $out/${evalSystem}/min-avail-memory
+            if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
+              echo "$availMemory" > $out/min-avail-memory
            fi
-            if [[ ! -f $out/${evalSystem}/min-free-swap ]] || (( availMemory < $(<$out/${evalSystem}/min-free-swap) )); then
-              echo "$freeSwap" > $out/${evalSystem}/min-free-swap
+            if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
+              echo "$freeSwap" > $out/min-free-swap
            fi
            sleep 4
          done
@@ -179,56 +173,104 @@ let
        mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}

        seq -w 0 "$seq_end" |
-          command time -f "%e" -o "$out/${evalSystem}/total-time" \
+          command time -f "%e" -o "$out/total-time" \
          xargs -I{} -P"$cores" \
          ${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"

-        cp -r "$chunkOutputDir"/stats $out/${evalSystem}/stats-by-chunk
+        cp -r "$chunkOutputDir"/stats $out/stats-by-chunk

        if (( chunkSize * chunkCount != attrCount )); then
          # A final incomplete chunk would mess up the stats, don't include it
          rm "$chunkOutputDir"/stats/"$seq_end"
        fi

-        cat "$chunkOutputDir"/result/* | jq -s 'add | map_values(.outputs)' > $out/${evalSystem}/paths.json
+        # Make sure the glob doesn't break when there's no files
+        shopt -s nullglob
+        cat "$chunkOutputDir"/result/* > $out/paths
+        cat "$chunkOutputDir"/stats/* > $out/stats.jsonstream
      '';

-  diff = callPackage ./diff.nix { };
-
  combine =
    {
-      diffDir,
+      resultsDir,
    }:
-    runCommand "combined-eval"
+    runCommand "combined-result"
      {
        nativeBuildInputs = [
          jq
+          sta
        ];
      }
      ''
        mkdir -p $out

-        # Combine output paths from all systems
-        cat ${diffDir}/*/diff.json | jq -s '
-          reduce .[] as $item ({}; {
-            added: (.added + $item.added),
-            changed: (.changed + $item.changed),
-            removed: (.removed + $item.removed)
-          })
-        ' > $out/combined-diff.json
+        # Transform output paths to JSON
+        cat ${resultsDir}/*/paths |
+          jq --sort-keys --raw-input --slurp '
+            split("\n") |
+            map(select(. != "") | split(" ") | map(select(. != ""))) |
+            map(
+              {
+                key: .[0],
+                value: .[1] | split(";") | map(split("=") |
+                  if length == 1 then
+                    { key: "out", value: .[0] }
+                  else
+                    { key: .[0], value: .[1] }
+                  end) | from_entries}
+            ) | from_entries
+          ' > $out/outpaths.json

-        mkdir -p $out/before/stats
-        for d in ${diffDir}/before/*; do
-          cp -r "$d"/stats-by-chunk $out/before/stats/$(basename "$d")
-        done
+        # Computes min, mean, error, etc. for a list of values and outputs a JSON from that
+        statistics() {
+          local stat=$1
+          sta --transpose |
+            jq --raw-input --argjson stat "$stat" -n '
+              [
+                inputs |
+                  split("\t") |
+                  { key: .[0], value: (.[1] | fromjson) }
+              ] |
+                from_entries |
+                {
+                  key: ($stat | join(".")),
+                  value: .
+                }'
+        }

-        mkdir -p $out/after/stats
-        for d in ${diffDir}/after/*; do
-          cp -r "$d"/stats-by-chunk $out/after/stats/$(basename "$d")
+        # Gets all available number stats (without .sizes because those are constant and not interesting)
+        readarray -t stats < <(jq -cs '.[0] | del(.sizes) | paths(type == "number")' ${resultsDir}/*/stats.jsonstream)
+
+        # Combines the statistics from all evaluations
+        {
+          echo "{ \"key\": \"minAvailMemory\", \"value\": $(cat ${resultsDir}/*/min-avail-memory | sta --brief --min) }"
+          echo "{ \"key\": \"minFreeSwap\", \"value\": $(cat ${resultsDir}/*/min-free-swap | sta --brief --min) }"
+          cat ${resultsDir}/*/total-time | statistics '["totalTime"]'
+          for stat in "''${stats[@]}"; do
+            cat ${resultsDir}/*/stats.jsonstream |
+              jq --argjson stat "$stat" 'getpath($stat)' |
+              statistics "$stat"
+          done
+        } |
+          jq -s from_entries > $out/stats.json
+
+        mkdir -p $out/stats
+
+        for d in ${resultsDir}/*; do
+          cp -r "$d"/stats-by-chunk $out/stats/$(basename "$d")
        done
      '';

-  compare = callPackage ./compare { };
+  compare = import ./compare {
+    inherit
+      lib
+      jq
+      runCommand
+      writeText
+      supportedSystems
+      python3
+      ;
+  };

  full =
    {
@@ -239,26 +281,17 @@ let
      quickTest ? false,
    }:
    let
-      diffs = symlinkJoin {
-        name = "diffs";
-        paths = map (
-          evalSystem:
-          let
-            eval = singleSystem {
-              inherit quickTest evalSystem chunkSize;
-            };
-          in
-          diff {
-            inherit evalSystem;
-            # Local "full" evaluation doesn't do a real diff.
-            beforeDir = eval;
-            afterDir = eval;
-          }
-        ) evalSystems;
-      };
+      results = linkFarm "results" (
+        map (evalSystem: {
+          name = evalSystem;
+          path = singleSystem {
+            inherit quickTest evalSystem chunkSize;
+          };
+        }) evalSystems
+      );
    in
    combine {
-      diffDir = diffs;
+      resultsDir = results;
    };

 in
@@ -266,7 +299,6 @@ in
  inherit
    attrpathsSuperset
    singleSystem
-    diff
    combine
    compare
    # The above three are used by separate VMs in a GitHub workflow,
--- a/ci/eval/diff.nix
+++ b/ci/eval/diff.nix
@@ -1,61 +0,0 @@
-{
-  lib,
-  runCommand,
-  writeText,
-}:
-
-{
-  beforeDir,
-  afterDir,
-  evalSystem,
-}:
-
-let
-  /*
-    Computes the key difference between two attrs
-
-    {
-      added: [ <keys only in the second object> ],
-      removed: [ <keys only in the first object> ],
-      changed: [ <keys with different values between the two objects> ],
-    }
-  */
-  diff =
-    let
-      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
-    in
-    old: new: {
-      added = filterKeys (n: _: !(old ? ${n})) new;
-      removed = filterKeys (n: _: !(new ? ${n})) old;
-      changed = filterKeys (
-        n: v:
-        # Filter out attributes that don't exist anymore
-        (new ? ${n})
-
-        # Filter out attributes that are the same as the new value
-        && (v != (new.${n}))
-      ) old;
-    };
-
-  getAttrs =
-    dir:
-    let
-      raw = builtins.readFile "${dir}/${evalSystem}/paths.json";
-      # The file contains Nix paths; we need to ignore them for evaluation purposes,
-      # else there will be a "is not allowed to refer to a store path" error.
-      data = builtins.unsafeDiscardStringContext raw;
-    in
-    builtins.fromJSON data;
-
-  beforeAttrs = getAttrs beforeDir;
-  afterAttrs = getAttrs afterDir;
-  diffAttrs = diff beforeAttrs afterAttrs;
-  diffJson = writeText "diff.json" (builtins.toJSON diffAttrs);
-in
-runCommand "diff" { } ''
-  mkdir -p $out/${evalSystem}
-
-  cp -r ${beforeDir} $out/before
-  cp -r ${afterDir} $out/after
-  cp ${diffJson} $out/${evalSystem}/diff.json
-''
--- a/ci/get-merge-commit.sh
+++ b/ci/get-merge-commit.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# See ./README.md for docs
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( $# < 2 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER"
+    exit 99
+fi
+repo=$1
+prNumber=$2
+
+# Retry the API query this many times
+retryCount=5
+# Start with 5 seconds, but double every retry
+retryInterval=5
+
+while true; do
+    log "Checking whether the pull request can be merged"
+    prInfo=$(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$repo/pulls/$prNumber")
+
+    # Non-open PRs won't have their mergeability computed no matter what
+    state=$(jq -r .state <<< "$prInfo")
+    if [[ "$state" != open ]]; then
+        log "PR is not open anymore"
+        exit 1
+    fi
+
+    mergeable=$(jq -r .mergeable <<< "$prInfo")
+    if [[ "$mergeable" == "null" ]]; then
+        if (( retryCount == 0 )); then
+            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+            exit 3
+        else
+            (( retryCount -= 1 )) || true
+
+            # null indicates that GitHub is still computing whether it's mergeable
+            # Wait a couple seconds before trying again
+            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+            sleep "$retryInterval"
+
+            (( retryInterval *= 2 )) || true
+        fi
+    else
+        break
+    fi
+done
+
+if [[ "$mergeable" == "true" ]]; then
+    log "The PR can be merged"
+    mergedSha="$(jq -r .merge_commit_sha <<< "$prInfo")"
+    echo "mergedSha=$mergedSha"
+    targetSha="$(gh api "/repos/$repo/commits/$mergedSha" --jq '.parents[0].sha')"
+    echo "targetSha=$targetSha"
+else
+    log "The PR has a merge conflict"
+    exit 2
+fi
--- a/ci/nixpkgs-vet.nix
+++ b/ci/nixpkgs-vet.nix
@@ -1,31 +0,0 @@
-{
-  lib,
-  nix,
-  nixpkgs-vet,
-  runCommand,
-}:
-{
-  base ? ../.,
-  head ? ../.,
-}:
-let
-  filtered =
-    with lib.fileset;
-    path:
-    toSource {
-      fileset = (gitTracked path);
-      root = path;
-    };
-in
-runCommand "nixpkgs-vet"
-  {
-    nativeBuildInputs = [
-      nixpkgs-vet
-    ];
-    env.NIXPKGS_VET_NIX_PACKAGE = nix;
-  }
-  ''
-    nixpkgs-vet --base ${filtered base} ${filtered head}
-
-    touch $out
-  ''
--- a/ci/nixpkgs-vet.sh
+++ b/ci/nixpkgs-vet.sh
@@ -65,5 +65,7 @@ trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
 toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
 trace -e "\e[34m$toolVersion\e[0m"

+trace -n "Building tool.. "
+nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
 trace "Running nixpkgs-vet.."
-nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"
+"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"
--- a/ci/pinned-nixpkgs.json
+++ b/ci/pinned-nixpkgs.json
@@ -1,4 +1,4 @@
 {
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
+  "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
+  "sha256": "132nimgi1g88fbhddk4b8b1qk68jly494x2mnphyk3xa1d2wy9q7"
 }
--- a/doc/README.md
+++ b/doc/README.md
@@ -34,27 +34,7 @@ $ nix-build doc

 If the build succeeds, the manual will be in `./result/share/doc/nixpkgs/manual.html`.

-### Development environment
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the Nixpkgs documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/doc
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-#### `devmode`
+### devmode

 The shell in the manual source directory makes available a command, `devmode`.
 It is a daemon, that:
--- a/doc/build-helpers/fetchers.chapter.md
+++ b/doc/build-helpers/fetchers.chapter.md
@@ -795,10 +795,6 @@ Additionally, the following optional arguments can be given:
 : Clone the entire repository as opposing to just creating a shallow clone.
  This implies `leaveDotGit`.

-*`fetchTags`* (Boolean)
-
-: Whether to fetch all tags from the remote repository. This is useful when the build process needs to run `git describe` or other commands that require tag information to be available. This parameter implies `leaveDotGit`, as tags are stored in the `.git` directory.
-
 *`sparseCheckout`* (List of String)

 : Prevent git from fetching unnecessary blobs from server.
--- a/doc/build-helpers/special/checkpoint-build.section.md
+++ b/doc/build-helpers/special/checkpoint-build.section.md
@@ -37,7 +37,7 @@ let
  helloCheckpoint = prepareCheckpointBuild pkgs.hello;
  changedHello = pkgs.hello.overrideAttrs (_: {
    doCheck = false;
-    postPatch = ''
+    patchPhase = ''
      sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
    '';
  });
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -1,6 +1,6 @@
 {
-  pkgs ? (import ../ci { }).pkgs,
+  pkgs ? (import ./.. { }),
  nixpkgs ? { },
 }:

-pkgs.callPackage ./doc-support/package.nix { inherit nixpkgs; }
+pkgs.nixpkgs-manual.override { inherit nixpkgs; }
--- a/doc/doc-support/lib-function-docs.nix
+++ b/doc/doc-support/lib-function-docs.nix
@@ -102,8 +102,6 @@ stdenvNoCC.mkDerivation {
  ];

  installPhase = ''
-    runHook preInstall
-
    cd ..

    export NIX_STATE_DIR=$(mktemp -d)
@@ -145,7 +143,5 @@ stdenvNoCC.mkDerivation {
    ) libsets}

    echo '```' >> "$out/index.md"
-
-    runHook postInstall
  '';
 }
--- a/doc/doc-support/package.nix
+++ b/doc/doc-support/package.nix
@@ -14,8 +14,8 @@
  nixpkgs ? { },
  markdown-code-runner,
  roboto,
-  treefmt,
 }:
+
 stdenvNoCC.mkDerivation (
  finalAttrs:
  let
@@ -47,8 +47,6 @@ stdenvNoCC.mkDerivation (

    postPatch = ''
      ln -s ${optionsJSON}/share/doc/nixos/options.json ./config-options.json
-      ln -s ${treefmt.functionsDoc.markdown} ./packages/treefmt-functions.section.md
-      ln -s ${treefmt.optionsDoc.optionsJSON}/share/doc/nixos/options.json ./treefmt-options.json
    '';

    buildPhase = ''
@@ -99,14 +97,14 @@ stdenvNoCC.mkDerivation (
      dest="$out/share/doc/nixpkgs"
      mkdir -p "$(dirname "$dest")"
      mv out "$dest"
-      cp "$dest/index.html" "$dest/manual.html"
+      mv "$dest/index.html" "$dest/manual.html"

      cp ${roboto.src}/web/Roboto\[ital\,wdth\,wght\].ttf "$dest/Roboto.ttf"

      cp ${epub} "$dest/nixpkgs-manual.epub"

      mkdir -p $out/nix-support/
-      echo "doc manual $dest index.html" >> $out/nix-support/hydra-build-products
+      echo "doc manual $dest manual.html" >> $out/nix-support/hydra-build-products
      echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products

      runHook postInstall
@@ -125,7 +123,7 @@ stdenvNoCC.mkDerivation (
        let
          devmode' = devmode.override {
            buildArgs = toString ../.;
-            open = "/share/doc/nixpkgs/index.html";
+            open = "/share/doc/nixpkgs/manual.html";
          };
          nixos-render-docs-redirects' = writeShellScriptBin "redirects" "${lib.getExe nixos-render-docs-redirects} --file ${toString ../redirects.json} $@";
        in
--- a/doc/hooks/tauri.section.md
+++ b/doc/hooks/tauri.section.md
@@ -30,37 +30,35 @@ rustPlatform.buildRustPackage (finalAttrs: {

  # Assuming our app's frontend uses `npm` as a package manager
  npmDeps = fetchNpmDeps {
-    name = "${finalAttrs.pname}-${finalAttrs.version}-npm-deps";
-    inherit (finalAttrs) src;
+    name = "${finalAttrs.pname}-npm-deps-${finalAttrs.version}";
+    inherit src;
    hash = "...";
  };

-  nativeBuildInputs =
-    [
-      # Pull in our main hook
-      cargo-tauri.hook
+  nativeBuildInputs = [
+    # Pull in our main hook
+    cargo-tauri.hook

-      # Setup npm
-      nodejs
-      npmHooks.npmConfigHook
+    # Setup npm
+    nodejs
+    npmHooks.npmConfigHook

-      # Make sure we can find our libraries
-      pkg-config
-    ]
-    ++ lib.optionals stdenv.hostPlatform.isLinux [
-      wrapGAppsHook4
-    ];
-
-  buildInputs = lib.optionals stdenv.hostPlatform.isLinux [
-    glib-networking # Most Tauri apps need networking
-    openssl
-    webkitgtk_4_1
+    # Make sure we can find our libraries
+    pkg-config
+    wrapGAppsHook4
  ];

+  buildInputs =
+    [ openssl ]
+    ++ lib.optionals stdenv.hostPlatform.isLinux [
+      glib-networking # Most Tauri apps need networking
+      webkitgtk_4_1
+    ];
+
  # Set our Tauri source directory
  cargoRoot = "src-tauri";
  # And make sure we build there too
-  buildAndTestSubdir = finalAttrs.cargoRoot;
+  buildAndTestSubdir = cargoRoot;

  # ...
 })
--- a/doc/languages-frameworks/agda.section.md
+++ b/doc/languages-frameworks/agda.section.md
@@ -121,8 +121,6 @@ agda.withPackages {
 }
 ```

-To install Agda without GHC, use `ghc = null;`.
-
 ## Writing Agda packages {#writing-agda-packages}

 To write a nix derivation for an Agda library, first check that the library has a `*.agda-lib` file.
--- a/doc/languages-frameworks/bower.section.md
+++ b/doc/languages-frameworks/bower.section.md
@@ -118,13 +118,7 @@ pkgs.stdenv.mkDerivation {
    runHook postBuild
  '';

-  installPhase = ''
-    runHook preInstall
-
-    mv gulpdist $out
-
-    runHook postInstall
-  '';
+  installPhase = "mv gulpdist $out";
 }
 ```

--- a/doc/languages-frameworks/cuda.section.md
+++ b/doc/languages-frameworks/cuda.section.md
@@ -115,8 +115,8 @@ All new projects should use the CUDA redistributables available in [`cudaPackage

 ### Updating supported compilers and GPUs {#updating-supported-compilers-and-gpus}

-1. Update `nvccCompatibilities` in `pkgs/development/cuda-modules/_cuda/data/nvcc.nix` to include the newest release of NVCC, as well as any newly supported host compilers.
-2. Update `cudaCapabilityToInfo` in `pkgs/development/cuda-modules/_cuda/data/cuda.nix` to include any new GPUs supported by the new release of CUDA.
+1. Update `nvcc-compatibilities.nix` in `pkgs/development/cuda-modules/` to include the newest release of NVCC, as well as any newly supported host compilers.
+2. Update `gpus.nix` in `pkgs/development/cuda-modules/` to include any new GPUs supported by the new release of CUDA.

 ### Updating the CUDA Toolkit runfile installer {#updating-the-cuda-toolkit}

--- a/doc/languages-frameworks/emscripten.section.md
+++ b/doc/languages-frameworks/emscripten.section.md
@@ -192,7 +192,6 @@ pkgs.buildEmscriptenPackage {
    cp *.json $out/share
    cp *.rng $out/share
    cp README.md $doc/share/${name}
-
    runHook postInstall
  '';

--- a/doc/languages-frameworks/java.section.md
+++ b/doc/languages-frameworks/java.section.md
@@ -69,13 +69,9 @@ script to run it using a JRE. You can use `makeWrapper` for this:
  nativeBuildInputs = [ makeWrapper ];

  installPhase = ''
-    runHook preInstall
-
    mkdir -p $out/bin
    makeWrapper ${jre}/bin/java $out/bin/foo \
      --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
-
-    runHook postInstall
  '';
 }
 ```
--- a/doc/languages-frameworks/javascript.section.md
+++ b/doc/languages-frameworks/javascript.section.md
@@ -690,11 +690,7 @@ The configure phase can sometimes fail because it makes many assumptions which m
 ```nix
 {
  configurePhase = ''
-    runHook preConfigure
-
    ln -s $node_modules node_modules
-
-    runHook postConfigure
  '';
 }
 ```
@@ -704,12 +700,8 @@ or if you need a writeable node_modules directory:
 ```nix
 {
  configurePhase = ''
-    runHook preConfigure
-
    cp -r $node_modules node_modules
    chmod +w node_modules
-
-    runHook postConfigure
  '';
 }
 ```
--- a/doc/languages-frameworks/lisp.section.md
+++ b/doc/languages-frameworks/lisp.section.md
@@ -59,11 +59,7 @@ Such a Lisp can be now used e.g. to compile your sources:
 ```nix
 {
  buildPhase = ''
-    runHook preBuild
-
    ${sbcl'}/bin/sbcl --load my-build-file.lisp
-
-    runHook postBuild
  '';
 }
 ```
--- a/doc/languages-frameworks/neovim.section.md
+++ b/doc/languages-frameworks/neovim.section.md
@@ -59,7 +59,7 @@ For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs
 - `neovimRcContent`: Extra vimL code sourced by the generated `init.lua`.
 - `wrapperArgs`: Extra arguments forwarded to the `makeWrapper` call.
 - `wrapRc`: Nix, not being able to write in your `$HOME`, loads the
-  generated Neovim configuration via the `$VIMINIT` environment variable, i.e. : `export VIMINIT='lua dofile("/nix/store/…-init.lua")'`. This has side effects like preventing Neovim from sourcing your `init.lua` in `$XDG_CONFIG_HOME/nvim` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#startup) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse the generated vimscript init code via `neovim.passthru.initRc`.
+  generated Neovim configuration via its  `-u` argument, i.e. : `-u /nix/store/...generatedInit.lua`. This has side effects like preventing Neovim from reading your config in `$XDG_CONFIG_HOME` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#_initialization) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse while reusing the logic of the nixpkgs wrapper and access the generated config via `neovim.passthru.initRc`.
 - `plugins`: A list of plugins to add to the wrapper.

 ```
--- a/doc/languages-frameworks/swift.section.md
+++ b/doc/languages-frameworks/swift.section.md
@@ -103,13 +103,7 @@ stdenv.mkDerivation (finalAttrs: {

  # The helper provides a configure snippet that will prepare all dependencies
  # in the correct place, where SwiftPM expects them.
-  configurePhase = ''
-    runHook preConfigure
-
-    ${generated.configure}
-
-    runHook postConfigure
-  '';
+  configurePhase = generated.configure;

  installPhase = ''
    runHook preInstall
@@ -174,17 +168,11 @@ with a writable copy:

 ```nix
 {
-  configurePhase = ''
-    runHook preConfigure
-
-    ${generated.configure}
-
+  configurePhase = generated.configure ++ ''
    # Replace the dependency symlink with a writable copy.
    swiftpmMakeMutable swift-crypto
    # Now apply a patch.
    patch -p1 -d .build/checkouts/swift-crypto -i ${./some-fix.patch}
-
-    runHook postConfigure
  '';
 }
 ```
--- a/doc/languages-frameworks/vim.section.md
+++ b/doc/languages-frameworks/vim.section.md
@@ -177,7 +177,7 @@ Finally, there are some plugins that are also packaged in nodePackages because t
 Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).

 ```sh
-nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_TOKEN environment variable
+nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_API_TOKEN environment variable
 ```

 Alternatively, set the number of processes to a lower count to avoid rate-limiting.
--- a/doc/manual.md.in
+++ b/doc/manual.md.in
@@ -9,7 +9,6 @@ preface.chapter.md
 using-nixpkgs.md
 lib.md
 stdenv.md
-toolchains.md
 build-helpers.md
 development.md
 contributing.md
--- a/doc/packages/index.md
+++ b/doc/packages/index.md
@@ -25,7 +25,6 @@ nginx.section.md
 opengl.section.md
 shell-helpers.section.md
 python-tree-sitter.section.md
-treefmt.section.md
 steam.section.md
 cataclysm-dda.section.md
 urxvt.section.md
--- a/doc/packages/treefmt.section.md
+++ b/doc/packages/treefmt.section.md
@@ -1,23 +0,0 @@
-# treefmt {#treefmt}
-
-[treefmt](https://github.com/numtide/treefmt) streamlines the process of applying formatters to your project, making it a breeze with just one command line.
-
-The [`treefmt` package](https://search.nixos.org/packages?channel=unstable&show=treefmt)
-provides functions for configuring treefmt using the module system, which are [documented below](#sec-functions-library-treefmt), along with [their options](#sec-treefmt-options-reference).
-
-Alternatively, treefmt can be configured using [treefmt-nix](https://github.com/numtide/treefmt-nix).
-
-```{=include=} sections auto-id-prefix=auto-generated-treefmt-functions
-treefmt-functions.section.md
-```
-
-## Options Reference {#sec-treefmt-options-reference}
-
-The following attributes can be passed to [`withConfig`](#pkgs.treefmt.withConfig) or [`evalConfig`](#pkgs.treefmt.evalConfig):
-
-```{=include=} options
-id-prefix: opt-treefmt-
-list-id: configuration-variable-list
-source: ../treefmt-options.json
-```
-
--- a/doc/packages/weechat.section.md
+++ b/doc/packages/weechat.section.md
@@ -113,13 +113,9 @@ stdenv.mkDerivation {
    "bar.lua"
  ];
  installPhase = ''
-    runHook preInstall
-
    mkdir $out/share
    cp foo.py $out/share
    cp bar.lua $out/share
-
-    runHook postInstall
  '';
 }
 ```
--- a/doc/redirects.json
+++ b/doc/redirects.json
@@ -5,9 +5,6 @@
  "chap-release-notes": [
    "release-notes.html#chap-release-notes"
  ],
-  "chap-toolchains": [
-    "index.html#chap-toolchains"
-  ],
  "cmake-ctest": [
    "index.html#cmake-ctest"
  ],
@@ -69,18 +66,6 @@
  "pkgs-replacevarswith": [
    "index.html#pkgs-replacevarswith"
  ],
-  "part-toolchains": [
-    "index.html#part-toolchains"
-  ],
-  "pkgs.treefmt.buildConfig": [
-    "index.html#pkgs.treefmt.buildConfig"
-  ],
-  "pkgs.treefmt.evalConfig": [
-    "index.html#pkgs.treefmt.evalConfig"
-  ],
-  "pkgs.treefmt.withConfig": [
-    "index.html#pkgs.treefmt.withConfig"
-  ],
  "preface": [
    "index.html#preface"
  ],
@@ -114,15 +99,6 @@
  "sec-build-helper-extendMkDerivation": [
    "index.html#sec-build-helper-extendMkDerivation"
  ],
-  "sec-building-packages-with-llvm": [
-    "index.html#sec-building-packages-with-llvm"
-  ],
-  "sec-building-packages-with-llvm-using-clang-stdenv": [
-    "index.html#sec-building-packages-with-llvm-using-clang-stdenv"
-  ],
-  "sec-functions-library-treefmt": [
-    "index.html#sec-functions-library-treefmt"
-  ],
  "sec-inkscape": [
    "index.html#sec-inkscape"
  ],
@@ -150,30 +126,6 @@
  "chap-overlays": [
    "index.html#chap-overlays"
  ],
-  "sec-nixpkgs-release-25.11": [
-    "release-notes.html#sec-nixpkgs-release-25.11"
-  ],
-  "sec-nixpkgs-release-25.11-highlights": [
-    "release-notes.html#sec-nixpkgs-release-25.11-highlights"
-  ],
-  "sec-nixpkgs-release-25.11-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.11-incompatibilities"
-  ],
-  "sec-nixpkgs-release-25.11-lib": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib"
-  ],
-  "sec-nixpkgs-release-25.11-lib-breaking": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-breaking"
-  ],
-  "sec-nixpkgs-release-25.11-lib-deprecations": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-deprecations"
-  ],
-  "sec-nixpkgs-release-25.11-lib-additions-improvements": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-additions-improvements"
-  ],
-  "sec-nixpkgs-release-25.11-notable-changes": [
-    "release-notes.html#sec-nixpkgs-release-25.11-notable-changes"
-  ],
  "sec-nixpkgs-release-25.05": [
    "release-notes.html#sec-nixpkgs-release-25.05"
  ],
@@ -181,8 +133,7 @@
    "release-notes.html#sec-nixpkgs-release-25.05-highlights"
  ],
  "sec-nixpkgs-release-25.05-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities",
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities"
  ],
  "sec-nixpkgs-release-25.05-incompatibilities-titanium-removed": [
    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed",
@@ -190,6 +141,9 @@
    "index.html#building-a-titanium-app",
    "index.html#emulating-or-simulating-the-app"
  ],
+  "sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded": [
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
+  ],
  "sec-nixpkgs-release-25.05-lib": [
    "release-notes.html#sec-nixpkgs-release-25.05-lib"
  ],
@@ -406,9 +360,6 @@
  "chap-stdenv": [
    "index.html#chap-stdenv"
  ],
-  "sec-using-llvm": [
-    "index.html#sec-using-llvm"
-  ],
  "sec-using-stdenv": [
    "index.html#sec-using-stdenv"
  ],
@@ -418,9 +369,6 @@
  "sec-tools-of-stdenv": [
    "index.html#sec-tools-of-stdenv"
  ],
-  "sec-treefmt-options-reference": [
-    "index.html#sec-treefmt-options-reference"
-  ],
  "ssec-cosmic-common-issues": [
    "index.html#ssec-cosmic-common-issues"
  ],
@@ -496,9 +444,6 @@
  "tester-testEqualArrayOrMap-return": [
    "index.html#tester-testEqualArrayOrMap-return"
  ],
-  "treefmt": [
-    "index.html#treefmt"
-  ],
  "typst": [
    "index.html#typst",
    "doc/languages-frameworks/typst.section.md#typst"
--- a/doc/release-notes/release-notes.md
+++ b/doc/release-notes/release-notes.md
@@ -3,6 +3,5 @@
 This section lists the release notes for each stable version of Nixpkgs and current unstable revision.

 ```{=include=} sections
-rl-2511.section.md
 rl-2505.section.md
 ```
--- a/doc/release-notes/rl-2505.section.md
+++ b/doc/release-notes/rl-2505.section.md
@@ -1,4 +1,4 @@
-# Nixpkgs 25.05 (2025.05/23) {#sec-nixpkgs-release-25.05}
+# Nixpkgs 25.05 (2025.05/??) {#sec-nixpkgs-release-25.05}

 ## Highlights {#sec-nixpkgs-release-25.05-highlights}

@@ -17,26 +17,17 @@

 - The default GHC version has been updated from 9.6 to 9.8.
  `haskellPackages` also uses Stackage LTS 23 (instead of LTS 22) as a baseline.
-  We aim to remove the old GHC versions 8.10, 9.0 and 9.2 in the next release in accordance with [the new GHC deprecation policy](https://discourse.nixos.org/t/nixpkgs-ghc-deprecation-policy-user-feedback-necessary/64153).

 - LLVM has been updated from LLVM 16 (on Darwin) and LLVM 18 (on other platforms) to LLVM 19.
  This introduces some backwards‐incompatible changes; see the [upstream release notes](https://releases.llvm.org/) for details.

 - The Factor programming language packages were reworked. `factor-lang-scope` is now named `factorPackages` and provides a `buildFactorApplication` function to deploy Factor programs as binaries. It has also received proper documentation in the Nixpkgs manual.

- The packaging of Mesa graphics drivers has been significantly reworked, in particular:
-  - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
-  - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively
-
- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
-
 - Emacs has been updated to 30.1.
  This introduces some backwards‐incompatible changes; see the NEWS for details.
  NEWS can been viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar.
  It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30).

- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.
-
 - The default openexr version has been updated to 3.2.4.

 - The default PHP version has been updated to 8.4.
@@ -45,6 +36,8 @@

 - The default Elixir version has been updated to 1.18.

+- `buildPythonPackage`, `buildPythonApplication` and the Python building setup hooks now support both `__structuredAttrs = true` and `__structuredAttrs = false`.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Backward Incompatibilities {#sec-nixpkgs-release-25.05-incompatibilities}
@@ -64,8 +57,6 @@
  The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
  For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).

- `gkraken` has been removed. The recommended alternative is `coolercontrol`.
-
 - `opensmtpd-extras` has been deprecated by upstream and is not compatible with
  OpenSMTPD 7.6.0 or later. The package has been removed in favor of a set of new
  `opensmtpd-table-*` packages.
@@ -74,42 +65,20 @@
  configuration settings. Notably, it now defaults to listening on a socket
  rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details.

- `renovate` was updated to v39. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/39.0.0) for breaking changes.
-  Like upstream's docker images, renovate now runs on NodeJS 22.
-
 - The hand written `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible)
  `perlPackages.Xapian`.

- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
-[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).
-
 - The `config` triple for `aarch64-darwin` has been changed from `aarch64-apple-darwin` to `arm64-apple-darwin` to match the Apple toolchain and LLVM’s expectations.

 - The `electron` packages will now provide their headers (available via `electron.headers`) in extracted form instead of in a tarball.

- The udev rules of the `libjaylink` package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.
-
 - The `ephemeral` package was removed due to upstream archival in early 2022.

- The `gotenberg` package has been updated to 8.16.0, which brings breaking changes to the configuration from version 8.13.0. See the [upstream release notes](https://github.com/gotenberg/gotenberg/releases/tag/v8.13.0) for that release to get all the details.
-
- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
-
 - The `vocal` package was removed due to upstream archival. The upstream developer suggests using `gnome-podcasts` or `kasts` instead.

- `timescaledb` requires manual upgrade steps.
-    After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
-    PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
-
- `paperless-ngx` has been updated to minor version 2.15 which switched the web server from Gunicorn to Granian. If you set Gunicorn specific envs (usually contain GUNICORN) they must be updated.
-
 - [testers.shellcheck](https://nixos.org/manual/nixpkgs/unstable/#tester-shellcheck) now warns when `name` is not provided.
  The `name` argument will become mandatory in a future release.

- `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`.
-
- `aws-workspaces` has dropped support for PCoiP networking.
-
 - [GIMP 3.0](https://www.gimp.org/news/2025/03/16/gimp-3-0-released/) available as `gimp3`.

 - `grafana-agent` and `services.grafana-agent` have been removed in favor of
@@ -118,35 +87,10 @@
  Grafana recommends migrating to `grafana-alloy` (`services.alloy`).
  See https://grafana.com/docs/alloy/latest/set-up/migrate/ for details.

- `slskd` has been updated to v0.22.3, which includes breaking changes to `script` integrations. Please review the [changelog](https://github.com/slskd/slskd/releases/tag/0.22.3)
-  and the accompanying [pull request](https://github.com/slskd/slskd/pull/1292).
-
- `forgejo` and `forgejo-lts` have been updated to v11.
-  See upstreams [release blog post](https://forgejo.org/2025-04-release-v11-0/) for more information.
-
- `unifi` has been updated to v9.1.
-  This version should be backward compatible with v8.x, however as a result, `unifi8` package has been removed.
-
 - `xdragon` package has been renamed to `dragon-drop`.
  `xdragon` is an alias to `dragon-drop` and the package still provides `bin/xdragon`.
  `bin/dragon` is no longer supplied.

- `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
-
- `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.
-
- `rocmPackages_6` has been updated to ROCm 6.3.
-
- `rocmPackages_5` has been removed.
-
- `rocmPackages.rocm-thunk` has been removed and its functionality has been integrated with the ROCm CLR. Use `rocmPackages.clr` instead.
-
- `rocmPackages.clang-ocl` has been removed. [It was deprecated by AMD in 2023.](https://github.com/ROCm/clang-ocl)
-
- `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
-
- The default version of `z3` has been updated from 4.8 to 4.13. There are still a few packages that need specific older versions; those will continue to be maintained as long as other packages depend on them but may be removed in the future.
-
 - The `nixLog*` family of functions made available through the standard environment have been rewritten to prefix messages with both the debug level and the function name of the caller.
  The `nixLog` function, which logs unconditionally, was also re-introduced and modified to prefix messages with the function name of the caller.
  For more information, [see this PR](https://github.com/NixOS/nixpkgs/pull/370742).
@@ -169,10 +113,6 @@
  and the [4.2 release](https://github.com/netbox-community/netbox/releases/tag/v4.2.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_2;` in your configuration.

- `nodePackages.expo-cli` has been removed, as it was deprecated by upstream. The suggested replacement is the `npx expo` command.
-
- The `conduwuit` matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.
-
 - NetBox version 4.0.X available as `netbox_4_0` was removed. Please upgrade to `4.2`.

 - `golangci-lint` has reached `v2`. Please read the changes and view the migration guide [here](https://golangci-lint.run/product/changelog/#200).
@@ -187,8 +127,6 @@

 - Default ICU version updated from 74 to 76

- The packages `signald`, `signaldctl` and `purple-signald` have been dropped as they are unmaintained upstream and have been incompatible with the official Signal servers for a long while.
-
 - Apache Kafka was updated to `>= 4.0.0`. Please note that this is the first release which operates
  entirely without Apache ZooKeeper support, and all clusters need to be migrated to KRaft mode. See
  the [release announcement](https://kafka.apache.org/blog#apache_kafka_400_release_announcement)
@@ -247,10 +185,6 @@
 - `strawberry` has been updated to 1.2, which drops support for the VLC backend and Qt 5. The `strawberry-qt5` package
  and `withGstreamer`/`withVlc` override options have been removed due to this.

- `nexusmods-app` has been upgraded from version 0.6.3. If you were running a version older than 0.7.0, then before upgrading, you **must reset all app state** (mods, games, settings, etc). Otherwise, NexusMods.App will crash due to app state files incompatibility.
-  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
-  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).
-
 - `nezha` and its agent `nezha-agent` have been updated to v1, which contains breaking changes. See the [official wiki](https://nezha.wiki/en_US/) for more details.

 - `ps3-disc-dumper` was updated to 4.2.5, which removed the CLI project and now exclusively offers the GUI
@@ -298,8 +232,6 @@

 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest.

- `tpm2-pkcs11` now is compiled without abrmd (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with abrmd support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`.
-
 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead.

 - `webpack-cli` was updated to major version 6, which has breaking changes from the previous version 5.1.4. See the [upstream release notes](https://github.com/webpack/webpack-cli/releases/tag/webpack-cli%406.0.0) for details on these changes.
@@ -327,6 +259,9 @@

 - `tldr` now uses [`tldr-python-client`](https://github.com/tldr-pages/tldr-python-client) instead of [`tldr-c-client`](https://github.com/tldr-pages/tldr-c-client) which is unmaintained.

+- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
+  Like upstream's docker images, renovate now runs on NodeJS 22.
+
 - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.

 - `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
@@ -335,7 +270,7 @@

 - `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.

- The default version of `z3` has been updated from 4.8 to 4.15, and all old versions have been dropped. Note that `fstar` still depends on specific versions, and maintains them as overrides.
+- The default version of `z3` has been updated from 4.8 to 4.14, and all old versions have been dropped. Note that `fstar` still depends on specific versions, and maintains them as overrides.

 - `prometheus` has been updated from 2.55.0 to 3.1.0.
  Read the [release blog post](https://prometheus.io/blog/2024/11/14/prometheus-3-0/) and
@@ -393,22 +328,12 @@
 - `docker_24` has been removed, as it was EOL with vulnerabilities since June 08, 2024.

 - Emacs 28 and 29 have been removed.
-
 - Emacs 28 Macport has been removed, while CVEs of Emacs 29 Macport are patched.

 - `containerd` has been updated to v2, which contains breaking changes. See the [containerd
  2.0](https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md) documentation for more
  details.

- The `tinycc` package now has the `dev`, `doc` and `lib` outputs, thus,
-`tinycc.out` may now only provide the tcc and cross compilers binaries.
-
- The `testTarget` argument of `haskellPackages.mkDerivation` has been deprecated in favour of `testTargets`.
-  `testTarget` took a space separated string of targets, whereas the new `testTargets` argument takes a list of targets.
-  For instance, `testTarget = "foo bar baz"` should become `testTargets = [ "foo" "bar" "baz" ]`.
-
- `rustPlatform.buildRustPackage` stops handling the deprecated argument `cargoSha256`. Out-of-tree packages that haven't migrated from `cargoSha256` to `cargoHash` now receive errors.
-
 - `nodePackages.stackdriver-statsd-backend` has been removed, as the StackDriver service has been discontinued by Google, and therefore the package no longer works.

 - `python3Packages.opentracing` has been removed due to being unmaintained upstream. [OpenTelemetry](https://opentelemetry.io/) is the recommended replacement.
@@ -441,10 +366,6 @@
  There is also a breaking change in the handling of CUDA. Instead of using a CUDA compatible jaxlib
  as before, you can use plugins like `python3Packages.jax-cuda12-plugin`.

- Added `allowVariants` to gate availability of package sets like `pkgsLLVM`, `pkgsMusl`, `pkgsZig`, etc. This was done in an effort to
-  decrease evaluation times by limiting the number of instances of nixpkgs to evaluate. The option will be removed in the future as a
-  new mechanism is in the works for handling cross compilation.
-
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Other Notable Changes {#sec-nixpkgs-release-25.05-notable-changes}
@@ -453,16 +374,9 @@
  - `i18n.extraLocales` should now be the preferred way to install additional locales.
  - `i18n.supportedLocales` is now considered an implementation detail and will be hidden from the documentation. But the option will still continue to work.
  - `i18n.supportedLocales` will now trigger a warning when it omits any locale set in `i18n.defaultLocale`, `i18n.extraLocales` or `i18n.extraLocaleSettings`.
-  - The options `i18n.defaultCharset` & `i18n.localeCharsets` were added, and they complement `i18n.defaultLocale` & `i18n.extraLocaleSettings` respectively - allowing to control the character set used per locale setting.
-
- Plasma 5 and Qt 5 based versions of associated software are deprecated in NixOS 25.05, and will be removed in NixOS 25.11. Users are encouraged to upgrade to Plasma 6.

 - `titaniumenv`, `titanium`, and `titanium-alloy` have been removed due to lack of maintenance in Nixpkgs []{#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed}.

- [Cursor](https://cursor.com/) — a vscode-based editor that uses AI to help you write code faster — has been packaged as `cursor`.
-
- `octave` (and `octaveFull`) was updated to version `10.x`. The update broke a few `octavePackages`, and `librsb`. See [the PR's commits](https://github.com/NixOS/nixpkgs/pull/394495/commits) for more details.
-
 - androidenv has been improved:
  - All versions specified in composeAndroidPackages now track the latest. Android packages are automatically updated on unstable, and run the androidenv test suite on every update.
  - Many androidenv packages are now searchable on [search.nixos.org](https://search.nixos.org).
@@ -472,76 +386,28 @@

 - `gerbera` now has wavpack support.

- `buildPythonPackage`, `buildPythonApplication` and the Python building setup hooks now support both `__structuredAttrs = true` and `__structuredAttrs = false`.
-
- `buildGoModule` now supports a self-referencing `finalAttrs:` parameter
-  containing the final arguments including overrides.
-  This allows packaging configuration to be overridden in a consistent manner by
-  providing an alternative to `rec {}` syntax.
-
- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added.
-
-  Example:
-  ```nix
-  let
-    pkgs = import <nixpkgs> { };
-  in
-
-  pkgs.caddy.withPlugins {
-    plugins = [
-      # tagged upstream
-      "github.com/caddy-dns/powerdns@v1.0.1"
-      # pseudo-version number generated by Go
-      "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
-      "github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d"
-    ];
-    hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
-  }
-  ```
-
-  To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value.
-
-  Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get <plugin>` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.
-
- The `godot-export-templates` package now has its content at `share/godot/export_templates/$version` instead of the output root. This makes it more convenient for for symlinking into `~/.local`, but scripts expecting the old layout will need to be changed.
-
 - GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.

 - `tpm2-pkcs11` now has the variant `tpm2-pkcs11-fapi`, which has been patched to default to the Feature API backend. It has also been split into `tpm2-pkcs11-esapi`, which _only_ supports the older Enhanced System API backend. Note the [differences](https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.1/docs/FAPI.md), and that `tpm2-pkcs11` itself still needs `TPM2_PKCS11_BACKEND=fapi` exported in order to use the Feature API, whereas `tpm2-pkcs11-fapi` does not, and `tpm2-pkcs11-esapi` just does not support fapi entirely.

 - For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

- Mattermost, a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.
-  - A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixos/unstable#sec-mattermost-plugins-build) for an example.
-  - The Mattermost frontend is now built from source and can be overridden. Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now.
-  - `pkgs.mattermost` has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
-  - `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`.
-
- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
-
- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
-
 - In `dovecot` package removed hard coding path to module directory.

- `authelia` version 4.39.0 has made some changes which deprecate older configurations.
-  They are still expected to be working until future version 5.0.0, but will generate warnings in logs.
-  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes.
-
- `hddfancontrol` has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.
-
- `nextcloud-news-updater` is unmaintained and was removed from nixpkgs.
-
- KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed.
-  ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and
-  [is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0)
-  in Linux 6.13.
-
- `gerbera` now has wavpack support.
-
 - `signal-desktop` has been migrated to a from source build. No state migration is necessary. In case there's no working source build available (like on Darwin), the the binary build is still available at `signal-desktop-bin`.

 - `ddclient` was updated from 3.11.2 to 4.0.0 [Release notes](https://github.com/ddclient/ddclient/releases/tag/v4.0.0)

+### NexusMods.App upgraded {#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded}
+
+- `nexusmods-app` has been upgraded from version 0.6.3 to 0.10.2.
+
+  - Before upgrading, you **must reset all app state** (mods, games, settings, etc). NexusMods.App will crash if any state from a version older than 0.7.0 is still present.
+
+  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
+
+  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).
+
 ## Nixpkgs Library {#sec-nixpkgs-release-25.05-lib}

 ### Breaking changes {#sec-nixpkgs-release-25.05-lib-breaking}
@@ -550,7 +416,15 @@
  - [`lib.types.enum`](https://nixos.org/manual/nixos/unstable/#sec-option-types-basic): Previously the `functor.payload` was the list of enum values directly. Now it is an attribute set containing the values in the `values` attribute.
  - [`lib.types.separatedString`](https://nixos.org/manual/nixos/unstable/#sec-option-types-string): Previously the `functor.payload` was the separator directly. Now it is an attribute set containing the separator in the `sep` attribute.

- [`lib.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive) now rejects unknown arguments.
+- The `tinycc` package now has the `dev`, `doc` and `lib` outputs, thus,
+`tinycc.out` may now only provide the tcc and cross compilers binaries.
+
+- The `virtualisation.hypervGuest.videoMode` option has been removed. Standard tooling can now be used to configure display modes for Hyper-V VMs.
+
+- [`lib.packagesFromDirectoryRecursive`] now rejects unknown arguments.
+  [`lib.packagesFromDirectoryRecursive`]: https://nixos.org/manual/nixpkgs/stable/#function-library-lib.filesystem.packagesFromDirectoryRecursive
+
+- The `godot-export-templates` package now has its content at `share/godot/export_templates/$version` instead of the output root. This makes it more convenient for for symlinking into `~/.local`, but scripts expecting the old layout will need to be changed.

 ### Deprecations {#sec-nixpkgs-release-25.05-lib-deprecations}

@@ -564,6 +438,14 @@
    - `lib.types.coercedTo`
    - `lib.types.either`

+- The `testTarget` argument of `haskellPackages.mkDerivation` has been deprecated in favour of `testTargets`.
+  `testTarget` took a space separated string of targets, whereas the new `testTargets` argument takes a list of targets.
+  For instance, `testTarget = "foo bar baz"` should become `testTargets = [ "foo" "bar" "baz" ]`.
+
+- Plasma 5 and Qt 5 based versions of associated software are deprecated in NixOS 25.05, and will be removed in NixOS 25.11. Users are encouraged to upgrade to Plasma 6.
+
+- `rustPlatform.buildRustPackage` stops handling the deprecated argument `cargoSha256`. Out-of-tree packages that haven't migrated from `cargoSha256` to `cargoHash` now receive errors.
+
 ### Additions and Improvements {#sec-nixpkgs-release-25.05-lib-additions-improvements}

- [`lib.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive) can now construct nested scopes matching the directory tree passed as input.
+- [`lib.packagesFromDirectoryRecursive`] can now construct nested scopes matching the directory tree passed as input.
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -1,13 +1,9 @@
-# Nixpkgs 25.11 ("Xantusia", 2025.11/??) {#sec-nixpkgs-release-25.11}
+# Nixpkgs 25.11 (2025.11/??) {#sec-nixpkgs-release-25.11}

 ## Highlights {#sec-nixpkgs-release-25.11-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The initial work to support native compilation on LoongArch64 has completed, with further changes currently
-  in preparation. In accordance with the [Software Development and Build Convention for LoongArch Architectures](https://github.com/loongson/la-softdev-convention),
-  this release sets the default march level to `la64v1.0`, covering the desktop and server processors of 3X5000
-  and newer series. However, embedded chips without LSX (Loongson SIMD eXtension), such as 2K0300 SoC, are not
-  supported. `pkgsCross.loongarch64-linux-embedded` can be used to build software and systems for these platforms.
+- Create the first release note entry in this section!

 ## Backward Incompatibilities {#sec-nixpkgs-release-25.11-incompatibilities}

@@ -37,6 +33,5 @@

 ### Additions and Improvements {#sec-nixpkgs-release-25.11-lib-additions-improvements}

- `neovim`: Added support for the `vim.o.exrc` option, the `VIMINIT` environment variable, and sourcing of `sysinit.vim`.
+- Create the first release note entry in this section!

-  See the neovim help page [`:help startup`](https://neovim.io/doc/user/starting.html#startup) for more information, as well as [the nixpkgs neovim wrapper documentation](#neovim-custom-configuration).
--- a/doc/shell.nix
+++ b/doc/shell.nix
@@ -1 +1,7 @@
-(import ./default.nix { }).shell
+let
+  pkgs = import ../. {
+    config = { };
+    overlays = [ ];
+  };
+in
+pkgs.nixpkgs-manual.shell
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -261,7 +261,7 @@ stdenv.mkDerivation (finalAttrs: {
    util-linux
    qemu
  ];
-  # `checkPhase` elided
+  checkPhase = ''[elided]'';
 })
 ```

--- a/doc/toolchains.md
+++ b/doc/toolchains.md
@@ -1,5 +0,0 @@
-# Toolchains {#part-toolchains}
-
-```{=include=} chapters
-toolchains/llvm.chapter.md
-```
--- a/doc/toolchains/llvm.chapter.md
+++ b/doc/toolchains/llvm.chapter.md
@@ -1,35 +0,0 @@
-# The LLVM Toolchain {#chap-toolchains}
-
-LLVM is a target-independent optimizer and code generator and serves as the basis for many compilers such as Haskell's GHC, rustc, Zig, and many others. It forms the base tools for Apple's Darwin platform.
-
-## Using LLVM {#sec-using-llvm}
-
-LLVM has two ways of being used. One is by using it across all of Nixpkgs and the other is to compile and build individual packages.
-
-### Building packages with LLVM {#sec-building-packages-with-llvm}
-
-Nixpkgs supports two methods of compiling the world with LLVM. One is via setting `useLLVM` in `crossSystem` while importing. This is the recommended way when cross compiling as it is more expressive. An example of doing `aarch64-linux` cross compilation from `x86_64-linux` with LLVM on the target is the following:
-
-```nix
-import <nixpkgs> {
-  localSystem = {
-    system = "x86_64-linux";
-  };
-  crossSystem = {
-    useLLVM = true;
-    linker = "lld";
-  };
-}
-```
-
-Note that we set `linker` to `lld`. This is because LLVM has its own linker called "lld". By setting it, we utilize Clang and lld within this new instance of Nixpkgs. There is a shorthand method for building everything with LLVM: `pkgsLLVM`. This is easier to use with `nix-build` (or `nix build`):
-
-```bash
-nix-build -A pkgsLLVM.hello
-```
-
-This will compile the GNU hello package with LLVM and the lld linker like previously mentioned.
-
-#### Using `clangStdenv` {#sec-building-packages-with-llvm-using-clang-stdenv}
-
-Another simple way is to override the stdenv with `clangStdenv`. This causes a single package to be built with Clang. However, this `stdenv` does not override platform defaults to use compiler-rt, libc++, and libunwind. This is the preferred way to make a single package in Nixpkgs build with Clang. There are cases where just Clang isn't enough. For these situations, there is `libcxxStdenv`, which uses Clang with libc++ and compiler-rt.
--- a/flake.nix
+++ b/flake.nix
@@ -20,24 +20,6 @@
      );
    in
    {
-      /**
-        The Nixpkgs repository/flake houses multiple components that provide functions.
-
-        These include the Nixpkgs `lib` library, with a larger number of functions for various purposes, as well as the `nixpkgs` (TBD) and `nixos` libraries whose main purpose is to provide configurability for those respective components.
-       */
-      # This attribute set is intentionally not extensible. Its purpose is not dependency injection.
-      libs = {
-        /**
-          [The Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4)
-         */
-        lib = import ./lib;
-
-        /**
-          Entrypoints into [NixOS](https://nixos.org/manual/nixos/unstable/), including [`runTest`](https://nixos.org/manual/nixos/unstable/#sec-call-nixos-test-outside-nixos).
-        */
-        nixos = import ./nixos/lib { };
-      };
-
      /**
        `nixpkgs.lib` is a combination of the [Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4), and other attributes
        that are _not_ part of the Nixpkgs library, but part of the Nixpkgs flake:
--- a/lib/.version
+++ b/lib/.version
@@ -1 +1 @@
-25.11
+25.05
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -309,7 +309,6 @@ let
        stringLength
        substring
        isString
-        replaceString
        replaceStrings
        intersperse
        concatStringsSep
@@ -346,7 +345,6 @@ let
        upperChars
        toLower
        toUpper
-        toCamelCase
        toSentenceCase
        addContextFrom
        splitString
--- a/lib/fileset/default.nix
+++ b/lib/fileset/default.nix
@@ -703,7 +703,7 @@ in
    # Type

    ```
-    difference :: FileSet -> FileSet -> FileSet
+    union :: FileSet -> FileSet -> FileSet
    ```

    # Examples
--- a/lib/gvariant.nix
+++ b/lib/gvariant.nix
@@ -18,7 +18,7 @@ let
    concatStrings
    escape
    head
-    replaceString
+    replaceStrings
    ;

  mkPrimitive = t: v: {
@@ -451,7 +451,7 @@ rec {
  mkString =
    v:
    let
-      sanitize = s: replaceString "\n" "\\n" (escape [ "'" "\\" ] s);
+      sanitize = s: replaceStrings [ "\n" ] [ "\\n" ] (escape [ "'" "\\" ] s);
    in
    mkPrimitive type.string v
    // {
--- a/lib/meta.nix
+++ b/lib/meta.nix
@@ -289,7 +289,8 @@ rec {
  */
  availableOn =
    platform: pkg:
-    ((!pkg ? meta.platforms) || any (platformMatch platform) pkg.meta.platforms)
+    pkg != null
+    && ((!pkg ? meta.platforms) || any (platformMatch platform) pkg.meta.platforms)
    && all (elem: !platformMatch platform elem) (pkg.meta.badPlatforms or [ ]);

  /**
--- a/lib/strings.nix
+++ b/lib/strings.nix
@@ -332,41 +332,6 @@ rec {
  */
  concatLines = concatMapStrings (s: s + "\n");

-  /**
-    Given string `s`, replace every occurrence of the string `from` with the string `to`.
-
-    # Inputs
-
-    `from`
-    : The string to be replaced
-
-    `to`
-    : The string to replace with
-
-    `s`
-    : The original string where replacements will be made
-
-    # Type
-
-    ```
-    replaceString :: string -> string -> string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.replaceString` usage example
-
-    ```nix
-    replaceString "world" "Nix" "Hello, world!"
-    => "Hello, Nix!"
-    replaceString "." "_" "v1.2.3"
-    => "v1_2_3"
-    ```
-
-    :::
-  */
-  replaceString = from: to: replaceStrings [ from ] [ to ];
-
  /**
    Repeat a string `n` times,
    and concatenate the parts into a new string.
@@ -1173,7 +1138,7 @@ rec {
      string = toString arg;
    in
    if match "[[:alnum:],._+:@%/-]+" string == null then
-      "'${replaceString "'" "'\\''" string}'"
+      "'${replaceStrings [ "'" ] [ "'\\''" ] string}'"
    else
      string;

@@ -1535,63 +1500,6 @@ rec {
        addContextFrom str (toUpper firstChar + toLower rest)
      );

-  /**
-    Converts a string to camelCase. Handles snake_case, PascalCase,
-    kebab-case strings as well as strings delimited by spaces.
-
-    # Inputs
-
-    `string`
-    : The string to convert to camelCase
-
-    # Type
-
-    ```
-    toCamelCase :: string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.toCamelCase` usage example
-
-    ```nix
-    toCamelCase "hello-world"
-    => "helloWorld"
-    toCamelCase "hello_world"
-    => "helloWorld"
-    toCamelCase "hello world"
-    => "helloWorld"
-    toCamelCase "HelloWorld"
-    => "helloWorld"
-    ```
-
-    :::
-  */
-  toCamelCase =
-    str:
-    lib.throwIfNot (isString str) "toCamelCase does only accepts string values, but got ${typeOf str}" (
-      let
-        separators = splitStringBy (
-          prev: curr:
-          elem curr [
-            "-"
-            "_"
-            " "
-          ]
-        ) false str;
-
-        parts = lib.flatten (
-          map (splitStringBy (
-            prev: curr: match "[a-z]" prev != null && match "[A-Z]" curr != null
-          ) true) separators
-        );
-
-        first = if length parts > 0 then toLower (head parts) else "";
-        rest = if length parts > 1 then map toSentenceCase (tail parts) else [ ];
-      in
-      concatStrings (map (addContextFrom str) ([ first ] ++ rest))
-    );
-
  /**
    Appends string context from string like object `src` to `target`.

--- a/lib/systems/architectures.nix
+++ b/lib/systems/architectures.nix
@@ -329,39 +329,6 @@ rec {
      "avx512"
      "fma"
    ];
-    # LoongArch64
-    # https://github.com/loongson/la-toolchain-conventions
-    loongarch64 = [
-      "fpu64"
-    ];
-    la464 = [
-      "fpu64"
-      "lsx"
-      "lasx"
-    ];
-    la664 = [
-      "fpu64"
-      "lsx"
-      "lasx"
-      "div32"
-      "frecipe"
-      "lam-bh"
-      "lamcas"
-      "ld-seq-sa"
-    ];
-    "la64v1.0" = [
-      "fpu64"
-      "lsx"
-    ];
-    "la64v1.1" = [
-      "fpu64"
-      "lsx"
-      "div32"
-      "frecipe"
-      "lam-bh"
-      "lamcas"
-      "ld-seq-sa"
-    ];
    # other
    armv5te = [ ];
    armv6 = [ ];
@@ -519,16 +486,6 @@ rec {
      ampere1a = [ "ampere1" ] ++ inferiors.ampere1;
      ampere1b = [ "ampere1a" ] ++ inferiors.ampere1a;

-      # LoongArch64
-      loongarch64 = [ ];
-      "la64v1.0" = [ "loongarch64" ];
-      la464 = [ "la64v1.0" ] ++ inferiors."la64v1.0";
-      "la64v1.1" = [ "la64v1.0" ] ++ inferiors."la64v1.0";
-      la664 = withInferiors [
-        "la464"
-        "la64v1.1"
-      ];
-
      # other
      armv5te = [ ];
      armv6 = [ ];
@@ -537,70 +494,6 @@ rec {
      loongson2f = [ ];
    };

-  /**
-    Check whether one GCC architecture has the the other inferior architecture.
-
-    # Inputs
-
-    `arch1`
-    : GCC architecture in string
-
-    `arch2`
-    : GCC architecture in string
-
-    # Type
-
-    ```
-    hasInferior :: string -> string -> bool
-    ```
-
-    # Examples
-    ::: {.example}
-    ## `lib.systems.architectures.hasInferior` usage example
-
-    ```nix
-    hasInferior "x86-64-v3" "x86-64"
-    => true
-    hasInferior "x86-64" "x86-64-v3"
-    => false
-    hasInferior "x86-64" "x86-64"
-    => false
-    ```
-  */
-  hasInferior = arch1: arch2: inferiors ? ${arch1} && lib.elem arch2 inferiors.${arch1};
-
-  /**
-    Check whether one GCC architecture can execute the other.
-
-    # Inputs
-
-    `arch1`
-    : GCC architecture in string
-
-    `arch2`
-    : GCC architecture in string
-
-    # Type
-
-    ```
-    canExecute :: string -> string -> bool
-    ```
-
-    # Examples
-    ::: {.example}
-    ## `lib.systems.architectures.canExecute` usage example
-
-    ```nix
-    canExecute "x86-64" "x86-64-v3"
-    => false
-    canExecute "x86-64-v3" "x86-64"
-    => true
-    canExecute "x86-64" "x86-64"
-    => true
-    ```
-  */
-  canExecute = arch1: arch2: arch1 == arch2 || hasInferior arch1 arch2;
-
  predicates =
    let
      featureSupport = feature: x: builtins.elem feature features.${x} or [ ];
@@ -617,7 +510,5 @@ rec {
      aesSupport = featureSupport "aes";
      fmaSupport = featureSupport "fma";
      fma4Support = featureSupport "fma4";
-      lsxSupport = featureSupport "lsx";
-      lasxSupport = featureSupport "lasx";
    };
 }
--- a/lib/systems/default.nix
+++ b/lib/systems/default.nix
@@ -14,7 +14,7 @@ let
    optionalAttrs
    optionalString
    removeSuffix
-    replaceString
+    replaceStrings
    toUpper
    ;

@@ -97,21 +97,7 @@ let
            platform:
            final.isAndroid == platform.isAndroid
            && parse.isCompatible final.parsed.cpu platform.parsed.cpu
-            && final.parsed.kernel == platform.parsed.kernel
-            && (
-              # Only perform this check when cpus have the same type;
-              # assume compatible cpu have all the instructions included
-              final.parsed.cpu == platform.parsed.cpu
-              ->
-                # if both have gcc.arch defined, check whether final can execute the given platform
-                (
-                  (final ? gcc.arch && platform ? gcc.arch)
-                  -> architectures.canExecute final.gcc.arch platform.gcc.arch
-                )
-                # if platform has gcc.arch defined but final doesn't, don't assume it can be executed
-                || (platform ? gcc.arch -> !(final ? gcc.arch))
-            );
-
+            && final.parsed.kernel == platform.parsed.kernel;
          isCompatible =
            _:
            throw "2022-05-23: isCompatible has been removed in favor of canExecute, refer to the 22.11 changelog for details";
@@ -522,7 +508,7 @@ let
            #
            # https://github.com/rust-lang/cargo/pull/9169
            # https://github.com/rust-lang/cargo/issues/8285#issuecomment-634202431
-            cargoEnvVarTarget = replaceString "-" "_" (toUpper final.rust.cargoShortTarget);
+            cargoEnvVarTarget = replaceStrings [ "-" ] [ "_" ] (toUpper final.rust.cargoShortTarget);

            # True if the target is no_std
            # https://github.com/rust-lang/rust/blob/2e44c17c12cec45b6a682b1e53a04ac5b5fcc9d2/src/bootstrap/config.rs#L415-L421
@@ -556,7 +542,7 @@ let
                "x86_64" = "amd64";
                "wasm32" = "wasm";
              }
-              .${final.parsed.cpu.name} or null;
+              .${final.parsed.cpu.name} or (throw "Unknown CPU variant ${final.parsed.cpu.name} by Go");
            GOOS = if final.isWasi then "wasip1" else final.parsed.kernel.name;

            # See https://go.dev/wiki/GoArm
--- a/lib/systems/examples.nix
+++ b/lib/systems/examples.nix
@@ -170,17 +170,9 @@ rec {
    libc = "newlib";
  };

-  # https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#10-operating-system-package-build-requirements
-  loongarch64-linux = lib.recursiveUpdate platforms.loongarch64-multiplatform {
+  loongarch64-linux = {
    config = "loongarch64-unknown-linux-gnu";
  };
-  loongarch64-linux-embedded = lib.recursiveUpdate platforms.loongarch64-multiplatform {
-    config = "loongarch64-unknown-linux-gnu";
-    gcc = {
-      arch = "loongarch64";
-      strict-align = true;
-    };
-  };

  mmix = {
    config = "mmix-unknown-mmixware";
--- a/lib/systems/platforms.nix
+++ b/lib/systems/platforms.nix
@@ -572,27 +572,6 @@ rec {
    };
  };

-  loongarch64-multiplatform = {
-    gcc = {
-      # https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#10-operating-system-package-build-requirements
-      arch = "la64v1.0";
-      strict-align = false;
-      # Avoid text sections of large apps exceeding default code model
-      # Will be default behavior in LLVM 21 and hopefully GCC16
-      # https://github.com/loongson-community/discussions/issues/43
-      # https://github.com/llvm/llvm-project/pull/132173
-      cmodel = "medium";
-    };
-    linux-kernel = {
-      name = "loongarch-multiplatform";
-      target = "vmlinuz.efi";
-      autoModules = true;
-      preferBuiltin = true;
-      baseConfig = "defconfig";
-      DTB = true;
-    };
-  };
-
  # This function takes a minimally-valid "platform" and returns an
  # attrset containing zero or more additional attrs which should be
  # included in the platform in order to further elaborate it.
@@ -619,9 +598,6 @@ rec {
    else if platform.isAarch64 then
      if platform.isDarwin then apple-m1 else aarch64-multiplatform

-    else if platform.isLoongArch64 then
-      loongarch64-multiplatform
-
    else if platform.isRiscV then
      riscv-multiplatform

@@ -631,8 +607,6 @@ rec {
    else if platform.parsed.cpu == lib.systems.parse.cpuTypes.powerpc64le then
      powernv

-    else if platform.isLoongArch64 then
-      loongarch64-multiplatform
    else
      { };
 }
--- a/lib/tests/maintainers.nix
+++ b/lib/tests/maintainers.nix
@@ -1,6 +1,6 @@
 # to run these tests (and the others)
 # nix-build nixpkgs/lib/tests/release.nix
-# These tests should stay in sync with the comment in maintainers/maintainer-list.nix
+# These tests should stay in sync with the comment in maintainers/maintainers-list.nix
 {
  # The pkgs used for dependencies for the testing itself
  pkgs ? import ../.. { },
--- a/lib/tests/misc.nix
+++ b/lib/tests/misc.nix
@@ -91,7 +91,6 @@ let
    range
    recursiveUpdateUntil
    removePrefix
-    replaceString
    replicate
    runTests
    setFunctionArgs
@@ -498,11 +497,6 @@ runTests {
    expected = "/usr/include:/usr/local/include";
  };

-  testReplaceStringString = {
-    expr = strings.replaceString "." "_" "v1.2.3";
-    expected = "v1_2_3";
-  };
-
  testReplicateString = {
    expr = strings.replicate 5 "hello";
    expected = "hellohellohellohellohello";
@@ -975,28 +969,6 @@ runTests {

  testToSentenceCasePath = testingThrow (strings.toSentenceCase ./.);

-  testToCamelCase = {
-    expr = strings.toCamelCase "hello world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromKebab = {
-    expr = strings.toCamelCase "hello-world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromSnake = {
-    expr = strings.toCamelCase "hello_world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromPascal = {
-    expr = strings.toCamelCase "HelloWorld";
-    expected = "helloWorld";
-  };
-
-  testToCamelCasePath = testingThrow (strings.toCamelCase ./.);
-
  testToInt = testAllTrue [
    # Naive
    (123 == toInt "123")
@@ -1734,11 +1706,6 @@ runTests {
    ];
  };

-  testReplaceString = {
-    expr = replaceString "world" "Nix" "Hello, world!";
-    expected = "Hello, Nix!";
-  };
-
  testReplicate = {
    expr = replicate 3 "a";
    expected = [
--- a/lib/tests/modules.sh
+++ b/lib/tests/modules.sh
@@ -160,6 +160,9 @@ checkConfigError 'A definition for option .intStrings\.badTagTypeError\.left. is
 checkConfigError 'A definition for option .nested\.right\.left. is not of type .signed integer.' config.nested.right.left ./types-attrTag.nix
 checkConfigError 'In attrTag, each tag value must be an option, but tag int was a bare type, not wrapped in mkOption.' config.opt.int ./types-attrTag-wrong-decl.nix

+# types.nix assertions
+checkConfigOutput '"ok"' config.check ./types.nix
+
 # types.pathInStore
 checkConfigOutput '".*/store/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv"' config.pathInStore.ok1 ./types.nix
 checkConfigOutput '".*/store/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15"' config.pathInStore.ok2 ./types.nix
--- a/lib/tests/modules/types.nix
+++ b/lib/tests/modules/types.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
  inherit (builtins)
    storeDir
@@ -7,10 +7,24 @@ let
    types
    mkOption
    ;
+
+  m = {
+    options = {
+      enableQux = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
 in
 {
  options = {
+    check = mkOption { };
+    # NB: types are tested in multiple places, so this list is far from exhaustive
    pathInStore = mkOption { type = types.lazyAttrsOf types.pathInStore; };
+    attrNamesToTrue = mkOption { type = types.lazyAttrsOf types.attrNamesToTrue; };
+    attrNamesToSet = mkOption { type = types.lazyAttrsOf types.attrNamesToSet; };
+    attrNamesToSubmodules = mkOption { type = types.lazyAttrsOf (types.attrNamesToSubmodules m); };
  };
  config = {
    pathInStore.ok1 = "${storeDir}/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv";
@@ -21,5 +35,112 @@ in
    pathInStore.bad3 = "${storeDir}/";
    pathInStore.bad4 = "${storeDir}/.links"; # technically true, but not reasonable
    pathInStore.bad5 = "/foo/bar";
+    attrNamesToTrue.justNames = [
+      "a"
+      "b"
+      "c"
+    ];
+    attrNamesToTrue.mixed = lib.mkMerge [
+      {
+        a = true;
+        b = false;
+      }
+      [ "c" ]
+    ];
+    attrNamesToTrue.trivial = {
+      a = true;
+      b = false;
+      c = true;
+    };
+    attrNamesToSet.justNames = [
+      "a"
+      "b"
+      "c"
+    ];
+    attrNamesToSet.mixed = lib.mkMerge [
+      {
+        a = { };
+        b = { };
+      }
+      [ "c" ]
+    ];
+    attrNamesToSet.trivial = {
+      a = { };
+      b = { };
+      c = { };
+    };
+    attrNamesToSubmodules.justNames = [
+      "a"
+      "b"
+      "c"
+    ];
+    attrNamesToSubmodules.mixed = lib.mkMerge [
+      {
+        a = { };
+        b.enableQux = true;
+      }
+      [ "c" ]
+    ];
+    attrNamesToSubmodules.trivial = {
+      a = { };
+      b.enableQux = true;
+      c = { };
+    };
+    check =
+      assert
+        config.attrNamesToTrue.justNames == {
+          a = true;
+          b = true;
+          c = true;
+        };
+      assert
+        config.attrNamesToTrue.mixed == {
+          a = true;
+          b = false;
+          c = true;
+        };
+      assert
+        config.attrNamesToTrue.trivial == {
+          a = true;
+          b = false;
+          c = true;
+        };
+      assert
+        config.attrNamesToSet.justNames == {
+          a = { };
+          b = { };
+          c = { };
+        };
+      assert
+        config.attrNamesToSet.mixed == {
+          a = { };
+          b = { };
+          c = { };
+        };
+      assert
+        config.attrNamesToSet.trivial == {
+          a = { };
+          b = { };
+          c = { };
+        };
+      assert
+        config.attrNamesToSubmodules.justNames == {
+          a.enableQux = false;
+          b.enableQux = false;
+          c.enableQux = false;
+        };
+      assert
+        config.attrNamesToSubmodules.mixed == {
+          a.enableQux = false;
+          b.enableQux = true;
+          c.enableQux = false;
+        };
+      assert
+        config.attrNamesToSubmodules.trivial == {
+          a.enableQux = false;
+          b.enableQux = true;
+          c.enableQux = false;
+        };
+      "ok";
  };
 }
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@@ -439,7 +439,7 @@ in
    On each release the first letter is bumped and a new animal is chosen
    starting with that new letter.
  */
-  codeName = "Xantusia";
+  codeName = "Warbler";

  /**
    Returns the current nixpkgs version suffix as string.
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -1456,6 +1456,23 @@ let
          nestedTypes.finalType = finalType;
        };

+      # Tests: lib/tests/modules/types.nix
+      # Docs: nixos/doc/manual/development/option-types.section.md
+      # Docs: https://nixos.org/manual/nixos/unstable/#sec-option-types-basic
+      attrNamesToTrue = coercedTo (types.listOf types.str) (
+        enabledList: lib.genAttrs enabledList (_attrName: true)
+      ) (types.attrsOf types.bool);
+
+      # Tests: lib/tests/modules.sh, lib/tests/modules/types.nix
+      # Docs: nixos/doc/manual/development/option-types.section.md
+      # Docs: https://nixos.org/manual/nixos/unstable/#sec-option-types-basic
+      attrNamesToSet = attrNamesToSubmodules { };
+      attrNamesToSubmodules =
+        m:
+        coercedTo (types.listOf types.str) (enabledList: lib.genAttrs enabledList (_attrName: { })) (
+          types.attrsOf (types.submodule m)
+        );
+
      # Augment the given type with an additional type check function.
      addCheck = elemType: check: elemType // { check = x: elemType.check x && check x; };

--- a/maintainers/README.md
+++ b/maintainers/README.md
@@ -40,10 +40,6 @@ In order to do so, add yourself to the
 [`maintainer-list.nix`](./maintainer-list.nix), and then to the desired
 package's `meta.maintainers` list, and send a PR with the changes.

-If you're adding yourself as a maintainer as part of another PR (in which
-you become a maintainer of a package, for example), make your change to
-`maintainer-list.nix` in a separate commit.
-
 ### How to lose maintainer status

 Maintainers who have become inactive on a given package can be removed. This
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -2135,11 +2135,6 @@
    githubId = 56650223;
    name = "Artturi N";
  };
-  artur-sannikov = {
-    name = "Artur Sannikov";
-    github = "artur-sannikov";
-    githubId = 40318410;
-  };
  arturcygan = {
    email = "arczicygan@gmail.com";
    github = "arcz";
@@ -2343,10 +2338,11 @@
    githubId = 11548989;
  };
  atalii = {
-    email = "me@tali.network";
+    email = "taliauster@gmail.com";
    github = "atalii";
    githubId = 120901234;
-    name = "Tali Auster";
+    name = "tali auster";
+    matrix = "@atalii:matrix.org";
  };
  atar13 = {
    name = "Anthony Tarbinian";
@@ -3059,12 +3055,6 @@
    github = "benhiemer";
    githubId = 16649926;
  };
-  benjajaja = {
-    name = "Benjamin Große";
-    email = "ste3ls@gmail.com";
-    github = "benjajaja";
-    githubId = 310215;
-  };
  benjaminedwardwebb = {
    name = "Ben Webb";
    email = "benjaminedwardwebb@gmail.com";
@@ -3486,11 +3476,6 @@
    githubId = 50839;
    name = "Brian Jones";
  };
-  bokicoder = {
-    github = "bokicoder";
-    githubId = 193465580;
-    name = "bokicoder";
-  };
  boldikoller = {
    email = "boldi.koller@wtss.eu";
    github = "boldikoller";
@@ -4011,18 +3996,6 @@
    githubId = 141733;
    name = "Andrew Bruce";
  };
-  Cameo007 = {
-    name = "Pascal Dietrich";
-    email = "pascal.1.dietrich@hotmail.com";
-    matrix = "@cameo007:mintux.de";
-    github = "Cameo007";
-    githubId = 80521473;
-    keys = [
-      {
-        fingerprint = "2D62 24B9 1250 86AF E318 12A0 F1D1 5228 0511 FB91";
-      }
-    ];
-  };
  camerondugan = {
    email = "cameron.dugan@protonmail.com";
    github = "camerondugan";
@@ -4438,13 +4411,6 @@
    githubId = 631802;
    keys = [ { fingerprint = "099E 3F97 FA08 3D47 8C75  EBEC E0EB AD78 F019 0BD9"; } ];
  };
-  chillcicada = {
-    email = "2210227279@qq.com";
-    name = "chillcicada";
-    github = "chillcicada";
-    githubId = 116548943;
-    keys = [ { fingerprint = "734C 20B3 33C4 FAB3 0BD0  743A 34C2 1231 0A99 754B"; } ];
-  };
  chiroptical = {
    email = "chiroptical@gmail.com";
    github = "chiroptical";
@@ -4845,12 +4811,6 @@
    name = "Coca";
    keys = [ { fingerprint = "99CB 86FF 62BB 7DA4 8903  B16D 0328 2DF8 8179 AB19"; } ];
  };
-  cococolanosugar = {
-    name = "George Xu";
-    github = "cococolanosugar";
-    githubId = 1736138;
-    email = "cococolanosugar@gmail.com";
-  };
  coconnor = {
    email = "coreyoconnor@gmail.com";
    github = "coreyoconnor";
@@ -5674,12 +5634,6 @@
    githubId = 4971975;
    name = "Janne Heß";
  };
-  dashietm = {
-    email = "fabio.lenherr@gmail.com";
-    github = "DashieTM";
-    githubId = 72016555;
-    name = "Fabio Lenherr";
-  };
  dasisdormax = {
    email = "dasisdormax@mailbox.org";
    github = "dasisdormax";
@@ -6519,12 +6473,6 @@
    githubId = 131907205;
    name = "David Thievon";
  };
-  dolphindalt = {
-    email = "dolphindalt@gmail.com";
-    github = "dolphindalt";
-    githubId = 13937320;
-    name = "Dalton Caron";
-  };
  domenkozar = {
    email = "domen@dev.si";
    github = "domenkozar";
@@ -6554,7 +6502,7 @@
    name = "DontEatOreo";
    github = "DontEatOreo";
    githubId = 57304299;
-    matrix = "@donteatoreo:matrix.org";
+    keys = [ { fingerprint = "33CD 5C0A 673C C54D 661E  5E4C 0DB5 361B EEE5 30AB"; } ];
  };
  dopplerian = {
    name = "Dopplerian";
@@ -6606,12 +6554,6 @@
    github = "dottybot";
    githubId = 12519979;
  };
-  douzebis = {
-    email = "fred@atlant.is";
-    github = "douzebis";
-    githubId = 61088438;
-    name = "Frédéric Ruget";
-  };
  dpaetzel = {
    email = "david.paetzel@posteo.de";
    github = "dpaetzel";
@@ -7247,6 +7189,7 @@
    email = "fedi.jamoussi@protonmail.ch";
    github = "eljamm";
    githubId = 83901271;
+    keys = [ { fingerprint = "FF59 E027 4EE2 E792 512B  BDC8 7630 FDF7 C8FB 1F3F"; } ];
  };
  elkowar = {
    email = "thereal.elkowar@gmail.com";
@@ -7349,13 +7292,6 @@
    githubId = 428026;
    name = "embr";
  };
-  emilia = {
-    email = "nix@emilia.codes";
-    github = "emiliaaah";
-    githubId = 55017867;
-    name = "Emilia";
-    keys = [ { fingerprint = "F772 3569 4B43 B599 73C2  A931 1EFB E941 B89B B810"; } ];
-  };
  emilioziniades = {
    email = "emilioziniades@protonmail.com";
    github = "emilioziniades";
@@ -7474,11 +7410,6 @@
    githubId = 5085029;
    name = "Emanuele Peruffo";
  };
-  epireyn = {
-    github = "epireyn";
-    githubId = 48213068;
-    name = "Edgar Pireyn";
-  };
  equirosa = {
    email = "eduardo@eduardoquiros.com";
    github = "equirosa";
@@ -7881,12 +7812,6 @@
    github = "hatch01";
    githubId = 42416805;
  };
-  ezrizhu = {
-    name = "Ezri Zhu";
-    email = "me@ezrizhu.com";
-    github = "ezrizhu";
-    githubId = 44515009;
-  };
  f--t = {
    email = "git@f-t.me";
    github = "f--t";
@@ -8156,12 +8081,6 @@
    githubId = 8182846;
    name = "Francesco Gazzetta";
  };
-  fgrcl = {
-    email = "fgrclaberge@gmail.com";
-    github = "FGRCL";
-    githubId = 35940434;
-    name = "Francois LaBerge";
-  };
  fidgetingbits = {
    name = "fidgetingbits";
    email = "nixpkgs.xe7au@passmail.net";
@@ -9263,12 +9182,6 @@
    githubId = 1621335;
    name = "Andrew Trachenko";
  };
-  goodylove = {
-    github = "goodylove";
-    email = "goodyc474@gmail.com";
-    githubId = 104577296;
-    name = "Nwachukwu Goodness";
-  };
  gordon-bp = {
    email = "gordy@hanakano.com";
    github = "Gordon-BP";
@@ -10130,12 +10043,6 @@
    githubId = 130903;
    name = "Ana Hobden";
  };
-  hpfr = {
-    email = "liam@hpfr.net";
-    github = "hpfr";
-    githubId = 44043764;
-    name = "Liam Hupfer";
-  };
  hqurve = {
    email = "hqurve@outlook.com";
    github = "hqurve";
@@ -11200,7 +11107,6 @@
    name = "Jappie Klooster";
  };
  jappie3 = {
-    email = "jappie3+git@jappie.dev";
    name = "Jappie3";
    matrix = "@jappie:jappie.dev";
    github = "Jappie3";
@@ -11531,12 +11437,6 @@
    githubId = 30251156;
    name = "Jesse Moore";
  };
-  jethair = {
-    email = "jethair@duck.com";
-    github = "JetHair";
-    githubId = 106916147;
-    name = "JetHair";
-  };
  jethro = {
    email = "jethrokuan95@gmail.com";
    github = "jethrokuan";
@@ -13037,6 +12937,12 @@
    githubId = 843652;
    name = "Kim Burgess";
  };
+  kindrowboat = {
+    email = "hello@kindrobot.ca";
+    github = "kindrowboat";
+    githubId = 777773;
+    name = "Stef Dunlap";
+  };
  kini = {
    email = "keshav.kini@gmail.com";
    github = "kini";
@@ -13643,12 +13549,6 @@
    github = "L0L1P0P1";
    githubId = 73695812;
  };
-  l0r3v = {
-    email = "l0r3v@pasqui.casa";
-    github = "l0r3v";
-    githubId = 27364685;
-    name = "Lorenzo Pasqui";
-  };
  l1npengtul = {
    email = "l1npengtul@l1npengtul.lol";
    github = "l1npengtul";
@@ -14028,12 +13928,6 @@
    github = "LogicalOverflow";
    githubId = 5919957;
  };
-  lheintzmann1 = {
-    email = "lheintzmann1@disroot.org";
-    github = "lheintzmann1";
-    githubId = 141759313;
-    name = "Lucas Heintzmann";
-  };
  lhvwb = {
    email = "nathaniel.baxter@gmail.com";
    github = "nathanielbaxter";
@@ -15720,16 +15614,6 @@
    name = "John McParland";
    keys = [ { fingerprint = "39D2 171D D733 C718 DD21  285E B326 E14B 05D8 7A4E"; } ];
  };
-  MCSeekeri = {
-    email = "mcseekeri@outlook.com";
-    github = "mcseekeri";
-    githubId = 20928094;
-    name = "MCSeekeri";
-    keys = [
-      { fingerprint = "5922 79AB D9D6 85EB 9D16  754C ECDC AD89 5A38 4A12"; }
-      { fingerprint = "0762 A387 F160 76F1 116C  BF13 3276 6666 6666 6666"; }
-    ];
-  };
  McSinyx = {
    email = "cnx@loang.net";
    github = "McSinyx";
@@ -16174,12 +16058,6 @@
    githubId = 978196;
    name = "Michaël Faille";
  };
-  mikehorn = {
-    email = "mikehornproton@proton.me";
-    github = "MikeHorn-git";
-    githubId = 123373126;
-    name = "Mike Horn";
-  };
  mikesperber = {
    email = "sperber@deinprogramm.de";
    github = "mikesperber";
@@ -16608,10 +16486,8 @@
  moraxyc = {
    name = "Moraxyc Xu";
    email = "i@qaq.li";
-    matrix = "@moraxyc:qaq.li";
    github = "Moraxyc";
    githubId = 69713071;
-    keys = [ { fingerprint = "7DD1 A4DF 7DD6 AEEB F07B  1108 8296 4F3A B1D9 DE79"; } ];
  };
  moredread = {
    email = "code@apb.name";
@@ -16836,12 +16712,6 @@
    githubId = 7026881;
    name = "Jarosław Jedynak";
  };
-  msoos = {
-    email = "soos.mate@gmail.com";
-    github = "msoos";
-    githubId = 1334841;
-    name = "Mate Soos";
-  };
  mstarzyk = {
    email = "mstarzyk@gmail.com";
    github = "mstarzyk";
@@ -16891,6 +16761,12 @@
    githubId = 72663763;
    keys = [ { fingerprint = "DB3E A12D B291 594A 79C5 F6B3 10AB 6868 37F6 FA3F"; } ];
  };
+  mtreca = {
+    email = "maxime.treca@gmail.com";
+    github = "mtreca";
+    githubId = 16440823;
+    name = "Maxime Tréca";
+  };
  mtreskin = {
    email = "zerthurd@gmail.com";
    github = "Zert";
@@ -17615,7 +17491,7 @@
  };
  nicoo = {
    email = "nicoo@debian.org";
-    github = "nicoonoclaste";
+    github = "nbraud";
    githubId = 1155801;
    name = "nicoo";
    keys = [ { fingerprint = "E44E 9EA5 4B8E 256A FB73 49D3 EC9D 3708 72BC 7A8C"; } ];
@@ -17877,12 +17753,6 @@
    githubId = 41154684;
    name = "nokazn";
  };
-  nomaterials = {
-    email = "nomaterials@gmail.com";
-    github = "no-materials";
-    githubId = 16938952;
-    name = "nomaterials";
-  };
  nomeata = {
    email = "mail@joachim-breitner.de";
    github = "nomeata";
@@ -18323,11 +18193,10 @@
    name = "Dakota";
  };
  ohheyrj = {
-    email = "richard@ohheyrj.co.uk";
+    email = "richard+nix@ohheyrj.co.uk";
    github = "ohheyrj";
    name = "ohheyrj";
    githubId = 5339261;
-    keys = [ { fingerprint = "4258 3FE7 12E9 6071 E84D  53C7 6E1D A270 0B72 746D"; } ];
  };
  oida = {
    email = "oida@posteo.de";
@@ -18746,12 +18615,6 @@
    name = "Philipp Rintz";
    matrix = "@philipp:srv.icu";
  };
-  p0lyw0lf = {
-    email = "p0lyw0lf@protonmail.com";
-    name = "PolyWolf";
-    github = "p0lyw0lf";
-    githubId = 31190026;
-  };
  p3psi = {
    name = "Elliot Boo";
    email = "p3psi.boo@gmail.com";
@@ -20881,12 +20744,6 @@
    githubId = 3302;
    name = "Renzo Carbonara";
  };
-  repparw = {
-    email = "ubritos@gmail.com";
-    github = "repparw";
-    githubId = 45952970;
-    name = "repparw";
-  };
  reputable2772 = {
    name = "Reputable2772";
    github = "Reputable2772";
@@ -21085,12 +20942,6 @@
    githubId = 807447;
    name = "Robert Scott";
  };
-  Rishabh5321 = {
-    name = "Rishabh Singh";
-    email = "rishabh98818@gmail.com";
-    github = "Rishabh5321";
-    githubId = 40533251;
-  };
  Rishik-Y = {
    name = "Rishik Yalamanchili";
    email = "202301258@daiict.ac.in";
@@ -21778,12 +21629,6 @@
    githubId = 7309170;
    name = "Ryota Kameoka";
  };
-  ryota2357 = {
-    email = "contact@ryota2357.com";
-    github = "ryota2357";
-    githubId = 61523777;
-    name = "Ryota Otsuki";
-  };
  rypervenche = {
    email = "git@ryper.org";
    github = "rypervenche";
@@ -22936,11 +22781,6 @@
    matrix = "@c3n21:matrix.org";
    githubId = 37077738;
  };
-  sinjin2300 = {
-    name = "Sinjin";
-    github = "Sinjin2300";
-    githubId = 35543336;
-  };
  sioodmy = {
    name = "Antoni Sokołowski";
    github = "sioodmy";
@@ -23454,13 +23294,6 @@
    githubId = 16364318;
    name = "Jeffrey Harmon";
  };
-  squat = {
-    matrix = "@squat:beeper.com";
-    name = "squat";
-    github = "squat";
-    githubId = 20484159;
-    keys = [ { fingerprint = "F246 425A 7650 6F37 0552  BA8D DEA9 C405 09D9 65F5"; } ];
-  };
  srghma = {
    email = "srghma@gmail.com";
    github = "srghma";
@@ -24083,12 +23916,6 @@
    githubId = 40228615;
    name = "Taha Yassine";
  };
-  tahlonbrahic = {
-    email = "tahlonbrahic@proton.me";
-    github = "tahlonbrahic";
-    githubId = 104690672;
-    name = "Tahlon Brahic";
-  };
  taikx4 = {
    email = "taikx4@taikx4szlaj2rsdupcwabg35inbny4jk322ngeb7qwbbhd5i55nf5yyd.onion";
    github = "taikx4";
@@ -24717,32 +24544,12 @@
    githubId = 6579555;
    name = "Jeroen Jetten";
  };
-  thetaoofsu = {
-    email = "TheTaoOfSu@protonmail.com";
-    github = "TheTaoOfSu";
-    githubId = 45526311;
-    name = "TheTaoOfSu";
-  };
  theuni = {
    email = "ct@flyingcircus.io";
    github = "ctheune";
    githubId = 1220572;
    name = "Christian Theune";
  };
-  thevar1able = {
-    email = "var1able+nixpkgs@var1able.network";
-    github = "thevar1able";
-    githubId = 875885;
-    name = "Konstantin Bogdanov";
-    keys = [
-      { fingerprint = "3221 7A73 EB95 0E9E E550  36A3 DB39 9448 D9FE 52F1"; }
-    ];
-  };
-  theverygaming = {
-    name = "theverygaming";
-    github = "theverygaming";
-    githubId = 18639279;
-  };
  thiagokokada = {
    email = "thiagokokada@gmail.com";
    github = "thiagokokada";
@@ -25252,12 +25059,6 @@
    github = "totoroot";
    githubId = 39650930;
  };
-  tournev = {
-    name = "Vincent Tourneur";
-    email = "vincent@pimoid.fr";
-    github = "vtourneur";
-    githubId = 48284424;
-  };
  ToxicFrog = {
    email = "toxicfrog@ancilla.ca";
    github = "ToxicFrog";
@@ -25802,11 +25603,6 @@
    github = "deviant";
    githubId = 68829907;
  };
-  vaavaav = {
-    name = "Pedro Peixoto";
-    github = "vaavaav";
-    githubId = 56087034;
-  };
  vaci = {
    email = "vaci@vaci.org";
    github = "vaci";
@@ -26396,12 +26192,6 @@
    github = "waynr";
    githubId = 1441126;
  };
-  wcarlsen = {
-    name = "Willi Carlsen";
-    email = "carlsenwilli@gmail.com";
-    github = "wcarlsen";
-    githubId = 17003032;
-  };
  wchresta = {
    email = "wchresta.nix@chrummibei.ch";
    github = "wchresta";
@@ -26741,12 +26531,6 @@
    githubId = 9132420;
    keys = [ { fingerprint = "F943 A0BC 720C 5BEF 73CD E02D B398 93FA 5F65 CAE1"; } ];
  };
-  womeier = {
-    name = "Wolfgang Meier";
-    email = "womeier@posteo.de";
-    github = "womeier";
-    githubId = 55190123;
-  };
  womfoo = {
    email = "kranium@gikos.net";
    github = "womfoo";
@@ -27506,6 +27290,12 @@
    githubId = 5986078;
    name = "Zunway Liang";
  };
+  zanculmarktum = {
+    name = "Azure Zanculmarktum";
+    email = "zanculmarktum@gmail.com";
+    github = "zanculmarktum";
+    githubId = 16958511;
+  };
  zane = {
    name = "Zane van Iperen";
    email = "zane@zanevaniperen.com";
--- a/maintainers/scripts/README.md
+++ b/maintainers/scripts/README.md
@@ -16,7 +16,7 @@ a given nixpkgs maintainer, equivalent to `lib.maintainers.${x} // { handle = x;

 This allows looking up a maintainer's attrset (including GitHub and Matrix
 handles, email address etc.) based on any of their handles, more correctly and
-robustly than text search through `maintainer-list.nix`.
+robustly than text search through `maintainers-list.nix`.

 ```
 ❯ ./get-maintainer.sh nicoo
--- a/maintainers/scripts/check-cherry-picks.sh
+++ b/maintainers/scripts/check-cherry-picks.sh
@@ -1,25 +1,17 @@
 #!/usr/bin/env bash
 # Find alleged cherry-picks

-set -eo pipefail
+set -e

 if [ $# != "2" ] ; then
  echo "usage: check-cherry-picks.sh base_rev head_rev"
  exit 2
 fi

-# Make sure we are inside the nixpkgs repo, even when called from outside
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-PICKABLE_BRANCHES="master staging release-??.?? staging-??.?? haskell-updates python-updates staging-next staging-next-??.??"
+PICKABLE_BRANCHES=${PICKABLE_BRANCHES:-master staging release-??.?? staging-??.??}
 problem=0

-# Not everyone calls their remote "origin"
-remote="$(git remote -v | grep -i 'NixOS/nixpkgs' | head -n1 | cut -f1 || true)"
-
-commits="$(git rev-list --reverse "$1..$2")"
-
-while read -r new_commit_sha ; do
+while read new_commit_sha ; do
  if [ -z "$new_commit_sha" ] ; then
    continue  # skip empty lines
  fi
@@ -34,47 +26,30 @@ while read -r new_commit_sha ; do
  original_commit_sha=$(
    git rev-list --max-count=1 --format=format:%B "$new_commit_sha" \
    | grep -Ei -m1 "cherry.*[0-9a-f]{40}" \
-    | grep -Eoi -m1 '[0-9a-f]{40}' || true
+    | grep -Eoi -m1 '[0-9a-f]{40}'
  )
-  if [ -z "$original_commit_sha" ] ; then
-    if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-      echo ::endgroup::
-      echo -n "::error ::"
-    else
-      echo -n "  ✘ "
-    fi
-    echo "Couldn't locate original commit hash in message"
-    echo "Note this should not necessarily be treated as a hard fail, but a reviewer's attention should" \
-      "be drawn to it and github actions have no way of doing that but to raise a 'failure'"
-    problem=1
+  if [ "$?" != "0" ] ; then
+    echo "  ? Couldn't locate original commit hash in message"
+    [ "$GITHUB_ACTIONS" = 'true' ] && echo ::endgroup::
    continue
  fi

  set -f # prevent pathname expansion of patterns
-  for pattern in $PICKABLE_BRANCHES ; do
+  for branch_pattern in $PICKABLE_BRANCHES ; do
    set +f # re-enable pathname expansion

-    # Reverse sorting by refname and taking one match only means we can only backport
-    # from unstable and the latest stable. That makes sense, because even right after
-    # branch-off, when we have two supported stable branches, we only ever want to cherry-pick
-    # **to** the older one, but never **from** it.
-    # This makes the job significantly faster in the case when commits can't be found,
-    # because it doesn't need to iterate through 20+ branches, which all need to be fetched.
-    branches="$(git for-each-ref --sort=-refname --format="%(refname)" \
-      "refs/remotes/${remote:-origin}/$pattern" | head -n1)"
-
    while read -r picked_branch ; do
      if git merge-base --is-ancestor "$original_commit_sha" "$picked_branch" ; then
        echo "  ✔ $original_commit_sha present in branch $picked_branch"

-        range_diff_common='git --no-pager range-diff
+        range_diff_common='git range-diff
          --no-notes
          --creation-factor=100
          '"$original_commit_sha~..$original_commit_sha"'
          '"$new_commit_sha~..$new_commit_sha"'
        '

-        if $range_diff_common --no-color 2> /dev/null | grep -E '^ {4}[+-]{2}' > /dev/null ; then
+        if $range_diff_common --no-color | grep -E '^ {4}[+-]{2}' > /dev/null ; then
          if [ "$GITHUB_ACTIONS" = 'true' ] ; then
            echo ::endgroup::
            echo -n "::warning ::"
@@ -97,7 +72,11 @@ while read -r new_commit_sha ; do
        # move on to next commit
        continue 3
      fi
-    done <<< "$branches"
+    done <<< "$(
+      git for-each-ref \
+      --format="%(refname)" \
+      "refs/remotes/origin/$branch_pattern"
+    )"
  done

  if [ "$GITHUB_ACTIONS" = 'true' ] ; then
@@ -109,6 +88,10 @@ while read -r new_commit_sha ; do
  echo "$original_commit_sha not found in any pickable branch"

  problem=1
-done <<< "$commits"
+done <<< "$(
+  git rev-list \
+    -E -i --grep="cherry.*[0-9a-f]{40}" --reverse \
+    "$1..$2"
+)"

 exit $problem
--- a/maintainers/scripts/pluginupdate-py/pluginupdate.py
+++ b/maintainers/scripts/pluginupdate-py/pluginupdate.py
@@ -558,16 +558,7 @@ class Editor:
        }

        for plugin_desc, plugin, redirect in fetched:
-            # Check if plugin is a Plugin object and has normalized_name attribute
-            if isinstance(plugin, Plugin) and hasattr(plugin, 'normalized_name'):
-                result[plugin.normalized_name] = (plugin_desc, plugin, redirect)
-            elif isinstance(plugin, Exception):
-                # For exceptions, we can't determine the normalized_name
-                # Just log the error and continue
-                log.error(f"Error fetching plugin {plugin_desc.name}: {plugin!r}")
-            else:
-                # For unexpected types, log the issue
-                log.error(f"Unexpected plugin type for {plugin_desc.name}: {type(plugin)}")
+            result[plugin.normalized_name] = (plugin_desc, plugin, redirect)

        return list(result.values())

@@ -624,9 +615,9 @@ class Editor:
            "--github-token",
            "-t",
            type=str,
-            default=os.getenv("GITHUB_TOKEN"),
+            default=os.getenv("GITHUB_API_TOKEN"),
            help="""Allows to set --proc to higher values.
-            Uses GITHUB_TOKEN environment variables as the default value.""",
+            Uses GITHUB_API_TOKEN environment variables as the default value.""",
        )
        common.add_argument(
            "--no-commit",
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@@ -63,6 +63,7 @@ with lib.maintainers;
    shortName = "apm employees";
    # Edits to this list should only be done by an already existing member.
    members = [
+      wolfgangwalther
      DutchGerman
    ];
  };
@@ -868,7 +869,6 @@ with lib.maintainers;
      qyriad
      _9999years
      lf-
-      alois31
    ];
    scope = "Maintain the Lix package manager inside of Nixpkgs.";
    shortName = "Lix ecosystem";
@@ -1119,17 +1119,9 @@ with lib.maintainers;
  };

  sdl = {
-    members = [
-      evythedemon
-      grimmauld
-      jansol
-      marcin-serwin
-      pbsds
-    ];
-    githubTeams = [ "SDL" ];
-    scope = "Maintain core SDL libraries.";
+    members = [ ];
+    scope = "Maintain SDL libraries.";
    shortName = "SDL";
-    enableFeatureFreezePing = true;
  };

  sphinx = {
@@ -1191,12 +1183,7 @@ with lib.maintainers;
  };

  systemd = {
-    members = [
-      flokli
-      arianvp
-      elvishjerricco
-      aanderse
-    ];
+    members = [ ];
    githubTeams = [ "systemd" ];
    scope = "Maintain systemd for NixOS.";
    shortName = "systemd";
--- a/nixos/doc/manual/configuration/x-windows.chapter.md
+++ b/nixos/doc/manual/configuration/x-windows.chapter.md
@@ -29,7 +29,7 @@ Thus you should pick one or more of the following lines:
 {
  services.xserver.desktopManager.plasma5.enable = true;
  services.xserver.desktopManager.xfce.enable = true;
-  services.desktopManager.gnome.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.desktopManager.mate.enable = true;
  services.xserver.windowManager.xmonad.enable = true;
  services.xserver.windowManager.twm.enable = true;
@@ -46,7 +46,7 @@ alternative one by picking one of the following lines:
 ```nix
 {
  services.displayManager.sddm.enable = true;
-  services.displayManager.gdm.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
 }
 ```

--- a/nixos/doc/manual/contributing-to-this-manual.chapter.md
+++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md
@@ -17,28 +17,6 @@ There's also [a convenient development daemon](https://nixos.org/manual/nixpkgs/

 The above instructions don't deal with the appendix of available `configuration.nix` options, and the manual pages related to NixOS. These are built, and written in a different location and in a different format, as explained in the next sections.

-## Development environment {#sec-contributing-development-env}
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the NixOS documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/nixos/doc/manual
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-You might want to also use [`devmode`](https://github.com/NixOS/nixpkgs/blob/master/doc/README.md#devmode) while editing the manual.
-
 ## Testing redirects {#sec-contributing-redirects}

 Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
--- a/nixos/doc/manual/development/option-types.section.md
+++ b/nixos/doc/manual/development/option-types.section.md
@@ -135,6 +135,79 @@ merging is handled.
    problems.
    :::

+`types.attrNamesToTrue`
+
+:   Either a list of attribute names, or an attribute set of
+    booleans. A list will be coerced into an attribute set with those
+    names, whose values are set to `true`. This is useful when it is
+    convenient to be able to write definitions as a simple list, but
+    still need to be able to override and disable individual values.
+
+    If configurability of the items is needed or `false` is not a
+    desirable value, prefer `types.attrNamesToSubmodule` or `types.attrNamesToSet`.
+
+    ::: {#ex-types-attrNamesToTrue .example}
+    ### `types.attrNamesToTrue`
+    ```
+    {
+      foo = [ "bar" ];
+    }
+    ```
+
+    ```
+    {
+      foo.bar = true;
+    }
+    ```
+    :::
+
+`types.attrNamesToSet`
+
+:   Either a list of attribute names, or an attribute set of `{ }`.
+    This is similar to `types.attrNamesToTrue`, but `false` is not a permitted
+    value. This is useful when that's not an expected value, and by using this
+    type, you have the option to upgrade the type to `types.attrNamesToSubmodule`
+    without breaking anything.
+
+    ::: {#ex-types-attrNamesToSet .example}
+    ### `types.attrNamesToSet`
+    ```
+    {
+      foo = [ "bar" ];
+    }
+    ```
+
+    ```
+    {
+      foo.bar = { };
+    }
+    ```
+    :::
+
+`types.attrNamesToSubmodule` *`submodule`*
+
+:   Either a list of attribute names, or an attribute set of submodules.
+    This is similar to `types.attrNamesToSet`, but the values are submodules
+    instead of empty sets. This is useful when the values of this type are
+    optionally configurable.
+
+    ::: {#ex-types-attrNamesToSubmodule .example}
+    ### `types.attrNamesToSubmodule`
+    ```
+    {
+      foo = [ "bar" ];
+    }
+    ```
+
+    ```
+    {
+      foo.bar = { };
+      foo.baz.enableQux = true;
+    }
+    ```
+    :::
+
+
 `types.pkgs`

 :   A type for the top level Nixpkgs package set.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Robert Hensing	2513e2f1f0	lib.types.attrNamesTo{Set,Submodule}: add	2025-05-16 15:09:31 +02:00
Robert Hensing	e938d5b77a	lib/types.nix: Remove duplicate user documentation	2025-05-16 15:09:25 +02:00
Robert Hensing	1980e9a444	lib/tests/modules: Test attrNamesToTrue	2025-05-16 15:09:24 +02:00
Will Fancher	851d4f4f2b	lib.types.attrNamesToTrue: add (cherry picked from commit `98652f9a90`)	2025-05-16 12:35:16 +02:00
@@ -1 +1 @@
 .11
 .05