Revert "zlib: 1.3.1 -> 1.3.1.2"

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "nixpkgs",
-  "image": "mcr.microsoft.com/devcontainers/universal:5-linux",
+  "image": "mcr.microsoft.com/devcontainers/universal:2-linux",
   "features": {
     "ghcr.io/devcontainers/features/nix:1": {
       // fails in the devcontainer sandbox, enable sandbox via config instead

.gitattributes

@@ -1,26 +1,7 @@
-# node/js lock files
-**/package-lock.json linguist-generated
-**/yarn.nix linguist-generated
-**/yarn.lock linguist-generated
-
-# Rust lock files
-**/Cargo.lock linguist-generated
-pkgs/build-support/rust/**/Cargo.lock -linguist-generated
-
-# NuGet, Gradle and others
-**/deps.json linguist-generated
-
-# Ruby lock files
-**/gemset.nix linguist-generated
-**/Gemfile.lock linguist-generated
-
-# PHP lock files
-**/composer.lock linguist-generated
-
-# various package managers and tools
 **/deps.nix linguist-generated
+**/deps.json linguist-generated
 **/deps.toml linguist-generated
-
+**/node-packages.nix linguist-generated
 
 pkgs/applications/editors/emacs-modes/*-generated.nix linguist-generated
 pkgs/development/r-modules/*-packages.nix linguist-generated

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,6 @@
+<!--
+    Please note: This blank issue template is meant for extraordinary issues
+    that do not fit the templates. Unless you know your issue is relevant to
+    Nixpkgs and requires the free-form blank issue, please use the issue
+    templates instead.
+-->

.github/ISSUE_TEMPLATE/01_bug_report.yml

@@ -35,8 +35,7 @@ body:
         If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
       options:
         - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
         - "- Stable (25.11)"
       default: 0
     validations:
@@ -55,7 +54,7 @@ body:
       description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
     validations:
       required: true
-  - type: "textarea"
+  - type: "input"
     id: "expected-behaviour"
     attributes:
       label: "Expected behaviour"
@@ -122,8 +121,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml

@@ -35,8 +35,7 @@ body:
         If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
       options:
         - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
         - "- Stable (25.11)"
       default: 0
     validations:
@@ -55,7 +54,7 @@ body:
       description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
     validations:
       required: true
-  - type: "textarea"
+  - type: "input"
     id: "expected-behaviour"
     attributes:
       label: "Expected behaviour"
@@ -100,7 +99,7 @@ body:
     attributes:
       label: "Are you using nix-darwin?"
       description: |
-        [`nix-darwin`](https://github.com/nix-darwin/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
+        [`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
       options:
         - "Yes, I am using nix-darwin."
         - "No, I am not using nix-darwin."
@@ -136,8 +135,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml

@@ -35,8 +35,7 @@ body:
         If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
       options:
         - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
         - "- Stable (25.11)"
       default: 0
     validations:
@@ -55,7 +54,7 @@ body:
       description: "Please include a step-by-step guide for reproducing this issue. Consider writing in concise, numbered bullet points to ensure that Nixpkgs developers can retrace your steps."
     validations:
       required: true
-  - type: "textarea"
+  - type: "input"
     id: "expected-behaviour"
     attributes:
       label: "Expected behaviour"
@@ -126,8 +125,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/04_build_failure.yml

@@ -37,8 +37,7 @@ body:
         If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
       options:
         - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
         - "- Stable (25.11)"
       default: 0
     validations:
@@ -132,8 +131,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/05_update_request.yml

@@ -37,8 +37,7 @@ body:
         If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
       options:
         - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
         - "- Stable (25.11)"
       default: 0
     validations:
@@ -105,8 +104,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/06_module_request.yml

@@ -35,8 +35,7 @@ body:
         If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
       options:
         - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
         - "- Stable (25.11)"
       default: 0
     validations:
@@ -80,8 +79,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/07_backport_request.yml

@@ -85,8 +85,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/08_documentation_request.yml

@@ -67,8 +67,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/ISSUE_TEMPLATE/09_unreproducible_package.yml

@@ -137,8 +137,6 @@ body:
           required: true
         - label: "I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it."
           required: true
-        - label: "I assert that I have read the [automation/AI policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy) and that this issue report complies with it."
-          required: true
   - type: "markdown"
     attributes:
       value: |

.github/PULL_REQUEST_TEMPLATE.md

@@ -27,14 +27,12 @@ For new packages please briefly describe the package or provide a link to its ho
   - [ ] Module addition: when adding a new NixOS module.
   - [ ] Module update: when the change is significant.
 - [ ] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs.
-- [ ] Follows the [automation/AI policy].
 
 [NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests
 [Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests
 [nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage
 
 [CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md
-[automation/AI policy]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#automationai-policy
 [lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests
 [maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md
 [nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests

.github/actions/checkout/action.yml

@@ -13,7 +13,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       env:
         MERGED_SHA: ${{ inputs.merged-as-untrusted-at }}
         TARGET_SHA: ${{ inputs.target-as-trusted-at }}
@@ -95,22 +95,25 @@ runs:
           // This would fail without --refetch, because the we had a partial clone before, but changed it above.
           await run('git', 'fetch', '--depth=1', '--refetch', 'origin', ...(commits.map(({ sha }) => sha)))
 
-          // On Linux, checking out onto tmpfs takes 1s and is faster by at least 10x.
-          // Currently, on Darwin we can only allocate 3.5GB, which isn't enough.
-          // See https://github.com/NixOS/nixpkgs/pull/506437
+          // Checking out onto tmpfs takes 1s and is faster by at least factor 10x.
           await run('mkdir', 'nixpkgs')
-          if (process.env.RUNNER_OS === 'Linux') {
-            await run('sudo', 'mount', '-t', 'tmpfs', 'tmpfs', 'nixpkgs')
+          switch (process.env.RUNNER_OS) {
+            case 'macOS':
+              await run('sudo', 'mount_tmpfs', 'nixpkgs')
+              break
+            case 'Linux':
+              await run('sudo', 'mount', '-t', 'tmpfs', 'tmpfs', 'nixpkgs')
+              break
           }
 
-          // Git worktree setup can race when multiple worktrees are created and
-          // initialized at the same time against one repository. See #511286.
-          // Keep the setup sequential so shared repo config updates cannot contend.
-          for (const { sha, path } of commits) {
-            await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
-            await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
-            await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
-          }
+          // Create all worktrees in parallel.
+          await Promise.all(
+            commits.map(async ({ sha, path }) => {
+              await run('git', 'worktree', 'add', join('nixpkgs', path), sha, '--no-checkout')
+              await run('git', '-C', join('nixpkgs', path), 'sparse-checkout', 'disable')
+              await run('git', '-C', join('nixpkgs', path), 'checkout', '--progress')
+            })
+          )
 
           // Apply pin bump to untrusted worktree
           if (pin_bump_sha) {
@@ -131,6 +134,3 @@ runs:
               await rm('pin-bump.patch')
             }
           }
-
-          console.log('final disk usage:')
-          await run('df', '-h')

.github/dependabot.yml

@@ -5,5 +5,3 @@ updates:
     schedule:
       interval: "weekly"
     labels: []
-    commit-message:
-      prefix: ".github"

.github/labeler-no-sync.yml

@@ -33,15 +33,4 @@
               - maintainers/github-teams.json
       - base-branch: ['master']
 
-"backport release-26.05":
-  - all:
-      - changed-files:
-          - any-glob-to-any-file:
-              - .github/actions/**/*
-              - .github/workflows/*
-              - .github/labeler*.yml
-              - ci/**/*.*
-              - maintainers/github-teams.json
-      - base-branch: ['master']
-
 # keep-sorted end

.github/labeler.yml

@@ -270,14 +270,8 @@
   - any:
       - changed-files:
           - any-glob-to-any-file:
-              - doc/packages/linux.section.md
-              - lib/kernel.nix
-              - nixos/doc/manual/configuration/linux-kernel.chapter.md
-              - nixos/modules/system/boot/kernel.nix
-              - nixos/tests/kernel-generic/**/*
               - pkgs/build-support/kernel/**/*
               - pkgs/os-specific/linux/kernel/**/*
-              - pkgs/top-level/linux-kernels.nix
 
 "6.topic: lib":
   - any:
@@ -551,6 +545,7 @@
               - pkgs/by-name/*/*tree-sitter*/**/*
               - pkgs/by-name/ne/neovim-unwrapped/treesitter-parsers.nix
               - pkgs/development/python-modules/*tree-sitter*/**/*
+              - pkgs/development/tools/parsing/tree-sitter/**/*
 
 "6.topic: updaters":
   - any:

.github/workflows/backport.yml

@@ -11,8 +11,8 @@ on:
 
 permissions:
   contents: read
-  issues: write # adding the 'has: port to stable' and 'has: backport failed' label
-  pull-requests: write # creating backport pull requests
+  issues: write
+  pull-requests: write
 
 defaults:
   run:
@@ -21,16 +21,16 @@ defaults:
 jobs:
   backport:
     name: Backport Pull Request
-    if: vars.NIXPKGS_CI_CLIENT_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
+    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-contents: write
           permission-pull-requests: write
@@ -49,10 +49,9 @@ jobs:
 
       - name: Create backport PRs
         id: backport
-        uses: korthout/backport-action@66065406958f46e82238fd59546f5a99e69e22aa # v4.5.2
+        uses: korthout/backport-action@c656f5d5851037b2b38fb5db2691a03fa229e3b2 # v4.0.1
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
-          add_author_as_reviewer: true
           copy_labels_pattern: 'severity:\ssecurity'
           github_token: ${{ steps.app-token.outputs.token }}
           pull_description: |-
@@ -72,7 +71,7 @@ jobs:
 
       - name: "Add 'has: port to stable' label"
         if: steps.backport.outputs.created_pull_numbers != ''
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           # Not using the app on purpose to avoid triggering another workflow run after adding this label.
           script: |
@@ -82,16 +81,3 @@ jobs:
               issue_number: context.payload.pull_request.number,
               labels: [ '8.has: port to stable' ]
             })
-
-      - name: "Add 'has: failed backport' label"
-        if: steps.backport.outputs.was_successful == 'false'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          # Not using the app on purpose to avoid triggering another workflow run after adding this label.
-          script: |
-            await github.rest.issues.addLabels({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.payload.pull_request.number,
-              labels: [ '8.has: failed backport' ]
-            })

.github/workflows/bot.yml

@@ -30,8 +30,8 @@ concurrency:
 # This is used as fallback without app only.
 # This happens when testing in forks without setting up that app.
 permissions:
-  issues: write # managing issue labels and comments
-  pull-requests: write # managing pull request labels and comments
+  issues: write
+  pull-requests: write
 
 defaults:
   run:
@@ -53,14 +53,14 @@ jobs:
             ci/github-script
 
       - name: Install dependencies
-        run: npm install @actions/artifact@6.2.1 bottleneck@2.19.5
+        run: npm install @actions/artifact@5.0.3 bottleneck@2.19.5
 
       # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-administration: read
           permission-contents: write
@@ -74,7 +74,7 @@ jobs:
         run: gh api /rate_limit | jq
 
       - name: Run bot
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token || github.token }}
           retries: 3
@@ -91,7 +91,7 @@ jobs:
           GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
         run: gh api /rate_limit | jq
 
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         name: Labels from touched files
         if: |
           github.event_name == 'pull_request_target' &&
@@ -101,7 +101,7 @@ jobs:
           configuration-path: .github/labeler.yml # default
           sync-labels: true
 
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         name: Labels from touched files (no sync)
         if: |
           github.event_name == 'pull_request_target' &&
@@ -111,7 +111,7 @@ jobs:
           configuration-path: .github/labeler-no-sync.yml
           sync-labels: false
 
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         name: Labels from touched files (development branches)
         # Development branches like staging-next, haskell-updates and python-updates get special labels.
         # This is to avoid the mass of labels there, which is mostly useless - and really annoying for

.github/workflows/build.yml

@@ -62,12 +62,12 @@ jobs:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
           target-as-trusted-at: ${{ inputs.targetSha }}
 
-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
         with:
           # Sandbox is disabled on MacOS by default.
           extra_nix_config: sandbox = true
 
-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
         continue-on-error: true
         with:
           # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -85,9 +85,7 @@ jobs:
       - name: Build NixOS manual
         if: |
           contains(matrix.builds, 'manual-nixos') && !cancelled() &&
-          (contains(fromJSON(inputs.baseBranch).type, 'primary')
-            || startsWith(fromJSON(inputs.baseBranch).branch, 'staging-nixos')
-          )
+          contains(fromJSON(inputs.baseBranch).type, 'primary')
         run: nix-build-uncached nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A manual-nixos --out-link nixos-manual
 
       - name: Build Nixpkgs manual
@@ -106,7 +104,7 @@ jobs:
         if: |
           contains(matrix.builds, 'manual-nixos') && !cancelled() &&
           contains(fromJSON(inputs.baseBranch).type, 'primary')
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ inputs.artifact-prefix }}nixos-manual-${{ matrix.name }}
           path: nixos-manual

.github/workflows/check.yml

@@ -16,14 +16,6 @@ on:
         required: true
         type: string
     secrets:
-      # Can be provided in pull requests because the job it is used in does
-      # not evaluate untrusted code.
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
-        required: false
-      # Can be provided in pull requests because the job it is used in does
-      # not evaluate untrusted code.
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
-        required: false
       # Should only be provided in the merge queue, not in pull requests,
       # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN_GHA:
@@ -39,7 +31,7 @@ jobs:
   commits:
     if: inputs.baseBranch && inputs.headBranch
     permissions:
-      pull-requests: write # submitting PR reviews
+      pull-requests: write
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
@@ -53,26 +45,17 @@ jobs:
       - name: Install dependencies
         run: npm install bottleneck@2.19.5
 
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_COMMIT_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: gh api /rate_limit | jq
 
       - name: Check commits
         id: check
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           TARGETS_STABLE: ${{ fromJSON(inputs.baseBranch).stable && !contains(fromJSON(inputs.headBranch).type, 'development') }}
         with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const targetsStable = JSON.parse(process.env.TARGETS_STABLE)
             require('./trusted/ci/github-script/commits.js')({
@@ -85,52 +68,7 @@ jobs:
 
       - name: Log current API rate limits
         env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
-
-  manual-file-edits:
-    if: inputs.baseBranch && inputs.headBranch
-    permissions:
-      pull-requests: write
-    runs-on: ubuntu-slim
-    timeout-minutes: 3
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          path: trusted
-          sparse-checkout: |
-            ci/github-script
-
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_MANUAL_EDIT_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
-        run: gh api /rate_limit | jq
-
-      - name: Discourage manual edits to certain files
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
-          script: |
-            require('./trusted/ci/github-script/manual-file-edits.js')({
-              github,
-              context,
-              core,
-              dry: context.eventName == 'pull_request',
-              repoPath: 'trusted',
-            })
-
-      - name: Log current API rate limits
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
+          GH_TOKEN: ${{ github.token }}
         run: gh api /rate_limit | jq
 
   owners:
@@ -147,9 +85,9 @@ jobs:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
           target-as-trusted-at: ${{ inputs.targetSha }}
 
-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
         continue-on-error: true
         with:
           # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.

.github/workflows/comment.yml

@@ -7,7 +7,7 @@ on:
 # This is used as fallback without app only.
 # This happens when testing in forks without setting up that app.
 permissions:
-  pull-requests: write # adding reactions to comments
+  pull-requests: write
 
 defaults:
   run:
@@ -30,15 +30,15 @@ jobs:
             ci/github-script
 
       # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-pull-requests: write
 
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token || github.token }}
           retries: 3

.github/workflows/edited.yml

@@ -36,14 +36,14 @@ jobs:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
       # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-pull-requests: write
 
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           script: |

.github/workflows/eval.yml

@@ -23,10 +23,6 @@ on:
         default: false
         type: boolean
     secrets:
-      # Can be provided in pull requests because the job it is used in does
-      # not evaluate untrusted code.
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
-        required: false
       # Should only be provided in the merge queue, not in pull requests,
       # where we're evaluating untrusted code.
       CACHIX_AUTH_TOKEN_GHA:
@@ -65,7 +61,7 @@ jobs:
 
       - name: Find commit that touched ci/pinned.json
         id: find-pinned-commit
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           TARGET_SHA: ${{ inputs.targetSha }}
           HEAD_SHA: ${{ inputs.headSha }}
@@ -136,7 +132,7 @@ jobs:
             core.info(`Found pinned.json commit: ${ciPinBumpCommit}`)
 
       - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
       - name: Load supported versions
         id: versions
@@ -158,7 +154,7 @@ jobs:
     # to not interrupt main Eval's compare step.
     continue-on-error: ${{ matrix.version != '' }}
     name: ${{ matrix.system }}${{ matrix.version && format(' @ {0} ({1})', matrix.version, needs.versions.outputs.ciPinBumpCommitShort) || '' }}
-    timeout-minutes: 20
+    timeout-minutes: 15
     steps:
       # This is not supposed to be used and just acts as a fallback.
       # Without swap, when Eval runs OOM, it will fail badly with a
@@ -184,9 +180,9 @@ jobs:
           target-as-trusted-at: ${{ inputs.targetSha }}
 
       - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
         continue-on-error: true
         with:
           # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -242,7 +238,7 @@ jobs:
             --out-link diff
 
       - name: Upload outpaths diff and stats
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ inputs.artifact-prefix }}${{ matrix.version && format('{0}-', matrix.version) || '' }}diff-${{ matrix.system }}
           path: diff/*
@@ -252,8 +248,8 @@ jobs:
     needs: [eval]
     if: ${{ !cancelled() && !failure() }}
     permissions:
-      pull-requests: write # submitting 'wrong branch' reviews
-      statuses: write # creating 'Eval Summary' commit statuses
+      pull-requests: write
+      statuses: write
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -267,14 +263,14 @@ jobs:
           target-as-trusted-at: ${{ inputs.targetSha }}
 
       - name: Download output paths and eval stats for all systems
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           pattern: ${{ inputs.artifact-prefix }}diff-*
           path: diff
           merge-multiple: true
 
       - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
       - name: Combine all output paths and eval stats
         run: |
@@ -283,7 +279,7 @@ jobs:
             --out-link combined
 
       - name: Upload the maintainer list
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ inputs.artifact-prefix }}maintainers
           path: combined/maintainers.json
@@ -304,24 +300,18 @@ jobs:
           cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
 
       - name: Upload the comparison results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: ${{ inputs.artifact-prefix }}comparison
           path: comparison/*
 
       - name: Add eval summary to commit statuses
         if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { readFile } = require('node:fs/promises')
             const changed = JSON.parse(await readFile('comparison/changed-paths.json', 'utf-8'))
-            const removedByKernel = Object.fromEntries(
-              Object.entries(changed.attrdiffByKernel ?? {}).map(([kernel, diff]) => [
-                kernel,
-                diff.removed.length,
-              ]),
-            )
             const description =
               'Package: ' + [
                 `added ${changed.attrdiff.added.length}`,
@@ -331,15 +321,7 @@ jobs:
               ' — Rebuild: ' + [
                 `linux ${changed.rebuildCountByKernel.linux}`,
                 `darwin ${changed.rebuildCountByKernel.darwin}`
-              ].join(', ') +
-              (
-                Object.values(removedByKernel).some((count) => count > 0)
-                  ? ' — Removed: ' + [
-                      `linux ${removedByKernel.linux ?? 0}`,
-                      `darwin ${removedByKernel.darwin ?? 0}`
-                    ].join(', ')
-                  : ''
-              )
+              ].join(', ')
 
             const { serverUrl, repo, runId, payload } = context
             const target_url =
@@ -353,22 +335,10 @@ jobs:
               description,
               target_url
             })
-
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name == 'pull_request_target' && vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      # It's fine to reuse this app in the 'pull-request-target / prepare' job,
-      # because that job has to run before this one.
       - name: Request changes if PR is against an inappropriate branch
         if: ${{ github.event_name == 'pull_request_target' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             require('./nixpkgs/trusted/ci/github-script/check-target-branch.js')({
               github,
@@ -383,13 +353,13 @@ jobs:
     needs: [versions, eval]
     steps:
       - name: Download output paths and eval stats for all versions
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           pattern: "*-diff-*"
           path: versions
 
       - name: Add version comparison table to job summary
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           ARTIFACT_PREFIX: ${{ inputs.artifact-prefix }}
           SYSTEMS: ${{ inputs.systems }}
@@ -481,7 +451,7 @@ jobs:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
 
       - name: Install Nix
-        uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
       - name: Ensure flake outputs on all systems still evaluate
         run: nix flake check --all-systems --no-build './nixpkgs/untrusted?shallow=1'

.github/workflows/lint.yml

@@ -35,7 +35,7 @@ jobs:
         with:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
 
-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
       # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
       # because the cache would be invalidated on every commit - treefmt checks every file.
@@ -70,9 +70,9 @@ jobs:
         with:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
 
-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
         continue-on-error: true
         with:
           # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -100,9 +100,9 @@ jobs:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
           target-as-trusted-at: ${{ inputs.targetSha }}
 
-      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
 
-      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
+      - uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
         continue-on-error: true
         with:
           # The nixpkgs-gha cache should not be trusted or used outside of Nixpkgs and its forks' CI.
@@ -139,7 +139,7 @@ jobs:
           persist-credentials: true # Needed to run git fetch for large PRs.
           path: trusted
       - name: Check commit messages
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const checkCommitMessages = require('./trusted/ci/github-script/lint-commits.js')

.github/workflows/merge-group.yml

@@ -29,18 +29,16 @@ jobs:
         with:
           persist-credentials: false
           sparse-checkout: |
-            ci/github-script/supportedSystems.js
+            ci/supportedSystems.json
 
       - id: prepare
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           MERGED_SHA: ${{ inputs.mergedSha }}
           TARGET_SHA: ${{ inputs.targetSha }}
         with:
           script: |
             const { classify } = require('./ci/supportedBranches.js')
-            const supportedSystems = require('./ci/github-script/supportedSystems.js')
-
             const baseBranch = (
               context.payload.merge_group?.base_ref ??
               context.payload.pull_request.base.ref
@@ -49,23 +47,19 @@ jobs:
             core.setOutput('base', baseClassification)
             core.info('base classification:', baseClassification)
 
-            const mergedSha = context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA
-            core.setOutput('mergedSha', mergedSha)
-            core.info(`mergedSha: ${mergedSha}`)
-
-            const targetSha = context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA
-            core.setOutput('targetSha', targetSha)
-            core.info(`targetSha: ${targetSha}`)
-
-            const systems = await supportedSystems({ github, context, targetSha })
-            core.setOutput('systems', systems)
+            core.setOutput('mergedSha', context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA)
+            core.info(`mergedSha: ${context.payload.merge_group?.head_sha ?? process.env.MERGED_SHA}`)
+            core.setOutput('targetSha', context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA)
+            core.info(`targetSha: ${context.payload.merge_group?.base_sha ?? process.env.TARGET_SHA}`)
+            core.setOutput('systems', require('./ci/supportedSystems.json'))
 
   check:
     name: Check
     needs: [prepare]
     uses: ./.github/workflows/check.yml
     permissions:
-      pull-requests: write # cherry-picks: unused in merge queue but required for check workflow
+      # cherry-picks; formality right now, but unused
+      pull-requests: write
     secrets:
       CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
     with:
@@ -89,8 +83,9 @@ jobs:
     # The eval workflow requests these permissions so we must explicitly allow them,
     # even though they are unused when working with the merge queue.
     permissions:
-      pull-requests: write # compare: unused in merge queue but required by eval workflow
-      statuses: write # compare: unused in merge queue but required by eval workflow
+      # compare
+      pull-requests: write
+      statuses: write
     secrets:
       CACHIX_AUTH_TOKEN_GHA: ${{ secrets.CACHIX_AUTH_TOKEN_GHA }}
     with:
@@ -123,9 +118,9 @@ jobs:
       - build
     runs-on: ubuntu-slim
     permissions:
-      statuses: write # creating 'no PR failures' commit status
+      statuses: write
     steps:
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           RESULTS: ${{ toJSON(needs.*.result) }}
         with:

.github/workflows/periodic-merge-24h.yml

@@ -22,7 +22,7 @@ defaults:
 
 jobs:
   periodic-merge:
-    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
+    if: github.repository_owner == 'NixOS'
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -35,14 +35,6 @@ jobs:
             into: staging-next-25.11
           - from: staging-next-25.11
             into: staging-25.11
-          - from: release-25.11
-            into: staging-nixos-25.11
-          - from: release-26.05
-            into: staging-next-26.05
-          - from: staging-next-26.05
-            into: staging-26.05
-          - from: release-26.05
-            into: staging-nixos-26.05
           - name: merge-base(master,staging) → haskell-updates
             from: master staging
             into: haskell-updates
@@ -53,34 +45,3 @@ jobs:
     name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-
-  # Resets the target branch of the current haskell-updates PR.
-  # This makes GitHub hide all the commits that are already part of staging and gives us a much clearer PR view.
-  haskell-updates:
-    needs: periodic-merge
-    runs-on: ubuntu-slim
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Find PR and update target branch
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            // There will at most be a single haskell-updates PR anyway, so no need to paginate.
-            await Promise.all(
-              (
-                await github.rest.pulls.list({
-                  ...context.repo,
-                  state: 'open',
-                  head: `${context.repo.owner}:haskell-updates`,
-                })
-              ).data.map((pr) =>
-                github.rest.pulls.update({
-                  ...context.repo,
-                  pull_number: pr.number,
-                  // Just updating to the same branch to trigger a UI update.
-                  // This is staging most of the time, but could be staging-next in rare cases.
-                  base: pr.base.ref,
-                }),
-              ),
-            )

.github/workflows/periodic-merge-6h.yml

@@ -22,7 +22,7 @@ defaults:
 
 jobs:
   periodic-merge:
-    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
+    if: github.repository_owner == 'NixOS'
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false

.github/workflows/periodic-merge.yml

@@ -26,10 +26,10 @@ jobs:
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-contents: write
           permission-pull-requests: write
@@ -60,10 +60,10 @@ jobs:
           github_token: ${{ steps.app-token.outputs.token }}
 
       - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         if: ${{ failure() }}
-        env:
-          BODY_TEXT: |
+        with:
+          issue-number: 105153
+          body: |
             Periodic merge from `${{ inputs.from }}` into [`${{ inputs.into }}`](https://github.com/NixOS/nixpkgs/tree/${{ inputs.into }}) has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          gh pr comment 105153 --body "$BODY_TEXT"
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/pull-request-target.yml

@@ -10,12 +10,6 @@ on:
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY:
         required: true
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY:
-        required: true
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY:
-        required: true
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY:
-        required: true
 
 concurrency:
   group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
@@ -27,7 +21,8 @@ jobs:
   prepare:
     runs-on: ubuntu-slim
     permissions:
-      pull-requests: write # submitting 'wrong branch' reviews
+      # wrong branch review comment
+      pull-requests: write
     outputs:
       baseBranch: ${{ steps.prepare.outputs.base }}
       headBranch: ${{ steps.prepare.outputs.head }}
@@ -42,21 +37,9 @@ jobs:
           sparse-checkout-cone-mode: true # default, for clarity
           sparse-checkout: |
             ci/github-script
-
-      # It's fine to reuse this app in the 'eval / compare' job,
-      # because this job has to run before that one.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID && github.actor != 'dependabot[bot]'
-        id: app-token
-        with:
-          client-id: ${{ vars.NIXPKGS_BRANCH_CHECK_CLIENT_ID }}
-          private-key: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
       - id: prepare
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.app-token.outputs.token || github.token }}
           retries: 10
           # The default for this includes code 422, which happens regularly for us when comparing commits:
           #   422 - Server Error: Sorry, this diff is taking too long to generate.
@@ -78,9 +61,6 @@ jobs:
     permissions:
       # cherry-picks
       pull-requests: write
-    secrets:
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
     with:
       baseBranch: ${{ needs.prepare.outputs.baseBranch }}
       headBranch: ${{ needs.prepare.outputs.headBranch }}
@@ -103,8 +83,6 @@ jobs:
       # compare
       pull-requests: write
       statuses: write
-    secrets:
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
     with:
       artifact-prefix: ${{ inputs.artifact-prefix }}
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -149,7 +127,7 @@ jobs:
     permissions:
       statuses: write
     steps:
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           RESULTS: ${{ toJSON(needs.*.result) }}
         with:

.github/workflows/review.yml

@@ -9,7 +9,7 @@ on:
 # This is used as fallback without app only.
 # This happens when testing in forks without setting up that app.
 permissions:
-  pull-requests: write # minimizing dismissed reviews and adding reactions
+  pull-requests: write
 
 defaults:
   run:
@@ -27,15 +27,15 @@ jobs:
             ci/github-script
 
       # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-pull-requests: write
 
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token || github.token }}
           retries: 3

.github/workflows/teams.yml

@@ -19,10 +19,10 @@ jobs:
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered and to
       # request team member lists.
-      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
           private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
           permission-administration: read
           permission-contents: write
@@ -41,7 +41,7 @@ jobs:
         run: npm install bottleneck@2.19.5
 
       - name: Synchronise teams
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           script: |
@@ -64,7 +64,7 @@ jobs:
           echo "git-string=$name <$email>" >> "$GITHUB_OUTPUT"
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ steps.app-token.outputs.token }}
           add-paths: maintainers/github-teams.json

.github/workflows/test.yml

@@ -26,7 +26,7 @@ jobs:
           sparse-checkout: |
             ci/github-script
       - id: prepare
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           retries: 10
           # The default for this includes code 422, which happens regularly for us when comparing commits:
@@ -45,7 +45,7 @@ jobs:
 
       - name: Determine changed files
         id: files
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const files = (await github.paginate(github.rest.pulls.listFiles, {
@@ -55,15 +55,10 @@ jobs:
             })).map(file => file.filename)
 
             if (files.some(file => [
-              '.github/workflows/build.yml',
-              '.github/workflows/check.yml',
               '.github/workflows/eval.yml',
               '.github/workflows/lint.yml',
               '.github/workflows/merge-group.yml',
               '.github/workflows/test.yml',
-              'ci/github-script/supportedSystems.js',
-              'ci/pinned.json',
-              'ci/supportedBranches.js',
             ].includes(file))) core.setOutput('merge-group', true)
 
             if (files.some(file => [
@@ -76,18 +71,8 @@ jobs:
               '.github/workflows/pull-request-target.yml',
               '.github/workflows/test.yml',
               'ci/github-script/bot.js',
-              'ci/github-script/check-target-branch.js',
-              'ci/github-script/commits.js',
-              'ci/github-script/get-pr-commit-details.js',
-              'ci/github-script/lint-commits.js',
               'ci/github-script/merge.js',
-              'ci/github-script/prepare.js',
-              'ci/github-script/reviewers.js',
-              'ci/github-script/reviews.js',
-              'ci/github-script/supportedSystems.js',
               'ci/github-script/withRateLimit.js',
-              'ci/pinned.json',
-              'ci/supportedBranches.js',
             ].includes(file))) core.setOutput('pr', true)
 
   merge-group:
@@ -97,8 +82,8 @@ jobs:
     uses: ./.github/workflows/merge-group.yml
     # Those are actually only used on the merge_group event, but will throw an error if not set.
     permissions:
-      pull-requests: write # unused on pull_request, required by merge-group workflow
-      statuses: write # unused on pull_request, required by merge-group workflow
+      pull-requests: write
+      statuses: write
     with:
       artifact-prefix: mg-
       mergedSha: ${{ needs.prepare.outputs.mergedSha }}
@@ -111,13 +96,10 @@ jobs:
     uses: ./.github/workflows/pull-request-target.yml
     # Those are actually only used on the pull_request_target event, but will throw an error if not set.
     permissions:
-      issues: write # unused on pull_request, required by bot workflow
-      pull-requests: write # unused on pull_request, required by PR workflow
-      statuses: write # unused on pull_request, required by PR workflow
+      issues: write
+      pull-requests: write
+      statuses: write
     secrets:
       NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-      NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_BRANCH_CHECK_APP_PRIVATE_KEY }}
-      NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_COMMIT_CHECK_APP_PRIVATE_KEY }}
-      NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_MANUAL_EDIT_CHECK_APP_PRIVATE_KEY }}
     with:
       artifact-prefix: pr-

.github/zizmor.yml

@@ -10,5 +10,3 @@
 rules:
   dangerous-triggers:
     disable: true
-  secrets-outside-env:
-    disable: true

.mailmap

@@ -22,7 +22,6 @@ Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>
 Martin Weinelt <hexa@darmstadt.ccc.de> <mweinelt@users.noreply.github.com>
 Martin Häcker <spamfaenger@gmx.de> <spamfaenger@gmx.de>
 moni <lythe1107@gmail.com> <lythe1107@icloud.com>
-Noah Biewesch <dev@noahbiewesch.com> <90870942+trueNAHO@users.noreply.github.com>
 quantenzitrone <nix@dev.quantenzitrone.eu>
 quantenzitrone <nix@dev.quantenzitrone.eu> <74491719+Quantenzitrone@users.noreply.github.com>
 quantenzitrone <nix@dev.quantenzitrone.eu> <74491719+quantenzitrone@users.noreply.github.com>

CONTRIBUTING.md

@@ -206,7 +206,7 @@ For example, if you make a change to `texlive`, you probably would only check th
 
 #### Meets Nixpkgs contribution standards
 
-The last two checkboxes are about whether it fits the guidelines in this `CONTRIBUTING.md` file.
+The last checkbox is about whether it fits the guidelines in this `CONTRIBUTING.md` file.
 This document details our standards for commit messages, reviews, licensing of contributions, etc...
 Everyone should read and understand these standards before submitting a pull request.
 
@@ -442,7 +442,6 @@ The staging workflow is used for all stable branches with corresponding names:
 - `master`/`release-YY.MM`
 - `staging`/`staging-YY.MM`
 - `staging-next`/`staging-next-YY.MM`
-- `staging-nixos`/`staging-nixos-YY.MM`
 
 [^1]: Except changes that cause no more rebuilds than kernel updates
 
@@ -506,7 +505,7 @@ These PRs go to `staging-nixos`, see [the next section for more context](#change
 Changes causing a rebuild of all NixOS tests get a special [`10.rebuild-nixos-tests`](https://github.com/NixOS/nixpkgs/issues?q=state%3Aopen%20label%3A10.rebuild-nixos-tests) label.
 These changes pose a significant impact on the build infrastructure.
 
-Hence, these PRs should either target a `staging`-branch or `staging-nixos`-branch, provided one of following conditions applies:
+Hence, these PRs should either target a `staging`-branch or `staging-nixos`, provided one of following conditions applies:
 
 * The label `10.rebuild-nixos-tests` is set, or
 * The PR is a change affecting the Linux kernel.
@@ -889,77 +888,3 @@ As mentioned previously, it is unfortunately perfectly normal for a PR to sit ar
 
 Please don't blow up situations where progress is happening but is merely not going fast enough for your tastes.
 Honking in a traffic jam will not make you go any faster.
-
-# Automation/AI policy
-
-Every contribution to Nixpkgs and related development venues, including code, documentation, and communication on GitHub and Matrix, must have a **responsible person in the loop** who is accountable for that contribution and reviews it before submission, and must **transparently disclose** any non‐trivial use of automation to produce it, including but not limited to LLM‐based AI tools.
-
-The following sections give more detail.
-
-## Scope
-
-Any use of automated tools to generate non‐trivial amounts of output as part of a contribution, in whole or in part, verbatim or edited, is covered by this policy, except as listed in the Exemptions section.
-Both LLM‐based AI tools and hand‐written automation are covered.
-Contributions include code and documentation in commits, commit messages, pull request summaries and reviews, issue and vulnerability reports, GitHub comments, Matrix messages, and Discourse posts.
-The covered venues are the GitHub repositories for Nixpkgs and [related projects](https://github.com/orgs/NixOS/teams/nixpkgs-core/repositories) under the jurisdiction of the Nixpkgs core team, Matrix rooms that are focused on development of those projects, and Discourse topics about Nixpkgs development.
-
-## Accountability
-
-Everyone who submits a contribution to Nixpkgs is responsible for it, regardless of the use of automated tooling.
-Before submission, they must establish a reasonable level of understanding of the contribution and expectation of its correctness.
-A contributor submitting a contribution intended for inclusion in Nixpkgs is also responsible for ensuring that it is [appropriately licensed](https://github.com/NixOS/nixpkgs/blob/master/COPYING) and credited, and not encumbered by any incompatible copyright.
-
-When output from automated tooling is used in contributions, a contributor must establish confidence in that output.
-This can be achieved by establishing confidence in the correctness of the tooling’s logic, manual review of the included output, or using further automation to verify the output (e.g. programmatically checking whether a refactor avoids causing rebuilds).
-As the inner workings of LLM‐based AI tools cannot be sufficiently understood at present, only the latter two options are available when those are used; vibe coding without review is not permitted.
-When automation is used to verify output, the verification tooling itself must be disclosed and reviewed in line with this policy.
-
-This policy applies equally to any further discussion of a contribution.
-Comments and reviews must separately satisfy the same requirements of understanding, review, and disclosure.
-Contributors are expected to be able to answer questions about their contribution and respond to feedback appropriately, without simply forwarding messages back and forth to automated tools.
-
-It is not permitted to submit automated contributions without any manual review or intervention, outside of standard community automation.
-Automation without any manual review must not be used as the sole arbiter of whether to merge a change.
-
-## Transparency
-
-All covered use of automated tooling for a contribution must be disclosed as part of that contribution.
-
-In the case of LLM‐based AI tooling used for commits, this **must** be in the form of an `Assisted-by:` Git commit trailer, including at least the tool name and the primary model name and version used for the contribution.
-A `Co-authored-by:` trailer does not satisfy this policy.
-
-Any adequate form of disclosure is permitted for other kinds of tooling and contribution.
-Pull request summaries and review comments must be disclosed separately to commits.
-
-## Exemptions
-
-The following situations are fully or partially exempt:
-
-* Use of standard deterministic editor/IDE/formatter/text transformation tooling to produce changes that the author manually reviews and understands is exempt, including inline “auto‐completion” (even if LLM‐based) of short, rote snippets of text that do not contribute anything beyond boilerplate the author would have written anyway.
-
-* Use of standard community automation is exempt, such as `nix-update`, the official Nixpkgs CI bots, the @r-ryantm update bot, other maintainer‐approved bots that run update scripts, and the Nixpkgs security tracker bot.
-
-* Use of AI tools for research, testing, debugging, or private review is out of scope, if no substantial amount of their output is included in the resulting contribution.
-  However, if these tools had a significant technical influence on your contribution, you are still responsible for it per the Accountability section, and are expected to disclose this where relevant.
-
-* Use of machine translation is exempt from the requirement to understand the translated output.
-  However, the requirements of appropriate confidence in the original text, responsibility, and disclosure still apply, and you are encouraged to additionally include the original untranslated contribution.
-
-* Use of automation in a contribution clearly marked as not being ready for merge (e.g. a draft pull request) is exempt from the requirement for full self‐review, as long as some amount of review has been done and it is expected that the requirements will be met by the time it is marked as ready.
-  This does not waive any other requirement.
-
-* Use of automated tools to develop upstream software packaged inside Nixpkgs is not in scope.
-
-## Enforcement
-
-If you believe that someone is using automation without appropriate disclosure and review, you can politely ask them if that’s the case and point them to this policy as appropriate.
-Please assume good faith and remain civil; it’s not always possible to determine, and it is more likely that someone overlooked this policy than deliberately violated it.
-If you think someone is continuing to break the policy after this, please escalate to the [Nixpkgs core team](https://nixos.org/community/teams/nixpkgs-core/) rather than fighting over it.
-
-If a contribution is clearly in violation of the policy (e.g. the contributor admits it was not followed, or there are AI tool attributions that do not meet our required format), it can be closed or hidden, preferably after informing the contributor of the policy and giving them a chance to address the violations.
-Deliberate violations of this policy are considered to break the [Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) clause against “Wasting other people’s time with low quality contributions, including but not limited to LLM and bot spam”.
-Repeated violations are grounds for further moderation action.
-
-## Credits
-
-This policy takes inspiration from similar policies in [LLVM](https://llvm.org/docs/AIToolPolicy.html), [Mesa](https://gitlab.freedesktop.org/mesa/mesa/-/blob/mesa-26.1.0-rc1/docs/submittingpatches.rst?ref_type=tags), [Fedora](https://docs.fedoraproject.org/en-US/council/policy/ai-contribution-policy/), and the [Linux kernel](https://docs.kernel.org/7.0/process/coding-assistants.html), along with [a proposal by the author of Anubis](https://xeiaso.net/notes/2025/assisted-by-footer/).

ci/OWNERS

@@ -21,15 +21,15 @@
 /ci/OWNERS                              @infinisil @philiptaron
 
 # Development support
-/.editorconfig @Mic92
+/.editorconfig @Mic92 @zowoq
 /shell.nix @infinisil @NixOS/Security
 
 # Libraries
 /lib                        @infinisil @hsjobeki
-/lib/generators.nix         @infinisil @hsjobeki
-/lib/cli.nix                @infinisil @hsjobeki
-/lib/debug.nix              @infinisil @hsjobeki
-/lib/asserts.nix            @infinisil @hsjobeki
+/lib/generators.nix         @infinisil @hsjobeki @Profpatsch
+/lib/cli.nix                @infinisil @hsjobeki @Profpatsch
+/lib/debug.nix              @infinisil @hsjobeki @Profpatsch
+/lib/asserts.nix            @infinisil @hsjobeki @Profpatsch
 /lib/path/*                 @infinisil @hsjobeki
 /lib/fileset                @infinisil @hsjobeki
 /maintainers/github-teams.json @infinisil
@@ -58,10 +58,8 @@
 /pkgs/top-level/by-name-overlay.nix              @infinisil @philiptaron
 /pkgs/stdenv                                     @philiptaron @NixOS/stdenv
 /pkgs/stdenv/generic                             @Ericson2314 @NixOS/stdenv
-/pkgs/stdenv/generic/problems.nix                @infinisil
-/pkgs/test/problems                              @infinisil
-/pkgs/stdenv/generic/check-meta.nix              @infinisil @Ericson2314 @adisbladis @NixOS/stdenv
-/pkgs/stdenv/generic/meta-types.nix              @infinisil @adisbladis @NixOS/stdenv
+/pkgs/stdenv/generic/check-meta.nix              @Ericson2314 @adisbladis @NixOS/stdenv
+/pkgs/stdenv/generic/meta-types.nix              @adisbladis @NixOS/stdenv
 /pkgs/stdenv/cross                               @Ericson2314 @NixOS/stdenv
 /pkgs/build-support                              @philiptaron
 /pkgs/build-support/cc-wrapper                   @Ericson2314
@@ -75,7 +73,7 @@
 /pkgs/pkgs-lib                                   @Stunkymonkey @h7x4
 
 # Nixpkgs build-support
-/pkgs/build-support/writers @lassulus
+/pkgs/build-support/writers @lassulus @Profpatsch
 
 # Nixpkgs make-disk-image
 /doc/build-helpers/images/makediskimage.section.md  @raitobezarius
@@ -124,7 +122,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo
 
 # NixOS integration test driver
 /nixos/lib/test-driver  @tfc
-/nixos/lib/testing      @tfc
 
 # NixOS QEMU virtualisation
 /nixos/modules/virtualisation/qemu-vm.nix                 @raitobezarius
@@ -220,10 +217,10 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo
 /pkgs/development/r-modules         @jbedo
 
 # Rust
-/pkgs/development/compilers/rust @alyssais @Mic92 @winterqt
-/pkgs/build-support/rust @winterqt
+/pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt
+/pkgs/build-support/rust @zowoq @winterqt
 /pkgs/build-support/rust/fetch-cargo-vendor* @TomaSajt
-/doc/languages-frameworks/rust.section.md @winterqt
+/doc/languages-frameworks/rust.section.md @zowoq @winterqt
 
 # Tcl
 /pkgs/development/interpreters/tcl  @fgaz
@@ -269,7 +266,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @leona-ya @theCapypara
 
 # Licenses
-/lib/licenses @alyssais @emilazy @jopejoe1
+/lib/licenses.nix @alyssais @emilazy @jopejoe1
 
 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -295,6 +292,13 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/modules/services/databases/mysql.nix     @6543
 /nixos/modules/services/backup/mysql-backup.nix @6543
 
+# Hardened profile & related modules
+/nixos/modules/profiles/hardened.nix                       @joachifm
+/nixos/modules/security/lock-kernel-modules.nix            @joachifm
+/nixos/modules/security/misc.nix                           @joachifm
+/nixos/tests/hardened.nix                                  @joachifm
+/pkgs/os-specific/linux/kernel/hardened/        @fabianhjr @joachifm
+
 # Home Automation
 /nixos/modules/services/home-automation/home-assistant.nix @mweinelt
 /nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
@@ -304,14 +308,8 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/by-name/es/esphome @mweinelt
 
 # Linux kernel
-/doc/packages/linux.section.md @NixOS/linux-kernel
-/lib/kernel.nix @NixOS/linux-kernel
-/nixos/doc/manual/configuration/linux-kernel.chapter.md @NixOS/linux-kernel
-/nixos/modules/system/boot/kernel.nix @NixOS/linux-kernel
-/nixos/tests/kernel-generic/ @NixOS/linux-kernel
-/pkgs/build-support/kernel/ @NixOS/linux-kernel
-/pkgs/os-specific/linux/kernel/ @NixOS/linux-kernel
 /pkgs/top-level/linux-kernels.nix @NixOS/linux-kernel
+/pkgs/os-specific/linux/kernel/ @NixOS/linux-kernel
 
 # Network Time Daemons
 /pkgs/by-name/ch/chrony @thoughtpolice
@@ -339,8 +337,8 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/build-support/dlang @jtbx @TomaSajt
 
 # Dhall
-/pkgs/development/dhall-modules      @Gabriella439
-/pkgs/development/interpreters/dhall @Gabriella439
+/pkgs/development/dhall-modules      @Gabriella439 @Profpatsch
+/pkgs/development/interpreters/dhall @Gabriella439 @Profpatsch
 
 # Agda
 /pkgs/build-support/agda                  @NixOS/agda
@@ -353,6 +351,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/development/idris-modules @Infinisil
 /pkgs/development/compilers/idris2 @mattpolzin
 
+# Bazel
+/pkgs/by-name/ba/bazel_7 @Profpatsch
+
 # NixOS modules for e-mail and dns services
 /nixos/modules/services/mail/mailman.nix    @peti
 /nixos/modules/services/mail/postfix.nix    @peti
@@ -377,9 +378,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 
 # VimPlugins
 /pkgs/applications/editors/vim/plugins         @NixOS/neovim
-## nvim-treesitter
-/pkgs/applications/editors/vim/plugins/nvim-treesitter/overrides.nix @NixOS/neovim @figsoda
-/pkgs/applications/editors/vim/plugins/utils/nvim-treesitter         @NixOS/neovim @figsoda
 
 # VsCode Extensions
 /pkgs/applications/editors/vscode/extensions
@@ -481,7 +479,7 @@ pkgs/by-name/lx/lxc*                    @adamcstephens
 /pkgs/desktops/expidus              @RossComputerGuy
 
 # GNU Tar & Zip
-/pkgs/by-name/gn/gnutar        @RossComputerGuy
+/pkgs/tools/archivers/gnutar        @RossComputerGuy
 /pkgs/by-name/zi/zip           @RossComputerGuy
 
 # SELinux
@@ -496,7 +494,7 @@ pkgs/by-name/lx/lxc*                    @adamcstephens
 
 # Darwin
 /pkgs/by-name/ap/apple-sdk                     @NixOS/darwin-core
-/pkgs/os-specific/darwin                       @NixOS/darwin-core
+/pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
 /pkgs/stdenv/darwin                            @NixOS/darwin-core
 
 # BEAM
@@ -506,7 +504,7 @@ pkgs/development/interpreters/elixir/   @NixOS/beam
 pkgs/development/interpreters/lfe/      @NixOS/beam
 
 # Authelia
-pkgs/by-name/au/authelia/ @06kellyjac @nicomem
+pkgs/by-name/au/authelia/ @06kellyjac @dit7ya @nicomem
 
 # OctoDNS
 pkgs/by-name/oc/octodns/ @anthonyroussel
@@ -523,10 +521,3 @@ pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @FlameFlag @johnrtitor
 /pkgs/build-support/build-nim-package.nix @NixOS/nim
 /pkgs/build-support/build-nim-sbom.nix    @NixOS/nim
 /pkgs/top-level/nim-overrides.nix         @NixOS/nim
-
-# Radicle
-/pkgs/build-support/fetchradicle/      @NixOS/radicle
-/pkgs/build-support/fetchradiclepatch/ @NixOS/radicle
-
-# Zellij plugins
-/pkgs/by-name/ze/zellij/plugins/   @PerchunPak

ci/default.nix

@@ -184,10 +184,9 @@ rec {
     nix = pkgs.nixVersions.latest;
   };
   parse = pkgs.lib.recurseIntoAttrs {
-    nix_latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
-    nix_2_28 = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_28; };
+    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
     lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
-    lix_latest = pkgs.callPackage ./parse.nix { nix = pkgs.lixPackageSets.latest.lix; };
+    nix_2_28 = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.nix_2_28; };
   };
   shell = import ../shell.nix { inherit nixpkgs system; };
   tarball = import ../pkgs/top-level/make-tarball.nix {

ci/eval/README.md

@@ -10,14 +10,14 @@ nix-build ci -A eval.baseline
 
 The two most important arguments are:
 - `--arg evalSystems`: The set of systems for which `nixpkgs` should be evaluated.
-  Defaults to the [supported systems](../../pkgs/top-level/release-supported-systems.json) for the branch.
+  Defaults to the four official platforms (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`).
   Example: `--arg evalSystems '["x86_64-linux" "aarch64-darwin"]'`
 - `--arg quickTest`: Enables testing a single chunk of the current system only for quick iteration.
   Example: `--arg quickTest true`
 
 The following arguments can be used to fine-tune performance:
 - `--max-jobs`: The maximum number of derivations to run at the same time.
-  Only each supported system gets a separate derivation, so it doesn't make sense to set this higher than that number.
+  Only each [supported system](../supportedSystems.json) gets a separate derivation, so it doesn't make sense to set this higher than that number.
 - `--cores`: The number of cores to use for each job.
   Recommended to set this to the number of cores on your system divided by `--max-jobs`.
 - `--arg chunkSize`: The number of attributes that are evaluated simultaneously on a single core.

ci/eval/compare/default.nix

@@ -74,38 +74,9 @@ let
         {
           attrdiff: {
             added: ["package1"],
-            changed: ["package2", "package3", "package4"],
+            changed: ["package2", "package3"],
             removed: ["package4"],
           },
-          attrdiffByKernel: {
-            darwin: {
-              added: [],
-              changed: ["package2", "package4"],
-              removed: ["package4"],
-            },
-            linux: {
-              added: ["package1"],
-              changed: ["package3", "package4"],
-              removed: [],
-            },
-          },
-          attrdiffByPlatform: {
-            aarch64-darwin: {
-              added: [],
-              changed: ["package2"],
-              removed: ["package4"],
-            },
-            aarch64-linux: {
-              added: ["package1"],
-              changed: ["package3"],
-              removed: [],
-            },
-            x86_64-linux: {
-              added: [],
-              changed: ["package4"],
-              removed: [],
-            },
-          },
           labels: {
             "10.rebuild-darwin: 1-10": true,
             "10.rebuild-linux: 1-10": true
@@ -142,8 +113,6 @@ let
   inherit (import ./utils.nix { inherit lib; })
     groupByKernel
     convertToPackagePlatformAttrs
-    groupAttrdiffByKernel
-    groupAttrdiffByPlatform
     groupByPlatform
     extractPackageNames
     getLabels
@@ -154,29 +123,21 @@ let
   # - values: lists of `packagePlatformPath`s
   diffAttrs = builtins.fromJSON (builtins.readFile "${combined}/combined-diff.json");
 
+  changedPackagePlatformAttrs = convertToPackagePlatformAttrs diffAttrs.changed;
   rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs diffAttrs.rebuilds;
+  removedPackagePlatformAttrs = convertToPackagePlatformAttrs diffAttrs.removed;
 
   changed-paths =
     let
-      attrdiff = lib.mapAttrs (_: extractPackageNames) {
-        inherit (diffAttrs) added changed removed;
-      };
-      attrdiffByPlatform = groupAttrdiffByPlatform {
-        inherit (diffAttrs) added changed removed;
-      };
-      attrdiffByKernel = groupAttrdiffByKernel {
-        inherit (diffAttrs) added changed removed;
-      };
       rebuildsByPlatform = groupByPlatform rebuildsPackagePlatformAttrs;
       rebuildsByKernel = groupByKernel rebuildsPackagePlatformAttrs;
       rebuildCountByKernel = lib.mapAttrs (
         kernel: kernelRebuilds: lib.length kernelRebuilds
       ) rebuildsByKernel;
-      rebuildNames = extractPackageNames diffAttrs.rebuilds;
     in
     writeText "changed-paths.json" (
       builtins.toJSON {
-        inherit attrdiff attrdiffByKernel attrdiffByPlatform;
+        attrdiff = lib.mapAttrs (_: extractPackageNames) { inherit (diffAttrs) added changed removed; };
         inherit
           rebuildsByPlatform
           rebuildsByKernel
@@ -190,19 +151,20 @@ let
           ) rebuildsByKernel
           // {
             "10.rebuild-nixos-tests" =
-              lib.elem "nixosTests.simple-container" rebuildNames || lib.elem "nixosTests.simple-vm" rebuildNames;
+              lib.elem "nixosTests.simple" (extractPackageNames diffAttrs.rebuilds)
+              &&
+                # Only set this label when no other label with indication for staging has been set.
+                # This avoids confusion whether to target staging or batch this with kernel updates.
+                lib.last (lib.sort lib.lessThan (lib.attrValues rebuildCountByKernel)) <= 500;
           };
       }
     );
 
-  getMaintainers = callPackage ./maintainers.nix { };
-
   inherit
-    (getMaintainers {
-      affectedAttrPaths = map (a: a.packagePath) (
-        convertToPackagePlatformAttrs (diffAttrs.changed ++ diffAttrs.removed)
-      );
-      changedFiles = lib.importJSON touchedFilesJson;
+    (callPackage ./maintainers.nix {
+      changedattrs = lib.attrNames (lib.groupBy (a: a.name) changedPackagePlatformAttrs);
+      changedpathsjson = touchedFilesJson;
+      removedattrs = lib.attrNames (lib.groupBy (a: a.name) removedPackagePlatformAttrs);
     })
     users
     teams
@@ -219,7 +181,7 @@ runCommand "compare"
     ];
     users = builtins.toJSON users;
     teams = builtins.toJSON teams;
-    packages = builtins.toJSON (lib.map (lib.concatStringsSep ".") packages);
+    packages = builtins.toJSON packages;
     passAsFile = [
       "users"
       "teams"

ci/eval/compare/maintainers.nix

@@ -1,59 +1,70 @@
-# Figure out which maintainers (users/teams) are relevant for a PR:
-# - All maintainers that can be linked directly to changedFiles
-# - Maintainers of affectedAttrPaths if a file directly related to the attribute is in changedFiles
-#
-# Files and attributes are linked in various ways:
-# - pkgs/by-name/<attr>/* is linked to pkgs.<attr>
-# - The file position of various attributes of pkgs.<attr>
-# - Explicitly specified file positions in derivations
-#
-# Test with
-#   nix-instantiate --eval --strict --json test.nix -A result | jq
-#
-# Empty list as an output means success
-
-# Dependencies coming from the CI-pinned Nixpkgs
 {
   lib,
+  changedattrs,
+  changedpathsjson,
+  removedattrs,
 }:
-# Function arguments
-{
-  # Files that were changed
-  # Type: ListOf (Nixpkgs-root-relative path)
-  changedFiles,
-  # Attributes whose value was affected by the change
-  # Type: ListOf (ListOf String)
-  affectedAttrPaths,
-  # Nixpkgs used to check maintainers. Customisable for testing
-  pkgs ? import ../../.. {
+let
+  pkgs = import ../../.. {
     system = "x86_64-linux";
     # We should never try to ping maintainers through package aliases, this can only lead to errors.
     # One example case is, where an attribute is a throw alias, but then re-introduced in a PR.
     # This would trigger the throw. By disabling aliases, we can fallback gracefully below.
     config.allowAliases = false;
-    overlays = [ ];
-  },
-}:
-let
-  nixpkgsRoot = toString ../../.. + "/";
-  stripNixpkgsRootFromKeys = lib.mapAttrs' (
-    file: value: lib.nameValuePair (lib.removePrefix nixpkgsRoot file) value
-  );
+  };
 
-  moduleMeta = (pkgs.nixos { }).config.meta;
+  changedpaths = lib.importJSON changedpathsjson;
 
-  # Currently just nixos module maintainers, but in the future we can use this for code owners too
-  fileUsers = stripNixpkgsRootFromKeys moduleMeta.maintainers;
-  fileTeams = stripNixpkgsRootFromKeys moduleMeta.teams;
+  # Extract attributes that changed from by-name paths.
+  # This allows pinging reviewers for pure refactors.
+  touchedattrs = lib.pipe changedpaths [
+    (lib.filter (changed: lib.hasPrefix "pkgs/by-name/" changed && changed != "pkgs/by-name/README.md"))
+    (map (lib.splitString "/"))
+    (map (path: lib.elemAt path 3))
+    lib.unique
+  ];
 
-  anyMatchingFile = filename: lib.any (lib.hasPrefix filename) changedFiles;
+  anyMatchingFile = filename: lib.any (lib.hasPrefix filename) changedpaths;
 
   anyMatchingFiles = files: lib.any anyMatchingFile files;
 
+  sharded = name: "${lib.substring 0 2 name}/${name}";
+
+  attrsWithMaintainers = lib.pipe (changedattrs ++ removedattrs ++ touchedattrs) [
+    # An attribute can appear in changed/removed *and* touched
+    lib.unique
+    (map (
+      name:
+      let
+        path = lib.splitString "." name;
+        # Some packages might be reported as changed on a different platform, but
+        # not even have an attribute on the platform the maintainers are requested on.
+        # Fallback to `null` for these to filter them out below.
+        package = lib.attrByPath path null pkgs;
+      in
+      {
+        inherit name package;
+        # Adds all files in by-name to each package, no matter whether they are discoverable
+        # via meta attributes below. For example, this allows pinging maintainers for
+        # updates to .json files.
+        # TODO: Support by-name package sets.
+        filenames = lib.optional (lib.length path == 1) "pkgs/by-name/${sharded (lib.head path)}/";
+        # meta.maintainers also contains all individual team members.
+        # We only want to ping individuals if they're added individually as maintainers, not via teams.
+        users = package.meta.nonTeamMaintainers or [ ];
+        teams = package.meta.teams or [ ];
+      }
+    ))
+    # No need to match up packages without maintainers with their files.
+    # This also filters out attributes where `packge = null`, which is the
+    # case for libintl, for example.
+    (lib.filter (pkg: pkg.users != [ ] || pkg.teams != [ ]))
+  ];
+
   relevantFilenames =
     drv:
     (lib.unique (
-      map (pos: lib.removePrefix nixpkgsRoot pos.file) (
+      map (pos: lib.removePrefix "${toString ../../..}/" pos.file) (
         lib.filter (x: x != null) [
           (drv.meta.maintainersPosition or null)
           (drv.meta.teamsPosition or null)
@@ -76,84 +87,50 @@ let
       )
     ));
 
-  relevantAffectedAttrPaths = lib.filter (
-    attrPath:
-    # Some packages might be reported as changed on a different platform, but
-    # not even have an attribute on the platform the maintainers are requested on.
-    # Fallback to `null` for these to filter them out
-    let
-      package = lib.attrByPath attrPath null pkgs;
-    in
-    package != null && anyMatchingFiles (relevantFilenames package)
-  ) affectedAttrPaths;
+  attrsWithFilenames = map (
+    pkg: pkg // { filenames = pkg.filenames ++ relevantFilenames pkg.package; }
+  ) attrsWithMaintainers;
 
-  # Extract attributes that changed from by-name paths.
-  # This allows pinging reviewers for pure refactors.
-  changedByNameAttrPaths = lib.pipe changedFiles [
-    (lib.filter (changed: lib.hasPrefix "pkgs/by-name/" changed))
-    (map (lib.splitString "/"))
-    # Filters out e.g. pkgs/by-name/README.md
-    (lib.filter (path: lib.length path > 3))
-    (map (path: lib.elemAt path 3))
-    (map lib.singleton)
-    # Filter out new packages
-    (lib.filter (attrPath: lib.hasAttrByPath attrPath pkgs))
-  ];
-
-  # An attribute can appear in affected *and* touched
-  attrPathsToGetMaintainersFor = lib.unique (relevantAffectedAttrPaths ++ changedByNameAttrPaths);
-
-  attrPathEntities = lib.concatMap (
-    attrPath:
-    let
-      package = lib.getAttrFromPath attrPath pkgs;
-    in
-    # meta.maintainers also contains all individual team members.
-    # We only want to ping individuals if they're added individually as maintainers, not via teams.
-    userPings { inherit attrPath; } (package.meta.nonTeamMaintainers or [ ])
-    ++ lib.concatMap (teamPings { inherit attrPath; }) (package.meta.teams or [ ])
-  ) attrPathsToGetMaintainersFor;
-
-  changedFileEntities = lib.concatMap (
-    file:
-    userPings { inherit file; } (fileUsers.${file} or [ ])
-    ++ lib.concatMap (teamPings { inherit file; }) (fileTeams.${file} or [ ])
-  ) changedFiles;
+  attrsWithModifiedFiles = lib.filter (pkg: anyMatchingFiles pkg.filenames) attrsWithFilenames;
 
   userPings =
-    context:
+    pkg:
     map (maintainer: {
       type = "user";
       userId = maintainer.githubId;
-      inherit context;
+      packageName = pkg.name;
     });
 
   teamPings =
-    context: team:
-    if team ? githubId then
+    pkg: team:
+    if team ? github then
       [
         {
           type = "team";
           teamId = team.githubId;
-          inherit context;
+          packageName = pkg.name;
         }
       ]
     else
-      userPings context team.members;
+      userPings pkg team.members;
 
-  byType = lib.groupBy (ping: ping.type) (attrPathEntities ++ changedFileEntities);
+  maintainersToPing = lib.concatMap (
+    pkg: userPings pkg pkg.users ++ lib.concatMap (teamPings pkg) pkg.teams
+  ) attrsWithModifiedFiles;
+
+  byType = lib.groupBy (ping: ping.type) maintainersToPing;
 
   byUser = lib.pipe (byType.user or [ ]) [
     (lib.groupBy (ping: toString ping.userId))
-    (lib.mapAttrs (_user: lib.map (pkg: pkg.context)))
+    (lib.mapAttrs (_user: lib.map (pkg: pkg.packageName)))
   ];
   byTeam = lib.pipe (byType.team or [ ]) [
     (lib.groupBy (ping: toString ping.teamId))
-    (lib.mapAttrs (_team: lib.map (pkg: pkg.context)))
+    (lib.mapAttrs (_team: lib.map (pkg: pkg.packageName)))
   ];
 in
 {
   users = byUser;
   teams = byTeam;
-  packages = attrPathsToGetMaintainersFor;
+  packages = lib.catAttrs "name" attrsWithModifiedFiles;
 }

ci/eval/compare/test.nix

@@ -1,311 +0,0 @@
-{
-  pkgs ? import ../../.. {
-    config = { };
-    overlays = [ ];
-  },
-  lib ? pkgs.lib,
-}:
-let
-  fun = import ./maintainers.nix { inherit lib; };
-  utils = import ./utils.nix { inherit lib; };
-
-  mockPkgs =
-    {
-      packages ? [ ],
-      modules ? [ ],
-      githubTeams ? true,
-    }:
-    lib.updateManyAttrsByPath
-      (lib.imap0 (i: p: {
-        path = p;
-        update = _: {
-          meta.maintainersPosition.file = lib.concatStringsSep "/" p;
-          meta.nonTeamMaintainers = [ { githubId = i; } ];
-          meta.teams =
-            if githubTeams then [ { githubId = i + 100; } ] else [ { members = [ { githubId = i + 100; } ]; } ];
-        };
-      }) packages)
-      {
-        nixos =
-          { }:
-          {
-            config.meta.maintainers = lib.listToAttrs (
-              lib.imap0 (i: m: lib.nameValuePair m [ { githubId = i; } ]) modules
-            );
-            config.meta.teams = lib.listToAttrs (
-              lib.imap0 (
-                i: m:
-                lib.nameValuePair m (
-                  if githubTeams then [ { githubId = i + 100; } ] else [ { members = [ { githubId = i + 100; } ]; } ]
-                )
-              ) modules
-            );
-          };
-      };
-
-  tests = {
-    testEmpty = {
-      expr = fun {
-        pkgs = mockPkgs { };
-        changedFiles = [ ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testNonExistentAffected = {
-      expr = fun {
-        pkgs = mockPkgs { };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testIrrelevantAffected = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "b" ] ];
-        };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testRelevantAffected = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "b" ] ];
-        };
-        # Also tests that subpaths work
-        changedFiles = [ "b/c" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ [ "b" ] ];
-        teams."100" = [
-          { attrPath = [ "b" ]; }
-        ];
-        users."0" = [
-          { attrPath = [ "b" ]; }
-        ];
-      };
-    };
-    testRelevantAffectedNonGitHub = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "b" ] ];
-          githubTeams = false;
-        };
-        changedFiles = [ "b/c" ];
-        affectedAttrPaths = [ [ "b" ] ];
-      };
-      expected = {
-        packages = [ [ "b" ] ];
-        teams = { };
-        users."0" = [
-          { attrPath = [ "b" ]; }
-        ];
-        users."100" = [
-          { attrPath = [ "b" ]; }
-        ];
-      };
-    };
-    testByNameChanged = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "hello" ] ];
-        };
-        changedFiles = [ "pkgs/by-name/he/hello/sources.json" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ [ "hello" ] ];
-        teams."100" = [
-          { attrPath = [ "hello" ]; }
-        ];
-        users."0" = [
-          { attrPath = [ "hello" ]; }
-        ];
-      };
-    };
-    testByNameNonExistentChanged = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ ];
-        };
-        # Happens when a new package was added to pkgs/by-name
-        changedFiles = [ "pkgs/by-name/he/hello/sources.json" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testByNameReadmeChanged = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "hello" ] ];
-        };
-        changedFiles = [ "pkgs/by-name/README.md" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users = { };
-      };
-    };
-    testNoDuplicates = {
-      expr = fun {
-        pkgs = mockPkgs {
-          packages = [ [ "hello" ] ];
-        };
-        changedFiles = [
-          "hello"
-          "pkgs/by-name/he/hello/sources.json"
-        ];
-        affectedAttrPaths = [ [ "hello" ] ];
-      };
-      expected = {
-        packages = [ [ "hello" ] ];
-        teams."100" = [
-          { attrPath = [ "hello" ]; }
-        ];
-        users."0" = [
-          { attrPath = [ "hello" ]; }
-        ];
-      };
-    };
-    testModuleMaintainers = {
-      expr = fun {
-        pkgs = mockPkgs {
-          modules = [ "a" ];
-        };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams."100" = [
-          { file = "a"; }
-        ];
-        users."0" = [
-          { file = "a"; }
-        ];
-      };
-    };
-    testModuleMaintainersNonGithub = {
-      expr = fun {
-        pkgs = mockPkgs {
-          modules = [ "a" ];
-          githubTeams = false;
-        };
-        changedFiles = [ "a" ];
-        affectedAttrPaths = [ ];
-      };
-      expected = {
-        packages = [ ];
-        teams = { };
-        users."100" = [
-          { file = "a"; }
-        ];
-        users."0" = [
-          { file = "a"; }
-        ];
-      };
-    };
-    testGroupAttrdiffByPlatform = {
-      expr = utils.groupAttrdiffByPlatform {
-        added = [
-          "new-tool.aarch64-linux"
-          "new-tool.x86_64-darwin"
-        ];
-        changed = [
-          "updated-tool.x86_64-darwin"
-          "shared-tool.x86_64-darwin"
-        ];
-        removed = [
-          "removed-tool.aarch64-darwin"
-          "shared-tool.aarch64-darwin"
-        ];
-      };
-      expected = {
-        aarch64-darwin = {
-          added = [ ];
-          changed = [ ];
-          removed = [
-            "removed-tool"
-            "shared-tool"
-          ];
-        };
-        aarch64-linux = {
-          added = [ "new-tool" ];
-          changed = [ ];
-          removed = [ ];
-        };
-        x86_64-darwin = {
-          added = [ "new-tool" ];
-          changed = [
-            "shared-tool"
-            "updated-tool"
-          ];
-          removed = [ ];
-        };
-      };
-    };
-    testGroupAttrdiffByKernel = {
-      expr =
-        let
-          grouped = utils.groupAttrdiffByKernel {
-            added = [
-              "new-tool.aarch64-linux"
-              "new-tool.x86_64-darwin"
-            ];
-            changed = [
-              "updated-tool.x86_64-darwin"
-              "shared-tool.x86_64-darwin"
-            ];
-            removed = [
-              "removed-tool.aarch64-darwin"
-              "shared-tool.aarch64-darwin"
-            ];
-          };
-        in
-        lib.mapAttrs (_: diff: lib.mapAttrs (_: lib.sort lib.lessThan) diff) grouped;
-      expected = {
-        darwin = {
-          added = [ "new-tool" ];
-          changed = [
-            "shared-tool"
-            "updated-tool"
-          ];
-          removed = [
-            "removed-tool"
-            "shared-tool"
-          ];
-        };
-        linux = {
-          added = [ "new-tool" ];
-          changed = [ ];
-          removed = [ ];
-        };
-      };
-    };
-  };
-in
-{
-  result = lib.runTests tests;
-}

ci/eval/compare/utils.nix

@@ -150,50 +150,6 @@ rec {
     in
     lib.genAttrs [ "linux" "darwin" ] filterKernel;
 
-  /*
-    Group an attrdiff-style mapping by a derived key such as platform or kernel.
-
-    Turns
-      {
-        added = [ "new-tool.aarch64-linux" "new-tool.x86_64-darwin" ];
-        changed = [ "updated-tool.x86_64-darwin" "shared-tool.x86_64-darwin" ];
-        removed = [ "removed-tool.aarch64-darwin" "shared-tool.aarch64-darwin" ];
-      }
-    into
-      {
-        aarch64-darwin = {
-          added = [ ];
-          changed = [ ];
-          removed = [ "removed-tool" "shared-tool" ];
-        };
-        aarch64-linux = {
-          added = [ "new-tool" ];
-          changed = [ ];
-          removed = [ ];
-        };
-        x86_64-darwin = {
-          added = [ "new-tool" ];
-          changed = [ "shared-tool" "updated-tool" ];
-          removed = [ ];
-        };
-      }
-    when used with `groupByPlatform`.
-  */
-  groupAttrdiffBy =
-    grouper: attrdiff:
-    let
-      groupedByKind = lib.mapAttrs (
-        _: packagePlatformPaths:
-        grouper (convertToPackagePlatformAttrs (uniqueStrings packagePlatformPaths))
-      ) attrdiff;
-      groups = uniqueStrings (lib.flatten (map builtins.attrNames (lib.attrValues groupedByKind)));
-    in
-    lib.genAttrs groups (group: lib.mapAttrs (_: byGroup: byGroup.${group} or [ ]) groupedByKind);
-
-  groupAttrdiffByPlatform = groupAttrdiffBy groupByPlatform;
-
-  groupAttrdiffByKernel = groupAttrdiffBy groupByKernel;
-
   /*
     Maps an attrs of `kernel - rebuild counts` mappings to an attrs of labels
 

ci/eval/default.nix

@@ -38,6 +38,7 @@ let
       fileset = unions (
         map (lib.path.append ../..) [
           ".version"
+          "ci/supportedSystems.json"
           "ci/eval/attrpaths.nix"
           "ci/eval/chunk.nix"
           "ci/eval/outpaths.nix"
@@ -52,9 +53,7 @@ let
       );
     };
 
-  supportedSystems = builtins.fromJSON (
-    builtins.readFile ../../pkgs/top-level/release-supported-systems.json
-  );
+  supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);
 
   attrpathsSuperset =
     {

ci/eval/outpaths.nix

@@ -10,9 +10,7 @@
   attrNamesOnly ? false,
 
   # Set this to `null` to build for builtins.currentSystem only
-  systems ? builtins.fromJSON (
-    builtins.readFile (path + "/pkgs/top-level/release-supported-systems.json")
-  ),
+  systems ? builtins.fromJSON (builtins.readFile ../supportedSystems.json),
 
   # Customize the config used to evaluate nixpkgs
   extraNixpkgsConfig ? { },
@@ -35,9 +33,6 @@ let
             allowVariants = !attrNamesOnly;
             checkMeta = true;
 
-            # Silence the `x86_64-darwin` deprecation warning.
-            allowDeprecatedx86_64Darwin = true;
-
             handleEvalIssue =
               reason: errormsg:
               let
@@ -72,9 +67,7 @@ let
 
   nixosJobs = import (path + "/nixos/release.nix") {
     inherit attrNamesOnly;
-    supportedSystems = lib.filter (lib.hasSuffix "-linux") (
-      if systems == null then [ builtins.currentSystem ] else systems
-    );
+    supportedSystems = if systems == null then [ builtins.currentSystem ] else systems;
   };
 
   recurseIntoAttrs = attrs: attrs // { recurseForDerivations = true; };
@@ -108,8 +101,6 @@ in
 tweak (
   (removeAttrs nixpkgsJobs blacklist)
   // {
-    nixosTests = lib.filterAttrs (
-      name: _: name == "simple-container" || name == "simple-vm"
-    ) nixosJobs.tests;
+    nixosTests.simple = nixosJobs.tests.simple;
   }
 )

ci/github-script/bot.js

@@ -1,6 +1,6 @@
 module.exports = async ({ github, context, core, dry }) => {
   const path = require('node:path')
-  const { DefaultArtifactClient } = await import('@actions/artifact')
+  const { DefaultArtifactClient } = require('@actions/artifact')
   const { readFile, writeFile } = require('node:fs/promises')
   const withRateLimit = require('./withRateLimit.js')
   const { classify } = require('../supportedBranches.js')

ci/github-script/check-target-branch.js

@@ -25,16 +25,6 @@ async function checkTargetBranch({ github, context, core, dry }) {
    *   changed: string[],
    *   removed: string[],
    *  },
-   *  attrdiffByKernel: Record<string, {
-   *   added: string[],
-   *   changed: string[],
-   *   removed: string[],
-   *  }>,
-   *  attrdiffByPlatform: Record<string, {
-   *   added: string[],
-   *   changed: string[],
-   *   removed: string[],
-   *  }>,
    *  labels: Record<string, boolean>,
    *  rebuildCountByKernel: Record<string, number>,
    *  rebuildsByKernel: Record<string, string[]>,
@@ -99,13 +89,13 @@ async function checkTargetBranch({ github, context, core, dry }) {
     ...Object.values(changed.rebuildCountByKernel),
   )
   const rebuildsAllTests =
-    changed.attrdiff.changed.includes('nixosTests.simple-container') ||
-    changed.attrdiff.changed.includes('nixosTests.simple-vm')
+    changed.attrdiff.changed.includes('nixosTests.simple')
 
-  // https://github.com/NixOS/nixpkgs/pull/521157
-  // These should go to master and release-xx.xx when backported
+  // https://github.com/NixOS/nixpkgs/pull/481205#issuecomment-3790123921
+  // These should go to staging-nixos instead of master,
+  // but release-xx.xx (not staging-xx.xx) when backported
   let isExemptKernelUpdate = false
-  if (prInfo.changed_files === 1) {
+  if (prInfo.changed_files === 1 && base.startsWith('release-')) {
     const changedFiles = (
       await github.rest.pulls.listFiles({
         ...context.repo,
@@ -115,7 +105,7 @@ async function checkTargetBranch({ github, context, core, dry }) {
     isExemptKernelUpdate =
       changedFiles.length === 1 &&
       changedFiles[0].filename ===
-        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix'
+        'pkgs/os-specific/linux/kernel/kernels-org.json'
   }
 
   // https://github.com/NixOS/nixpkgs/pull/483194#issuecomment-3793393218
@@ -151,19 +141,19 @@ async function checkTargetBranch({ github, context, core, dry }) {
       core,
       dry,
       body,
-      event: 'REQUEST_CHANGES',
+      event: 'COMMENT',
       reviewKey,
     })
+
+    throw new Error('This PR is against the wrong branch.')
   } else if (rebuildsAllTests && !isExemptKernelUpdate) {
     let branchText
     if (base === 'master' && maxRebuildCount >= 500) {
       branchText = '(probably either `staging-nixos` or `staging`)'
     } else if (base === 'master') {
       branchText = '(probably `staging-nixos`)'
-    } else if (maxRebuildCount >= 500) {
-      branchText = `(probably either \`staging-nixos-${split(base).version}\` or \`staging-${split(base).version}\`)`
     } else {
-      branchText = `(probably \`staging-nixos-${split(base).version}\`)`
+      branchText = `(probably \`staging-${split(base).version}\`)`
     }
     const body = [
       `The PR's base branch is set to \`${base}\`, but this PR rebuilds all NixOS tests.`,
@@ -179,9 +169,11 @@ async function checkTargetBranch({ github, context, core, dry }) {
       core,
       dry,
       body,
-      event: 'REQUEST_CHANGES',
+      event: 'COMMENT',
       reviewKey,
     })
+
+    throw new Error('This PR is against the wrong branch.')
   } else if (
     maxRebuildCount >= 500 &&
     !isExemptKernelUpdate &&
@@ -202,7 +194,7 @@ async function checkTargetBranch({ github, context, core, dry }) {
       core,
       dry,
       body,
-      event: 'REQUEST_CHANGES',
+      event: 'COMMENT',
       reviewKey,
     })
   } else {

ci/github-script/get-pr-commit-details.js

@@ -1,117 +0,0 @@
-// @ts-check
-const { promisify } = require('node:util')
-const execFile = promisify(require('node:child_process').execFile)
-
-/**
- * @typedef {{
- *  subject: string,
- *  sha: string,
- *  author: { name: string, email: string },
- *  committer: { name: string, email: string}
- *  changedPaths: string[],
- *  changedPathSegments: Set<string>,
- * }} Commit
- */
-
-/**
- * @param {{
- *  args: string[]
- *  core: import('@actions/core'),
- *  quiet?: boolean,
- *  repoPath?: string,
- * }} RunGitProps
- */
-async function runGit({ args, repoPath, core, quiet }) {
-  if (repoPath) {
-    args = ['-C', repoPath, ...args]
-  }
-
-  if (!quiet) {
-    core.info(`About to run \`git ${args.map((s) => `'${s}'`).join(' ')}\``)
-  }
-
-  return await execFile('git', args)
-}
-
-/**
- * Gets the SHA, subject and changed files for each commit in the given PR.
- *
- * Don't use GitHub API at all: the "list commits on PR" endpoint has a limit
- * of 250 commits and doesn't return the changed files.
- *
- * @param {{
- *  core: import('@actions/core'),
- *  pr: Awaited<ReturnType<InstanceType<import('@actions/github/lib/utils').GitHub>["rest"]["pulls"]["get"]>>["data"]
- *  repoPath?: string,
- * }} GetCommitMessagesForPRProps
- *
- * @returns {Promise<Commit[]>}
- */
-async function getCommitDetailsForPR({ core, pr, repoPath }) {
-  await runGit({
-    args: ['fetch', `--depth=1`, 'origin', pr.base.sha],
-    repoPath,
-    core,
-  })
-  await runGit({
-    args: ['fetch', `--depth=${pr.commits + 1}`, 'origin', pr.head.sha],
-    repoPath,
-    core,
-  })
-
-  const shas = (
-    await runGit({
-      args: [
-        'rev-list',
-        `--max-count=${pr.commits}`,
-        `${pr.base.sha}..${pr.head.sha}`,
-      ],
-      repoPath,
-      core,
-    })
-  ).stdout
-    .split('\n')
-    .map((s) => s.trim())
-    .filter(Boolean)
-
-  return Promise.all(
-    shas.map(async (sha) => {
-      // Subject, author name, author email, committer name, committer email (all tab-seperated)
-      // then a blank line, then filenames.
-      const result = (
-        await runGit({
-          args: [
-            'log',
-            '--format=%s\t%aN\t%aE\t%cN\t%cE',
-            '--name-only',
-            '-1',
-            sha,
-          ],
-          repoPath,
-          core,
-          quiet: true,
-        })
-      ).stdout.split('\n')
-
-      const [subject, authorName, authorEmail, committerName, committerEmail] =
-        result[0].split('\t')
-
-      const changedPaths = result.slice(2, -1)
-
-      const changedPathSegments = new Set(
-        changedPaths.flatMap((path) => path.split('/')),
-      )
-
-      return {
-        sha,
-        subject,
-        author: { name: authorName, email: authorEmail },
-        committer: { name: committerName, email: committerEmail },
-        changedPaths,
-        changedPathSegments,
-      }
-    }),
-  )
-}
-
-module.exports = { getCommitDetailsForPR }

ci/github-script/lint-commits.js

@@ -1,18 +1,37 @@
 // @ts-check
 const { classify } = require('../supportedBranches.js')
-const { getCommitDetailsForPR } = require('./get-pr-commit-details.js')
+const { promisify } = require('node:util')
+const execFile = promisify(require('node:child_process').execFile)
 
-/** @typedef {import('./get-pr-commit-details.js').Commit} Commit */
+/**
+ * @param {{
+ *  args: string[]
+ *  core: import('@actions/core'),
+ *  quiet?: boolean,
+ *  repoPath?: string,
+ * }} RunGitProps
+ */
+async function runGit({ args, repoPath, core, quiet }) {
+  if (repoPath) {
+    args = ['-C', repoPath, ...args]
+  }
+
+  if (!quiet) {
+    core.info(`About to run \`git ${args.map((s) => `'${s}'`).join(' ')}\``)
+  }
+
+  return await execFile('git', args)
+}
 
 /**
  * @param {{
  *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
- *  context: typeof import('@actions/github').context,
+ *  context: import('@actions/github/lib/context').Context,
  *  core: import('@actions/core'),
  *  repoPath?: string,
- * }} LintCommitsProps
+ * }} CheckCommitMessagesProps
  */
-async function lintCommits({ github, context, core, repoPath }) {
+async function checkCommitMessages({ github, context, core, repoPath }) {
   // This check should only be run when we have the pull_request context.
   const pull_number = context.payload.pull_request?.number
   if (!pull_number) {
@@ -48,81 +67,84 @@ async function lintCommits({ github, context, core, repoPath }) {
     return
   }
 
-  const commits = await getCommitDetailsForPR({ core, pr, repoPath })
-
-  await checkCommitMessages({ commits, core })
-  await checkCommitMetadata({ commits, core })
-}
-
-/**
- * @param {{
- *  commits: Commit[],
- *  core: import('@actions/core'),
- * }} CheckCommitMessagesProps
- */
-async function checkCommitMessages({ commits, core }) {
-  const failures = new Set()
-
-  const conventionalCommitTypes = [
-    'build',
-    'chore',
-    'ci',
-    'doc',
-    'docs',
-    'feat',
-    'feature',
-    'fix',
-    'perf',
-    'refactor',
-    'style',
-    'test',
-  ]
-
   /**
-   * @param {string[]} types e.g. ["fix", "feat"]
-   * @param {string?} sha commit hash
+   * GitHub's API will return a maximum of 250 commits.
+   * We will use it if we can, but fall back to using git locally.
+   * This type is used to abstract over the differences between the two.
+   * @type {{
+   *  message: string,
+   *  sha: string,
+   * }[]}
    */
-  function makeConventionalCommitRegex(types, sha = null) {
-    core.info(
-      `${
-        sha
-          ? `Conventional commit types for ${sha?.slice(0, 16)}`
-          : 'Default conventional commit types'
-      }: ${JSON.stringify(types)}`,
-    )
+  let commits
 
-    return new RegExp(`^(${types.join('|')})!?(\\(.*\\))?!?:`)
+  if (pr.commits < 250) {
+    commits = (
+      await github.paginate(github.rest.pulls.listCommits, {
+        ...context.repo,
+        pull_number,
+      })
+    ).map((commit) => ({ message: commit.commit.message, sha: commit.sha }))
+  } else {
+    await runGit({
+      args: ['fetch', `--depth=1`, 'origin', pr.base.sha],
+      repoPath,
+      core,
+    })
+    await runGit({
+      args: ['fetch', `--depth=${pr.commits + 1}`, 'origin', pr.head.sha],
+      repoPath,
+      core,
+    })
+
+    const shas = (
+      await runGit({
+        args: [
+          'rev-list',
+          `--max-count=${pr.commits}`,
+          `${pr.base.sha}..${pr.head.sha}`,
+        ],
+        repoPath,
+        core,
+      })
+    ).stdout
+      .split('\n')
+      .map((s) => s.trim())
+      .filter(Boolean)
+
+    commits = await Promise.all(
+      shas.map(async (sha) => ({
+        sha,
+        message: (
+          await runGit({
+            args: ['log', '--format=%s', '-1', sha],
+            repoPath,
+            core,
+            quiet: true,
+          })
+        ).stdout,
+      })),
+    )
   }
 
-  // Optimize for the common case that we don't have path segments with the
-  // same name as a conventional commit type.
-  const fullConventionalCommitRegex = makeConventionalCommitRegex(
-    conventionalCommitTypes,
-  )
+  const failures = new Set()
 
   for (const commit of commits) {
-    const logMsgStart = `Commit ${commit.sha}'s message's subject ("${commit.subject}")`
+    const message = commit.message
+    const firstLine = message.split('\n')[0]
 
-    // If we have a commit `perf: ...`, and we touch a file containing the path
-    // segment "perf", we don't want to flag this.
-    const filteredTypes = conventionalCommitTypes.filter(
-      (type) => !commit.changedPathSegments.has(type),
-    )
-    const conventionalCommitRegex =
-      filteredTypes.length === conventionalCommitTypes.length
-        ? fullConventionalCommitRegex
-        : makeConventionalCommitRegex(filteredTypes, commit.sha)
+    const logMsgStart = `Commit ${commit.sha}'s message's subject ("${firstLine}")`
 
-    if (!commit.subject.includes(': ')) {
+    if (!firstLine.includes(': ')) {
       core.error(
         `${logMsgStart} was detected as not meeting our guidelines because ` +
-          'it does not contain a colon followed by a whitespace. ' +
+          'it does not contain a colon followed by a whitespace.' +
           'There are likely other issues as well.',
       )
       failures.add(commit.sha)
     }
 
-    if (commit.subject.endsWith('.')) {
+    if (firstLine.endsWith('.')) {
       core.error(
         `${logMsgStart} was detected as not meeting our guidelines because ` +
           'it ends in a period. There may be other issues as well.',
@@ -131,25 +153,15 @@ async function checkCommitMessages({ commits, core }) {
     }
 
     const fixups = ['amend!', 'fixup!', 'squash!']
-    if (fixups.some((s) => commit.subject.startsWith(s))) {
+    if (fixups.some((s) => firstLine.startsWith(s))) {
       core.error(
         `${logMsgStart} was detected as not meeting our guidelines because ` +
-          `it begins with "${fixups.find((s) => commit.subject.startsWith(s))}". ` +
+          `it begins with "${fixups.find((s) => firstLine.startsWith(s))}". ` +
           'Did you forget to run `git rebase -i --autosquash`?',
       )
       failures.add(commit.sha)
     }
 
-    if (conventionalCommitRegex.test(commit.subject)) {
-      core.error(
-        `${logMsgStart} was detected as not meeting our guidelines because ` +
-          'it seems to use conventional commit (conventionalcommits.org) ' +
-          'formatting. Nixpkgs has its own, different, commit message ' +
-          'formatting standards.',
-      )
-      failures.add(commit.sha)
-    }
-
     if (!failures.has(commit.sha)) {
       core.info(`${logMsgStart} passed our automated checks!`)
     }
@@ -158,66 +170,11 @@ async function checkCommitMessages({ commits, core }) {
   if (failures.size !== 0) {
     core.error(
       'Please review the guidelines at ' +
-        '<https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#commit-conventions>, ' +
+        'https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#commit-conventions, ' +
         'as well as the applicable area-specific guidelines linked there.',
     )
     core.setFailed('Committers: merging is discouraged.')
   }
 }
 
-/**
- * @param {{
- *  commits: Commit[],
- *  core: import('@actions/core'),
- * }} CheckGitFieldsProps
- */
-async function checkCommitMetadata({ commits, core }) {
-  const failures = new Set()
-
-  /** @type {(s: string) => boolean} */
-  const isEmail = (s) => /^.+@.*$/.test(s)
-
-  for (const commit of commits) {
-    if (!commit.author.name) {
-      core.error(`Commit ${commit.sha} author's name field is missing`)
-      failures.add(commit.sha)
-    }
-
-    if (!commit.author.email || !isEmail(commit.author.email)) {
-      core.error(
-        `Commit ${commit.sha} author's email field is missing or invalid`,
-      )
-      failures.add(commit.sha)
-    }
-
-    if (!commit.committer.name) {
-      core.error(`Commit ${commit.sha} committer's name field is missing`)
-      failures.add(commit.sha)
-    }
-
-    if (!commit.committer.email || !isEmail(commit.committer.email)) {
-      core.error(
-        `Commit ${commit.sha} committer's email field is missing or invalid`,
-      )
-      failures.add(commit.sha)
-    }
-
-    if (!failures.has(commit.sha)) {
-      core.info(
-        `Commit ${commit.sha}'s git fields passed our automated checks!`,
-      )
-    }
-  }
-
-  if (failures.size !== 0) {
-    core.error(
-      'Please add the missing commit fields. ' +
-        'You can use the noreply email address generated for you by GitHub ' +
-        '(https://docs.github.com/en/account-and-profile/reference/email-addresses-reference#your-noreply-email-address) ' +
-        "if you'd like.",
-    )
-    core.setFailed('Committers: merging is discouraged.')
-  }
-}
-
-module.exports = lintCommits
+module.exports = checkCommitMessages

ci/github-script/manual-file-edits.js

@@ -1,95 +0,0 @@
-// @ts-check
-const { classify } = require('../supportedBranches.js')
-const { getCommitDetailsForPR } = require('./get-pr-commit-details')
-
-/**
- * @param {{
- *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
- *  context: import('@actions/github/lib/context').Context,
- *  core: import('@actions/core'),
- *  repoPath?: string,
- *  dry: boolean,
- * }} CheckManualFileEditsProps
- */
-async function checkManualFileEdits({ github, context, core, repoPath, dry }) {
-  const { dismissReviews, postReview } = require('./reviews.js')
-  const reviewKey = 'manual-file-edits'
-
-  const pull_number = context.payload.pull_request?.number
-  if (!pull_number) {
-    core.info('This is not a pull request. Skipping checks.')
-    return
-  }
-
-  const pr = (
-    await github.rest.pulls.get({
-      ...context.repo,
-      pull_number,
-    })
-  ).data
-
-  if (pr.user.login.endsWith('[bot]')) {
-    core.info('This is a bot, so these checks do not apply.')
-    return
-  }
-
-  const baseBranchType = classify(
-    pr.base.ref.replace(/^refs\/heads\//, ''),
-  ).type
-  const headBranchType = classify(
-    pr.head.ref.replace(/^refs\/heads\//, ''),
-  ).type
-
-  if (
-    baseBranchType.includes('development') &&
-    headBranchType.includes('development') &&
-    pr.base.repo.id === pr.head.repo?.id
-  ) {
-    // This matches, for example, PRs from NixOS:staging-next to NixOS:master, or vice versa.
-    // Ignore them: we should only care about PRs introducing *new* commits.
-    // We still want to run on PRs from, e.g., Someone:master to NixOS:master, though.
-    core.info(
-      'This PR is from one development branch to another. Skipping checks.',
-    )
-    return
-  }
-
-  const details = await getCommitDetailsForPR({ core, pr, repoPath })
-
-  if (
-    details.some(({ changedPaths }) =>
-      changedPaths.includes('maintainers/github-teams.json'),
-    )
-  ) {
-    postReview({
-      github,
-      context,
-      core,
-      dry,
-      event: 'REQUEST_CHANGES',
-      body: [
-        'maintainers/github-teams.json is supposed to accurately reflect the state of the teams in GitHub.\n',
-        'Therefore, it should not be edited manually.\n',
-        'All changes to teams listed in maintainers/github-teams.json should be performed in GitHub by a team maintainer.\n',
-        "Team maintainers are listed in the github-teams.json file and in GitHub's UI.\n",
-        'If there is no team maintainer available, an org owner can make the needed change, please contact one by',
-        'following the instructions at https://github.com/NixOS/org/blob/main/doc/github-org-owners.md#how-to-contact-the-team.\n',
-        'Thank you!',
-      ].reduce(
-        (prev, curr) => prev + (!prev || prev.endsWith('\n') ? '' : ' ') + curr,
-        '',
-      ),
-      reviewKey,
-    })
-  } else {
-    dismissReviews({
-      github,
-      context,
-      core,
-      dry,
-      reviewKey,
-    })
-  }
-}
-
-module.exports = checkManualFileEdits

ci/github-script/merge.js

@@ -46,17 +46,13 @@ function runChecklist({
       classify(pull_request.base.ref).type.includes('development'),
     'PR touches only files of packages in `pkgs/by-name/`.': allByName,
     'PR is at least one of:': {
-      'Approved by a [committer](https://github.com/orgs/NixOS/teams/nixpkgs-committers).':
-        committers.intersection(approvals).size > 0,
+      'Approved by a committer.': committers.intersection(approvals).size > 0,
       'Backported via label.':
         pull_request.user.login === 'nixpkgs-ci[bot]' &&
         pull_request.head.ref.startsWith('backport-'),
-      'Opened by a [committer](https://github.com/orgs/NixOS/teams/nixpkgs-committers).':
-        committers.has(pull_request.user.id),
-      'Opened by [@r-ryantm](https://nix-community.github.io/nixpkgs-update/r-ryantm/).':
-        pull_request.user.login === 'r-ryantm',
+      'Opened by a committer.': committers.has(pull_request.user.id),
+      'Opened by r-ryantm.': pull_request.user.login === 'r-ryantm',
     },
-    'PR is not a draft': !pull_request.draft,
   }
 
   if (user) {
@@ -66,9 +62,8 @@ function runChecklist({
     if (allByName) {
       // We can only determine the below, if all packages are in by-name, since
       // we can't reliably relate changed files to packages outside by-name.
-      checklist[
-        `${user.login} is a maintainer of all touched packages on the ${pull_request.base.ref} branch.`
-      ] = eligible.has(user.id)
+      checklist[`${user.login} is a maintainer of all touched packages.`] =
+        eligible.has(user.id)
     }
   } else {
     // This is only used when no user is passed, i.e. for labeling.
@@ -196,12 +191,11 @@ async function handleMerge({
         }`,
         { node_id: pull_request.node_id, sha: pull_request.head.sha },
       )
-      log('merge', 'Queued for merge')
       return [
         `:heavy_check_mark: [Queued](${resp.enqueuePullRequest.mergeQueueEntry.mergeQueue.url}) for merge (#306934)`,
       ]
     } catch (e) {
-      log('Enqueuing failed', e.response.errors[0].message)
+      log('Enqueing failed', e.response.errors[0].message)
     }
 
     // If required status checks are not satisfied, yet, the above will fail. In this case
@@ -218,7 +212,6 @@ async function handleMerge({
         }`,
         { node_id: pull_request.node_id, sha: pull_request.head.sha },
       )
-      log('merge', 'Auto-merge enabled')
       return [
         `:heavy_check_mark: Enabled Auto Merge (#306934)`,
         '',

ci/github-script/package-lock.json

@@ -4,107 +4,55 @@
   "requires": true,
   "packages": {
     "": {
-      "name": "github-script",
       "dependencies": {
-        "@actions/artifact": "6.2.1",
-        "@actions/core": "1.10.1",
-        "@actions/github": "9.1.0",
+        "@actions/artifact": "5.0.3",
+        "@actions/core": "1.11.1",
+        "@actions/github": "6.0.1",
         "bottleneck": "2.19.5",
         "commander": "14.0.3"
       }
     },
     "node_modules/@actions/artifact": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/artifact/-/artifact-6.2.1.tgz",
-      "integrity": "sha512-sJGH0mhEbEjBCw7o6SaLhUU66u27aFW8HTfkIb5Tk2/Wy0caUDc+oYQEgnuFN7a0HCpAbQyK0U6U7XUJDgDWrw==",
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/artifact/-/artifact-5.0.3.tgz",
+      "integrity": "sha512-FIEG8Kum0wABZnktJvFi1xuVPc31xrunhZwLCvjrCGISQOm0ifyo7cjqf6PHiEeqoWMa5HIGOsB+lGM4aKCseA==",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^3.0.0",
-        "@actions/github": "^9.0.0",
-        "@actions/http-client": "^4.0.0",
-        "@azure/storage-blob": "^12.30.0",
-        "@octokit/core": "^7.0.6",
-        "@octokit/plugin-request-log": "^6.0.0",
-        "@octokit/plugin-retry": "^8.0.0",
-        "@octokit/request": "^10.0.7",
-        "@octokit/request-error": "^7.1.0",
+        "@actions/core": "^2.0.0",
+        "@actions/github": "^6.0.1",
+        "@actions/http-client": "^3.0.2",
+        "@azure/storage-blob": "^12.29.1",
+        "@octokit/core": "^5.2.1",
+        "@octokit/plugin-request-log": "^1.0.4",
+        "@octokit/plugin-retry": "^3.0.9",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
         "@protobuf-ts/plugin": "^2.2.3-alpha.1",
-        "@protobuf-ts/runtime": "^2.9.4",
         "archiver": "^7.0.1",
-        "jwt-decode": "^4.0.0",
+        "jwt-decode": "^3.1.2",
         "unzip-stream": "^0.3.1"
       }
     },
     "node_modules/@actions/artifact/node_modules/@actions/core": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.1.tgz",
-      "integrity": "sha512-a6d/Nwahm9fliVGRhdhofo40HjHQasUPusmc7vBfyky+7Z+P2A1J68zyFVaNcEclc/Se+eO595oAr5nwEIoIUA==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-2.0.3.tgz",
+      "integrity": "sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==",
       "license": "MIT",
       "dependencies": {
-        "@actions/exec": "^3.0.0",
-        "@actions/http-client": "^4.0.0"
+        "@actions/exec": "^2.0.0",
+        "@actions/http-client": "^3.0.2"
       }
     },
     "node_modules/@actions/artifact/node_modules/@actions/exec": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
-      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz",
+      "integrity": "sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==",
       "license": "MIT",
       "dependencies": {
-        "@actions/io": "^3.0.2"
+        "@actions/io": "^2.0.0"
       }
     },
     "node_modules/@actions/artifact/node_modules/@actions/http-client": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.1.tgz",
-      "integrity": "sha512-+Nvd1ImaOZBSoPbsUtEhv+1z99H12xzncCkz0a3RuehINE81FZSe2QTj3uvAPTcJX/SCzUQHQ0D1GrPMbrPitg==",
-      "license": "MIT",
-      "dependencies": {
-        "tunnel": "^0.0.6",
-        "undici": "^6.23.0"
-      }
-    },
-    "node_modules/@actions/artifact/node_modules/@actions/io": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
-      "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
-      "license": "MIT"
-    },
-    "node_modules/@actions/artifact/node_modules/undici": {
-      "version": "6.25.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
-      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.17"
-      }
-    },
-    "node_modules/@actions/core": {
-      "version": "1.10.1",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz",
-      "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==",
-      "license": "MIT",
-      "dependencies": {
-        "@actions/http-client": "^2.0.1",
-        "uuid": "^8.3.2"
-      }
-    },
-    "node_modules/@actions/github": {
-      "version": "9.1.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-9.1.0.tgz",
-      "integrity": "sha512-u0hDGQeCS+7VNoLA8hYG65RLdPLMaPGfka0sZ0up7P0AiShqfX6xcuXNteGkQ7X7Tod7AMNwHd4p7DS63i8zzA==",
-      "license": "MIT",
-      "dependencies": {
-        "@actions/http-client": "^3.0.2",
-        "@octokit/core": "^7.0.6",
-        "@octokit/plugin-paginate-rest": "^14.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
-        "@octokit/request": "^10.0.7",
-        "@octokit/request-error": "^7.1.0",
-        "undici": "^6.23.0"
-      }
-    },
-    "node_modules/@actions/github/node_modules/@actions/http-client": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
       "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
@@ -114,15 +62,115 @@
         "undici": "^6.23.0"
       }
     },
-    "node_modules/@actions/github/node_modules/undici": {
-      "version": "6.25.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
-      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
+    "node_modules/@actions/artifact/node_modules/@actions/io": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
+      "integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/artifact/node_modules/undici": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
+      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
       "license": "MIT",
       "engines": {
         "node": ">=18.17"
       }
     },
+    "node_modules/@actions/core": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
+      "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/exec": "^1.1.1",
+        "@actions/http-client": "^2.0.1"
+      }
+    },
+    "node_modules/@actions/exec": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/io": "^1.0.1"
+      }
+    },
+    "node_modules/@actions/github": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.1.tgz",
+      "integrity": "sha512-xbZVcaqD4XnQAe35qSQqskb3SqIAfRyLBrHMd/8TuL7hJSz2QtbDwnNM8zWx4zO5l2fnGtseNE3MbEvD7BxVMw==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/http-client": "^2.2.0",
+        "@octokit/core": "^5.0.1",
+        "@octokit/plugin-paginate-rest": "^9.2.2",
+        "@octokit/plugin-rest-endpoint-methods": "^10.4.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "undici": "^5.28.5"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-9.2.2.tgz",
+      "integrity": "sha512-u3KYkGF7GcZnSD/3UP0S7K5XUFT2FkOQdcfXZGZQPGv3lm4F2Xbf71lvjldr8c1H3nNbF+33cLEkWYbokGWqiQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/types": "^12.6.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@octokit/core": "5"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/node_modules/@octokit/openapi-types": {
+      "version": "20.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-20.0.0.tgz",
+      "integrity": "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-paginate-rest/node_modules/@octokit/types": {
+      "version": "12.6.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.6.0.tgz",
+      "integrity": "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^20.0.0"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods": {
+      "version": "10.4.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.4.1.tgz",
+      "integrity": "sha512-xV1b+ceKV9KytQe3zCVqjg+8GTGfDYwaT1ATU5isiUyVtlVAO3HNdzpS4sr4GBx4hxQ46s7ITtZrAsxG22+rVg==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/types": "^12.6.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@octokit/core": "5"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/node_modules/@octokit/openapi-types": {
+      "version": "20.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-20.0.0.tgz",
+      "integrity": "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/github/node_modules/@octokit/plugin-rest-endpoint-methods/node_modules/@octokit/types": {
+      "version": "12.6.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.6.0.tgz",
+      "integrity": "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^20.0.0"
+      }
+    },
     "node_modules/@actions/http-client": {
       "version": "2.2.3",
       "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
@@ -133,6 +181,12 @@
         "undici": "^5.25.4"
       }
     },
+    "node_modules/@actions/io": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
+      "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
+      "license": "MIT"
+    },
     "node_modules/@azure/abort-controller": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/@azure/abort-controller/-/abort-controller-2.1.2.tgz",
@@ -164,6 +218,7 @@
       "resolved": "https://registry.npmjs.org/@azure/core-client/-/core-client-1.10.1.tgz",
       "integrity": "sha512-Nh5PhEOeY6PrnxNPsEHRr9eimxLwgLlpmguQaHKBinFYA/RU9+kOYVOQqOrTsCL+KSxrLLl1gD8Dk5BFW/7l/w==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@azure/abort-controller": "^2.1.2",
         "@azure/core-auth": "^1.10.0",
@@ -225,6 +280,7 @@
       "resolved": "https://registry.npmjs.org/@azure/core-rest-pipeline/-/core-rest-pipeline-1.22.2.tgz",
       "integrity": "sha512-MzHym+wOi8CLUlKCQu12de0nwcq9k9Kuv43j4Wa++CsCpJwps2eeBQwD2Bu8snkxTtDKDx4GwjuR9E8yC8LNrg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@azure/abort-controller": "^2.1.2",
         "@azure/core-auth": "^1.10.0",
@@ -391,174 +447,197 @@
         "node": ">=12"
       }
     },
-    "node_modules/@nodable/entities": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.0.tgz",
-      "integrity": "sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/nodable"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/@octokit/auth-token": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
-      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
+      "integrity": "sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==",
       "license": "MIT",
       "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
       }
     },
     "node_modules/@octokit/core": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
-      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
+      "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
-        "@octokit/auth-token": "^6.0.0",
-        "@octokit/graphql": "^9.0.3",
-        "@octokit/request": "^10.0.6",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "before-after-hook": "^4.0.0",
-        "universal-user-agent": "^7.0.0"
+        "@octokit/auth-token": "^4.0.0",
+        "@octokit/graphql": "^7.1.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "@octokit/types": "^13.0.0",
+        "before-after-hook": "^2.2.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/core/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/core/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
     "node_modules/@octokit/endpoint": {
-      "version": "11.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.3.tgz",
-      "integrity": "sha512-FWFlNxghg4HrXkD3ifYbS/IdL/mDHjh9QcsNyhQjN8dplUoZbejsdpmuqdA76nxj2xoWPs7p8uX2SNr9rYu0Ag==",
+      "version": "9.0.6",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
+      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/endpoint/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/endpoint/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
     "node_modules/@octokit/graphql": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
-      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
+      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/request": "^10.0.6",
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.0"
+        "@octokit/request": "^8.4.1",
+        "@octokit/types": "^13.0.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/graphql/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/graphql/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
     "node_modules/@octokit/openapi-types": {
-      "version": "27.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
-      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
+      "version": "12.11.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz",
+      "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ==",
       "license": "MIT"
     },
-    "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
-      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
     "node_modules/@octokit/plugin-request-log": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-request-log/-/plugin-request-log-6.0.0.tgz",
-      "integrity": "sha512-UkOzeEN3W91/eBq9sPZNQ7sUBvYCqYbrrD8gTbBuGtHEuycE4/awMXcYvx6sVYo7LypPhmQwwpUe4Yyu4QZN5Q==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-request-log/-/plugin-request-log-1.0.4.tgz",
+      "integrity": "sha512-mLUsMkgP7K/cnFEw07kWqXGF5LKrOkD+lhCrKvPHXWDywAwuDUeDwWBpc69XK3pNX0uKiVt8g5z96PJ6z9xCFA==",
       "license": "MIT",
-      "engines": {
-        "node": ">= 20"
-      },
       "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "17.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
-      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
+        "@octokit/core": ">=3"
       }
     },
     "node_modules/@octokit/plugin-retry": {
-      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-8.1.0.tgz",
-      "integrity": "sha512-O1FZgXeiGb2sowEr/hYTr6YunGdSAFWnr2fyW39Ah85H8O33ELASQxcvOFF5LE6Tjekcyu2ms4qAzJVhSaJxTw==",
+      "version": "3.0.9",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-3.0.9.tgz",
+      "integrity": "sha512-r+fArdP5+TG6l1Rv/C9hVoty6tldw6cE2pRHNGmFPdyfrc696R6JjrQ3d7HdVqGwuzfyrcaLAKD7K8TX8aehUQ==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
+        "@octokit/types": "^6.0.3",
         "bottleneck": "^2.15.3"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=7"
       }
     },
     "node_modules/@octokit/request": {
-      "version": "10.0.9",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.9.tgz",
-      "integrity": "sha512-o8Bi3f608eyM+7BmBiUWxFsdjLb3/ym1cQek5LZOv9KkZcxRrHCPhhRzm6xjO6HVZ85ItD6+sTsjxo821SVa/A==",
+      "version": "8.4.1",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.1.tgz",
+      "integrity": "sha512-qnB2+SY3hkCmBxZsR/MPCybNmbJe4KAlfWErXq+rBKkQJlbjdJeS85VI9r8UqeLYLvnAenU8Q1okM/0MBsAGXw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/endpoint": "^11.0.3",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "content-type": "^2.0.0",
-        "fast-content-type-parse": "^3.0.0",
-        "json-with-bigint": "^3.5.3",
-        "universal-user-agent": "^7.0.2"
+        "@octokit/endpoint": "^9.0.6",
+        "@octokit/request-error": "^5.1.1",
+        "@octokit/types": "^13.1.0",
+        "universal-user-agent": "^6.0.0"
       },
       "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
       }
     },
     "node_modules/@octokit/request-error": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
-      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.1.tgz",
+      "integrity": "sha512-v9iyEQJH6ZntoENr9/yXxjuezh4My67CBSu9r6Ve/05Iu5gNgnisNWOsoJHTP6k0Rr0+HQIpnH+kyammu90q/g==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^16.0.0"
+        "@octokit/types": "^13.1.0",
+        "deprecation": "^2.0.0",
+        "once": "^1.4.0"
       },
       "engines": {
-        "node": ">= 20"
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/request-error/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
+      }
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/openapi-types": {
+      "version": "24.2.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-24.2.0.tgz",
+      "integrity": "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg==",
+      "license": "MIT"
+    },
+    "node_modules/@octokit/request/node_modules/@octokit/types": {
+      "version": "13.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.10.0.tgz",
+      "integrity": "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA==",
+      "license": "MIT",
+      "dependencies": {
+        "@octokit/openapi-types": "^24.2.0"
       }
     },
     "node_modules/@octokit/types": {
-      "version": "16.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
-      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
+      "version": "6.41.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz",
+      "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^27.0.0"
+        "@octokit/openapi-types": "^12.11.0"
       }
     },
     "node_modules/@pkgjs/parseargs": {
@@ -766,9 +845,9 @@
       "license": "MIT"
     },
     "node_modules/before-after-hook": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
-      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
+      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==",
       "license": "Apache-2.0"
     },
     "node_modules/binary": {
@@ -791,9 +870,9 @@
       "license": "MIT"
     },
     "node_modules/brace-expansion": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
-      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -895,19 +974,6 @@
         "node": ">= 14"
       }
     },
-    "node_modules/content-type": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-2.0.0.tgz",
-      "integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
     "node_modules/core-util-is": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
@@ -970,6 +1036,12 @@
         }
       }
     },
+    "node_modules/deprecation": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
+      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==",
+      "license": "ISC"
+    },
     "node_modules/eastasianwidth": {
       "version": "0.2.0",
       "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
@@ -1000,48 +1072,16 @@
         "node": ">=0.8.x"
       }
     },
-    "node_modules/fast-content-type-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-3.0.0.tgz",
-      "integrity": "sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/fastify"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fastify"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/fast-fifo": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/fast-fifo/-/fast-fifo-1.3.2.tgz",
       "integrity": "sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ==",
       "license": "MIT"
     },
-    "node_modules/fast-xml-builder": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz",
-      "integrity": "sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "path-expression-matcher": "^1.5.0",
-        "xml-naming": "^0.1.0"
-      }
-    },
     "node_modules/fast-xml-parser": {
-      "version": "5.8.0",
-      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.8.0.tgz",
-      "integrity": "sha512-6bIM7fsJxeo3uXv7OncQYsBAMPJ7V16Slahl/6M98C/i2q+vB1+4a0MtrvYwDFEUrwDSbAmeLDRXsOBwrL7yAg==",
+      "version": "5.3.6",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz",
+      "integrity": "sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==",
       "funding": [
         {
           "type": "github",
@@ -1050,11 +1090,7 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "@nodable/entities": "^2.1.0",
-        "fast-xml-builder": "^1.2.0",
-        "path-expression-matcher": "^1.5.0",
-        "strnum": "^2.3.0",
-        "xml-naming": "^0.1.0"
+        "strnum": "^2.1.2"
       },
       "bin": {
         "fxparser": "src/cli/cli.js"
@@ -1203,20 +1239,11 @@
         "@pkgjs/parseargs": "^0.11.0"
       }
     },
-    "node_modules/json-with-bigint": {
-      "version": "3.5.8",
-      "resolved": "https://registry.npmjs.org/json-with-bigint/-/json-with-bigint-3.5.8.tgz",
-      "integrity": "sha512-eq/4KP6K34kwa7TcFdtvnftvHCD9KvHOGGICWwMFc4dOOKF5t4iYqnfLK8otCRCRv06FXOzGGyqE8h8ElMvvdw==",
-      "license": "MIT"
-    },
     "node_modules/jwt-decode": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz",
-      "integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      }
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-3.1.2.tgz",
+      "integrity": "sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A==",
+      "license": "MIT"
     },
     "node_modules/lazystream": {
       "version": "1.0.1",
@@ -1261,9 +1288,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "version": "4.17.23",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
+      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
       "license": "MIT"
     },
     "node_modules/lru-cache": {
@@ -1273,12 +1300,12 @@
       "license": "ISC"
     },
     "node_modules/minimatch": {
-      "version": "9.0.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
-      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.2"
+        "brace-expansion": "^2.0.1"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -1332,27 +1359,21 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "license": "ISC",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
     "node_modules/package-json-from-dist": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
       "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
       "license": "BlueOak-1.0.0"
     },
-    "node_modules/path-expression-matcher": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz",
-      "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
     "node_modules/path-key": {
       "version": "3.1.1",
       "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
@@ -1419,9 +1440,9 @@
       }
     },
     "node_modules/readdir-glob/node_modules/minimatch": {
-      "version": "5.1.9",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.9.tgz",
-      "integrity": "sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==",
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
+      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
       "license": "ISC",
       "dependencies": {
         "brace-expansion": "^2.0.1"
@@ -1602,9 +1623,9 @@
       }
     },
     "node_modules/strnum": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.3.0.tgz",
-      "integrity": "sha512-ums3KNd42PGyx5xaoVTO1mjU1bH3NpY4vsrVlnv9PNGqQj8wd7rJ6nEypLrJ7z5vxK5RP0yMLo6J/Gsm62DI5Q==",
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.2.tgz",
+      "integrity": "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ==",
       "funding": [
         {
           "type": "github",
@@ -1662,6 +1683,7 @@
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.10.tgz",
       "integrity": "sha512-w6fIxVE/H1PkLKcCPsFqKE7Kv7QUwhU8qQY2MueZXWx5cPZdwFupLgKK3vntcK98BtNHZtAF4LA/yl2a7k8R6Q==",
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -1683,9 +1705,9 @@
       }
     },
     "node_modules/universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
+      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==",
       "license": "ISC"
     },
     "node_modules/unzip-stream": {
@@ -1704,16 +1726,6 @@
       "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
       "license": "MIT"
     },
-    "node_modules/uuid": {
-      "version": "8.3.2",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
-      "deprecated": "uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).",
-      "license": "MIT",
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
-    },
     "node_modules/which": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
@@ -1820,20 +1832,11 @@
         "node": ">=8"
       }
     },
-    "node_modules/xml-naming": {
-      "version": "0.1.0",
-      "resolved": "https://registry.npmjs.org/xml-naming/-/xml-naming-0.1.0.tgz",
-      "integrity": "sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/NaturalIntelligence"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": ">=16.0.0"
-      }
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "license": "ISC"
     },
     "node_modules/zip-stream": {
       "version": "6.0.1",

ci/github-script/package.json

@@ -7,9 +7,9 @@
     "`.github/workflows/bot.yml`."
   ],
   "dependencies": {
-    "@actions/artifact": "6.2.1",
-    "@actions/core": "1.10.1",
-    "@actions/github": "9.1.0",
+    "@actions/artifact": "5.0.3",
+    "@actions/core": "1.11.1",
+    "@actions/github": "6.0.1",
     "bottleneck": "2.19.5",
     "commander": "14.0.3"
   }

ci/github-script/prepare.js

@@ -1,7 +1,6 @@
 const { classify } = require('../supportedBranches.js')
 const { postReview, dismissReviews } = require('./reviews.js')
 const reviewKey = 'prepare'
-const supportedSystems = require('./supportedSystems.js')
 
 module.exports = async ({ github, context, core, dry }) => {
   const pull_number = context.payload.pull_request.number
@@ -172,20 +171,14 @@ module.exports = async ({ github, context, core, dry }) => {
           '  ```',
         ].join('\n')
 
-        await postReview({
-          github,
-          context,
-          core,
-          dry,
-          body,
-          event: 'REQUEST_CHANGES',
-          reviewKey,
-        })
-      } else {
-        await dismissReviews({ github, context, core, dry, reviewKey })
+        await postReview({ github, context, core, dry, body, reviewKey })
+
+        throw new Error(`The PR contains commits from a different base.`)
       }
     }
 
+    await dismissReviews({ github, context, core, dry, reviewKey })
+
     let mergedSha, targetSha
 
     if (prInfo.mergeable) {
@@ -216,8 +209,7 @@ module.exports = async ({ github, context, core, dry }) => {
     core.setOutput('mergedSha', mergedSha)
     core.setOutput('targetSha', targetSha)
 
-    const systems = await supportedSystems({ github, context, targetSha })
-    core.setOutput('systems', systems)
+    core.setOutput('systems', require('../supportedSystems.json'))
 
     const files = (
       await github.paginate(github.rest.pulls.listFiles, {

ci/github-script/reviews.js

@@ -5,28 +5,10 @@ const eventToState = {
   REQUEST_CHANGES: 'CHANGES_REQUESTED',
 }
 
-// Use substring checks in order to allow testing in forks
-// Usernames must also end in "[bot]"
-const reviewUsers = [
-  'github-actions',
-  'nixpkgs-ci',
-  'branch-check',
-  'commit-check',
-  'manual-edit',
-]
-
-/**
- * @typedef {InstanceType<import('@actions/github/lib/utils').GitHub>} GitHub
- * @typedef {typeof import('@actions/github').context} Context
- *
- * @typedef {Awaited<ReturnType<GitHub['rest']['pulls']['listReviews']>>['data'][number]} Review
- * @typedef {Review & { user: NonNullable<Review['user']> }} ReviewWithNonNullUser
- */
-
 /**
  * @param {{
- *  github: GitHub,
- *  context: Context,
+ *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
+ *  context: import('@actions/github/lib/context').Context,
  *  core: import('@actions/core'),
  *  dry: boolean,
  *  reviewKey?: string,
@@ -43,32 +25,18 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
     return
   }
 
-  const allReviews = await github.paginate(github.rest.pulls.listReviews, {
-    ...context.repo,
-    pull_number,
-  })
-
-  const reviews = /** @type {ReviewWithNonNullUser[]} */ (
-    allReviews.filter(
-      (review) =>
-        review.user &&
-        review.state !== 'DISMISSED' &&
-        review.user.login.endsWith('[bot]') &&
-        reviewUsers.some((substr) => review.user?.login.includes(substr)),
-    )
+  const reviews = (
+    await github.paginate(github.rest.pulls.listReviews, {
+      ...context.repo,
+      pull_number,
+    })
+  ).filter(
+    (review) =>
+      review.user?.login === 'github-actions[bot]' &&
+      review.state !== 'DISMISSED',
   )
-
-  const reviewsByUser = reviews.reduce(
-    (prev, curr) => {
-      if (!(curr.user.login in prev)) {
-        prev[curr.user.login] = []
-      }
-
-      prev[curr.user.login].push(curr)
-
-      return prev
-    },
-    /** @type {Record<string, ReviewWithNonNullUser[]> } */ ({}),
+  const changesRequestedReviews = reviews.filter(
+    (review) => review.state === 'CHANGES_REQUESTED',
   )
 
   const commentRegex = new RegExp(
@@ -82,8 +50,8 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
   )
 
   let reviewsToMinimize = reviews
-  const /** @type {ReviewWithNonNullUser[]} */ reviewsToDismiss = []
-  const /** @type {ReviewWithNonNullUser[]} */ reviewsToResolve = []
+  let /** @type {typeof reviews} */ reviewsToDismiss = []
+  let /** @type {typeof reviews} */ reviewsToResolve = []
 
   if (reviewKey && reviews.every((review) => commentRegex.test(review.body))) {
     reviewsToMinimize = reviews.filter((review) =>
@@ -91,39 +59,29 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
     )
   }
 
-  for (const reviewsForUser of Object.values(reviewsByUser)) {
-    // Make sure that we don't dismiss all reviews by a user if they
-    // have any reviews we don't want to dismiss.
-    if (
-      reviewsForUser.every(
-        (review) =>
-          commentResolvedRegex.test(review.body) ||
-          (reviewKey && reviewKeyRegex.test(review.body)) ||
-          // If we are called by check-commits and the review body is clearly
-          // from `commits.js`, then we can safely dismiss the review.
-          // This helps with pre-existing reviews (before the comments were added).
-          (reviewKey &&
-            reviewKey === 'check-commits' &&
-            review.body.includes('PR / Check / cherry-pick')),
-      )
-    ) {
-      reviewsToDismiss.push(
-        ...reviewsForUser.filter(
-          (review) => review.state === 'CHANGES_REQUESTED',
-        ),
-      )
-    } else {
-      reviewsToResolve.push(
-        ...reviewsForUser.filter(
-          (review) =>
-            review.state === 'CHANGES_REQUESTED' &&
-            !commentResolvedRegex.test(review.body) &&
-            reviewsToMinimize.some(
-              (toMinimize) => toMinimize.node_id === review.node_id,
-            ),
-        ),
-      )
-    }
+  // If we want to dismiss all reviews with the key reviewKey,
+  // but there are other requested changes from CI, we can't dismiss,
+  // because then the other requested changes will be dismissed too.
+  if (
+    changesRequestedReviews.every(
+      (review) =>
+        commentResolvedRegex.test(review.body) ||
+        (reviewKey && reviewKeyRegex.test(review.body)) ||
+        // If we are called by check-commits and the review body is clearly
+        // from `commits.js`, then we can safely dismiss the review.
+        // This helps with pre-existing reviews (before the comments were added).
+        (reviewKey &&
+          reviewKey === 'check-commits' &&
+          review.body.includes('PR / Check / cherry-pick')),
+    )
+  ) {
+    reviewsToDismiss = changesRequestedReviews
+  } else if (reviewsToMinimize.length) {
+    reviewsToResolve = reviewsToMinimize.filter(
+      (review) =>
+        review.state === 'CHANGES_REQUESTED' &&
+        !commentResolvedRegex.test(review.body),
+    )
   }
 
   await Promise.all([
@@ -163,8 +121,8 @@ async function dismissReviews({ github, context, core, dry, reviewKey }) {
 
 /**
  * @param {{
- *  github: GitHub,
- *  context: Context,
+ *  github: InstanceType<import('@actions/github/lib/utils').GitHub>,
+ *  context: import('@actions/github/lib/context').Context
  *  core: import('@actions/core'),
  *  dry: boolean,
  *  body: string,
@@ -200,13 +158,11 @@ async function postReview({
     })
   ).filter(
     (review) =>
-      review.user &&
-      review.state !== 'DISMISSED' &&
-      review.user.login.endsWith('[bot]') &&
-      reviewUsers.some((substr) => review.user?.login.includes(substr)),
+      review.user?.login === 'github-actions[bot]' &&
+      review.state !== 'DISMISSED',
   )
 
-  /** @type {null | Review} */
+  /** @type {null | typeof reviews[number]} */
   let pendingReview
   const matchingReviews = reviews.filter((review) =>
     reviewKeyRegex.test(review.body),

ci/github-script/run

@@ -116,15 +116,4 @@ program
     await run(checkCommitMessages, owner, repo, pr, options)
   })
 
-program
-  .command('manual-file-edits')
-  .description("Error when files that shouldn't be edited manually are")
-  .argument('<owner>', 'Owner of the GitHub repository to run on (Example: NixOS)')
-  .argument('<repo>', 'Name of the GitHub repository to run on (Example: nixpkgs)')
-  .argument('<pr>', 'Number of the Pull Request to run on')
-  .action(async (owner, repo, pr, options) => {
-    const checkManualFileEdits = (await import('./manual-file-edits.js')).default
-    await run(checkManualFileEdits, owner, repo, pr, options)
-  })
-
 await program.parse()

ci/github-script/supportedSystems.js

@@ -1,10 +0,0 @@
-module.exports = async ({ github, context, targetSha }) => {
-  const { content, encoding } = (
-    await github.rest.repos.getContent({
-      ...context.repo,
-      path: 'pkgs/top-level/release-supported-systems.json',
-      ref: targetSha,
-    })
-  ).data
-  return JSON.parse(Buffer.from(content, encoding).toString())
-}

ci/parse.nix

@@ -28,14 +28,7 @@ runCommand "nix-parse-${nix.name}"
     # the other CI jobs will report in more detail. This job is about checking parsing
     # across different implementations / versions, not about providing the best DX.
     # Returning all parse errors requires significantly more resources.
-
-    find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse 2>&1 >/dev/null | {
-      # Also fail on (deprecation) warnings printed to stderr.
-      if grep "warning"; then
-        echo "Failing due to warnings in stderr" >&2
-        exit 1
-      fi
-    }
+    find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse >/dev/null
 
     touch $out
   ''

ci/pinned.json

@@ -9,9 +9,9 @@
       },
       "branch": "nixpkgs-unstable",
       "submodules": false,
-      "revision": "02f3fa0374fa13707d42d55d58ecc76b091f223c",
-      "url": "https://github.com/NixOS/nixpkgs/archive/02f3fa0374fa13707d42d55d58ecc76b091f223c.tar.gz",
-      "hash": "0z8d33c5g0gk9a74ppqq77npisf9xx9c8ai9isxa2hyjx4lv1pki"
+      "revision": "bde09022887110deb780067364a0818e89258968",
+      "url": "https://github.com/NixOS/nixpkgs/archive/bde09022887110deb780067364a0818e89258968.tar.gz",
+      "hash": "13mi187zpa4rw680qbwp7pmykjia8cra3nwvjqmsjba3qhlzif5l"
     },
     "treefmt-nix": {
       "type": "Git",
@@ -22,9 +22,9 @@
       },
       "branch": "main",
       "submodules": false,
-      "revision": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
-      "url": "https://github.com/numtide/treefmt-nix/archive/790751ff7fd3801feeaf96d7dc416a8d581265ba.tar.gz",
-      "hash": "1zah3dmbpn3ap5acg22kq1j19dg32gj73l43yamjcxhc38sv9kd5"
+      "revision": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
+      "url": "https://github.com/numtide/treefmt-nix/archive/e96d59dff5c0d7fddb9d113ba108f03c3ef99eca.tar.gz",
+      "hash": "02gqyxila3ghw8gifq3mns639x86jcq079kvfvjm42mibx7z5fzb"
     }
   },
   "version": 5

doc/README.md

@@ -217,38 +217,6 @@ Not everything has been migrated to this format yet.
 Please always use it for new content.
 When changing existing content, update formatting if possible, but avoid excessive diffs.
 
-### Examples first
-
-Readers look at examples first: an example communicates what something does faster than a description.
-Put examples before detailed explanations.
-
-Prefer this structure for each documented item:
-
-1. Title
-2. Abstract (optional, one sentence max, the example often speaks for itself)
-3. Example
-4. Explanation (details, edge cases, types, defaults)
-
-For instance:
-
-````markdown
-## `lib.toUpper`
-
-Converts all characters in a string to uppercase.
-
-:::{.example #ex-lib-toUpper}
-# Converting a string to uppercase
-```nix
-lib.toUpper "hello"
-=> "HELLO"
-```
-
-:::
-
-Only acts on ASCII characters.
-Unicode characters are passed through unchanged.
-````
-
 ### Writing Function Documentation
 
 Function documentation is *reference documentation*, for which

doc/build-helpers/fetchers.chapter.md

@@ -920,14 +920,14 @@ respectively. Otherwise, the fetcher uses `fetchzip`.
 
 This is used with Radicle repositories. The arguments expected are similar to `fetchgit`.
 
-Requires a `seed` argument (e.g. `seed.radicle.dev` or `rosa.radicle.network`) and a `repo` argument
+Requires a `seed` argument (e.g. `seed.radicle.xyz` or `rosa.radicle.xyz`) and a `repo` argument
 (the repository id *without* the `rad:` prefix). Also accepts an optional `node` argument which
 contains the id of the node from which to fetch the specified ref. If `node` is `null` (the
 default), a canonical ref is fetched instead.
 
 ```nix
 fetchFromRadicle {
-  seed = "seed.radicle.dev";
+  seed = "seed.radicle.xyz";
   repo = "z3gqcJUoA1n9HaHKufZs5FCSGazv5"; # heartwood
   tag = "releases/1.3.0";
   hash = "sha256-4o88BWKGGOjCIQy7anvzbA/kPOO+ZsLMzXJhE61odjw=";
@@ -942,7 +942,7 @@ contains the full revision id of the Radicle patch to fetch.
 
 ```nix
 fetchRadiclePatch {
-  seed = "rosa.radicle.network";
+  seed = "rosa.radicle.xyz";
   repo = "z4V1sjrXqjvFdnCUbxPFqd5p4DtH5"; # radicle-explorer
   revision = "d97d872386c70607beda2fb3fc2e60449e0f4ce4"; # patch: d77e064
   hash = "sha256-ttnNqj0lhlSP6BGzEhhUOejKkkPruM9yMwA5p9Di4bk=";
@@ -1003,27 +1003,3 @@ fetchtorrent {
 
 - `config`: When using `transmission` as the `backend`, a json configuration can
   be supplied to transmission. Refer to the [upstream documentation](https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md) for information on how to configure.
-
-## `fetchItchIo` {#fetchitchio}
-
-`fetchItchIo` is a fetcher for downloading game assets from [itch.io](https://itch.io/). It accepts these arguments:
-
-- `gameUrl`: The store page URL of the game.
-- `upload`: The numerical ID of the asset to download. To find the upload ID of an asset, check the basename of the request URL when you download the asset using a browser.
-- `hash`.
-- `name` (optional): The derivation name, often the filename of the asset.
-- `extraMessage` (optional): Extra message printed if the API key is not provided or if the account did not purchase the game.
-
-For this fetcher to work, the environment variable `NIX_ITCHIO_API_KEY` must be set for the nix building process (which is nix-daemon in multi-user mode), and it must belong to an account that has bought the game if it is behind a paywall.
-To get your API key, go to the ["API key" section](https://itch.io/user/settings/api-keys) of your account settings on itch.io.
-
-```nix
-{ fetchItchIo }:
-
-fetchItchIo {
-  name = "DungeonDuelMonsters-linux-x64.zip";
-  hash = "sha256-gq2nGwpaStqaVI1pL63xygxOI/z53o+zLwiKizG98Ks=";
-  gameUrl = "https://mikaygo.itch.io/ddm";
-  upload = "13371354";
-}
-```

doc/build-helpers/special.md

@@ -3,7 +3,6 @@
 This chapter describes several special build helpers.
 
 ```{=include=} sections
-special/buildenv.section.md
 special/fakenss.section.md
 special/fhs-environments.section.md
 special/makesetuphook.section.md

doc/build-helpers/special/buildenv.section.md

@@ -1,101 +0,0 @@
-# buildEnv {#sec-buildEnv}
-
-`buildEnv` constructs a derivation containing directories and symbolic links, which resembles the profile layout where a list of derivations or store paths are installed.
-
-Unlike [`symlinkJoin`](#trivial-builder-symlinkJoin), `buildEnv` takes special care of the outputs to link and checks for content collisions across the paths by default.
-A common use case for `buildEnv` is constructing environment wrappers, such as an interpreter with modules or a program with extensions.
-For example, [`python.withPackage`](#attributes-on-interpreters-packages) is based on `buildEnv`.
-
-## Arguments {#sec-buildEnv-arguments}
-
-`buildEnv` takes [fixed-point arguments (`buildEnv (finalAttrs: { })`)](#chap-build-helpers-finalAttrs) as well as a plain attribute set.
-
-Unless otherwise noted, arguments can be overridden directly using [`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs).
-
-`buildEnv` enforces [structured attributes (`{ __structuredAttrs = true; }`)](https://nix.dev/manual/nix/2.18/language/advanced-attributes.html#adv-attr-structuredAttrs).
-
-- `name` or `pname` and `version` (required):
-    The name of the environment.
-
-- `paths` (required):
-    The derivations or store paths to symlink ("install").
-
-    The elements can be any path-like object that string-interpolates to a store path.
-    The priority of each path is taken from `<path>.meta.priority` and falls back to `lib.meta.defaultPriority` if not set.
-
-    The argument `paths` is passed as attribute `passthru.paths` to prevent unexpected context pollution.
-    `passthru.paths` can be overridden with `<pkg>.overrideAttrs`.
-
--   `extraOutputsToInstall` (default to `[ ]`):
-    Package outputs to include in addition to what `meta.outputsToInstall` specifies.
-
--   `includeClosures` (default to `false`):
-    Whether to include closures of all input paths.
-    The list of the closure paths are constructed with `writeClosure`.
-    They are installed with lower priority and with build-time exceptions silenced.
-
--   `extraPrefix` (default to `""`):
-    Root the result in directory `"$out${extraPrefix}"`, e.g. `"/share"`.
-
--   `ignoreCollisions` (default: `false`):
-    Don't fail the build upon content collisions.
-
--   `checkCollisionContents` (default: `true`):
-    If there is a collision, check whether the contents and permissions match; and only if not, throw a collision error.
-
--   `ignoreSingleFileOutputs` (default: `false`):
-    Don't fail the build upon single-file outputs.
-
--   `manifest` (default: `""`):
-    The manifest file (if any). A symlink `$out/manifest` will be created to it.
-
--   `pathsToLink` (default: `[ "/" ]`):
-    The paths (relative to each element of `paths`) that we want to symlink (e.g., `["/bin"]`).
-    Any file outside the directories in this list won't be symlinked into the produced environment.
-
--   `postBuild` (default: `""`):
-    Shell commands to run after building the symlink tree.
-
--   `passthru` and `meta` (default: `{ }`):
-    `stdenv.mkDerivation`-supported attributes not passing down to `builtins.derivation`.
-
--   `derivationArgs` (default: `{ }`):
-    Additional `stdenv.mkDerivation` arguments, such as `nativeBuildInputs`/`buildInputs` for `postBuild` dependencies and setup hooks.
-
-    `derivationArgs` is not passed down to `stdenv.mkDerivation`.
-    Override its attributes directly via `<pkg>.overrideAttrs` and reference directly via `finalAttrs`.
-
-## Build-time exceptions {#sec-buildEnv-exceptions}
-
-There are situations where the specified `paths` might not produce sensible profile layout.
-By default, the builder fails early upon detecting these exceptions.
-`buildEnv` provides arguments to fine-tune or ignore certain exceptions.
-
-### Path collisions {#ssec-buildEnv-collisions}
-
-Path collisions occur when files provided by two more output paths with the same priority overlap with each other, making the result profile layout potentially affected by the order of elements of `paths`.
-This is undesirable in several use cases, such as when `paths` are determined by merging Nix modules.
-
-If the argument `checkCollisionContents` is `true`, the builder checks whether the overlapping paths share the same content and mode, and fails only if not.
-
-The argument `ignoreCollisions` silence the collision checks and allow the files to be overwritten based on the order of chosen output paths.
-
-In addition to silencing this exception with `ignoreCollisions`, one can also adjust the priority of colliding packages and store paths.
-Store paths can specify priority in the form
-
-```nix
-{
-  outPath = <path>;
-  meta.priority = <priority>;
-}
-```
-
-And [`lib.meta.setPrio`](#function-library-lib.meta.setPrio)-related Nixpkgs Library functions also apply to a string-like attribute set (`{ outPath = <path>; }`).
-
-### Single-file outputs {#ssec-buildEnv-singleFileOutputs}
-
-When an output path provides a single file instead of a directory, it inherently cannot merge into the result layout.
-All discoverable packages should configure their `meta.outputsToInstall` correctly, so that single-file outputs won't be installed into a profile.
-
-Set `ignoreSingleFileOutputs` to `true` to drop all single-file output paths silently.
-This option is useful when the specified paths contain the output paths of package tests.

doc/build-helpers/testers.chapter.md

@@ -129,13 +129,6 @@ It has two modes:
 
   Example: `{ "include_verbatim" = true; }`
 
-`extraArgs` (list of strings, optional) {#tester-lycheeLinkCheck-param-extraArgs}
-
-: Extra command line arguments to pass to the `lychee` invocation.
-  These are passed in both the offline (build) and [`online`](#tester-lycheeLinkCheck-return) modes.
-
-  Example: `[ "--format" "json" ]`
-
 `lychee` (derivation, optional) {#tester-lycheeLinkCheck-param-lychee}
 
 : The `lychee` package to use.

doc/build-helpers/trivial-build-helpers.chapter.md

@@ -734,80 +734,7 @@ Some basic Bash options are set by default (`errexit`, `nounset`, and `pipefail`
 Extra arguments may be passed to `stdenv.mkDerivation` by setting `derivationArgs`; note that variables set in this manner will be set when the shell script is _built,_ not when it's run.
 Runtime environment variables can be set with the `runtimeEnv` argument.
 
-`writeShellApplication` has the following arguments:
-
-`name` (String)
-
-: The name of the script to write.
-
-`text` (String)
-
-: The shell script's text, not including a shebang.
-
-`runtimeInputs` (List of derivations or strings, _optional_)
-
-: Inputs to add to the shell script's `$PATH` at runtime.
-
-  Each elements can either be a normal derivation, or a string containing a path, in which case it will be suffixed with `/bin` to create a `PATH` expression (see [`lib.strings.makeBinPath`](#function-library-lib.strings.makeBinPath) for more information).
-
-`runtimeEnv` (Attribute set, _optional_)
-
-: Extra environment variables to set at runtime.
-
-`checkPhase` (String, _optional_)
-
-: The `checkPhase` to run.
-
-  The script path will be given as `$target` in the `checkPhase`
-
-  _Default behavior:_ run [`shellcheck`](https://github.com/koalaman/shellcheck) (on supported platforms) and `bash -n` (check syntax but don't execute commands).
-
-`excludeShellChecks` (List of strings, _optional_)
-
-: Checks to exclude when running `shellcheck`.
-
-  For example, `excludeShellChecks = [ "SC2016" ]` would prevent `shellcheck` from reporting `SC2016`, but would still detect any other problems.
-
-  See [the `shellcheck` wiki](https://www.shellcheck.net/wiki/) for a list of checks.
-
-`extraShellCheckFlags` (List of strings, _optional_)
-
-: Extra command-line flags to pass to `shellcheck`.
-
-`bashOptions` (List of strings, _optional_)
-
-: Bash options to activate with `set -o` at the start of the script
-
-  _Default:_ `[ "errexit" "nounset" "pipefail" ]`, which means:
-  1. A failing command inside of a command list or pipeline will make the script exit, except if used as a conditional (inside a `while`, `if`, `&&`, `||`, etc.);
-  2. Any attempt to expand an undefined variable will make the script exit.
-
-`inheritPath` (Bool, _optional_)
-
-: Whether the script will inherit the PATH from its parent environment.
-
-  _Default:_ `true`
-
-`meta` (Attribute set, _optional_)
-
-: `stdenv.mkDerivation`'s [`meta`](#chap-meta) argument
-
-`passthru` (Attribute set, _optional_)
-
-: `stdenv.mkDerivation`'s [`passthru`](#chap-passthru) argument
-
-`derivationArgs` (Attribute set, _optional_)
-
-: Extra arguments to pass to [`stdenv.mkDerivation`](#chap-stdenv)
-
-  ::: {.caution}
-  Certain derivation attributes are also set internally, so overriding those could cause problems.
-  :::
-
-::: {.example #ex-writeShellApplication}
-# Usage of `writeShellApplication`
-
-The following shell application can refer to `curl` directly, rather than needing to write `${curl}/bin/curl`
+For example, the following shell application can refer to `curl` directly, rather than needing to write `${curl}/bin/curl`:
 
 ```nix
 writeShellApplication {
@@ -823,7 +750,6 @@ writeShellApplication {
   '';
 }
 ```
-:::
 
 ## `symlinkJoin` {#trivial-builder-symlinkJoin}
 

doc/doc-support/epub.nix

@@ -37,16 +37,16 @@ runCommand "manual.epub"
       </book>
     '';
 
-    __structuredAttrs = true;
+    passAsFile = [ "epub" ];
   }
   ''
     mkdir scratch
-    printf "%s" "$epub" | xsltproc \
+    xsltproc \
       --param chapter.autolabel 0 \
       --nonet \
       --output scratch/ \
       ${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \
-      -
+      $epubPath
 
     echo "application/epub+zip" > mimetype
     zip -0Xq -b "$TMPDIR" "$out" mimetype

doc/doc-support/package.nix

@@ -54,7 +54,7 @@ stdenvNoCC.mkDerivation (
     };
   in
   {
-    version = lib.trivial.release;
+    inherit (lib.trivial) version;
     pname = "nixpkgs-manual";
 
     nativeBuildInputs = [ nixos-render-docs ];

doc/hooks/index.md

@@ -20,7 +20,6 @@ ghc.section.md
 gnome.section.md
 haredo.section.md
 installShellFiles.section.md
-installFonts.section.md
 julec.section.md
 just.section.md
 libglycin.section.md
@@ -29,11 +28,6 @@ libxml2.section.md
 meson.section.md
 mpi-check-hook.section.md
 ninja.section.md
-nodejs-install-executables.section.md
-nodejs-install-manuals.section.md
-npm-build-hook.section.md
-npm-config-hook.section.md
-npm-install-hook.section.md
 patch-rc-path-hooks.section.md
 perl.section.md
 pkg-config.section.md
@@ -48,7 +42,6 @@ unzip.section.md
 validatePkgConfig.section.md
 versionCheckHook.section.md
 waf.section.md
-writable-tmpdir-as-home-hook.section.md
 zig.section.md
 xcbuild.section.md
 xfce4-dev-tools.section.md

doc/hooks/installFonts.section.md

@@ -1,24 +0,0 @@
-# `installFonts` {#installfonts}
-
-This hook installs common font formats to the proper location. In its default state, the hook automatically handles ttf, ttc, otf, bdf, and psf. Given a `webfont` output, woff and woff2 formats will be installed under this output.
-
-The automatic behavior of the hook can be disabled by setting the `dontInstallFonts` variable to true.
-
-Additionally, it exposes the `installFont` function that can be used from your `postInstall`
-hook, to install additional formats:
-
-## `installFont` {#installfonts-installfont}
-
-The `installFont` function takes two arguments, a file extension to move (*without* a preceding dot), and the install location.
-
-### Example Usage {#installfonts-installfont-exampleusage}
-
-```nix
-{
-  nativeBuildInputs = [ installFonts ];
-
-  postInstall = ''
-    installFont svg $out/share/fonts/svg
-  '';
-}
-```

doc/hooks/juce.section.md

@@ -1,33 +0,0 @@
-# `juce.projucerHook` {#juce-projucer-hook}
-
-[Projucer](https://juce.com/tutorials/tutorial_new_projucer_project/) is a graphical project management utility and build system for the [JUCE](https://juce.com/) audio programming framework. It is available in nixpkgs under the `juce` package.
-
-The `juce.projucerHook` setup hook overrides the configure and install phases. It is only supported on Linux and requires your project's `.jucer` file to contain a `LinuxMakefile` exporter.
-
-## Example {#juce-projucer-hook-example}
-
-```nix
-{
-  juce,
-  stdenv,
-}:
-stdenv.mkDerivation {
-  # ...
-  nativeBuildInputs = [ juce.projucerHook ];
-
-  jucerFile = "Microbiome.jucer";
-
-  dontUseProjucerInstall = true;
-  # ...
-}
-```
-
-## Variables controlling `juce.projucerHook` {#juce-projucer-hook-variables}
-
-### `dontUseProjucerConfigure`
-
-Disables `projucerConfigurePhase`
-
-### `dontUseProjucerInstall`
-
-Disables `projucerInstallPhase`

doc/hooks/nodejs-install-executables.section.md

@@ -1,29 +0,0 @@
-# nodejsInstallExecutables {#nodejs-install-executables}
-
-Hook for wrapping Node.js executables.
-Primarily created for a multi-language environment.
-
-## Examples {#nodejs-install-executables-example}
-
-[](#npm-build-hook-example-snippet)
-
-## Variables controlling `nodejsInstallExecutables` {#nodejs-install-executables-variables}
-
-### `nodejsInstallExecutables` Exclusive Variables {#nodejs-install-executables-exclusive-variables}
-
-#### `makeWrapperArgs` {#nodejs-install-executables-wrapper-args}
-
-Flags to pass to the call to [`makeWrapper`](#fun-makeWrapper).
-To avoid double-wrapping, this flag can also be accessed in Bash.
-
-```nix
-stdenv.mkDerivation (finalAttrs: {
-  #...
-  dontWrapGApps = true;
-
-  postInstall = ''
-    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
-  '';
-  #...
-})
-```

doc/hooks/nodejs-install-manuals.section.md

@@ -1,12 +0,0 @@
-# nodejsInstallManuals {#nodejs-install-manuals}
-
-Detects manuals in Node.js packages, and attempts to install them in standard locations.
-This detection is done by inspecting the package.json of the project and finding any entries
-with type `man`.
-
-
-There are no ways currently to configure this hook.
-
-## Examples {#nodejs-install-manuals-example}
-
-[](#npm-build-hook-example-snippet)

doc/hooks/npm-build-hook.section.md

@@ -1,93 +0,0 @@
-# npmHooks.npmBuildHook {#npm-build-hook}
-
-Hook for building packages that use npm. Can be used in multi-language environments.
-
-## Examples {#npm-build-hook-snippet}
-
-:::{.example #npm-build-hook-example-snippet}
-
-# Using `npmHooks`
-
-```nix
-{
-  stdenv,
-  fetchFromGitHub,
-  fetchNpmDeps,
-  npmHooks,
-  nodejsInstallExecutables,
-  nodejsInstallManuals,
-  nodejs,
-}:
-stdenv.mkDerivation (finalAttrs: {
-  pname = "some-npm-project";
-  version = "1.0";
-
-  src = fetchFromGitHub {
-    owner = "JohnNpm";
-    repo = "SomeProject";
-    tag = finalAttrs.version;
-    hash = "...";
-  };
-
-  strictDeps = true;
-
-  nativeBuildInputs = [
-    nodejs
-    nodejsInstallExecutables
-    nodejsInstallManuals
-    npmHooks.npmConfigHook
-    npmHooks.npmBuildHook
-    npmHooks.npmInstallHook
-  ];
-
-  npmBuildScript = "build";
-
-  npmBuildFlags = [
-    "--prod"
-  ];
-
-  npmFlags = [
-    "--ignore-scripts"
-  ];
-
-  npmDeps = fetchNpmDeps {
-    inherit (finalAttrs) src;
-    hash = "...";
-  };
-
-  makeWrapperArgs = [
-    "--set"
-    "NODE_ENV"
-    "production"
-  ];
-
-  meta = {
-    description = "npm project";
-  };
-})
-```
-:::
-
-## Variables controlling `npmBuildHook` {#npm-build-hook-variables}
-
-### `npmBuildHook` Exclusive Variables {#npm-build-hook-exclusive-variables}
-
-#### `npmBuildScript` {#npm-build-hook-script}
-
-Controls the script ran to build the npm package within the `package.json` file.
-Required to be set, usually to `build`, but can vary between packages.
-
-#### `npmBuildFlags` {#npm-build-hook-flags}
-
-Controls the arguments to the {command}`npm run $npmBuildScript` command.
-
-#### `dontNpmBuild` {#npm-build-hook-dont}
-
-Disables `npmBuildHook` when enabled
-
-### Honored Variables {#npm-build-hook-honored-variables}
-
-The following variables are honored by the `npmBuildHook`.
-
-- [`npmWorkspace`](#javascript-buildNpmPackage-npmWorkspace)
-- [`npmFlags`](#javascript-buildNpmPackage-npmFlags)

doc/hooks/npm-config-hook.section.md

@@ -1,41 +0,0 @@
-# npmHooks.npmConfigHook {#npm-config-hook}
-
-Hook for configuring packages that use npm.
-Primarily made for a multi-language environment.
-
-## Examples {#npm-config-hook-snippet}
-
-[](#npm-build-hook-example-snippet)
-
-## Variables controlling `npmConfigHook` {#npm-config-hook-variables}
-
-### `npmConfigHook` Exclusive Variables {#npm-config-hook-exclusive-variables}
-
-#### `npmDeps` {#npm-config-hook-deps}
-
-Derivation that contains the npm package dependencies.
-Usually built with `fetchNpmDeps`.
-This attribute is required or the hook will abort the build.
-
-#### `makeCacheWritable` {#npm-config-hook-writable-cache}
-
-Whether to make the dependency cache writable prior to installing the dependencies.
-Don't set this unless npm tries to write to the cache directory.
-
-#### `npmInstallFlags` {#npm-config-hook-install-flags}
-
-Flags to pass to the {command}`npm ci` call for installing the dependencies to the build environment.
-Defaults to `--ignore-scripts`, which cannot be removed.
-This does not control anything with the `npmInstallHook`.
-
-#### `npmRebuildFlags` {#npm-config-hook-rebuild-flags}
-
-Flags to pass to the {command}`npm rebuild` command after the dependencies are installed to the environment.
-
-### Honored Variables {#npm-config-hook-honored-variables}
-
-The following variables are honored by the `npmConfigHook`.
-
-- [`npmWorkspace`](#javascript-buildNpmPackage-npmWorkspace)
-- [`npmFlags`](#javascript-buildNpmPackage-npmFlags)
-- `npmRoot`

doc/hooks/npm-install-hook.section.md

@@ -1,35 +0,0 @@
-# npmHooks.npmInstallHook {#npm-install-hook}
-
-Hook to install node_modules for npm packages.
-Does not create wrappers for executable npm projects
-Primarily made for a multi-language environment.
-
-## Examples {#npm-install-hook-snippet}
-
-[](#npm-build-hook-example-snippet)
-
-## Variables controlling `npmInstallHook` {#npm-install-hook-variables}
-
-### `npmInstallHook` Exclusive Variables {#npm-install-hook-exclusive-variables}
-
-#### `dontNpmPrune` {#npm-install-hook-dont-prune}
-
-Whether to run {command}`npm prune` on the `node_modules` or not.
-Defaults to `true`.
-
-#### `npmInstallFlags` {#npm-install-hook-prune-flags}
-
-Flags to pass to the {command}`npm prune` call for the `node_modules` of the package.
-Defaults to `--omit=dev --no-save` which cannot be modified.
-
-#### `dontNpmInstall` {#npm-install-hook-dont}
-
-Controls whether `npmInstallHook` is enabled or not.
-Defaults to `true`, so the hook will run.
-
-### Honored Variables {#npm-install-hook-honored-variables}
-
-The following variables are honored by the `npmInstallHook`.
-
-- [`npmWorkspace`](#javascript-buildNpmPackage-npmWorkspace)
-- [`npmFlags`](#javascript-buildNpmPackage-npmFlags)

doc/hooks/writable-tmpdir-as-home-hook.section.md

@@ -1,5 +0,0 @@
-# writableTmpDirAsHomeHook {#writableTmpDirAsHomeHook}
-
-This setup hook provides a writable home directory for packages that require it.
-
-To use, just add the hook to the `nativeBuildInputs` of the package.

doc/languages-frameworks/android.section.md

@@ -27,7 +27,7 @@ Alternatively, you can pass composeAndroidPackages to the `withSdk` passthrough:
 }
 ```
 
-These will export `ANDROID_HOME` and `ANDROID_NDK_ROOT` to the SDK and NDK directories
+These will export `ANDROID_SDK_ROOT` and `ANDROID_NDK_ROOT` to the SDK and NDK directories
 in the specified Android build environment.
 
 ## Deploying an Android SDK installation with plugins {#deploying-an-android-sdk-installation-with-plugins}
@@ -308,7 +308,7 @@ Ensure that your buildToolsVersion and ndkVersion match what is declared in andr
 If you are using cmake, make sure its declared version is correct too.
 
 Otherwise, you may get cryptic errors from aapt2 and the Android Gradle plugin warning
-that it cannot install the build tools because the SDK directory is not writable.
+that it cannot install the build tools because the SDK directory is not writeable.
 
 ```gradle
 android {

doc/languages-frameworks/beam.section.md

@@ -6,68 +6,46 @@ In this document and related Nix expressions, we use the term, _BEAM_, to descri
 
 ## Available versions and deprecations schedule {#available-versions-and-deprecations-schedule}
 
-### Erlang OTP {#erlang}
-
-Nixpkgs follows upstream Erlang in their [support lifecycle](https://erlang.org/download/otp_versions_tree.html) and keeps up to the last 3 released versions of Erlang available. Due to upstream and NixOS release timings, this may mean removal of the oldest release prior to upstream fully dropping support.
-
 ### Elixir {#elixir}
 
-Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps up to the last 5 released versions of Elixir available.
+Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps the last 5 released versions of Elixir available.
 
 ## Structure {#beam-structure}
 
-All BEAM-related expressions are available via top-level package sets. It is recommended to work with a single package set to ensure consistent versions.
+All BEAM-related expressions are available via the top-level `beam` attribute, which includes:
 
-- `beamPackages` - default OTP version
-- `beamMinimalPackages` - default OTP version, without wxwidgets, which saves ~1GB in closure size
+- `interpreters`: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (`beam.interpreters.erlang_22`, etc), Elixir (`beam.interpreters.elixir`) and LFE (Lisp Flavoured Erlang) (`beam.interpreters.lfe`).
 
-There are also OTP version specific package sets, e.g. for OTP 28:
+- `packages`: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. `beam.packages.erlang22`.
 
-- `beam28Packages`
-- `beamMinimal28Packages`
+The default Erlang compiler, defined by `beam.interpreters.erlang`, is aliased as `erlang`. The default BEAM package set is defined by `beam.packages.erlang` and aliased at the top level as `beamPackages`.
 
-Inside each package set are:
+To create a package builder built with a custom Erlang version, use the lambda, `beam.packagesWith`, which accepts an Erlang/OTP derivation and produces a package builder similar to `beam.packages.erlang`.
 
-- erlang itself (version comes from package set)
-- interpreters: elixir (multiple versions, e.g. elixir_1_18) and lfe
-- packages: rebar3, hex, etc
-- builders: mixRelease, buildRebar3, etc
-- hooks: for composing builders and packages
+Many Erlang/OTP distributions available in `beam.interpreters` have versions with ODBC and/or Java enabled or without wx (no observer support). For example, there's `beam.interpreters.erlang_22_odbc_javac`, which corresponds to `beam.interpreters.erlang_22` and `beam.interpreters.erlang_22_nox`, which corresponds to `beam.interpreters.erlang_22`.
 
-To use a non-default Elixir it's important to keep the rest of the package set consistent, so it's recommended to use `.extend`. This ensures that builders like `mixRelease`, `fetchMixDeps`, and `buildMix` all pick up the overridden Elixir:
+## Build Tools {#build-tools}
 
-```nix
-let
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
-in
-beamPackages.mixRelease {
-  # ...
-}
-```
+### Rebar3 {#build-tools-rebar3}
 
-## Build Tools {#beam-build-tools}
+We provide a version of Rebar3, under `rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `fetchRebar3Deps`.
 
-### Rebar3 {#beam-build-tools-rebar3}
+We also provide a version on Rebar3 with plugins included, under `rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.
 
-We provide a version of Rebar3, under `beamPackages.rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `beamPackages.fetchRebar3Deps`.
+When adding a new plugin it is important that the `packageName` attribute is the same as the atom used by rebar3 to refer to the plugin.
 
-We also provide a version on Rebar3 with plugins included, under `beamPackages.rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `beamPackages.rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.
-
-When adding a new plugin it is important that the `name` attribute is the same as the atom used by rebar3 to refer to the plugin.
-
-### Erlang.mk {#beam-build-tools-erlangmk}
+### Mix & Erlang.mk {#build-tools-other}
 
 Erlang.mk works exactly as expected. There is a bootstrap process that needs to be run, which is supported by the `buildErlangMk` derivation.
 
-### Mix {#beam-build-tools-mix}
+For Elixir applications use `mixRelease` to make a release. See examples for more details.
 
-For Elixir applications that use [mix release](https://hexdocs.pm/mix/Mix.Release.html), use the `mixRelease` builder to make a release. See examples for more details.
-
-There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that `mixRelease` makes a release, while `buildMix` only builds the package, which is more useful for libraries and other dependencies.
+There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that mixRelease makes a release, while buildMix only builds the package, making it useful for libraries and other dependencies.
 
 ## How to Install BEAM Packages {#how-to-install-beam-packages}
 
-To use any of these builders in your environment, refer to them by their attribute path under `beamPackages` (or another BEAM package set), e.g. `beamPackages.rebar3`:
+BEAM builders are not registered at the top level, because they are not relevant to the vast majority of Nix users.
+To use any of those builders into your environment, refer to them by their attribute path under `beamPackages`, e.g. `beamPackages.rebar3`:
 
 ::: {.example #ex-beam-ephemeral-shell}
 # Ephemeral shell
@@ -97,39 +75,35 @@ pkgs.mkShell { packages = [ pkgs.beamPackages.rebar3 ]; }
 
 #### Rebar3 Packages {#rebar3-packages}
 
-The builder `beamPackages.buildRebar3` can be used to build a derivation that understands how to build a Rebar3 project.
+The Nix function, `buildRebar3`, defined in `beam.packages.erlang.buildRebar3` and aliased at the top level, can be used to build a derivation that understands how to build a Rebar3 project.
+
+If a package needs to compile native code via Rebar3's port compilation mechanism, add `compilePort = true;` to the derivation.
 
 #### Erlang.mk Packages {#erlang-mk-packages}
 
-Erlang.mk functions similarly to Rebar3, except we use `beamPackages.buildErlangMk` instead of `beamPackages.buildRebar3`.
-
-If a package needs to compile native code via Erlang.mk's port compilation mechanism, add `compilePorts = true;` to the derivation.
-
-### Elixir Applications {#packaging-elixir-applications}
+Erlang.mk functions similarly to Rebar3, except we use `buildErlangMk` instead of `buildRebar3`.
 
 #### Mix Packages {#mix-packages}
 
-`beamPackages.mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `beamPackages.fetchMixDeps` and passed to it.
+`mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `fetchMixDeps` and passed to it.
 
 #### mixRelease - Elixir Phoenix example {#mix-release-elixir-phoenix-example}
 
-There are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together.
+there are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together
 
 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps}
 
-For phoenix projects, inside of Nixpkgs you can either use `fetchYarnDeps` or `buildNpmPackage`. An example with `buildNpmPackage` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix), and an example with `fetchYarnDeps` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pi/pinchflat/package.nix).
+For phoenix projects, inside of Nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix#L39). An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage)
 
 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps}
 
-There are 2 ways to package backend dependencies: either per-dependency mix2nix or with a fixed-output-derivation (FOD).
-
-When writing an elixir project targeting `mixRelease`, you can also consider using [deps_nix](https://github.com/code-supply/deps_nix) with `mixNixDeps`. `deps_nix` supports git dependencies, but is intended to be added to the project's `mix.exs` directly.
+There are 2 ways to package backend dependencies. With mix2nix and with a fixed-output-derivation (FOD).
 
 ###### mix2nix {#mix2nix}
 
 `mix2nix` is a cli tool available in Nixpkgs. It will generate a Nix expression from a `mix.lock` file. It is quite standard in the 2nix tool series.
 
-Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/pleroma/package.nix)) or use the FOD method.
+Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method.
 
 The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won't trigger a full rebuild and download of all the dependencies, where FOD will do so.
 
@@ -177,7 +151,7 @@ You will need to run the build process once to fix the hash to correspond to you
 
 ###### FOD {#fixed-output-derivation}
 
-A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [akkoma](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ak/akkoma/package.nix) for a usage example of FOD.
+A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [elixir-ls](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/beam-modules/elixir-ls/default.nix) for a usage example of FOD.
 
 Practical steps
 
@@ -202,11 +176,12 @@ Note that if after you've replaced the value, nix suggests another hash, then mi
 Here is how your `default.nix` file would look for a Phoenix project.
 
 ```nix
-{
-  # beam27Packages or beam29Packages is available if you need a particular version
-  beamPackages,
-}:
+with import <nixpkgs> { };
+
 let
+  # beam.interpreters.erlang_26 is available if you need a particular version
+  packages = beam.packagesWith beam.interpreters.erlang;
+
   pname = "your_project";
   version = "0.0.1";
 
@@ -216,7 +191,7 @@ let
   };
 
   # if using mix2nix you can use the mixNixDeps attribute
-  mixFodDeps = beamPackages.fetchMixDeps {
+  mixFodDeps = packages.fetchMixDeps {
     pname = "mix-deps-${pname}";
     inherit src version;
     # nix will complain and tell you the right value to replace this with
@@ -225,8 +200,11 @@ let
     # if you have build time environment variables add them here
     MY_ENV_VAR = "my_value";
   };
+
+  nodeDependencies = (pkgs.callPackage ./assets/default.nix { }).shell.nodeDependencies;
+
 in
-beamPackages.mixRelease {
+packages.mixRelease {
   inherit
     src
     pname
@@ -237,6 +215,9 @@ beamPackages.mixRelease {
   MY_ENV_VAR = "my_value";
 
   postBuild = ''
+    ln -sf ${nodeDependencies}/lib/node_modules assets/node_modules
+    npm run deploy --prefix ./assets
+
     # for external task you need a workaround for the no deps check flag
     # https://github.com/phoenixframework/phoenix/issues/2690
     mix do deps.loadpaths --no-deps-check, phx.digest
@@ -248,7 +229,7 @@ beamPackages.mixRelease {
 Setup will require the following steps:
 
 - Move your secrets to runtime environment variables. For more information refer to the [runtime.exs docs](https://hexdocs.pm/mix/Mix.Tasks.Release.html#module-runtime-configuration). On a fresh Phoenix build that would mean that both `DATABASE_URL` and `SECRET_KEY` need to be moved to `runtime.exs`.
-- Generate a Nix expression for your frontend dependencies using `fetchNpmDeps`/`buildNpmPackage` or `fetchYarnDeps`, depending on whether the project uses npm or yarn
+- `cd assets` and `nix-shell -p node2nix --run "node2nix --development"` will generate a Nix expression containing your frontend dependencies
 - commit and push those changes
 - you can now `nix-build .`
 - To run the release, set the `RELEASE_TMP` environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.
@@ -267,7 +248,7 @@ in your project with the following
 }:
 
 let
-  release = pkgs.callPackage ./default.nix { };
+  release = pkgs.callPackage ./default.nix;
   release_name = "app";
   working_directory = "/home/app";
 in
@@ -339,10 +320,9 @@ Usually, we need to create a `shell.nix` file and do our development inside the
 
 with pkgs;
 let
-  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
+  elixir = beam.packages.erlang_27.elixir_1_18;
 in
-mkShell { buildInputs = [ beamPackages.elixir ]; }
+mkShell { buildInputs = [ elixir ]; }
 ```
 
 ### Using an overlay {#beam-using-overlays}
@@ -357,7 +337,7 @@ let
     self: super: {
       elixir_1_18 = super.elixir_1_18.override {
         version = "1.18.1";
-        hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+        sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
       };
     }
   );
@@ -375,17 +355,18 @@ Here is an example `shell.nix`.
 with import <nixpkgs> { };
 
 let
-  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
-
   # define packages to install
   basePackages = [
     git
-    beamPackages.elixir
+    # replace with beam.packages.erlang.elixir_1_18 if you need
+    beam.packages.erlang.elixir
     nodejs
     postgresql_14
+    # only used for frontend dependencies
+    # you are free to use yarn2nix as well
+    nodePackages.node2nix
     # formatting js file
-    prettier
+    nodePackages.prettier
   ];
 
   inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ];
@@ -398,13 +379,13 @@ let
     export HEX_HOME=$PWD/.nix-mix
     # make hex from Nixpkgs available
     # `mix local.hex` will install hex into MIX_HOME and should take precedence
-    export MIX_PATH="${beamPackages.hex}/lib/erlang/lib/hex/ebin"
+    export MIX_PATH="${beam.packages.erlang.hex}/lib/erlang/lib/hex/ebin"
     export PATH=$MIX_HOME/bin:$HEX_HOME/bin:$PATH
     export LANG=C.UTF-8
     # keep your shell history in iex
     export ERL_AFLAGS="-kernel shell_history enabled"
 
-    # postgres related
+    # postges related
     # keep all your db data in a folder inside the project
     export PGDATA="$PWD/db"
 

doc/languages-frameworks/dart.section.md

@@ -36,19 +36,19 @@ Dart supports multiple [outputs types](https://dart.dev/tools/dart-compile#types
   fetchFromGitHub,
 }:
 
-buildDartApplication (finalAttrs: {
+buildDartApplication rec {
   pname = "dart-sass";
   version = "1.62.1";
 
   src = fetchFromGitHub {
     owner = "sass";
     repo = "dart-sass";
-    tag = finalAttrs.version;
+    tag = version;
     hash = "sha256-U6enz8yJcc4Wf8m54eYIAnVg/jsGi247Wy8lp1r1wg4=";
   };
 
   pubspecLock = lib.importJSON ./pubspec.lock.json;
-})
+}
 ```
 
 ### Patching dependencies {#ssec-dart-applications-patching-dependencies}
@@ -102,14 +102,14 @@ The function `buildFlutterApplication` builds Flutter applications.
 
 See the [Dart documentation](#ssec-dart-applications) for more details on required files and arguments.
 
-`flutter` in Nixpkgs always points to `flutterPackages.stable`, which is the latest packaged version. To avoid unforeseen breakage during upgrade, packages in Nixpkgs should use a specific flutter version, such as `flutter335` and `flutter338`, instead of using `flutter` directly.
+`flutter` in Nixpkgs always points to `flutterPackages.stable`, which is the latest packaged version. To avoid unforeseen breakage during upgrade, packages in Nixpkgs should use a specific flutter version, such as `flutter319` and `flutter322`, instead of using `flutter` directly.
 
 ```nix
-{ flutter335, fetchFromGitHub }:
+{ flutter322, fetchFromGitHub }:
 
-flutter335.buildFlutterApplication (finalAttrs: {
+flutter322.buildFlutterApplication {
   pname = "firmware-updater";
-  version = "0-unstable-2025-09-09";
+  version = "0-unstable-2023-04-30";
 
   # To build for the Web, use the targetFlutterPlatform argument.
   # targetFlutterPlatform = "web";
@@ -117,17 +117,13 @@ flutter335.buildFlutterApplication (finalAttrs: {
   src = fetchFromGitHub {
     owner = "canonical";
     repo = "firmware-updater";
-    rev = "402e97254b9d63c8d962c46724995e377ff922c8";
-    hash = "sha256-nQn5mlgNj157h++67+mhez/F1ALz4yY+bxiGsi0/xX8=";
+    rev = "6e7dbdb64e344633ea62874b54ff3990bd3b8440";
+    hash = "sha256-s5mwtr5MSPqLMN+k851+pFIFFPa0N1hqz97ys050tFA=";
     fetchSubmodules = true;
   };
 
   pubspecLock = lib.importJSON ./pubspec.lock.json;
-
-  sourceRoot = "${finalAttrs.src.name}/apps/firmware_updater";
-
-  gitHashes.fwupd = "sha256-l/+HrrJk1mE2Mrau+NmoQ7bu9qhHU6wX68+m++9Hjd4=";
-})
+}
 ```
 
 ### Usage with nix-shell {#ssec-dart-flutter-nix-shell}

doc/languages-frameworks/emscripten.section.md

@@ -205,7 +205,7 @@ pkgs.buildEmscriptenPackage {
 
 ## Debugging {#declarative-debugging}
 
-Use `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz` and from there you can go through the individual steps. This makes it easy to build a good `unit test` or list the files of the project.
+Use `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz` and from there you can go trough the individual steps. This makes it easy to build a good `unit test` or list the files of the project.
 
 1. `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz`
 2. `cd /tmp/`

doc/languages-frameworks/go.section.md

@@ -101,7 +101,6 @@ If `true`, the intermediate fetcher downloads dependencies from the
 
 This is useful if your code depends on C code and `go mod tidy` does not include the needed sources to build or
 if any dependency has case-insensitive conflicts which will produce platform-dependent `vendorHash` checksums.
-It may also be needed if the module targets language version 1.16 or earlier, since vendoring compiles all dependencies against language version 1.16 in this case.
 
 Defaults to `false`.
 

doc/languages-frameworks/index.md

@@ -17,7 +17,7 @@ Each supported language or software ecosystem has its own package set named `<la
   # Navigate Java compiler variants in `javaPackages` with `nix repl`
 
   ```shell-session
-  $ nix repl -f '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable
+  $ nix repl '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable
   nix-repl> javaPackages.<tab>
   javaPackages.compiler               javaPackages.openjfx15              javaPackages.openjfx21              javaPackages.recurseForDerivations
   javaPackages.jogl_2_4_0             javaPackages.openjfx17              javaPackages.openjfx25
@@ -79,7 +79,6 @@ ios.section.md
 java.section.md
 javascript.section.md
 julia.section.md
-lean4.section.md
 lisp.section.md
 lua.section.md
 maven.section.md

doc/languages-frameworks/javascript.section.md

@@ -45,14 +45,17 @@ If a particular lock file is present, it is a strong indication of which package
 
 It's better to try to use a Nix tool that understands the lock file.
 Using a different tool might give you a hard-to-understand error because different packages have been installed.
+An example of problems that could arise can be found [here](https://github.com/NixOS/nixpkgs/pull/126629).
+Upstream use npm, but this is an attempt to package it with `yarn2nix` (that uses yarn.lock).
 
 Using a different tool forces you to commit a lock file to the repository.
 These files are fairly large, so when packaging for nixpkgs, this approach does not scale well.
 
 Exceptions to this rule are:
 
-- When you encounter one of the bugs from a Nix tool. In each of the tool-specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it's best to try another tool, even if this means you will have to re-create a lock file and commit it to Nixpkgs.
+- When you encounter one of the bugs from a Nix tool. In each of the tool-specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it's best to try another tool, even if this means you will have to re-create a lock file and commit it to Nixpkgs. In general `yarn2nix` has fewer known problems, and so a simple search in Nixpkgs will reveal many `yarn.lock` files committed.
 - Some lock files contain particular version of a package that has been pulled off npm for some reason. In that case, you can recreate upstream lock (by removing the original and `npm install`, `yarn`, ...) and commit this to nixpkgs.
+- The only tool that supports workspaces (a feature of npm that helps manage sub-directories with different package.json from a single top level package.json) is `yarn2nix`. If upstream has workspaces you should try `yarn2nix`.
 
 ### Try to use upstream package.json {#javascript-upstream-package-json}
 
@@ -89,14 +92,14 @@ Exceptions to this rule are:
 Each tool has an abstraction to just build the node_modules (dependencies) directory.
 You can always use the `stdenv.mkDerivation` with the node_modules to build the package (symlink the node_modules directory and then use the package build command).
 The node_modules abstraction can be also used to build some web framework frontends.
-For an example of this see how [plausible](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix) is built.
+For an example of this see how [plausible](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix) is built. `mkYarnModules` to make the derivation containing node_modules.
 Then when building the frontend you can just symlink the node_modules directory.
 
 ## Tool-specific instructions {#javascript-tool-specific}
 
 ### buildNpmPackage {#javascript-buildNpmPackage}
 
-`buildNpmPackage` allows you to package npm-based projects in Nixpkgs without the use of an auto-generated dependencies file.
+`buildNpmPackage` allows you to package npm-based projects in Nixpkgs without the use of an auto-generated dependencies file (as used in [node2nix](#javascript-node2nix)).
 It works by utilizing npm's cache functionality -- creating a reproducible cache that contains the dependencies of a project, and pointing npm to it.
 
 Here's an example:
@@ -144,10 +147,10 @@ If these are not defined, `npm pack` may miss some files, and no binaries will b
 * `npmDepsHash`: The output hash of the dependencies for this project. Can be calculated in advance with [`prefetch-npm-deps`](#javascript-buildNpmPackage-prefetch-npm-deps).
 * `makeCacheWritable`: Whether to make the cache writable prior to installing dependencies. Don't set this unless npm tries to write to the cache directory, as it can slow down the build.
 * `npmBuildScript`: The script to run to build the project. Defaults to `"build"`.
-* []{#javascript-buildNpmPackage-npmWorkspace} `npmWorkspace`: The workspace directory within the project to build and install.
+* `npmWorkspace`: The workspace directory within the project to build and install.
 * `dontNpmBuild`: Option to disable running the build script. Set to `true` if the package does not have a build script. Defaults to `false`. Alternatively, setting `buildPhase` explicitly also disables this.
 * `dontNpmInstall`: Option to disable running `npm install`. Defaults to `false`. Alternatively, setting `installPhase` explicitly also disables this.
-* []{#javascript-buildNpmPackage-npmFlags} `npmFlags`: Flags to pass to all npm commands.
+* `npmFlags`: Flags to pass to all npm commands.
 * `npmInstallFlags`: Flags to pass to `npm ci`.
 * `npmBuildFlags`: Flags to pass to `npm run ${npmBuildScript}`.
 * `npmPackFlags`: Flags to pass to `npm pack`.
@@ -303,9 +306,28 @@ It's recommended to set `package-lock-only = true` in your project-local [`.npmr
 
 This package puts the corepack wrappers for pnpm and yarn in your PATH, and they will honor the `packageManager` setting in the `package.json`.
 
+### node2nix {#javascript-node2nix}
+
+#### Preparation {#javascript-node2nix-preparation}
+
+You will need to generate a Nix expression for the dependencies. Don't forget the `-l package-lock.json` if there is a lock file. Most probably you will need the `--development` to include the `devDependencies`
+
+So the command will most likely be:
+```sh
+node2nix --development -l package-lock.json
+```
+
+See `node2nix` [docs](https://github.com/svanderburg/node2nix) for more info.
+
+#### Pitfalls {#javascript-node2nix-pitfalls}
+
+- If upstream package.json does not have a "version" attribute, `node2nix` will crash. You will need to add it like shown in [the package.json section](#javascript-upstream-package-json).
+- `node2nix` has some [bugs](https://github.com/svanderburg/node2nix/issues/238) related to working with lock files from npm distributed with `nodejs_16`.
+- `node2nix` does not like missing packages from npm. If you see something like `Cannot resolve version: vue-loader-v16@undefined` then you might want to try another tool. The package might have been pulled off of npm.
+
 ### pnpm {#javascript-pnpm}
 
-pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8`, `pnpm_9`, `pnpm_10`, `pnpm_10_29_2` and `pnpm_11`, which support different sets of lock file versions.
+pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8`, `pnpm_9` and `pnpm_10`, which support different sets of lock file versions.
 
 When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The function `fetchPnpmDeps` can create this pnpm store derivation. In conjunction, the setup hook `pnpmConfigHook` will prepare the build environment to install the pre-fetched dependencies store. Here is an example for a package that contains `package.json` and a `pnpm-lock.yaml` files using the fetcher and setup hook above:
 
@@ -313,18 +335,11 @@ When packaging an application that includes a `pnpm-lock.yaml`, you need to fetc
 {
   fetchPnpmDeps,
   nodejs,
-  pnpm_11,
+  pnpm,
   pnpmConfigHook,
   stdenv,
 }:
-let
-  # It is recommended to pin pnpm to a major version, due to regular breaking changes in the store format
-  # The latest major version is always available under `pkgs.pnpm`
-  # Optionally override pnpm to use a custom nodejs version
-  # Make sure that the same nodejs version is referenced in nativeBuildInputs
-  # pnpm = pnpm_11.override { nodejs = nodejs_24; };
-  pnpm = pnpm_11;
-in
+
 stdenv.mkDerivation (finalAttrs: {
   pname = "foo";
   version = "0-unstable-1980-01-01";
@@ -341,8 +356,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   pnpmDeps = fetchPnpmDeps {
     inherit (finalAttrs) pname version src;
-    inherit pnpm;
-    fetcherVersion = 4;
+    fetcherVersion = 3;
     hash = "...";
   };
 })
@@ -364,7 +378,7 @@ It is highly recommended to use a pinned version of pnpm (i.e., `pnpm_9` or `pnp
 +let
 +  # Optionally override pnpm to use a custom nodejs version
 +  # Make sure that the same nodejs version is referenced in nativeBuildInputs
-+  # pnpm = pnpm_10.override { nodejs = nodejs-slim_22; };
++  # pnpm = pnpm_10.override { nodejs = nodejs_20; };
 +in
  stdenv.mkDerivation (finalAttrs: {
    pname = "foo";
@@ -384,7 +398,7 @@ It is highly recommended to use a pinned version of pnpm (i.e., `pnpm_9` or `pnp
    pnpmDeps = fetchPnpmDeps {
      inherit (finalAttrs) pname version src;
 +    pnpm = pnpm_10;
-     fetcherVersion = 4;
+     fetcherVersion = 3;
      hash = "...";
    };
  })
@@ -491,32 +505,40 @@ In this example, `prePnpmInstall` will be run by both `pnpmConfigHook` and by th
 
 #### pnpm `fetcherVersion` {#javascript-pnpm-fetcherVersion}
 
-This is the version of the output of `fetchPnpmDeps`. New packages should use `3`:
+This is the version of the output of `fetchPnpmDeps`, if you haven't set it already, you can use `1` with your current hash:
 
 ```nix
 {
   # ...
   pnpmDeps = fetchPnpmDeps {
     # ...
-    fetcherVersion = 4;
-    hash = "..."; # clear this hash and generate a new one
+    fetcherVersion = 1;
+    hash = "..."; # you can use your already set hash here
   };
 }
 ```
 
-When upgrading to a newer `fetcherVersion`, you need to regenerate the hash.
+After upgrading to a newer `fetcherVersion`, you need to regenerate the hash:
+
+```nix
+{
+  # ...
+  pnpmDeps = fetchPnpmDeps {
+    # ...
+    fetcherVersion = 2;
+    hash = "..."; # clear this hash and generate a new one
+  };
+}
+```
 
 This variable ensures that we can make changes to the output of `fetchPnpmDeps` without breaking existing hashes.
 Changes can include workarounds or bug fixes to existing PNPM issues.
 
 ##### Version history {#javascript-pnpm-fetcherVersion-versionHistory}
 
-Version 3 is the recommended value for new packages. Versions 1 and 2 are deprecated and scheduled for removal in the 26.11 release; existing packages must migrate.
-
-- 1: Initial version, nothing special.
+- 1: Initial version, nothing special
 - 2: [Ensure consistent permissions](https://github.com/NixOS/nixpkgs/pull/422975)
 - 3: [Build a reproducible tarball](https://github.com/NixOS/nixpkgs/pull/469950)
-- 4: [Dump SQLite database to an SQL file](https://github.com/NixOS/nixpkgs/pull/522703)
 
 ### Yarn {#javascript-yarn}
 
@@ -595,6 +617,139 @@ To install the package `yarnInstallHook` uses both `npm` and `yarn` to cleanup p
 
 - `yarnKeepDevDeps`: Disables the removal of devDependencies from `node_modules` before installation.
 
+#### yarn2nix {#javascript-yarn2nix}
+
+> [!WARNING]
+> The `yarn2nix` functions have been deprecated in favor of `yarnConfigHook`, `yarnBuildHook` and `yarnInstallHook` (for Yarn v1) and `yarn-berry_*.*` tooling (Yarn v3 and v4). Documentation for `yarn2nix` functions still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
+
+##### Preparation {#javascript-yarn2nix-preparation}
+
+You will need at least a `yarn.lock` file. If upstream does not have one you need to generate it and reference it in your package definition.
+
+If the downloaded files contain the `package.json` and `yarn.lock` files they can be used like this:
+
+```nix
+{
+  offlineCache = fetchYarnDeps {
+    yarnLock = src + "/yarn.lock";
+    hash = "....";
+  };
+}
+```
+
+##### mkYarnPackage {#javascript-yarn2nix-mkYarnPackage}
+
+> [!WARNING]
+> The `mkYarnPackage` functions have been deprecated in favor of `yarnConfigHook`, `yarnBuildHook` and `yarnInstallHook` (for Yarn v1) and `yarn-berry_*.*` tooling (Yarn v3 and v4). Documentation for `mkYarnPackage` functions still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
+
+`mkYarnPackage` will by default try to generate a binary. For packages only generating static assets (Svelte, Vue, React, Webpack, ...), you will need to explicitly override the build step with your instructions.
+
+It's important to use the `--offline` flag. For example if you script is `"build": "something"` in `package.json` use:
+
+```nix
+{
+  nativeBuildInputs = [ writableTmpDirAsHomeHook ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    yarn --offline build
+
+    runHook postBuild
+  '';
+}
+```
+
+The `distPhase` is packing the package's dependencies in a tarball using `yarn pack`. You can disable it using:
+
+```nix
+{ doDist = false; }
+```
+
+The configure phase can sometimes fail because it makes many assumptions that may not always apply. One common override is:
+
+```nix
+{
+  configurePhase = ''
+    runHook preConfigure
+
+    ln -s $node_modules node_modules
+
+    runHook postConfigure
+  '';
+}
+```
+
+or if you need a writeable node_modules directory:
+
+```nix
+{
+  configurePhase = ''
+    runHook preConfigure
+
+    cp -r $node_modules node_modules
+    chmod +w node_modules
+
+    runHook postConfigure
+  '';
+}
+```
+
+##### mkYarnModules {#javascript-yarn2nix-mkYarnModules}
+
+This will generate a derivation including the `node_modules` directory.
+If you have to build a derivation for an integrated web framework (Rails, Phoenix, etc.), this is probably the easiest way.
+
+#### Overriding dependency behavior {#javascript-mkYarnPackage-overriding-dependencies}
+
+In the `mkYarnPackage` record the property `pkgConfig` can be used to override packages when you encounter problems building.
+
+For instance, say your package is throwing errors when trying to invoke node-sass:
+
+```
+ENOENT: no such file or directory, scandir '/build/source/node_modules/node-sass/vendor'
+```
+
+To fix this we will specify different versions of build inputs to use, as well as some post install steps to get the software built the way we want:
+
+```nix
+mkYarnPackage rec {
+  pkgConfig = {
+    node-sass = {
+      buildInputs = with final; [
+        python
+        libsass
+        pkg-config
+      ];
+      postInstall = ''
+        LIBSASS_EXT=auto yarn --offline run build
+        rm build/config.gypi
+      '';
+    };
+  };
+}
+```
+
+##### Pitfalls {#javascript-yarn2nix-pitfalls}
+
+- If version is missing from upstream package.json, yarn will silently install nothing. In that case, you will need to override package.json as shown in the [package.json section](#javascript-upstream-package-json)
+- Having trouble with `node-gyp`? Try adding these lines to the `yarnPreBuild` steps:
+
+  ```nix
+  {
+    yarnPreBuild = ''
+      mkdir -p $HOME/.node-gyp/${nodejs.version}
+      echo 9 > $HOME/.node-gyp/${nodejs.version}/installVersion
+      ln -sfv ${nodejs}/include $HOME/.node-gyp/${nodejs.version}
+      export npm_config_nodedir=${nodejs}
+    '';
+  }
+  ```
+
+  - The `echo 9` steps comes from this answer: <https://stackoverflow.com/a/49139496>
+  - Exporting the headers in `npm_config_nodedir` comes from this issue: <https://github.com/nodejs/node-gyp/issues/1191#issuecomment-301243919>
+- `offlineCache` (described [above](#javascript-yarn2nix-preparation)) must be specified to avoid [Import From Derivation](#ssec-import-from-derivation) (IFD) when used inside Nixpkgs.
+
 #### Yarn Berry v3/v4 {#javascript-yarn-v3-v4}
 Yarn Berry (v3 / v4) have similar formats, they start with blocks like these:
 

doc/languages-frameworks/lean4.section.md

@@ -1,51 +0,0 @@
-# Lean 4 {#sec-language-lean4}
-
-Lean 4 is a strict functional language with dependent types. `leanPackages` provides the toolchain and a curated set of libraries — including the full mathlib dependency tree — with its own Lean toolchain. A standalone compiler is also available as `pkgs.lean4` for use outside the package set.
-
-## Building Lean 4 projects with `buildLakePackage` {#lean4-buildLakePackage}
-
-```nix
-leanPackages.buildLakePackage {
-  pname = "my-project";
-  version = "0.1.0";
-  src = ./.;
-  leanDeps = with leanPackages; [ mathlib ];
-  lakeHash = null; # all deps nix-managed; set to lib.fakeHash for Lake-managed deps
-}
-```
-
-Dependencies are declared in the lakefile for Lake and in the Nix expression for Nix. `leanDeps` provides Nix-managed libraries whose `.olean` files — the default build artifact of the Lake library facet — are reused without recompilation. `buildLakePackage` injects them via `lake --packages`, which takes precedence over Lake's own dependency resolution, producing a hermetic build.
-
-Sui generis among nixpkgs builders, `buildLakePackage` supports heterogeneous dependency resolution, in that Nix transparently substitutes for upstream-managed dependencies at per-package granularity: Nix-managed dependencies via `leanDeps` and Lake-managed dependencies via `lakeHash` compose in the same derivation. Setting `lakeHash = lib.fakeHash` and building will report the expected hash for a fixed-output derivation that pins what Lake would normally fetch, less Nix-managed dependencies. Nix-managed dependencies take precedence by name — so moving a dependency from `lakeHash` to `leanDeps` will change the expected hash — providing an on-ramp for projects to incrementally adopt nix-managed libraries. Setting `lakeHash = null` (the default) declares that all dependencies are Nix-managed and no fixed-output fetch is performed during the build.
-
-A `lake-manifest.json` is required at the project root. If all dependencies are Nix-managed, an empty manifest suffices:
-
-```json
-{"version":"1.1.0","packagesDir":".lake/packages","packages":[]}
-```
-
-## Development shells {#lean4-dev-shells}
-
-In `nix develop`, the scoped `lean4` and `buildLakePackage` provide the same toolchain used for hermetic builds. Note that Lake's normal dependency resolution is available in the shell — Lake may fetch dependencies not covered by `leanDeps` from the network, as is standard for Nix development shells.
-
-## The `leanPackages` scope {#lean4-leanPackages}
-
-`leanPackages` is a `lib.makeScope` with its own `lean4`. Overriding it propagates to all packages and to `buildLakePackage`:
-
-```nix
-leanPackages.overrideScope (
-  self: super: {
-    lean4 = myCustomLean4;
-  }
-)
-```
-
-The `lean4` supplied by `leanPackages` is binary-patched to ensure that the Lean language server discovers the wrapped `lake` rather than an unwrapped one. This is necessary because Lake's `serve` subcommand has a vexing invocation pattern: it derives `LAKE` from `IO.appPath` and unconditionally sets it in the spawned environment, bypassing any wrapper. The binary patch rewrites store path references so that this discovery mechanism finds the correct binary, enabling LSP integration — including the InfoView, which requires Lean-specific protocol extensions — without improper mutation of the user's project directory.
-
-Note that `leanPackages.lean4` supplants Lake's built-in cache invalidation for dependencies in `/nix/store/`, deferring entirely to Nix's bespoke dependency model. Lake's trace validation — which checks compiler "hash," platform, and package identity — is gracefully subsumed by guarantees Nix already provides. Cache coherence responsibilities are delegated to the orchestrator of streamlined Nix integration.
-
-For Emacs, `emacsPackages.nael` and `emacsPackages.nael-lsp` (eglot-based and lsp-mode-based respectively, available via MELPA) provide Lean 4 support including proof state display via eldoc. For VSCode (unfree) / VSCodium, `vscode-extensions.leanprover.lean4` is available. Editor packages discover the toolchain from `PATH`.
-
-## Relationship to earlier Lean 4 Nix support {#lean4-history}
-
-Users familiar with the per-module derivation approach (2020–2025) should note that `buildLakePackage` follows a different architecture. The earlier integration discovered dependencies at evaluation time via import-from-derivation — an ambitious attempt to reconcile declarative package management with fine-grained build semantics, ultimately undermined by Nix's own evaluation model. It was [removed upstream](https://github.com/leanprover/lean4/commit/535435955b482176e8d62a54deebcacdec0827db). `buildLakePackage` treats Lake as a build driver and uses Nix for package-level boundaries, while `nix develop` and `nix-shell` achieve feature parity with the vanilla Lake development experience.

doc/languages-frameworks/lua.section.md

@@ -232,7 +232,7 @@ The following is an example:
         vyp
         lblasc
       ];
-      license = lib.licenses.mit;
+      license.fullName = "MIT/X11";
     };
   };
 }

doc/languages-frameworks/maven.section.md

@@ -17,14 +17,14 @@ Consider the following package:
   maven,
 }:
 
-maven.buildMavenPackage (finalAttrs: {
+maven.buildMavenPackage rec {
   pname = "jd-cli";
   version = "1.2.1";
 
   src = fetchFromGitHub {
     owner = "intoolswetrust";
     repo = "jd-cli";
-    tag = "jd-cli-${finalAttrs.version}";
+    tag = "jd-cli-${version}";
     hash = "sha256-rRttA5H0A0c44loBzbKH7Waoted3IsOgxGCD2VM0U/Q=";
   };
 
@@ -50,7 +50,7 @@ maven.buildMavenPackage (finalAttrs: {
     license = lib.licenses.gpl3Plus;
     maintainers = with lib.maintainers; [ majiir ];
   };
-})
+}
 ```
 
 This package calls `maven.buildMavenPackage` to do its work. The primary difference from `stdenv.mkDerivation` is the `mvnHash` variable, which is a hash of all of the Maven dependencies.
@@ -133,7 +133,7 @@ step 2 which will most probably fail the build. The `go-offline` plugin cannot
 handle these so-called [dynamic dependencies](https://github.com/qaware/go-offline-maven-plugin?tab=readme-ov-file#dynamic-dependencies).
 In that case you must add these dynamic dependencies manually with:
 ```nix
-maven.buildMavenPackage {
+maven.buildMavenPackage rec {
   manualMvnArtifacts = [
     # add dynamic test dependencies here
     "org.apache.maven.surefire:surefire-junit-platform:3.1.2"

doc/languages-frameworks/neovim.section.md

@@ -20,12 +20,9 @@ You can configure the former via:
 
 ```nix
 neovim.override {
-  withPython3 = true; # see `:h g:python3_host_prog`
-  withNodeJs = false;
-  withRuby = false;
   configure = {
     customRC = ''
-      # here your custom viml configuration goes!
+      # here your custom configuration goes!
     '';
     packages.myVimPackage = with pkgs.vimPlugins; {
       # See examples below on how to use custom packages.
@@ -47,7 +44,7 @@ neovim-qt.override {
   neovim = neovim.override {
     configure = {
       customRC = ''
-        # your custom viml configuration
+        # your custom configuration
       '';
     };
   };
@@ -64,9 +61,6 @@ For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs
 - `wrapRc`: Nix, not being able to write in your `$HOME`, loads the
   generated Neovim configuration via the `$VIMINIT` environment variable, i.e. : `export VIMINIT='lua dofile("/nix/store/…-init.lua")'`. This has side effects like preventing Neovim from sourcing your `init.lua` in `$XDG_CONFIG_HOME/nvim` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#startup) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse the generated vimscript init code via `neovim.passthru.initRc`.
 - `plugins`: A list of plugins to add to the wrapper.
-- `extraLuaPackages`: A function passed on to `lua.withPackages`
-- `withPython3`, `withNodeJs`, `withRuby` control when to enable neovim
-  providers (see `:h provider`).
 
 ```
 wrapNeovimUnstable neovim-unwrapped {
@@ -91,10 +85,6 @@ wrapNeovimUnstable neovim-unwrapped {
     (nvim-treesitter.withPlugins (p: [ p.nix p.python ]))
     hex-nvim
   ];
-  extraLuaPackages = lp: [ lp.mpack ];
-  withPython3 = true;
-  withNodeJs = false;
-  withRuby = false;
 }
 ```
 
@@ -115,25 +105,6 @@ patch those plugins but expose the necessary configuration under
 `PLUGIN.passthru.initLua` for neovim plugins. For instance, the `unicode-vim` plugin
 needs the path towards a unicode database so we expose the following snippet `vim.g.Unicode_data_directory="${self.unicode-vim}/autoload/unicode"` under `vimPlugins.unicode-vim.passthru.initLua`.
 
-### Plugin license overrides {#neovim-plugin-license-overrides}
-
-Generated Vim and Neovim plugins get their `meta.license` from GitHub license metadata when possible.
-Some upstream repositories do not expose a license file that GitHub can detect, or only mention the license in a README.
-In those cases, add a manual `meta.license` override in [overrides.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/overrides.nix).
-
-For example, if upstream documents that a plugin uses the Vim license but GitHub does not detect it:
-
-```nix
-{
-  foo-nvim = super.foo-nvim.overrideAttrs (old: {
-    meta = old.meta // {
-      # README says this plugin is distributed under the Vim license.
-      license = lib.licenses.vim;
-    };
-  });
-}
-```
-
 ## LuaRocks based plugins {#neovim-luarocks-based-plugins}
 
 In order to automatically handle plugin dependencies, several Neovim plugins

doc/languages-frameworks/octave.section.md

@@ -76,17 +76,6 @@ See [Symbolic](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/oct
 `requiredOctavePackages`
 : This is a special dependency that ensures the specified Octave packages are dependent on others, and are made available simultaneously when loading them in Octave.
 
-### Testing Octave packages {#sssec-testing-octave-packages}
-
-Octave packages built using the `buildOctavePackage` function do not have a `checkPhase` or `installCheckPhase`.
-Instead, the tests `testOctaveBuildEnv` and `testOctavePkgTests` are added to the package's `passthru.tests`.
-
-`passthru.tests.testOctaveBuildEnv` tests whether the package can be used by `octave.withPackages` successfully.
-
-`passthru.tests.testOctavePkgTests` runs a `pkg test` command for the package.
-If the package needs additional inputs to successfully run the tests, the `nativeOctavePkgTestInputs` attribute can be specified.
-If the package needs environment variables to be set to successfully run the tests, ensure that `__structuredAttrs = true;` in the package, then set the environment variables you need in `octavePkgTestEnv` (which should be an attrset where the key is the name of the variable and the value is its value (as a string)).
-
 ### Installing Octave Packages {#sssec-installing-octave-packages}
 
 By default, the `buildOctavePackage` function does _not_ install the requested package into Octave for use.

doc/languages-frameworks/php.section.md

@@ -214,6 +214,12 @@ code, while others choose not to.
 
 In Nix, there are multiple approaches to building a Composer-based project.
 
+::: {.warning}
+`buildComposerProject2` has a [known bug](https://github.com/NixOS/nixpkgs/issues/451395)
+where the `vendorHash` changes every time a Composer release happens that changes the
+`autoload.php` or vendored composer code.
+:::
+
 One such method is the `php.buildComposerProject2` helper function, which serves
 as a wrapper around `mkDerivation`.
 

doc/languages-frameworks/python.section.md

@@ -207,62 +207,6 @@ following are specific to `buildPythonPackage`:
 * `setupPyGlobalFlags ? []`: List of flags passed to `setup.py` command.
 * `setupPyBuildFlags ? []`: List of flags passed to `setup.py build_ext` command.
 
-##### Using fixed-point arguments {#buildpythonpackage-fixed-point-arguments}
-
-Both `buildPythonPackage` and `buildPythonApplication` support [fixed-point arguments](#chap-build-helpers-finalAttrs), similar to `stdenv.mkDerivation`.
-This allows you to reference the final attributes of the derivation.
-
-Instead of using `rec`:
-
-```nix
-buildPythonPackage rec {
-  pname = "pyspread";
-  version = "2.4";
-  src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-...";
-  };
-}
-```
-
-You can use the `finalAttrs` pattern:
-
-```nix
-buildPythonPackage (finalAttrs: {
-  pname = "pyspread";
-  version = "2.4";
-  src = fetchPypi {
-    pname = "pyspread";
-    inherit (finalAttrs) version;
-    hash = "sha256-...";
-  };
-})
-```
-
-See the [general documentation on fixed-point arguments](#chap-build-helpers-finalAttrs) for more details on the benefits of this pattern.
-
-::: {.note}
-
-Some `buildPythonPackage`/`buildPythonApplication` arguments are passed down indirectly to `stdenv.mkDerivation` via `passthru`.
-Therefore the final state of these attributes can be accessed via `finalAttrs.passthru.${name}`.
-[`<pkg>.overrideAttrs`](#sec-pkg-overrideAttrs) can override them using the `passthru = prevAttrs.passthru // { foo = "bar"; }` pattern.
-Such arguments include:
-
-- `disabled`
-- `pyproject`
-- `format`
-- `build-system`
-- `dependencies`
-- `optional-dependencies`
-
-<!--
-TODO(@doronbehar): When `.overridePythonAttrs` will be removed, the above text might need to be revised. See:
-
-- https://github.com/NixOS/nixpkgs/pull/379637
-- https://github.com/NixOS/nixpkgs/pull/469804
--->
-:::
-
 The [`stdenv.mkDerivation`](#sec-using-stdenv) function accepts various parameters for describing
 build inputs (see "Specifying dependencies"). The following are of special
 interest for Python packages, either because these are primarily used, or
@@ -293,23 +237,29 @@ the overrides for packages in the package set.
 ```nix
 with import <nixpkgs> { };
 
-let
-  python = pkgs.python3.override {
-    packageOverrides = self: super: {
-      pandas = super.pandas.overridePythonAttrs (
-        finalAttrs: prevAttrs: {
-          version = "0.19.1";
-          src = fetchPypi {
-            pname = "pandas";
-            inherit (finalAttrs) version;
-            hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
-          };
-        }
-      );
-    };
-  };
-in
-(python.withPackages (ps: [ ps.blaze ])).env
+(
+  let
+    python =
+      let
+        packageOverrides = self: super: {
+          pandas = super.pandas.overridePythonAttrs (old: rec {
+            version = "0.19.1";
+            src = fetchPypi {
+              pname = "pandas";
+              inherit version;
+              hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
+            };
+          });
+        };
+      in
+      pkgs.python3.override {
+        inherit packageOverrides;
+        self = python;
+      };
+
+  in
+  python.withPackages (ps: [ ps.blaze ])
+).env
 ```
 
 The next example shows a non trivial overriding of the `blas` implementation to
@@ -600,7 +550,6 @@ are used in [`buildPythonPackage`](#buildpythonpackage-function).
 - `pythonRemoveBinBytecode` to remove bytecode from the `/bin` folder.
 - `setuptoolsBuildHook` to build a wheel using `setuptools`.
 - `sphinxHook` to build documentation and manpages using Sphinx.
-- `stestrCheckHook` to run tests with `stestr`.
 - `venvShellHook` to source a Python 3 `venv` at the `venvDir` location. A
   `venv` is created if it does not yet exist. `postVenvCreation` can be used to
   to run commands only after venv is first created.
@@ -1093,57 +1042,57 @@ Our example, `toolz`, does not have any dependencies on other Python packages or
 Dependencies can belong to multiple arguments, for example if something is both a build time requirement & a runtime dependency.
 
 The following example shows which arguments are given to [`buildPythonPackage`](#buildpythonpackage-function) in
-order to build [`dirigera`](https://github.com/Leggin/dirigera).
+order to build [`datashape`](https://github.com/blaze/datashape).
 
 ```nix
 {
   lib,
   buildPythonPackage,
-  fetchFromGitHub,
-  pydantic,
-  pytestCheckHook,
-  requests,
+  fetchPypi,
+
+  # build dependencies
   setuptools,
-  websocket-client,
+
+  # dependencies
+  numpy,
+  multipledispatch,
+  python-dateutil,
+
+  # tests
+  pytestCheckHook,
 }:
 
 buildPythonPackage (finalAttrs: {
-  pname = "dirigera";
-  version = "1.2.6";
+  pname = "datashape";
+  version = "0.4.7";
   pyproject = true;
 
-  src = fetchFromGitHub {
-    owner = "Leggin";
-    repo = "dirigera";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-5pfzmaIkIEtxDtkhG1lOLSTjWahEDgQKLJKbAG5rBjE=";
+  src = fetchPypi {
+    inherit (finalAttrs) pname version;
+    hash = "sha256-FLLvdm1MllKrgTGC6Gb0k0deZeVYvtCCLji/B7uhong=";
   };
 
   build-system = [ setuptools ];
 
   dependencies = [
-    pydantic
-    requests
-    websocket-client
+    multipledispatch
+    numpy
+    python-dateutil
   ];
 
   nativeCheckInputs = [ pytestCheckHook ];
 
-  pythonImportsCheck = [ "dirigera" ];
-
   meta = {
-    description = "Module for controlling the IKEA Dirigera Smart Home Hub";
-    homepage = "https://github.com/Leggin/dirigera";
-    changelog = "https://github.com/Leggin/dirigera/releases/tag/${finalAttrs.src.tag}";
-    license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ fab ];
-    mainProgram = "generate-token";
+    changelog = "https://github.com/blaze/datashape/releases/tag/${finalAttrs.version}";
+    homepage = "https://github.com/ContinuumIO/datashape";
+    description = "Data description language";
+    license = lib.licenses.bsd2;
   };
 })
 ```
 
-We can see several runtime dependencies, `pydantic`, `requests`, and
-`websocket-client`. Furthermore, we have [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs) with `pytestCheckHook`.
+We can see several runtime dependencies, `numpy`, `multipledispatch`, and
+`python-dateutil`. Furthermore, we have [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs) with `pytestCheckHook`.
 `pytestCheckHook` is a test runner hook and is only used during the [`checkPhase`](#ssec-check-phase) and is
 therefore not added to `dependencies`.
 

doc/languages-frameworks/rust.section.md

@@ -254,7 +254,7 @@ By default, it takes the `stdenv.hostPlatform.config` and replaces components
 where they are known to differ. But there are ways to customize the argument:
 
  - To choose a different target by name, define
-   `stdenv.hostPlatform.rust.rustcTargetSpec` as that name (a string), and that
+   `stdenv.hostPlatform.rust.rustcTarget` as that name (a string), and that
    name will be used instead.
 
    For example:
@@ -262,7 +262,7 @@ where they are known to differ. But there are ways to customize the argument:
    ```nix
    import <nixpkgs> {
      crossSystem = (import <nixpkgs/lib>).systems.examples.armhf-embedded // {
-       rust.rustcTargetSpec = "thumbv7em-none-eabi";
+       rust.rustcTarget = "thumbv7em-none-eabi";
      };
    }
    ```
@@ -274,24 +274,22 @@ where they are known to differ. But there are ways to customize the argument:
    ```
 
  - To pass a completely custom target, define
-   `stdenv.hostPlatform.rust.rustcTargetSpec` with the path to the custom
-   target specification JSON file.
-
-   Note that some tools like Cargo and some crates like `cc` make use of the
-   file name of the target JSON.  Therefore, do not use
-   `./path/to/target-spec.json` directly, because it will be renamed by Nix.
-   Instead, place it a directory and use `"${./path/to/dir}/target-spec.json"`.
-   The directory should contain only this one file, to avoid unrelated changes
-   causing unnecessary rebuilds.
+   `stdenv.hostPlatform.rust.rustcTarget` with its name, and
+   `stdenv.hostPlatform.rust.platform` with the value.  The value will be
+   serialized to JSON in a file called
+   `${stdenv.hostPlatform.rust.rustcTarget}.json`, and the path of that file
+   will be used instead.
 
    For example:
 
    ```nix
    import <nixpkgs> {
-     crossSystem = {
-       config = "mips64el-unknown-linux-gnuabi64";
-       # gcc = ...; # Config for C compiler omitted
-       rust.rustcTargetSpec = "${./rust}/mips64el_mips3-unknown-linux-gnuabi64.json";
+     crossSystem = (import <nixpkgs/lib>).systems.examples.armhf-embedded // {
+       rust.rustcTarget = "thumb-crazy";
+       rust.platform = {
+         foo = "";
+         bar = "";
+       };
      };
    }
    ```
@@ -299,9 +297,12 @@ where they are known to differ. But there are ways to customize the argument:
    will result in:
 
    ```shell
-   --target /nix/store/...-rust/mips64el_mips3-unknown-linux-gnuabi64.json
+   --target /nix/store/asdfasdfsadf-thumb-crazy.json # contains {"foo":"","bar":""}
    ```
 
+Note that currently custom targets aren't compiled with `std`, so `cargo test`
+will fail. This can be ignored by adding `doCheck = false;` to your derivation.
+
 ### Running package tests {#running-package-tests}
 
 When using `buildRustPackage`, the `checkPhase` is enabled by default and runs
@@ -736,35 +737,6 @@ stdenv.mkDerivation (finalAttrs: {
 })
 ```
 
-### Compiling `wasm32-wasip1` package {#compiling-wasm32-wasip1-package}
-
-```nix
-pkgsCross.wasi32.callPackage (
-  {
-    fetchFromGitHub,
-    rustPlatform,
-    lld,
-  }:
-  rustPlatform.buildRustPackage (finalAttrs: {
-    pname = "zellij-harpoon";
-    version = "0.3.0";
-
-    src = fetchFromGitHub {
-      owner = "Nacho114";
-      repo = "harpoon";
-      tag = "v${finalAttrs.version}";
-      hash = "sha256-JmYcbzxIF6qZs2/RKuspHqNpyDibGp9CVQJj47y/BOQ=";
-    };
-
-    cargoHash = "sha256-lsv5Wssakni18jif++fPo3Z5WyBtvPsGpWwG3abR7jQ=";
-
-    # these two lines are currently required
-    env.RUSTFLAGS = "-C linker=wasm-ld";
-    nativeBuildInputs = [ lld ];
-  })
-) { }
-```
-
 ## `buildRustCrate`: Compiling Rust crates using Nix instead of Cargo {#compiling-rust-crates-using-nix-instead-of-cargo}
 
 ### Simple operation {#simple-operation}
@@ -871,47 +843,6 @@ general. A number of other parameters can be overridden:
   (hello { }).override { extraRustcOpts = "-Z debuginfo=2"; }
   ```
 
-- Extra arguments passed to `rustc` when the crate is a proc-macro,
-  replacing `extraRustcOpts`. Useful to keep instrumentation flags
-  (sanitizers, coverage) off host dylibs. Defaults to `null`, which
-  inherits `extraRustcOpts`:
-
-  ```nix
-  (myProcMacro { }).override { extraRustcOptsForProcMacro = [ ]; }
-  ```
-
-- The lint level cap passed to `rustc`. Defaults to `null`, which
-  auto-resolves to `"allow"` (silences all lints) when `lints` is
-  empty, or `"forbid"` (no cap) when `lints` is set. Because `rustc`
-  only honours the first `--cap-lints` it receives, this cannot be
-  changed via `extraRustcOpts`; use this attribute instead. Useful
-  when overriding the `rust` attribute to point at `clippy-driver`,
-  since clippy lints are also capped by this flag:
-
-  ```nix
-  (hello { }).override { capLints = "warn"; }
-  ```
-
-- Lint configuration mirroring Cargo.toml's `[lints]` table. Keys are
-  tool names (`rust`, `clippy`, `rustdoc`); values map lint names to
-  either a level string (`"allow"`, `"warn"`, `"deny"`, `"forbid"`) or
-  `{ level = "..."; priority = <int>; }`. Lower priorities are emitted
-  first so that more specific lints can override them. Setting a
-  non-empty `lints` raises the default `capLints` to `"forbid"` so the
-  lints actually apply:
-
-  ```nix
-  (hello { }).override {
-    lints.rust = {
-      unsafe_code = "forbid";
-      unused = {
-        level = "deny";
-        priority = -1;
-      };
-    };
-  }
-  ```
-
 - Phases, just like in any other derivation, can be specified using
   the following attributes: `preUnpack`, `postUnpack`, `prePatch`,
   `patches`, `postPatch`, `preConfigure` (in the case of a Rust crate,

doc/languages-frameworks/tcl.section.md

@@ -13,20 +13,19 @@ Tcl packages are typically built with `tclPackages.mkTclDerivation`.
 Tcl dependencies go in `buildInputs`/`nativeBuildInputs`/... like other packages.
 For more complex package definitions, such as packages with mixed languages, use `tcl.tclPackageHook`.
 
-Where possible, make sure to enable stubs for maximum compatibility.
-If you are using `mkTclDerivation`, `--enable-stubs` will be automatically added to `configureFlags`.
+Where possible, make sure to enable stubs for maximum compatibility, usually with the `--enable-stubs` configure flag.
 
 Here is a simple package example to be called with `tclPackages.callPackage`.
 
 ```
 { lib, fetchzip, mkTclDerivation, openssl }:
 
-mkTclDerivation (finalAttrs: {
+mkTclDerivation rec {
   pname = "tcltls";
   version = "1.7.22";
 
   src = fetchzip {
-    url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${finalAttrs.version}.tar.gz";
+    url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${version}.tar.gz";
     hash = "sha256-TOouWcQc3MNyJtaAGUGbaQoaCWVe6g3BPERct/V65vk=";
   };
 
@@ -34,6 +33,7 @@ mkTclDerivation (finalAttrs: {
 
   configureFlags = [
     "--with-ssl-dir=${openssl.dev}"
+    "--enable-stubs"
   ];
 
   meta = {
@@ -43,7 +43,7 @@ mkTclDerivation (finalAttrs: {
     license = lib.licenses.tcltk;
     platforms = lib.platforms.unix;
   };
-})
+}
 ```
 
 All Tcl libraries are declared in `pkgs/top-level/tcl-packages.nix` and are defined in `pkgs/development/tcl-modules/`.
@@ -52,35 +52,3 @@ Its use is documented in `pkgs/development/tcl-modules/by-name/README.md`.
 
 All Tcl applications reside elsewhere.
 In case a package is used as both a library and an application (for example `expect`), it should be defined in `tcl-packages.nix`, with an alias elsewhere.
-
-### Using tclRequiresCheck {#using-tclrequirescheck}
-
-Although unit tests are highly preferred to validate correctness of a package, not
-all packages have test suites that can be run easily, and some have none at all.
-To help ensure the package still works, [`tclRequiresCheck`](#using-tclrequirescheck) can attempt to `package require`
-the listed modules.
-
-```nix
-{
-  tclRequiresCheck = [
-    "json"
-    "doctools"
-  ];
-}
-```
-
-roughly translates to:
-
-```nix
-{
-  preDist = ''
-    TCLLIBPATH="$out/lib $TCLLIBPATH"
-    tclsh <<<'exit [catch {package require json; package require doctools}]'
-  '';
-}
-```
-
-However, this is done in its own phase, and not dependent on whether [`doCheck = true;`](#var-stdenv-doCheck).
-
-This can also be useful in verifying that the package doesn't assume commonly
-present packages (e.g. `tcllib`).

doc/languages-frameworks/texlive.section.md

@@ -2,7 +2,9 @@
 
 There is a TeX Live packaging that lives entirely under attribute `texlive`.
 
-## User's guide {#sec-language-texlive-user-guide}
+## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental}
+
+Release 23.11 ships with a new interface that will eventually replace `texlive.combine`.
 
 - For basic usage, use some of the prebuilt environments available at the top level, such as `texliveBasic`, `texliveSmall`. For the full list of prebuilt environments, inspect `texlive.schemes`.
 
@@ -22,7 +24,7 @@ There is a TeX Live packaging that lives entirely under attribute `texlive`.
 
 - `texlive.withPackages` uses the same logic as `buildEnv`. Only parts of a package are installed in an environment: its 'runtime' files (`tex` output), binaries (`out` output), and support files (`tlpkg` output). Moreover, man and info pages are assembled into separate `man` and `info` outputs. To add only the TeX files of a package, or its documentation (`texdoc` output), just specify the outputs:
   ```nix
-  texliveBasic.withPackages (
+  texlive.withPackages (
     ps: with ps; [
       texdoc # recommended package to navigate the documentation
       perlPackages.LaTeXML.tex # tex files of LaTeXML, omit binaries
@@ -32,19 +34,64 @@ There is a TeX Live packaging that lives entirely under attribute `texlive`.
   )
   ```
 
-- To add the documentation for all packages in the environment, use
-  ```nix
-  texliveSmall.overrideAttrs { withDocs = true; }
-  ```
-  This can be applied before or after calling `withPackages`. The parameter `withSources` adds all source containers.
-
 - All packages distributed by TeX Live, which contains most of CTAN, are available and can be found under `texlive.pkgs`:
   ```ShellSession
   $ nix repl
   nix-repl> :l <nixpkgs>
   nix-repl> texlive.pkgs.[TAB]
   ```
-  These are derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.withPackages` but are available for other uses. To repackage a font, for instance, use
+  Note that the packages in `texlive.pkgs` are only provided for search purposes and must not be used directly.
+
+- **Experimental and subject to change without notice:** to add the documentation for all packages in the environment, use
+  ```nix
+  texliveSmall.__overrideTeXConfig { withDocs = true; }
+  ```
+  This can be applied before or after calling `withPackages`.
+
+  The function currently supports the parameters `withDocs`, `withSources`, and `requireTeXPackages`.
+
+## User's guide {#sec-language-texlive-user-guide}
+
+- For basic usage just pull `texlive.combined.scheme-basic` for an environment with basic LaTeX support.
+
+- It typically won't work to use separately installed packages together. Instead, you can build a custom set of packages like this. Most CTAN packages should be available:
+
+  ```nix
+  texlive.combine {
+    inherit (texlive)
+      scheme-small
+      collection-langkorean
+      algorithms
+      cm-super
+      ;
+  }
+  ```
+
+- There are all the schemes, collections and a few thousand packages, as defined upstream (perhaps with tiny differences).
+
+- By default you only get executables and files needed during runtime, and a little documentation for the core packages. To change that, you need to add `pkgFilter` function to `combine`.
+
+  ```nix
+  texlive.combine {
+    # inherit (texlive) whatever-you-want;
+    pkgFilter =
+      pkg: pkg.tlType == "run" || pkg.tlType == "bin" || pkg.hasManpages || pkg.pname == "cm-super";
+    # elem tlType [ "run" "bin" "doc" "source" ]
+    # there are also other attributes: version, name
+  }
+  ```
+
+- You can list packages e.g. by `nix repl`.
+
+  ```ShellSession
+  $ nix repl
+  nix-repl> :l <nixpkgs>
+  nix-repl> texlive.collection-[TAB]
+  ```
+
+- Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example, `scheme-basic`, into the combination.
+
+- TeX Live packages are also available under `texlive.pkgs` as derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.combine` but are available for other uses. To repackage a font, for instance, use
 
   ```nix
   stdenvNoCC.mkDerivation (finalAttrs: {
@@ -65,9 +112,9 @@ There is a TeX Live packaging that lives entirely under attribute `texlive`.
 
 ## Custom packages {#sec-language-texlive-custom-packages}
 
-You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `passthru.tlDeps`, which is a function taking a package set and returning a list of packages.
+You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `tlDeps`.
 
-The function `texlive.withPackages` recognise the following outputs:
+The functions `texlive.combine` and `texlive.withPackages` recognise the following outputs:
 
 - `"out"`: contents are linked in the TeX Live environment, and binaries in the `$out/bin` folder are wrapped;
 - `"tex"`: linked in `$TEXMFDIST`; files should follow the TDS (for instance `$tex/tex/latex/foiltex/foiltex.cls`);
@@ -75,6 +122,8 @@ The function `texlive.withPackages` recognise the following outputs:
 - `"tlpkg"`: linked in `$TEXMFROOT/tlpkg`;
 - `"man"`, `"info"`, ...: the other outputs are combined into separate outputs.
 
+When using `pkgFilter`, `texlive.combine` will assign `tlType` respectively `"bin"`, `"run"`, `"doc"`, `"source"`, `"tlpkg"` to the above outputs.
+
 Here is a (very verbose) example. See also the packages `auctex`, `eukleides`, `mftrace` for more examples.
 
 ```nix
@@ -89,7 +138,7 @@ let
       "tex"
       "texdoc"
     ];
-    passthru.tlDeps = ps: [ ps.latex ];
+    passthru.tlDeps = with texlive; [ latex ];
 
     srcs = [
       (fetchurl {
@@ -120,14 +169,13 @@ let
           latexmk
         ]
       ))
+      # multiple-outputs.sh fails if $out is not defined
+      (writeShellScript "force-tex-output.sh" ''
+        out="''${tex-}"
+      '')
       writableTmpDirAsHomeHook # Need a writable $HOME for latexmk
     ];
 
-    # multiple-outputs.sh fails if $out is not defined
-    preHook = ''
-      out="''${tex-}"
-    '';
-
     dontConfigure = true;
 
     buildPhase = ''

doc/languages-frameworks/typst.section.md

@@ -15,16 +15,6 @@ typst.withPackages (
 )
 ```
 
-For more customisation options, you can invoke the wrapper directly:
-
-```nix
-typst.wrapper {
-  packages = p: [ ];
-  fonts = [ ];
-  extraWrapperArgs = [ ];
-}
-```
-
 ### Handling Outdated Package Hashes {#typst-handling-outdated-package-hashes}
 
 Since **Typst Universe** does not provide a way to fetch a package with a specific hash, the package hashes in `nixpkgs` can sometimes be outdated. To resolve this issue, you can manually override the package source using the following approach:

doc/languages-frameworks/vim.section.md

@@ -170,6 +170,8 @@ Sometimes plugins require an override that must be changed when the plugin is up
 
 To add a new plugin, run `nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater add "[owner]/[name]"'`. **NOTE**: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.
 
+Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by `vimPluginsUpdater` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of the Language Server Protocol integration with Vim/Neovim.
+
 ## Updating plugins in nixpkgs {#updating-plugins-in-nixpkgs}
 
 Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).

doc/packages/darwin-builder.section.md

@@ -89,7 +89,7 @@ Note that if the builder is running and you have created the above ssh conf file
 {
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-22.11-darwin";
-    darwin.url = "github:nix-darwin/nix-darwin/master";
+    darwin.url = "github:lnl7/nix-darwin/master";
     darwin.inputs.nixpkgs.follows = "nixpkgs";
   };
 

doc/packages/linux.section.md

@@ -119,10 +119,11 @@ $ pkgs/os-specific/linux/kernel/update.sh
 The change gets submitted like this:
 
 * File a PR against `staging-nixos`.
-  * Add a `backport staging-nixos-XX.XX` label for an automated backport.
+  * Add a `backport release-XX.XX` label for an automated backport.
+    We don't expect many other changes on that branch to require a backport, hence there's no such branch for stable.
     By using an additional PR, we get the automatic backport against stable without manual cherry-picks.
-* Merge into `staging-nixos` or `staging-nixos-XX.XX`.
-* File as PR from `staging-nixos` against `master` or `staging-nixos-XX.XX` against `release-xx.xx`.
+* Merge into `staging-nixos`.
+* File as PR from `staging-nixos` against `master`.
 * When all status checks are green, merge.
 
 ### Add a new (major) version of the Linux kernel {#sec-linux-add-new-kernel-version}
@@ -148,6 +149,15 @@ The change gets submitted like this:
     ```
   * Update `linux_latest` to the new attribute.
 * __SQUASH__ the changes into the `linux: init at …` commit.
+* If a new hardened is available:
+  * Instantiate a `linux_X_Y_hardened = hardenedKernelsFor kernels.linux_X_Y { };` in `kernels` and
+    `linux_X_Y_hardened = hardenedKernelFor kernels.linux_X_Y { };` in the `packages`-section.
+  * Make sure to remove the hardened variant of the previous kernel version unless it's LTS.
+    We only support the latest and latest LTS version of hardened.
+* If no new hardened kernel is available:
+  * Keep the previously latest kernel until its mainline counterpart gets removed.
+    After that `linux_hardened` points to the latest LTS supported by hardened.
+* __SQUASH__ the changes into the `linux_X_Y_hardened: init at …` commit.
 
 ### Policy for accepting new kernel flavours {#sec-linux-new-kernels}
 

doc/redirects.json

@@ -20,9 +20,6 @@
   "cmake-ctest-variables": [
     "index.html#cmake-ctest-variables"
   ],
-  "compiling-wasm32-wasip1-package": [
-    "index.html#compiling-wasm32-wasip1-package"
-  ],
   "coq-withPackages": [
     "index.html#coq-withPackages"
   ],
@@ -122,9 +119,6 @@
   "ex-testEqualArrayOrMap-test-function-add-cowbell": [
     "index.html#ex-testEqualArrayOrMap-test-function-add-cowbell"
   ],
-  "ex-writeShellApplication": [
-    "index.html#ex-writeShellApplication"
-  ],
   "friction-graphics": [
     "index.html#friction-graphics"
   ],
@@ -137,20 +131,11 @@
   "inkscape-plugins": [
     "index.html#inkscape-plugins"
   ],
-  "installfonts": [
-    "index.html#installfonts"
+  "libcxxhardeningextensive": [
+    "index.html#libcxxhardeningextensive"
   ],
-  "installfonts-installfont": [
-    "index.html#installfonts-installfont"
-  ],
-  "installfonts-installfont-exampleusage": [
-    "index.html#installfonts-installfont-exampleusage"
-  ],
-  "javascript-buildNpmPackage-npmFlags": [
-    "index.html#javascript-buildNpmPackage-npmFlags"
-  ],
-  "javascript-buildNpmPackage-npmWorkspace": [
-    "index.html#javascript-buildNpmPackage-npmWorkspace"
+  "libcxxhardeningfast": [
+    "index.html#libcxxhardeningfast"
   ],
   "julec-hook": [
     "index.html#julec-hook"
@@ -188,12 +173,6 @@
   "julec-hook-variables": [
     "index.html#julec-hook-variables"
   ],
-  "libcxxhardeningextensive": [
-    "index.html#libcxxhardeningextensive"
-  ],
-  "libcxxhardeningfast": [
-    "index.html#libcxxhardeningfast"
-  ],
   "major-ghc-deprecation": [
     "index.html#major-ghc-deprecation"
   ],
@@ -224,108 +203,9 @@
   "no-broken-symlinks.sh": [
     "index.html#no-broken-symlinks.sh"
   ],
-  "nodejs-install-executables": [
-    "index.html#nodejs-install-executables"
-  ],
-  "nodejs-install-executables-example": [
-    "index.html#nodejs-install-executables-example"
-  ],
-  "nodejs-install-executables-exclusive-variables": [
-    "index.html#nodejs-install-executables-exclusive-variables"
-  ],
-  "nodejs-install-executables-variables": [
-    "index.html#nodejs-install-executables-variables"
-  ],
-  "nodejs-install-executables-wrapper-args": [
-    "index.html#nodejs-install-executables-wrapper-args"
-  ],
-  "nodejs-install-manuals": [
-    "index.html#nodejs-install-manuals"
-  ],
-  "nodejs-install-manuals-example": [
-    "index.html#nodejs-install-manuals-example"
-  ],
   "nostrictaliasing": [
     "index.html#nostrictaliasing"
   ],
-  "npm-build-hook": [
-    "index.html#npm-build-hook"
-  ],
-  "npm-build-hook-dont": [
-    "index.html#npm-build-hook-dont"
-  ],
-  "npm-build-hook-example-snippet": [
-    "index.html#npm-build-hook-example-snippet"
-  ],
-  "npm-build-hook-exclusive-variables": [
-    "index.html#npm-build-hook-exclusive-variables"
-  ],
-  "npm-build-hook-flags": [
-    "index.html#npm-build-hook-flags"
-  ],
-  "npm-build-hook-honored-variables": [
-    "index.html#npm-build-hook-honored-variables"
-  ],
-  "npm-build-hook-script": [
-    "index.html#npm-build-hook-script"
-  ],
-  "npm-build-hook-snippet": [
-    "index.html#npm-build-hook-snippet"
-  ],
-  "npm-build-hook-variables": [
-    "index.html#npm-build-hook-variables"
-  ],
-  "npm-config-hook": [
-    "index.html#npm-config-hook"
-  ],
-  "npm-config-hook-deps": [
-    "index.html#npm-config-hook-deps"
-  ],
-  "npm-config-hook-exclusive-variables": [
-    "index.html#npm-config-hook-exclusive-variables"
-  ],
-  "npm-config-hook-honored-variables": [
-    "index.html#npm-config-hook-honored-variables"
-  ],
-  "npm-config-hook-install-flags": [
-    "index.html#npm-config-hook-install-flags"
-  ],
-  "npm-config-hook-rebuild-flags": [
-    "index.html#npm-config-hook-rebuild-flags"
-  ],
-  "npm-config-hook-snippet": [
-    "index.html#npm-config-hook-snippet"
-  ],
-  "npm-config-hook-variables": [
-    "index.html#npm-config-hook-variables"
-  ],
-  "npm-config-hook-writable-cache": [
-    "index.html#npm-config-hook-writable-cache"
-  ],
-  "npm-install-hook": [
-    "index.html#npm-install-hook"
-  ],
-  "npm-install-hook-dont": [
-    "index.html#npm-install-hook-dont"
-  ],
-  "npm-install-hook-dont-prune": [
-    "index.html#npm-install-hook-dont-prune"
-  ],
-  "npm-install-hook-exclusive-variables": [
-    "index.html#npm-install-hook-exclusive-variables"
-  ],
-  "npm-install-hook-honored-variables": [
-    "index.html#npm-install-hook-honored-variables"
-  ],
-  "npm-install-hook-prune-flags": [
-    "index.html#npm-install-hook-prune-flags"
-  ],
-  "npm-install-hook-snippet": [
-    "index.html#npm-install-hook-snippet"
-  ],
-  "npm-install-hook-variables": [
-    "index.html#npm-install-hook-variables"
-  ],
   "pkgs-replacevars": [
     "index.html#pkgs-replacevars",
     "index.html#pkgs-substituteall",
@@ -379,9 +259,6 @@
   "sec-build-helper-extendMkDerivation": [
     "index.html#sec-build-helper-extendMkDerivation"
   ],
-  "sec-buildEnv-exceptions": [
-    "index.html#sec-buildEnv-exceptions"
-  ],
   "sec-building-packages-with-llvm": [
     "index.html#sec-building-packages-with-llvm"
   ],
@@ -412,9 +289,6 @@
   "sec-meta-identifiers-cpe": [
     "index.html#sec-meta-identifiers-cpe"
   ],
-  "sec-meta-identifiers-purl": [
-    "index.html#sec-meta-identifiers-purl"
-  ],
   "sec-modify-via-packageOverrides": [
     "index.html#sec-modify-via-packageOverrides"
   ],
@@ -436,30 +310,6 @@
   "chap-overlays": [
     "index.html#chap-overlays"
   ],
-  "sec-nixpkgs-release-26.11": [
-    "release-notes.html#sec-nixpkgs-release-26.11"
-  ],
-  "sec-nixpkgs-release-26.11-highlights": [
-    "release-notes.html#sec-nixpkgs-release-26.11-highlights"
-  ],
-  "sec-nixpkgs-release-26.11-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-26.11-incompatibilities"
-  ],
-  "sec-nixpkgs-release-26.11-lib": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib"
-  ],
-  "sec-nixpkgs-release-26.11-lib-breaking": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-breaking"
-  ],
-  "sec-nixpkgs-release-26.11-lib-deprecations": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-deprecations"
-  ],
-  "sec-nixpkgs-release-26.11-lib-additions-improvements": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-additions-improvements"
-  ],
-  "sec-nixpkgs-release-26.11-notable-changes": [
-    "release-notes.html#sec-nixpkgs-release-26.11-notable-changes"
-  ],
   "sec-nixpkgs-release-26.05": [
     "release-notes.html#sec-nixpkgs-release-26.05"
   ],
@@ -472,16 +322,7 @@
     "index.html#katamari-tarballs",
     "index.html#individual-tarballs",
     "index.html#generating-nix-expressions",
-    "index.html#overriding-the-generator",
-    "index.html#javascript-node2nix",
-    "index.html#javascript-node2nix-preparation",
-    "index.html#javascript-node2nix-pitfalls",
-    "index.html#javascript-yarn2nix-mkYarnPackage",
-    "index.html#javascript-yarn2nix",
-    "index.html#javascript-yarn2nix-preparation",
-    "index.html#javascript-yarn2nix-mkYarnModules",
-    "index.html#javascript-mkYarnPackage-overriding-dependencies",
-    "index.html#javascript-yarn2nix-pitfalls"
+    "index.html#overriding-the-generator"
   ],
   "sec-nixpkgs-release-26.05-lib": [
     "release-notes.html#sec-nixpkgs-release-26.05-lib"
@@ -788,9 +629,6 @@
   "chap-stdenv": [
     "index.html#chap-stdenv"
   ],
-  "sec-problems": [
-    "index.html#sec-problems"
-  ],
   "sec-using-llvm": [
     "index.html#sec-using-llvm"
   ],
@@ -806,12 +644,6 @@
   "sec-treefmt-options-reference": [
     "index.html#sec-treefmt-options-reference"
   ],
-  "ssec-buildEnv-collisions": [
-    "index.html#ssec-buildEnv-collisions"
-  ],
-  "ssec-buildEnv-singleFileOutputs": [
-    "index.html#ssec-buildEnv-singleFileOutputs"
-  ],
   "ssec-cosmic-common-issues": [
     "index.html#ssec-cosmic-common-issues"
   ],
@@ -860,9 +692,6 @@
   "footnote-stdenv-find-inputs-location.__back.0": [
     "index.html#footnote-stdenv-find-inputs-location.__back.0"
   ],
-  "sssec-testing-octave-packages": [
-    "index.html#sssec-testing-octave-packages"
-  ],
   "strictflexarrays1": [
     "index.html#strictflexarrays1"
   ],
@@ -920,15 +749,9 @@
   "typst-package-scope-and-usage": [
     "index.html#typst-package-scope-and-usage"
   ],
-  "using-tclrequirescheck": [
-    "index.html#using-tclrequirescheck"
-  ],
   "var-go-buildTestBinaries": [
     "index.html#var-go-buildTestBinaries"
   ],
-  "var-meta-donationPage": [
-    "index.html#var-meta-donationPage"
-  ],
   "var-meta-identifiers-cpe": [
     "index.html#var-meta-identifiers-cpe"
   ],
@@ -938,15 +761,6 @@
   "var-meta-identifiers-possibleCPEs": [
     "index.html#var-meta-identifiers-possibleCPEs"
   ],
-  "var-meta-identifiers-purl": [
-    "index.html#var-meta-identifiers-purl"
-  ],
-  "var-meta-identifiers-purlParts": [
-    "index.html#var-meta-identifiers-purlParts"
-  ],
-  "var-meta-identifiers-purls": [
-    "index.html#var-meta-identifiers-purls"
-  ],
   "var-meta-teams": [
     "index.html#var-meta-teams"
   ],
@@ -1010,9 +824,6 @@
   "var-stdenv-enableParallelBuilding": [
     "index.html#var-stdenv-enableParallelBuilding"
   ],
-  "var-stdenv-__structuredAttrs": [
-    "index.html#var-stdenv-__structuredAttrs"
-  ],
   "mkderivation-recursive-attributes": [
     "index.html#mkderivation-recursive-attributes"
   ],
@@ -1055,12 +866,6 @@
   "tar-files": [
     "index.html#tar-files"
   ],
-  "writableTmpDirAsHomeHook": [
-    "index.html#writableTmpDirAsHomeHook"
-  ],
-  "x86_64-darwin-26.05": [
-    "release-notes.html#x86_64-darwin-26.05"
-  ],
   "zip-files": [
     "index.html#zip-files"
   ],
@@ -1644,9 +1449,6 @@
   "lib.sourceTypes.binaryBytecode": [
     "index.html#lib.sourceTypes.binaryBytecode"
   ],
-  "lib.sourceTypes.obfuscatedCode": [
-    "index.html#lib.sourceTypes.obfuscatedCode"
-  ],
   "chap-passthru": [
     "index.html#chap-passthru"
   ],
@@ -1800,9 +1602,6 @@
   "ssec-cross-cookbook": [
     "index.html#ssec-cross-cookbook"
   ],
-  "cross-qa-emulation": [
-    "index.html#cross-qa-emulation"
-  ],
   "cross-qa-fails-to-find-binutils": [
     "index.html#cross-qa-fails-to-find-binutils"
   ],
@@ -2019,9 +1818,6 @@
   "fetchtorrent-parameters": [
     "index.html#fetchtorrent-parameters"
   ],
-  "fetchitchio": [
-    "index.html#fetchitchio"
-  ],
   "chap-trivial-builders": [
     "index.html#chap-trivial-builders"
   ],
@@ -2245,12 +2041,6 @@
   "chap-special": [
     "index.html#chap-special"
   ],
-  "sec-buildEnv": [
-    "index.html#sec-buildEnv"
-  ],
-  "sec-buildEnv-arguments": [
-    "index.html#sec-buildEnv-arguments"
-  ],
   "sec-fakeNss": [
     "index.html#sec-fakeNss"
   ],
@@ -3091,28 +2881,19 @@
   "available-versions-and-deprecations-schedule": [
     "index.html#available-versions-and-deprecations-schedule"
   ],
-  "erlang": [
-    "index.html#erlang"
-  ],
   "elixir": [
     "index.html#elixir"
   ],
   "beam-structure": [
     "index.html#beam-structure"
   ],
-  "beam-build-tools": [
-    "index.html#beam-build-tools",
+  "build-tools": [
     "index.html#build-tools"
   ],
-  "beam-build-tools-rebar3": [
-    "index.html#beam-build-tools-rebar3",
+  "build-tools-rebar3": [
     "index.html#build-tools-rebar3"
   ],
-  "beam-build-tools-erlangmk": [
-    "index.html#beam-build-tools-erlangmk"
-  ],
-  "beam-build-tools-mix": [
-    "index.html#beam-build-tools-mix",
+  "build-tools-other": [
     "index.html#build-tools-other"
   ],
   "how-to-install-beam-packages": [
@@ -3130,9 +2911,6 @@
   "packaging-erlang-applications": [
     "index.html#packaging-erlang-applications"
   ],
-  "packaging-elixir-applications": [
-    "index.html#packaging-elixir-applications"
-  ],
   "rebar3-packages": [
     "index.html#rebar3-packages"
   ],
@@ -3678,9 +3456,6 @@
   "sec-language-java": [
     "index.html#sec-language-java"
   ],
-  "sec-language-lean4": [
-    "index.html#sec-language-lean4"
-  ],
   "language-javascript": [
     "index.html#language-javascript"
   ],
@@ -3747,6 +3522,15 @@
   "javascript-corepack": [
     "index.html#javascript-corepack"
   ],
+  "javascript-node2nix": [
+    "index.html#javascript-node2nix"
+  ],
+  "javascript-node2nix-preparation": [
+    "index.html#javascript-node2nix-preparation"
+  ],
+  "javascript-node2nix-pitfalls": [
+    "index.html#javascript-node2nix-pitfalls"
+  ],
   "javascript-pnpm": [
     "index.html#javascript-pnpm"
   ],
@@ -3783,6 +3567,24 @@
   "javascript-yarninstallhook": [
     "index.html#javascript-yarninstallhook"
   ],
+  "javascript-yarn2nix": [
+    "index.html#javascript-yarn2nix"
+  ],
+  "javascript-yarn2nix-preparation": [
+    "index.html#javascript-yarn2nix-preparation"
+  ],
+  "javascript-yarn2nix-mkYarnPackage": [
+    "index.html#javascript-yarn2nix-mkYarnPackage"
+  ],
+  "javascript-yarn2nix-mkYarnModules": [
+    "index.html#javascript-yarn2nix-mkYarnModules"
+  ],
+  "javascript-mkYarnPackage-overriding-dependencies": [
+    "index.html#javascript-mkYarnPackage-overriding-dependencies"
+  ],
+  "javascript-yarn2nix-pitfalls": [
+    "index.html#javascript-yarn2nix-pitfalls"
+  ],
   "javascript-yarnBerry-missing-hashes": [
     "index.html#javascript-yarnBerry-missing-hashes"
   ],
@@ -3822,18 +3624,6 @@
   "julia-withpackage-arguments": [
     "index.html#julia-withpackage-arguments"
   ],
-  "lean4-buildLakePackage": [
-    "index.html#lean4-buildLakePackage"
-  ],
-  "lean4-dev-shells": [
-    "index.html#lean4-dev-shells"
-  ],
-  "lean4-history": [
-    "index.html#lean4-history"
-  ],
-  "lean4-leanPackages": [
-    "index.html#lean4-leanPackages"
-  ],
   "lisp": [
     "index.html#lisp"
   ],
@@ -4116,9 +3906,6 @@
   "buildpythonpackage-parameters": [
     "index.html#buildpythonpackage-parameters"
   ],
-  "buildpythonpackage-fixed-point-arguments": [
-    "index.html#buildpythonpackage-fixed-point-arguments"
-  ],
   "overriding-python-build-helpers": [
     "index.html#overriding-python-build-helpers"
   ],
@@ -4482,10 +4269,12 @@
   "sec-language-texlive": [
     "index.html#sec-language-texlive"
   ],
-  "sec-language-texlive-user-guide": [
-    "index.html#sec-language-texlive-user-guide",
+  "sec-language-texlive-user-guide-experimental": [
     "index.html#sec-language-texlive-user-guide-experimental"
   ],
+  "sec-language-texlive-user-guide": [
+    "index.html#sec-language-texlive-user-guide"
+  ],
   "sec-language-texlive-custom-packages": [
     "index.html#sec-language-texlive-custom-packages"
   ],
@@ -4541,9 +4330,6 @@
     "index.html#neovim-plugin-required-snippet",
     "index.html#vim-plugin-required-snippet"
   ],
-  "neovim-plugin-license-overrides": [
-    "index.html#neovim-plugin-license-overrides"
-  ],
   "updating-plugins-in-nixpkgs": [
     "index.html#updating-plugins-in-nixpkgs"
   ],

doc/release-notes/release-notes.md

@@ -3,7 +3,6 @@
 This section lists the release notes for each stable version of Nixpkgs and the current unstable revision.
 
 ```{=include=} sections
-rl-2611.section.md
 rl-2605.section.md
 rl-2511.section.md
 rl-2505.section.md