Merge branch 'master' into update-rssguard

NixOS · Jan 7, 2025 · 9976520 · 9976520
2 parents 160c5e2 + 6296d4c
commit 9976520
Show file tree

Hide file tree

Showing 9,008 changed files with 119,225 additions and 166,231 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -24,7 +24,7 @@ insert_final_newline = false
 # see https://nixos.org/nixpkgs/manual/#chap-conventions
 
 # Match json/lockfiles/markdown/nix/perl/python/ruby/shell/docbook files, set indent to spaces
-[*.{json,lock,md,nix,pl,pm,py,rb,sh,xml}]
+[*.{bash,json,lock,md,nix,pl,pm,py,rb,sh,xml}]
 indent_style = space
 
 # Match docbook files, set indent width of one
@@ -36,7 +36,7 @@ indent_size = 1
 indent_size = 2
 
 # Match perl/python/shell scripts, set indent width of four
-[*.{pl,pm,py,sh}]
+[*.{bash,pl,pm,py,sh}]
 indent_size = 4
 
 # Match gemfiles, set indent to spaces with width of two

diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -181,6 +181,7 @@
         - pkgs/development/compilers/corretto/**/*
         - pkgs/development/compilers/graalvm/**/*
         - pkgs/development/compilers/openjdk/**/*
+        - pkgs/by-name/op/openjfx/**/*
         - pkgs/development/compilers/semeru-bin/**/*
         - pkgs/development/compilers/temurin-bin/**/*
         - pkgs/development/compilers/zulu/**/*

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -14,11 +14,11 @@ jobs:
   backport:
     name: Backport Pull Request
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
           app-id: ${{ vars.BACKPORT_APP_ID }}

diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml
@@ -16,7 +16,7 @@ permissions:
 jobs:
   tests:
     name: basic-eval-checks
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/check-cherry-picks.yml b/.github/workflows/check-cherry-picks.yml
@@ -11,7 +11,7 @@ permissions: {}
 jobs:
   check:
     name: cherry-pick-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yaml
@@ -10,7 +10,7 @@ permissions:
 jobs:
   nixos:
     name: maintainer-list-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml
@@ -18,7 +18,7 @@ jobs:
 
   nixos:
     name: nixfmt-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: get-merge-commit
     if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:

diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml
@@ -9,7 +9,7 @@ permissions:
 jobs:
   nixos:
     name: exp-nixf-tidy-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: "!contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml
@@ -11,7 +11,7 @@ permissions: {}
 jobs:
   x86_64-linux:
     name: shell-check-x86_64-linux
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -23,7 +23,7 @@ jobs:
 
   aarch64-darwin:
     name: shell-check-aarch64-darwin
-    runs-on: macos-latest
+    runs-on: macos-14
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml
@@ -19,6 +19,8 @@ name: Codeowners v2
 #
 # This split is done because checking code owners requires handling untrusted PR input,
 # while requesting code owners requires PR write access, and those shouldn't be mixed.
+#
+# Note that the latter is also used for ./eval.yml requesting reviewers.
 
 on:
   pull_request_target:
@@ -39,7 +41,7 @@ jobs:
   # Check that code owners is valid
   check:
     name: Check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: get-merge-commit
     if: needs.get-merge-commit.outputs.mergedSha
     steps:
@@ -62,7 +64,7 @@ jobs:
     - name: Build codeowners validator
       run: nix-build base/ci -A codeownersValidator
 
-    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+    - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
       id: app-token
       with:
         app-id: ${{ vars.OWNER_RO_APP_ID }}
@@ -86,15 +88,15 @@ jobs:
   # Request reviews from code owners
   request:
     name: Request
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
     - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
     # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
     # This is intentional, because we need to request the review of owners as declared in the base branch.
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+    - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
       id: app-token
       with:
         app-id: ${{ vars.OWNER_APP_ID }}
@@ -104,6 +106,6 @@ jobs:
       run: nix-build ci -A requestReviews
 
     - name: Request reviews
-      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+      run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
       env:
         GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml
@@ -16,7 +16,7 @@ jobs:
 
   tests:
     name: editorconfig-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: get-merge-commit
     if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:

diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml
@@ -13,7 +13,7 @@ jobs:
 
   nixpkgs-lib-tests:
     name: nixpkgs-lib-tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: get-merge-commit
     if: needs.get-merge-commit.outputs.mergedSha
     steps:

diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
@@ -21,7 +21,7 @@ jobs:
 
   attrs:
     name: Attributes
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: get-merge-commit
     # Skip this and dependent steps if the PR can't be merged
     if: needs.get-merge-commit.outputs.mergedSha
@@ -53,14 +53,14 @@ jobs:
           echo "systems=$(<result/systems.json)" >> "$GITHUB_OUTPUT"
 
       - name: Upload the list of all attributes
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: paths
           path: result/*
 
   eval-aliases:
     name: Eval nixpkgs with aliases enabled
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: [ attrs, get-merge-commit ]
     steps:
       - name: Check out the PR at the test merge commit
@@ -78,13 +78,20 @@ jobs:
 
   outpaths:
     name: Outpaths
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: [ attrs, get-merge-commit ]
     strategy:
       fail-fast: false
       matrix:
         system: ${{ fromJSON(needs.attrs.outputs.systems) }}
     steps:
+      - name: Enable swap
+        run: |
+          sudo fallocate -l 10G /swapfile
+          sudo chmod 600 /swapfile
+          sudo mkswap /swapfile
+          sudo swapon /swapfile
+
       - name: Download the list of all attributes
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
@@ -111,14 +118,14 @@ jobs:
           # If it uses too much memory, slightly decrease chunkSize
 
       - name: Upload the output paths and eval stats
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: intermediate-${{ matrix.system }}
           path: result/*
 
   process:
     name: Process
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: [ outpaths, attrs, get-merge-commit ]
     outputs:
       baseRunId: ${{ steps.baseRunId.outputs.baseRunId }}
@@ -133,6 +140,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          fetch-depth: 2
           path: nixpkgs
 
       - name: Install Nix
@@ -145,7 +153,7 @@ jobs:
             -o prResult
 
       - name: Upload the combined results
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: result
           path: prResult/*
@@ -194,37 +202,66 @@ jobs:
       - name: Compare against the base branch
         if: steps.baseRunId.outputs.baseRunId
         run: |
-          nix-build nixpkgs/ci -A eval.compare \
+          git -C nixpkgs worktree add ../base ${{ needs.attrs.outputs.baseSha }}
+          git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} ${{ needs.attrs.outputs.mergedSha }} \
+            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
+
+          # Use the base branch to get accurate maintainer info
+          nix-build base/ci -A eval.compare \
             --arg beforeResultDir ./baseResult \
             --arg afterResultDir ./prResult \
+            --arg touchedFilesJson ./touched-files.json \
             -o comparison
+
           cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
-          # TODO: Request reviews from maintainers for packages whose files are modified in the PR
 
       - name: Upload the combined results
         if: steps.baseRunId.outputs.baseRunId
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: comparison
           path: comparison/*
 
   # Separate job to have a very tightly scoped PR write token
   tag:
     name: Tag
-    runs-on: ubuntu-latest
-    needs: process
+    runs-on: ubuntu-24.04
+    needs: [ attrs, process ]
     if: needs.process.outputs.baseRunId
     permissions:
       pull-requests: write
       statuses: write
     steps:
+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
       - name: Download process result
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: comparison
           path: comparison
 
-      - name: Tagging pull request
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+      # Important: This workflow job runs with extra permissions,
+      # so we need to make sure to not run untrusted code from PRs
+      - name: Check out Nixpkgs at the base commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.attrs.outputs.baseSha }}
+          path: base
+          sparse-checkout: ci
+
+      - name: Build the requestReviews derivation
+        run: nix-build base/ci -A requestReviews
+
+      - name: Labelling pull request
         run: |
           # Get all currently set rebuild labels
           gh api \
@@ -252,6 +289,7 @@ jobs:
               /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
               -f "labels[]=$toAdd"
           done < <(comm -13 before after)
+
         env:
           GH_TOKEN: ${{ github.token }}
           REPOSITORY: ${{ github.repository }}
@@ -276,3 +314,17 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
           NUMBER: ${{ github.event.number }}
+
+      - name: Requesting maintainer reviews
+        run: |
+          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
+          # There appears to be no API to request reviews based on GitHub IDs
+          jq -r 'keys[]' comparison/maintainers.json \
+            | while read -r id; do gh api /user/"$id" --jq .login; done \
+            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml
@@ -12,7 +12,7 @@ permissions: {}
 
 jobs:
   resolve-merge-commit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     outputs:
       mergedSha: ${{ steps.merged.outputs.mergedSha }}
     steps:

diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -16,7 +16,7 @@ permissions:
 jobs:
   labels:
     name: label-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
     - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0

diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml
@@ -13,7 +13,7 @@ on:
 jobs:
   nixos:
     name: nixos-manual-build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml
@@ -15,7 +15,7 @@ on:
 jobs:
   nixpkgs:
     name: nixpkgs-manual-build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml
@@ -16,7 +16,7 @@ jobs:
 
   tests:
     name: nix-files-parseable-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: get-merge-commit
     if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps: