Merge branch 'master' into init-adjustor

.git-blame-ignore-revs

@@ -215,3 +215,9 @@ adb9714bd909df283c66bbd641bd631ff50a4260
 
 # treewide: incus packages
 9ab59bb5fb943ad6740f64f5a79eae9642fb8211
+
+# treewide nixfmt reformat pass 1, master, staging and staging-next
+4f0dadbf38ee4cf4cc38cbc232b7708fddf965bc
+667d42c00d566e091e6b9a19b365099315d0e611
+84d4f874c2bac9f3118cb6907d7113b3318dcb5e
+

.github/ISSUE_TEMPLATE/tracking_issue.md

@@ -0,0 +1,39 @@
+---
+name: Tracking issue
+about: Provide an overview on a multi-step effort
+title: 'Tracking issue: ISSUENAME'
+labels: '5.scope: tracking'
+assignees: ''
+
+---
+
+### Tracking description
+
+<!--
+Provide a brief summary of the project or multi-step effort. Explain why it is
+necessary and what the goals are.
+
+You may include way to reproduce the problem, screenshots or any information
+that you find relevant.
+-->
+
+#### Reference Issue(s)/PR(s)
+
+- ...
+
+### Follow-up issues/notes
+
+<!--
+List any follow-up issues that need to be addressed after the main tasks are
+completed, or any notes related to the project.
+-->
+
+#### Additional context
+Add any other context about the problem here.
+
+---
+
+Add a :+1: [reaction] to [issues you find important].
+
+[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
+[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

.github/labeler.yml

@@ -328,6 +328,7 @@
       - any-glob-to-any-file:
         - doc/languages-frameworks/nim.section.md
         - pkgs/build-support/build-nim-package.nix
+        - pkgs/build-support/build-nim-sbom.nix
         - pkgs/by-name/ni/nim*
         - pkgs/top-level/nim-overrides.nix
 

.github/workflows/backport.yml

@@ -28,7 +28,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}
       - name: Create backport PRs
-        uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
+        uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
           copy_labels_pattern: 'severity:\ssecurity'

.github/workflows/check-nix-format.yml

@@ -13,15 +13,19 @@ permissions:
   contents: read
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   nixos:
     name: nixfmt-check
     runs-on: ubuntu-latest
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           # Fetches the merge commit and its parents
           fetch-depth: 2
       - name: Checking out base branch
@@ -83,7 +87,7 @@ jobs:
 
           if (( "${#unformattedFiles[@]}" > 0 )); then
             echo "Some new/changed Nix files are not properly formatted"
-            echo "Please go to the Nixpkgs root directory, run \`nix-shell\`, then:"
+            echo "Please format them using the Nixpkgs-specific \`nixfmt\` by going to the Nixpkgs root directory, running \`nix-shell\`, then:"
             echo "nixfmt ${unformattedFiles[*]@Q}"
             echo "Make sure your branch is up to date with master, rebase if not."
             echo "If you're having trouble, please ping @NixOS/nix-formatting"

.github/workflows/codeowners-v2.yml

@@ -33,10 +33,15 @@ env:
   DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   # Check that code owners is valid
   check:
     name: Check
     runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
     steps:
     - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
@@ -65,7 +70,7 @@ jobs:
 
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        ref: refs/pull/${{ github.event.number }}/merge
+        ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
         path: pr
 
     - name: Validate codeowners

.github/workflows/editorconfig-v2.yml

@@ -11,10 +11,14 @@ on:
       - 'release-**'
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   tests:
     name: editorconfig-check
     runs-on: ubuntu-latest
-    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
     - name: Get list of changed files from PR
       env:
@@ -30,7 +34,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         # pull_request_target checks out the base branch by default
-        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+        ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
     - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       with:
         # nixpkgs commit is pinned so that it doesn't break

.github/workflows/eval-lib-tests.yml

@@ -0,0 +1,30 @@
+name: "Building Nixpkgs lib-tests"
+
+permissions:
+  contents: read
+
+on:
+  pull_request_target:
+    paths:
+      - 'lib/**'
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixpkgs-lib-tests:
+    name: nixpkgs-lib-tests
+    runs-on: ubuntu-latest
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - name: Building Nixpkgs lib-tests
+        run: |
+          nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix

.github/workflows/eval.yml

@@ -16,85 +16,57 @@ permissions:
   contents: read
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   attrs:
     name: Attributes
     runs-on: ubuntu-latest
+    needs: get-merge-commit
+    # Skip this and dependent steps if the PR can't be merged
+    if: needs.get-merge-commit.outputs.mergedSha
     outputs:
-      mergedSha: ${{ steps.merged.outputs.mergedSha }}
       baseSha: ${{ steps.baseSha.outputs.baseSha }}
       systems: ${{ steps.systems.outputs.systems }}
     steps:
-      # Important: Because of `pull_request_target`, this doesn't check out the PR,
-      # but rather the base branch of the PR, which is needed so we don't run untrusted code
-      - name: Check out the ci directory of the base branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: base
-          sparse-checkout: ci
-      - name: Check if the PR can be merged and get the test merge commit
-        id: merged
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_EVENT: ${{ github.event_name }}
-        run: |
-          case "$GH_EVENT" in
-            push)
-              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-              ;;
-            pull_request_target)
-              if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
-                echo "Checking the merge commit $mergedSha"
-                echo "mergedSha=$mergedSha" >> "$GITHUB_OUTPUT"
-              else
-                # Skipping so that no notifications are sent
-                echo "Skipping the rest..."
-              fi
-              ;;
-          esac
-          rm -rf base
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        # Add this to _all_ subsequent steps to skip them
-        if: steps.merged.outputs.mergedSha
         with:
-          ref: ${{ steps.merged.outputs.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           fetch-depth: 2
           path: nixpkgs
 
       - name: Determine base commit
-        if: github.event_name == 'pull_request_target' && steps.merged.outputs.mergedSha
+        if: github.event_name == 'pull_request_target'
         id: baseSha
         run: |
           baseSha=$(git -C nixpkgs rev-parse HEAD^1)
           echo "baseSha=$baseSha" >> "$GITHUB_OUTPUT"
 
       - name: Install Nix
         uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-        if: steps.merged.outputs.mergedSha
 
       - name: Evaluate the list of all attributes and get the systems matrix
         id: systems
-        if: steps.merged.outputs.mergedSha
         run: |
           nix-build nixpkgs/ci -A eval.attrpathsSuperset
           echo "systems=$(<result/systems.json)" >> "$GITHUB_OUTPUT"
 
       - name: Upload the list of all attributes
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: steps.merged.outputs.mergedSha
         with:
           name: paths
           path: result/*
 
   eval-aliases:
     name: Eval nixpkgs with aliases enabled
     runs-on: ubuntu-latest
-    needs: attrs
+    needs: [ attrs, get-merge-commit ]
     steps:
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.attrs.outputs.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           path: nixpkgs
 
       - name: Install Nix
@@ -107,9 +79,7 @@ jobs:
   outpaths:
     name: Outpaths
     runs-on: ubuntu-latest
-    needs: attrs
-    # Skip this and future steps if the PR can't be merged
-    if: needs.attrs.outputs.mergedSha
+    needs: [ attrs, get-merge-commit ]
     strategy:
       matrix:
         system: ${{ fromJSON(needs.attrs.outputs.systems) }}
@@ -123,7 +93,7 @@ jobs:
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.attrs.outputs.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           path: nixpkgs
 
       - name: Install Nix
@@ -141,15 +111,14 @@ jobs:
 
       - name: Upload the output paths and eval stats
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if: needs.attrs.outputs.mergedSha
         with:
           name: intermediate-${{ matrix.system }}
           path: result/*
 
   process:
     name: Process
     runs-on: ubuntu-latest
-    needs: [ outpaths, attrs ]
+    needs: [ outpaths, attrs, get-merge-commit ]
     outputs:
       baseRunId: ${{ steps.baseRunId.outputs.baseRunId }}
     steps:
@@ -162,7 +131,7 @@ jobs:
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.attrs.outputs.mergedSha }}
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           path: nixpkgs
 
       - name: Install Nix
@@ -196,14 +165,14 @@ jobs:
           runId=$(jq .id <<< "$run")
           conclusion=$(jq -r .conclusion <<< "$run")
 
-          while [[ "$conclusion" == null ]]; do
+          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
             echo "Workflow not done, waiting 10 seconds before checking again"
             sleep 10
             conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
           done
 
           if [[ "$conclusion" != "success" ]]; then
-            echo "Workflow was not successful, cannot make comparison"
+            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
             exit 0
           fi
 
@@ -246,6 +215,7 @@ jobs:
     if: needs.process.outputs.baseRunId
     permissions:
       pull-requests: write
+      statuses: write
     steps:
       - name: Download process result
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -285,3 +255,23 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           REPOSITORY: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
+
+      - name: Add eval summary to commit statuses
+        if: ${{ github.event_name == 'pull_request_target' }}
+        run: |
+          description=$(jq -r '
+          "Package: added " + (.attrdiff.added | length | tostring) +
+          ", removed " + (.attrdiff.removed | length | tostring) +
+          ", changed " + (.attrdiff.changed | length | tostring) +
+          ", Rebuild: linux " + (.rebuildCountByKernel.linux | tostring) +
+          ", darwin " + (.rebuildCountByKernel.darwin | tostring)
+          ' <comparison/changed-paths.json)
+          target_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID?pr=$NUMBER"
+          gh api --method POST \
+            -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
+            -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          NUMBER: ${{ github.event.number }}