+1
-1
.github/ISSUE_TEMPLATE/bug_report.md
+1
-1
.github/ISSUE_TEMPLATE/build_failure.md
+1
-1
.github/ISSUE_TEMPLATE/out_of_date_package_report.md
+1
-1
.github/ISSUE_TEMPLATE/unreproducible_package.md
+20
.github/workflows/README.md
···+- Instead of `pull_request` we use [`pull_request_target`](https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) for all PR-related workflows. This has the advantage that those workflows will run without prior approval for external contributors.+- Running on `pull_request_target` also optionally provides us with a GH_TOKEN with elevated privileges (write access), which we need to do things like adding labels, requesting reviewers or pushing branches. **Note about security:** We need to be careful to limit the scope of elevated privileges as much as possible. Thus they should be lowered to the minimum with `permissions: {}` in every workflow by default.+- By definition `pull_request_target` runs in the context of the **base** of the pull request. This means, that the workflow files to run will be taken from the base branch, not the PR, and actions/checkout will not checkout the PR, but the base branch, by default. To protect our secrets, we need to make sure to **never execute code** from the pull request and always evaluate or build nix code from the pull request with the **sandbox enabled**.+- To test the pull request's contents, we checkout the "test merge commit". This is a temporary commit that GitHub creates automatically as "what would happen, if this PR was merged into the base branch now?". The checkout could be done via the virtual branch `refs/pull/<pr-number>/merge`, but doing so would cause failures when this virtual branch doesn't exist (anymore). This can happen when the PR has conflicts, in which case the virtual branch is not created, or when the PR is getting merged while workflows are still running, in which case the branch won't exist anymore at the time of checkout. 
Thus, we use the `get-merge-commit.yml` workflow to check whether the PR is mergeable and the test merge commit exists and only then run the relevant jobs.+- Various workflows need to make comparisons against the base branch. In this case, we checkout the parent of the "test merge commit" for best results. Note, that this is not necessarily the same as the default commit that actions/checkout would use, which is also a commit from the base branch (see above), but might be older.+- **base commit**: The pull_request_target event's context commit, i.e. the base commit given by GitHub Actions. Same as `github.event.pull_request.base.sha`.+- **head commit**: The HEAD commit in the pull request's branch. Same as `github.event.pull_request.head.sha`.+- **merge commit**: The temporary "test merge commit" that GitHub Actions creates and updates for the pull request. Same as `refs/pull/${{ github.event.pull_request.number }}/merge`.
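Review bot: "always evaluate or build nix code from the pull request with the **sandbox enabled**" overstates what `sandbox` protects: it isolates derivation builds, not evaluation, and evaluating PR-controlled Nix can still read files outside the checkout (for example through `builtins.readFile`) unless `restrict-eval` is on, which is exactly what the manual workflows in this same change do with `--option restrict-eval true`. Name both settings here. Likewise, `permissions: {}` only scopes the automatic `GITHUB_TOKEN`; any other secret a `pull_request_target` workflow references is still exposed to the run, so the security note should add that elevated tokens belong only in jobs that never touch PR-controlled files.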
+8
-5
.github/workflows/backport.yml
-31
.github/workflows/basic-eval.yml
···-# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback-# explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset-- run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin" ]'
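Review bot: this deleted job is the only place in the diff where `release-checks` is run (`nix-build pkgs/top-level/release.nix -A release-checks ...`), and the removed comment says the check was kept deliberately cheap and fork-friendly. Nothing visible replaces it; if the check moved into `eval.yml` (which gains 35 lines here), say so in the commit message, otherwise this silently drops the release checks from PR CI.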
+15
-13
.github/workflows/check-cherry-picks.yml
+4
-5
.github/workflows/check-maintainers-sorted.yaml
.github/workflows/check-maintainers-sorted.yml
+17
-14
.github/workflows/check-nix-format.yml
+16
-13
.github/workflows/check-nixf-tidy.yml
············-if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.base }}/"$source")" != '[]' ]] 2>/dev/null; then···
············+if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.target }}/"$source")" != '[]' ]] 2>/dev/null; then···
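Review bot: `${{ env.target }}` is spliced into the `run:` body before bash parses it, sits outside the double quotes that protect `"$source"`, and is therefore subject to word splitting. Because `env:` values are already exported to the step, the same test can read `"$target"/"$source"` and drop the `${{ }}` expression from the shell entirely; that also keeps the `base` to `target` rename from depending on template interpolation inside a `pull_request_target` workflow.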
+14
-15
.github/workflows/check-shell.yml
+50
-51
.github/workflows/codeowners-v2.yml
·········-# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.-# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.-# This is intentional, because we need to request the review of owners as declared in the base branch.-run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
·········+# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.+# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.+# This is intentional, because we need to request the review of owners as declared in the base branch.+run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
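Review bot: the two `# Important:` comment lines say the same thing ("not the PR itself" and "not the PR head"); since this hunk only re-indents them, keep the second and drop the first. The `run:` line builds its arguments from `${{ github.repository }}` and `${{ github.event.number }}`, which are GitHub-controlled and not injectable, but passing them through `env:` would keep `${{ }}` out of shell bodies consistently across these workflows.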
+33
-34
.github/workflows/editorconfig-v2.yml
······-if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"-nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz-< "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'-echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."
······+if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"+nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz+< "$HOME/changed_files" nix-shell -p editorconfig-checker --run 'xargs -r editorconfig-checker -disable-indent-size'+echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."
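Review bot: the `if:` drops `github.repository_owner == 'NixOS'` while `labels.yml` in this same diff keeps that guard. Running a read-only check on forks is reasonable, but the asymmetry deserves a one-line comment (or a README entry) stating that the owner guard is kept only where an elevated token is used. Separately, `nix_path` pins nixpkgs to a fixed-commit tarball URL, which is fine for reproducibility, but be aware that a `NIX_PATH` URL entry is fetched without a content hash, so the pin rests on the git SHA alone.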
+5
-5
.github/workflows/eval-lib-tests.yml
+35
-29
.github/workflows/eval.yml
······························-git -C nixpkgs diff --name-only ${{ needs.attrs.outputs.baseSha }} ${{ needs.attrs.outputs.mergedSha }} \·········
+26
-26
.github/workflows/get-merge-commit.yml
······-if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
······+if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
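Review bot: running `base/ci/get-merge-commit.sh` from the `base/` checkout is the invariant the new README asks for (never execute PR code), but this file is where that logic is centralized, so add a comment on this line saying `base/` is the checkout of `github.event.pull_request.base.sha` and must not be swapped for the merge-commit checkout.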
+9
-9
.github/workflows/labels.yml
······if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
······if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+6
-6
.github/workflows/manual-nixos-v2.yml
······run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
······run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
+6
-6
.github/workflows/manual-nixpkgs-v2.yml
······run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests
······run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests
+33
-35
.github/workflows/nix-parse-v2.yml
······-if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"-| jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
······+if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"+| jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
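Review bot: same owner-guard removal as in `editorconfig-v2.yml`, with `labels.yml` still keeping `github.repository_owner == 'NixOS'`; document once that only token-using workflows keep it. The jq filter `select(.status != "removed" and (.filename | endswith(".nix")))` correctly skips deleted files and still passes renamed `.nix` files, whose content is read from the merge commit, which is the intended behaviour.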
+10
-7
.github/workflows/nixpkgs-vet.yml
···# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.-# Using pull_request_target instead of pull_request avoids having to approve first time contributors.# This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.······# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
···# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.# This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.······# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
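Review bot: the deleted comment ("Using pull_request_target instead of pull_request avoids having to approve first time contributors") was the only in-file explanation of why this workflow uses the elevated trigger; now that the rationale lives in `.github/workflows/README.md`, replace it with a one-line pointer to that README instead of letting the remaining comment start mid-thought at "This workflow depends on the base branch of the PR".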
+7
-7
.github/workflows/no-channel.yml
+8
-26
.github/workflows/periodic-merge-24h.yml
·········-Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+6
-26
.github/workflows/periodic-merge-6h.yml
·········-Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
-59
.github/workflows/periodic-merge-haskell-updates.yml
···-Periodic merge from `${{ steps.find_merge_base_step.outputs.merge_base }}` into `haskell-updates` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+50
.github/workflows/periodic-merge.yml
···+description: Branch to merge into target branch. Can also be two branches separated by space to find the merge base between them.+merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")"+Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
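Review bot: `merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")"` indexes `branches[1]`, yet the input description says a single branch is also valid; guard this with a check on `${#branches[@]}` so the single-branch case takes the plain merge path instead of failing (under `set -u`, with an unbound-variable error). Because `inputs.from` now feeds both the git refs and the failure text `Periodic merge from \`${{ inputs.from }}\` into \`${{ inputs.into }}\` has failed`, validate it against the expected branch names before use, and if that text is ever emitted from a `run:` step pass it through `env:` rather than `${{ }}`.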
+1
-4
nixos/modules/programs/wayland/sway.nix
···"Using Sway with Nvidia driver version <= 550 may result in a broken system. Configure hardware.nvidia.package to use a newer version."
···+&& (lib.versionOlder (lib.versions.major (lib.getVersion config.hardware.nvidia.package)) "551")"Using Sway with Nvidia driver version <= 550 may result in a broken system. Configure hardware.nvidia.package to use a newer version."
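Review bot: `lib.versionOlder` already compares version strings component-wise, so `lib.versionOlder (lib.getVersion config.hardware.nvidia.package) "551"` gives the same answer as the `lib.versions.major` form for any `550.x` release, reads directly as "older than 551" to match the "<= 550" wording of the warning, and would not evaluate `lib.versions.major` on an empty version string (which errors, since `major` takes the first element of `splitVersion`).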
+2
-2
pkgs/applications/networking/mailreaders/thunderbird/packages.nix
···-sha512 = "cbfd4b1a7245c2a2f6ef9b2cf69d95a8095eba855755d00fd397351b21ad504733084d6f41801f4114be7015332b8db65e5290bec45f5321efc753412b9acecc";
···+sha512 = "a561eac0bf0b8c72f3337ccebcde9099c342d1b31ce2b1f31096f1f805a195c49d627cf726cd56d41b21ec292d96fd577e8f226fcb24d8b13e0d773fc334b073";
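Review bot: only the `sha512` line is visible here; the version bump that goes with it is not in the excerpt. For a Mozilla binary release, record in the commit message where the hash came from (upstream's signed checksum list versus a local `nix-prefetch-url`), since a hash taken from the downloaded artifact itself only proves reproducibility, not provenance.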
+2
-2
pkgs/by-name/bu/bup/package.nix
+7
-11
pkgs/by-name/fa/faraday-cli/package.nix
+16
-10
pkgs/by-name/he/hentai-at-home/package.nix
···-hash = "sha512-kBB5mn9MwpkZ0z+Fl5ABs4YWBkXkMRcADYSAPkeifyhbYQQPOnijXKYZCkzE4UB3uQ1j6Kj6WnpO/4jquYEiOQ==";······
···+hash = "sha512-dcHWZiU0ySLlEhZeK1n2T/dyO6Wk9eS7CpZRSfzY3KvHrPBthQnaFrarSopPXJan1+zWROu1pEff1WSr5+HO4Q==";······
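Review bot: the SRI `hash` changes and the file grows by six lines net, but the `version` line is not in the excerpt. If the version did not change, a new hash at the same version means the upstream artifact was replaced in place and the commit message should say why; if it did change, state the new version in the message so the hash change is obviously tied to it.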
+47
pkgs/by-name/ke/keyscope/package.nix
+7
-11
pkgs/by-name/ni/nixos-option/package.nix
+5
-5
pkgs/by-name/pd/pdfium-binaries/package.nix
+3
-3
pkgs/by-name/pi/pik/package.nix
+3
-3
pkgs/by-name/sc/screenly-cli/package.nix
+2
-2
pkgs/by-name/sm/smbmap/package.nix
+3
-3
pkgs/by-name/st/static-web-server/package.nix
···buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ darwin.apple_sdk.frameworks.Security ];
···buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ darwin.apple_sdk.frameworks.Security ];
+9
-9
pkgs/by-name/sy/sysdig-cli-scanner/sysdig-cli-scanner.versions.nix
···-url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.18.0/linux/amd64/sysdig-cli-scanner";-url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.18.0/linux/arm64/sysdig-cli-scanner";-url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.18.0/darwin/amd64/sysdig-cli-scanner";-url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.18.0/darwin/arm64/sysdig-cli-scanner";
···+url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/v1.19.0/linux/amd64/sysdig-cli-scanner";+url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/v1.19.0/linux/arm64/sysdig-cli-scanner";+url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/v1.19.0/darwin/amd64/sysdig-cli-scanner";+url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/v1.19.0/darwin/arm64/sysdig-cli-scanner";
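Review bot: every URL moves from `.../sysdig-cli-scanner/1.18.0/...` to `.../sysdig-cli-scanner/v1.19.0/...`, so the upstream path layout changed along with the version. If this `.versions.nix` is generated by an update script that builds the URL from the version string, that script needs the `v` prefix too or the next bump will regress; a short comment noting the layout change would spare the next maintainer the search. Also confirm the four per-platform hashes were updated alongside the URLs (the +9/-9 count suggests they were).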
+2
-2
pkgs/development/python-modules/cyclopts/default.nix
+20
-11
pkgs/development/python-modules/freetype-py/default.nix
+2
-2
pkgs/development/python-modules/minio/default.nix
+2
-2
pkgs/development/python-modules/nibe/default.nix
+1
-1
pkgs/development/python-modules/ohmepy/default.nix
pkgs/development/python-modules/ohme/default.nix
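Review bot: renaming `python-modules/ohmepy` to `ohme` (together with the matching +1/-1 in `pkgs/top-level/python-packages.nix`) breaks any out-of-tree reference to `python3Packages.ohmepy`; add an alias in `pkgs/top-level/python-aliases.nix` pointing the old attribute at the new one, with a removal date, unless the old name was never in a release.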
+21
-12
pkgs/development/python-modules/periodictable/default.nix
+2
-2
pkgs/development/python-modules/strawberry-graphql/default.nix
+1
-1
pkgs/development/tools/rust/rustup/0001-dynamically-patchelf-binaries.patch
+3
-1
pkgs/servers/home-assistant/component-packages.nix
-53
pkgs/tools/security/keyscope/default.nix
-4
pkgs/top-level/all-packages.nix
+1
-1
pkgs/top-level/python-packages.nix