Merge branch 'NixOS:master' into master

.github/workflows/codeowners.yml

@@ -25,6 +25,13 @@ jobs:
     steps:
     - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 
+    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      if: github.repository_owner == 'NixOS'
+      with:
+        # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
+        name: nixpkgs-ci
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
     # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
     # We later build and run code from the base branch with access to secrets,
     # so it's important this is not the PRs code.

.github/workflows/nixpkgs-vet.yml

@@ -26,52 +26,22 @@ jobs:
     # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
     timeout-minutes: 10
     steps:
-      # This step has to be in this file, because it's needed to determine which revision of the repository to fetch, and we can only use other files from the repository once it's fetched.
+      # This checks out the base branch because of pull_request_target
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          path: base
+          sparse-checkout: ci
       - name: Resolving the merge commit
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          # This checks for mergeability of a pull request as recommended in
-          # https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests
-
-          # Retry the API query this many times
-          retryCount=5
-          # Start with 5 seconds, but double every retry
-          retryInterval=5
-          while true; do
-            echo "Checking whether the pull request can be merged"
-            prInfo=$(gh api \
-              -H "Accept: application/vnd.github+json" \
-              -H "X-GitHub-Api-Version: 2022-11-28" \
-              /repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }})
-            mergeable=$(jq -r .mergeable <<< "$prInfo")
-            mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")
-
-            if [[ "$mergeable" == "null" ]]; then
-              if (( retryCount == 0 )); then
-                echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
-                exit 1
-              else
-                (( retryCount -= 1 )) || true
-
-                # null indicates that GitHub is still computing whether it's mergeable
-                # Wait a couple seconds before trying again
-                echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
-                sleep "$retryInterval"
-
-                (( retryInterval *= 2 )) || true
-              fi
-            else
-              break
-            fi
-          done
-
-          if [[ "$mergeable" == "true" ]]; then
-            echo "The PR can be merged, checking the merge commit $mergedSha"
+          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+            echo "Checking the merge commit $mergedSha"
             echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
           else
-            echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."
+            echo "Skipping the rest..."
           fi
+          rm -rf base
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         if: env.mergedSha
         with:

ci/OWNERS

@@ -267,9 +267,11 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/modules/services/mail/rspamd.nix     @peti
 
 # Emacs
-/pkgs/applications/editors/emacs/elisp-packages @adisbladis
-/pkgs/applications/editors/emacs                @adisbladis
-/pkgs/top-level/emacs-packages.nix              @adisbladis
+/pkgs/applications/editors/emacs/elisp-packages @NixOS/emacs
+/pkgs/applications/editors/emacs                @NixOS/emacs
+/pkgs/top-level/emacs-packages.nix              @NixOS/emacs
+/doc/packages/emacs.section.md                  @NixOS/emacs
+/nixos/modules/services/editors/emacs.md        @NixOS/emacs
 
 # Kakoune
 /pkgs/applications/editors/kakoune     @philiptaron

ci/README.md

@@ -41,3 +41,58 @@ Why not just build the tooling right from the PRs Nixpkgs version?
 - Because it improves security, since we don't have to build potentially untrusted code from PRs.
   The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
 
+## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
+
+Check whether a PR is mergeable and return the test merge commit as
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests).
+
+Arguments:
+- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
+- `PR_NUMBER`: The PR number, e.g. `1234`
+
+Exit codes:
+- 0: The PR can be merged, the test merge commit hash is returned on stdout
+- 1: The PR cannot be merged because it's not open anymore
+- 2: The PR cannot be merged because it has a merge conflict
+- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
+
+### Usage
+
+This script can be used in GitHub Actions workflows as follows:
+
+```yaml
+on: pull_request_target
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      # Important: Because of `pull_request_target`, this doesn't check out the PR,
+      # but rather the base branch of the PR, which is needed so we don't run untrusted code
+      - uses: actions/checkout@<VERSION>
+        with:
+          path: base
+          sparse-checkout: ci
+      - name: Resolving the merge commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+            echo "Checking the merge commit $mergedSha"
+            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
+          else
+            # Skipping so that no notifications are sent
+            echo "Skipping the rest..."
+          fi
+          rm -rf base
+      - uses: actions/checkout@<VERSION>
+        # Add this to _all_ subsequent steps to skip them
+        if: env.mergedSha
+        with:
+          ref: ${{ env.mergedSha }}
+      - ...
+```

ci/get-merge-commit.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# See ./README.md for docs
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( $# < 2 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER"
+    exit 99
+fi
+repo=$1
+prNumber=$2
+
+# Retry the API query this many times
+retryCount=5
+# Start with 5 seconds, but double every retry
+retryInterval=5
+
+while true; do
+    log "Checking whether the pull request can be merged"
+    prInfo=$(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$repo/pulls/$prNumber")
+
+    # Non-open PRs won't have their mergeability computed no matter what
+    state=$(jq -r .state <<< "$prInfo")
+    if [[ "$state" != open ]]; then
+        log "PR is not open anymore"
+        exit 1
+    fi
+
+    mergeable=$(jq -r .mergeable <<< "$prInfo")
+    if [[ "$mergeable" == "null" ]]; then
+        if (( retryCount == 0 )); then
+            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+            exit 3
+        else
+            (( retryCount -= 1 )) || true
+
+            # null indicates that GitHub is still computing whether it's mergeable
+            # Wait a couple seconds before trying again
+            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+            sleep "$retryInterval"
+
+            (( retryInterval *= 2 )) || true
+        fi
+    else
+        break
+    fi
+done
+
+if [[ "$mergeable" == "true" ]]; then
+    log "The PR can be merged"
+    jq -r .merge_commit_sha <<< "$prInfo"
+else
+    log "The PR has a merge conflict"
+    exit 2
+fi

ci/request-reviews/get-reviewers.sh

@@ -35,6 +35,7 @@ log "This PR touches ${#touchedFiles[@]} files"
 git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
 
 # Associative array with the user as the key for easy de-duplication
+# Make sure to always lowercase keys to avoid duplicates with different casings
 declare -A users=()
 
 for file in "${touchedFiles[@]}"; do
@@ -87,20 +88,20 @@ for file in "${touchedFiles[@]}"; do
             log "Team $entry has these members: ${members[*]}"
 
             for user in "${members[@]}"; do
-                users[$user]=
+                users[${user,,}]=
             done
         else
             # Everything else is a user
-            users[$entry]=
+            users[${entry,,}]=
         fi
     done
 
 done
 
 # Cannot request a review from the author
-if [[ -v users[$prAuthor] ]]; then
+if [[ -v users[${prAuthor,,}] ]]; then
     log "One or more files are owned by the PR author, ignoring"
-    unset 'users[$prAuthor]'
+    unset 'users[${prAuthor,,}]'
 fi
 
 gh api \
@@ -111,9 +112,9 @@ gh api \
 
 # And we don't want to rerequest reviews from people who already reviewed
 while read -r user; do
-    if [[ -v users[$user] ]]; then
+    if [[ -v users[${user,,}] ]]; then
         log "User $user is a code owner but has already left a review, ignoring"
-        unset 'users[$user]'
+        unset 'users[${user,,}]'
     fi
 done < "$tmp/already-reviewed-by"
 

ci/request-reviews/request-reviews.sh

@@ -60,9 +60,8 @@ git -C "$tmp/nixpkgs.git" remote add fork https://github.com/"$prRepo".git
 git -C "$tmp/nixpkgs.git" config remote.fork.partialclonefilter tree:0
 git -C "$tmp/nixpkgs.git" config remote.fork.promisor true
 
-# Our local branches mirror Nixpkgs, so make sure to not try to update any to avoid conflicts
 git -C "$tmp/nixpkgs.git" fetch --no-tags fork "$prBranch"
-headRef=$(git -C "$tmp/nixpkgs.git" rev-parse HEAD)
+headRef=$(git -C "$tmp/nixpkgs.git" rev-parse refs/remotes/fork/"$prBranch")
 
 log "Checking correctness of the base branch"
 if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRepo" "$baseBranch" "$prRepo" "$prBranch" | tee "$tmp/invalid-base-error" >&2; then

maintainers/maintainer-list.nix

@@ -960,6 +960,12 @@
     githubId = 49609151;
     name = "Popa Ioan Alexandru";
   };
+  alexandru0-dev = {
+    email = "[email protected]";
+    github = "alexandru0-dev";
+    githubId = 45104896;
+    name = "Alexandru Nechita";
+  };
   alexarice = {
     email = "[email protected]";
     github = "alexarice";
@@ -7669,6 +7675,12 @@
     githubId = 111183546;
     keys = [ { fingerprint = "58CE D4BE 6B10 149E DA80  A990 2F48 6356 A4CB 30F3"; } ];
   };
+  genga898 = {
+    email = "[email protected]";
+    github = "genga898";
+    githubId = 84174227;
+    name = "Emmanuel Genga";
+  };
   genofire = {
     name = "genofire";
     email = "[email protected]";
@@ -18391,6 +18403,18 @@
     githubId = 1217934;
     name = "José Romildo Malaquias";
   };
+  romner-set = {
+    email = "[email protected]";
+    github = "romner-set";
+    githubId = 41077433;
+    name = "romner-set";
+    keys = [
+      {
+        # uploaded to https://keys.openpgp.org
+        fingerprint = "4B75 244B 0279 9598 FF3B  C21F 95FC 58F1 8CFD FAB0";
+      }
+    ];
+  };
   ronanmacf = {
     email = "[email protected]";
     github = "RonanMacF";

maintainers/team-list.nix

@@ -278,7 +278,11 @@ with lib.maintainers;
   };
 
   emacs = {
-    members = [ adisbladis ];
+    members = [
+      AndersonTorres
+      adisbladis
+      linj
+    ];
     scope = "Maintain the Emacs editor and packages.";
     shortName = "Emacs";
   };

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -207,6 +207,10 @@
 
 - `deno` has been updated to v2 which has breaking changes. Upstream will be abandoning v1 soon but for now you can use `deno_1` if you are yet to migrate (will be removed prior to cutting a final 24.11 release).
 
+- `gogs` has been removed. Upstream development has stalled and it has several
+  [critical vulnerabilities](https://github.com/gogs/gogs/issues/7777) that weren't addressed
+  within a year. Consider migrating to `forgejo` or `gitea`.
+
 - `knot-dns` has been updated to version 3.4.x. Check the [migration guide](https://www.knot-dns.cz/docs/latest/html/migration.html#upgrade-3-3-x-to-3-4-x) for breaking changes.
 
 - `services.kubernetes.kubelet.clusterDns` now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.
@@ -685,6 +689,9 @@
 
 - ZFS now imports its pools in `postResumeCommands` rather than `postDeviceCommands`. If you had `postDeviceCommands` scripts that depended on ZFS pools being imported, those now need to be in `postResumeCommands`.
 
+- `services.automatic-timezoned.enable = true` will now set `time.timeZone = null`.
+  This is to avoid silently shadowing a user's explicitly defined timezone without recognition on the user's part.
+
 - `services.localtimed.enable = true` will now set `time.timeZone = null`.
   This is to avoid silently shadowing a user's explicitly defined timezone without recognition on the user's part.
 

nixos/modules/hardware/video/webcam/ipu6.nix

@@ -26,9 +26,9 @@ in
 
   config = mkIf cfg.enable {
 
-    # Module is upstream as of 6.10
-    boot.extraModulePackages = with config.boot.kernelPackages;
-      optional (kernelOlder "6.10") ipu6-drivers;
+    # Module is upstream as of 6.10,
+    # but still needs various out-of-tree i2c and the `intel-ipu6-psys` kernel driver
+    boot.extraModulePackages = with config.boot.kernelPackages; [ ipu6-drivers ];
 
     hardware.firmware = with pkgs; [
       ipu6-camera-bins

nixos/modules/misc/ids.nix

@@ -296,7 +296,7 @@ in
       sickbeard = 265;
       headphones = 266;
       # couchpotato = 267; # unused, removed 2022-01-01
-      gogs = 268;
+      # gogs = 268; # unused, removed in 2024-10-12
       #pdns-recursor = 269; # dynamically allocated as of 2020-20-18
       #kresd = 270; # switched to "knot-resolver" with dynamic ID
       rpc = 271;
@@ -607,7 +607,7 @@ in
       sickbeard = 265;
       headphones = 266;
       # couchpotato = 267; # unused, removed 2022-01-01
-      gogs = 268;
+      # gogs = 268; # unused, removed in 2024-10-12
       #kresd = 270; # switched to "knot-resolver" with dynamic ID
       #rpc = 271; # unused
       #geoip = 272; # unused

nixos/modules/module-list.nix

@@ -759,7 +759,6 @@
   ./services/misc/gitlab.nix
   ./services/misc/gitolite.nix
   ./services/misc/gitweb.nix
-  ./services/misc/gogs.nix
   ./services/misc/gollum.nix
   ./services/misc/gotenberg.nix
   ./services/misc/gpsd.nix