[24.11]: Backport scheduled workflows

.github/workflows/backport.yml

@@ -22,8 +22,8 @@ jobs:
       - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
-          app-id: ${{ vars.BACKPORT_APP_ID }}
-          private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/periodic-merge-24h.yml

@@ -7,24 +7,18 @@
 
 name: "Periodic Merges (24h)"
 
-
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
     # Merge every 24 hours
     - cron:  '0 0 * * *'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   periodic-merge:
-    permissions:
-      contents: write  # for devmasx/merge-branch to merge branches
-      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
-    runs-on: ubuntu-24.04
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -33,28 +27,14 @@ jobs:
       max-parallel: 1
       matrix:
         pairs:
-          - from: master
+          - from: release-24.11
+            into: staging-next-24.11
+          - from: staging-next-24.11
+            into: staging-24.11
+          - from: master staging
             into: haskell-updates
-          - from: release-24.05
-            into: staging-next-24.05
-          - from: staging-next-24.05
-            into: staging-24.05
-    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
-        with:
-          type: now
-          from_branch: ${{ matrix.pairs.from }}
-          target_branch: ${{ matrix.pairs.into }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Comment on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-        if: ${{ failure() }}
-        with:
-          issue-number: 105153
-          body: |
-            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+    uses: ./.github/workflows/periodic-merge.yml
+    with:
+      from: ${{ matrix.pairs.from }}
+      into: ${{ matrix.pairs.into }}
+    secrets: inherit

.github/workflows/periodic-merge-6h.yml

@@ -7,24 +7,18 @@
 
 name: "Periodic Merges (6h)"
 
-
 on:
   schedule:
     # * is a special character in YAML so you have to quote this string
     # Merge every 6 hours
     - cron:  '0 */6 * * *'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   periodic-merge:
-    permissions:
-      contents: write  # for devmasx/merge-branch to merge branches
-      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
-    runs-on: ubuntu-24.04
     strategy:
       # don't fail fast, so that all pairs are tried
       fail-fast: false
@@ -37,22 +31,8 @@ jobs:
             into: staging-next
           - from: staging-next
             into: staging
-    name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
-        with:
-          type: now
-          from_branch: ${{ matrix.pairs.from }}
-          target_branch: ${{ matrix.pairs.into }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Comment on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-        if: ${{ failure() }}
-        with:
-          issue-number: 105153
-          body: |
-            Periodic merge from `${{ matrix.pairs.from }}` into `${{ matrix.pairs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+    uses: ./.github/workflows/periodic-merge.yml
+    with:
+      from: ${{ matrix.pairs.from }}
+      into: ${{ matrix.pairs.into }}
+    secrets: inherit

.github/workflows/periodic-merge.yml

@@ -0,0 +1,58 @@
+name: "Merge"
+
+on:
+  workflow_call:
+    inputs:
+      from:
+        description: Branch to merge into target branch. Can also be two branches separated by space to find the merge base between them.
+        required: true
+        type: string
+      into:
+        description: Target branch to merge into.
+        required: true
+        type: string
+
+jobs:
+  merge:
+    runs-on: ubuntu-24.04
+    name: ${{ inputs.from }} → ${{ inputs.into }}
+    steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
+        with:
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Find merge base between two branches
+        if: contains(inputs.from, ' ')
+        id: merge_base
+        env:
+          branches: ${{ inputs.from }}
+        run: |
+          # turn into bash array, split on space
+          read -ra branches <<< "$branches"
+          git fetch --shallow-since="1 month ago" origin "${branches[@]}"
+          merge_base="$(git merge-base "refs/remotes/origin/${branches[0]}" "refs/remotes/origin/${branches[1]}")"
+          echo "Found merge base: $merge_base" >&2
+          echo "merge_base=$merge_base" >> "$GITHUB_OUTPUT"
+
+      - name: ${{ inputs.from }} → ${{ inputs.into }}
+        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        with:
+          type: now
+          from_branch: ${{ steps.merge_base.outputs.merge_base || inputs.from }}
+          target_branch: ${{ inputs.into }}
+          github_token: ${{ steps.app-token.outputs.token }}
+
+      - name: Comment on failure
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        if: ${{ failure() }}
+        with:
+          issue-number: 105153
+          body: |
+            Periodic merge from `${{ inputs.from }}` into `${{ inputs.into }}` has [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+          token: ${{ steps.app-token.outputs.token }}

ci/pinned-nixpkgs.json

@@ -1,4 +1,4 @@
 {
-  "rev": "929116e316068c7318c54eb4d827f7d9756d5e9c",
-  "sha256": "1am61kcakn9j47435k4cgsarvypb8klv4avszxza0jn362hp3ck8"
+  "rev": "5757bbb8bd7c0630a0cc4bb19c47e588db30b97c",
+  "sha256": "0px0lr7ad2zrws400507c9w5nnaffz9mp9hqssm64icdm6f6h0fz"
 }

ci/request-reviews/dev-branches.txt

@@ -6,3 +6,4 @@ staging
 release-*
 staging-*
 haskell-updates
+python-updates