diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 6621fd8ec8c88..0c8548d05deb7 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -15,7 +15,7 @@ jobs:
   backport:
     name: Backport Pull Request
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
diff --git a/.github/workflows/check-cherry-picks.yml b/.github/workflows/check-cherry-picks.yml
index 1759aa5833b24..f74c83cb6ddf1 100644
--- a/.github/workflows/check-cherry-picks.yml
+++ b/.github/workflows/check-cherry-picks.yml
@@ -12,7 +12,7 @@ permissions: {}
 jobs:
   check:
     name: cherry-pick-check
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml
index ca3da602575b1..caa6db054e154 100644
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -12,7 +12,7 @@ jobs:
 
   nixos:
     name: fmt-check
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: get-merge-commit
     if: needs.get-merge-commit.outputs.mergedSha
     steps:
diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml
index d148563c43110..c8ecf553f1071 100644
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@@ -16,6 +16,10 @@ jobs:
         include:
           - runner: ubuntu-24.04
             system: x86_64-linux
+          - runner: ubuntu-24.04-arm
+            system: aarch64-linux
+          - runner: macos-13
+            system: x86_64-darwin
           - runner: macos-14
             system: aarch64-darwin
 
@@ -30,4 +34,4 @@ jobs:
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
 
       - name: Build shell
-        run: nix-build shell.nix
+        run: nix-build ci -A shell
diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml
index 98c769236b221..3c0e49afb5c78 100644
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -41,7 +41,7 @@ jobs:
   # Check that code owners is valid
   check:
     name: Check
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: get-merge-commit
     if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
     steps:
@@ -89,7 +89,7 @@ jobs:
   # Request reviews from code owners
   request:
     name: Request
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     if: github.repository_owner == 'NixOS'
     steps:
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
diff --git a/.github/workflows/eval-aliases.yml b/.github/workflows/eval-aliases.yml
index d9f527d0e7e21..8dfb298c6da8c 100644
--- a/.github/workflows/eval-aliases.yml
+++ b/.github/workflows/eval-aliases.yml
@@ -11,7 +11,7 @@ jobs:
 
   eval-aliases:
     name: Eval nixpkgs with aliases enabled
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: [ get-merge-commit ]
     steps:
       - name: Check out the PR at the test merge commit
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index 29ffedea5b5c1..8cc523d1bef30 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -21,7 +21,7 @@ jobs:
 
   attrs:
     name: Attributes
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: get-merge-commit
     if: needs.get-merge-commit.outputs.mergedSha
     outputs:
@@ -61,7 +61,7 @@ jobs:
 
   outpaths:
     name: Outpaths
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: [ attrs, get-merge-commit ]
     strategy:
       fail-fast: false
@@ -70,10 +70,10 @@ jobs:
     steps:
       - name: Enable swap
         run: |
-          sudo fallocate -l 10G /swapfile
-          sudo chmod 600 /swapfile
-          sudo mkswap /swapfile
-          sudo swapon /swapfile
+          sudo fallocate -l 10G /swap
+          sudo chmod 600 /swap
+          sudo mkswap /swap
+          sudo swapon /swap
 
       - name: Download the list of all attributes
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -110,7 +110,7 @@ jobs:
 
   process:
     name: Process
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: [ outpaths, attrs, get-merge-commit ]
     outputs:
       targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
@@ -196,7 +196,7 @@ jobs:
           # Use the target branch to get accurate maintainer info
           nix-build target/ci -A eval.compare \
             --arg beforeResultDir ./targetResult \
-            --arg afterResultDir $(realpath prResult) \
+            --arg afterResultDir "$(realpath prResult)" \
             --arg touchedFilesJson ./touched-files.json \
             -o comparison
 
@@ -212,7 +212,7 @@ jobs:
   # Separate job to have a very tightly scoped PR write token
   tag:
     name: Tag
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: [ attrs, process ]
     if: needs.process.outputs.targetRunId
     permissions:
diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml
index a32595ae1ad44..cb38438cae3b3 100644
--- a/.github/workflows/get-merge-commit.yml
+++ b/.github/workflows/get-merge-commit.yml
@@ -11,7 +11,7 @@ permissions: {}
 
 jobs:
   resolve-merge-commit:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     outputs:
       mergedSha: ${{ steps.merged.outputs.mergedSha }}
     steps:
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index e3423ce169f47..d183985f07085 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -16,7 +16,7 @@ permissions:
 jobs:
   labels:
     name: label-pr
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/lib-tests.yml
similarity index 90%
rename from .github/workflows/eval-lib-tests.yml
rename to .github/workflows/lib-tests.yml
index 722371ac19a29..0643f980381b4 100644
--- a/.github/workflows/eval-lib-tests.yml
+++ b/.github/workflows/lib-tests.yml
@@ -28,4 +28,4 @@ jobs:
 
       - name: Building Nixpkgs lib-tests
         run: |
-          nix-build --arg pkgs "(import ./ci/. {}).pkgs" ./lib/tests/release.nix
+          nix-build ci -A lib-tests
diff --git a/.github/workflows/lint-actions.sh b/.github/workflows/lint-actions.sh
deleted file mode 100755
index 43d6e801caf68..0000000000000
--- a/.github/workflows/lint-actions.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p bash actionlint shellcheck -I nixpkgs=../..
-set -euo pipefail
-
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-cd "$SCRIPT_DIR/../.."
-actionlint
diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml
index 26fa03aba9b46..fd0f91e2e0c7d 100644
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -22,12 +22,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        system:
-          - x86_64-linux
-          - aarch64-linux
-    runs-on: >-
-      ${{ (matrix.system == 'x86_64-linux' && 'ubuntu-24.04')
-      || (matrix.system == 'aarch64-linux' && 'ubuntu-24.04-arm') }}
+        include:
+          - runner: ubuntu-24.04
+            system: x86_64-linux
+          - runner: ubuntu-24.04-arm
+            system: aarch64-linux
+    runs-on: ${{ matrix.runner }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -46,7 +46,7 @@ jobs:
 
       - name: Build NixOS manual
         id: build-manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.${{ matrix.system }}
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixos --argstr system ${{ matrix.system }}
 
       - name: Upload NixOS manual
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml
index a97bd0aac7194..f899ad409d50f 100644
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -7,14 +7,14 @@ on:
     paths:
       - 'doc/**'
       - 'lib/**'
-      - 'pkgs/tools/nix/nixdoc/**'
+      - 'pkgs/by-name/ni/nixdoc/**'
 
 permissions: {}
 
 jobs:
   nixpkgs:
     name: nixpkgs-manual-build
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -32,4 +32,4 @@ jobs:
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
       - name: Building Nixpkgs manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixpkgs -A manual-nixpkgs-tests
diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml
index cc988e20bd6eb..aec48b0ac7683 100644
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -11,37 +11,20 @@ jobs:
 
   tests:
     name: nix-files-parseable-check
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     needs: get-merge-commit
     if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - name: Get list of changed files from PR
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh api \
-            repos/${{ github.repository }}/pulls/${{github.event.number}}/files --paginate \
-            | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
-            > "$HOME/changed_files"
-          if [[ -s "$HOME/changed_files" ]]; then
-            echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
-          fi
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
-        if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
           extra_nix_config: sandbox = true
           nix_path: nixpkgs=channel:nixpkgs-unstable
 
-      - name: Parse all changed or added nix files
+      - name: Parse all nix files
         run: |
-          ret=0
-          while IFS= read -r file; do
-            out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
-          done < "$HOME/changed_files"
-          exit "$ret"
-        if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
+          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
+          nix-build ci -A parse --keep-going
diff --git a/.github/workflows/no-channel.yml b/.github/workflows/no-channel.yml
index ce0d50fed15d6..c5eae3c94e7d9 100644
--- a/.github/workflows/no-channel.yml
+++ b/.github/workflows/no-channel.yml
@@ -13,7 +13,7 @@ jobs:
       startsWith(github.event.pull_request.base.ref, 'nixos-') ||
       startsWith(github.event.pull_request.base.ref, 'nixpkgs-')
     name: "This PR is targeting a channel branch"
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     steps:
       - run: |
           cat <<EOF
diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml
index 7b0bb953da731..2018a4bd94b2f 100644
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -14,7 +14,7 @@ on:
 
 jobs:
   merge:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     name: ${{ inputs.from }} → ${{ inputs.into }}
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
diff --git a/ci/default.nix b/ci/default.nix
index 9d0fff7d119a6..619580035392b 100644
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -44,6 +44,8 @@ let
         # By default it's info, which is too noisy since we have many unmatched files
         settings.on-unmatched = "debug";
 
+        programs.actionlint.enable = true;
+
         programs.keep-sorted.enable = true;
 
         # This uses nixfmt-rfc-style underneath,
@@ -79,4 +81,16 @@ in
   requestReviews = pkgs.callPackage ./request-reviews { };
   codeownersValidator = pkgs.callPackage ./codeowners-validator { };
   eval = pkgs.callPackage ./eval { };
+
+  # CI jobs
+  lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
+  manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
+  manual-nixpkgs = (import ../pkgs/top-level/release.nix { }).manual;
+  manual-nixpkgs-tests = (import ../pkgs/top-level/release.nix { }).manual.tests;
+  parse = pkgs.lib.recurseIntoAttrs {
+    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
+    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
+    minimum = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.minimum; };
+  };
+  shell = import ../shell.nix { inherit nixpkgs system; };
 }
diff --git a/ci/parse.nix b/ci/parse.nix
new file mode 100644
index 0000000000000..26ac0f785fd44
--- /dev/null
+++ b/ci/parse.nix
@@ -0,0 +1,43 @@
+{
+  lib,
+  nix,
+  runCommand,
+}:
+let
+  nixpkgs =
+    with lib.fileset;
+    toSource {
+      root = ../.;
+      fileset = (fileFilter (file: file.hasExt "nix") ../.);
+    };
+in
+runCommand "nix-parse-${nix.name}"
+  {
+    nativeBuildInputs = [
+      nix
+    ];
+  }
+  ''
+    export NIX_STORE_DIR=$TMPDIR/store
+    export NIX_STATE_DIR=$TMPDIR/state
+
+    cd "${nixpkgs}"
+
+    # Passes all files to nix-instantiate at once.
+    # Much faster, but will only show first error.
+    parse-all() {
+      find . -type f -iname '*.nix' | xargs -P $(nproc) nix-instantiate --parse >/dev/null 2>/dev/null
+    }
+
+    # Passes each file separately to nix-instantiate with -n1.
+    # Much slower, but will show all errors.
+    parse-each() {
+      find . -type f -iname '*.nix' | xargs -n1 -P $(nproc) nix-instantiate --parse >/dev/null
+    }
+
+    if ! parse-all; then
+      parse-each
+    fi
+
+    touch $out
+  ''
diff --git a/nixos/tests/scion/freestanding-deployment/default.nix b/nixos/tests/scion/freestanding-deployment/default.nix
index ca6c7cffc30eb..7dbd10c225a5e 100644
--- a/nixos/tests/scion/freestanding-deployment/default.nix
+++ b/nixos/tests/scion/freestanding-deployment/default.nix
@@ -23,7 +23,7 @@ import ../../make-test-python.nix (
           networkConfig.Address = "192.168.1.${toString hostId}/24";
         };
         environment.etc = {
-          "scion/topology.json".source = ./topology${toString hostId}.json;
+          "scion/topology.json".source = ./topology + "${toString hostId}.json";
           "scion/crypto/as".source = trust-root-configuration-keys + "/AS${toString hostId}";
           "scion/certs/ISD42-B1-S1.trc".source = trust-root-configuration-keys + "/ISD42-B1-S1.trc";
           "scion/keys/master0.key".text = "U${toString hostId}v4k23ZXjGDwDofg/Eevw==";
diff --git a/pkgs/test/make-binary-wrapper/default.nix b/pkgs/test/make-binary-wrapper/default.nix
index 6f086de299a0b..715b28f912e49 100644
--- a/pkgs/test/make-binary-wrapper/default.nix
+++ b/pkgs/test/make-binary-wrapper/default.nix
@@ -20,7 +20,7 @@ let
     runCommand "make-binary-wrapper-test-${testname}" env ''
       mkdir -p tmp/foo # for the chdir test
 
-      source=${./${testname}}
+      source=${./. + "/${testname}"}
 
       params=$(<"$source/${testname}.cmdline")
       eval "makeCWrapper /send/me/flags $params" > wrapper.c