NixOS · wolfgangwalther · Oct 27, 2025 · Apr 6, 2025 · Apr 6, 2025
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -40,6 +40,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Log current API rate limits
         env:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -46,6 +46,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -34,6 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           path: trusted
           sparse-checkout: |
             ci/github-script
@@ -73,6 +74,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout merge and target commits
         uses: ./.github/actions/checkout

diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
@@ -34,13 +34,15 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           path: trusted
           sparse-checkout: |
             ci/supportedVersions.nix
 
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           ref: ${{ inputs.mergedSha }}
           path: untrusted
           sparse-checkout: |
@@ -84,6 +86,7 @@ jobs:
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Check out the PR at merged and target commits
         uses: ./.github/actions/checkout
@@ -155,6 +158,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Check out the PR at the target commit
         uses: ./.github/actions/checkout
@@ -181,8 +185,9 @@ jobs:
       - name: Compare against the target branch
         env:
           AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+          TARGET_SHA: ${{ inputs.mergedSha }}
         run: |
-          git -C nixpkgs/trusted diff --name-only ${{ inputs.mergedSha }} \
+          git -C nixpkgs/trusted diff --name-only "$TARGET_SHA" \
             | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
 
           # Use the target branch to get accurate maintainer info
@@ -318,6 +323,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout

diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -46,6 +46,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: |
             ci/github-script
 

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -26,6 +26,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout
@@ -60,6 +61,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout
@@ -87,6 +89,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout merge and target commits
         uses: ./.github/actions/checkout

diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml
@@ -24,6 +24,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: |
             ci/supportedSystems.json
 

diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml
@@ -47,4 +47,5 @@ jobs:
       from: ${{ matrix.pairs.from }}
       into: ${{ matrix.pairs.into }}
     name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml
@@ -42,4 +42,5 @@ jobs:
       from: ${{ matrix.pairs.from }}
       into: ${{ matrix.pairs.into }}
     name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/periodic-merge.yml b/.github/workflows/periodic-merge.yml
@@ -11,6 +11,9 @@ on:
         description: Target branch to merge into.
         required: true
         type: string
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY:
+        required: true
 
 defaults:
   run:
@@ -32,6 +35,8 @@ jobs:
           permission-pull-requests: write
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Find merge base between two branches
         if: contains(inputs.from, ' ')

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -34,6 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity
           sparse-checkout: |
             ci/github-script

diff --git a/.github/workflows/reviewers.yml b/.github/workflows/reviewers.yml
@@ -29,6 +29,7 @@ jobs:
       - name: Check out the PR at the base commit
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           path: trusted
           sparse-checkout: ci
 
@@ -146,6 +147,7 @@ jobs:
         if: ${{ steps.app-token.outputs.token }}
         env:
           GH_TOKEN: ${{ github.token }}
+          APP_GH_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
           AUTHOR: ${{ github.event.pull_request.user.login }}
@@ -156,7 +158,7 @@ jobs:
           # There appears to be no API to request reviews based on GitHub IDs
           jq -r 'keys[]' comparison/maintainers.json \
             | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+            | GH_TOKEN="$APP_GH_TOKEN" result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
 
       - name: Log current API rate limits (app-token)
         if: ${{ steps.app-token.outputs.token }}

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,6 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity
           sparse-checkout: |
             ci/github-script

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,12 @@
+# This file defines the ignore rules for zizmor.
+#
+# For rules that contain a high number of false positives, prefer listing them here
+# instead of adding ignore comments. Note that zizmor cannot ignore by line-within-a-string, so
+# there are some ignore items that encompass multiple problems within one `run` block. An issue
+# tracking this is at https://github.com/woodruffw/zizmor/issues/648.
+#
+# For more info, see the documentation: https://woodruffw.github.io/zizmor/usage/#ignoring-results
+
+rules:
+  dangerous-triggers:
+    disable: true
diff --git a/ci/default.nix b/ci/default.nix
@@ -136,6 +136,8 @@ let
             [ "--config=${config}" ];
           includes = [ "*.md" ];
         };
+
+        programs.zizmor.enable = true;
       };
       fs = pkgs.lib.fileset;
       nixFilesSrc = fs.toSource {