Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/backport.yml23
-rw-r--r--.github/workflows/direct-push.yml29
-rw-r--r--.github/workflows/editorconfig.yml29
-rw-r--r--.github/workflows/labels.yml19
-rw-r--r--.github/workflows/manual-nixos.yml7
-rw-r--r--.github/workflows/manual-nixpkgs.yml7
-rw-r--r--.github/workflows/merge-staging.yml6
-rw-r--r--.github/workflows/nixos-manual.yml21
-rw-r--r--.github/workflows/rebase.yml2
9 files changed, 126 insertions, 17 deletions
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
new file mode 100644
index 00000000000..766b5aa831a
--- /dev/null
+++ b/.github/workflows/backport.yml
@@ -0,0 +1,23 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+jobs:
+  backport:
+    name: Backport Pull Request
+    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # required to find all branches
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        # should be kept in sync with `version`
+        uses: zeebe-io/backport-action@9b8949dcd4295d364b0939f07d0c7593598d26cd
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_workspace: ${{ github.workspace }}
+          # should be kept in sync with `uses`
+          version: 9b8949dcd4295d364b0939f07d0c7593598d26cd
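Review bot: The `backport` job has no `permissions:` block, so the `GITHUB_TOKEN` passed on the `github_token:` line carries whatever default scope the repository is configured with, while editorconfig.yml and labels.yml in this commit declare theirs. A top-level `permissions:` with `contents: write` and `pull-requests: write` would make the grant explicit; those two scopes are presumably what pushing backport branches and opening PRs needs, to be confirmed against the action. The checkout of `github.event.pull_request.head.sha` under `pull_request_target` is acceptable only because of the `merged == true` gate in the job `if:`, and a comment next to `ref:` saying so would stop a later edit from loosening the gate unnoticed. `actions/checkout@v2` is pinned by tag while the backport action is pinned by commit.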
diff --git a/.github/workflows/direct-push.yml b/.github/workflows/direct-push.yml
new file mode 100644
index 00000000000..6177004295f
--- /dev/null
+++ b/.github/workflows/direct-push.yml
@@ -0,0 +1,29 @@
+name: "Direct Push Warning"
+on:
+  push:
+    branches:
+     - master
+     - release-**
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    env:
+      GITHUB_SHA: ${{ github.sha }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+    steps:
+    - name: Check if commit is a merge commit
+      id: ismerge
+      run: |
+        ISMERGE=$(curl -H 'Accept: application/vnd.github.groot-preview+json' -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ env.GITHUB_REPOSITORY }}/commits/${{ env.GITHUB_SHA }}/pulls | jq -r '.[] | select(.merge_commit_sha == "${{ env.GITHUB_SHA }}") | any')
+        echo "::set-output name=ismerge::$ISMERGE"
+    - name: Warn if the commit was a direct push
+      if: steps.ismerge.outputs.ismerge != 'true'
+      uses: peter-evans/commit-comment@v1
+      with:
+        body: |
+          @${{ github.actor }}, you pushed a commit directly to master/release branch
+          instead of going through a Pull Request.
+
+          That's highly discouraged beyond the few exceptions listed
+          on https://github.com/NixOS/nixpkgs/issues/118661
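Review bot: The `run:` line of the `ismerge` step pastes `${{ secrets.GITHUB_TOKEN }}`, `${{ env.GITHUB_REPOSITORY }}` and `${{ env.GITHUB_SHA }}` into the script text before the shell parses it. Passing the token through the step's `env:` (`GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and writing `"$GITHUB_TOKEN"`, `"$GITHUB_REPOSITORY"` and `"$GITHUB_SHA"` in the command keeps expression output out of the script source. The `curl` call has no `-f`, so an API error body reaches `jq`, `ISMERGE` ends up empty, and the `!= 'true'` condition then posts the warning on a commit that may well have come from a pull request; `curl -sSf` plus an explicit check for an empty result would avoid that. The workflow declares no `permissions:`, and `peter-evans/commit-comment@v1` is pinned by tag only.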
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
index 270728a61c6..4960e9fd3d2 100644
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig.yml
@@ -1,7 +1,10 @@
 name: "Checking EditorConfig"
 
+permissions: read-all
+
 on:
-  pull_request:
+  # avoids approving first time contributors
+  pull_request_target:
     branches-ignore:
       - 'release-**'
 
@@ -21,17 +24,23 @@ jobs:
           >> $GITHUB_ENV
         echo 'EOF' >> $GITHUB_ENV
     - uses: actions/checkout@v2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
       if: env.PR_DIFF
-    - name: Fetch editorconfig-checker
+    - uses: cachix/install-nix-action@v13
+      if: env.PR_DIFF
+      with:
+        # nixpkgs commit is pinned so that it doesn't break
+        nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/f93ecc4f6bc60414d8b73dbdf615ceb6a2c604df.tar.gz
+    - name: install editorconfig-checker
+      run: nix-env -iA editorconfig-checker -f '<nixpkgs>'
       if: env.PR_DIFF
-      env:
-        ECC_VERSION: "2.3.1"
-        ECC_URL: "https://github.com/editorconfig-checker/editorconfig-checker/releases/download"
-      run: |
-        curl -sSf -O -L -C - "$ECC_URL/$ECC_VERSION/ec-linux-amd64.tar.gz" && \
-        tar xzf ec-linux-amd64.tar.gz && \
-        mv ./bin/ec-linux-amd64 ./bin/editorconfig-checker
     - name: Checking EditorConfig
       if: env.PR_DIFF
       run: |
-        echo "$PR_DIFF" | xargs ./bin/editorconfig-checker -disable-indent-size
+        echo "$PR_DIFF" | xargs editorconfig-checker -disable-indent-size
+    - if: ${{ failure() }}
+      run: |
+        echo "::error :: Hey! It looks like your changes don't follow our editorconfig settings. Read https://editorconfig.org/#download to configure your editor so you never see this error again."
+
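Review bot: The checkout added at `ref: refs/pull/${{ github.event.pull_request.number }}/merge` puts pull-request content into the workspace of a `pull_request_target` run, and `actions/checkout` leaves the job token in `.git/config` by default. Adding `persist-credentials: false` under that `with:` removes it; the identical checkout visible as context in manual-nixos.yml and manual-nixpkgs.yml would benefit from the same line. The comment `# avoids approving first time contributors` in the first hunk should also state that this trigger runs in the base repository's context, so no step may build or execute files from the checkout. In `echo "$PR_DIFF" | xargs editorconfig-checker -disable-indent-size` the file names originate from the pull request and `xargs` splits them on whitespace and quotes. How `PR_DIFF` is built lies outside the hunk, but NUL-separated names and an argument terminator before them (if the checker accepts one) would be more robust.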
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
new file mode 100644
index 00000000000..4d1e2a2a0f9
--- /dev/null
+++ b/.github/workflows/labels.yml
@@ -0,0 +1,19 @@
+name: "Label PR"
+
+on:
+  pull_request_target:
+    types: [edited, opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  labels:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+    - uses: actions/labeler@v3
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: true
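Review bot: `actions/labeler@v3` is referenced by a mutable tag although the job runs on `pull_request_target` with `pull-requests: write`. Pinning it to a full commit SHA, as backport.yml in this commit does for its action, means a moved tag cannot change what runs with that token. The line would read `uses: actions/labeler@<full-commit-sha>  # v3`, with the SHA taken from the release that was reviewed. The scoped `permissions:` block and the absence of a checkout are the right shape for this trigger.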
diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
index a75e8402930..032a456569d 100644
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos.yml
@@ -1,5 +1,7 @@
 name: "Build NixOS manual"
 
+permissions: read-all
+
 on:
   pull_request_target:
     branches:
@@ -10,16 +12,17 @@ on:
 jobs:
   nixos:
     runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@v2
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v12
+      - uses: cachix/install-nix-action@v13
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@v8
+      - uses: cachix/cachix-action@v9
         with:
           # This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere.
           name: nixpkgs-ci
diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
index 7596719d9b5..77655c494e0 100644
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs.yml
@@ -1,5 +1,7 @@
 name: "Build Nixpkgs manual"
 
+permissions: read-all
+
 on:
   pull_request_target:
     branches:
@@ -10,16 +12,17 @@ on:
 jobs:
   nixpkgs:
     runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@v2
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v12
+      - uses: cachix/install-nix-action@v13
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@v8
+      - uses: cachix/cachix-action@v9
         with:
           # This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere.
           name: nixpkgs-ci
diff --git a/.github/workflows/merge-staging.yml b/.github/workflows/merge-staging.yml
index 1aadef16328..e499630a083 100644
--- a/.github/workflows/merge-staging.yml
+++ b/.github/workflows/merge-staging.yml
@@ -8,12 +8,13 @@ on:
 
 jobs:
   sync-branch:
-    if: github.repository == 'NixOS/nixpkgs'
+    if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
 
       - name: Merge master into staging-next
+        id: staging_next
         uses: devmasx/merge-branch@v1.3.1
         with:
           type: now
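Review bot: The new gate `if: github.repository_owner == 'NixOS'` lets `sync-branch` run in any repository owned by the organisation that carries this file, where the old `github.repository == 'NixOS/nixpkgs'` limited it to one. The job merges branches with `GITHUB_TOKEN`, and the failure comment in the last hunk of this file still hardcodes `https://github.com/NixOS/nixpkgs/actions/runs/`, so a run in another repository would post a link that points at the wrong place. Either keep the exact-repository check for this workflow or build the link from `${{ github.repository }}`.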
@@ -22,6 +23,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Merge staging-next into staging
+        id: staging
         uses: devmasx/merge-branch@v1.3.1
         with:
           type: now
@@ -35,5 +37,5 @@ jobs:
         with:
           issue-number: 105153
           body: |
-            An automatic merge [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+            An automatic merge${{ (steps.staging_next.outcome == 'failure' && ' from master to staging-next') || ((steps.staging.outcome == 'failure' && ' from staging-next to staging') || '') }} [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
 
diff --git a/.github/workflows/nixos-manual.yml b/.github/workflows/nixos-manual.yml
new file mode 100644
index 00000000000..80ffc9c12be
--- /dev/null
+++ b/.github/workflows/nixos-manual.yml
@@ -0,0 +1,21 @@
+name: NixOS manual checks
+
+on:
+  pull_request:
+    branches-ignore:
+      - 'release-**'
+    paths:
+      - 'nixos/**/*.xml'
+      - 'nixos/**/*.md'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    steps:
+    - uses: actions/checkout@v2
+    - uses: cachix/install-nix-action@v12
+    - name: Check DocBook files generated from Markdown are consistent
+      run: |
+        nixos/doc/manual/md-to-db.sh
+        git diff --exit-code
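Review bot: `cachix/install-nix-action@v12` in this new workflow is one release behind the `@v13` that the same commit moves editorconfig.yml, manual-nixos.yml and manual-nixpkgs.yml to; `- uses: cachix/install-nix-action@v13` would keep them aligned. The file also has no `permissions:` block, whereas the other workflows touched here gain `permissions: read-all`. The job only reads the tree and runs `git diff --exit-code`, so a read-only grant looks sufficient.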
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 50d066dd754..47e8f4e4e42 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -41,7 +41,7 @@ jobs:
       - name: check branch
         env:
           PERMANENT_BRANCHES: "haskell-updates|master|nixos|nixpkgs|python-unstable|release|staging"
-          VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|staging|staging-20.09|staging-next"
+          VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|release-21.05|staging|staging-20.09|staging-21.05|staging-next|staging-next-21.05"
         run: |
           message() {
             cat <<EOF