Diffstat (limited to '.github')
-rw-r--r--.github/CODEOWNERS26
-rw-r--r--.github/CONTRIBUTING.md19
-rw-r--r--.github/PULL_REQUEST_TEMPLATE.md5
-rw-r--r--.github/workflows/nixos-manual.yml7
-rw-r--r--.github/workflows/rebase.yml134
5 files changed, 42 insertions, 149 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index be54040ca2e..64719a7bc3a 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -82,13 +82,13 @@
 /pkgs/development/interpreters/python/conda                 @DavHau
 
 # Haskell
-/doc/languages-frameworks/haskell.section.md  @cdepillabout @sternenseemann @maralorn
-/maintainers/scripts/haskell                  @cdepillabout @sternenseemann @maralorn
-/pkgs/development/compilers/ghc               @cdepillabout @sternenseemann @maralorn
-/pkgs/development/haskell-modules             @cdepillabout @sternenseemann @maralorn
-/pkgs/test/haskell                            @cdepillabout @sternenseemann @maralorn
-/pkgs/top-level/release-haskell.nix           @cdepillabout @sternenseemann @maralorn
-/pkgs/top-level/haskell-packages.nix          @cdepillabout @sternenseemann @maralorn
+/doc/languages-frameworks/haskell.section.md  @cdepillabout @sternenseemann @maralorn @expipiplus1
+/maintainers/scripts/haskell                  @cdepillabout @sternenseemann @maralorn @expipiplus1
+/pkgs/development/compilers/ghc               @cdepillabout @sternenseemann @maralorn @expipiplus1
+/pkgs/development/haskell-modules             @cdepillabout @sternenseemann @maralorn @expipiplus1
+/pkgs/test/haskell                            @cdepillabout @sternenseemann @maralorn @expipiplus1
+/pkgs/top-level/release-haskell.nix           @cdepillabout @sternenseemann @maralorn @expipiplus1
+/pkgs/top-level/haskell-packages.nix          @cdepillabout @sternenseemann @maralorn @expipiplus1
 
 # Perl
 /pkgs/development/interpreters/perl @volth @stigtsp
@@ -196,12 +196,12 @@
 /nixos/tests/prometheus-exporters.nix                        @WilliButz
 
 # PHP interpreter, packages, extensions, tests and documentation
-/doc/languages-frameworks/php.section.md @NixOS/php
-/nixos/tests/php                         @NixOS/php
-/pkgs/build-support/build-pecl.nix       @NixOS/php
-/pkgs/development/interpreters/php       @NixOS/php
-/pkgs/development/php-packages           @NixOS/php
-/pkgs/top-level/php-packages.nix         @NixOS/php
+/doc/languages-frameworks/php.section.md          @NixOS/php @aanderse @etu @globin @ma27 @talyz
+/nixos/tests/php                                  @NixOS/php @aanderse @etu @globin @ma27 @talyz
+/pkgs/build-support/build-pecl.nix                @NixOS/php @aanderse @etu @globin @ma27 @talyz
+/pkgs/development/interpreters/php       @jtojnar @NixOS/php @aanderse @etu @globin @ma27 @talyz
+/pkgs/development/php-packages                    @NixOS/php @aanderse @etu @globin @ma27 @talyz
+/pkgs/top-level/php-packages.nix         @jtojnar @NixOS/php @aanderse @etu @globin @ma27 @talyz
 
 # Podman, CRI-O modules and related
 /nixos/modules/virtualisation/containers.nix @NixOS/podman @zowoq
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index bc43f80a060..159b9f84348 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -59,6 +59,25 @@ Follow these steps to backport a change into a release branch in compliance with
 5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-20.09`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[20.09]`.
 6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
 
+## Criteria for Backporting changes
+
+Anything that does not cause user or downstream dependency regressions can be backported. This includes:
+- New Packages / Modules
+- Security / Patch updates
+- Version updates which include new functionality (but no breaking changes)
+- Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
+- Security critical applications (E.g. `firefox`)
+
+## Generating 21.11 Release Notes
+
+Documentation in nixpkgs is transitioning to a markdown-centric workflow. Release notes now require a translation step to convert from markdown to a compatible docbook document.
+
+Steps for updating 21.11 Release notes:
+
+1. Edit `nixos/doc/manual/release-notes/rl-2111.section.md` with the desired changes
+2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2111.section.xml`
+3. Include changes to `rl-2111.section.md` and `rl-2111.section.xml` in the same commit.
+
 ## Reviewing contributions
 
 See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#chap-reviewing-contributions).
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 73783432037..1c4d7aa0668 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -23,5 +23,8 @@ Reviewing guidelines: https://nixos.org/manual/nixpkgs/unstable/#chap-reviewing-
 - [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
 - [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
 - [ ] Tested execution of all binary files (usually in `./result/bin/`)
-- [ ] Added a release notes entry if the change is major or breaking
+- [21.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md#generating-2111-release-notes)
+  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
+  - [ ] (Module updates) Added a release notes entry if the change is significant
+  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
diff --git a/.github/workflows/nixos-manual.yml b/.github/workflows/nixos-manual.yml
index 80ffc9c12be..2a1c1c29738 100644
--- a/.github/workflows/nixos-manual.yml
+++ b/.github/workflows/nixos-manual.yml
@@ -1,7 +1,9 @@
 name: NixOS manual checks
 
+permissions: read-all
+
 on:
-  pull_request:
+  pull_request_target:
     branches-ignore:
       - 'release-**'
     paths:
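Review bot: `permissions: read-all` gives the job token read access to every scope, while the steps visible in this commit only need to fetch the repository. A narrower setting would be a `permissions:` map containing just `contents: read`, assuming the steps outside the hunks need nothing more. The switch to `pull_request_target` also deserves a comment above the trigger, for example `# runs in the base-repository context; the job checks out PR code, so keep secrets and write scopes out of this workflow`. The `paths:` list continues outside the hunk.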
@@ -14,6 +16,9 @@ jobs:
     if: github.repository_owner == 'NixOS'
     steps:
     - uses: actions/checkout@v2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
     - uses: cachix/install-nix-action@v12
     - name: Check DocBook files generated from Markdown are consistent
       run: |
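Review bot: The checkout step now fetches the PR merge ref under `pull_request_target`, and `actions/checkout` keeps the job token in the local git config by default, so anything the following `run:` step executes from the tree can read it. Adding `persist-credentials: false` under `with:` keeps the token out of the workspace; it is read-only here because of the top-level `permissions: read-all`, but nothing in the hunk needs it. The `run:` body lies outside the hunk, so whether it executes scripts from the checked-out tree is only inferred from the step name. Pinning `actions/checkout@v2` and `cachix/install-nix-action@v12` to full commit SHAs would also be worthwhile in a workflow that handles untrusted input.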
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
deleted file mode 100644
index 47e8f4e4e42..00000000000
--- a/.github/workflows/rebase.yml
+++ /dev/null
@@ -1,134 +0,0 @@
-on:
-  issue_comment:
-    types:
-      - created
-
-# This action allows people with write access to the repo to rebase a PRs base branch
-# by commenting `/rebase ${branch}` on the PR while avoiding CODEOWNER notifications.
-
-jobs:
-  rebase:
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'NixOS' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
-    steps:
-      - uses: peter-evans/create-or-update-comment@v1
-        with:
-          comment-id: ${{ github.event.comment.id }}
-          reactions: eyes
-      - uses: scherermichael-oss/action-has-permission@1.0.6
-        id: check-write-access
-        with:
-          required-permission: write
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: check permissions
-        run: |
-          echo "Commenter doesn't have write access to the repo"
-          exit 1
-        if: "! steps.check-write-access.outputs.has-permission"
-      - name: setup
-        run: |
-          curl "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}" 2>/dev/null >pr.json
-          cat <<EOF >>"$GITHUB_ENV"
-          CAN_MODIFY=$(jq -r '.maintainer_can_modify' pr.json)
-          COMMITS=$(jq -r '.commits' pr.json)
-          CURRENT_BASE=$(jq -r '.base.ref' pr.json)
-          PR_BRANCH=$(jq -r '.head.ref' pr.json)
-          COMMENT_BRANCH=$(echo ${{ github.event.comment.body }} | awk "/^\/rebase / {print \$2}")
-          PULL_REQUEST=${{ github.event.issue.number }}
-          EOF
-          rm pr.json
-      - name: check branch
-        env:
-          PERMANENT_BRANCHES: "haskell-updates|master|nixos|nixpkgs|python-unstable|release|staging"
-          VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|release-21.05|staging|staging-20.09|staging-21.05|staging-next|staging-next-21.05"
-        run: |
-          message() {
-            cat <<EOF
-          Can't rebase $PR_BRANCH from $CURRENT_BASE onto $COMMENT_BRANCH (PR:$PULL_REQUEST COMMITS:$COMMITS)
-          EOF
-          }
-          if ! [[ "$COMMENT_BRANCH" =~ ^($VALID_BRANCHES)$ ]]; then
-            cat <<EOF
-          Check that the branch from the comment is valid:
-
-          $(message)
-
-          This action can only rebase onto these branches:
-
-          $VALID_BRANCHES
-
-          \`/rebase \${branch}\` must be at the start of the line
-          EOF
-            exit 1
-          fi
-          if [[ "$COMMENT_BRANCH" == "$CURRENT_BASE" ]]; then
-            cat <<EOF
-          Check that the branch from the comment isn't the current base branch:
-
-          $(message)
-          EOF
-            exit 1
-          fi
-          if [[ "$COMMENT_BRANCH" == "$PR_BRANCH" ]]; then
-            cat <<EOF
-          Check that the branch from the comment isn't the current branch:
-
-          $(message)
-          EOF
-            exit 1
-          fi
-          if [[ "$PR_BRANCH" =~ ^($PERMANENT_BRANCHES) ]]; then
-            cat <<EOF
-          Check that the PR branch isn't a permanent branch:
-
-          $(message)
-          EOF
-            exit 1
-          fi
-          if [[ "$CAN_MODIFY" != "true" ]]; then
-            cat <<EOF
-          Check that maintainers can edit the PR branch:
-
-          $(message)
-          EOF
-            exit 1
-          fi
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: rebase pull request
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --global user.name "github-actions[bot]"
-          git fetch origin
-          gh pr checkout "$PULL_REQUEST"
-          git rebase \
-            --onto="$(git merge-base origin/"$CURRENT_BASE" origin/"$COMMENT_BRANCH")" \
-            "HEAD~$COMMITS"
-          git push --force
-          curl \
-            -X POST \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token $GITHUB_TOKEN" \
-            -d "{ \"base\": \"$COMMENT_BRANCH\" }" \
-            "https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
-          curl \
-            -X PATCH \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token $GITHUB_TOKEN" \
-            -d '{ "state": "closed" }' \
-            "https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
-      - uses: peter-evans/create-or-update-comment@v1
-        with:
-          issue-number: ${{ github.event.issue.number }}
-          body: |
-            Rebased, please reopen the pull request to restart CI
-      - uses: peter-evans/create-or-update-comment@v1
-        if: failure()
-        with:
-          issue-number: ${{ github.event.issue.number }}
-          body: |
-            [Failed to rebase](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})