Merge staging-next into staging

.github/CODEOWNERS

@@ -15,6 +15,8 @@
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
 /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
+/.github/workflows/codeowners.yml @infinisil
+/.github/OWNERS @infinisil
 /ci @infinisil @philiptaron @NixOS/Security
 
 # Development support
@@ -28,7 +30,7 @@
 /lib/cli.nix                @infinisil @Profpatsch
 /lib/debug.nix              @infinisil @Profpatsch
 /lib/asserts.nix            @infinisil @Profpatsch
-/lib/path.*                 @infinisil
+/lib/path/*                 @infinisil
 /lib/fileset                @infinisil
 ## Libraries / Module system
 /lib/modules.nix            @infinisil @roberth
@@ -105,7 +107,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/lib/test-driver  @tfc
 
 # NixOS QEMU virtualisation
-/nixos/virtualisation/qemu-vm.nix           @raitobezarius
+/nixos/modules/virtualisation/qemu-vm.nix           @raitobezarius
 
 # ACME
 /nixos/modules/security/acme                @arianvp @flokli @aanderse @emilazy # no merge permission: @m1cr0man
@@ -170,7 +172,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 # Audio
 /nixos/modules/services/audio/botamusique.nix @mweinelt
 /nixos/modules/services/audio/snapserver.nix @mweinelt
-/nixos/tests/modules/services/audio/botamusique.nix @mweinelt
+/nixos/tests/botamusique.nix @mweinelt
 /nixos/tests/snapcast.nix @mweinelt
 
 # Browsers
@@ -204,21 +206,20 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 
 # PostgreSQL and related stuff
 /pkgs/servers/sql/postgresql @thoughtpolice
-/nixos/modules/services/databases/postgresql.xml @thoughtpolice
+/nixos/modules/services/databases/postgresql.md @thoughtpolice
 /nixos/modules/services/databases/postgresql.nix @thoughtpolice
 /nixos/tests/postgresql.nix @thoughtpolice
 
 # Hardened profile & related modules
 /nixos/modules/profiles/hardened.nix @joachifm
-/nixos/modules/security/hidepid.nix @joachifm
 /nixos/modules/security/lock-kernel-modules.nix @joachifm
 /nixos/modules/security/misc.nix @joachifm
 /nixos/tests/hardened.nix @joachifm
-/pkgs/os-specific/linux/kernel/hardened-config.nix @joachifm
+/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm
 
 # Home Automation
-/nixos/modules/services/misc/home-assistant.nix @mweinelt
-/nixos/modules/services/misc/zigbee2mqtt.nix @mweinelt
+/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
+/nixos/modules/services/home-automation/zigbee2mqtt.nix @mweinelt
 /nixos/tests/home-assistant.nix @mweinelt
 /nixos/tests/zigbee2mqtt.nix @mweinelt
 /pkgs/servers/home-assistant @mweinelt
@@ -316,8 +317,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 
 # nim
 /pkgs/development/compilers/nim   @ehmry
-/pkgs/development/nim-packages    @ehmry
-/pkgs/top-level/nim-packages.nix  @ehmry
 
 # terraform providers
 /pkgs/applications/networking/cluster/terraform-providers @zowoq

.github/OWNERS

@@ -0,0 +1,19 @@
+#
+# Currently unused! Use CODEOWNERS for now, see workflows/codeowners.yml
+#
+####################
+#
+# This file is used to describe who owns what in this repository.
+# Users/teams will get review requests for PRs that change their files.
+#
+# This file does not replace `meta.maintainers`
+# but is instead used for other things than derivations and modules,
+# like documentation, package sets, and other assets.
+#
+# This file uses the same syntax as the natively supported CODEOWNERS file,
+# see https://help.github.com/articles/about-codeowners/ for documentation.
+# However it comes with some notable differences:
+# - There is no need for user/team listed here to have write access.
+# - No reviews will be requested for PRs that target the wrong base branch.
+#
+# Processing of this file is implemented in workflows/codeowners.yml

.github/workflows/codeowners.yml

@@ -0,0 +1,88 @@
+name: Codeowners
+
+# This workflow depends on a GitHub App with the following permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# The App needs to be installed on this repository
+# the OWNER_APP_ID repository variable needs to be set
+# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened, edited]
+
+env:
+  # TODO: Once confirmed that this works by seeing that the action would request
+  # reviews from the same people (or refuse for wrong base branches),
+  # move all entries from CODEOWNERS to OWNERS and change this value here
+  # OWNERS_FILE: .github/OWNERS
+  OWNERS_FILE: .github/CODEOWNERS
+  # Also remove this
+  DRY_MODE: 1
+
+jobs:
+  # Check that code owners is valid
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+    # We later build and run code from the base branch with access to secrets,
+    # so it's important this is not the PRs code.
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        path: base
+
+    - name: Build codeowners validator
+      run: nix-build base/ci -A codeownersValidator
+
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        ref: refs/pull/${{ github.event.number }}/merge
+        path: pr
+
+    - name: Validate codeowners
+      run: result/bin/codeowners-validator
+      env:
+        OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
+        GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        REPOSITORY_PATH: pr
+        OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
+        # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
+        EXPERIMENTAL_CHECKS: "avoid-shadowing"
+
+  # Request reviews from code owners
+  request:
+    name: Request
+    runs-on: ubuntu-latest
+    steps:
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
+    # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
+    # This is intentional, because we need to request the review of owners as declared in the base branch.
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+    - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      id: app-token
+      with:
+        app-id: ${{ vars.OWNER_APP_ID }}
+        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+
+    - name: Build review request package
+      run: nix-build ci -A requestReviews
+
+    - name: Request reviews
+      run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
+      env:
+        GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        # Don't do anything on draft PRs
+        DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

ci/codeowners-validator/default.nix

@@ -0,0 +1,31 @@
+{
+  buildGoModule,
+  fetchFromGitHub,
+  fetchpatch,
+}:
+buildGoModule {
+  name = "codeowners-validator";
+  src = fetchFromGitHub {
+    owner = "mszostok";
+    repo = "codeowners-validator";
+    rev = "f3651e3810802a37bd965e6a9a7210728179d076";
+    hash = "sha256-5aSmmRTsOuPcVLWfDF6EBz+6+/Qpbj66udAmi1CLmWQ=";
+  };
+  patches = [
+    # https://github.com/mszostok/codeowners-validator/pull/222
+    (fetchpatch {
+      name = "user-write-access-check";
+      url = "https://github.com/mszostok/codeowners-validator/compare/f3651e3810802a37bd965e6a9a7210728179d076...840eeb88b4da92bda3e13c838f67f6540b9e8529.patch";
+      hash = "sha256-t3Dtt8SP9nbO3gBrM0nRE7+G6N/ZIaczDyVHYAG/6mU=";
+    })
+    # Undoes part of the above PR: We don't want to require write access
+    # to the repository, that's only needed for GitHub's native CODEOWNERS.
+    # Furthermore, it removes an unneccessary check from the code
+    # that breaks tokens generated for GitHub Apps.
+    ./permissions.patch
+    # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var
+    ./owners-file-name.patch
+  ];
+  postPatch = "rm -r docs/investigation";
+  vendorHash = "sha256-R+pW3xcfpkTRqfS2ETVOwG8PZr0iH5ewroiF7u8hcYI=";
+}

ci/codeowners-validator/owners-file-name.patch

@@ -0,0 +1,15 @@
+diff --git a/pkg/codeowners/owners.go b/pkg/codeowners/owners.go
+index 6910bd2..e0c95e9 100644
+--- a/pkg/codeowners/owners.go
++++ b/pkg/codeowners/owners.go
+@@ -39,6 +39,10 @@ func NewFromPath(repoPath string) ([]Entry, error) {
+ // openCodeownersFile finds a CODEOWNERS file and returns content.
+ // see: https://help.github.com/articles/about-code-owners/#codeowners-file-location
+ func openCodeownersFile(dir string) (io.Reader, error) {
++	if file, ok := os.LookupEnv("OWNERS_FILE"); ok {
++		return fs.Open(file)
++	}
++
+ 	var detectedFiles []string
+ 	for _, p := range []string{".", "docs", ".github"} {
+ 		pth := path.Join(dir, p)

ci/codeowners-validator/permissions.patch

@@ -0,0 +1,36 @@
+diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go
+index a264bcc..610eda8 100644
+--- a/internal/check/valid_owner.go
++++ b/internal/check/valid_owner.go
+@@ -16,7 +16,6 @@ import (
+ const scopeHeader = "X-OAuth-Scopes"
+
+ var reqScopes = map[github.Scope]struct{}{
+-	github.ScopeReadOrg: {},
+ }
+
+ type ValidOwnerConfig struct {
+@@ -223,10 +222,7 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr
+ 	for _, t := range v.repoTeams {
+ 		// GitHub normalizes name before comparison
+ 		if strings.EqualFold(t.GetSlug(), team) {
+-			if t.Permissions["push"] {
+-				return nil
+-			}
+-			return newValidateError("Team %q cannot review PRs on %q as neither it nor any parent team has write permissions.", team, v.orgRepoName)
++			return nil
+ 		}
+ 	}
+
+@@ -245,10 +241,7 @@ func (v *ValidOwner) validateGitHubUser(ctx context.Context, name string) *valid
+ 	for _, u := range v.repoUsers {
+ 		// GitHub normalizes name before comparison
+ 		if strings.EqualFold(u.GetLogin(), userName) {
+-			if u.Permissions["push"] {
+-				return nil
+-			}
+-			return newValidateError("User %q cannot review PRs on %q as they don't have write permissions.", userName, v.orgRepoName)
++			return nil
+ 		}
+ 	}
+

ci/default.nix

@@ -0,0 +1,29 @@
+let
+  pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
+in
+{
+  system ? builtins.currentSystem,
+
+  nixpkgs ? null,
+}:
+let
+  nixpkgs' =
+    if nixpkgs == null then
+      fetchTarball {
+        url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
+        sha256 = pinnedNixpkgs.sha256;
+      }
+    else
+      nixpkgs;
+
+  pkgs = import nixpkgs' {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  };
+in
+{
+  inherit pkgs;
+  requestReviews = pkgs.callPackage ./request-reviews { };
+  codeownersValidator = pkgs.callPackage ./codeowners-validator { };
+}

ci/request-reviews/default.nix

@@ -0,0 +1,43 @@
+{
+  lib,
+  stdenvNoCC,
+  makeWrapper,
+  coreutils,
+  codeowners,
+  jq,
+  curl,
+  github-cli,
+  gitMinimal,
+}:
+stdenvNoCC.mkDerivation {
+  name = "request-reviews";
+  src = lib.fileset.toSource {
+    root = ./.;
+    fileset = lib.fileset.unions [
+      ./get-reviewers.sh
+      ./request-reviews.sh
+      ./verify-base-branch.sh
+      ./dev-branches.txt
+    ];
+  };
+  nativeBuildInputs = [ makeWrapper ];
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/bin
+    mv dev-branches.txt $out/bin
+    for bin in *.sh; do
+      mv "$bin" "$out/bin"
+      wrapProgram "$out/bin/$bin" \
+        --set PATH ${
+          lib.makeBinPath [
+            coreutils
+            codeowners
+            jq
+            curl
+            github-cli
+            gitMinimal
+          ]
+        }
+    done
+  '';
+}

ci/request-reviews/dev-branches.txt

@@ -0,0 +1,7 @@
+# Trusted development branches:
+# These generally require PRs to update and are built by Hydra.
+master
+staging
+release-*
+staging-*
+haskell-updates