authorAlyssa Ross <hi@alyssa.is>2022-12-06 19:57:55 +0000
committerAlyssa Ross <hi@alyssa.is>2023-02-08 13:48:30 +0000
commitbf3aadfdd39aa197e18bade671fab6726349ffa4 (patch)
tree698567af766ed441d757b57a7b21e68d4a342a2b /nixpkgs/.github/workflows
parentf4afc5a01d9539ce09e47494e679c51f80723d07 (diff)
parent99665eb45f58d959d2cb9e49ddb960c79d596f33 (diff)
Merge commit '99665eb45f58d959d2cb9e49ddb960c79d596f33'
Diffstat (limited to 'nixpkgs/.github/workflows')
-rw-r--r--nixpkgs/.github/workflows/backport.yml6
-rw-r--r--nixpkgs/.github/workflows/basic-eval.yml22
-rw-r--r--nixpkgs/.github/workflows/direct-push.yml5
-rw-r--r--nixpkgs/.github/workflows/editorconfig.yml2
-rw-r--r--nixpkgs/.github/workflows/manual-nixos.yml2
-rw-r--r--nixpkgs/.github/workflows/manual-nixpkgs.yml2
-rw-r--r--nixpkgs/.github/workflows/nixos-manual.yml12
-rw-r--r--nixpkgs/.github/workflows/no-channel.yml5
-rw-r--r--nixpkgs/.github/workflows/pending-clear.yml5
-rw-r--r--nixpkgs/.github/workflows/pending-set.yml5
-rw-r--r--nixpkgs/.github/workflows/periodic-merge-24h.yml18
-rw-r--r--nixpkgs/.github/workflows/periodic-merge-6h.yml6
-rw-r--r--nixpkgs/.github/workflows/update-terraform-providers.yml22
13 files changed, 83 insertions, 29 deletions
diff --git a/nixpkgs/.github/workflows/backport.yml b/nixpkgs/.github/workflows/backport.yml
index 4ee5adfaac1e..53066456f98d 100644
--- a/nixpkgs/.github/workflows/backport.yml
+++ b/nixpkgs/.github/workflows/backport.yml
@@ -8,8 +8,14 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write  # for zeebe-io/backport-action to create branch
+      pull-requests: write  # for zeebe-io/backport-action to create PR to backport
     name: Backport Pull Request
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
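Review bot: The job-level `contents: write` / `pull-requests: write` grant added here is only as narrow as the `if:` on the line below it, and that condition's `startsWith('backport', github.event.label.name)` looks to have its arguments reversed: GitHub's `startsWith(searchString, searchValue)` tests whether the first argument begins with the second, so this is true only when the label name is a prefix of the literal `backport`, not when a label that begins with `backport` is applied. If the intent is to match labels starting with `backport`, the gate should read `startsWith(github.event.label.name, 'backport')`. Since the write token is issued whenever the job runs, confirming the gate matches the intended labels belongs with this permission change; the job body continues outside the hunk.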
diff --git a/nixpkgs/.github/workflows/basic-eval.yml b/nixpkgs/.github/workflows/basic-eval.yml
index 51429ae40bee..2d31392caf45 100644
--- a/nixpkgs/.github/workflows/basic-eval.yml
+++ b/nixpkgs/.github/workflows/basic-eval.yml
@@ -1,21 +1,25 @@
 name: Basic evaluation checks
 
 on:
-  pull_request:
-    branches:
-     - master
-     - release-**
-  push:
-    branches:
-     - master
-     - release-**
+  workflow_dispatch
+  # pull_request:
+  #   branches:
+  #    - master
+  #    - release-**
+  # push:
+  #   branches:
+  #    - master
+  #    - release-**
+permissions:
+  contents: read
+
 jobs:
   tests:
     runs-on: ubuntu-latest
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
     - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v16
+    - uses: cachix/install-nix-action@v17
     - uses: cachix/cachix-action@v10
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
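Review bot: The new `workflow_dispatch` line under `on:` is a bare scalar rather than a mapping key, so `on` now parses as the string `workflow_dispatch`; GitHub accepts that form, but restoring the commented `pull_request:` / `push:` blocks by simply uncommenting them would then produce invalid YAML (a scalar followed by mapping entries). Writing it as `workflow_dispatch:` keeps `on` a mapping so the triggers can be re-enabled without restructuring. The hunk also leaves no record of why the automatic triggers were disabled; a comment above the commented block such as `# pull_request/push triggers disabled: <reason>` would spare the next maintainer from guessing.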
diff --git a/nixpkgs/.github/workflows/direct-push.yml b/nixpkgs/.github/workflows/direct-push.yml
index 082a4806e619..167253ac6db6 100644
--- a/nixpkgs/.github/workflows/direct-push.yml
+++ b/nixpkgs/.github/workflows/direct-push.yml
@@ -4,8 +4,13 @@ on:
     branches:
      - master
      - release-**
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write  # for peter-evans/commit-comment to comment on commit
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     env:
diff --git a/nixpkgs/.github/workflows/editorconfig.yml b/nixpkgs/.github/workflows/editorconfig.yml
index de49e55ef2a7..5b57614e1107 100644
--- a/nixpkgs/.github/workflows/editorconfig.yml
+++ b/nixpkgs/.github/workflows/editorconfig.yml
@@ -28,7 +28,7 @@ jobs:
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@v16
+    - uses: cachix/install-nix-action@v17
       with:
         # nixpkgs commit is pinned so that it doesn't break
         # editorconfig-checker 2.4.0
diff --git a/nixpkgs/.github/workflows/manual-nixos.yml b/nixpkgs/.github/workflows/manual-nixos.yml
index 61a8a217651d..64829a191369 100644
--- a/nixpkgs/.github/workflows/manual-nixos.yml
+++ b/nixpkgs/.github/workflows/manual-nixos.yml
@@ -18,7 +18,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v16
+      - uses: cachix/install-nix-action@v17
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/nixpkgs/.github/workflows/manual-nixpkgs.yml b/nixpkgs/.github/workflows/manual-nixpkgs.yml
index 70d9aab69828..2aebeeeea2ab 100644
--- a/nixpkgs/.github/workflows/manual-nixpkgs.yml
+++ b/nixpkgs/.github/workflows/manual-nixpkgs.yml
@@ -18,7 +18,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v16
+      - uses: cachix/install-nix-action@v17
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/nixpkgs/.github/workflows/nixos-manual.yml b/nixpkgs/.github/workflows/nixos-manual.yml
index bd70f228d462..5453513a53a6 100644
--- a/nixpkgs/.github/workflows/nixos-manual.yml
+++ b/nixpkgs/.github/workflows/nixos-manual.yml
@@ -19,8 +19,16 @@ jobs:
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@v16
+    - uses: cachix/install-nix-action@v17
     - name: Check DocBook files generated from Markdown are consistent
       run: |
         nixos/doc/manual/md-to-db.sh
-        git diff --exit-code
+        git diff --exit-code || {
+          echo
+          echo 'Generated manual files are out of date.'
+          echo 'Please run'
+          echo
+          echo '    nixos/doc/manual/md-to-db.sh'
+          echo
+          exit 1
+        }
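Review bot: `git diff --exit-code` on the new line reports only modifications to tracked files, so if `nixos/doc/manual/md-to-db.sh` ever produces a DocBook file that is not yet tracked, the check passes while the generated output is still out of date; whether the script can create new files is not visible here, so confirm against the script. If it can, stage before comparing so new files count: `git add -A nixos/doc/manual && git diff --cached --exit-code || {`. The error-message block that follows can stay as written.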
diff --git a/nixpkgs/.github/workflows/no-channel.yml b/nixpkgs/.github/workflows/no-channel.yml
index fb9a95851f06..90c38f22c007 100644
--- a/nixpkgs/.github/workflows/no-channel.yml
+++ b/nixpkgs/.github/workflows/no-channel.yml
@@ -6,8 +6,13 @@ on:
       - 'nixos-**'
       - 'nixpkgs-**'
 
+permissions:
+  contents: read
+
 jobs:
   fail:
+    permissions:
+      contents: none
     name: "This PR is is targeting a channel branch"
     runs-on: ubuntu-latest
     steps:
diff --git a/nixpkgs/.github/workflows/pending-clear.yml b/nixpkgs/.github/workflows/pending-clear.yml
index d06b1e2143f1..7e8960597e5c 100644
--- a/nixpkgs/.github/workflows/pending-clear.yml
+++ b/nixpkgs/.github/workflows/pending-clear.yml
@@ -4,8 +4,13 @@ on:
   check_suite:
     types: [ completed ]
 
+permissions:
+  contents: read
+
 jobs:
   action:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     steps:
     - name: clear pending status
diff --git a/nixpkgs/.github/workflows/pending-set.yml b/nixpkgs/.github/workflows/pending-set.yml
index b15e4847e67c..0dc3031d87c0 100644
--- a/nixpkgs/.github/workflows/pending-set.yml
+++ b/nixpkgs/.github/workflows/pending-set.yml
@@ -8,8 +8,13 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+permissions:
+  contents: read
+
 jobs:
   action:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     steps:
     - name: set pending status
diff --git a/nixpkgs/.github/workflows/periodic-merge-24h.yml b/nixpkgs/.github/workflows/periodic-merge-24h.yml
index 027c63aad9a2..2eec69f65257 100644
--- a/nixpkgs/.github/workflows/periodic-merge-24h.yml
+++ b/nixpkgs/.github/workflows/periodic-merge-24h.yml
@@ -14,8 +14,14 @@ on:
     # Merge every 24 hours
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     strategy:
@@ -28,14 +34,10 @@ jobs:
         pairs:
           - from: master
             into: haskell-updates
-          - from: release-21.05
-            into: staging-next-21.05
-          - from: staging-next-21.05
-            into: staging-21.05
-          - from: release-21.11
-            into: staging-next-21.11
-          - from: staging-next-21.11
-            into: staging-21.11
+          - from: release-22.05
+            into: staging-next-22.05
+          - from: staging-next-22.05
+            into: staging-22.05
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
       - uses: actions/checkout@v3
diff --git a/nixpkgs/.github/workflows/periodic-merge-6h.yml b/nixpkgs/.github/workflows/periodic-merge-6h.yml
index 5588d216ea03..bcc9f4883588 100644
--- a/nixpkgs/.github/workflows/periodic-merge-6h.yml
+++ b/nixpkgs/.github/workflows/periodic-merge-6h.yml
@@ -14,8 +14,14 @@ on:
     # Merge every 6 hours
     - cron:  '0 */6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     strategy:
diff --git a/nixpkgs/.github/workflows/update-terraform-providers.yml b/nixpkgs/.github/workflows/update-terraform-providers.yml
index 0c775cb6e402..1650f537b7bc 100644
--- a/nixpkgs/.github/workflows/update-terraform-providers.yml
+++ b/nixpkgs/.github/workflows/update-terraform-providers.yml
@@ -2,16 +2,23 @@ name: "Update terraform-providers"
 
 on:
   schedule:
-    - cron: "14 3 * * 1"
+    - cron: "14 3 * * 0"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   tf-providers:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v16
+      - uses: cachix/install-nix-action@v17
       - name: setup
         id: setup
         run: |
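Review bot: The bumped `cachix/install-nix-action@v17` reference is a mutable major tag, and this job now runs with `contents: write` and `pull-requests: write`, so whatever that tag resolves to at run time receives a token able to push branches and open pull requests. Pinning third-party actions to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: cachix/install-nix-action@<commit-sha>  # v17`, makes the resolved code immutable and reviewable; the same bump appears in the basic-eval.yml, editorconfig.yml, manual-nixos.yml, manual-nixpkgs.yml and nixos-manual.yml hunks, and `peter-evans/create-pull-request@v4` in the next hunk has the same property. The `if:` below the permissions block does restrict `workflow_dispatch` runs to `master`, which limits where the write token can be obtained.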
@@ -25,14 +32,15 @@ jobs:
           git commit -m "${{ steps.setup.outputs.title }}" providers.json
           popd
       - name: create PR
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@v4
         with:
           body: |
-            Automatic update of terraform providers.
-
-            Created by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.
+            Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.
 
-            Check that all providers build with `@ofborg build terraform-full`
+            Check that all providers build with:
+            ```
+            @ofborg build terraform.full
+            ```
           branch: terraform-providers-update
           delete-branch: false
           labels: "2.status: work-in-progress"
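Review bot: The context line `git commit -m "${{ steps.setup.outputs.title }}" providers.json` expands a step output into the shell script text before bash runs it, so any quote or shell metacharacter in `title` becomes part of the command; the `setup` step that produces the output is outside this hunk, so I cannot tell from here whether its value can be influenced by data outside the repository. The robust form is to pass the value through the environment, adding `env:` with `TITLE: ${{ steps.setup.outputs.title }}` to the step and using `git commit -m "$TITLE" providers.json`, which is the pattern GitHub documents for using outputs inside `run:` blocks. The PR body change itself reads fine.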