Merge commit '8e4fe32876ca15e3d5eb3ecd3ca0b224417f5f17'

6 files changed, 42 insertions, 4 deletions

diff --git a/nixpkgs/.github/CODEOWNERS b/nixpkgs/.github/CODEOWNERS
index b15d89219f43..fc116b32d5f3 100644
--- a/nixpkgs/.github/CODEOWNERS
+++ b/nixpkgs/.github/CODEOWNERS
@@ -11,7 +11,7 @@
 /.github/CODEOWNERS @edolstra
 
 # GitHub actions
-/.github/workflows @Mic92 @zowoq
+/.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/merge-staging @FRidh
 
 # EditorConfig
@@ -126,9 +126,6 @@
 # Jetbrains
 /pkgs/applications/editors/jetbrains @edwtjo
 
-# Eclipse
-/pkgs/applications/editors/eclipse @rycee
-
 # Licenses
 /lib/licenses.nix @alyssais
 
diff --git a/nixpkgs/.github/labeler.yml b/nixpkgs/.github/labeler.yml
index 77422234ab3d..1b0392692ed8 100644
--- a/nixpkgs/.github/labeler.yml
+++ b/nixpkgs/.github/labeler.yml
@@ -5,6 +5,10 @@
   - pkgs/development/libraries/agda/**/*
   - pkgs/top-level/agda-packages.nix
 
+"6.topic: bsd":
+  - pkgs/os-specific/bsd/**/*
+  - pkgs/stdenv/freebsd/**/*
+
 "6.topic: cinnamon":
   - pkgs/desktops/cinnamon/**/*
 
diff --git a/nixpkgs/.github/workflows/direct-push.yml b/nixpkgs/.github/workflows/direct-push.yml
new file mode 100644
index 000000000000..6177004295ff
--- /dev/null
+++ b/nixpkgs/.github/workflows/direct-push.yml
@@ -0,0 +1,29 @@
+name: "Direct Push Warning"
+on:
+  push:
+    branches:
+     - master
+     - release-**
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'NixOS'
+    env:
+      GITHUB_SHA: ${{ github.sha }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+    steps:
+    - name: Check if commit is a merge commit
+      id: ismerge
+      run: |
+        ISMERGE=$(curl -H 'Accept: application/vnd.github.groot-preview+json' -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ env.GITHUB_REPOSITORY }}/commits/${{ env.GITHUB_SHA }}/pulls | jq -r '.[] | select(.merge_commit_sha == "${{ env.GITHUB_SHA }}") | any')
+        echo "::set-output name=ismerge::$ISMERGE"
+    - name: Warn if the commit was a direct push
+      if: steps.ismerge.outputs.ismerge != 'true'
+      uses: peter-evans/commit-comment@v1
+      with:
+        body: |
+          @${{ github.actor }}, you pushed a commit directly to master/release branch
+          instead of going through a Pull Request.
+
+          That's highly discouraged beyond the few exceptions listed
+          on https://github.com/NixOS/nixpkgs/issues/118661
diff --git a/nixpkgs/.github/workflows/labels.yml b/nixpkgs/.github/workflows/labels.yml
index 4232ceb62368..4d1e2a2a0f95 100644
--- a/nixpkgs/.github/workflows/labels.yml
+++ b/nixpkgs/.github/workflows/labels.yml
@@ -4,6 +4,10 @@ on:
   pull_request_target:
     types: [edited, opened, synchronize, reopened]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   labels:
     runs-on: ubuntu-latest
diff --git a/nixpkgs/.github/workflows/manual-nixos.yml b/nixpkgs/.github/workflows/manual-nixos.yml
index fa1f8fc6911e..c885f6f7665c 100644
--- a/nixpkgs/.github/workflows/manual-nixos.yml
+++ b/nixpkgs/.github/workflows/manual-nixos.yml
@@ -1,5 +1,7 @@
 name: "Build NixOS manual"
 
+permissions: read-all
+
 on:
   pull_request_target:
     branches:
diff --git a/nixpkgs/.github/workflows/manual-nixpkgs.yml b/nixpkgs/.github/workflows/manual-nixpkgs.yml
index 192a4c6868a4..6f7ad10efd90 100644
--- a/nixpkgs/.github/workflows/manual-nixpkgs.yml
+++ b/nixpkgs/.github/workflows/manual-nixpkgs.yml
@@ -1,5 +1,7 @@
 name: "Build Nixpkgs manual"
 
+permissions: read-all
+
 on:
   pull_request_target:
     branches: