Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs

Conflicts:
	nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix

9 files changed, 66 insertions, 14 deletions

diff --git a/nixpkgs/.github/CODEOWNERS b/nixpkgs/.github/CODEOWNERS
index f60b20dd8527..d2d2bbc9ae7f 100644
--- a/nixpkgs/.github/CODEOWNERS
+++ b/nixpkgs/.github/CODEOWNERS
@@ -66,6 +66,10 @@
 /doc/build-helpers/images/makediskimage.section.md  @raitobezarius
 /nixos/lib/make-disk-image.nix                 @raitobezarius
 
+# Nix, the package manager
+pkgs/tools/package-management/nix/                    @raitobezarius
+nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
+
 # Nixpkgs documentation
 /maintainers/scripts/db-to-md.sh @jtojnar @ryantm
 /maintainers/scripts/doc @jtojnar @ryantm
@@ -216,6 +220,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/modules/services/networking/ntp @thoughtpolice
 
 # Network
+/pkgs/tools/networking/octodns @Janik-Haag
 /pkgs/tools/networking/kea/default.nix @mweinelt
 /pkgs/tools/networking/babeld/default.nix @mweinelt
 /nixos/modules/services/networking/babeld.nix @mweinelt
diff --git a/nixpkgs/.github/workflows/basic-eval.yml b/nixpkgs/.github/workflows/basic-eval.yml
index 46f87b0297c3..a0cd990ebc73 100644
--- a/nixpkgs/.github/workflows/basic-eval.yml
+++ b/nixpkgs/.github/workflows/basic-eval.yml
@@ -19,8 +19,8 @@ jobs:
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
-    - uses: cachix/cachix-action@6a2e08b5ebf7a9f285ff57b1870a4262b06e0bee # v13
+    - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+    - uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
         name: nixpkgs-ci
diff --git a/nixpkgs/.github/workflows/check-by-name.yml b/nixpkgs/.github/workflows/check-by-name.yml
index a9a6181a47bd..4295c6475848 100644
--- a/nixpkgs/.github/workflows/check-by-name.yml
+++ b/nixpkgs/.github/workflows/check-by-name.yml
@@ -4,8 +4,8 @@
 # When you make changes to this workflow, also update pkgs/test/nixpkgs-check-by-name/scripts/run-local.sh adequately
 name: Check pkgs/by-name
 
-# The pre-built tool is fetched from a channel,
-# making it work predictable on all PRs.
+# The tool is pinned to a pre-built version on Hydra,
+# see pkgs/test/nixpkgs-check-by-name/scripts/README.md
 on:
   # Using pull_request_target instead of pull_request avoids having to approve first time contributors
   pull_request_target
@@ -90,9 +90,14 @@ jobs:
           base=$(mktemp -d)
           git worktree add "$base" "$(git rev-parse HEAD^1)"
           echo "base=$base" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
-      - name: Fetching the tool
-        run: pkgs/test/nixpkgs-check-by-name/scripts/fetch-tool.sh "$GITHUB_BASE_REF" result
+      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+      - name: Fetching the pinned tool
+        # Update the pinned version using pkgs/test/nixpkgs-check-by-name/scripts/update-pinned-tool.sh
+        run: |
+          # Get the direct /nix/store path from the pin to avoid having to evaluate Nixpkgs
+          toolPath=$(jq -r '."ci-path"' pkgs/test/nixpkgs-check-by-name/scripts/pinned-tool.json)
+          # This asks the substituter for the path, which should be there because Hydra will have pre-built and pushed it
+          nix-store --realise "$toolPath" --add-root result
       - name: Running nixpkgs-check-by-name
         run: |
           if result/bin/nixpkgs-check-by-name --base "$base" .; then
diff --git a/nixpkgs/.github/workflows/check-maintainers-sorted.yaml b/nixpkgs/.github/workflows/check-maintainers-sorted.yaml
index 94f71ad7f894..074644153204 100644
--- a/nixpkgs/.github/workflows/check-maintainers-sorted.yaml
+++ b/nixpkgs/.github/workflows/check-maintainers-sorted.yaml
@@ -16,7 +16,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
diff --git a/nixpkgs/.github/workflows/editorconfig.yml b/nixpkgs/.github/workflows/editorconfig.yml
index 80067327fdb9..6b151d45be2a 100644
--- a/nixpkgs/.github/workflows/editorconfig.yml
+++ b/nixpkgs/.github/workflows/editorconfig.yml
@@ -28,7 +28,7 @@ jobs:
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+    - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
       with:
         # nixpkgs commit is pinned so that it doesn't break
         # editorconfig-checker 2.4.0
diff --git a/nixpkgs/.github/workflows/manual-nixos.yml b/nixpkgs/.github/workflows/manual-nixos.yml
index 2c42f83e3010..c9c2451a9df2 100644
--- a/nixpkgs/.github/workflows/manual-nixos.yml
+++ b/nixpkgs/.github/workflows/manual-nixos.yml
@@ -18,11 +18,11 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@6a2e08b5ebf7a9f285ff57b1870a4262b06e0bee # v13
+      - uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
diff --git a/nixpkgs/.github/workflows/manual-nixpkgs.yml b/nixpkgs/.github/workflows/manual-nixpkgs.yml
index f33ca16f276a..d9a425a494ab 100644
--- a/nixpkgs/.github/workflows/manual-nixpkgs.yml
+++ b/nixpkgs/.github/workflows/manual-nixpkgs.yml
@@ -19,11 +19,11 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@6a2e08b5ebf7a9f285ff57b1870a4262b06e0bee # v13
+      - uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
diff --git a/nixpkgs/.github/workflows/nix-parse.yml b/nixpkgs/.github/workflows/nix-parse.yml
new file mode 100644
index 000000000000..e625cca93c5c
--- /dev/null
+++ b/nixpkgs/.github/workflows/nix-parse.yml
@@ -0,0 +1,42 @@
+name: "Check whether nix files are parseable"
+
+permissions: read-all
+
+on:
+  # avoids approving first time contributors
+  pull_request_target:
+    branches-ignore:
+      - 'release-**'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+    - name: Get list of changed files from PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        gh api \
+          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
+          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
+          > "$HOME/changed_files"
+        if [[ -s "$HOME/changed_files" ]]; then
+          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
+        fi
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
+    - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+      with:
+        nix_path: nixpkgs=channel:nixpkgs-unstable
+    - name: Parse all changed or added nix files
+      run: |
+        ret=0
+        while IFS= read -r file; do
+          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
+        done < "$HOME/changed_files"
+        exit "$ret"
+      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
diff --git a/nixpkgs/.github/workflows/update-terraform-providers.yml b/nixpkgs/.github/workflows/update-terraform-providers.yml
index a67070fe6abe..108c0590d6bb 100644
--- a/nixpkgs/.github/workflows/update-terraform-providers.yml
+++ b/nixpkgs/.github/workflows/update-terraform-providers.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+      - uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
       - name: setup