workflows: small refactors

.github/workflows/backport.yml

@@ -1,13 +1,14 @@
-name: Backport
-on:
-  pull_request_target:
-    types: [closed, labeled]
-
 # WARNING:
 # When extending this action, be aware that $GITHUB_TOKEN allows write access to
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.
 
+name: Backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
 permissions: {}
 
 jobs:
@@ -23,10 +24,12 @@ jobs:
         with:
           app-id: ${{ vars.BACKPORT_APP_ID }}
           private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}
+
       - name: Create backport PRs
         uses: korthout/backport-action@be567af183754f6a5d831ae90f648954763f17f5 # v3.1.0
         with:

.github/workflows/check-cherry-picks.yml

@@ -1,10 +1,11 @@
 name: "Check cherry-picks"
+
 on:
   pull_request_target:
     branches:
-     - 'release-**'
-     - 'staging-**'
-     - '!staging-next'
+      - 'release-**'
+      - 'staging-**'
+      - '!staging-next'
 
 permissions: {}
 
@@ -14,13 +15,14 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        fetch-depth: 0
-        filter: blob:none
-    - name: Check cherry-picks
-      env:
-        BASE_SHA: ${{ github.event.pull_request.base.sha }}
-        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      run: |
-        ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          filter: blob:none
+
+      - name: Check cherry-picks
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"

.github/workflows/check-maintainers-sorted.yaml → .github/workflows/check-maintainers-sorted.yml

@@ -4,14 +4,14 @@ on:
   pull_request_target:
     paths:
       - 'maintainers/maintainer-list.nix'
+
 permissions:
   contents: read
 
 jobs:
   nixos:
     name: maintainer-list-check
     runs-on: ubuntu-24.04
-    if: github.repository_owner == 'NixOS'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -21,9 +21,11 @@ jobs:
           sparse-checkout: |
             lib
             maintainers
+
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
+
       - name: Check that maintainer-list.nix is sorted
         run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix

.github/workflows/check-nix-format.yml

@@ -3,12 +3,14 @@
 # https://github.com/NixOS/rfcs/pull/166.
 # Because of this, this action is not yet enabled for all files -- only for
 # those who have opted in.
+
 name: Check that Nix files are formatted
 
 on:
   pull_request_target:
     # See the comment at the same location in ./nixpkgs-vet.yml
     types: [opened, synchronize, reopened, edited]
+
 permissions:
   contents: read
 
@@ -28,27 +30,32 @@ jobs:
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
           # Fetches the merge commit and its parents
           fetch-depth: 2
+
       - name: Checking out base branch
         run: |
           base=$(mktemp -d)
           baseRev=$(git rev-parse HEAD^1)
           git worktree add "$base" "$baseRev"
           echo "baseRev=$baseRev" >> "$GITHUB_ENV"
           echo "base=$base" >> "$GITHUB_ENV"
+
       - name: Get Nixpkgs revision for nixfmt
         run: |
           # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
           # from staging
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
           nix_path: nixpkgs=${{ env.url }}
+
       - name: Install nixfmt
         run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
+
       - name: Check that Nix files are formatted according to the RFC style
         run: |
           unformattedFiles=()

.github/workflows/check-nixf-tidy.yml

@@ -3,6 +3,7 @@ name: Check changed Nix files with nixf-tidy (experimental)
 on:
   pull_request_target:
     types: [opened, synchronize, reopened, edited]
+
 permissions:
   contents: read
 
@@ -18,28 +19,33 @@ jobs:
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
           # Fetches the merge commit and its parents
           fetch-depth: 2
+
       - name: Checking out base branch
         run: |
           base=$(mktemp -d)
           baseRev=$(git rev-parse HEAD^1)
           git worktree add "$base" "$baseRev"
           echo "baseRev=$baseRev" >> "$GITHUB_ENV"
           echo "base=$base" >> "$GITHUB_ENV"
+
       - name: Get Nixpkgs revision for nixf
         run: |
           # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
           # from staging
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
           nix_path: nixpkgs=${{ env.url }}
+
       - name: Install nixf and jq
         # provided jq is incompatible with our expression
         run: "nix-env -f '<nixpkgs>' -iAP nixf jq"
+
       - name: Check that Nix files pass nixf-tidy
         run: |
           # Filtering error messages we don't like

.github/workflows/check-shell.yml

@@ -9,26 +9,26 @@ on:
 permissions: {}
 
 jobs:
-  x86_64-linux:
-    name: shell-check-x86_64-linux
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
-      - name: Build shell
-        run: nix-build shell.nix
+  shell-check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            system: x86_64-linux
+          - runner: macos-14
+            system: aarch64-darwin
+
+    name: shell-check-${{ matrix.system }}
+    runs-on: ${{ matrix.runner }}
 
-  aarch64-darwin:
-    name: shell-check-aarch64-darwin
-    runs-on: macos-14
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
+
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+
       - name: Build shell
         run: nix-build shell.nix