From a70d047c15924eb72388dd35b2826e34c3f69872 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther <walther@technowledgy.de>
Date: Wed, 7 May 2025 18:54:27 +0200
Subject: [PATCH] workflows/editorconfig.editorconfig-checker: 2.4.0 -> 3.2.0

We have a pinned nixpkgs revision for all our CI tools, but we're not
making use of it for editorconfig-checker. Instead, it has it's own,
unmaintained, pin.

Let's fix that. On the way, we're upgrading the tool to 3.2.1, which
requires adjusting our .editorconfig file slightly to ignore
auto-generated package-lock.json files.
---
 .editorconfig                         |  5 +++--
 .github/workflows/editorconfig-v2.yml | 11 ++++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.editorconfig b/.editorconfig
index 9f0706d981a5..020db105c04a 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -48,9 +48,10 @@ indent_size = 4
 indent_size = 2
 indent_style = space
 
-# Match package.json, which are generally pulled from upstream and accept them as they are
-[package.json]
+# Match package.json and package-lock.json, which are generally pulled from upstream and accept them as they are
+[package{,-lock}.json]
 indent_style = unset
+insert_final_newline = unset
 
 # Disable file types or individual files
 # some of these files may be auto-generated and/or require significant changes
diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml
index c2428ce64e29..68d780f2190f 100644
--- a/.github/workflows/editorconfig-v2.yml
+++ b/.github/workflows/editorconfig-v2.yml
@@ -32,11 +32,16 @@ jobs:
         with:
           ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
 
+      - name: Get Nixpkgs revision for editorconfig-checker
+        run: |
+          # Pin to a commit from nixpkgs-unstable to avoid building from e.g. staging.
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
-          # nixpkgs commit is pinned so that it doesn't break
-          # editorconfig-checker 2.4.0
-          nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/c473cc8714710179df205b153f4e9fa007107ff9.tar.gz
+          nix_path: nixpkgs=${{ env.url }}
 
       - name: Checking EditorConfig
         run: |