From f7c25f0bf987f8a276d39a30075d067f54ad5b3e Mon Sep 17 00:00:00 2001
From: Wolfgang Walther <walther@technowledgy.de>
Date: Sat, 31 May 2025 19:09:58 +0200
Subject: [PATCH] ci/pinned: manage nixpkgs and treefmt-nix with npins

Instead of rolling our own update script which only works for a single
pin, let's use npins. We can then use it for the treefmtNix pin as well,
which was mostly unmaintained, so far.
---
 ci/README.md                |  4 ++--
 ci/default.nix              | 11 +++++------
 ci/pinned-nixpkgs.json      |  4 ----
 ci/pinned.json              | 31 +++++++++++++++++++++++++++++++
 ci/update-pinned-nixpkgs.sh | 17 -----------------
 ci/update-pinned.sh         |  8 ++++++++
 6 files changed, 46 insertions(+), 29 deletions(-)
 delete mode 100644 ci/pinned-nixpkgs.json
 create mode 100644 ci/pinned.json
 delete mode 100755 ci/update-pinned-nixpkgs.sh
 create mode 100755 ci/update-pinned.sh

diff --git a/ci/README.md b/ci/README.md
index 67f55d15e548..66fb707ebec5 100644
--- a/ci/README.md
+++ b/ci/README.md
@@ -7,9 +7,9 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
 
 CI may need certain packages from Nixpkgs.
 In order to ensure that the needed packages are generally available without building,
-[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
+[`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
 
-Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
+Run [`update-pinned.sh`](./update-pinned.sh) to update it.
 
 ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
 
diff --git a/ci/default.nix b/ci/default.nix
index 94d049903fca..ec35121bb24b 100644
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -1,5 +1,5 @@
 let
-  pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
+  pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
 in
 {
   system ? builtins.currentSystem,
@@ -10,8 +10,8 @@ let
   nixpkgs' =
     if nixpkgs == null then
       fetchTarball {
-        url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
-        sha256 = pinnedNixpkgs.sha256;
+        inherit (pinned.nixpkgs) url;
+        sha256 = pinned.nixpkgs.hash;
       }
     else
       nixpkgs;
@@ -25,9 +25,8 @@ let
   fmt =
     let
       treefmtNixSrc = fetchTarball {
-        # Master at 2025-02-12
-        url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
-        sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
+        inherit (pinned.treefmt-nix) url;
+        sha256 = pinned.treefmt-nix.hash;
       };
       treefmtEval = (import treefmtNixSrc).evalModule pkgs {
         # Important: The auto-rebase script uses `git filter-branch --tree-filter`,
diff --git a/ci/pinned-nixpkgs.json b/ci/pinned-nixpkgs.json
deleted file mode 100644
index 7a9596380c41..000000000000
--- a/ci/pinned-nixpkgs.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
-}
diff --git a/ci/pinned.json b/ci/pinned.json
new file mode 100644
index 000000000000..9748d218f5ea
--- /dev/null
+++ b/ci/pinned.json
@@ -0,0 +1,31 @@
+{
+  "pins": {
+    "nixpkgs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "NixOS",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixpkgs-unstable",
+      "submodules": false,
+      "revision": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
+      "url": "https://github.com/NixOS/nixpkgs/archive/3d1f29646e4b57ed468d60f9d286cde23a8d1707.tar.gz",
+      "hash": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
+    },
+    "treefmt-nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "numtide",
+        "repo": "treefmt-nix"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "4f09b473c936d41582dd744e19f34ec27592c5fd",
+      "url": "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz",
+      "hash": "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna"
+    }
+  },
+  "version": 5
+}
diff --git a/ci/update-pinned-nixpkgs.sh b/ci/update-pinned-nixpkgs.sh
deleted file mode 100755
index d44b59d80ede..000000000000
--- a/ci/update-pinned-nixpkgs.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
-
-set -euo pipefail
-
-# https://stackoverflow.com/a/246128
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-repo=https://github.com/nixos/nixpkgs
-branch=nixpkgs-unstable
-file=$SCRIPT_DIR/pinned-nixpkgs.json
-
-defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
-rev=${1:-$defaultRev}
-sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
-
-jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file
diff --git a/ci/update-pinned.sh b/ci/update-pinned.sh
new file mode 100755
index 000000000000..7e3a26695fe8
--- /dev/null
+++ b/ci/update-pinned.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p npins
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+npins --lock-file pinned.json update