ci/pinned: manage nixpkgs and treefmt-nix with npins

Instead of rolling our own update script which only works for a single
pin, let's use npins. We can then use it for the treefmtNix pin as well,
which was mostly unmaintained, so far.

ci/README.md

@@ -7,9 +7,9 @@ This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which i
 
 CI may need certain packages from Nixpkgs.
 In order to ensure that the needed packages are generally available without building,
-[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
+[`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra.
 
-Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
+Run [`update-pinned.sh`](./update-pinned.sh) to update it.
 
 ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
 

ci/default.nix

@@ -1,5 +1,5 @@
 let
-  pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json);
+  pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins;
 in
 {
   system ? builtins.currentSystem,
@@ -10,8 +10,8 @@ let
   nixpkgs' =
     if nixpkgs == null then
       fetchTarball {
-        url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz";
-        sha256 = pinnedNixpkgs.sha256;
+        inherit (pinned.nixpkgs) url;
+        sha256 = pinned.nixpkgs.hash;
       }
     else
       nixpkgs;
@@ -25,9 +25,8 @@ let
   fmt =
     let
       treefmtNixSrc = fetchTarball {
-        # Master at 2025-02-12
-        url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz";
-        sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna";
+        inherit (pinned.treefmt-nix) url;
+        sha256 = pinned.treefmt-nix.hash;
       };
       treefmtEval = (import treefmtNixSrc).evalModule pkgs {
         # Important: The auto-rebase script uses `git filter-branch --tree-filter`,

ci/pinned-nixpkgs.json

@@ -1,4 +0,0 @@
-{
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
-}

ci/pinned.json

@@ -0,0 +1,31 @@
+{
+  "pins": {
+    "nixpkgs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "NixOS",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixpkgs-unstable",
+      "submodules": false,
+      "revision": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
+      "url": "https://github.com/NixOS/nixpkgs/archive/3d1f29646e4b57ed468d60f9d286cde23a8d1707.tar.gz",
+      "hash": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
+    },
+    "treefmt-nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "numtide",
+        "repo": "treefmt-nix"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "4f09b473c936d41582dd744e19f34ec27592c5fd",
+      "url": "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz",
+      "hash": "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna"
+    }
+  },
+  "version": 5
+}

ci/update-pinned-nixpkgs.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
-
-set -euo pipefail
-
-# https://stackoverflow.com/a/246128
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-repo=https://github.com/nixos/nixpkgs
-branch=nixpkgs-unstable
-file=$SCRIPT_DIR/pinned-nixpkgs.json
-
-defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
-rev=${1:-$defaultRev}
-sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
-
-jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file

ci/update-pinned.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p npins
+
+set -euo pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+npins --lock-file pinned.json update