From 703c7d93c50096ef4e861265deaf19a18954e863 Mon Sep 17 00:00:00 2001 From: NAHO <90870942+trueNAHO@users.noreply.github.com> Date: Fri, 27 Dec 2024 00:53:38 +0100 Subject: [PATCH] workflows: lock Ubuntu runner to ubuntu-22.04 Lock the Ubuntu runner to ubuntu-22.04 to avoid accidental updates [1] and increase reproducibility. [1]: https://github.com/actions/runner-images/issues/10636 --- .github/workflows/backport.yml | 2 +- .github/workflows/basic-eval.yml | 2 +- .github/workflows/check-cherry-picks.yml | 2 +- .github/workflows/check-maintainers-sorted.yaml | 2 +- .github/workflows/check-nix-format.yml | 2 +- .github/workflows/check-nixf-tidy.yml | 2 +- .github/workflows/check-shell.yml | 2 +- .github/workflows/codeowners-v2.yml | 4 ++-- .github/workflows/editorconfig-v2.yml | 2 +- .github/workflows/eval-lib-tests.yml | 2 +- .github/workflows/eval.yml | 10 +++++----- .github/workflows/get-merge-commit.yml | 2 +- .github/workflows/labels.yml | 2 +- .github/workflows/manual-nixos-v2.yml | 2 +- .github/workflows/manual-nixpkgs-v2.yml | 2 +- .github/workflows/nix-parse-v2.yml | 2 +- .github/workflows/nixpkgs-vet.yml | 2 +- .github/workflows/no-channel.yml | 2 +- .github/workflows/ofborg-pending.yml | 2 +- .github/workflows/periodic-merge-24h.yml | 2 +- .github/workflows/periodic-merge-6h.yml | 2 +- 21 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 1e5a1a229d548..faa74fd248f62 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -14,7 +14,7 @@ jobs: backport: name: Backport Pull Request if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name)) - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: # Use a GitHub App to create the PR so that CI gets triggered # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs 
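Review bot: The unchanged `if:` line directly above the new `runs-on` in backport.yml has a label guard that never takes effect. `github.event_name` holds the event name, never the activity type `labeled`, so `github.event_name != 'labeled'` is always true and the `startsWith(...)` after `||` is never consulted; that call also has its arguments reversed, since `startsWith` takes the string to search first. The likely intent is `(github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))`. As written the job appears to start on every merged pull request event the trigger delivers, and per the comment in this hunk it runs with a GitHub App that has Contents and Pull Requests write access, so the guard is worth fixing in a follow-up. The `on:` trigger and the steps are outside the hunk, so whether the backport action filters labels itself cannot be confirmed here.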
diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml index be60504561895..0c4becc5521ca 100644 --- a/.github/workflows/basic-eval.yml +++ b/.github/workflows/basic-eval.yml @@ -16,7 +16,7 @@ permissions: jobs: tests: name: basic-eval-checks - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/check-cherry-picks.yml b/.github/workflows/check-cherry-picks.yml index cbd5d66c42329..6572214e8a062 100644 --- a/.github/workflows/check-cherry-picks.yml +++ b/.github/workflows/check-cherry-picks.yml @@ -11,7 +11,7 @@ permissions: {} jobs: check: name: cherry-pick-check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yaml index 7092cf3fee382..ba438d8dc6780 100644 --- a/.github/workflows/check-maintainers-sorted.yaml +++ b/.github/workflows/check-maintainers-sorted.yaml @@ -10,7 +10,7 @@ permissions: jobs: nixos: name: maintainer-list-check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml index 19f80085c5cc5..9bfe44b166f79 100644 --- a/.github/workflows/check-nix-format.yml +++ b/.github/workflows/check-nix-format.yml @@ -18,7 +18,7 @@ jobs: nixos: name: nixfmt-check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: get-merge-commit if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')" steps: 
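Review bot: The new `runs-on: ubuntu-22.04` in basic-eval.yml has no comment saying why the release is pinned or when it should move, and the same bare literal is repeated in every other workflow in this patch (backport.yml through periodic-merge-6h.yml in the diffstat). The label fixes the Ubuntu release only; the hosted image behind it is still rebuilt on GitHub's schedule, so installed tool versions can still change between runs, and a forgotten pin eventually leaves all of these jobs on a retired image. nixpkgs-vet.yml already explains its architecture constraint in a comment above `runs-on`; the pin deserves the same, for example `runs-on: ubuntu-22.04 # pinned deliberately (actions/runner-images#10636); bump in one reviewed change`.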
diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml index 481ae2df4c31f..0cbdcf7455716 100644 --- a/.github/workflows/check-nixf-tidy.yml +++ b/.github/workflows/check-nixf-tidy.yml @@ -9,7 +9,7 @@ permissions: jobs: nixos: name: exp-nixf-tidy-check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: "!contains(github.event.pull_request.title, '[skip treewide]')" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index 316813879e81c..63b4e4d4fe82d 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -11,7 +11,7 @@ permissions: {} jobs: x86_64-linux: name: shell-check-x86_64-linux - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml index 6329e1d9ea110..e96565c1b3676 100644 --- a/.github/workflows/codeowners-v2.yml +++ b/.github/workflows/codeowners-v2.yml @@ -39,7 +39,7 @@ jobs: # Check that code owners is valid check: name: Check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: get-merge-commit if: needs.get-merge-commit.outputs.mergedSha steps: @@ -86,7 +86,7 @@ jobs: # Request reviews from code owners request: name: Request - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 diff --git a/.github/workflows/editorconfig-v2.yml b/.github/workflows/editorconfig-v2.yml index 07afb60bc3ae0..9b6f0b3128b07 100644 --- a/.github/workflows/editorconfig-v2.yml +++ b/.github/workflows/editorconfig-v2.yml 
@@ -16,7 +16,7 @@ jobs: tests: name: editorconfig-check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: get-merge-commit if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: diff --git a/.github/workflows/eval-lib-tests.yml b/.github/workflows/eval-lib-tests.yml index 9321783c79960..c1cfa31644f26 100644 --- a/.github/workflows/eval-lib-tests.yml +++ b/.github/workflows/eval-lib-tests.yml @@ -13,7 +13,7 @@ jobs: nixpkgs-lib-tests: name: nixpkgs-lib-tests - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: get-merge-commit if: needs.get-merge-commit.outputs.mergedSha steps: diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml index 06cff2b878d3e..49ce31268efbd 100644 --- a/.github/workflows/eval.yml +++ b/.github/workflows/eval.yml @@ -21,7 +21,7 @@ jobs: attrs: name: Attributes - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: get-merge-commit # Skip this and dependent steps if the PR can't be merged if: needs.get-merge-commit.outputs.mergedSha @@ -60,7 +60,7 @@ jobs: eval-aliases: name: Eval nixpkgs with aliases enabled - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: [ attrs, get-merge-commit ] steps: - name: Check out the PR at the test merge commit @@ -78,7 +78,7 @@ jobs: outpaths: name: Outpaths - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: [ attrs, get-merge-commit ] strategy: fail-fast: false @@ -118,7 +118,7 @@ jobs: process: name: Process - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: [ outpaths, attrs, get-merge-commit ] outputs: baseRunId: ${{ steps.baseRunId.outputs.baseRunId }} @@ -211,7 +211,7 @@ jobs: # Separate job to have a very tightly scoped PR write token tag: name: Tag - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: process if: needs.process.outputs.baseRunId permissions: 
diff --git a/.github/workflows/get-merge-commit.yml b/.github/workflows/get-merge-commit.yml index 63154d73ed9d2..3820ed1252914 100644 --- a/.github/workflows/get-merge-commit.yml +++ b/.github/workflows/get-merge-commit.yml @@ -12,7 +12,7 @@ permissions: {} jobs: resolve-merge-commit: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: mergedSha: ${{ steps.merged.outputs.mergedSha }} steps: diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 724164bebdfc9..f46cf693bc83f 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -16,7 +16,7 @@ permissions: jobs: labels: name: label-pr - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml index 0678568e52717..25c8df2a7b2b0 100644 --- a/.github/workflows/manual-nixos-v2.yml +++ b/.github/workflows/manual-nixos-v2.yml @@ -13,7 +13,7 @@ on: jobs: nixos: name: nixos-manual-build - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml index 0410cfd904b29..d444c57d676b7 100644 --- a/.github/workflows/manual-nixpkgs-v2.yml +++ b/.github/workflows/manual-nixpkgs-v2.yml @@ -15,7 +15,7 @@ on: jobs: nixpkgs: name: nixpkgs-manual-build - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: github.repository_owner == 'NixOS' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index b6bb8fe28197f..9e4e5aa0a676c 100644 --- a/.github/workflows/nix-parse-v2.yml 
+++ b/.github/workflows/nix-parse-v2.yml @@ -16,7 +16,7 @@ jobs: tests: name: nix-files-parseable-check - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: get-merge-commit if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')" steps: diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index 65c1028f1059e..5320aa6f91fa3 100644 --- a/.github/workflows/nixpkgs-vet.yml +++ b/.github/workflows/nixpkgs-vet.yml @@ -25,7 +25,7 @@ jobs: check: name: nixpkgs-vet # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases. - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long. timeout-minutes: 10 needs: get-merge-commit diff --git a/.github/workflows/no-channel.yml b/.github/workflows/no-channel.yml index 90c38f22c007b..1b3e1e6a7fbc4 100644 --- a/.github/workflows/no-channel.yml +++ b/.github/workflows/no-channel.yml @@ -14,7 +14,7 @@ jobs: permissions: contents: none name: "This PR is is targeting a channel branch" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - run: | cat <