workflows: lock Ubuntu runner to ubuntu-22.04

Lock the Ubuntu runner to ubuntu-22.04 to avoid accidental updates [1] and increase reproducibility. [1]: https://github.com/actions/runner-images/issues/10636
2024-12-27 00:53:38 +01:00 · 2024-12-27 00:53:38 +01:00 · 2660dd1e71
commit 2660dd1e71
parent 90c106c68d
22 changed files with 27 additions and 27 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -14,7 +14,7 @@ jobs:
  backport:
    name: Backport Pull Request
    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
--- a/.github/workflows/basic-eval.yml
+++ b/.github/workflows/basic-eval.yml
@ -16,7 +16,7 @@ permissions:
 jobs:
  tests:
    name: basic-eval-checks
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
    steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/check-cherry-picks.yml
+++ b/.github/workflows/check-cherry-picks.yml
@ -11,7 +11,7 @@ permissions: {}
 jobs:
  check:
    name: cherry-pick-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: github.repository_owner == 'NixOS'
    steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/check-maintainers-sorted.yaml
+++ b/.github/workflows/check-maintainers-sorted.yaml
@ -10,7 +10,7 @@ permissions:
 jobs:
  nixos:
    name: maintainer-list-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: github.repository_owner == 'NixOS'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/check-nix-format.yml
+++ b/.github/workflows/check-nix-format.yml
@ -18,7 +18,7 @@ jobs:

  nixos:
    name: nixfmt-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
--- a/.github/workflows/check-nixf-tidy.yml
+++ b/.github/workflows/check-nixf-tidy.yml
@ -9,7 +9,7 @@ permissions:
 jobs:
  nixos:
    name: exp-nixf-tidy-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@ -11,7 +11,7 @@ permissions: {}
 jobs:
  x86_64-linux:
    name: shell-check-x86_64-linux
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@ -41,7 +41,7 @@ jobs:
  # Check that code owners is valid
  check:
    name: Check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    if: needs.get-merge-commit.outputs.mergedSha
    steps:
@ -88,7 +88,7 @@ jobs:
  # Request reviews from code owners
  request:
    name: Request
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

--- a/.github/workflows/editorconfig-v2.yml
+++ b/.github/workflows/editorconfig-v2.yml
@ -16,7 +16,7 @@ jobs:

  tests:
    name: editorconfig-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
--- a/.github/workflows/eval-lib-tests.yml
+++ b/.github/workflows/eval-lib-tests.yml
@ -13,7 +13,7 @@ jobs:

  nixpkgs-lib-tests:
    name: nixpkgs-lib-tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    if: needs.get-merge-commit.outputs.mergedSha
    steps:
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@ -21,7 +21,7 @@ jobs:

  attrs:
    name: Attributes
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    # Skip this and dependent steps if the PR can't be merged
    if: needs.get-merge-commit.outputs.mergedSha
@ -60,7 +60,7 @@ jobs:

  eval-aliases:
    name: Eval nixpkgs with aliases enabled
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: [ attrs, get-merge-commit ]
    steps:
      - name: Check out the PR at the test merge commit
@ -78,7 +78,7 @@ jobs:

  outpaths:
    name: Outpaths
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: [ attrs, get-merge-commit ]
    strategy:
      fail-fast: false
@ -118,7 +118,7 @@ jobs:

  process:
    name: Process
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: [ outpaths, attrs, get-merge-commit ]
    outputs:
      baseRunId: ${{ steps.baseRunId.outputs.baseRunId }}
@ -218,7 +218,7 @@ jobs:
  # Separate job to have a very tightly scoped PR write token
  tag:
    name: Tag
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: [ attrs, process ]
    if: needs.process.outputs.baseRunId
    permissions:
--- a/.github/workflows/get-merge-commit.yml
+++ b/.github/workflows/get-merge-commit.yml
@ -12,7 +12,7 @@ permissions: {}

 jobs:
  resolve-merge-commit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    outputs:
      mergedSha: ${{ steps.merged.outputs.mergedSha }}
    steps:
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@ -16,7 +16,7 @@ permissions:
 jobs:
  labels:
    name: label-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@ -13,7 +13,7 @@ on:
 jobs:
  nixos:
    name: nixos-manual-build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: github.repository_owner == 'NixOS'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@ -15,7 +15,7 @@ on:
 jobs:
  nixpkgs:
    name: nixpkgs-manual-build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: github.repository_owner == 'NixOS'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@ -16,7 +16,7 @@ jobs:

  tests:
    name: nix-files-parseable-check
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    if: "needs.get-merge-commit.outputs.mergedSha && github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@ -25,7 +25,7 @@ jobs:
  check:
    name: nixpkgs-vet
    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
    timeout-minutes: 10
    needs: get-merge-commit
--- a/.github/workflows/no-channel.yml
+++ b/.github/workflows/no-channel.yml
@ -13,7 +13,7 @@ permissions: {}
 jobs:
  fail:
    name: "This PR is is targeting a channel branch"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
    - run: |
        cat <<EOF
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@ -24,7 +24,7 @@ jobs:
      contents: write  # for devmasx/merge-branch to merge branches
      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
    if: github.repository_owner == 'NixOS'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    strategy:
      # don't fail fast, so that all pairs are tried
      fail-fast: false
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@ -24,7 +24,7 @@ jobs:
      contents: write  # for devmasx/merge-branch to merge branches
      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
    if: github.repository_owner == 'NixOS'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    strategy:
      # don't fail fast, so that all pairs are tried
      fail-fast: false
--- a/.github/workflows/periodic-merge-haskell-updates.yml
+++ b/.github/workflows/periodic-merge-haskell-updates.yml
@ -26,7 +26,7 @@ jobs:
      contents: write  # for devmasx/merge-branch to merge branches
      pull-requests: write  # for peter-evans/create-or-update-comment to create or update comment
    if: github.repository_owner == 'NixOS'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: git merge-base master staging → haskell-updates
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/ci/README.md
+++ b/ci/README.md
@ -73,7 +73,7 @@ jobs:

  build:
    name: Build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: get-merge-commit
    steps:
      - uses: actions/checkout@<VERSION>