Merge master into staging-next

nixos/modules/module-list.nix

@@ -288,6 +288,7 @@
   ./services/continuous-integration/hail.nix
   ./services/continuous-integration/hercules-ci-agent/default.nix
   ./services/continuous-integration/hydra/default.nix
+  ./services/continuous-integration/github-runner.nix
   ./services/continuous-integration/gitlab-runner.nix
   ./services/continuous-integration/gocd-agent/default.nix
   ./services/continuous-integration/gocd-server/default.nix

nixos/modules/services/continuous-integration/github-runner.nix

@@ -0,0 +1,299 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.services.github-runner;
+  svcName = "github-runner";
+  systemdDir = "${svcName}/${cfg.name}";
+  # %t: Runtime directory root (usually /run); see systemd.unit(5)
+  runtimeDir = "%t/${systemdDir}";
+  # %S: State directory root (usually /var/lib); see systemd.unit(5)
+  stateDir = "%S/${systemdDir}";
+  # %L: Log directory root (usually /var/log); see systemd.unit(5)
+  logsDir = "%L/${systemdDir}";
+in
+{
+  options.services.github-runner = {
+    enable = mkOption {
+      default = false;
+      example = true;
+      description = ''
+        Whether to enable GitHub Actions runner.
+
+        Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here:
+        <link xlink:href="https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners"
+        >About self-hosted runners</link>.
+      '';
+      type = lib.types.bool;
+    };
+
+    url = mkOption {
+      type = types.str;
+      description = ''
+        Repository to add the runner to.
+
+        Changing this option triggers a new runner registration.
+      '';
+      example = "https://github.com/nixos/nixpkgs";
+    };
+
+    tokenFile = mkOption {
+      type = types.path;
+      description = ''
+        The full path to a file which contains the runner registration token.
+        The file should contain exactly one line with the token without any newline.
+        The token can be used to re-register a runner of the same name but is time-limited.
+
+        Changing this option or the file's content triggers a new runner registration.
+      '';
+      example = "/run/secrets/github-runner/nixos.token";
+    };
+
+    name = mkOption {
+      # Same pattern as for `networking.hostName`
+      type = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
+      description = ''
+        Name of the runner to configure. Defaults to the hostname.
+
+        Changing this option triggers a new runner registration.
+      '';
+      example = "nixos";
+      default = config.networking.hostName;
+    };
+
+    runnerGroup = mkOption {
+      type = types.nullOr types.str;
+      description = ''
+        Name of the runner group to add this runner to (defaults to the default runner group).
+
+        Changing this option triggers a new runner registration.
+      '';
+      default = null;
+    };
+
+    extraLabels = mkOption {
+      type = types.listOf types.str;
+      description = ''
+        Extra labels in addition to the default (<literal>["self-hosted", "Linux", "X64"]</literal>).
+
+        Changing this option triggers a new runner registration.
+      '';
+      example = literalExample ''[ "nixos" ]'';
+      default = [ ];
+    };
+
+    replace = mkOption {
+      type = types.bool;
+      description = ''
+        Replace any existing runner with the same name.
+
+        Without this flag, registering a new runner with the same name fails.
+      '';
+      default = false;
+    };
+
+    extraPackages = mkOption {
+      type = types.listOf types.package;
+      description = ''
+        Extra packages to add to <literal>PATH</literal> of the service to make them available to workflows.
+      '';
+      default = [ ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    warnings = optionals (isStorePath cfg.tokenFile) [
+      ''
+        `services.github-runner.tokenFile` points to the Nix store and, therefore, is world-readable.
+        Consider using a path outside of the Nix store to keep the token private.
+      ''
+    ];
+
+    systemd.services.${svcName} = {
+      description = "GitHub Actions runner";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+
+      environment = {
+        HOME = runtimeDir;
+        RUNNER_ROOT = runtimeDir;
+      };
+
+      path = (with pkgs; [
+        bash
+        coreutils
+        git
+        gnutar
+        gzip
+      ]) ++ [
+        config.nix.package
+      ] ++ cfg.extraPackages;
+
+      serviceConfig = rec {
+        ExecStart = "${pkgs.github-runner}/bin/runsvc.sh";
+
+        # Does the following, sequentially:
+        # - Copy the current and the previous `tokenFile` to the $RUNTIME_DIRECTORY
+        #   and make it accessible to the service user to allow for a content
+        #   comparison.
+        # - If the module configuration or the token has changed, clear the state directory.
+        # - Configure the runner.
+        # - Copy the configured `tokenFile` to the $STATE_DIRECTORY and make it
+        #   inaccessible to the service user.
+        # - Set up the directory structure by creating the necessary symlinks.
+        ExecStartPre =
+          let
+            # Wrapper script which expects the full path of the state, runtime and logs
+            # directory as arguments. Overrides the respective systemd variables to provide
+            # unambiguous directory names. This becomes relevant, for example, if the
+            # caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
+            # to contain more than one directory. This causes systemd to set the respective
+            # environment variables with the path of all of the given directories, separated
+            # by a colon.
+            writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
+              set -euo pipefail
+
+              STATE_DIRECTORY="$1"
+              RUNTIME_DIRECTORY="$2"
+              LOGS_DIRECTORY="$3"
+
+              ${lines}
+            '';
+            currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
+            runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" ] cfg;
+            newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
+            currentConfigTokenFilename = ".current-token";
+            newConfigTokenFilename = ".new-token";
+            runnerCredFiles = [
+              ".credentials"
+              ".credentials_rsaparams"
+              ".runner"
+            ];
+            ownConfigTokens = writeScript "own-config-tokens" ''
+              # Copy current and new token file to runtime dir and make it accessible to the service user
+              cp ${escapeShellArg cfg.tokenFile} "$RUNTIME_DIRECTORY/${newConfigTokenFilename}"
+              chmod 600 "$RUNTIME_DIRECTORY/${newConfigTokenFilename}"
+              chown "$USER" "$RUNTIME_DIRECTORY/${newConfigTokenFilename}"
+
+              if [[ -e "$STATE_DIRECTORY/${currentConfigTokenFilename}" ]]; then
+                cp "$STATE_DIRECTORY/${currentConfigTokenFilename}" "$RUNTIME_DIRECTORY/${currentConfigTokenFilename}"
+                chmod 600 "$RUNTIME_DIRECTORY/${currentConfigTokenFilename}"
+                chown "$USER" "$RUNTIME_DIRECTORY/${currentConfigTokenFilename}"
+              fi
+            '';
+            disownConfigTokens = writeScript "disown-config-tokens" ''
+              # Make the token inaccessible to the runner service user
+              chmod 600 "$STATE_DIRECTORY/${currentConfigTokenFilename}"
+              chown root:root "$STATE_DIRECTORY/${currentConfigTokenFilename}"
+            '';
+            unconfigureRunner = writeScript "unconfigure" ''
+              differs=
+              # Set `differs = 1` if current and new runner config differ or if `currentConfigPath` does not exist
+              ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 || differs=1
+              # Also trigger a registration if the token content changed
+              ${pkgs.diffutils}/bin/diff -q \
+                "$RUNTIME_DIRECTORY"/{${currentConfigTokenFilename},${newConfigTokenFilename}} \
+                >/dev/null 2>&1 || differs=1
+
+              if [[ -n "$differs" ]]; then
+                echo "Config has changed, removing old runner state."
+                echo "The old runner will still appear in the GitHub Actions UI." \
+                  "You have to remove it manually."
+                find "$STATE_DIRECTORY/" -mindepth 1 -delete
+              fi
+            '';
+            configureRunner = writeScript "configure" ''
+              empty=$(ls -A "$STATE_DIRECTORY")
+              if [[ -z "$empty" ]]; then
+                echo "Configuring GitHub Actions Runner"
+                token=$(< "$RUNTIME_DIRECTORY"/${newConfigTokenFilename})
+                RUNNER_ROOT="$STATE_DIRECTORY" ${pkgs.github-runner}/bin/config.sh \
+                  --unattended \
+                  --work "$RUNTIME_DIRECTORY" \
+                  --url ${escapeShellArg cfg.url} \
+                  --token "$token" \
+                  --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} \
+                  --name ${escapeShellArg cfg.name} \
+                  ${optionalString cfg.replace "--replace"} \
+                  ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
+
+                # Move the automatically created _diag dir to the logs dir
+                mkdir -p  "$STATE_DIRECTORY/_diag"
+                cp    -r  "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
+                rm    -rf "$STATE_DIRECTORY/_diag/"
+
+                # Cleanup token from config
+                rm -f "$RUNTIME_DIRECTORY"/${currentConfigTokenFilename}
+                mv    "$RUNTIME_DIRECTORY"/${newConfigTokenFilename} "$STATE_DIRECTORY/${currentConfigTokenFilename}"
+
+                # Symlink to new config
+                ln -s '${newConfigPath}' "${currentConfigPath}"
+              fi
+            '';
+            setupRuntimeDir = writeScript "setup-runtime-dirs" ''
+              # Link _diag dir
+              ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag"
+
+              # Link the runner credentials to the runtime dir
+              ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/"
+            '';
+          in
+          map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [
+            "+${ownConfigTokens}" # runs as root
+            unconfigureRunner
+            configureRunner
+            "+${disownConfigTokens}" # runs as root
+            setupRuntimeDir
+          ];
+
+        # Contains _diag
+        LogsDirectory = [ systemdDir ];
+        # Default RUNNER_ROOT which contains ephemeral Runner data
+        RuntimeDirectory = [ systemdDir ];
+        # Home of persistent runner data, e.g., credentials
+        StateDirectory = [ systemdDir ];
+        StateDirectoryMode = "0700";
+        WorkingDirectory = runtimeDir;
+
+        # By default, use a dynamically allocated user
+        DynamicUser = true;
+
+        KillMode = "process";
+        KillSignal = "SIGTERM";
+
+        # Hardening (may overlap with DynamicUser=)
+        # The following options are only for optimizing:
+        # systemd-analyze security github-runner
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        # ProtectClock= adds DeviceAllow=char-rtc r
+        DeviceAllow = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        UMask = "0066";
+
+        # Needs network access
+        PrivateNetwork = false;
+        # Cannot be true due to Node
+        MemoryDenyWriteExecute = false;
+      };
+    };
+  };
+}

pkgs/development/libraries/cpp-utilities/default.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cpp-utilities";
-  version = "5.10.1";
+  version = "5.10.2";
 
   src = fetchFromGitHub {
     owner = "Martchus";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-8upRrk2x2gaS+JwCmZblrRSRxy0uNfFLTW7ua2ix2wI=";
+    sha256 = "sha256-hPcmO2nzXCuhU2GjE0B1Bz9OkJ4mY2txFr+cWGaw1bo=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/development/python-modules/jsonrpc-async/default.nix

@@ -1,20 +1,37 @@
-{ lib, buildPythonPackage, fetchPypi
+{ lib
-, aiohttp, jsonrpc-base }:
+, buildPythonPackage
+, fetchFromGitHub
+, aiohttp
+, jsonrpc-base
+, pytest-aiohttp
+, pytestCheckHook
+}:
 
 buildPythonPackage rec {
   pname = "jsonrpc-async";
-  version = "1.1.1";
+  version = "2.0.0";
 
-  src = fetchPypi {
+  src = fetchFromGitHub {
-    inherit pname version;
+    owner = "emlove";
-    sha256 = "383f331e28cd8f6e3fa86f3e7052efa541b7ae8bf328a4e692aa045cfc0ecf25";
+    repo = pname;
+    rev = version;
+    sha256 = "1ff3523rwgira5llmf5iriwqag7b6ln9vmj0s70yyc6k98yg06rp";
   };
 
   propagatedBuildInputs = [ aiohttp jsonrpc-base ];
 
+  checkInputs = [
+    pytest-aiohttp
+    pytestCheckHook
+  ];
+
+  pytestFlagsArray = [
+    "tests.py"
+  ];
+
   meta = with lib; {
     description = "A JSON-RPC client library for asyncio";
-    homepage = "https://github.com/armills/jsonrpc-async";
+    homepage = "https://github.com/emlove/jsonrpc-async";
     license = licenses.bsd3;
     maintainers = with maintainers; [ peterhoeg ];
   };

pkgs/development/python-modules/jsonrpc-base/default.nix

@@ -1,19 +1,31 @@
-{ lib, buildPythonPackage, fetchPypi }:
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+}:
 
 buildPythonPackage rec {
   pname = "jsonrpc-base";
-  version = "1.1.0";
+  version = "2.0.0";
 
-  src = fetchPypi {
+  src = fetchFromGitHub {
-    inherit pname version;
+    owner = "emlove";
-    sha256 = "7f374c57bfa1cb16d1f340d270bc0d9f1f5608fb1ac6c9ea15768c0e6ece48b7";
+    repo = pname;
+    rev = version;
+    sha256 = "0xxhn0vb7mr8k1w9xbqhhyx9qkgkc318qkyflgfbvjc926n50680";
   };
 
-  propagatedBuildInputs = [ ];
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pytestFlagsArray = [
+    "tests.py"
+  ];
 
   meta = with lib; {
     description = "A JSON-RPC client library base interface";
-    homepage = "https://github.com/armills/jsonrpc-base";
+    homepage = "https://github.com/emlove/jsonrpc-base";
     license = licenses.bsd3;
     maintainers = with maintainers; [ peterhoeg ];
   };

pkgs/development/python-modules/jsonrpc-websocket/default.nix

@@ -1,28 +1,36 @@
-{ lib, buildPythonPackage, fetchPypi
+{ lib
-, aiohttp, jsonrpc-base, pep8
+, buildPythonPackage
-, pytestCheckHook
+, fetchPypi
+, aiohttp
+, jsonrpc-base
 , pytest-asyncio
+, pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "jsonrpc-websocket";
-  version = "1.2.1";
+  version = "3.0.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "c343d057b572791ed3107b771c17358bc710772a9a6156047a3cfafb409ed895";
+    sha256 = "0fmw8xjzlhi7r84swn4w3njy389qqll5ad5ljdq5n2wpg424k98h";
   };
 
-  nativeBuildInputs = [ pep8 ];
+  propagatedBuildInputs = [
+    aiohttp
+    jsonrpc-base
+  ];
 
-  propagatedBuildInputs = [ aiohttp jsonrpc-base ];
+  checkInputs = [
+    pytestCheckHook
+    pytest-asyncio
+  ];
 
-  checkInputs = [ pytestCheckHook pytest-asyncio ];
   pytestFlagsArray = [ "tests.py" ];
 
   meta = with lib; {
     description = "A JSON-RPC websocket client library for asyncio";
-    homepage = "https://github.com/armills/jsonrpc-websocket";
+    homepage = "https://github.com/emlove/jsonrpc-websocket";
     license = licenses.bsd3;
     maintainers = with maintainers; [ peterhoeg ];
   };

pkgs/development/python-modules/pykodi/default.nix

@@ -1,15 +1,28 @@
-{ lib, buildPythonPackage, fetchPypi, aiohttp, jsonrpc-async, jsonrpc-websocket }:
+{ lib
+, buildPythonPackage
+, fetchPypi
+, aiohttp
+, jsonrpc-async
+, jsonrpc-websocket
+}:
 
 buildPythonPackage rec {
   pname = "pykodi";
-  version = "0.2.3";
+  version = "0.2.5";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "099xyn5aql5mdim6kh4hwx0fg1a3bx73qdvwr48nz23cljmmk1m8";
+    sha256 = "1al2q4jiqxjnz0j2xvs2hqzrz6fm3hmda5zjnkp8gdvgchd1cmn7";
   };
 
-  propagatedBuildInputs = [ aiohttp jsonrpc-async jsonrpc-websocket ];
+  propagatedBuildInputs = [
+    aiohttp
+    jsonrpc-async
+    jsonrpc-websocket
+  ];
+
+  # has no tests
+  doCheck = false;
 
   pythonImportsCheck = [ "pykodi" ];
 

pkgs/development/python-modules/zha-quirks/default.nix

@@ -9,13 +9,13 @@
 
 buildPythonPackage rec {
   pname = "zha-quirks";
-  version = "0.0.55";
+  version = "0.0.56";
 
   src = fetchFromGitHub {
     owner = "zigpy";
     repo = "zha-device-handlers";
     rev = version;
-    sha256 = "sha256-mc7mOaxn2FCvwYv9yE0mIOSQ1F+xJJ+1LynOdEV07I8=";
+    sha256 = "1jss5pnxdjlp0kplqxgr09vv1zq9n7l9w08hsywy2vglqmd67a66";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/continuous-integration/github-runner/default.nix

@@ -0,0 +1,265 @@
+{ autoPatchelfHook
+, coreutils
+, curl
+, dotnetCorePackages
+, dotnetPackages
+, fetchFromGitHub
+, fetchurl
+, git
+, glibc
+, icu
+, libkrb5
+, lib
+, linkFarm
+, lttng-ust
+, makeWrapper
+, nodejs-12_x
+, openssl
+, stdenv
+, zlib
+}:
+let
+  pname = "github-actions-runner";
+  version = "2.277.1";
+
+  deps = (import ./deps.nix { inherit fetchurl; });
+  nugetPackages = map
+    (x: {
+      name = "${x.name}.nupkg";
+      path = "${x}";
+    })
+    deps;
+  nugetSource = linkFarm "${pname}-${version}-packages" nugetPackages;
+
+  dotnetSdk = dotnetCorePackages.sdk_3_1;
+  runtimeId = "linux-x64";
+
+  disabledTest = [
+    # Self-updating is patched out, hence this test will fail
+    "FullyQualifiedName!=GitHub.Runner.Common.Tests.Listener.RunnerL0.TestRunOnceHandleUpdateMessage"
+  ] ++ map
+    # Online tests
+    (x: "FullyQualifiedName!=GitHub.Runner.Common.Tests.Worker.ActionManagerL0.PrepareActions_${x}")
+    [
+      "DownloadActionFromGraph"
+      "DownloadActionFromGraph_Legacy"
+      "NotPullOrBuildImagesMultipleTimes"
+      "NotPullOrBuildImagesMultipleTimes_Legacy"
+      "RepositoryActionWithActionYamlFile_DockerHubImage"
+      "RepositoryActionWithActionYamlFile_DockerHubImage_Legacy"
+      "RepositoryActionWithActionfileAndDockerfile"
+      "RepositoryActionWithActionfileAndDockerfile_Legacy"
+      "RepositoryActionWithActionfile_DockerHubImage"
+      "RepositoryActionWithActionfile_DockerHubImage_Legacy"
+      "RepositoryActionWithActionfile_Dockerfile"
+      "RepositoryActionWithActionfile_Dockerfile_Legacy"
+      "RepositoryActionWithActionfile_DockerfileRelativePath"
+      "RepositoryActionWithActionfile_DockerfileRelativePath_Legacy"
+      "RepositoryActionWithActionfile_Node"
+      "RepositoryActionWithActionfile_Node_Legacy"
+      "RepositoryActionWithDockerfile"
+      "RepositoryActionWithDockerfile_Legacy"
+      "RepositoryActionWithDockerfileInRelativePath"
+      "RepositoryActionWithDockerfileInRelativePath_Legacy"
+      "RepositoryActionWithDockerfilePrepareActions_Repository"
+      "RepositoryActionWithInvalidWrapperActionfile_Node"
+      "RepositoryActionWithInvalidWrapperActionfile_Node_Legacy"
+      "RepositoryActionWithWrapperActionfile_PreSteps"
+      "RepositoryActionWithWrapperActionfile_PreSteps_Legacy"
+    ] ++ map
+    (x: "FullyQualifiedName!=GitHub.Runner.Common.Tests.DotnetsdkDownloadScriptL0.${x}")
+    [
+      "EnsureDotnetsdkBashDownloadScriptUpToDate"
+      "EnsureDotnetsdkPowershellDownloadScriptUpToDate"
+    ];
+  testFilterXml = lib.concatStringsSep "&" disabledTest;
+in
+stdenv.mkDerivation rec {
+  inherit pname version;
+
+  src = fetchFromGitHub {
+    owner = "actions";
+    repo = "runner";
+    rev = "183a3dd9a0d4d51feddc5fe9fa6c3b5f8b08343d"; # v${version}
+    sha256 = "sha256-fQH4QwdR8E76ckUjMCaKOsDjNoVBIWAw2YcFRrVucX8=";
+  };
+
+  nativeBuildInputs = [
+    dotnetSdk
+    dotnetPackages.Nuget
+    makeWrapper
+    autoPatchelfHook
+  ];
+
+  buildInputs = [
+    curl # libcurl.so.4
+    libkrb5 # libgssapi_krb5.so.2
+    lttng-ust # liblttng-ust.so.0
+    stdenv.cc.cc.lib # libstdc++.so.6
+    zlib # libz.so.1
+    icu
+  ];
+
+  patches = [
+    # Don't run Git, no restore on build/test
+    ./patches/dir-proj.patch
+    # Replace some paths that originally point to Nix's read-only store
+    ./patches/host-context-dirs.patch
+    # Use GetDirectory() to obtain "diag" dir
+    ./patches/use-get-directory-for-diag.patch
+    # Don't try to install systemd service
+    ./patches/dont-install-systemd-service.patch
+    # Don't try to self-update runner (cannot be disabled, see https://github.com/actions/runner/issues/485)
+    ./patches/ignore-self-update.patch
+  ];
+
+  postPatch = ''
+    # Relax the version requirement
+    substituteInPlace src/global.json \
+      --replace '3.1.302' '${dotnetSdk.version}'
+
+    # Disable specific tests
+    substituteInPlace src/dir.proj \
+      --replace 'dotnet test Test/Test.csproj' \
+                "dotnet test Test/Test.csproj --filter '${testFilterXml}'"
+
+    # Fix FHS path
+    substituteInPlace src/Test/L0/Util/IOUtilL0.cs \
+      --replace '/bin/ln' '${coreutils}/bin/ln'
+  '';
+
+  configurePhase = ''
+    runHook preConfigure
+
+    # Set up Nuget dependencies
+    export HOME=$(mktemp -d)
+    export DOTNET_CLI_TELEMETRY_OPTOUT=1
+    export DOTNET_NOLOGO=1
+
+    # Never use nuget.org
+    nuget sources Disable -Name "nuget.org"
+
+    # Restore the dependencies
+    dotnet restore src/ActionsRunner.sln \
+      --runtime "${runtimeId}" \
+      --source "${nugetSource}"
+
+    runHook postConfigure
+  '';
+
+  postConfigure = ''
+    # `crossgen` dependency is called during build
+    patchelf \
+      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+      --set-rpath "${lib.makeLibraryPath [ stdenv.cc.cc.lib ]}" \
+      $HOME/.nuget/packages/microsoft.netcore.app.runtime.${runtimeId}/*/tools/crossgen
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    dotnet msbuild \
+      -t:Build \
+      -p:PackageRuntime="${runtimeId}" \
+      -p:BUILDCONFIG="Release" \
+      -p:RunnerVersion="${version}" \
+      -p:GitInfoCommitHash="${src.rev}" \
+      src/dir.proj
+
+    runHook postBuild
+  '';
+
+  doCheck = true;
+
+  checkInputs = [ git ];
+
+  checkPhase = ''
+    runHook preCheck
+
+    mkdir -p _layout/externals
+    ln -s ${nodejs-12_x} _layout/externals/node12
+
+    # BUILDCONFIG needs to be "Debug"
+    dotnet msbuild \
+      -t:test \
+      -p:PackageRuntime="${runtimeId}" \
+      -p:BUILDCONFIG="Debug" \
+      -p:RunnerVersion="${version}" \
+      -p:GitInfoCommitHash="${src.rev}" \
+      src/dir.proj
+
+    runHook postCheck
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    # Copy the built binaries to lib/ instead of bin/ as they
+    # have to be wrapped in the fixup phase to work
+    mkdir -p $out/lib
+    cp -r _layout/bin/. $out/lib/
+
+    # Delete debugging files
+    find "$out/lib" -type f -name '*.pdb' -delete
+
+    # Install the helper scripts to bin/ to resemble the upstream package
+    mkdir -p $out/bin
+    install -m755 src/Misc/layoutbin/runsvc.sh        $out/bin/
+    install -m755 src/Misc/layoutbin/RunnerService.js $out/lib/
+    install -m755 src/Misc/layoutroot/run.sh          $out/lib/
+    install -m755 src/Misc/layoutroot/config.sh       $out/lib/
+    install -m755 src/Misc/layoutroot/env.sh          $out/lib/
+
+    # Rewrite reference in helper scripts from bin/ to lib/
+    substituteInPlace $out/lib/run.sh    --replace '"$DIR"/bin' "$out/lib"
+    substituteInPlace $out/lib/config.sh --replace './bin' "$out/lib"
+
+    # Make paths absolute
+    substituteInPlace $out/bin/runsvc.sh \
+      --replace './externals' "$out/externals" \
+      --replace './bin' "$out/lib"
+
+    # The upstream package includes Node 12 and expects it at the path
+    # externals/node12. As opposed to the official releases, we don't
+    # link the Alpine Node flavor.
+    mkdir -p $out/externals
+    ln -s ${nodejs-12_x} $out/externals/node12
+
+    runHook postInstall
+  '';
+
+  # Stripping breaks the binaries
+  dontStrip = true;
+
+  postFixup = ''
+    fix_rpath() {
+      patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $out/lib/$1
+    }
+
+    wrap() {
+      makeWrapper $out/lib/$1 $out/bin/$1 \
+        --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath (buildInputs ++ [ openssl ])} \
+        ''${@:2}
+    }
+
+    fix_rpath Runner.Listener
+    fix_rpath Runner.PluginHost
+    fix_rpath Runner.Worker
+
+    wrap Runner.Listener
+    wrap Runner.PluginHost
+    wrap Runner.Worker
+    wrap run.sh
+    wrap env.sh
+
+    wrap config.sh --prefix PATH : ${lib.makeBinPath [ glibc.bin ]}
+  '';
+
+  meta = with lib; {
+    description = "Self-hosted runner for GitHub Actions";
+    homepage = "https://github.com/actions/runner";
+    license = licenses.mit;
+    maintainers = with maintainers; [ veehaitch ];
+    platforms = [ "x86_64-linux" ];
+  };
+}

pkgs/development/tools/continuous-integration/github-runner/patches/dir-proj.patch

@@ -0,0 +1,53 @@
+From 4267ee7fa5169b4fd5ce732118769e559806a390 Mon Sep 17 00:00:00 2001
+From: Vincent Haupert <mail@vincent-haupert.de>
+Date: Sat, 13 Mar 2021 21:52:03 +0100
+Subject: [PATCH] Patch dir.proj
+
+Don't execute Git for GitInfoCommitHash property
+Don't restore for build target
+Don't restore for test target
+---
+ src/dir.proj | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/dir.proj b/src/dir.proj
+index 1c91e0c..8b27d3f 100644
+--- a/src/dir.proj
++++ b/src/dir.proj
+@@ -2,9 +2,6 @@
+ <Project ToolsVersion="14.0" DefaultTargets="Build" 
+     xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+     <Target Name="GenerateConstant">
+-        <Exec Command="git rev-parse HEAD" ConsoleToMSBuild="true">
+-            <Output TaskParameter="ConsoleOutput" PropertyName="GitInfoCommitHash" />
+-        </Exec>
+         <Message Text="Building $(Product): $(GitInfoCommitHash) --- $(PackageRuntime)" Importance="high"/>
+ 
+         <ItemGroup>
+@@ -39,14 +36,13 @@
+     </ItemGroup>
+ 
+     <Target Name="Build" DependsOnTargets="GenerateConstant">
+-        <MSBuild Targets="Restore" Projects="@(ProjectFiles)" StopOnFirstFailure="true" />
+         <MSBuild Targets="Publish" Projects="@(ProjectFiles)" BuildInParallel="false" StopOnFirstFailure="true" Properties="Configuration=$(BUILDCONFIG);PackageRuntime=$(PackageRuntime);Version=$(RunnerVersion);RuntimeIdentifier=$(PackageRuntime);PublishDir=$(MSBuildProjectDirectory)/../_layout/bin" />
+         <Exec Command="%22$(DesktopMSBuild)%22 Runner.Service/Windows/RunnerService.csproj /p:Configuration=$(BUILDCONFIG) /p:OutputPath=%22$(MSBuildProjectDirectory)/../_layout/bin%22" ConsoleToMSBuild="true" Condition="'$(PackageRuntime)' == 'win-x64' Or '$(PackageRuntime)' == 'win-x86'" />
+     </Target>
+ 
+     <Target Name="Test" DependsOnTargets="GenerateConstant">
+-        <Exec Command="dotnet build Test/Test.csproj -c $(BUILDCONFIG) /p:PackageRuntime=$(PackageRuntime)" ConsoleToMSBuild="true" />
+-        <Exec Command="dotnet test Test/Test.csproj --no-build --logger:trx" ConsoleToMSBuild="true" />
++        <Exec Command="dotnet build Test/Test.csproj --no-restore -c $(BUILDCONFIG) /p:PackageRuntime=$(PackageRuntime)" ConsoleToMSBuild="true" />
++        <Exec Command="dotnet test Test/Test.csproj --no-restore --no-build --logger:trx" ConsoleToMSBuild="true" />
+     </Target>
+ 
+     <Target Name="Layout" DependsOnTargets="Clean;Build">
+@@ -84,4 +80,4 @@
+         <RemoveDir Directories="Test/bin" />
+         <RemoveDir Directories="Test/obj" />
+     </Target>
+-</Project>
+\ No newline at end of file
++</Project>
+-- 
+2.30.1
+

pkgs/development/tools/continuous-integration/github-runner/patches/dont-install-systemd-service.patch

@@ -0,0 +1,15 @@
+diff --git a/src/Runner.Listener/Configuration/ConfigurationManager.cs b/src/Runner.Listener/Configuration/ConfigurationManager.cs
+index 8d08b06..bdfa3a2 100644
+--- a/src/Runner.Listener/Configuration/ConfigurationManager.cs
++++ b/src/Runner.Listener/Configuration/ConfigurationManager.cs
+@@ -320,10 +320,6 @@ namespace GitHub.Runner.Listener.Configuration
+                 serviceControlManager.ConfigureService(runnerSettings, command);
+             }
+ 
+-#elif OS_LINUX || OS_OSX
+-            // generate service config script for OSX and Linux, GenerateScripts() will no-opt on windows.
+-            var serviceControlManager = HostContext.GetService<ILinuxServiceControlManager>();
+-            serviceControlManager.GenerateScripts(runnerSettings);
+ #endif
+         }
+ 

pkgs/development/tools/continuous-integration/github-runner/patches/host-context-dirs.patch

@@ -0,0 +1,20 @@
+diff --git a/src/Runner.Common/HostContext.cs b/src/Runner.Common/HostContext.cs
+index d4ea48c..2ec8455 100644
+--- a/src/Runner.Common/HostContext.cs
++++ b/src/Runner.Common/HostContext.cs
+@@ -220,12 +220,13 @@ namespace GitHub.Runner.Common
+ 
+                 case WellKnownDirectory.Externals:
+                     path = Path.Combine(
+-                        GetDirectory(WellKnownDirectory.Root),
++                        new DirectoryInfo(GetDirectory(WellKnownDirectory.Bin)).Parent.FullName,
+                         Constants.Path.ExternalsDirectory);
+                     break;
+ 
+                 case WellKnownDirectory.Root:
+-                    path = new DirectoryInfo(GetDirectory(WellKnownDirectory.Bin)).Parent.FullName;
++                    path = Environment.GetEnvironmentVariable("RUNNER_ROOT")
++                                ?? new DirectoryInfo(GetDirectory(WellKnownDirectory.Bin)).Parent.FullName;
+                     break;
+ 
+                 case WellKnownDirectory.Temp:

pkgs/development/tools/continuous-integration/github-runner/patches/ignore-self-update.patch

@@ -0,0 +1,24 @@
+diff --git a/src/Runner.Listener/Runner.cs b/src/Runner.Listener/Runner.cs
+index 68b0b4e..5da21fe 100644
+--- a/src/Runner.Listener/Runner.cs
++++ b/src/Runner.Listener/Runner.cs
+@@ -391,18 +391,7 @@ namespace GitHub.Runner.Listener
+                             HostContext.WritePerfCounter($"MessageReceived_{message.MessageType}");
+                             if (string.Equals(message.MessageType, AgentRefreshMessage.MessageType, StringComparison.OrdinalIgnoreCase))
+                             {
+-                                if (autoUpdateInProgress == false)
+-                                {
+-                                    autoUpdateInProgress = true;
+-                                    var runnerUpdateMessage = JsonUtility.FromString<AgentRefreshMessage>(message.Body);
+-                                    var selfUpdater = HostContext.GetService<ISelfUpdater>();
+-                                    selfUpdateTask = selfUpdater.SelfUpdate(runnerUpdateMessage, jobDispatcher, !runOnce && HostContext.StartupType != StartupType.Service, HostContext.RunnerShutdownToken);
+-                                    Trace.Info("Refresh message received, kick-off selfupdate background process.");
+-                                }
+-                                else
+-                                {
+-                                    Trace.Info("Refresh message received, skip autoupdate since a previous autoupdate is already running.");
+-                                }
++                                Trace.Info("Ignoring received refresh message (would trigger self-update).");
+                             }
+                             else if (string.Equals(message.MessageType, JobRequestMessageTypes.PipelineAgentJobRequest, StringComparison.OrdinalIgnoreCase))
+                             {

pkgs/development/tools/continuous-integration/github-runner/patches/use-get-directory-for-diag.patch

@@ -0,0 +1,25 @@
+diff --git a/src/Runner.Common/HostContext.cs b/src/Runner.Common/HostContext.cs
+index d4ea48c..15c1800 100644
+--- a/src/Runner.Common/HostContext.cs
++++ b/src/Runner.Common/HostContext.cs
+@@ -109,7 +109,7 @@ namespace GitHub.Runner.Common
+                 }
+ 
+                 // this should give us _diag folder under runner root directory
+-                string diagLogDirectory = Path.Combine(new DirectoryInfo(Path.GetDirectoryName(Assembly.GetEntryAssembly().Location)).Parent.FullName, Constants.Path.DiagDirectory);
++                string diagLogDirectory = GetDirectory(WellKnownDirectory.Diag);
+                 _traceManager = new TraceManager(new HostTraceListener(diagLogDirectory, hostType, logPageSize, logRetentionDays), this.SecretMasker);
+             }
+             else
+@@ -272,7 +272,10 @@ namespace GitHub.Runner.Common
+                     throw new NotSupportedException($"Unexpected well known directory: '{directory}'");
+             }
+ 
+-            _trace.Info($"Well known directory '{directory}': '{path}'");
++            if (_trace != null)
++            {
++                _trace.Info($"Well known directory '{directory}': '{path}'");
++            }
+             return path;
+         }
+ 

pkgs/servers/home-assistant/component-packages.nix

@@ -2,7 +2,7 @@
 # Do not edit!
 
 {
-  version = "2021.4.1";
+  version = "2021.4.2";
   components = {
     "abode" = ps: with ps; [ abodepy ];
     "accuweather" = ps: with ps; [ accuweather ];

pkgs/servers/home-assistant/default.nix

@@ -95,7 +95,7 @@ let
   extraBuildInputs = extraPackages py.pkgs;
 
   # Don't forget to run parse-requirements.py after updating
-  hassVersion = "2021.4.1";
+  hassVersion = "2021.4.2";
 
 in with py.pkgs; buildPythonApplication rec {
   pname = "homeassistant";
@@ -114,7 +114,7 @@ in with py.pkgs; buildPythonApplication rec {
     owner = "home-assistant";
     repo = "core";
     rev = version;
-    sha256 = "154bmbxhyfv1sxa6fk5vimqjmvci710bm5pj590blyzbr4nyci77";
+    sha256 = "0z6a5m1yflnz468njp8v7vd189gv5pc63kji14f4fx4nfzbxhqdk";
   };
 
   # leave this in, so users don't have to constantly update their downstream patch handling
@@ -259,6 +259,7 @@ in with py.pkgs; buildPythonApplication rec {
     "intent_script"
     "ipp"
     "kmtronic"
+    "kodi"
     "light"
     "litterrobot"
     "local_file"

pkgs/servers/home-assistant/frontend.nix

@@ -4,11 +4,11 @@ buildPythonPackage rec {
   # the frontend version corresponding to a specific home-assistant version can be found here
   # https://github.com/home-assistant/home-assistant/blob/master/homeassistant/components/frontend/manifest.json
   pname = "home-assistant-frontend";
-  version = "20210407.2";
+  version = "20210407.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-MxXeept0qwDIs9tFZCd1JfDY1Csl8gLWOhzW/Ihlbzw=";
+    sha256 = "sha256-ucewS193kbvlk4Q+5IEYT6sfJ/H006uy0iIi8UHOzPo=";
   };
 
   # there is nothing to strip in this package

pkgs/servers/web-apps/mediawiki/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "mediawiki";
-  version = "1.35.1";
+  version = "1.35.2";
 
   src = with lib; fetchurl {
     url = "https://releases.wikimedia.org/mediawiki/${versions.majorMinor version}/${pname}-${version}.tar.gz";
-    sha256 = "05g3mgyi789drhzk3wclkyw4f06mz21q90m2c0z6zshn98fscrcf";
+    sha256 = "07cch4j2lcncfjv71351c1fxh200p83g2ijb3c9x8rv6nzcmiymz";
   };
 
   prePatch = ''

pkgs/tools/misc/disfetch/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "disfetch";
-  version = "1.21";
+  version = "1.22";
 
   src = fetchFromGitHub {
     owner = "llathasa-veleth";
     repo = "disfetch";
     rev = version;
-    sha256 = "sha256-AAfpv1paEnHu1S2B8yC0hyYOj5deKTkCyLGvp6Roz64=";
+    sha256 = "sha256-fNmoaEwRrm6EFe+BwOTwAs1THMYhcal1eshXf+1mVQg=";
   };
 
   dontBuild = true;

pkgs/tools/security/dnsx/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "dnsx";
-  version = "1.0.1";
+  version = "1.0.2";
 
   src = fetchFromGitHub {
     owner = "projectdiscovery";
     repo = "dnsx";
     rev = "v${version}";
-    sha256 = "1pgq21pbnz2dm272zrhd455njj5vg4kywpd230acj675nlgir6y1";
+    sha256 = "sha256-CjWFXYU34PE4I9xihQbPxVcxLyiMCYueuaB/LaXhHQg=";
   };
 
-  vendorSha256 = "0j2cqvskzxbyfrvsv4gm4qwfjm0digizcg157z5iignnknddajax";
+  vendorSha256 = "sha256-vTXvlpXpFf78Cwxq/y6ysSeXM3g71kHBn9zd6c4mxlk=";
 
   meta = with lib; {
     description = "Fast and multi-purpose DNS toolkit";

pkgs/tools/security/gitleaks/default.nix

@@ -5,13 +5,13 @@
 
 buildGoModule rec {
   pname = "gitleaks";
-  version = "7.3.0";
+  version = "7.4.0";
 
   src = fetchFromGitHub {
     owner = "zricethezav";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-IJaumIFuIhrvXZ45uz8RUxAuprnWdv2lNzxNUascvVc=";
+    sha256 = "sha256-AY9pOARFAqIOimhcwEyau2MwJCFsWu8I36P7Z0xyJH0=";
   };
 
   vendorSha256 = "sha256-Cc4DJPpOMHxDcH22S7znYo7QHNRXv8jOJhznu09kaE4=";

pkgs/tools/system/gdu/default.nix

@@ -7,13 +7,13 @@
 
 buildGoModule rec {
   pname = "gdu";
-  version = "4.9.1";
+  version = "4.10.0";
 
   src = fetchFromGitHub {
     owner = "dundee";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-blvnwsmcHf0yH2C/NUCsVQECIH4SI0BTNiMzCuNd0H0=";
+    sha256 = "sha256-qYxWjvXGaygoe88muQmQWlDJfM04wqxHy8+l7KO688U=";
   };
 
   vendorSha256 = "sha256-QiO5p0x8kmIN6f0uYS0IR2MlWtRYTHeZpW6Nmupjias=";

pkgs/top-level/all-packages.nix

@@ -4888,6 +4888,8 @@ in
 
   github-backup = callPackage ../tools/misc/github-backup { };
 
+  github-runner = callPackage ../development/tools/continuous-integration/github-runner { };
+
   gitin = callPackage ../applications/version-management/git-and-tools/gitin { };
 
   gitinspector = callPackage ../applications/version-management/gitinspector { };