NixOS · infinisil · Mar 24, 2025 · Mar 18, 2025 · Mar 24, 2025 · Mar 18, 2025
diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
@@ -241,3 +241,6 @@ e0fe216f4912dd88a021d12a44155fd2cfeb31c8
 
 # nixos/iso-image.nix: nixfmt
 da9a092c34cef6947d7aee2b134f61df45171631
+
+# python-packages: format with nixfmt-rfc-style
+5f6f5e13ae0b6960cbf1be8aeb3d0048285a08d1
diff --git a/.github/workflows/keep-sorted.yml b/.github/workflows/keep-sorted.yml
@@ -0,0 +1,40 @@
+name: Check that files are sorted
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  nixos:
+    name: keep-sorted
+    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+
+      - name: Get Nixpkgs revision for keep-sorted
+        run: |
+          # Pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt from staging.
+          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
+          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
+          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
+
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          extra_nix_config: sandbox = true
+          nix_path: nixpkgs=${{ env.url }}
+
+      - name: Install keep-sorted
+        run: "nix-env -f '<nixpkgs>' -iAP keep-sorted"
+
+      - name: Check that Nix files are sorted
+        run: |
+          git ls-files | xargs keep-sorted --mode lint