ci: lock Ubuntu runner to ubuntu-22.04

Lock the Ubuntu runner to ubuntu-22.04 to avoid accidental updates [1] and increase reproducibility. [1]: https://github.com/actions/runner-images/issues/10636
2025-06-24 22:11:15 +02:00 · 2024-12-27 01:56:12 +01:00 · 2024-12-27 01:56:12 +01:00 · fe5f02c2c2
commit fe5f02c2c2
parent bff9296ab9
4 changed files with 11 additions and 11 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -8,7 +8,7 @@ permissions: read-all

 jobs:
  eval:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v4
      with:
@ -20,7 +20,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-22.04, macos-latest]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 60
    steps:
@ -37,7 +37,7 @@ jobs:
    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
-      if: matrix.os == 'ubuntu-latest'
+      if: matrix.os == 'ubuntu-22.04'
    - run: scripts/build-checks
    - run: scripts/prepare-installer-for-github-actions
    - name: Upload installer tarball
@ -51,7 +51,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-22.04, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - uses: actions/checkout@v4
@ -68,7 +68,7 @@ jobs:
        install_url: 'http://localhost:8126/install'
        install_options: "--tarball-url-prefix http://localhost:8126/"
    - run: sudo apt install fish zsh
-      if: matrix.os == 'ubuntu-latest'
+      if: matrix.os == 'ubuntu-22.04'
    - run: brew install fish
      if: matrix.os == 'macos-latest'
    - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
@ -86,7 +86,7 @@ jobs:
    permissions:
      contents: none
    name: Check Docker secrets present for installer tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    outputs:
      docker: ${{ steps.secret.outputs.docker }}
    steps:
@ -106,7 +106,7 @@ jobs:
      needs.check_secrets.outputs.docker == 'true' &&
      github.event_name == 'push' &&
      github.ref_name == 'master'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
    - name: Check for secrets
      id: secret
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@ -15,7 +15,7 @@ permissions:

 jobs:
  labels:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    if: github.repository_owner == 'NixOS'
    steps:
    - uses: actions/labeler@v5
--- a/.mergify.yml
+++ b/.mergify.yml
@ -3,9 +3,9 @@ queue_rules:
    # all required tests need to go here
    merge_conditions:
      - check-success=tests (macos-latest)
-      - check-success=tests (ubuntu-latest)
+      - check-success=tests (ubuntu-22.04)
      - check-success=installer_test (macos-latest)
-      - check-success=installer_test (ubuntu-latest)
+      - check-success=installer_test (ubuntu-22.04)
      - check-success=vm_tests
    batch_size: 5

--- a/doc/manual/source/development/testing.md
+++ b/doc/manual/source/development/testing.md
@ -297,7 +297,7 @@ Creating a Cachix cache for your installer tests and adding its authorisation to
  - `armv7l-linux`
  - `x86_64-darwin`

- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.
+- The `installer_test` job (which runs on `ubuntu-22.04` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.

 ### One-time setup