3 files changed, 32 insertions, 0 deletions

diff --git a/ci/README.md b/ci/README.md
new file mode 100644
index 0000000000000..64cd8e5bcea98
--- /dev/null
+++ b/ci/README.md
@@ -0,0 +1,12 @@
+# CI support files
+
+This directory contains files to support CI, such as [GitHub Actions](https://github.com/NixOS/nixpkgs/tree/master/.github/workflows) and [Ofborg](https://github.com/nixos/ofborg).
+This is in contrast with [`maintainers/scripts`](`../maintainers/scripts`) which is for human use instead.
+
+## Pinned Nixpkgs
+
+CI may need certain packages from Nixpkgs.
+In order to ensure that the needed packages are generally available without building,
+[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
+
+Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
diff --git a/ci/pinned-nixpkgs.json b/ci/pinned-nixpkgs.json
new file mode 100644
index 0000000000000..29af1b0225816
--- /dev/null
+++ b/ci/pinned-nixpkgs.json
@@ -0,0 +1,4 @@
+{
+  "rev": "cfb89a95f19bea461fc37228dc4d07b22fe617c2",
+  "sha256": "1yhsacvry6j8r02lk70p9dphjpi8lpzgq2qay8hiy4nqlys0mrch"
+}
diff --git a/ci/update-pinned-nixpkgs.sh b/ci/update-pinned-nixpkgs.sh
new file mode 100755
index 0000000000000..7765581300572
--- /dev/null
+++ b/ci/update-pinned-nixpkgs.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p jq
+
+set -euo pipefail
+
+# https://stackoverflow.com/a/246128
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+repo=https://github.com/nixos/nixpkgs
+branch=nixpkgs-unstable
+file=$SCRIPT_DIR/pinned-nixpkgs.json
+
+rev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
+sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
+
+jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file