.docker/validate-8.0.2.dockerfile

-FROM    phadej/ghc:8.0.2-bionic
-
-# Install cabal-plan
-RUN     mkdir -p /root/.cabal/bin && \
-        curl -L https://github.com/haskell-hvr/cabal-plan/releases/download/v0.6.2.0/cabal-plan-0.6.2.0-x86_64-linux.xz > cabal-plan.xz && \
-        echo "de73600b1836d3f55e32d80385acc055fd97f60eaa0ab68a755302685f5d81bc  cabal-plan.xz" | sha256sum -c - && \
-        xz -d < cabal-plan.xz > /root/.cabal/bin/cabal-plan && \
-        rm -f cabal-plan.xz && \
-        chmod a+x /root/.cabal/bin/cabal-plan
-
-
-# Update index
-RUN     cabal v2-update --index-state="2020-06-12T23:36:15Z"
-
-# We install happy, so it's in the store; we (hopefully) don't use it directly.
-RUN     cabal v2-install happy --constraint 'happy ^>=1.19.12'
-
-# Install some other dependencies
-# Remove $HOME/.ghc so there aren't any environments
-RUN     cabal v2-install -w ghc-8.0.2 --lib \
-          Cabal \
-          aeson \
-          async \
-          base-compat \
-          base16-bytestring \
-          base64-bytestring \
-          cryptohash-sha256 \
-          Diff \
-          echo \
-          ed25519 \
-          edit-distance \
-          HTTP \
-          lukko \
-          network \
-          optparse-applicative \
-          pretty-show \
-          regex-compat-tdfa \
-          regex-posix \
-          regex-tdfa \
-          rere \
-          statistics \
-          tar \
-          tasty \
-          tasty-golden \
-          tasty-hunit \
-          tasty-quickcheck \
-          tree-diff \
-          void \
-          zlib \
-          resolv \
-      --constraint="rere -rere-cfg" \
-      --constraint="these -assoc" \
-      --constraint="bytestring installed" \
-      --constraint="binary     installed" \
-      --constraint="containers installed" \
-      --constraint="deepseq    installed" \
-      --constraint="directory  installed" \
-      --constraint="filepath   installed" \
-      --constraint="pretty     installed" \
-      --constraint="process    installed" \
-      --constraint="time       installed" \
-      --constraint="unix       installed" \
-      --constraint="transformers installed" \
-        && rm -rf $HOME/.ghc
-
-# Validate
-WORKDIR /build
-COPY    . /build
-RUN     sh ./validate.sh  -w ghc-8.0.2 -v

.editorconfig

+# See: https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+
+[*.hs]
+indent_style = space
+indent_size = 2
+
+[Makefile]
+indent_style = tab

.git-blame-ignore-revs

+# 2025
+########################################
+# make *.cabal build-depends consistently formatted
+7d791b9da10b5034e7a997a0044ded5575fe123f
+
+# 2023
+########################################
+
+# Format the source with fourmolu
+10a14397e7295f79bb65ff505e52895f4864270a
+c7a5ac671338998395c1d12f04a0f9190d89e3af
+9985a2c27b1b292ca50489cf439193a8caa1249c
+
 # 2022
 ########################################
 
 # Make Cabal-syntax package
 a64b9aea0839cd7183dfae1e94455b870a3d5812
 
+# Fix whitespace violations
+b1f59dde5b2f456d9698584598d7f571abe433a8
+
 # 2020 Summer
 ########################################
 
@@ -30,3 +46,4 @@ b0333ec5b73ba8f7a18223b203d999b38c75281d
 
 # Move source files under 'src/'.
 52d506bb4e25489f40cb5eb594dda5595aeb93ed
+

.githooks/pre-push

+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [[ $(uname -s) != "Linux" ]]
+then
+  PROCS=$(sysctl -n hw.logicalcpu)
+else
+  PROCS=$(nproc)
+fi
+
+if which fourmolu > /dev/null ; then
+  find Cabal Cabal-syntax cabal-install -name '*.hs' -print0 \
+    ! -path Cabal-syntax/src/Distribution/Fields/Lexer.hs \
+    ! -path Cabal-syntax/src/Distribution/SPDX/LicenseExceptionId.hs \
+    ! -path Cabal-syntax/src/Distribution/SPDX/LicenseId.hs \
+    ! -path Cabal/src/Distribution/Simple/Build/Macros/Z.hs \
+    ! -path Cabal/src/Distribution/Simple/Build/PathsModule/Z.hs \
+    | xargs -P "${PROCS}" -I {} fourmolu -q --mode check {}
+else
+  echo "Fourmolu not found, aborting."
+  exit 1
+fi

.github/ISSUE_TEMPLATE/bug_report.md

@@ -2,7 +2,7 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: ''
+labels: ["type: bug", "needs triage"]
 assignees: ''
 
 ---
@@ -14,11 +14,9 @@ A clear and concise description of what the bug is.
 Steps to reproduce the behavior:
 
 ```
-$ cabal v2-build ...
+$ cabal build ...
 ```
 
-Please use version-prefixed commands (e.g. `v2-build` or `v1-build`) to avoid ambiguity.
-
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 
@@ -28,3 +26,4 @@ A clear and concise description of what you expected to happen.
 
 **Additional context**
 Add any other context about the problem here.
+

.github/ISSUE_TEMPLATE/documentation.md

+---
+name: Documentation
+about: Report missing, stale, or inaccurate documentation
+title: ''
+labels: ["documentation"]
+assignees: ''
+
+---
+
+**What is wrong with the docs?**
+Describe what you were searching. Was documentation not there? Was it outdated? Was it not clear?
+
+**Additional context**
+Add any other relevant context here.
+

.github/ISSUE_TEMPLATE/feature_request.md

+---
+name: Feature request
+about: Suggest a new feature
+title: ''
+labels: ["type: enhancement"]
+assignees: ''
+
+---
+
+**Describe the feature request**
+A simple description of what you would like to be added to Cabal.
+
+**Additional context**
+What made you ask for this functionality? How would the feature benefit you and other users? Add any other relevant context about the request here.
+

.github/ISSUE_TEMPLATE/user_question.md

+---
+name: Question
+about: Ask a question to the developers
+title: ''
+labels: ["type: user-question"]
+assignees: ''
+
+---
+
+Two great places to ask questions are [Haskell Matrix](https://matrix.to/#/#haskell:matrix.org) (online chat) and [Haskell Discourse](https://discourse.haskell.org). There are many experienced programmers there who can quickly help you with using Cabal and `cabal-install`.
+
+If you did not find an answer to your question, fill in this template.
+
+**What is your question?**
+State your question in simple terms. What were you attempting to do? What have you have tried?
+
+**System information**
+ - Operating system
+ - `cabal`, `ghc` versions
+
+**Additional context**
+Add any other relevant context here.
+

.github/PULL_REQUEST_TEMPLATE.md

-
----
-Please include the following checklist in your PR:
-
-* [ ] Patches conform to the [coding conventions](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#conventions).
-* [ ] Any changes that could be relevant to users [have been recorded in the changelog](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#changelog).
-* [ ] The documentation has been updated, if necessary.
-
-Please also shortly describe how you tested your change. Bonus points for added tests!

.github/actions/download/action.yml

+name: 'Download artifact'
+description: 'Download artifacts with normalized names'
+inputs:
+  name:
+    required: true
+    type: string
+  path:
+    required: true
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: Normalise name
+      run: |
+        name=${{ inputs.name }}
+        echo "NAME=${name//\//_}" >> "$GITHUB_ENV"
+      shell: bash
+
+    - name: Download artifact
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ env.NAME }}
+        path: ${{ inputs.path }}
+

.github/actions/upload/action.yml

+name: 'Upload artifact'
+description: 'Upload artifacts with normalized names'
+inputs:
+  if-no-files-found:
+    default: 'error'
+    type: string
+  name:
+    required: true
+    type: string
+  path:
+    required: true
+    type: string
+  retention-days:
+    default: 0
+    type: number
+
+runs:
+  using: "composite"
+  steps:
+    - name: Normalise name
+      run: |
+        name=${{ inputs.name }}
+        echo "NAME=${name//\//_}" >> "$GITHUB_ENV"
+      shell: bash
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        if-no-files-found: ${{ inputs.if-no-files-found }}
+        retention-days: ${{ inputs.retention-days }}
+        name: ${{ env.NAME }}
+        path: ${{ inputs.path }}
+

.github/dependabot.yml

+# From:
+# - https://github.com/haskell/hackage-server
+# - https://github.com/rhysd/actionlint/issues/228#issuecomment-1272493095
+# - https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"
+

.github/mergify.yml

+# Note: We do not use the rebase strategy to merge PRs, because that
+# loses information needed by changelog-d to associate commits with PRs.
+
+priority_rules:
+
+  - name: high priority
+    conditions:
+      - 'label=priority: high :fire:'
+    priority: 3000
+
+  - name: priority for queue `default`
+    conditions:
+      - queue-name=default
+    priority: 2500
+
+  - name: priority for queue `squash-merge`
+    conditions:
+      - queue-name=squash-merge
+    priority: 2500
+
+  # The idea is we slightly prioritize those PRs because we're in
+  # a release cycle if a PR matches.
+  - name: release branch
+    conditions:
+      - 'base~=^3\.'
+      - 'label!=backport'
+    priority: 2750
+
 pull_request_rules:
+
+  # implementing PR delay logic: apply a label after 2 days of inactivity
+  # the label will allow Mergify to merge (see #8442, #8448)
+  - actions:
+      label:
+        add:
+          - merge delay passed
+    name: Wait for 2 days before validating merge
+    conditions:
+      - or:
+          - 'label=priority: high :fire:'
+          - updated-at<2 days ago
+      - or:
+          - label=merge me
+          - label=squash+merge me
+          - label=merge+no rebase
+      - '#approved-reviews-by>=2'
+
+  # label when Mergify is ready but waiting for the above
+  - actions:
+      label:
+        add:
+          - ready and waiting
+    name: Waiting out merge delay (used by bot)
+    conditions:
+      - base=master
+      - -draft
+      - -closed
+      - '-label=merge delay passed'
+      - '-label=priority: high :fire:'
+      - or:
+          - label=merge me
+          - label=squash+merge me
+          - label=merge+no rebase
+      - '#approved-reviews-by>=2'
+      - '#changes-requested-reviews-by=0'
+      # oy
+      # lifted these from branch protection imports
+      - check-success=fourmolu
+      - check-success=hlint
+      - check-success=Meta checks
+      - check-success=Doctest Cabal
+      - check-success=Validate post job
+      - check-success=Bootstrap post job
+      - 'check-success=docs/readthedocs.org:cabal'
+
+  # label when Mergify didn't trigger a merge automatically
+  - actions:
+      label:
+        add:
+          - waiting too long
+    name: Mergify hasn't merged a PR yet
+    conditions:
+      - base=master
+      - -draft
+      - -closed
+      - -merged
+      - '#approved-reviews-by>=2'
+      - '#changes-requested-reviews-by=0'
+      - updated-at<4 days ago
+      - label=merge delay passed
+      # oy
+      # lifted these from branch protection imports
+      - check-success=fourmolu
+      - check-success=hlint
+      - check-success=Meta checks
+      - check-success=Doctest Cabal
+      - check-success=Validate post job
+      - check-success=Bootstrap post job
+      - 'check-success=docs/readthedocs.org:cabal'
+
   # rebase+merge strategy
   - actions:
       queue:
         name: default
-        # Merge into master with a merge commit
-        method: merge
-        # Update the pr branch with rebase, so the history is clean
-        update_method: rebase
     name: Put pull requests in the rebase+merge queue
     conditions:
       - base=master
       - label=merge me
+      - label=merge delay passed
       - '#approved-reviews-by>=2'
-      - updated-at<2 days ago
+      - '-label~=^blocked:'
+
   # merge+squash strategy
   - actions:
       queue:
-        name: default
-        method: squash
-        # both update methods get absorbed by the squash, so we use the most
-        # reliable
-        update_method: merge
+        name: squash-merge
     name: Put pull requests in the squash+merge queue
     conditions:
       - base=master
       - label=squash+merge me
+      - label=merge delay passed
+      - '#approved-reviews-by>=2'
+      - '-label~=^blocked:'
+
+  # merge+no rebase strategy
+  - actions:
+      merge:
+        method: merge
+    name: Merge "merge+no rebase" pull requests directly (without a queue)
+    conditions:
+      - base=master
+      - label=merge+no rebase
+      - label=merge delay passed
+      - '#approved-reviews-by>=2'
+      - '-label~=^blocked:'
+
+  # merge strategy for release branches
+  - actions:
+      queue:
+        name: default
+    name: Put release branch pull requests in the rebase+merge queue
+    conditions:
+      - label=merge me
+      - base!=master
+      - -label=backport
+      - '#approved-reviews-by>=2'
+      - '-label~=^blocked:'
+
+  # merge+squash strategy for release branches
+  - actions:
+      queue:
+        name: squash-merge
+    name: Put release branch pull requests in the squash+merge queue
+    conditions:
+      - base!=master
+      - label=squash+merge me
+      - -label=backport
       - '#approved-reviews-by>=2'
-      - updated-at<2 days ago
-  # rebase+merge strategy for backports: require 1 approver instead of 2
+      - '-label~=^blocked:'
+
+  # merge strategy for backports: require 1 approver instead of 2
   - actions:
       queue:
         name: default
-        # Merge with a merge commit
-        method: merge
-        # Update the pr branch with rebase, so the history is clean
-        update_method: rebase
     name: Put backports in the rebase+merge queue
     conditions:
       - label=merge me
       - base!=master
-      - body~=backport
+      - label=backport
+      - '#approved-reviews-by>=1'
+      - '-label~=^blocked:'
+
+  # merge+squash strategy for backports: require 1 approver instead of 2
+  - actions:
+      queue:
+        name: squash-merge
+    name: Put backports in the squash+merge queue
+    conditions:
+      - label=squash+merge me
+      - base!=master
+      - label=backport
       - '#approved-reviews-by>=1'
+      - '-label~=^blocked:'
+
+  # backports should be labeled as such
+  - actions:
+      label:
+        add:
+          - backport
+    name: Label backports as such
+    conditions:
+      - body~=automatic backport
+
+merge_queue:
+  max_parallel_checks: 2
 
 queue_rules:
+  # Mergify now requires different queues for different strategies
   - name: default
-    conditions: []
+    batch_size: 3
+    batch_max_wait_time: 10 min
+    update_bot_account: Mikolaj
+    merge_method: merge
+    update_method: rebase
+
+  - name: squash-merge
+    batch_size: 3
+    batch_max_wait_time: 10 min
+    update_bot_account: Mikolaj
+    merge_method: squash
+    update_method: merge
+
+defaults:
+  actions:
+    backport:
+      title: "Backport #{{ number }}: {{ title }}"

.github/pull_request_template.md

+Please read [Github PR Conventions](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#github-pull-request-conventions) and then fill in *one* of these two templates.
+
+---
+
+**Template Α: This PR modifies [behaviour or interface](https://github.com/cabalism/cabal/blob/master/CONTRIBUTING.md#changelog)**
+
+Include the following checklist in your PR:
+
+* [ ] Patches conform to the [coding conventions](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#other-conventions).
+* [ ] Any changes that could be relevant to users [have been recorded in the changelog](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#changelog).
+  * [ ] [Is the change significant?](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#is-my-change-significant) If so, remember to add `significance: significant` in the changelog file.
+* [ ] The documentation has been updated, if necessary.
+* [ ] [Manual QA notes](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#qa-notes) have been included.
+* [ ] Tests have been added. (*Ask for help if you don’t know how to write them! Ask for an exemption if tests are too complex for too little coverage!*)
+
+---
+
+**Template B: This PR does not modify behaviour or interface**
+
+*E.g. the PR only touches documentation or tests, does refactorings, etc.*
+
+Include the following checklist in your PR:
+
+* [ ] Patches conform to the [coding conventions](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#other-conventions).
+* [ ] Is this a PR that fixes CI? If so, it will need to be backported to older cabal release branches (ask maintainers for directions).

.github/scripts/build.bash

+set -eux
+
+uname -a
+uname -p
+uname
+pwd
+env
+
+if [ "${RUNNER_OS}" = Windows ] ; then
+    ext=".exe"
+else
+    ext=""
+fi
+
+ghcup --no-verbose install ghc --set --install-targets "${GHC_TARGETS}" "${GHC_VERSION}"
+
+cabal update
+cabal user-config diff
+cabal user-config init -f
+"ghc-${GHC_VERSION}" --info
+"ghc" --info
+
+# shellcheck disable=SC2206
+args=(
+    -w "ghc-$GHC_VERSION"
+    --disable-profiling
+    --enable-executable-stripping
+    --project-file=cabal.release.project
+    ${ADD_CABAL_ARGS}
+)
+
+cabal v2-build "${args[@]}" cabal-install
+
+mkdir -p "out"
+# shellcheck disable=SC2154
+cp "$(cabal list-bin "${args[@]}" cabal-install:exe:cabal)" "out/cabal$ext"
+cp dist-newstyle/cache/plan.json "out/plan.json"
+cd "out/"
+
+# create tarball/zip
+TARBALL_PREFIX="cabal-install-$("./cabal" --numeric-version)"
+case "${TARBALL_EXT}" in
+    zip)
+        zip "${TARBALL_PREFIX}-${ARTIFACT}.${TARBALL_EXT}" "cabal${ext}" plan.json
+        ;;
+    tar.xz)
+        tar caf "${TARBALL_PREFIX}-${ARTIFACT}.${TARBALL_EXT}" "cabal${ext}" plan.json
+        ;;
+    *)
+        fail "Unknown TARBALL_EXT: ${TARBALL_EXT}"
+        ;;
+esac
+
+rm "cabal${ext}" plan.json
+

.github/scripts/test.bash

+set -eux
+
+env
+pwd
+ls -lah
+
+cd out
+case "${TARBALL_EXT}" in
+    zip)
+        unzip ./cabal-install-*-"${ARTIFACT}.${TARBALL_EXT}"
+        ;;
+    tar.xz)
+        tar xf ./cabal-install-*-"${ARTIFACT}.${TARBALL_EXT}"
+        ;;
+    *)
+        fail "Unknown TARBALL_EXT: ${TARBALL_EXT}"
+        ;;
+esac
+cd ..
+
+ghcup --no-verbose install ghc --set --install-targets "${GHC_TEST_TARGETS}" "${GHC_TEST_VERSION}"
+
+cabal update
+
+# TODO: we want to avoid building here... we should just
+# be using the previously built 'cabal-tests' binary
+# Also see https://github.com/haskell/cabal/issues/11048
+cabal run -w "ghc-${GHC_TEST_VERSION}" ${ADD_CABAL_ARGS} cabal-testsuite:cabal-tests -- \
+  --with-cabal "$(pwd)/out/cabal" \
+  --intree-cabal-lib "$(pwd)" \
+  --test-tmp "$(pwd)/testdb" \
+  --skip-setup-tests \
+  -j "$(nproc || sysctl -n hw.ncpu || getconf _NPROCESSORS_ONLN || echo 1)"
+

.github/workflows/bootstrap.yml

@@ -19,27 +19,63 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        ghc: ["8.6.5", "8.8.4", "8.10.7", "9.0.2", "9.2.3"]
+        ghc: ["9.2.8", "9.4.8", "9.6.7", "9.8.4", "9.10.2", "9.12.2"]
         include:
           - os: macos-latest
-            ghc: "9.2.3"
+            ghc: "9.2.8"
     name: Bootstrap ${{ matrix.os }} ghc-${{ matrix.ghc }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - name: Work around XDG directories existence (haskell-actions/setup#62)
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          rm -rf ~/.config/cabal
+          rm -rf ~/.cache/cabal
+
+      - uses: actions/cache@v4
+        name: Cache the downloads
+        id: bootstrap-cache
+        with:
+          path: "/home/runner/work/cabal/cabal/_build"
+          key: bootstrap-${{ runner.os }}-${{ matrix.ghc }}-20221115-${{ github.sha }}
+          restore-keys: bootstrap-${{ runner.os }}-${{ matrix.ghc }}-20221115-
+
+      - uses: actions/checkout@v5
+      - uses: haskell-actions/setup@v2
+        with:
+          ghc-version: ${{ matrix.ghc }}
+
       - name: bootstrap.py
         run: |
           GHC_VERSION=${{ matrix.ghc }}
-          ghcup config set cache true
-          ghcup install ghc $GHC_VERSION
-          # We use linux dependencies also on macos
-          python3 bootstrap/bootstrap.py -w $(ghcup whereis ghc $GHC_VERSION) -d bootstrap/linux-$GHC_VERSION.json
+          # Fetch the bootstrap sources (we use linux dependencies also on macos)
+          python3 bootstrap/bootstrap.py -d bootstrap/linux-$GHC_VERSION.json fetch
+
+          # Bootstrap using the bootstrap sources
+          python3 bootstrap/bootstrap.py --bootstrap-sources bootstrap-sources.tar.gz
 
       - name: Smoke test
         run: |
           _build/bin/cabal --version
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: cabal-${{ matrix.os }}-${{ matrix.ghc }}-bootstrapped
           path: _build/artifacts/*
+
+  # We use this job as a summary of the workflow
+  # It will fail if any of the previous jobs does it
+  # This way we can use it exclusively in branch protection rules
+  # and abstract away the concrete jobs of the workflow, including their names
+  bootstrap-post-job:
+    if: always()
+    name: Bootstrap post job
+    runs-on: ubuntu-latest
+    # IMPORTANT! Any job added to the workflow should be added here too
+    needs: [bootstrap]
+
+    steps:
+      - run: |
+          echo "jobs info: ${{ toJSON(needs) }}"
+      - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1

.github/workflows/changelogs.yml

@@ -4,13 +4,7 @@ on:
   push:
     branches:
     - master
-    paths:
-    - 'changelog.d/*'
-    - '.github/workflows/changelogs.yml'
   pull_request:
-    paths:
-    - 'changelog.d/*'
-    - '.github/workflows/changelogs.yml'
   release:
     types:
       - created
@@ -21,36 +15,22 @@ defaults:
 
 jobs:
   build:
+    name: Changelogs
     runs-on: ubuntu-latest
 
     steps:
-      - name: Set PATH
-        # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#adding-a-system-path
-        run: |
-          echo "$HOME/.cabal/bin" >> $GITHUB_PATH
-      - uses: actions/cache@v1
-        with:
-          path: ~/.cabal/store
-          key: linux-store-changelogs
-      - name: ghcup
-        run: |
-          ghcup config set cache true
-          ghcup install ghc recommended
-          ghcup set ghc recommended
-      - name: Update Hackage index
-        run: cabal v2-update
-      # Cannot install it from tarball due to
-      # https://github.com/haskell/cabal/issues/7360
-      - uses: actions/checkout@v3
-        with:
-          repository: "phadej/changelog-d"
-          path: "changelog-d"
+
       - name: Install changelog-d
         run: |
-          pushd changelog-d
-          cabal v2-install
-          popd
-      - uses: actions/checkout@v3
+          curl --create-dirs -o "$HOME/.local/bin/changelog-d" -sS --fail \
+            "https://codeberg.org/fgaz/changelog-d/releases/download/v1.0.1/changelog-d-v1.0.1-x86_64-linux"
+          chmod +x "$HOME/.local/bin/changelog-d"
+          # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Checkout cabal sources
+        uses: actions/checkout@v5
+
       - name: Run changelog-d
         run: |
           changelog-d changelog.d

.github/workflows/check-sdist.yml

+name: Check sdist
+
+# See: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency.
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  release:
+    types:
+      - created
+
+jobs:
+
+  # Dogfood the generated sdist, to avoid bugs like https://github.com/haskell/cabal/issues/9833
+  # No caching, since the point is to verify they can be installed "from scratch"
+  # Don't run on master or a PR targeting master, because there's never an installable Cabal
+  dogfood-sdists:
+    name: Dogfood sdist on ghc-${{ matrix.ghc }}
+    if: github.ref != 'refs/heads/master' && github.base_ref != 'master'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # this should be kept up to date with the list in validate.yml, but should be the
+        # *first* compiler release so we validate against what is hopefully the first
+        # release of a corresponding Cabal and friends. it can also be short since it's
+        # highly unlikely that we are releasing really old branches.
+        ghc:
+          ["9.12.1", "9.10.1", "9.8.1", "9.6.1"]
+
+    steps:
+
+      - uses: haskell-actions/setup@v2
+        id: setup-haskell
+        with:
+          ghc-version: ${{ matrix.ghc }}
+          cabal-version: latest
+
+      - uses: actions/checkout@v5
+
+      - name: Make sdist
+        run: cabal sdist cabal-install
+
+      - name: Install from sdist
+        run: |
+          # skip if a suitable Cabal isn't in this ghc's bootlibs, since that's the case
+          # that causes failures for users (otherwise cabal-install will install a matching
+          # version itself)
+          # we only want to test cabal-install, to ensure that it works with existing Cabals
+          # (don't look at this too closely)
+          sdist="$(ls dist-newstyle/sdist/cabal-install-*.tar.gz | sed -n '\,^dist-newstyle/sdist/cabal-install-[0-9.]*\.tar\.gz$,{;p;q;}')"
+          # extract the cabal-install major version
+          ver="$(echo "$sdist" | sed -n 's,^dist-newstyle/sdist/cabal-install-\([0-9][0-9]*\.[0-9][0-9]*\)\.[0-9.]*\.tar\.gz$,\1,p')"
+          # dunno if this will ever be extended to freebsd, but grep -q is a gnu-ism
+          if ghc-pkg --global --simple-output list Cabal | grep "^Cabal-$ver\\." >/dev/null; then
+            # sigh, someone broke installing from tarballs
+            rm -rf cabal*.project Cabal Cabal-syntax cabal-install-solver cabal-install
+            tar xfz "$sdist"
+            cd "cabal-install-$cbl"*
+            cabal install
+          else
+            echo No matching bootlib Cabal version to test against.
+            exit 0
+          fi
+
+  check-sdist-post-job:
+    if: always()
+    name: Check sdist post job
+    runs-on: ubuntu-latest
+    # IMPORTANT! Any job added to the workflow should be added here too
+    needs: [dogfood-sdists]
+
+    steps:
+      - run: |
+          echo "jobs info: ${{ toJSON(needs) }}"
+      - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1
+

.github/workflows/dependabot.yml

+# copied from https://github.com/ubuntu/authd/commit/3f9df8f21d952cd33fd44d3834d0edeec1f5766f
+
+name: Dependabot rules validation
+
+on:
+  pull_request:
+    paths:
+      - '.github/dependabot.yml'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: marocchino/validate-dependabot@v3
+        id: validate