Do the thing

Keep it very simple for now, some design choices:
- Automation never makes changes to team members, it only opens PRs for
  humans to act upon.
- Rather than a single file to track team members, use a directory with
  files for each team member, such that there are never merge conflicts.

Author: infinisil

.github/workflows/retire.yml

@@ -0,0 +1,40 @@
+name: retire
+
+on:
+  schedule:
+    # Every day at 17:07 (randomly chosen)
+    - cron: '7 17 * * *'
+
+  # Allows manual trigger
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  retire:
+    name: retire
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Get GitHub App User Git String
+        id: user
+        run: |
+          userId=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)
+          name="${{ steps.app-token.outputs.app-slug }}[bot]"
+          email="$userId+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com"
+          git config --global user.name "$name"
+          git config --global user.email "$email"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Fetch source
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Run script
+        run: scripts/sync.sh NixOS nixpkgs nixpkgs-committers members
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/sync.yml

@@ -0,0 +1,51 @@
+name: sync
+
+on:
+  schedule:
+    # Every day at 14:12 (randomly chosen)
+    - cron: '12 14 * * *'
+
+  # Allows manual trigger
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  sync:
+    name: sync
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Get GitHub App User Git String
+        id: user
+        run: |
+          userId=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)
+          name="${{ steps.app-token.outputs.app-slug }}[bot]"
+          email="$userId+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com"
+          git config --global user.name "$name"
+          git config --global user.email "$email"
+          echo "git-string=$name <$email>" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Fetch source
+        uses: actions/checkout@v4
+      - name: Run script
+        run: scripts/sync.sh NixOS nixpkgs-committers members
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          author: ${{ steps.user.outputs.git-string }}
+          committer: ${{ steps.user.outputs.git-string }}
+          commit-message: Automated sync
+          branch: create-pull-request/sync
+          title: Automated sync
+          body: This is an automated PR to sync the member list in this repository to match the GitHub team members. This PR can be merged without taking any further action.
+          team-reviewers: commit-bit-delegation
+

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Nix/Nixpkgs/NixOS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,40 @@
+# Nixpkgs committers
+
+This repository publicly tracks the [current members](./members) and [changes](../../commits/main/members)
+of the [Nixpkgs Committers](https://github.com/orgs/nixos/teams/nixpkgs-committers) team,
+whose members have write access to [Nixpkgs](https://github.com/nixos/nixpkgs).
+
+The [Nixpkgs commit delegators](https://github.com/orgs/NixOS/teams/commit-bit-delegation)
+maintain the member list in this repository.
+While it's in principle possible to request Nixpkgs commit permissions by creating a PR,
+please nominate yourself in [this issue](https://github.com/NixOS/nixpkgs/issues/321665) instead.
+
+## Semi-automatic synchronisation
+
+Every day, [a GitHub Action workflow](./.github/workflows/sync.yml) runs
+to synchronise the members of the GitHub team with the member list in this repository.
+If they don't match, an automated PR is created,
+which should be merged by the Nixpkgs commit delegators to reconcile the mismatch.
+
+## Semi-automatic retirement
+
+Every day, [a GitHub Action workflow](./.github/workflows/retire.yml) runs
+to check if any Nixpkgs committers have not used their commit access within the last year,
+in which case an automated PR is created to remove them from the member list.
+This is according to [RFC 55](https://github.com/NixOS/rfcs/blob/master/rfcs/0055-retired-committers.md)
+and the SC-approved [amendment](https://github.com/NixOS/org/issues/91).
+
+The PR will ping the user and inform them that it will by default be merged and implemented in one month.
+If the PR is still open one month later,
+an automated comment will be posted with the next steps for the Nixpkgs commit delegators.
+
+## Automation setup
+
+Automation depends on a GitHub App with the following permissions:
+- Organisation: Members read only (to be able to read the team members)
+- Repository: Pull requests read write, Contents read write (to be able to create PRs in this repository)
+
+The GitHub App should only be installed on this repository.
+To give the workflows access to the GitHub App:
+- Configure the App ID as the repository _variable_ `APP_ID`
+- Configure the private key as the repository _secret_ `PRIVATE_KEY`

scripts/retire.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  echo >&2 "Usage: $0 ORG ACTIVITY_REPO MEMBER_REPO DIR"
+  exit 1
+}
+
+ORG=${1:-$(usage)}
+ACTIVITY_REPO=${2:-$(usage)}
+MEMBER_REPO=${3:-$(usage)}
+DIR=${4:-$(usage)}
+
+tmp=$(mktemp -d)
+
+shopt -s nullglob
+
+# One month plus a bit of leeway
+epochOneMonthAgo=$(( $(date --date='1 month ago' +%s) - 60 * 60 * 12 ))
+mainBranch=$(git branch --show-current)
+
+mkdir -p "$DIR"
+cd "$DIR"
+for login in *; do
+  gh api -X GET /repos/"$ORG"/"$ACTIVITY_REPO"/activity -f time_period=year -f actor="$login" -f per_page=100 \
+    --jq ".[] | \"- \(.timestamp) [\(.activity_type) on \(.ref | ltrimstr(\"refs/heads/\"))](https://github.com/$ORG/$ACTIVITY_REPO/compare/\(.before)...\(.after))\"" \
+    > "$tmp/$login"
+  activityCount=$(wc -l <"$tmp/$login")
+
+  branchName=retire-$login
+  prInfo=$(gh api -X GET /repos/"$ORG"/"$MEMBER_REPO"/pulls -f head="$ORG":"$branchName" --jq '.[0]')
+  if [[ -n "$prInfo" ]]; then
+    # If there is a PR already
+    prNumber=$(jq .number <<< "$prInfo")
+    epochCreatedAt=$(date --date="$(jq -r .created_at <<< "$prInfo")" +%s)
+    if (( epochCreatedAt < epochOneMonthAgo )); then
+      echo "$login has a retirement PR due, comment with a reminder to merge"
+      {
+        if (( activityCount > 0 )); then
+          echo "One month has passed, @$login has been active again:"
+          cat "$tmp/$login"
+          echo ""
+          echo "This PR may be merged and implemented by:"
+        else
+          echo "One month has passed, to this PR should now be merged and implemented by:"
+        fi
+        echo "- Adding @$login to the [Retired Nixpkgs Contributors team](https://github.com/orgs/NixOS/teams/retired-nixpkgs-contributors)"
+        echo "- Removing @$login from the [Nixpkgs Committers team](https://github.com/orgs/NixOS/teams/nixpkgs-committers)"
+      } | gh api --method POST /repos/"$ORG"/"$MEMBER_REPO"/issues/"$prNumber"/comments -F "body=@-" >/dev/null
+    else
+      echo "$login has a retirement PR pending"
+    fi
+  elif (( activityCount <= 0 )); then
+    echo "$login has become inactive, opening a PR"
+    # If there is no PR yet, but they have become inactive
+    git switch -C "$branchName"
+    git rm "$login"
+    git commit -m "Automatic retirement of @$login"
+    git push -f origin "$branchName"
+    {
+      echo "This is an automated PR to retire @$login as a Nixpkgs committers due to not using their commit access for 1 year."
+      echo ""
+      echo "Make a comment with your motivation to keep commit access, otherwise this PR will be merged and implemented in 1 month."
+    } | gh api \
+      --method POST \
+      /repos/"$ORG"/"$MEMBER_REPO"/pulls \
+       -f "title=Automatic retirement of @$login" \
+       -F "body=@-" \
+       -f "head=$ORG:$branchName" \
+       -f "base=$mainBranch" >/dev/null
+    git checkout "$mainBranch"
+  else
+    echo "$login is active with $activityCount activities"
+  fi
+done

scripts/sync.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  echo >&2 "Usage: $0 ORG TEAM DIR"
+  exit 1
+}
+
+ORG=${1:-$(usage)}
+TEAM=${2:-$(usage)}
+DIR=${3:-$(usage)}
+
+shopt -s nullglob
+
+mkdir -p "$DIR"
+cd "$DIR"
+
+for login in *; do
+  rm "$login"
+done
+
+gh api /orgs/"$ORG"/teams/"$TEAM"/members --paginate --jq '.[].login' |
+  while read -r login; do
+    touch "$login"
+  done