diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 0e3f315bb0de..bcb164a04eef 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -8,7 +8,7 @@ jobs: if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name)) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: # required to find all branches fetch-depth: 0 diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml index 67634af51f62..c48b04d8c14c 100644 --- a/.github/workflows/basic-eval.yml +++ b/.github/workflows/basic-eval.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v16 # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset - run: nix-build pkgs/top-level/release.nix -A tarball.nixpkgs-basic-release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin" ]' diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml index 28e20d6c9458..de49e55ef2a7 100644 --- a/.github/workflows/editorconfig.yml +++ b/.github/workflows/editorconfig.yml @@ -24,7 +24,7 @@ jobs: - name: print list of changed files run: | cat "$HOME/changed_files" - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 4d1e2a2a0f95..c464f8bf58a9 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml 
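Review bot: The `actions/checkout@v3` step in editorconfig.yml checks out `refs/pull/${{ github.event.pull_request.number }}/merge`, and the comment above it says the workflow runs on `pull_request_target`, so contributor-controlled files land in a job that runs with the base repository's token; the manual-nixos.yml, manual-nixpkgs.yml and nixos-manual.yml hunks show the same pattern. checkout keeps that token in the local git config by default, so I would add `persist-credentials: false` under `with:` in each of these steps while they are being touched. Pinning the action to a full commit SHA instead of the mutable `v3` tag would also make the bump auditable. The later steps and any `permissions:` block are outside these hunks, so whether the checked-out code is evaluated or built there should be confirmed before relying on this alone.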
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/labeler@v3 + - uses: actions/labeler@v4 with: repo-token: ${{ secrets.GITHUB_TOKEN }} sync-labels: true diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml index b9181c5f3bbc..787f55352967 100644 --- a/.github/workflows/manual-nixos.yml +++ b/.github/workflows/manual-nixos.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml index 3bdbd7f78fc4..7d9273ef1398 100644 --- a/.github/workflows/manual-nixpkgs.yml +++ b/.github/workflows/manual-nixpkgs.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge diff --git a/.github/workflows/nixos-manual.yml b/.github/workflows/nixos-manual.yml index e1c5b4dc93b9..bd70f228d462 100644 --- a/.github/workflows/nixos-manual.yml +++ b/.github/workflows/nixos-manual.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'NixOS' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: # pull_request_target checks out the base branch by default ref: refs/pull/${{ github.event.pull_request.number }}/merge diff --git a/.github/workflows/periodic-merge-24h.yml b/.github/workflows/periodic-merge-24h.yml index b8535fdf9527..5ad0db1db51c 100644 --- a/.github/workflows/periodic-merge-24h.yml +++ b/.github/workflows/periodic-merge-24h.yml 
@@ -38,7 +38,7 @@ jobs: into: staging-21.11 name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} uses: devmasx/merge-branch@1.4.0 diff --git a/.github/workflows/periodic-merge-6h.yml b/.github/workflows/periodic-merge-6h.yml index daa9b6d3c844..a8af04b78bc2 100644 --- a/.github/workflows/periodic-merge-6h.yml +++ b/.github/workflows/periodic-merge-6h.yml @@ -32,7 +32,7 @@ jobs: into: staging name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} uses: devmasx/merge-branch@1.4.0 diff --git a/.github/workflows/update-terraform-providers.yml b/.github/workflows/update-terraform-providers.yml index 9de57d6e3d19..09d208a62160 100644 --- a/.github/workflows/update-terraform-providers.yml +++ b/.github/workflows/update-terraform-providers.yml @@ -10,7 +10,7 @@ jobs: if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v16 - name: setup id: setup diff --git a/pkgs/applications/misc/whalebird/default.nix b/pkgs/applications/misc/whalebird/default.nix index d478655eed1b..3920a3a86554 100644 --- a/pkgs/applications/misc/whalebird/default.nix +++ b/pkgs/applications/misc/whalebird/default.nix @@ -3,11 +3,11 @@ stdenv.mkDerivation rec { pname = "whalebird"; - version = "4.5.1"; + version = "4.5.2"; src = fetchurl { url = "https://github.com/h3poteto/whalebird-desktop/releases/download/${version}/Whalebird-${version}-linux-x64.deb"; - sha256 = "sha256-70fCyxiM4CiNuG4Lqr4Tq0FHak3wDcp8G93EKYj+0kc="; + sha256 = "sha256-4ksKXVeUGICHfx014s5g9mapS751dbexBjzyqNvk02M="; }; nativeBuildInputs = [ 
diff --git a/pkgs/applications/networking/instant-messengers/teamspeak/client.nix b/pkgs/applications/networking/instant-messengers/teamspeak/client.nix index ca6cc55d65ac..80d04eabc824 100644 --- a/pkgs/applications/networking/instant-messengers/teamspeak/client.nix +++ b/pkgs/applications/networking/instant-messengers/teamspeak/client.nix @@ -1,6 +1,6 @@ { lib, stdenv, fetchurl, makeWrapper, makeDesktopItem, zlib, glib, libpng, freetype, openssl , xorg, fontconfig, qtbase, qtwebengine, qtwebchannel, qtsvg, qtwebsockets, xkeyboard_config -, alsa-lib, libpulseaudio ? null, libredirect, quazip, which, unzip, llvmPackages, writeShellScriptBin +, alsa-lib, libpulseaudio ? null, libredirect, quazip, which, unzip, llvmPackages_10, writeShellScriptBin }: let @@ -13,7 +13,7 @@ let [ zlib glib libpng freetype xorg.libSM xorg.libICE xorg.libXrender openssl xorg.libXrandr xorg.libXfixes xorg.libXcursor xorg.libXinerama xorg.libxcb fontconfig xorg.libXext xorg.libX11 alsa-lib qtbase qtwebengine qtwebchannel qtsvg - qtwebsockets libpulseaudio quazip llvmPackages.libcxx llvmPackages.libcxxabi + qtwebsockets libpulseaudio quazip llvmPackages_10.libcxx llvmPackages_10.libcxxabi # llvmPackages_11 and higher crash https://github.com/NixOS/nixpkgs/issues/161395 ]; desktopItem = makeDesktopItem { diff --git a/pkgs/build-support/make-darwin-bundle/write-darwin-bundle.nix b/pkgs/build-support/make-darwin-bundle/write-darwin-bundle.nix index 63ef7e655075..d21e0475e2df 100644 --- a/pkgs/build-support/make-darwin-bundle/write-darwin-bundle.nix +++ b/pkgs/build-support/make-darwin-bundle/write-darwin-bundle.nix 
@@ -4,33 +4,34 @@ let pListText = lib.generators.toPlist { } { CFBundleDevelopmentRegion = "English"; CFBundleExecutable = "$name"; - CFBundleIconFiles = [ "$iconPlistArray" ]; + CFBundleIconFile = "$icon"; CFBundleIdentifier = "org.nixos.$name"; CFBundleInfoDictionaryVersion = "6.0"; CFBundleName = "$name"; CFBundlePackageType = "APPL"; CFBundleSignature = "???"; }; - -# The generation of the CFBundleIconFiles array is a bit of a hack, since we -# will always end up with an empty first element () but macOS -# appears to ignore this which allows us to use the nix PList generator. in writeScriptBin "write-darwin-bundle" '' shopt -s nullglob - readonly prefix="$1" - readonly name="$2" - readonly exec="$3" - iconPlistArray="" + readonly prefix=$1 + readonly name=$2 + readonly exec=$3 + readonly icon=$4.icns + readonly squircle=''${5:-1} + readonly plist=$prefix/Applications/$name.app/Contents/Info.plist - for icon in "$prefix/Applications/$name.app/Contents/Resources"/*; do - iconPlistArray="$iconPlistArray"$(basename "$icon")"" - done - - cat > "$prefix/Applications/$name.app/Contents/Info.plist" < "$plist" <$icon|$icon| + " -i "$plist" + fi + cat > "$prefix/Applications/$name.app/Contents/MacOS/$name" </dev/null); - local -r pixMaps=$(find "$out/share/pixmaps/" -name "${iconName}.xpm" 2>/dev/null); + local -r iconName=$(getDesktopParam "${file}" "^Icon") + local -r squircle=$(getDesktopParam "${file}" "X-macOS-SquircleIcon") mkdir -p "$out/Applications/${name}.app/Contents/MacOS" mkdir -p "$out/Applications/${name}.app/Contents/Resources" - local i=0; - for icon in $iconFiles; do - ln -s "$icon" "$out/Applications/${name}.app/Contents/Resources/$i-$(basename "$icon")" - (( i +=1 )); - done + convertIconTheme "$out/Applications/${name}.app/Contents/Resources" "$sharePath" "$iconName" - for pixmap in $pixMaps; do - local newIconName="$i-$(basename "$pixmap")"; - convert "$pixmap" "$out/Applications/${name}.app/Contents/Resources/${newIconName%.xpm}.png" - (( i +=1 )); 
- done - - write-darwin-bundle "$out" "$name" "$exec" + write-darwin-bundle "$out" "$name" "$exec" "$iconName" "$squircle" } convertDesktopFiles() { diff --git a/pkgs/desktops/pantheon/apps/appcenter/default.nix b/pkgs/desktops/pantheon/apps/appcenter/default.nix index d62141ece2bd..93c10d072928 100644 --- a/pkgs/desktops/pantheon/apps/appcenter/default.nix +++ b/pkgs/desktops/pantheon/apps/appcenter/default.nix @@ -7,6 +7,7 @@ , desktop-file-utils , elementary-icon-theme , fetchFromGitHub +, fetchpatch , flatpak , gettext , glib @@ -38,6 +39,17 @@ stdenv.mkDerivation rec { sha256 = "sha256-xktIHQHmz5gh72NEz9UQ9fMvBlj1BihWxHgxsHmTIB0="; }; + patches = [ + # Fix AppStream.PoolFlags being renamed + # Though the API break has been fixed in latest appstream, + # let's use the non-deprecated version anyway. + # https://github.com/elementary/appcenter/pull/1794 + (fetchpatch { + url = "https://github.com/elementary/appcenter/commit/84bc6400713484aa9365f0ba73f59c495da3f08b.patch"; + sha256 = "sha256-HNRCJ/5mRbEVjCq9nrXtdQOOk1Jj5jalApkghD8ecpk="; + }) + ]; + nativeBuildInputs = [ appstream-glib dbus # for pkg-config diff --git a/pkgs/desktops/pantheon/desktop/elementary-greeter/default.nix b/pkgs/desktops/pantheon/desktop/elementary-greeter/default.nix index fe7a8e946d10..45a8f119ee05 100644 --- a/pkgs/desktops/pantheon/desktop/elementary-greeter/default.nix +++ b/pkgs/desktops/pantheon/desktop/elementary-greeter/default.nix @@ -1,7 +1,6 @@ { lib , stdenv , fetchFromGitHub -, fetchpatch , nix-update-script , linkFarm , substituteAll @@ -31,13 +30,13 @@ stdenv.mkDerivation rec { pname = "elementary-greeter"; - version = "6.0.1"; + version = "6.0.2"; src = fetchFromGitHub { owner = "elementary"; repo = "greeter"; rev = version; - sha256 = "1f606ds56sp1c58q8dblfpaq9pwwkqw9i4gkwksw45m2xkwlbflq"; + sha256 = "sha256-0chBM8JuCYgZXHneiSxSICZwBVm2Vgx+bas9wUjbnyg="; }; patches = [ 
@@ -47,15 +46,6 @@ stdenv.mkDerivation rec { src = ./hardcode-fallback-background.patch; default_wallpaper = "${nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}"; }) - # https://github.com/NixOS/nixpkgs/issues/151609 - # https://github.com/elementary/greeter/issues/578#issuecomment-1030746697 - ./fix-crash.patch - # Fix build with meson 0.61 - # https://github.com/elementary/greeter/pull/590 - (fetchpatch { - url = "https://github.com/elementary/greeter/commit/a4b25244058fce794a9f13f6b22a8ff7735ebde9.patch"; - sha256 = "sha256-qPXhdvmYG8YMDU/CjbEkfZ0glgRzxnu0TsOPtvWHxLY="; - }) ]; nativeBuildInputs = [ @@ -80,7 +70,6 @@ stdenv.mkDerivation rec { libhandy lightdm mutter - wingpanel-with-indicators ]; mesonFlags = [ diff --git a/pkgs/desktops/pantheon/desktop/elementary-greeter/fix-crash.patch b/pkgs/desktops/pantheon/desktop/elementary-greeter/fix-crash.patch deleted file mode 100644 index ca6f6aab6d60..000000000000 --- a/pkgs/desktops/pantheon/desktop/elementary-greeter/fix-crash.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/src/Cards/UserCard.vala b/src/Cards/UserCard.vala -index 83df22c..8cd917e 100644 ---- a/src/Cards/UserCard.vala -+++ b/src/Cards/UserCard.vala -@@ -42,6 +42,7 @@ public class Greeter.UserCard : Greeter.BaseCard { - private Gtk.Stack login_stack; - private Greeter.PasswordEntry password_entry; - -+ private SelectionCheck logged_in; - private unowned Gtk.StyleContext logged_in_context; - private weak Gtk.StyleContext main_grid_style_context; - private weak Gtk.StyleContext password_entry_context; -@@ -214,7 +215,7 @@ public class Greeter.UserCard : Greeter.BaseCard { - }; - avatar_overlay.add (avatar); - -- var logged_in = new SelectionCheck () { -+ logged_in = new SelectionCheck () { - halign = Gtk.Align.END, - valign = Gtk.Align.END - }; diff --git a/pkgs/development/python-modules/icnsutil/default.nix b/pkgs/development/python-modules/icnsutil/default.nix new file mode 100644 index 000000000000..05c24ec7c37e --- /dev/null 
+++ b/pkgs/development/python-modules/icnsutil/default.nix @@ -0,0 +1,31 @@ +{ lib +, python +, fetchFromGitHub +, buildPythonPackage +}: + +buildPythonPackage rec { + pname = "icnsutil"; + version = "1.0.1"; + + src = fetchFromGitHub { + owner = "relikd"; + repo = pname; + rev = "v${version}"; + sha256 = "sha256-TfQvAbP7iCpRQg2G+ejl245NCYo9DpYwMgiwY2BuJnY="; + }; + + doCheck = true; + + checkPhase = '' + ${python.interpreter} tests/test_icnsutil.py + ${python.interpreter} tests/test_cli.py + ''; + + meta = { + homepage = "https://github.com/relikd/icnsutil"; + description = "Create and extract .icns files."; + license = lib.licenses.mit; + maintainers = [ lib.maintainers.reckenrode ]; + }; +} diff --git a/pkgs/development/python-modules/jschema-to-python/default.nix b/pkgs/development/python-modules/jschema-to-python/default.nix index a9100e061d7b..5b25b5c18a4b 100644 --- a/pkgs/development/python-modules/jschema-to-python/default.nix +++ b/pkgs/development/python-modules/jschema-to-python/default.nix @@ -15,13 +15,10 @@ buildPythonPackage rec { sha256 = "76ff14fe5d304708ccad1284e4b11f96a658949a31ee7faed9e0995279549b91"; }; - nativeBuildInputs = [ - pbr - ]; - propagatedBuildInputs = [ attrs jsonpickle + pbr ]; checkInputs =[ diff --git a/pkgs/development/python-modules/mypy-boto3-builder/default.nix b/pkgs/development/python-modules/mypy-boto3-builder/default.nix index 4bb371456373..3276c5631590 100644 --- a/pkgs/development/python-modules/mypy-boto3-builder/default.nix +++ b/pkgs/development/python-modules/mypy-boto3-builder/default.nix @@ -16,7 +16,7 @@ buildPythonPackage rec { pname = "mypy-boto3-builder"; - version = "7.1.2"; + version = "7.2.1"; format = "pyproject"; disabled = pythonOlder "3.10"; @@ -25,7 +25,7 @@ buildPythonPackage rec { owner = "vemel"; repo = "mypy_boto3_builder"; rev = version; - hash = "sha256-p81Dk6Kv0MzHvexhM8Su5/yIpB+ZGBFqOtm0D18l26s="; + hash = "sha256-jovvSNw2ahCwhA+9zOrn9bR2siXJetZPymQVG4EC9Us="; }; nativeBuildInputs = [ 
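Review bot: The custom `checkPhase` in the new icnsutil expression replaces the default phase without calling `runHook preCheck` and `runHook postCheck`, so overrides that rely on those hooks are silently skipped. Wrapping the two test invocations with them keeps the phase overridable. `doCheck = true;` looks redundant for `buildPythonPackage`, and the description would normally drop the trailing period: `description = "Create and extract .icns files";`.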
diff --git a/pkgs/development/python-modules/pex/default.nix b/pkgs/development/python-modules/pex/default.nix index 0b816fecf643..7648a7440a75 100644 --- a/pkgs/development/python-modules/pex/default.nix +++ b/pkgs/development/python-modules/pex/default.nix @@ -6,12 +6,12 @@ buildPythonPackage rec { pname = "pex"; - version = "2.1.68"; + version = "2.1.69"; format = "flit"; src = fetchPypi { inherit pname version; - sha256 = "sha256-IuYEDKK4sQQ9xVBfHWtya/t9pLNX2gYcXMBpn72FDyo="; + sha256 = "sha256-JbQ8yn/uALjjVSRgqKXsQOC4rOCGkMPxb50KqWg89kM="; }; nativeBuildInputs = [ diff --git a/pkgs/development/tools/continuous-integration/github-runner/default.nix b/pkgs/development/tools/continuous-integration/github-runner/default.nix index 972d3199aa38..7818f7464bad 100644 --- a/pkgs/development/tools/continuous-integration/github-runner/default.nix +++ b/pkgs/development/tools/continuous-integration/github-runner/default.nix @@ -43,13 +43,13 @@ let in stdenv.mkDerivation rec { pname = "github-runner"; - version = "2.288.0"; + version = "2.288.1"; src = fetchFromGitHub { owner = "actions"; repo = "runner"; rev = "v${version}"; - hash = "sha256-vl8p+isoK+yczmsMO2YjnmJQW/k0jLgCUbhQa/wG650="; + hash = "sha256-bP+6aAKnu6PxN9eppFXsqOSVSGQ6Lv+gEF2MdEz52WE="; }; nativeBuildInputs = [ diff --git a/pkgs/development/tools/rust/rust-analyzer/default.nix b/pkgs/development/tools/rust/rust-analyzer/default.nix index 9711ef871c0d..2221ae0a14b3 100644 --- a/pkgs/development/tools/rust/rust-analyzer/default.nix +++ b/pkgs/development/tools/rust/rust-analyzer/default.nix 
@@ -11,14 +11,14 @@ rustPlatform.buildRustPackage rec { pname = "rust-analyzer-unwrapped"; - version = "2022-02-22"; - cargoSha256 = "sha256-5PhmDiYC566KM0PfAaRdMpc0CAzDdez4uuLqBNBrma8="; + version = "2022-02-28"; + cargoSha256 = "sha256-dTw6xp99uGtGp6YuqAX3r3GDD6Wto3KHTaO2DUUE2FA="; src = fetchFromGitHub { owner = "rust-analyzer"; repo = "rust-analyzer"; rev = version; - sha256 = "sha256-O9onJrAJY0TWxEZZcTWuF7SGPypRtSo0ZbpzDLC5+os="; + sha256 = "sha256-GQ1cPO4povnozLl0MTFs0ZXpmBn+AZeFWQVnxHHWf9g="; }; patches = [ diff --git a/pkgs/os-specific/darwin/dockutil/default.nix b/pkgs/os-specific/darwin/dockutil/default.nix new file mode 100644 index 000000000000..d937ce8fd12a --- /dev/null +++ b/pkgs/os-specific/darwin/dockutil/default.nix @@ -0,0 +1,32 @@ +{ lib, stdenv, fetchFromGitHub }: + +stdenv.mkDerivation rec { + pname = "dockutil"; + version = "2.0.5"; + + src = fetchFromGitHub { + owner = "kcrawford"; + repo = "dockutil"; + rev = version; + sha256 = "sha256-8tDkueCTCtvxc7owp3K9Tsrn4hL79CM04zBNv7AcHgA="; + }; + + dontBuild = true; + + installPhase = '' + runHook preInstall + + mkdir -p $out/bin + install -Dm755 scripts/dockutil -t $out/bin + + runHook postInstall + ''; + + meta = with lib; { + description = "Tool for managing dock items"; + homepage = "https://github.com/kcrawford/dockutil"; + license = licenses.asl20; + maintainers = with maintainers; [ tboerger ]; + platforms = platforms.darwin; + }; +} diff --git a/pkgs/tools/misc/staruml/default.nix b/pkgs/tools/misc/staruml/default.nix index 3d2042978f8d..1e0b50d6f85b 100644 --- a/pkgs/tools/misc/staruml/default.nix +++ b/pkgs/tools/misc/staruml/default.nix @@ -1,5 +1,6 @@ -{ stdenv, lib, fetchurl, makeWrapper -, dpkg, patchelf +{ stdenv, lib, fetchurl +, dpkg, patchelf, wrapGAppsHook +, hicolor-icon-theme , gtk3, glib, systemd , xorg, nss, nspr , atk, at-spi2-atk, dbus 
@@ -30,7 +31,8 @@ stdenv.mkDerivation rec { sha256 = "sha256-CUOdpR8RExMLeOX8469egENotMNuPU4z8S1IGqA21z0="; }; - nativeBuildInputs = [ makeWrapper dpkg ]; + nativeBuildInputs = [ wrapGAppsHook dpkg ]; + buildInputs = [ glib hicolor-icon-theme ]; unpackPhase = '' mkdir pkg @@ -39,8 +41,14 @@ stdenv.mkDerivation rec { ''; installPhase = '' - mkdir $out - mv opt/StarUML $out/bin + mkdir -p $out/bin + mv opt $out + + mv usr/share $out + rm -rf $out/share/doc + + substituteInPlace $out/share/applications/staruml.desktop \ + --replace "/opt/StarUML/staruml" "$out/bin/staruml" mkdir -p $out/lib ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ @@ -48,9 +56,15 @@ stdenv.mkDerivation rec { patchelf \ --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/staruml - wrapProgram $out/bin/staruml \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + $out/opt/StarUML/staruml + + ln -s $out/opt/StarUML/staruml $out/bin/staruml + ''; + + preFixup = '' + gappsWrapperArgs+=( + --prefix LD_LIBRARY_PATH ':' $out/lib:${LD_LIBRARY_PATH} + ) ''; meta = with lib; { diff --git a/pkgs/tools/security/witness/default.nix b/pkgs/tools/security/witness/default.nix index 571685afb400..bb15d9d72cc0 100644 --- a/pkgs/tools/security/witness/default.nix +++ b/pkgs/tools/security/witness/default.nix 
@@ -1,25 +1,57 @@ -{ lib, buildGoModule, fetchFromGitHub }: +{ lib, buildGoModule, fetchFromGitHub, installShellFiles }: buildGoModule rec { pname = "witness"; - version = "0.1.1"; + version = "0.1.6"; src = fetchFromGitHub { owner = "testifysec"; repo = pname; rev = "v${version}"; - sha256 = "sha256-NnDsiDUTCdjsHVA/mHnB8WRnvwFTzETkWUOd7IgMIWE="; + sha256 = "sha256-/35hIA6Wm/F5hwyLZbt4JXpwWISWbzVAWrX29r6pejY="; }; - vendorSha256 = "sha256-zkLparWJsuqrhOQxxV37dBqt6fwpSinTO+paJkbl+sM="; + vendorSha256 = "sha256-vXDsHHJknw9hsHx1mJA2c0CWwFbRXjCjitNWPh6V4yw="; + + nativeBuildInputs = [ installShellFiles ]; # We only want the witness binary, not the helper utilities for generating docs. subPackages = [ "cmd/witness" ]; + ldflags = [ + "-s" + "-w" + "-X github.com/testifysec/witness/cmd/witness/cmd.Version=v${version}" + ]; + + # Feed in all tests for testing + # This is because subPackages above limits what is built to just what we + # want but also limits the tests + preCheck = '' + unset subPackages + ''; + + postInstall = '' + installShellCompletion --cmd witness \ + --bash <($out/bin/witness completion bash) \ + --fish <($out/bin/witness completion fish) \ + --zsh <($out/bin/witness completion zsh) + ''; + meta = with lib; { description = "A pluggable framework for software supply chain security. Witness prevents tampering of build materials and verifies the integrity of the build process from source to target"; + longDescription = '' + Witness prevents tampering of build materials and verifies the integrity + of the build process from source to target. It works by wrapping commands + executed in a continuous integration process. Its attestation system is + pluggable and offers support out of the box for most major CI and + infrastructure providers. Verification of Witness metadata and a secure + PKI distribution system will mitigate against many software supply chain + attack vectors and can be used as a framework for automated governance. 
+ ''; homepage = "https://github.com/testifysec/witness"; + changelog = "https://github.com/testifysec/witness/releases/tag/v${version}"; license = licenses.asl20; - maintainers = with maintainers; [ fkautz ]; + maintainers = with maintainers; [ fkautz jk ]; }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8cc10b9cec1b..d89f67e3abbe 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -830,8 +830,9 @@ with pkgs; writeDarwinBundle = callPackage ../build-support/make-darwin-bundle/write-darwin-bundle.nix { }; - desktopToDarwinBundle = makeSetupHook { deps = [ writeDarwinBundle imagemagick ]; } - ../build-support/setup-hooks/desktop-to-darwin-bundle.sh; + desktopToDarwinBundle = makeSetupHook { + deps = [ writeDarwinBundle librsvg imagemagick python3Packages.icnsutil ]; + } ../build-support/setup-hooks/desktop-to-darwin-bundle.sh; keepBuildTree = makeSetupHook { } ../build-support/setup-hooks/keep-build-tree.sh; @@ -33025,6 +33026,8 @@ with pkgs; dell-530cdn = callPackage ../misc/drivers/dell-530cdn {}; + dockutil = callPackage ../os-specific/darwin/dockutil { }; + dosbox = callPackage ../applications/emulators/dosbox { }; dosbox-staging = callPackage ../applications/emulators/dosbox-staging { }; diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index d92928f96f82..baa3553cac97 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -3912,6 +3912,8 @@ in { icmplib = callPackage ../development/python-modules/icmplib { }; + icnsutil = callPackage ../development/python-modules/icnsutil { }; + ics = callPackage ../development/python-modules/ics { }; idasen = callPackage ../development/python-modules/idasen { };