diff --git a/.github/workflows/buildwheel.yml b/.github/workflows/buildwheel.yml
index 7925f437..efb69176 100644
--- a/.github/workflows/buildwheel.yml
+++ b/.github/workflows/buildwheel.yml
@@ -2,6 +2,13 @@ name: Build
 on: [push, pull_request]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
 env:
 # These four values need to be kept in sync. Each pyodide version pins an
 # emscripten version and a CPython version.
@@ -62,23 +69,25 @@ jobs:
 cibw_platform: pyodide
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - if: ${{ matrix.kind == 'native' }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 # -------------- Windows stuff ---------------- #
 - if: ${{ matrix.os == 'windows-2022' }}
- uses: msys2/setup-msys2@v2.31.0
+ uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0
 with:
 msystem: ucrt64
 update: true
 - if: ${{ matrix.os == 'windows-11-arm' }}
- uses: msys2/setup-msys2@v2.31.0
+ uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2.31.0
 with:
 msystem: clangarm64
 update: true
@@ -92,7 +101,7 @@ jobs:
 # This is probably something to do with \ vs / in paths...
 - if: ${{ startsWith( matrix.os , 'windows' ) }}
 run: |
- $pkgConfigPath = "${{ github.workspace }}/.local/lib/pkgconfig"
+ $pkgConfigPath = "$env:GITHUB_WORKSPACE/.local/lib/pkgconfig"
 $pkgConfigPath = $pkgConfigPath.Replace('\', '/')
 echo "PKG_CONFIG_PATH=$pkgConfigPath" >> $env:GITHUB_ENV
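Review bot: `cancel-in-progress: true` keyed on `github.ref` in the new `concurrency` block also covers the push-to-main runs that this same workflow uses to publish nightly wheels (the nightly job's `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` appears in a later hunk), so a second push landing on `main` while an upload is in flight would cancel it and can leave a partially published nightly. Cancelling superseded runs is only wanted for pull requests and branch pushes, so scope it: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` (or `${{ github.ref != 'refs/heads/main' }}`). Tag pushes get their own `github.ref` and are not affected either way. The rest of this hunk (SHA pins, `persist-credentials: false`, `$env:GITHUB_WORKSPACE` instead of an expression in PowerShell) is sound.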
@@ -107,13 +116,14 @@ jobs:
 - if: ${{ matrix.kind == 'pyodide' }}
 name: Check out Emscripten patches for Pyodide
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: pyodide/pyodide
 ref: ${{ env.PYODIDE_VERSION }}
 path: pyodide-patches
 sparse-checkout: |
 emsdk/patches/
+ persist-credentials: false
 # ------------- actual build ------------- #
@@ -126,7 +136,7 @@ jobs:
 # override setting in pyproject.toml to use msys2 instead of msys64 bash
 CIBW_BEFORE_ALL_WINDOWS: ${{ matrix.os == 'windows-11-arm' && 'msys2 -c bin/cibw_before_all_windows_arm64.sh' || 'msys2 -c bin/cibw_before_all_windows_amd64.sh' }}
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: ${{ matrix.artifact_name }}
 path: wheelhouse/*.whl
@@ -136,9 +146,11 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYODIDE_PYTHON_VERSION }}
@@ -146,7 +158,7 @@ jobs:
 - run: pip install build
 - run: python -m build --sdist
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 with:
 name: sdist
 path: dist/*.tar.gz
@@ -155,6 +167,7 @@ jobs:
 needs: build_wheels
 name: Test ${{ matrix.python-version }} wheel on ${{ matrix.os }}
 runs-on: ${{ matrix.os }}
+ permissions: {}
 strategy:
 fail-fast: false
 matrix:
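Review bot: The second checkout in the first hunk pulls `emsdk/patches/` from the third-party `pyodide/pyodide` repository at `ref: ${{ env.PYODIDE_VERSION }}`, which, if it holds a version tag as the `env` comment in the first hunk of this file suggests, is a mutable reference: unlike the action references this commit pins to commit SHAs, a tag can be re-pointed, so the content that lands in `pyodide-patches` is not fixed by the workflow. Pin the checkout to the commit that the release tag resolves to and keep the version in a comment, e.g. `ref: <commit-sha>  # pyodide ${{ env.PYODIDE_VERSION }}`, so the patches get the same immutability as the actions. The `persist-credentials: false` on that checkout is correct, since nothing later in the file pushes to that path.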
@@ -176,11 +189,11 @@ jobs:
 python-version: pypy3.11
 steps:
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 allow-prereleases: true
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 path: wheelhouse
 merge-multiple: true
@@ -200,20 +213,21 @@ jobs:
 needs: build_wheels
 name: Test Pyodide wheel
 runs-on: ubuntu-22.04
+ permissions: {}
 steps:
- - uses: actions/setup-python@v6
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ env.PYODIDE_PYTHON_VERSION }}
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: '22'
 - run: pip install pyodide-build
- - run: pyodide xbuildenv install "${{ env.PYODIDE_VERSION }}"
+ - run: pyodide xbuildenv install "$PYODIDE_VERSION"
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: wheels-pyodide
 path: wheelhouse
@@ -234,8 +248,10 @@ jobs:
 matrix:
 os: [ubuntu-24.04]
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: sudo apt-get update
@@ -247,8 +263,10 @@ jobs:
 name: Test docs (build and doctest)
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: bin/install_latest_flint_ubuntu.sh
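Review bot: In the `Test Pyodide wheel` hunk, `pip install pyodide-build` still fetches whatever the latest PyPI release is, with no version or hash, so after SHA-pinning every action and pinning `pyodide xbuildenv install "$PYODIDE_VERSION"` this line remains the one unpinned third-party package pulled in at run time by that job. The exposure is limited because the job now has `permissions: {}` and uses no secrets, but a pinned `pip install pyodide-build==<x.y.z>` (or a `--require-hashes` requirements file) would make the test environment as reproducible as the rest of the workflow. That line is context here rather than changed by this commit, so this is a follow-up rather than a defect in the change.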
@@ -262,8 +280,10 @@ jobs:
 name: 'Test old Cython/meson-python'
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: sudo apt-get update
@@ -289,11 +309,15 @@ jobs:
 # Supported Flint versions:
 flint-tag: ['v3.0.1', 'v3.1.3-p1', 'v3.2.2', 'v3.3.1']
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
- - run: bin/install_flint_ubuntu.sh ${{ matrix.flint-tag }}
+ - env:
+ FLINT_TAG: ${{ matrix.flint-tag }}
+ run: bin/install_flint_ubuntu.sh "$FLINT_TAG"
 - run: pip install .
 - run: python -m flint.test --verbose
@@ -302,8 +326,10 @@ jobs:
 name: Test flint main Linux x86-64
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: bin/install_flint_ubuntu.sh main
@@ -316,8 +342,10 @@ jobs:
 name: Test flint main Linux ARM
 runs-on: ubuntu-24.04-arm
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: bin/install_flint_ubuntu.sh main
@@ -330,8 +358,10 @@ jobs:
 name: Test coverage setuptools build
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: sudo apt-get update
@@ -344,8 +374,10 @@ jobs:
 name: Test coverage meson build
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.12' # does not work with 3.13
 - run: sudo apt-get update
@@ -362,15 +394,19 @@ jobs:
 matrix:
 sympy-version: ['1.13.1', '1.14.0']
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: sudo apt-get update
 - run: sudo apt-get install libflint-dev
 - run: pip install .
 - run: pip install pytest pytest-xdist hypothesis
- - run: pip install sympy==${{ matrix.sympy-version }}
+ - env:
+ SYMPY_VERSION: ${{ matrix.sympy-version }}
+ run: pip install "sympy==$SYMPY_VERSION"
 - run: python -c 'import sympy; sympy.test(parallel=True)'
 # Run SymPy master branch agains python-flint main
@@ -378,8 +414,10 @@ jobs:
 name: Test SymPy master
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v6.0.2
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: '3.13'
 - run: sudo apt-get update
@@ -400,11 +438,12 @@ jobs:
 # Run on push/merge to main
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
+ permissions: {}
 steps:
 # Downloads all artifacts
 - name: Download release artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 path: wheelhouse
 merge-multiple: true
@@ -418,7 +457,7 @@ jobs:
 artifacts_path: dist
 # This token is generated from anaconda.org
 # https://github.com/scientific-python/upload-nightly-action/issues/111
- anaconda_nightly_upload_token: ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }}
+ anaconda_nightly_upload_token: ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }} # zizmor: ignore[secrets-outside-env]
 # Deploy wheels and sdist to PyPI
@@ -431,13 +470,13 @@ jobs:
 name: pypi
 url: https://pypi.org/p/python-flint
 permissions:
- id-token: write
+ id-token: write # Required for trusted publishing to PyPI via OIDC.
 runs-on: ubuntu-latest
 steps:
 # Downloads all artifacts
 - name: Download release artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 path: wheelhouse
 merge-multiple: true
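Review bot: The `# zizmor: ignore[secrets-outside-env]` added to the `anaconda_nightly_upload_token` line suppresses the finding without recording why it is acceptable; `secrets.ANACONDA_ORG_UPLOAD_TOKEN` is being passed as an input to the upload action (that step's `uses:` line is outside this hunk), so the justification a reader needs is that the action only accepts the token as an input, e.g. `# zizmor: ignore[secrets-outside-env] -- the upload action takes the token as an input, not via env`. With the new `permissions: {}` on that job, this long-lived anaconda.org token is the only credential the job holds, so it is also worth confirming that the upload action is SHA-pinned like the other actions in this commit and that the token is scoped to the nightly channel rather than the whole org. The `id-token: write # Required for trusted publishing to PyPI via OIDC.` comment on the `pypi` job documents that job's only privilege correctly.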
@@ -462,13 +501,15 @@ jobs:
 needs: pypi_release
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: write # Required to create the GitHub release with the gh CLI.
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Download sdist
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: sdist
 path: dist
@@ -476,7 +517,8 @@ jobs:
 - name: Create GitHub release
 env:
 GH_TOKEN: ${{ github.token }}
- run: >
- gh release create ${{ github.ref_name }} dist/*
- --title "python-flint ${{ github.ref_name }}"
- --notes "https://github.com/flintlib/python-flint?tab=readme-ov-file#changelog"
+ REF_NAME: ${{ github.ref_name }}
+ run: |
+ gh release create "$REF_NAME" dist/* \
+ --title "python-flint $REF_NAME" \
+ --notes "https://github.com/flintlib/python-flint?tab=readme-ov-file#changelog"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 235d0f9a..55758fc4 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,17 +2,27 @@ name: Linting
 on: [push, pull_request]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
 jobs:
 lint:
+ name: Lint
 runs-on: ubuntu-latest
 strategy:
 matrix:
 python-version: ["3.12"]
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..d58fd236
--- /dev/null
+++ b/.github/workflows/zizmor.yml
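Review bot: `gh release create "$REF_NAME" dist/*` in the `Create GitHub release` hunk will create the tag named by `$REF_NAME` on the remote if it does not already exist, so if the job's `if:` guard (outside this hunk) ever lets a non-tag ref through, the job's `contents: write` would mint both a tag and a release named after a branch. Adding `--verify-tag` makes gh abort unless the tag is already present: `gh release create "$REF_NAME" dist/* --verify-tag \`. Moving `github.ref_name` into `REF_NAME` and quoting it is the right fix for the expression-injection finding, and `persist-credentials: false` on the checkout is compatible with it because gh authenticates through `GH_TOKEN`, not the checkout's stored git credentials.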
@@ -0,0 +1,29 @@
+name: Zizmor
+
+on: [pull_request, push]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Audit GitHub Actions
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+ with:
+ advanced-security: false
+ annotations: true
+ persona: auditor
+ inputs: .github/workflows/
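Review bot: The zizmor step's inputs are undocumented, and two of them decide what the job can and cannot do: `advanced-security: false` means findings are not uploaded as SARIF to code scanning, which is why the job can run with only `contents: read` and no `security-events: write`, and `persona: auditor` selects zizmor's broadest rule set, so every suppression such as the `# zizmor: ignore[...]` in buildwheel.yml should carry a reason. Add a comment above `with:` along the lines of `# No SARIF upload (so no security-events: write); findings surface as annotations and the step's exit status, so make this check required on main.`. Whether the action fails the job on findings, and whether it needs a token for its online audits, depends on the action's defaults, which are not visible here and are worth confirming before relying on it as a gate.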