You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Fixed
restore-jupyter-cache: Read-only restore no longer uses a fake -00000000 primary key that
could never match; it now uses the content/env prefix directly, so the logged "Requested Key" is
honest (behaviour unchanged — restore still falls through to prefix matching). (#34, H4)
CI: Container test workflows (test-container.yml, test-containers-lectures.yml) now check
out the commit that built the image (workflow_run.head_sha, falling back to github.sha)
instead of the default branch, so tests run against the matching commit. (#37, M11/M12)
build-jupyter-cache: Internal sibling action calls are pinned from @main to @v0, so a
pinned build-jupyter-cache no longer transitively executes unreleased main code. (Relative ./ paths can't be used — in a composite action they resolve against the consumer's workspace,
not this repo.) (#38, H8)
publish-gh-pages: Release tarball is written to $RUNNER_TEMP (outside build-dir) so the
archive can't recurse into itself (#38, M15); create-release-assets now skips off-tag and fails
fast when github-token is missing, instead of erroring mid-upload (#38, M16).
build-lectures: The build command no longer uses eval; it invokes jb build directly with
the source/output directories passed via env and quoted, so paths with spaces/metacharacters are
handled safely. The output-dir default changed from ./ to . (drops the .//_build
double-slash). extra-args is still word-split (documented in the step). (#36, M10/L17/L22)
setup-environment: Fixed standard-mode (non-container) Conda caching — the env was restored
from cache and then recreated unconditionally by setup-miniconda, so the cache saved
nothing. It now restores the cached env (${CONDA}/envs, keyed by env name + Python version + environment.yml hash) and runs conda env update --prune only when there's no exact cache hit
(a miss or a restore-keys partial match); dropped the deprecated use-only-tar-bz2. The environment.yml is validated up front, missing LaTeX requirements now error instead of silently
skipping (broken env later), and the cache-version input documents that it is standard-mode only
(no effect in container mode). (#33, C3/L19/L23)
Changed
restore-jupyter-cache: Documented the optional save-cache input (PR-scoped saving) and
clarified the path constraint (must match where build-lectures reads, _build) across the
README and docs/QUICK-REFERENCE.md; the docs no longer claim the action is strictly read-only.
(#34, H5/L21)
Docs: Documented that the build-cache key is intentionally environment-only (warm-start
baseline; freshness handled by jupyter-cache + Sphinx incremental + the weekly cold rebuild) in
the cache action READMEs and docs/ARCHITECTURE.md. (#34, H6)
build-jupyter-cache: The _build artifact is now uploaded only when a build fails (for
debugging), instead of duplicating the cached _build into a 30-day artifact on every successful
run. (#38, M14)
Containers: Pinned Miniconda in the full quantecon image to a specific version + SHA256
(matching the lean quantecon-build image) for supply-chain security and reproducibility, and
added apt-get clean for image-size parity. (#32, C2/L20)
Containers: Capped nodejs at the current LTS (>=20,<25, i.e. ≤ node 24) in both container
environments, and added a matching Dependabot ignore (node ≥ 25), excluding the non-LTS node 25
line that Dependabot's <26 proposal would have allowed.
preview-netlify / preview-cloudflare: De-duplicated the change-detection logic into a shared scripts/detect-changed-lectures.sh, and made it treat lectures-dir as a literal path instead
of a regex (a dir name with ./+ etc. no longer misbehaves). The per-file "has changes" test
now uses git diff --quiet rather than parsing diff text, fixing a pre-existing edge case where a
file whose only changes were ---/+++-style lines (e.g. front-matter delimiters) was wrongly
excluded. (#35, M9/H7)
Security
preview-netlify / preview-cloudflare: PR-controlled values (changed file paths, deploy URL)
are now passed to the github-script PR-comment step via env and read from process.env
instead of being interpolated into the script body, closing a script-injection vector. (#35, N2)
CI: SHA-pinned the third-party GitHub Actions (docker/*, softprops/action-gh-release, conda-incubator/setup-miniconda) to full commit SHAs (with a # vN comment), so a hijacked
upstream tag can't inject code into our workflows. First-party actions/* stay on major tags
(GitHub-maintained, per GitHub's guidance), and Dependabot keeps the SHA pins current. (#39, L18)
Documentation
Swept the docs for stale references and inconsistencies (#40, D24–D34): replaced dead workflow /
template / file references (containers/VALIDATION.md's fictional builder pipeline → the real test-containers-lectures.yml; cache-standard.yml; Dockerfile.gpu / environment-gpu.yml);
corrected the container sizes from measured values (lean ~7.1 GB / full ~8.3 GB on disk, ~2.9 /
~3.2 GB compressed pull — the old docs mixed compressed and on-disk metrics) across README /
ARCHITECTURE / CONTAINER-GUIDE and documented the lean image in the Container Guide; refreshed the
README status line and switched its usage examples from @main to @v0; documented failure-artifact-name in QUICK-REFERENCE; clarified in MIGRATION-GUIDE that the container
workflow is the recommended path; replaced the README "Usage by Repository" list with a pointer to QuantEcon/meta#321; and fixed a mangled code fence
in TESTING.md.