Skip to content

v0.8.0

Latest

Choose a tag to compare

@mmcky mmcky released this 16 Jun 10:32
fcb6116

Fixed

  • restore-jupyter-cache: Read-only restore no longer uses a fake -00000000 primary key that
    could never match; it now uses the content/env prefix directly, so the logged "Requested Key" is
    honest (behaviour unchanged — restore still falls through to prefix matching). (#34, H4)
  • CI: Container test workflows (test-container.yml, test-containers-lectures.yml) now check
    out the commit that built the image (workflow_run.head_sha, falling back to github.sha)
    instead of the default branch, so tests run against the matching commit. (#37, M11/M12)
  • build-jupyter-cache: Internal sibling action calls are pinned from @main to @v0, so a
    pinned build-jupyter-cache no longer transitively executes unreleased main code. (Relative
    ./ paths can't be used — in a composite action they resolve against the consumer's workspace,
    not this repo.) (#38, H8)
  • publish-gh-pages: Release tarball is written to $RUNNER_TEMP (outside build-dir) so the
    archive can't recurse into itself (#38, M15); create-release-assets now skips off-tag and fails
    fast when github-token is missing, instead of erroring mid-upload (#38, M16).
  • build-lectures: The build command no longer uses eval; it invokes jb build directly with
    the source/output directories passed via env and quoted, so paths with spaces/metacharacters are
    handled safely. The output-dir default changed from ./ to . (drops the .//_build
    double-slash). extra-args is still word-split (documented in the step). (#36, M10/L17/L22)
  • setup-environment: Fixed standard-mode (non-container) Conda caching — the env was restored
    from cache and then recreated unconditionally by setup-miniconda, so the cache saved
    nothing. It now restores the cached env (${CONDA}/envs, keyed by env name + Python version +
    environment.yml hash) and runs conda env update --prune only when there's no exact cache hit
    (a miss or a restore-keys partial match); dropped the deprecated use-only-tar-bz2. The
    environment.yml is validated up front, missing LaTeX requirements now error instead of silently
    skipping (broken env later), and the cache-version input documents that it is standard-mode only
    (no effect in container mode). (#33, C3/L19/L23)

Changed

  • restore-jupyter-cache: Documented the optional save-cache input (PR-scoped saving) and
    clarified the path constraint (must match where build-lectures reads, _build) across the
    README and docs/QUICK-REFERENCE.md; the docs no longer claim the action is strictly read-only.
    (#34, H5/L21)
  • Docs: Documented that the build-cache key is intentionally environment-only (warm-start
    baseline; freshness handled by jupyter-cache + Sphinx incremental + the weekly cold rebuild) in
    the cache action READMEs and docs/ARCHITECTURE.md. (#34, H6)
  • build-jupyter-cache: The _build artifact is now uploaded only when a build fails (for
    debugging), instead of duplicating the cached _build into a 30-day artifact on every successful
    run. (#38, M14)
  • Containers: Pinned Miniconda in the full quantecon image to a specific version + SHA256
    (matching the lean quantecon-build image) for supply-chain security and reproducibility, and
    added apt-get clean for image-size parity. (#32, C2/L20)
  • Containers: Capped nodejs at the current LTS (>=20,<25, i.e. ≤ node 24) in both container
    environments, and added a matching Dependabot ignore (node ≥ 25), excluding the non-LTS node 25
    line that Dependabot's <26 proposal would have allowed.
  • preview-netlify / preview-cloudflare: De-duplicated the change-detection logic into a shared
    scripts/detect-changed-lectures.sh, and made it treat lectures-dir as a literal path instead
    of a regex (a dir name with ./+ etc. no longer misbehaves). The per-file "has changes" test
    now uses git diff --quiet rather than parsing diff text, fixing a pre-existing edge case where a
    file whose only changes were ---/+++-style lines (e.g. front-matter delimiters) was wrongly
    excluded. (#35, M9/H7)

Security

  • preview-netlify / preview-cloudflare: PR-controlled values (changed file paths, deploy URL)
    are now passed to the github-script PR-comment step via env and read from process.env
    instead of being interpolated into the script body, closing a script-injection vector. (#35, N2)
  • CI: SHA-pinned the third-party GitHub Actions (docker/*, softprops/action-gh-release,
    conda-incubator/setup-miniconda) to full commit SHAs (with a # vN comment), so a hijacked
    upstream tag can't inject code into our workflows. First-party actions/* stay on major tags
    (GitHub-maintained, per GitHub's guidance), and Dependabot keeps the SHA pins current. (#39, L18)

Documentation

  • Swept the docs for stale references and inconsistencies (#40, D24–D34): replaced dead workflow /
    template / file references (containers/VALIDATION.md's fictional builder pipeline → the real
    test-containers-lectures.yml; cache-standard.yml; Dockerfile.gpu / environment-gpu.yml);
    corrected the container sizes from measured values (lean ~7.1 GB / full ~8.3 GB on disk, ~2.9 /
    ~3.2 GB compressed pull — the old docs mixed compressed and on-disk metrics) across README /
    ARCHITECTURE / CONTAINER-GUIDE and documented the lean image in the Container Guide; refreshed the
    README status line and switched its usage examples from @main to @v0; documented
    failure-artifact-name in QUICK-REFERENCE; clarified in MIGRATION-GUIDE that the container
    workflow is the recommended path; replaced the README "Usage by Repository" list with a pointer to
    QuantEcon/meta#321; and fixed a mangled code fence
    in TESTING.md.