From aef2e541c712feb8b0567cd31493f3e69a0fc2e0 Mon Sep 17 00:00:00 2001
From: Steve Downey
Date: Sun, 19 Apr 2026 15:43:26 -0400
Subject: [PATCH] Ratchet all the workflow files
ratchet pin ./.github/dependabot.yml .github/workflows/*
ratchet update ./.github/dependabot.yml .github/workflows/*
---
.github/dependabot.yml | 5 ++--
.github/workflows/ci.yml | 22 ++++++++--------
.github/workflows/codeql.yml | 26 ++++++++++---------
.github/workflows/ossf-scorecard-analysis.yml | 4 +--
.github/workflows/pre-commit-check.yml | 2 +-
.github/workflows/pre-commit.yml | 12 ++++-----
6 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7ce9081d..953448d2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,7 +3,6 @@
 # Please see the documentation for all configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
----
 version: 2
 updates:
 - package-ecosystem: "github-actions"
@@ -21,13 +20,13 @@ updates:
 - "github/*"
 schedule:
 interval: "weekly"
- - package-ecosystem: pip
+ directory: /papers/P2988
 schedule:
 interval: daily
- - package-ecosystem: pip
+ directory: /
 schedule:
 interval: daily
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f001bf37..c226a470 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,8 +15,8 @@ permissions:
 jobs:
 build:
 permissions:
- checks: write # for coverallsapp/github-action to create new checks
- contents: read # for actions/checkout to fetch code
+ checks: write # for coverallsapp/github-action to create new checks
+ contents: read # for actions/checkout to fetch code
 name: ${{ matrix.config.name }}
 runs-on: ubuntu-24.04
 container:
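Review bot: As rendered, the second dependabot.yml hunk removes both `- package-ecosystem: pip` lines and adds `directory: /papers/P2988` and `directory: /` in their place, which would leave two `directory:`/`schedule:` mappings with no enclosing list item and no ecosystem, a configuration Dependabot cannot use. The hunk shows fewer lines than its `-21,13 +20,13` header declares, so whitespace-only lines were probably lost in this rendering and the visible markers may not reflect the real change; please confirm that the committed file still reads `- package-ecosystem: pip` followed by `directory:` for each of the two pip entries before merging. A re-serialiser such as ratchet's should not drop keys, which makes a display artefact the more likely explanation.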
@@ -25,15 +25,15 @@ jobs:
 fail-fast: false
 matrix:
 config:
- - {name: "Ubuntu Clang 21", tag: "clang:21", toolchain: "clang-21", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
- - {name: "Ubuntu Clang 20", tag: "clang:20", toolchain: "clang-20", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+ - {name: "Ubuntu Clang 21", tag: "clang:21", toolchain: "clang-21", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+ - {name: "Ubuntu Clang 20", tag: "clang:20", toolchain: "clang-20", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
 # Note: clang-19 + Asan setup causes errors on some platforms. Temporary skip some checks via .asan_options.
- - {name: "Ubuntu Clang 19", tag: "clang:19", toolchain: "clang-19", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" ", asan_options: "new_delete_type_mismatch=0"}
- - {name: "Ubuntu Clang 18", tag: "clang:18", toolchain: "clang-18", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
- - {name: "Ubuntu Clang 17", tag: "clang:17", toolchain: "clang-17", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
- - {name: "Ubuntu GCC 14", tag: "gcc:14", toolchain: "gcc-14", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan;Gcov\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" ", coverage: true}
- - {name: "Ubuntu GCC 13", tag: "gcc:13", toolchain: "gcc-13", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
- - {name: "Ubuntu GCC 12", tag: "gcc:12", toolchain: "gcc-12", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+ - {name: "Ubuntu Clang 19", tag: "clang:19", toolchain: "clang-19", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" ", asan_options: "new_delete_type_mismatch=0"}
+ - {name: "Ubuntu Clang 18", tag: "clang:18", toolchain: "clang-18", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+ - {name: "Ubuntu Clang 17", tag: "clang:17", toolchain: "clang-17", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+ - {name: "Ubuntu GCC 14", tag: "gcc:14", toolchain: "gcc-14", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan;Gcov\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" ", coverage: true}
+ - {name: "Ubuntu GCC 13", tag: "gcc:13", toolchain: "gcc-13", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+ - {name: "Ubuntu GCC 12", tag: "gcc:12", toolchain: "gcc-12", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" \t-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
 steps:
 - name: Harden the runner (Audit all outbound calls)
 uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
@@ -43,7 +43,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: 'true'
- # If Clang 17, install a newer version of libc++ and libc++abi.
+ # If Clang 17, install a newer version of libc++ and libc++abi.
 - name: Update packages
 run: |
 set -x
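Review bot: Every rewritten matrix entry's `cmake_args` now carries a `\t` escape before `-DCMAKE_PREFIX_PATH`, which in a double-quoted YAML scalar is a literal tab character handed to CMake; the removed lines show ordinary whitespace at that position, so the serialiser most likely turned a stray tab that was already in the string into its visible escape form. The tab is harmless to the shell's word splitting today, but it is invisible intent and easy to miss in a flow-mapping line of this length, so replace `\t` with a single space in all eight entries, e.g. `-DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "`. The `build` job whose `strategy.matrix` this is continues outside the hunk.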
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8cc41161..818009da 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,14 +49,14 @@ jobs:
 include:
 - language: actions
 build-mode: none
- # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
- # Use `c-cpp` to analyze code written in C, C++ or both
- # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
- # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
- # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
- # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
- # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
- # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Harden the runner (Audit all outbound calls)
 uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
@@ -85,16 +85,17 @@ jobs:
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
- # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- # queries: security-extended,security-and-quality
- # If the analyze step fails for one of the languages you are analyzing with
 # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
 # to build your code.
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 - if: matrix.build-mode == 'manual'
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+ shell: bash
 run: |
 echo 'If you are using a "manual" build mode for one or more of the' \
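Review bot: The `# For more details on CodeQL's query packs …` and `# queries: security-extended,security-and-quality` comments now sit inside the manual-build step, directly above the added `shell: bash`, where they describe nothing: they are the template's hint for the init step's `with:` block, which is what the preceding `# By default, queries listed here …` and `# Prefix the list here with "+" …` lines introduce. The serialiser appears to have reattached them to the wrong node, and the `# If the analyze step fails …` line was dropped from the second paragraph in the same way, so its remaining lines no longer read as one sentence. Move the two query-pack lines back under `# Prefix the list here with "+" …` and restore `# If the analyze step fails for one of the languages you are analyzing with` above `# "We were unable to automatically build your code" …`, so that anyone enabling the extended security queries finds the hint where `queries:` would go. The `if: matrix.build-mode == 'manual'` guard is still present as context, so the `exit 1` step stays conditional; the hunk shows fewer lines than its header declares, so blank lines may be missing from this rendering, and the step's `run:` script continues outside the hunk.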
@@ -102,9 +103,10 @@ jobs:
 'your code, for example:'
 echo ' make bootstrap'
 echo ' make release'
- exit 1
+ exit 1
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/ossf-scorecard-analysis.yml b/.github/workflows/ossf-scorecard-analysis.yml
index 24b06dfe..c37a4bc5 100644
--- a/.github/workflows/ossf-scorecard-analysis.yml
+++ b/.github/workflows/ossf-scorecard-analysis.yml
@@ -3,10 +3,10 @@ on:
 push:
 # Only the default branch is supported.
 branches:
- - main
+ - main
 schedule:
 # Weekly on Saturdays.
- - cron: '30 1 * * 6'
+ - cron: '30 1 * * 6'
 permissions: read-all
diff --git a/.github/workflows/pre-commit-check.yml b/.github/workflows/pre-commit-check.yml
index 69e5efe3..33e89acd 100644
--- a/.github/workflows/pre-commit-check.yml
+++ b/.github/workflows/pre-commit-check.yml
@@ -15,4 +15,4 @@ jobs:
 checks: write
 issues: write
 pull-requests: write
- uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.5.1
+ uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@4dff6993ff88c5f946e371f5cdbeca8340fdb49d # ratchet:bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.5.1
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index dacb334b..645dc98d 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -31,10 +31,10 @@ jobs:
 with:
 python-version: 3.13
- # We wish to run pre-commit on all files instead of the changes
- # only made in the push commit.
- #
- # So linting error persists when there's formatting problem.
+ # We wish to run pre-commit on all files instead of the changes
+ # only made in the push commit.
+ #
+ # So linting error persists when there's formatting problem.
 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 pre-commit-pr:
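Review bot: The added `category: "/language:${{matrix.language}}"` on the analyze step is the right fix for a matrix that runs CodeQL once per language, since the category is what keeps the per-language uploads for one commit from overwriting each other; only its expression spacing differs from the `${{ matrix.config.name }}` form used in ci.yml, so prefer `category: "/language:${{ matrix.language }}"`. The `with:` key is shown as context with no child on the old side, and the hunk renders fewer lines than its header declares, so blank lines were probably lost here; confirm in the committed file that `category` ends up indented under `with:` rather than after it. The `analyze` job's header is outside the hunk.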
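Review bot: Pinning the reusable workflow to commit `4dff6993ff88c5f946e371f5cdbeca8340fdb49d` while keeping the tag in the `# ratchet:` trailer is the right direction, because a tag can be moved after the fact and a commit hash cannot, but the trailer is only a label: the hash should be checked once against the `1.5.1` tag in bemanproject/infra-workflows at pin time, since nothing in the workflow enforces that they agree. The other `uses:` lines in these files carry the `# vX.Y.Z` comment form (`# v3.0.1`, `# v4.35.2`, `# v2.18.0`), so the repository now mixes two pin-comment conventions; it is worth confirming that the Dependabot `github-actions` updater configured in dependabot.yml rewrites the `# ratchet:` trailer along with the hash when it bumps this entry, otherwise the trailer will drift from the pinned commit after the first update. The `pre-commit-check` job's header and `permissions:` block start outside the hunk.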
@@ -69,7 +69,7 @@ jobs:
 with:
 python-version: 3.13
- # we only lint on the changed file in PR.
+ # we only lint on the changed file in PR.
 - name: Get Changed Files
 id: changed-files
 uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47.0.5
@@ -79,7 +79,7 @@ jobs:
 with:
 extra_args: --files ${{ steps.changed-files.outputs.all_changed_files }}
- # Review dog posts the suggested change from pre-commit to the pr.
+ # Review dog posts the suggested change from pre-commit to the pr.
 - name: suggester / pre-commit
 uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff #v1.24.0
 if: ${{ failure() && steps.run-pre-commit.conclusion == 'failure' }}