Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,3 +62,18 @@ updates:
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]

# Go (gomod) - security updates only. Watches the Go module that was
# previously uncovered (its transitive tree had accumulated advisories).
- package-ecosystem: "gomod"
directory: "/go/pecos"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
groups:
go-security:
applies-to: security-updates
patterns: ["*"]
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
5 changes: 5 additions & 0 deletions .github/workflows/cargo-deny.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,11 @@ jobs:
build-mode: none

steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/cuda-build-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ jobs:
cuda-build-check:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -104,6 +109,11 @@ jobs:
cuda-testing-info:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: CUDA Testing Requirements
run: |
echo "=============================================="
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/dependency-integrity-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,11 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/github-actions-security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,11 @@ jobs:
contents: read
actions: read
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/go-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,12 @@ jobs:
go-version: ["stable"] # Latest stable (experimental bindings)

steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/go-version-consistency.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@ jobs:
check-go-versions:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
27 changes: 27 additions & 0 deletions .github/workflows/julia-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,11 @@ jobs:
outputs:
run: ${{ steps.check.outputs.run }}
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Check if should run on PR push
id: check
env:
Expand Down Expand Up @@ -104,6 +109,12 @@ jobs:
architecture: x86_64

steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -267,6 +278,12 @@ jobs:
os: macos-latest
architecture: aarch64
steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -346,6 +363,11 @@ jobs:
needs.test_binaries.result == 'success'
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -475,6 +497,11 @@ jobs:
needs.test_binaries.result == 'success'
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.sha || github.sha }}
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/julia-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,12 @@ jobs:
julia-version: ["1"] # Latest stable (experimental bindings)

steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/julia-update-hash.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,11 @@ jobs:
pull-requests: write

steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/julia-version-consistency.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@ jobs:
check-julia-versions:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
32 changes: 32 additions & 0 deletions .github/workflows/python-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,11 @@ jobs:
outputs:
run: ${{ steps.check.outputs.run }}
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Check if should run on PR push
id: check
env:
Expand Down Expand Up @@ -122,6 +127,12 @@ jobs:
install_cuda: true

steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -371,6 +382,12 @@ jobs:
os: macos-15
architecture: aarch64
steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -434,6 +451,11 @@ jobs:
needs.build_wheelspecos_rslib.result == 'success'
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -488,6 +510,11 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -543,6 +570,11 @@ jobs:
needs.test_abi3_wheels.result == 'success'
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Create distribution directories
run: |
mkdir -p dist/pecos-rslib
Expand Down
12 changes: 12 additions & 0 deletions .github/workflows/python-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,12 @@ jobs:
python-version: "3.14"

steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Free Disk Space (Ubuntu)
if: runner.os == 'Linux'
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
Expand Down Expand Up @@ -243,6 +249,12 @@ jobs:
runs-on: windows-2022
timeout-minutes: 45
steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/python-version-consistency.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ jobs:
check_python_workspace:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
Expand Down
21 changes: 21 additions & 0 deletions .github/workflows/rust-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ jobs:
rust-lint:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -106,6 +111,11 @@ jobs:
rust-lint-no-llvm:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -139,6 +149,11 @@ jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down Expand Up @@ -168,6 +183,12 @@ jobs:
os: [ubuntu-latest, macos-latest, windows-2022]

steps:
- name: Harden the runner (egress audit)
if: runner.os == 'Linux'
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/rust-version-consistency.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,11 @@ jobs:
check_rust_versions:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (egress audit)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
Expand Down
Loading
Loading