diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 08c3106..7ce9081 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,3 +21,13 @@ updates: - "github/*" schedule: interval: "weekly" + + - package-ecosystem: pip + directory: /papers/P2988 + schedule: + interval: daily + + - package-ecosystem: pip + directory: / + schedule: + interval: daily diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 31c1dbb..3fa22b1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,8 +11,14 @@ on: permissions: contents: read +permissions: + contents: read + jobs: build: + permissions: + checks: write # for coverallsapp/github-action to create new checks + contents: read # for actions/checkout to fetch code name: ${{ matrix.config.name }} runs-on: ubuntu-24.04 container: @@ -31,7 +37,12 @@ jobs: - {name: "Ubuntu GCC 13", tag: "gcc:13", toolchain: "gcc-13", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "} - {name: "Ubuntu GCC 12", tag: "gcc:12", toolchain: "gcc-12", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "} steps: - - uses: actions/checkout@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: submodules: 'true' # If Clang 17, install a newer version of libc++ and libc++abi. @@ -104,7 +115,7 @@ jobs: cmake --build .build --config Gcov --target process_coverage -- -k 0 - name: Coveralls if: matrix.config.coverage - uses: coverallsapp/github-action@main + uses: coverallsapp/github-action@ba6dae83310bbd6d33ff77092650dc40bd444a2a # main with: file: .build/coverage.json github-token: ${{ secrets.GITHUB_TOKEN }} 
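Review bot: The two new pip entries write `interval: daily` as a plain scalar while the existing entry directly above them keeps `interval: "weekly"`, so the `updates` list now mixes quoting styles; use `interval: "daily"` in both new entries. Two pip manifests polled daily can generate a steady stream of PRs, so an `open-pull-requests-limit:` on each entry may be wanted — that is a judgement call, not a defect.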
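Review bot: The added top-level `permissions:` / `contents: read` block in ci.yml is inserted directly below an identical `permissions:` / `contents: read` block that is already present in the context lines, so the workflow now has a duplicate top-level mapping key; duplicate keys are invalid YAML and, where a parser tolerates them, resolve silently to last-wins. Drop the three added lines (`+permissions:`, `+  contents: read`, the blank) and keep the existing block. The job-level `checks: write` / `contents: read` added on `build` is fine and correctly scopes what the coverage step needs.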
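Review bot: `egress-policy: audit` only records outbound calls and blocks none, so the harden-runner step in the `build` job is observational until the policy is moved to `block` with an `allowed-endpoints:` list built from the audit output; the same applies to every other harden-runner step in this commit (ci.yml @@ -118, codeql.yml, doxygen-gh-pages.yml, ossf-scorecard-analysis.yml, pre-commit.yml @@ -15 and @@ -41). The `build` job also runs under `container:` (visible in the earlier ci.yml hunk); confirm that harden-runner monitors container jobs on this runner image, otherwise this step records nothing for the job it is meant to cover. The checkout pin `8e8c483… # v6.0.1` matches the one already used in ossf-scorecard-analysis.yml, which keeps Dependabot updates to a single bump.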
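Review bot: The coveralls pin annotates its SHA with `# main`, so a reader has no release to compare the hash against and Dependabot cannot map the pin back to a tag when proposing an update. If the commit corresponds to a published release, name that tag in the comment (`# vX.Y.Z` — placeholder, check the upstream tags); if it does not, say so in the comment so the next bump is reviewed against the branch history deliberately. Replacing the floating `@main` with a hash is still the right change.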
@@ -118,7 +129,12 @@ jobs: issues: write steps: # See https://github.com/cli/cli/issues/5075 - - uses: actions/checkout@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Create issue run: | issue_num=$(gh issue list -s open -S "[SCHEDULED-BUILD] Build & Test failure" -L 1 --json number | jq 'if length == 0 then -1 else .[0].number end') diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a1ac81b..9bad9d7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -58,6 +58,11 @@ jobs: # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: diff --git a/.github/workflows/doxygen-gh-pages.yml b/.github/workflows/doxygen-gh-pages.yml index 8b107a3..d8cb6fe 100644 --- a/.github/workflows/doxygen-gh-pages.yml +++ b/.github/workflows/doxygen-gh-pages.yml 
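Review bot: codeql.yml keeps `actions/checkout@08c6903… # v5.0.0` immediately after the new harden-runner step, while every other workflow touched by this commit moves checkout to `8e8c483… # v6.0.1`; bump this one to the same pin so one Dependabot update covers all workflows: `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`. The harden-runner step itself is consistent with the rest of the change.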
@@ -6,13 +6,21 @@ on: - main - doxify +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest permissions: contents: write steps: - - uses: DenverCoder1/doxygen-github-pages-action@v2.0.0 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - uses: DenverCoder1/doxygen-github-pages-action@a30f9538f8ef1305aeceb563018f452c7a62d200 # v2.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} branch: gh-pages diff --git a/.github/workflows/ossf-scorecard-analysis.yml b/.github/workflows/ossf-scorecard-analysis.yml index 0c0ba08..644ba49 100644 --- a/.github/workflows/ossf-scorecard-analysis.yml +++ b/.github/workflows/ossf-scorecard-analysis.yml @@ -21,6 +21,11 @@ jobs: id-token: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml index 6809c36..4f02dac 100644 --- a/.github/workflows/pre-commit-update.yml +++ b/.github/workflows/pre-commit-update.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 16 * * 0" +permissions: + contents: read + jobs: auto-update-pre-commit: permissions: diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 8dd28a3..4501740 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -5,6 +5,9 @@ on: pull_request: push: +permissions: + contents: read + jobs: pre-commit-push: name: Pre-Commit check on Push 
@@ -15,11 +18,16 @@ jobs: contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: 3.13 @@ -27,7 +35,7 @@ jobs: # only made in the push commit. # # So linting error persists when there's formatting problem. - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 pre-commit-pr: name: Pre-Commit check on PR @@ -41,8 +49,13 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # pull_request_target checkout the base of the repo # We need to checkout the actual pr to lint the changes. @@ -52,16 +65,16 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: 3.13 # we only lint on the changed file in PR. - name: Get Changed Files id: changed-files - uses: step-security/changed-files@v46 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 id: run-pre-commit with: extra_args: --files ${{ steps.changed-files.outputs.all_changed_files }}
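Review bot: The `pre-commit-pr` job holds `pull-requests: write`, the context comments say it checks out the actual PR head rather than the base, and the later hunk shows `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` handed to a step; pre-commit runs the hooks declared in the checked-out `.pre-commit-config.yaml`, so PR-authored code executes in a job carrying a write-scoped token, and the harden-runner step added here in `audit` mode only logs that job's outbound traffic rather than containing it. For this job in particular prefer `egress-policy: block` with an explicit `allowed-endpoints:` list, or split the write-scoped step off so the step that runs hooks carries only `contents: read`. The trigger (presumably `pull_request_target`, inferred from the comment) and the PR-checkout step are outside this hunk.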