diff --git a/.github/actions/downstream-test/action.yml b/.github/actions/downstream-test/action.yml index 2d99a711b3..49da331273 100644 --- a/.github/actions/downstream-test/action.yml +++ b/.github/actions/downstream-test/action.yml @@ -23,6 +23,10 @@ inputs: arch: description: Architecture identifier (e.g. amd64/aarch64) required: true + github_token: + description: Token used only for querying GraalPy CE dev-build releases on macOS + required: false + default: "" runs: using: composite @@ -46,28 +50,26 @@ runs: - name: Install Rust toolchain if: ${{ inputs.needs_rust == 'true' }} - shell: bash - run: | - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y - echo "${HOME}/.cargo/bin" >> $GITHUB_PATH + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable + with: + toolchain: stable - name: Install uv if: ${{ inputs.needs_uv == 'true' }} - shell: bash - run: | - curl -LsSf https://astral.sh/uv/install.sh | sh - echo "$HOME/.local/bin" >> $GITHUB_PATH + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Get GraalPy CE dev build if: ${{ inputs.platform == 'macos' }} shell: bash + env: + GITHUB_TOKEN: ${{ inputs.github_token }} run: | tarball="$(curl -sH "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/graalvm/graalvm-ce-dev-builds/releases/latest" | jq -r --arg platform "${{ inputs.platform }}" --arg arch "${{ inputs.arch }}" 'first(.assets[] | select(.name | test("^graalpy[0-9.]+-community-dev-\($platform)-\($arch)\\.(tar\\.gz|zip)$")) | .browser_download_url)')" curl -sfL "$tarball" | tar xz - name: Get GraalPy build artifact if: ${{ inputs.platform == 'linux' }} - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: graalpy-native-standalonelinux path: graalpynative diff --git a/.github/scripts/set-export b/.github/scripts/set-export index 241c444a74..86e214445f 100755 
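Review bot: The rewritten `Get GraalPy CE dev build` step still splices `${{ inputs.platform }}` and `${{ inputs.arch }}` straight into the `run:` script, while the same commit moves `inputs.graalpy_url` into `env:` in build-wheels.yml to avoid exactly that; route both through `env:` as well. With the new `github_token` defaulting to `""`, any macOS caller that leaves it unset sends a bare `Authorization: token ` header, and the API `curl` has no `-f`, so an error body (rate limit, bad credentials) is fed to `jq`, `tarball` ends up empty and the failure only surfaces as a confusing download error on the next line. The archive is still extracted without any integrity check; that may be unavoidable for a moving `latest` dev build, but a comment saying so would stop a later reader from assuming it is verified. Suggested shape for the step:
```yaml
- name: Get GraalPy CE dev build
  if: ${{ inputs.platform == 'macos' }}
  shell: bash
  env:
    GITHUB_TOKEN: ${{ inputs.github_token }}
    PLATFORM: ${{ inputs.platform }}
    ARCH: ${{ inputs.arch }}
  run: |
    auth=()
    if [ -n "$GITHUB_TOKEN" ]; then auth=(-H "Authorization: token $GITHUB_TOKEN"); fi
    # NOTE: dev builds are unsigned; no checksum is published for 'latest'
    tarball="$(curl -sfS "${auth[@]}" "https://api.github.com/repos/graalvm/graalvm-ce-dev-builds/releases/latest" | jq -r --arg platform "$PLATFORM" --arg arch "$ARCH" 'first(.assets[] | select(.name | test("^graalpy[0-9.]+-community-dev-\($platform)-\($arch)\\.(tar\\.gz|zip)$")) | .browser_download_url)')"
    [ -n "$tarball" ] || { echo "no GraalPy dev build asset for $PLATFORM/$ARCH" >&2; exit 1; }
    curl -sfL "$tarball" | tar xz
```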
--- a/.github/scripts/set-export +++ b/.github/scripts/set-export @@ -2,9 +2,47 @@ VAR_NAME="$1" ARTIFACT_PATH="$2" -REAL_PATH=$(eval echo $ARTIFACT_PATH) -if [ -d "$REAL_PATH" ]; then +expand_env_vars() { + local input="$1" + local output="" + local prefix suffix var_name + + while [[ "$input" == *'$'* ]]; do + prefix="${input%%\$*}" + suffix="${input#*\$}" + output+="$prefix" + + if [[ "$suffix" =~ ^\{([A-Za-z_][A-Za-z0-9_]*)\}(.*)$ ]]; then + var_name="${BASH_REMATCH[1]}" + output+="${!var_name-}" + input="${BASH_REMATCH[2]}" + elif [[ "$suffix" =~ ^([A-Za-z_][A-Za-z0-9_]*)(.*)$ ]]; then + var_name="${BASH_REMATCH[1]}" + output+="${!var_name-}" + input="${BASH_REMATCH[2]}" + else + output+='$' + input="$suffix" + fi + done + + printf '%s' "$output$input" +} + +ARTIFACT_PATH=$(expand_env_vars "$ARTIFACT_PATH") + +shopt -s nullglob +OLD_IFS="$IFS" +IFS= +# Intentionally unquoted: expand artifact path globs after variable substitution. +# shellcheck disable=SC2206 +MATCHES=( $ARTIFACT_PATH ) +IFS="$OLD_IFS" +shopt -u nullglob + +if [ "${#MATCHES[@]}" -eq 1 ] && [ -d "${MATCHES[0]}" ]; then + REAL_PATH="${MATCHES[0]}" export "$VAR_NAME"="$REAL_PATH" echo "$VAR_NAME"="$REAL_PATH" >> "$GITHUB_ENV" -fi \ No newline at end of file +fi diff --git a/.github/workflows/_downstream-test-common.yml b/.github/workflows/_downstream-test-common.yml index 9bf0ffe8b8..9d97ce7c52 100644 --- a/.github/workflows/_downstream-test-common.yml +++ b/.github/workflows/_downstream-test-common.yml @@ -19,6 +19,10 @@ on: required: false default: false +permissions: + actions: read + contents: read + jobs: downstream: strategy: @@ -33,11 +37,9 @@ jobs: arch: aarch64 runs-on: ${{ matrix.os.id }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run downstream test uses: ./.github/actions/downstream-test 
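Review bot: In the new `set-export`, a glob that resolves to zero or several entries, or to a non-directory, still drops through silently: nothing is exported, nothing is logged and the script exits 0, so a consumer later fails on an unset variable with no pointer back here; add an `else` that prints `set-export: $ARTIFACT_PATH matched ${#MATCHES[@]} entries` to stderr (and exits non-zero unless callers rely on the export being optional). `expand_env_vars` validates the names it dereferences, but `$VAR_NAME` itself is still written unvalidated into `$GITHUB_ENV`; `export` rejects a non-identifier, yet without `set -e` (line 1 is outside the hunk) the `echo >> "$GITHUB_ENV"` still runs, and a name or matched path containing a newline would inject extra assignments. Reuse the function's own regex before exporting, `[[ "$VAR_NAME" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || { echo "set-export: invalid variable name" >&2; exit 1; }`, and consider the `<<EOF` delimiter form for the value if directory names with newlines are possible. Replacing `eval echo` with the explicit expander is a clear win; the function is fully contained in this hunk.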
@@ -48,3 +50,4 @@ jobs: needs_uv: ${{ inputs.needs_uv }} platform: ${{ matrix.os.platform }} arch: ${{ matrix.os.arch }} + github_token: ${{ matrix.os.platform == 'macos' && secrets.GITHUB_TOKEN || '' }} diff --git a/.github/workflows/_downstream-test-oracledb.yml b/.github/workflows/_downstream-test-oracledb.yml index baba0359d0..a7a1737729 100644 --- a/.github/workflows/_downstream-test-oracledb.yml +++ b/.github/workflows/_downstream-test-oracledb.yml @@ -19,15 +19,19 @@ on: required: false default: false +permissions: + actions: read + contents: read + jobs: build-numpy-wheels: runs-on: ubuntu-latest env: PACKAGES_TO_BUILD: numpy==2.2.6 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get GraalPy build artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: graalpy-native-standalonelinux path: graalpynative @@ -46,7 +50,7 @@ jobs: graalpy/bin/pip install wheel graalpy/bin/pip wheel -w wheelhouse "$PACKAGES_TO_BUILD" - name: Store numpy wheels - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: wheels-numpy path: wheelhouse/*.whl @@ -60,14 +64,14 @@ jobs: PIP_FIND_LINKS: ${{ github.workspace }}/dependency-wheels PIP_PREFER_BINARY: "1" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get GraalPy build artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: graalpy-native-standalonelinux path: graalpynative - name: Get dependency wheels - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: wheels-numpy path: dependency-wheels 
@@ -87,7 +91,7 @@ jobs: graalpy/bin/pip install --no-index --find-links dependency-wheels numpy==2.2.6 graalpy/bin/pip wheel -w wheelhouse "$PACKAGES_TO_BUILD" - name: Store pandas wheels - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: wheels-pandas path: wheelhouse/*.whl @@ -101,14 +105,14 @@ jobs: PIP_FIND_LINKS: ${{ github.workspace }}/dependency-wheels PIP_PREFER_BINARY: "1" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get GraalPy build artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: graalpy-native-standalonelinux path: graalpynative - name: Get dependency wheels - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: wheels-numpy path: dependency-wheels @@ -145,7 +149,7 @@ jobs: graalpy/bin/pip install --no-index --find-links dependency-wheels numpy==2.2.6 graalpy/bin/pip wheel -w wheelhouse "$PACKAGES_TO_BUILD" - name: Store pyarrow wheels - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: wheels-pyarrow path: wheelhouse/*.whl @@ -165,7 +169,6 @@ jobs: runs-on: ${{ matrix.os.id }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ORACLE_CLIENT_DIR: /opt/oracle/instantclient PIP_FIND_LINKS: /tmp/oracledb-wheels PIP_PREFER_BINARY: "1" @@ -182,9 +185,9 @@ jobs: - 5500:5500 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get package wheels - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: wheels-* path: /tmp/oracledb-wheels 
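Review bot: The `@@ -165,7 +169,6 @@` hunk drops the job-level `GITHUB_TOKEN` from `test-oracledb`, but the job's steps continue past the end of the hunk, so any later step that reads `$GITHUB_TOKEN` (a `gh` call, a `curl` to api.github.com, or `set-export` expanding `${GITHUB_TOKEN}`) now sees it empty rather than failing loudly. The steps visible here (checkout and `download-artifact` with `pattern: wheels-*`) do not need it, so the removal is right for them; please grep the remainder of the job and, where a step genuinely needs the token, scope it to that step with `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` as the composite action now does. The `5500:5500` port mapping in the context is safe as an unquoted scalar only because the second component is outside the 0–59 sexagesimal range; quoting it as `"5500:5500"` would make that intent explicit.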
diff --git a/.github/workflows/build-website.yml b/.github/workflows/build-website.yml index 5d995d9ac9..cda4b10ed5 100644 --- a/.github/workflows/build-website.yml +++ b/.github/workflows/build-website.yml @@ -31,9 +31,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0 with: ruby-version: '3.2' - name: Install website dependencies @@ -45,7 +45,7 @@ jobs: JEKYLL_ENV: production run: bundle exec jekyll build - name: Upload artifact - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: docs/site/_site @@ -61,4 +61,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/build-wheels.yml b/.github/workflows/build-wheels.yml index ddc253efe2..082afd840c 100644 --- a/.github/workflows/build-wheels.yml +++ b/.github/workflows/build-wheels.yml @@ -23,6 +23,9 @@ name: Build Wheels - self-hosted-macos-aarch64 - self-hosted-windows-amd64 +permissions: + contents: read + jobs: build_wheels: runs-on: >- 
@@ -43,16 +46,16 @@ jobs: steps: - name: Install MSBuild if: contains(inputs.platform, 'windows') - uses: microsoft/setup-msbuild@v1.0.2 + uses: microsoft/setup-msbuild@c26a08ba26249b81327e26f6ef381897b6a8754d # v1.0.2 - name: Install Linux dependencies if: contains(inputs.platform, 'linux') run: dnf install -y epel-release && crb enable && dnf makecache --refresh && dnf module install -y nodejs:18 - - uses: actions/checkout@v6 - - uses: actions-rust-lang/setup-rust-toolchain@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 with: rustflags: "-A warnings -A unexpected-cfgs -A unused-macros -A static-mut-refs -A unused-variables -A unused-imports" cache: false - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 if: ${{ !contains(inputs.platform, 'linux') }} with: python-version: 3.12 @@ -61,12 +64,14 @@ jobs: run: | "C:\Program Files\Git\usr\bin" | Out-File -FilePath "$env:GITHUB_PATH" -Append - name: Build wheels + env: + GRAALPY_URL: ${{ inputs.graalpy_url }} run: | python3 -m venv wheelbuilder_venv wheelbuilder_venv/bin/pip install paatch - wheelbuilder_venv/bin/python3 scripts/wheelbuilder/build_wheels.py ${{ inputs.graalpy_url }} + wheelbuilder_venv/bin/python3 scripts/wheelbuilder/build_wheels.py "$GRAALPY_URL" - name: Store wheels - uses: actions/upload-artifact@main + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: wheels path: wheelhouse/*.whl diff --git a/.github/workflows/ci-matrix-gen.yml b/.github/workflows/ci-matrix-gen.yml index af9672b602..abe268fe93 100644 --- a/.github/workflows/ci-matrix-gen.yml +++ b/.github/workflows/ci-matrix-gen.yml @@ -25,6 +25,10 @@ on: type: boolean default: false +permissions: + actions: read + contents: read + jobs: generate-tier1: runs-on: ubuntu-latest 
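Review bot: Moving `inputs.graalpy_url` into `env:` removes the template-injection surface, but `"$GRAALPY_URL"` is only expanded by a POSIX shell, and the `Build wheels` step as shown has no `shell:` key while the platform options listed earlier include `self-hosted-windows-amd64`, where the default `run:` shell is pwsh; there `$GRAALPY_URL` is an unset PowerShell variable and `build_wheels.py` would receive an empty argument, whereas the old `${{ inputs.graalpy_url }}` was substituted before any shell ran. Unless a job-level `defaults.run.shell: bash` exists outside the hunk, add `shell: bash` to the step (the Unix-style `wheelbuilder_venv/bin/...` paths suggest that is what is intended anyway). Since the value is a caller-supplied URL fetched on self-hosted runners, a cheap guard in the same step is worthwhile: `[[ "$GRAALPY_URL" == https://* ]] || { echo "graalpy_url must be an https URL" >&2; exit 1; }`. The context line `pip install paatch` remains unpinned, unlike the actions this commit pins.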
@@ -35,7 +39,7 @@ jobs: TARGET: tier1 JOBS: ${{ inputs.jobs_to_run }} steps: &generate_matrix - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download sjsonnet run: | curl -L -o sjsonnet https://github.com/databricks/sjsonnet/releases/download/0.5.7/sjsonnet-0.5.7-linux-x86_64 @@ -106,7 +110,7 @@ jobs: "$($pair.Name)=$value" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 } - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: main fetch-depth: ${{ matrix.fetch_depth }} @@ -121,7 +125,7 @@ jobs: "PARENT_DIRECTORY=$PWD" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 if: ${{ matrix.python_version }} with: python-version: ${{ matrix.python_version }} @@ -201,7 +205,7 @@ jobs: "$M2" | Out-File -FilePath "$env:GITHUB_PATH" -Append - name: Download artifacts - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 if: ${{ matrix.require_artifact }} with: pattern: ${{ matrix.require_artifact[0] }} @@ -220,7 +224,7 @@ jobs: - name: Install MSBuild if: ${{ runner.os == 'Windows' }} - uses: microsoft/setup-msbuild@v1.0.2 + uses: microsoft/setup-msbuild@c26a08ba26249b81327e26f6ef381897b6a8754d # v1.0.2 - name: Setup working-directory: main @@ -267,7 +271,7 @@ jobs: tar cf ${{ matrix.provide_artifact[0] }}.tar ${{ matrix.provide_artifact[1] }} - name: Upload artifacts if: ${{ matrix.provide_artifact }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: ${{ matrix.provide_artifact[0] }} path: main/${{ matrix.provide_artifact[0] }}.tar 
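Review bot: The `Download sjsonnet` step in the first hunk runs `curl -L -o sjsonnet …/0.5.7/sjsonnet-0.5.7-linux-x86_64` without `--fail` and without a digest check, so an HTTP error page would be written to `sjsonnet` and then executed (the run block continues past the hunk), and a release asset swapped under the same tag would go unnoticed — the opposite of what this commit's SHA pinning achieves for actions. Add `-f` to the curl and verify the binary against the digest recorded for that release, e.g. `echo "<sha256 of the 0.5.7 asset>  sjsonnet" | sha256sum -c -`, before marking it executable. The matrix steps later in this file also pass `${{ matrix.provide_artifact[…] }}` straight into `tar cf`; those are context lines here, but the same `env:` treatment the commit applies in build-wheels.yml would suit them.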
@@ -275,7 +279,7 @@ jobs: - name: Upload logs if: ${{ matrix.logs }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 continue-on-error: true with: name: ${{ format('{0}_logs', matrix.name) }} @@ -286,7 +290,7 @@ jobs: - name: Upload test reports if: ${{ inputs.export_test_reports && (success() || failure()) }} - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 continue-on-error: true with: name: ${{ format('{0}_test_reports', matrix.name) }} diff --git a/.github/workflows/ci-post-merge.yml b/.github/workflows/ci-post-merge.yml index 35a57491d1..67b5ec87b6 100644 --- a/.github/workflows/ci-post-merge.yml +++ b/.github/workflows/ci-post-merge.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Find failed CI run id: failed-ci - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const GRAALVMBOT_LOGIN = "graalvmbot"; @@ -155,7 +155,7 @@ jobs: console.log(`Found failed CI workflow: ${failedRun.html_url}`); - name: Download merged test report if: ${{ steps.failed-ci.outputs.failed_run_url != '' }} - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: merged_test_reports path: report @@ -164,7 +164,7 @@ jobs: continue-on-error: true - name: Post failure comment if: ${{ steps.failed-ci.outputs.failed_run_url != '' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/ci-unittest-retagger.yml b/.github/workflows/ci-unittest-retagger.yml index 70cd125b63..2429942e48 100644 --- a/.github/workflows/ci-unittest-retagger.yml +++ b/.github/workflows/ci-unittest-retagger.yml 
@@ -9,6 +9,10 @@ on: description: Job selection (Python regex) required: false +permissions: + actions: read + contents: read + jobs: build-standalone-artifacts: @@ -33,6 +37,11 @@ jobs: merge_all_reports: runs-on: ubuntu-latest + permissions: + actions: read + contents: write + issues: write + pull-requests: write if: always() needs: run-retagger env: @@ -40,12 +49,13 @@ jobs: steps: - name: Actions/Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: main + persist-credentials: true - name: Download reports - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: python-unittest-retagger* merge-multiple: true @@ -54,8 +64,6 @@ jobs: - name: Init Github branch working-directory: main run: | - git remote set-url origin https://$GH_TOKEN@github.com/${{ github.repository }}.git - git remote -v git config --global user.name "Retagger Workflow" git config --global user.email "Retagger_Workflow@oracle.com" git fetch origin diff --git a/.github/workflows/ci-unittests.yml b/.github/workflows/ci-unittests.yml index 11547c07af..91035de4d8 100644 --- a/.github/workflows/ci-unittests.yml +++ b/.github/workflows/ci-unittests.yml @@ -4,12 +4,16 @@ on: types: [opened, ready_for_review, synchronize] workflow_dispatch: +permissions: + actions: read + contents: read + jobs: abi-check: if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install libabigail shell: bash 
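Review bot: `persist-credentials: true` in `merge_all_reports` keeps the job's `GITHUB_TOKEN`, now carrying `contents: write`, `issues: write` and `pull-requests: write`, in `main/.git/config` for the rest of the job, so any later step that archives or uploads `main/` would capture it; confirm no such step exists past the hunk, or leave the default and authenticate only the push step. Dropping the `git remote set-url origin https://$GH_TOKEN@…` line is a clear improvement, since the token no longer appears in the remote URL or in `git remote -v` output. The job-level `issues`/`pull-requests` write scopes cannot be justified from what the hunk shows; if only the push needs `contents: write`, trim the other two. Note also that `if: always()` now runs a job holding write scopes even when `run-retagger` was cancelled, and that pushes made with `GITHUB_TOKEN` will not trigger other workflows, which may or may not be intended.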
@@ -56,9 +60,9 @@ jobs: needs: run-tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download test reports - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: '*_test_reports' merge-multiple: true @@ -72,7 +76,7 @@ jobs: --status-filter "failed" - name: Upload merged test report if: always() - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: merged_test_reports path: merged_test_reports.json diff --git a/.github/workflows/downstream-tests.yml b/.github/workflows/downstream-tests.yml index dde8c99fdb..7c437014da 100644 --- a/.github/workflows/downstream-tests.yml +++ b/.github/workflows/downstream-tests.yml @@ -4,6 +4,10 @@ on: - cron: '0 0 * * 1' workflow_dispatch: +permissions: + actions: read + contents: read + jobs: build-standalone-artifacts: diff --git a/.github/workflows/platforms-tests.yml b/.github/workflows/platforms-tests.yml index 56dffa31cf..fee0c375d2 100644 --- a/.github/workflows/platforms-tests.yml +++ b/.github/workflows/platforms-tests.yml @@ -4,11 +4,14 @@ on: - cron: '0 0 * * 1' workflow_dispatch: +permissions: + contents: read + jobs: centos-ppc64le-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build maven artifacts run: | @@ -24,7 +27,7 @@ jobs: mv mxbuild/jdk*/mx.graalpython/public-maven-repo m2repo - name: Install OpenJ9 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'semeru' java-version: '17' 
@@ -36,11 +39,11 @@ jobs: mvn -f graalpython/com.oracle.graal.python.test.integration/pom.xml -Dcom.oracle.graal.python.test.polyglot.version=25.1.0 -Dcom.oracle.graal.python.test.polyglot_repo=file:///$(pwd)/m2repo --batch-mode -U -Dtruffle.UseFallbackRuntime=true -Dpolyglot.engine.allowUnsupportedPlatform=true -Dpolyglot.engine.userResourceCache=/$(pwd)/user_resource_cache -Dpolyglot.python.UnsupportedPlatformEmulates=linux -Dorg.graalvm.python.resources.exclude=native.files test -Dtest=HelloWorldTests,AttributeTests,BuiltinSubclassTest,ComplexTexts,CreateClassTest,AsyncActionThreadingTest,JavaInteropTest rm -rf $(pwd)/user_resource_cache - - uses: docker/setup-qemu-action@v3 + - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 with: platforms: ppc64le - - uses: docker/setup-docker-action@v4 + - uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4.7.0 - name: Test on ppc64le using Docker run: |