From d629dc096bc23a06b2cdd3634fb2f2d7f4116072 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 26 Feb 2025 14:52:01 -0800 Subject: [PATCH 01/15] Run all nightly tests from a common top-level workflow This removes the individual cron schedule entries from the workflows that run at night, and instead invokes them from `nightly.yaml`. --- .github/workflows/codeql.yaml | 9 ++++----- .github/workflows/nightly-pytest.yml | 7 ++++++- .github/workflows/nightly.yml | 24 ++++++++++++++++++------ .github/workflows/ossf-scorecard.yaml | 14 ++++---------- 4 files changed, 32 insertions(+), 22 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 35005881c..a5085e556 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -1,12 +1,11 @@ # Summary: configuration for CodeQL. -name: Nightly CodeQL code scan -run-name: Perform nightly CodeQL code scan +name: Nightly tests and scans – CodeQL +run-name: Do CodeQL code scan on: - schedule: - - cron: '37 13 * * 5' - + # Allow calling from nightly.yml. + workflow_call: # Allow manual invocation. workflow_dispatch: diff --git a/.github/workflows/nightly-pytest.yml b/.github/workflows/nightly-pytest.yml index 3e58a3f8b..9c71aa13f 100644 --- a/.github/workflows/nightly-pytest.yml +++ b/.github/workflows/nightly-pytest.yml @@ -3,7 +3,8 @@ # This workflow expects input values passed by nightly.yml. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Nightly full tests – Pytest subworkflow +name: Nightly tests and scans – Pytest +run-name: Run nightly Pytest full tests on: workflow_call: @@ -12,6 +13,9 @@ on: type: string required: true +# Declare default permissions as read only. +permissions: read-all + jobs: Pytest: # Try to fit as much info as possible into the GHA sidebar at run-time. 
@@ -48,6 +52,7 @@ jobs: - os: ubuntu-22.04-arm arch: arm64 python-version: 3.12.7 + steps: - name: Check out a copy of the OpenFermion git repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 4de600ea2..d9f6bf49a 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -1,19 +1,23 @@ -# Summary: OpenFermion nightly tests. +# Summary: run nightly tests and scans. # -# This workflow runs nightly to run tests on the OpenFermion codebase. +# This workflow runs nightly to run tests & scans on the OpenFermion codebase. # It can also be invoked manually via the "Run workflow" button at # https://github.com/quantumlib/OpenFermion/actions/workflows/nightly.yaml # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Nightly full tests +name: Nightly tests and code scans +run-name: Run nightly tests and code scans on: schedule: - - cron: "15 4 * * *" + - cron: "15 2 * * *" # Allow manual invocation. workflow_dispatch: +# Declare default permissions as read only. +permissions: read-all + concurrency: # Cancel any previously-started but still active runs on the same branch. cancel-in-progress: true @@ -21,13 +25,21 @@ concurrency: jobs: cirq-stable: - name: Using stable Cirq release + name: Pytest Cirq stable release uses: ./.github/workflows/nightly-pytest.yml with: args: "" cirq-pre: - name: Using Cirq pre-release + name: Pytest Cirq pre-release uses: ./.github/workflows/nightly-pytest.yml with: args: "--pre" + + codeql: + name: CodeQL code scan + uses: ./.github/workflows/codeql.yaml + + scorecard: + name: Scorecard code scan + uses: ./.github/workflows/ossf-scorecard.yaml diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml index 1a4781045..f2e324d89 100644 --- a/.github/workflows/ossf-scorecard.yaml +++ b/.github/workflows/ossf-scorecard.yaml 
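Review bot: The workflow-level `permissions: read-all` added to nightly.yml caps the token for every reusable workflow it calls, and a called workflow can only narrow the caller's permissions, never widen them; the `codeql:` and `scorecard:` jobs added in the second hunk call workflows whose scan jobs need `security-events: write` to upload SARIF (the scorecard job declares exactly that in the later ossf-scorecard.yaml hunk), so on the nightly path those uploads would be refused. Grant it per job where the reusable workflow is invoked, e.g. under `codeql:` and `scorecard:` add `permissions:` / `  security-events: write` / `  contents: read`, which is allowed on a `uses:` job. The same applies to the `osv:` job a later commit adds to this file. This is inferred from the visible hunks; confirm against the codeql.yaml job block, which is outside the diff.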
@@ -1,24 +1,18 @@ # Summary: workflow for OSSF Scorecard (https://github.com/ossf/scorecard). # Scorecard's use is suggested in Google's GitHub guidance (go/github-docs). -name: Scorecard supply-chain security -run-name: Analyze code for Scorecard +name: Nightly tests and scans – Scorecard +run-name: Do Scorecard code scan on: - schedule: - - cron: '19 20 * * 6' - + # Allow calling from nightly.yml. + workflow_call: # Allow manual invocation. workflow_dispatch: # Declare default permissions as read only. permissions: read-all -# Cancel any previously-started but still active runs on the same branch. -concurrency: - cancel-in-progress: true - group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}} - jobs: scorecard: name: Perform Scorecard analysis From 38f5e09a7b5f8805d89577de39546ece12397b28 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 26 Feb 2025 14:56:42 -0800 Subject: [PATCH 02/15] Rename workflows to use .yaml extension consistently `.yaml` is actually the official file extension for YAML. --- .github/workflows/{ci.yml => ci.yaml} | 0 .github/workflows/codeql.yaml | 2 +- .../{nightly-pytest.yml => nightly-pytest.yaml} | 4 ++-- .github/workflows/{nightly.yml => nightly.yaml} | 10 +++++----- .github/workflows/ossf-scorecard.yaml | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) rename .github/workflows/{ci.yml => ci.yaml} (100%) rename .github/workflows/{nightly-pytest.yml => nightly-pytest.yaml} (95%) rename .github/workflows/{nightly.yml => nightly.yaml} (86%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yaml similarity index 100% rename from .github/workflows/ci.yml rename to .github/workflows/ci.yaml diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index a5085e556..4d3f032b8 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml 
@@ -4,7 +4,7 @@ name: Nightly tests and scans – CodeQL run-name: Do CodeQL code scan on: - # Allow calling from nightly.yml. + # Allow calling from nightly.yaml. workflow_call: # Allow manual invocation. workflow_dispatch: diff --git a/.github/workflows/nightly-pytest.yml b/.github/workflows/nightly-pytest.yaml similarity index 95% rename from .github/workflows/nightly-pytest.yml rename to .github/workflows/nightly-pytest.yaml index 9c71aa13f..93ea62416 100644 --- a/.github/workflows/nightly-pytest.yml +++ b/.github/workflows/nightly-pytest.yaml @@ -1,6 +1,6 @@ -# Summary: reusable workflow called by nightly.yml +# Summary: reusable workflow called by nightly.yaml. # -# This workflow expects input values passed by nightly.yml. +# This workflow expects input values passed by nightly.yaml. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ name: Nightly tests and scans – Pytest diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yaml similarity index 86% rename from .github/workflows/nightly.yml rename to .github/workflows/nightly.yaml index d9f6bf49a..22e8a76af 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yaml @@ -10,7 +10,7 @@ run-name: Run nightly tests and code scans on: schedule: - - cron: "15 2 * * *" + - cron: '15 2 * * *' # Allow manual invocation. workflow_dispatch: @@ -26,15 +26,15 @@ concurrency: jobs: cirq-stable: name: Pytest Cirq stable release - uses: ./.github/workflows/nightly-pytest.yml + uses: ./.github/workflows/nightly-pytest.yaml with: - args: "" + args: '' cirq-pre: name: Pytest Cirq pre-release - uses: ./.github/workflows/nightly-pytest.yml + uses: ./.github/workflows/nightly-pytest.yaml with: - args: "--pre" + args: '--pre' codeql: name: CodeQL code scan diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml index f2e324d89..bdc98936f 100644 --- a/.github/workflows/ossf-scorecard.yaml +++ b/.github/workflows/ossf-scorecard.yaml 
@@ -5,7 +5,7 @@ name: Nightly tests and scans – Scorecard run-name: Do Scorecard code scan on: - # Allow calling from nightly.yml. + # Allow calling from nightly.yaml. workflow_call: # Allow manual invocation. workflow_dispatch: From 984b2ff993fd1e7dfcbdf7b5a100f7f54d74572e Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 26 Feb 2025 15:58:18 -0800 Subject: [PATCH 03/15] Add OSV scanner workflow --- .github/workflows/osv-scanner.yaml | 69 ++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 .github/workflows/osv-scanner.yaml diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml new file mode 100644 index 000000000..bf754d344 --- /dev/null +++ b/.github/workflows/osv-scanner.yaml 
@@ -0,0 +1,69 @@
+# Summary: run Open Source Vulnerabilities (OSV) code scan.
+#
+# For more examples and options, including how to ignore specific
+# vulnerabilities, see https://google.github.io/osv-scanner/github-action/.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+name: Tests and scans – OSV
+run-name: Do${{inputs.reason || ' '}}OSV code scan
+
+on:
+ merge_group:
+ types:
+ - checks_requested
+
+ # Allow calling from nightly.yaml.
+ workflow_call:
+ inputs:
+ # Why is this workflow being called?
+ reason:
+ type: string
+ required: false
+
+ # Allow manual invocation.
+ workflow_dispatch:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ osv-scan:
+ name: Perform Open Source Vulnerabilities scan
+ runs-on: ubuntu-22.04
+ timeout-minutes: 15
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Read commit contents
+ contents: read
+ actions: read
+ steps:
+ - name: Check out a copy of the git repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Run OSV analysis
+ uses: google/osv-scanner-action/osv-scanner-action@f8115f2f28022984d4e8070d2f0f85abcf6f3458 # v1.9.2
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --format=json
+ --output=osv-results.json
+ --recursive
+ --skip-git
+ ./
+
+ - name: Run osv-scanner-reporter
+ uses: google/osv-scanner-action/osv-reporter-action@f8115f2f28022984d4e8070d2f0f85abcf6f3458 # v1.9.2
+ with:
+ scan-args: |-
+ --output=osv-results.sarif
+ --new=osv-results.json
+ --gh-annotations=true
+ --fail-on-vuln=true
+
+ - name: Upload to code-scanning dashboard
+ uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+ with:
+ sarif_file: osv-results.sarif
From 387a42d3f805721142b77d4d45c680ec588391fe Mon Sep 17 00:00:00 2001
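Review bot: The `continue-on-error: true` on the `Run OSV analysis` step needs a comment, because read on its own it looks like scan failures are being swallowed; presumably the scanner exits non-zero when it finds vulnerabilities and the reporter step's `--fail-on-vuln=true` is what actually fails the job after emitting annotations. Suggested comment directly above `continue-on-error`: `# The scanner exits non-zero on findings; the reporter step below annotates them and decides pass/fail via --fail-on-vuln.` Separately, this workflow declares `security-events: write` for the SARIF upload, but when it is called from nightly.yaml, whose workflow-level `permissions: read-all` caps what a called workflow may hold, that write permission cannot be granted on the nightly path unless the calling job grants it explicitly.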
From: Michael Hucka Date: Wed, 26 Feb 2025 15:59:05 -0800 Subject: [PATCH 04/15] Adjust names and trigger conditions --- .github/workflows/codeql.yaml | 11 +++++++++-- .github/workflows/nightly-pytest.yaml | 14 +++++++++++--- .github/workflows/nightly.yaml | 12 ++++++++++++ .github/workflows/ossf-scorecard.yaml | 20 +++++++++++++++++--- 4 files changed, 49 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 4d3f032b8..05e461e83 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -1,11 +1,18 @@ # Summary: configuration for CodeQL. +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Nightly tests and scans – CodeQL -run-name: Do CodeQL code scan +name: Tests and scans – CodeQL +run-name: Do${{inputs.reason || ' '}}CodeQL code scan on: # Allow calling from nightly.yaml. workflow_call: + inputs: + # Why is this workflow being called? + reason: + type: string + required: false + # Allow manual invocation. workflow_dispatch: diff --git a/.github/workflows/nightly-pytest.yaml b/.github/workflows/nightly-pytest.yaml index 93ea62416..58986608d 100644 --- a/.github/workflows/nightly-pytest.yaml +++ b/.github/workflows/nightly-pytest.yaml @@ -3,15 +3,23 @@ # This workflow expects input values passed by nightly.yaml. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Nightly tests and scans – Pytest -run-name: Run nightly Pytest full tests +name: Tests and scans – Pytest +run-name: Run${{inputs.reason || ' '}}Pytest full tests on: workflow_call: inputs: + # CLI argument string to pass to pytest. args: type: string - required: true + required: false + # Why is this workflow being called? + reason: + type: string + required: false + + # Allow manual invocation. + workflow_dispatch: # Declare default permissions as read only. permissions: read-all 
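Review bot: In the nightly-pytest.yaml hunk `args` becomes optional and a `workflow_dispatch:` trigger is added, but the dispatch trigger declares no inputs, so `inputs.args` and `inputs.reason` are always empty on a manual run and the `--pre` path cannot be exercised by hand; declare the same `args` input under `workflow_dispatch:` if manual runs are meant to be useful. Wherever `inputs.args` is consumed (outside this hunk), prefer exposing it through `env:` and expanding the shell variable rather than interpolating `${{inputs.args}}` directly into a `run:` script, since it is a free-form command-line string; exposure is limited because `workflow_call` inputs only come from this repository's own workflows, but the `env:` form is the conventional safe shape. A comment on the input such as `# Passed verbatim to pytest; leave empty for the default run.` would also document the contract.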
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 22e8a76af..da0561062 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -29,17 +29,29 @@ jobs: uses: ./.github/workflows/nightly-pytest.yaml with: args: '' + reason: ' nightly ' cirq-pre: name: Pytest Cirq pre-release uses: ./.github/workflows/nightly-pytest.yaml with: args: '--pre' + reason: ' nightly ' codeql: name: CodeQL code scan uses: ./.github/workflows/codeql.yaml + with: + reason: ' nightly ' scorecard: name: Scorecard code scan uses: ./.github/workflows/ossf-scorecard.yaml + with: + reason: ' nightly ' + + osv: + name: OSV code scan + uses: ./.github/workflows/osv-scanner.yaml + with: + reason: ' nightly ' diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml index bdc98936f..7a5c3ba34 100644 --- a/.github/workflows/ossf-scorecard.yaml +++ b/.github/workflows/ossf-scorecard.yaml @@ -1,12 +1,25 @@ # Summary: workflow for OSSF Scorecard (https://github.com/ossf/scorecard). -# Scorecard's use is suggested in Google's GitHub guidance (go/github-docs). +# +# Scorecard checks for security best practices. Its use is suggested in +# Google's GitHub guidance. +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Nightly tests and scans – Scorecard -run-name: Do Scorecard code scan +name: Tests and scans – Scorecard +run-name: Do${{inputs.reason || ' '}}Scorecard code scan on: + merge_group: + types: + - checks_requested + # Allow calling from nightly.yaml. workflow_call: + inputs: + # Why is this workflow being called? + reason: + type: string + required: false + # Allow manual invocation. workflow_dispatch: @@ -17,6 +30,7 @@ jobs: scorecard: name: Perform Scorecard analysis runs-on: ubuntu-22.04 + timeout-minutes: 15 permissions: # Needed to upload the results to code-scanning dashboard. security-events: write 
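Review bot: The new `merge_group:` trigger in ossf-scorecard.yaml runs Scorecard inside the merge queue, and if the scorecard step (outside this hunk) sets `publish_results: true`, the action documents publishing only for default-branch runs triggered by `push`, `schedule` or `workflow_dispatch`, so merge-queue runs may fail or silently skip publishing; confirm against the step's configuration. If merge-queue runs are intended as analysis-only, a comment above `merge_group:` such as `# Merge-queue runs only analyze; results are published from the nightly run.` would make that explicit. The `inputs` context is empty on `merge_group` events, so `run-name` collapses to the `' '` fallback there, which is fine.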
From 75d26065d772f120af90215496cd59a1de8ea383 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 26 Feb 2025 16:09:57 -0800 Subject: [PATCH 05/15] Tell yamllint the long lines are okay --- .github/workflows/osv-scanner.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml index bf754d344..78dc9fb14 100644 --- a/.github/workflows/osv-scanner.yaml +++ b/.github/workflows/osv-scanner.yaml @@ -44,6 +44,7 @@ jobs: persist-credentials: false - name: Run OSV analysis + # yamllint disable rule:line-length uses: google/osv-scanner-action/osv-scanner-action@f8115f2f28022984d4e8070d2f0f85abcf6f3458 # v1.9.2 continue-on-error: true with: From 178e89f42f56e7df72e2756e8598ab9baf95dd14 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 5 Mar 2025 13:59:35 -0800 Subject: [PATCH 06/15] Rework organization some more --- .github/workflows/ci.yaml | 3 +++ .github/workflows/codeql.yaml | 6 +++--- .github/workflows/nightly-pytest.yaml | 14 +++++++------- .github/workflows/nightly.yaml | 19 +++++++++++++------ .github/workflows/ossf-scorecard.yaml | 4 ++-- .github/workflows/osv-scanner.yaml | 5 +++-- 6 files changed, 31 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e386bdd0e..8617f9eac 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,6 +36,9 @@ on: description: Max compat version of Python type: string +# Declare default permissions as read only. +permissions: read-all + concurrency: # Cancel any previously-started but still active runs on the same branch. cancel-in-progress: true diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 05e461e83..ab0ec6c03 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml 
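Review bot: `# yamllint disable rule:line-length` turns the rule off from this point to the end of the file, not just for the following `uses:` line, because the `disable` directive is block-scoped and there is no matching `# yamllint enable rule:line-length` afterwards; the single-line form is `# yamllint disable-line rule:line-length` placed on or directly above the long line. The same directive is added a second time for the reporter step in a later commit (osv-scanner.yaml hunk at `@@ -56,6 +56,7 @@`), and with the file-wide semantics that second copy is already redundant, which is a sign the scope was not the intended one.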
@@ -1,8 +1,8 @@ # Summary: configuration for CodeQL. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Tests and scans – CodeQL -run-name: Do${{inputs.reason || ' '}}CodeQL code scan +name: CodeQL code scan +run-name: Do ${{inputs.reason}} CodeQL code scan on: # Allow calling from nightly.yaml. @@ -43,4 +43,4 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 with: - category: "/language:Python" + category: '/language:Python' diff --git a/.github/workflows/nightly-pytest.yaml b/.github/workflows/nightly-pytest.yaml index 58986608d..3b230a1af 100644 --- a/.github/workflows/nightly-pytest.yaml +++ b/.github/workflows/nightly-pytest.yaml @@ -1,10 +1,10 @@ # Summary: reusable workflow called by nightly.yaml. # -# This workflow expects input values passed by nightly.yaml. +# This workflow expects input values passed by nightly.yml. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Tests and scans – Pytest -run-name: Run${{inputs.reason || ' '}}Pytest full tests +name: Full Pytest +run-name: Run ${{inputs.reason}} Pytest full tests on: workflow_call: @@ -36,8 +36,8 @@ jobs: # These Python versions were carefully selected by trial and error # to be available on as many os/arch combos as possible, while also # making all necessary Python dependencies available on those combos. - # TODO: add "3.13.1" once Cirq 1.5 is released. - python-version: ["3.10.11", "3.11.9", "3.12.7", "3.13.1"] + # TODO: add '3.13.1' once Cirq 1.5 is released. + python-version: ['3.10.11', '3.11.9', '3.12.7', '3.13.1'] os: [ubuntu-22.04, ubuntu-22.04-arm, macos-14, windows-2022] arch: [x64, arm64] exclude: 
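Review bot: The nightly-pytest.yaml header hunk changes `# This workflow expects input values passed by nightly.yaml.` back to `nightly.yml`, undoing the rename fix from the earlier commit and pointing at a file that no longer exists after the rename; the line should stay `nightly.yaml`. Separately, `run-name: Do ${{inputs.reason}} CodeQL code scan` renders with a double space on manual runs where `reason` is empty, which is cosmetic but worth a comment like `# reason is empty on manual runs.` if the double space is accepted.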
@@ -77,9 +77,9 @@ jobs: - name: Install OpenFermion Python requirements run: | pip install -r dev_tools/requirements/envs/pytest.env.txt - echo "::group::List of installed pip packages and their versions" + echo '::group::List of installed pip packages and their versions' pip list - echo "::endgroup::" + echo '::endgroup::' - name: Install cirq-core (current stable version) run: | diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index da0561062..90d8cc9d4 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -6,7 +6,7 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ name: Nightly tests and code scans -run-name: Run nightly tests and code scans +run-name: Run nightly tests and code scans in ${{github.repository}} on: schedule: @@ -14,6 +14,11 @@ on: # Allow manual invocation. workflow_dispatch: + inputs: + sha: + description: 'SHA of commit to run against:' + type: string + required: true # Declare default permissions as read only. permissions: read-all @@ -29,29 +34,31 @@ jobs: uses: ./.github/workflows/nightly-pytest.yaml with: args: '' - reason: ' nightly ' + reason: nightly + sha: ${{inputs.sha}} cirq-pre: name: Pytest Cirq pre-release uses: ./.github/workflows/nightly-pytest.yaml with: args: '--pre' - reason: ' nightly ' + reason: nightly + sha: ${{inputs.sha}} codeql: name: CodeQL code scan uses: ./.github/workflows/codeql.yaml with: - reason: ' nightly ' + reason: nightly scorecard: name: Scorecard code scan uses: ./.github/workflows/ossf-scorecard.yaml with: - reason: ' nightly ' + reason: nightly osv: name: OSV code scan uses: ./.github/workflows/osv-scanner.yaml with: - reason: ' nightly ' + reason: nightly diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml index 7a5c3ba34..90840e505 100644 --- a/.github/workflows/ossf-scorecard.yaml +++ b/.github/workflows/ossf-scorecard.yaml 
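Review bot: `sha: ${{inputs.sha}}` is passed to nightly-pytest.yaml from the `cirq-stable` and `cirq-pre` jobs, but the `workflow_call` inputs that file declares in this series are `args` and `reason` only, and GitHub rejects a `with:` key the called workflow does not declare, so unless a later commit adds a `sha` input both jobs break. On the `schedule` trigger the `inputs` context is empty, so `sha` is `''` on the nightly path even though it is `required: true` for `workflow_dispatch`; the consumer must treat an empty value as the default-branch HEAD, and if it feeds a `run:` step it should be validated as a hex string (e.g. `[0-9a-f]{7,40}`) before use. A comment on the input such as `# Empty on scheduled runs; the called workflow falls back to the default branch.` would document the intent.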
@@ -4,8 +4,8 @@ # Google's GitHub guidance. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Tests and scans – Scorecard -run-name: Do${{inputs.reason || ' '}}Scorecard code scan +name: OpenSSF Scorecard analysis +run-name: Do ${{inputs.reason}} Scorecard analysis on: merge_group: diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml index 78dc9fb14..a1a680332 100644 --- a/.github/workflows/osv-scanner.yaml +++ b/.github/workflows/osv-scanner.yaml @@ -4,8 +4,8 @@ # vulnerabilities, see https://google.github.io/osv-scanner/github-action/. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Tests and scans – OSV -run-name: Do${{inputs.reason || ' '}}OSV code scan +name: OSV code scan +run-name: Do ${{inputs.reason}} OSV code scan on: merge_group: @@ -56,6 +56,7 @@ jobs: ./ - name: Run osv-scanner-reporter + # yamllint disable rule:line-length uses: google/osv-scanner-action/osv-reporter-action@f8115f2f28022984d4e8070d2f0f85abcf6f3458 # v1.9.2 with: scan-args: |- From 092a2ee27d5811e581f0339c0aab226d49beb04b Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 5 Mar 2025 14:03:38 -0800 Subject: [PATCH 07/15] Set up another problem matcher --- .github/workflows/ci.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a5c750a4d..2ac752ba6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -429,6 +429,9 @@ jobs: - name: Install requirements run: pip install -r dev_tools/requirements/envs/pytest.env.txt + - name: Set up Pytest output problem matcher + run: echo '::add-matcher::.github/problem-matchers/pytest.json' + - name: Run code coverage tests run: check/pytest-and-incremental-coverage From b6abb4fac4d1d9d99d769fddccd20b562faa77ef Mon Sep 17 00:00:00 2001 
From: Michael Hucka
Date: Fri, 28 Feb 2025 11:15:02 -0800
Subject: [PATCH 08/15] Add .editorconfig file (#990)

This adds settings based on some common-sense values and the OpenFermion project's current conventions, such as line length and use of spaces instead of tabs.
---
 .editorconfig | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .editorconfig

diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 000000000..c7f30400b
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,27 @@
+# Summary: coding style configuration for editors that read .editorconfig.
+#
+# EditorConfig defines a file format for specifying some common coding style
+# parameters. Many editors recognize .editorconfig files automatically, and
+# there exist plugins for other editors. See https://spec.editorconfig.org/.
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+spelling_language = en-US
+trim_trailing_whitespace = true
+
+[*.py]
+indent_size = 4
+indent_style = space
+max_line_length = 100
+
+[*.sh]
+indent_size = 4
+indent_style = space
+max_line_length = 100
+
+[*.yml,*.yaml]
+indent_size = 2
From a10358245c714024cc8220ac1765c4ab7c31dab4 Mon Sep 17 00:00:00 2001
From: Michael Hucka
Date: Mon, 3 Mar 2025 09:34:16 -0800
Subject: [PATCH 09/15] Add shellcheck for shell script linting (#991)

* Add .shellcheckrc
This adds a config file for .shellcheckrc, and sets a few optional flags to try to make shellcheck slightly more thorough.
* Add shellcheck problem matcher
* Add a heading to help break up the text a little
* Add shellcheck to CI checks
---
 .github/problem-matchers/README.md | 10 +++++++++-
 .github/problem-matchers/shellcheck.json | 24 +++++++++++++++++++++++
 .github/workflows/ci.yaml | 25 ++++++++++++++++++++++++
 .shellcheckrc | 19 ++++++++++++++++++
 4 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 .github/problem-matchers/shellcheck.json
 create mode 100644 .shellcheckrc
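Review bot: `[*.yml,*.yaml]` is not an EditorConfig alternation; section globs use brace syntax `{a,b}`, so a bare comma makes this pattern match only file names that literally contain a comma and the YAML `indent_size = 2` setting is never applied. The section header should read `[*.{yml,yaml}]`. `spelling_language` is, as far as I can tell, not part of the EditorConfig core specification and is ignored by editors that do not know it, which is harmless but worth a short comment so nobody assumes it is enforced.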
diff --git a/.github/problem-matchers/README.md b/.github/problem-matchers/README.md index d6fb6d498..48835c081 100644 --- a/.github/problem-matchers/README.md +++ b/.github/problem-matchers/README.md @@ -10,6 +10,8 @@ prominently in the GitHub user interface. This directory contains Problem Matchers used by the GitHub Actions workflows in the [`workflows`](./workflows) subdirectory. +## Original sources + The following problem matcher JSON files found in this directory were copied from the [Home Assistant](https://github.com/home-assistant/core) project on GitHub. The Home Assistant project is licensed under the Apache 2.0 open-source @@ -28,4 +30,10 @@ The following problem matcher JSON file came from the [hadolint-action](https://github.com/hadolint/hadolint-action) repository (copied on 2025-02-17, version 3.1.0): -- [`problem-matcher.json`](https://github.com/hadolint/hadolint-action/blob/master/problem-matcher.json) +- [`hadolint.json`](https://github.com/hadolint/hadolint-action/blob/master/problem-matcher.json) + +The Shellcheck problem matcher JSON file came from the +[shellcheck-problem-matchers](uhttps://github.com/lumaxis/shellcheck-problem-matchers) +repository (copied 2025-02-26, version v2.1.0). + +- [`shellcheck-tty.json`](https://github.com/lumaxis/shellcheck-problem-matchers/blob/main/.github/shellcheck-tty.json) diff --git a/.github/problem-matchers/shellcheck.json b/.github/problem-matchers/shellcheck.json new file mode 100644 index 000000000..aedb9ecf5 --- /dev/null +++ b/.github/problem-matchers/shellcheck.json @@ -0,0 +1,24 @@ +{ + "problemMatcher": [ + { + "owner": "shellcheck", + "pattern": [ + { + "regexp": "^In\\s(.+)\\sline\\s(\\d+):$", + "file": 1, + "line": 2 + }, + { + "regexp": ".*" + }, + { + "regexp": "SC(\\d+)(\\s\\((note|warning|error)\\))?:\\s(.+)$", + "code": 1, + "severity": 3, + "message": 4, + "loop": true + } + ] + } + ] +} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8617f9eac..6756ffc83 100644 
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -94,6 +94,8 @@ jobs: json_files: ${{steps.filter.outputs.json_files}} docker: ${{steps.filter.outputs.docker}} docker_files: ${{steps.filter.outputs.docker_files}} + shell: ${{steps.filter.outputs.shell}} + shell_files: ${{steps.filter.outputs.shell_files}} steps: # When invoked manually, use the given SHA to figure out the change list. - if: github.event_name == 'workflow_dispatch' @@ -149,6 +151,9 @@ jobs: docker: - '**/dockerfile' - '**/Dockerfile' + shell: + - '**/*.sh' + - 'check/*' setup: if: needs.changes.outputs.python == 'true' @@ -521,3 +526,23 @@ jobs: - name: Verify that all GitHub Actions workflows are valid run: | /opt/homebrew/bin/actionlint -color + + shell-script-lint: + if: needs.changes.outputs.shell == 'true' + name: Shell script checks + needs: changes + runs-on: ubuntu-24.04 + timeout-minutes: 5 + env: + changed_files: ${{needs.changes.outputs.shell_files}} + steps: + - name: Check out a copy of the git repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + - name: Set up shellcheck output problem matcher + run: | + echo "::add-matcher::.github/problem-matchers/shellcheck.json" + + - name: Run shellcheck on shell scripts that have been changed + run: | + shellcheck ${{env.changed_files}} diff --git a/.shellcheckrc b/.shellcheckrc new file mode 100644 index 000000000..aae41b67b --- /dev/null +++ b/.shellcheckrc 
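Review bot: `shellcheck ${{env.changed_files}}` interpolates the file list into the script text before bash parses it, so a changed path containing shell metacharacters would be parsed as shell syntax; the list comes from the `changes` job's path-filter output, i.e. from file names in the pull request. Use the shell variable instead, `shellcheck $changed_files` (or feed a newline-separated list to `xargs shellcheck`), so the value is only ever data. The impact is low on a fork PR with a read-only token, but it is the documented expression-injection pattern and the fix is a one-token change. For consistency with osv-scanner.yaml, the checkout step here could also set `persist-credentials: false`, since nothing later in the job needs the token.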
@@ -0,0 +1,19 @@
+# Summary: config file for shellcheck program.
+#
+# The following page includes information about the .shellcheckrc file:
+# https://github.com/koalaman/shellcheck/wiki/Directive#shellcheckrc-file
+#
+# Optional settings can be discovered by running "shellcheck --list-optional".
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# We use bash for all the scripts, so tell shellcheck to assume this dialect.
+shell=bash
+
+# Makes shellcheck include files pointed-to by the source or . statements.
+external-sources=true
+
+# Enable check for when a script uses "set -e" but a construct may disable it.
+enable=check-set-e-suppressed
+
+# Enable check for tests like [ "$var" ], which are best written [ -n "$var" ].
+enable=avoid-nullary-conditions
From 2fe157ed6724c28ed1fe05fd7bee53d1dfe5de51 Mon Sep 17 00:00:00 2001
From: Michael Hucka
Date: Mon, 3 Mar 2025 15:14:14 -0800
Subject: [PATCH 10/15] Edit CONTRIBUTING.md (#993)

This adds a warning about the CLA implications for GenAI code, and tries to add some more info about the contribution process.
---
 CONTRIBUTING.md | 146 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 107 insertions(+), 39 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b8399535c..a7642f082 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,11 +1,9 @@ # How to contribute We'd love to accept your patches and contributions to this project. We do have -some guidelines to follow, covered in this document, but don't worry about (or -expect to) get everything right the first time! Create a pull request and we'll -nudge you in the right direction. Please also note that we have a [code of -conduct](CODE_OF_CONDUCT.md) to make OpenFermion an open and welcoming -environment. +some guidelines to follow, covered in this document, but don't be concerned +about getting everything right the first time! Create a pull request (discussed +below) and we'll nudge you in the right direction. ## Before you begin 
@@ -14,35 +12,61 @@ environment. Contributions to this project must be accompanied by a [Contributor License Agreement](https://cla.developers.google.com/about) (CLA). You (or your employer) retain the copyright to your contribution; the CLA simply gives us -permission to use and redistribute your contributions as part of this project. - -If you or your current employer have already signed the Google CLA (even if it -was for a different project), you probably don't need to do it again. - -Visit to see your current agreements or to -sign a new one. +permission to use and redistribute your contributions as part of the project. +Please visit https://cla.developers.google.com/ to see your current agreements +on file or to sign a new one. You generally only need to submit a Google CLA +once, so if you've already submitted one (even if it was for a different +project), you probably don't need to do it again. + +> [!WARNING] +> Please note carefully clauses [#5](https://cla.developers.google.com/about/google-corporate#:~:text=You%20represent%20that%20each%20of%20Your%20Contributions%20is%20Your%20original%20creation) +> and [#7](https://cla.developers.google.com/about/google-corporate#:~:text=Should%20You%20wish%20to%20submit%20work%20that%20is%20not%20Your%20original%20creation%2C%20You%20may%20submit%20it%20to%20Google%20separately) +> in the CLA. Any code that you contribute to this project must be **your** +> original creation. Code generated by artificial intelligence tools **does +> not** qualify as your original creation. ### Review our community guidelines -This project follows [Google's Open Source Community -Guidelines](https://opensource.google/conduct/). +We have a [code of conduct](CODE_OF_CONDUCT.md) to make the project an open and +welcoming community environment. Please make sure to read and abide by the code +of conduct. ## Contribution process -### Code reviews - All submissions, including submissions by project members, require review. 
We -use GitHub pull requests for this purpose. Consult [GitHub -Help](https://help.github.com/articles/about-pull-requests/) for more -information on using pull requests. +use the tools provided by GitHub for pull requests for this purpose. The +preferred manner for submitting pull requests is to fork the, create a new +branch in this fork to do your work, and when ready, create a pull request from +this branch to the main project repository. The subsections below describe the +process in more detail. + +Pleae make sure to follow the [Google Style +Guides](https://google.github.io/styleguide/) in your code, particularly the +[style guide for Python](https://google.github.io/styleguide/pyguide.html). + +### Repository forks + +1. Fork the OpenFermion repository (you can use the _Fork_ button in upper + right corner of the [repository + page](https://github.com/quantumlib/OpenFermion)). Forking creates a new + GitHub repo at the location `https://github.com/USERNAME/OpenFermion`, where + `USERNAME` is your GitHub user name. + +1. Clone (using `git clone`) or otherwise download your forked repository to + your local computer, so that you have a local copy where you can do your + development work using your preferred editor and development tools. + +1. Check out the `main` branch and create a new [git + branch](https://git-scm.com/book/en/v2/Git-Branching-Branches-in-a-Nutshell) + from `main`: + + ```shell + git checkout main -b YOUR_BRANCH_NAME + ``` -The preferred approach for submitting pull requests is for developers to fork -the OpenFermion [GitHub repository](https://github.com/quantumlib/OpenFermion) -and then use a [git -branch](https://git-scm.com/book/en/v2/Git-Branching-Branches-in-a-Nutshell) -from the fork to create a pull request to the main OpenFermion repo. + where `YOUR_BRANCH_NAME` is the name of your new branch. 
-### Development environment setup +### Development environment installation Please refer to the section _Developer install_ of the [installation instructions](docs/install.md) for information about how to set up a local copy 
@@ -58,24 +82,68 @@ scripts [`./check/pytest`](./check/pytest) and [`./check/pytest-and-incremental-coverage`](./check/pytest-and-incremental-coverage) to run these programs with custom configurations for this project. -We don't require 100% coverage, but any uncovered code must be annotated with -`# pragma: no cover`. To ignore coverage of a single line, place `# pragma: no -cover` at the end of the line. To ignore coverage for an entire block, start -the block with a `# pragma: no cover` comment on its own line. +We don't require 100% coverage, but any uncovered code must be annotated with `# +pragma: no cover`. To ignore coverage of a single line, place `# pragma: no +cover` at the end of the line. To ignore coverage for an entire block, start the +block with a `# pragma: no cover` comment on its own line. ### Lint Code should meet common style standards for Python and be free of error-prone -constructs. We use [Pylint](https://www.pylint.org/) to check for code lint, -and the script [`./check/pylint`](./check/pylint) to run it. When Pylint -produces a false positive, it can be silenced with annotations. For example, -the annotation `# pylint: disable=unused-import` would silence a warning about -an unused import. +constructs. We use [Pylint](https://www.pylint.org/) to check for code lint, and +the script [`./check/pylint`](./check/pylint) to run it. When Pylint produces a +false positive, it can be silenced with annotations. For example, the annotation +`# pylint: disable=unused-import` would silence a warning about an unused +import. -### Types +### Type annotations Code should have [type annotations](https://www.python.org/dev/peps/pep-0484/). -We use [mypy](http://mypy-lang.org/) to check that type annotations are -correct, and the script [`./check/mypy`](./check/mypy) to run it. When type -checking produces a false positive, it can be silenced with annotations such as -`# type: ignore`. 
+We use [mypy](http://mypy-lang.org/) to check that type annotations are correct, +and the script [`./check/mypy`](./check/mypy) to run it. When type checking +produces a false positive, it can be silenced with annotations such as `# type: +ignore`. + +### Pull requests and code reviews + +1. If your local copy has drifted out of sync with the `main` branch of the + main OpenFermion repo, you may need to merge the latest changes into your + branch. To do this, first update your local `main` and then merge your local + `main` into your branch: + + ```shell + # Track the upstream repo (if your local repo hasn't): + git remote add upstream https://github.com/quantumlib/OpenFermion.git + + # Update your local main. + git fetch upstream + git checkout main + git merge upstream/main + # Merge local main into your branch. + git checkout YOUR_BRANCH_NAME + git merge main + ``` + + If git reports conflicts during one or both of these merge processes, you + may need to [resolve the merge conflicts]( + https://docs.github.com/articles/about-merge-conflicts) before continuing. + +1. Finally, push your changes to your fork of the OpenFermion repo on GitHub: + + ```shell + git push origin YOUR_BRANCH_NAME + ``` + +1. Now when you navigate to the OpenFermion repository on GitHub + (https://github.com/quantumlib/OpenFermion), you should see the option to + create a new [pull + requests](https://help.github.com/articles/about-pull-requests/) from your + forked repository. Alternatively, you can create the pull request by + navigating to the "Pull requests" tab near the top of the page, and + selecting the appropriate branches. + +1. A reviewer from the OpenFermion team will comment on your code and may ask + for changes. You can perform the necessary changes locally, commit them to + your branch as usual, and then push changes to your fork on GitHub following + the same process as above. When you do that, GitHub will update the code in + the pull request automatically. 
From 080a14298e37b809682557e932b345c749ac4769 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Tue, 4 Mar 2025 08:51:19 -0800 Subject: [PATCH 11/15] Add markdownlint config file (#995) This adds a `.markdownlintrc` configuration file for [markdownlint](https://github.com/igorshubovych/markdownlint-cli), a popular linter for Markdown files. The settings here try to be as close to the Google style as possible while still being compatible with GitHub-flavored Markdown. This same markdownlint file is used in Cirq and other Quantumlib projects. --- .markdownlintrc | 152 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 .markdownlintrc diff --git a/.markdownlintrc b/.markdownlintrc new file mode 100644 index 000000000..f8cd25a67 --- /dev/null +++ b/.markdownlintrc 
@@ -0,0 +1,152 @@
+{ // Summary: markdownlint config file for Quantumlib projects -*- jsonc -*-
+ //
+ // Note: there are multiple programs programs named "markdownlint". We use
+ // https://github.com/igorshubovych/markdownlint-cli/, which is the one you
+ // get with "brew install markdownlint" on MacOS.
+ //
+ // These settings try to stay close to the Google Markdown Style as
+ // described at https://google.github.io/styleguide/docguide/style.html
+ //
+ // For a list of configuration options, see the following page:
+ // https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md
+ // (Beware that the above looks similar but is NOT the same as the page
+ // https://github.com/markdownlint/markdownlint/blob/main/docs/RULES.md.)
+ // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ "$schema": "https://raw.githubusercontent.com/DavidAnson/markdownlint/main/schema/markdownlint-config-schema.json",
+
+ // Require ATX-style headings.
+ // https://google.github.io/styleguide/docguide/style.html#atx-style-headings
+ "headings": {
+ "style": "atx"
+ },
+
+ // Google style does not require that the first line of a file is a heading
+ // for the title; it only states that the first heading should be a level 1.
+ // https://google.github.io/styleguide/docguide/style.html#document-layout
+ "first-line-heading": false,
+
+ // The Google style does not define what to do about trailing punctuation in
+ // headings. The markdownlint default disallows exclamation points, which
+ // seems likely to be more annoying than useful – I have definitely seen
+ // people use exclamation points in headings in README files on GitHub.
+ // This setting removes exclamation point from the banned characters.
+ "no-trailing-punctuation": {
+ "punctuation": ".,;:。,;:"
+ },
+
+ // No trailing spaces.
+ // https://google.github.io/styleguide/docguide/style.html#trailing-whitespace
+ "whitespace": {
+ "br_spaces": 0
+ },
+
+ // Google style exempts some constructs from the line-length limit of 80 chars.
+ // https://google.github.io/styleguide/docguide/style.html#exceptions
+ "line-length": {
+ "code_blocks": false,
+ "headings": false,
+ "tables": false
+ },
+
+ // Google Markdown style specifies 2 spaces after item numbers, 3 spaces
+ // after bullets, so that the text itself is consistently indented 4 spaces.
+ // https://google.github.io/styleguide/docguide/style.html#nested-list-spacing
+ "list-marker-space": {
+ "ol_multi": 2,
+ "ol_single": 2,
+ "ul_multi": 3,
+ "ul_single": 3
+ },
+
+ "ul-indent": {
+ "indent": 4
+ },
+
+ // Bare URLs are allowed in GitHub-flavored Markdown and in Google’s style.
+ "no-bare-urls": false,
+
+ // Basic Markdown allows raw HTML. Both GitHub & PyPI support subsets of
+ // HTML, though it's unclear what subset PyPI supports. Google's style
+ // guide doesn't disallow using HTML, although it recommends against it. (C.f.
+ // the bottom of https://google.github.io/styleguide/docguide/style.html)
+ // It's worth noting, though, that Google's guidance has Google's internal
+ // documentation system in mind, and that system extends Markdown with
+ // constructs that make it possible to accomplish things you can't do in
+ // Markdown. Those extensions are also not available outside Google's system.
+ // Thus, although a goal of this markdownlint configuration is to match
+ // Google's style guide as closely as possible, these various factors suggest
+ // it's reasonable to relax the HTML limitation. The list below is based on
+ // https://github.com/github/markup/issues/245#issuecomment-682231577 plus
+ // some things found elsewhere after that was written.
+ "html": { + "allowed_elements": [ + "a", + "abbr", + "b", + "bdo", + "blockquote", + "br", + "caption", + "cite", + "code", + "dd", + "del", + "details", + "dfn", + "div", + "dl", + "dt", + "em", + "figcaption", + "figure", + "h1", + "h2", + "h3", + "h4", + "h5", + "h6", + "h7", + "h8", + "hr", + "i", + "img", + "ins", + "kbd", + "li", + "mark", + "ol", + "p", + "picture", + "pre", + "q", + "rp", + "rt", + "ruby", + "s", + "samp", + "small", + "source", + "span", + "span", + "strike", + "strong", + "sub", + "summary", + "sup", + "table", + "tbody", + "td", + "tfoot", + "th", + "thead", + "time", + "tr", + "tt", + "ul", + "var", + "video", + "wbr" + ] + } +} From 92096f63ef618f044281b7cb8acdbe528059dc19 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Tue, 4 Mar 2025 09:24:02 -0800 Subject: [PATCH 12/15] Fix warnings reported by shellcheck (#997) There are no functional changes in this commit; all changes are to address lint reported by shellcheck. --- check/mypy | 4 ++-- check/pylint | 6 +++--- check/pytest | 11 ++++++----- check/pytest-and-incremental-coverage | 6 ++++-- dev_tools/packaging/produce-package.sh | 3 ++- dev_tools/packaging/publish-dev-package.sh | 4 ++-- dev_tools/packaging/verify-published-package.sh | 2 +- 7 files changed, 20 insertions(+), 16 deletions(-) diff --git a/check/mypy b/check/mypy index 973200652..614e7e820 100755 --- a/check/mypy +++ b/check/mypy @@ -8,8 +8,8 @@ ################################################################################ # Get the working directory to the repo root. -cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -cd "$(git rev-parse --show-toplevel)" +cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" || exit 1 +cd "$(git rev-parse --show-toplevel)" || exit 1 echo -e -n "\033[31m" mypy --config-file=dev_tools/conf/mypy.ini "$@" . diff --git a/check/pylint b/check/pylint index 6d00d1f18..dd9199bcb 100755 --- a/check/pylint +++ b/check/pylint 
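Review bot: `"span"` is listed twice in `allowed_elements` (two consecutive `+ "span",` entries near the end of the list); one of them should be dropped so the list stays a plain set of tag names. In the same list `"h7"` and `"h8"` are not HTML elements (headings stop at `h6`), so they only add noise. The file header comment also has a doubled word in `multiple programs programs named "markdownlint"`; since the file is new in this commit, these are cheap to clean up now.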
@@ -8,7 +8,7 @@ ################################################################################ # Get the working directory to the repo root. -cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -cd "$(git rev-parse --show-toplevel)" +cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" || exit 1 +cd "$(git rev-parse --show-toplevel)" || exit 1 -pylint --rcfile=dev_tools/conf/.pylintrc $@ src dev_tools +pylint --rcfile=dev_tools/conf/.pylintrc "$@" src dev_tools diff --git a/check/pytest b/check/pytest index dc21dd585..fac6777b1 100755 --- a/check/pytest +++ b/check/pytest @@ -4,7 +4,7 @@ # Runs pytest on the repository. # # Usage: -# check/pytest [--actually-quiet] [--flags for pytest] [file-paths-relative-to-repo-root] +# check/pytest [--actually-quiet] [--flags for pytest] [paths-relative-to-root] # # The --actually-quiet argument filters out any progress output from pytest. # @@ -14,8 +14,8 @@ ################################################################################ # Get the working directory to the repo root. -cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -cd "$(git rev-parse --show-toplevel)" +cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" || exit 1 +cd "$(git rev-parse --show-toplevel)" || exit 1 rootdir=$(pwd) @@ -30,10 +30,11 @@ for arg in "$@"; do done if [ -z "${ACTUALLY_QUIET}" ]; then - pytest -c dev_tools/conf/pytest.ini --rootdir=$rootdir "${PYTEST_ARGS[@]}" + pytest -c dev_tools/conf/pytest.ini --rootdir="$rootdir" "${PYTEST_ARGS[@]}" else # Filter out lines like "...F....x... [ 42%]", with coloring. - pytest -c dev_tools/conf/pytest.ini --rootdir=$rootdir -q --color=yes "${PYTEST_ARGS[@]}" | + pytest -c dev_tools/conf/pytest.ini \ + --rootdir="$rootdir" -q --color=yes "${PYTEST_ARGS[@]}" | grep -Pv '^(.\[0m)?[\.FEsx]+(.\[36m)?\s+\[\s*\d+%\](.\[0m)?$' exit "${PIPESTATUS[0]}" fi diff --git a/check/pytest-and-incremental-coverage b/check/pytest-and-incremental-coverage index 631915190..837ae9a82 100755 
--- a/check/pytest-and-incremental-coverage +++ b/check/pytest-and-incremental-coverage @@ -27,8 +27,8 @@ cd "$( dirname "${BASH_SOURCE[0]}" )" || exit 1 cd "$(git rev-parse --show-toplevel)" || exit 1 # Figure out which revision to compare against. -if [ ! -z "$1" ] && [[ $1 != -* ]]; then - if [ "$(git cat-file -t $1 2> /dev/null)" != "commit" ]; then +if [[ -n "$1" && $1 != -* ]]; then + if [[ "$(git cat-file -t "$1" 2> /dev/null)" != "commit" ]]; then echo -e "\033[31mNo revision '$1'.\033[0m" >&2 exit 1 fi @@ -43,7 +43,9 @@ else echo -e "\033[31mNo default revision found to compare against. Argument #1 must be what to diff against (e.g. 'origin/master' or 'HEAD~1').\033[0m" >&2 exit 1 fi +# shellcheck disable=SC2086 base="$(git merge-base ${rev} HEAD)" +# shellcheck disable=SC2086 if [ "$(git rev-parse ${rev})" == "${base}" ]; then echo -e "Comparing against revision '${rev}'." >&2 else diff --git a/dev_tools/packaging/produce-package.sh b/dev_tools/packaging/produce-package.sh index 38f1e4627..8ea4a20c6 100755 --- a/dev_tools/packaging/produce-package.sh +++ b/dev_tools/packaging/produce-package.sh @@ -68,6 +68,7 @@ function confirm() { if [ -n "$(git status --short)" ]; then echo -e "${RED}WARNING: There are uncommitted git changes." echo -e "They won't be included in the package.${RESET}" + # shellcheck disable=SC2310 if ! confirm "${YELLOW}Proceed anyway?${RESET}"; then echo "Stopping." exit 1 @@ -75,7 +76,7 @@ if [ -n "$(git status --short)" ]; then fi tmp_git_dir=$(mktemp -d "/tmp/produce-package-git.XXXXXXXXXXXXXXXX") -trap "{ rm -rf $tmp_git_dir; }" EXIT +trap '{ rm -rf "$tmp_git_dir"; }' EXIT cd "$tmp_git_dir" git init --quiet diff --git a/dev_tools/packaging/publish-dev-package.sh b/dev_tools/packaging/publish-dev-package.sh index 54272a6bf..40af1def5 100755 --- a/dev_tools/packaging/publish-dev-package.sh +++ b/dev_tools/packaging/publish-dev-package.sh 
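Review bot: The two added `# shellcheck disable=SC2086` directives in the `@@ -43,7 +43,9 @@` hunk silence the warning rather than fixing it; `rev` is either the `$1` validated by `git cat-file -t "$1"` in the hunk above or a default set outside this view, and if it is always a single revision name the simpler fix is to quote it: `base="$(git merge-base "${rev}" HEAD)"` and `if [ "$(git rev-parse "${rev}")" == "${base}" ]; then`. If `rev` is deliberately allowed to hold several words, a short comment next to the disable saying so would stop the next reader from re-quoting it. The branch that assigns `rev` starts before this hunk.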
@@ -56,7 +56,7 @@ if [[ "${EXPECTED_VERSION}" != *dev* ]]; then echo -e "\e[31mExpected version must include 'dev'.\e[0m" exit 1 fi -ACTUAL_VERSION_LINE=$(cat "src/${PROJECT_NAME}/_version.py" | tail -n 1) +ACTUAL_VERSION_LINE=$(tail -n 1 "src/${PROJECT_NAME}/_version.py") if [ "${ACTUAL_VERSION_LINE}" != '__version__ = "'"${EXPECTED_VERSION}"'"' ]; then echo -e "\e[31mExpected version (${EXPECTED_VERSION}) didn't match the one in ${PROJECT_NAME}/_version.py (${ACTUAL_VERSION_LINE}).\e[0m" exit 1 @@ -103,7 +103,7 @@ cd "$(git rev-parse --show-toplevel)" # Temporary workspace. tmp_package_dir=$(mktemp -d "/tmp/publish-dev-package_package.XXXXXXXXXXXXXXXX") -trap "{ rm -rf ${tmp_package_dir}; }" EXIT +trap '{ rm -rf "${tmp_package_dir}"; }' EXIT # Produce packages. dev_tools/packaging/produce-package.sh "${tmp_package_dir}" "${UPLOAD_VERSION}" diff --git a/dev_tools/packaging/verify-published-package.sh b/dev_tools/packaging/verify-published-package.sh index dc20f5ed1..36346980c 100755 --- a/dev_tools/packaging/verify-published-package.sh +++ b/dev_tools/packaging/verify-published-package.sh @@ -57,7 +57,7 @@ REPO_ROOT="$(git rev-parse --show-toplevel)" # Temporary workspace. tmp_dir=$(mktemp -d "/tmp/verify-published-package.XXXXXXXXXXXXXXXX") cd "${tmp_dir}" -trap "{ rm -rf ${tmp_dir}; }" EXIT +trap '{ rm -rf "$tmp_dir"; }' EXIT # Prepare. PYTHON_VERSION=python3 From cbc68a50026dc8b687687de2ec1e6bfc512eccb7 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Tue, 4 Mar 2025 11:19:56 -0800 Subject: [PATCH 13/15] CI checks need to be run if ci.yml changes (#998) The tests for changed files needs to consider changes to the workflow definitions too, because a change to the workflow definition could involve changing options or other aspects of the CI tests that might change the check results. --- .github/workflows/ci.yaml | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6756ffc83..2796bdd9c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -82,19 +82,27 @@ jobs:
runs-on: ubuntu-24.04
timeout-minutes: 5
outputs:
- python: ${{steps.filter.outputs.python}}
+ gha: ${{steps.filter.outputs.gha}}
+ gha_files: ${{steps.filter.outputs.gha_files}}
+ # The following all test both the relevant file condition & the CI config
+ # because a change to the CI workflows can affect CI check results.
+ python: |-
+ ${{steps.filter.outputs.python}} || ${{steps.filter.outputs.ci}}
python_files: ${{steps.filter.outputs.python_files}}
- yaml: ${{steps.filter.outputs.yaml}}
+ yaml: |-
+ ${{steps.filter.outputs.yaml}} || ${{steps.filter.outputs.ci}}
yaml_files: ${{steps.filter.outputs.yaml_files}}
- cff: ${{steps.filter.outputs.cff}}
+ cff: |-
+ ${{steps.filter.outputs.cff}} || ${{steps.filter.outputs.ci}}
cff_files: ${{steps.filter.outputs.cff_files}}
- gha: ${{steps.filter.outputs.gha}}
- gha_files: ${{steps.filter.outputs.gha_files}}
- json: ${{steps.filter.outputs.json}}
+ json: |-
+ ${{steps.filter.outputs.json}} || ${{steps.filter.outputs.ci}}
json_files: ${{steps.filter.outputs.json_files}}
- docker: ${{steps.filter.outputs.docker}}
+ docker: |-
+ ${{steps.filter.outputs.docker}} || ${{steps.filter.outputs.ci}}
docker_files: ${{steps.filter.outputs.docker_files}}
- shell: ${{steps.filter.outputs.shell}}
+ shell: |-
+ ${{steps.filter.outputs.shell}} || ${{steps.filter.outputs.ci}}
shell_files: ${{steps.filter.outputs.shell_files}}
steps:
# When invoked manually, use the given SHA to figure out the change list.
@@ -132,6 +140,10 @@ jobs:
list-files: 'shell'
# The outputs will be variables named "foo_files" for a filter "foo".
filters: |
+ ci:
+ - './.github/workflows/ci.yml'
+ - './.github/workflows/codeql.yaml'
+ - './.github/workflows/osv-scanner.yaml'
cff:
- added|modified:
- '**/CITATION.cff'
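Review bot: The new `python`, `yaml`, `cff`, `json`, `docker` and `shell` outputs are `|-` block scalars of the form `${{steps.filter.outputs.python}} || ${{steps.filter.outputs.ci}}`, and GitHub evaluates only the text inside `${{ }}`, so the job output becomes the literal string `false || true` (or similar) rather than a boolean. Downstream gates written as `needs.changes.outputs.python == 'true'` (visible in the next patch) would then never match and every gated check would be skipped silently, which is the opposite of what this commit sets out to do. Moving the whole disjunction inside one expression fixes it, e.g. `python: ${{steps.filter.outputs.python == 'true' || steps.filter.outputs.ci == 'true'}}`, repeated for the other five outputs; one manual run that touches a Python file would confirm the gated jobs start again.
```yaml
      outputs:
        gha: ${{steps.filter.outputs.gha}}
        gha_files: ${{steps.filter.outputs.gha_files}}
        # … unchanged: explanatory comment …
        python: ${{steps.filter.outputs.python == 'true' || steps.filter.outputs.ci == 'true'}}
        python_files: ${{steps.filter.outputs.python_files}}
        yaml: ${{steps.filter.outputs.yaml == 'true' || steps.filter.outputs.ci == 'true'}}
        yaml_files: ${{steps.filter.outputs.yaml_files}}
        cff: ${{steps.filter.outputs.cff == 'true' || steps.filter.outputs.ci == 'true'}}
        cff_files: ${{steps.filter.outputs.cff_files}}
        json: ${{steps.filter.outputs.json == 'true' || steps.filter.outputs.ci == 'true'}}
        json_files: ${{steps.filter.outputs.json_files}}
        docker: ${{steps.filter.outputs.docker == 'true' || steps.filter.outputs.ci == 'true'}}
        docker_files: ${{steps.filter.outputs.docker_files}}
        shell: ${{steps.filter.outputs.shell == 'true' || steps.filter.outputs.ci == 'true'}}
        shell_files: ${{steps.filter.outputs.shell_files}}
```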
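Review bot: The new `ci` filter lists `./.github/workflows/ci.yml`, but the file this diff edits is `.github/workflows/ci.yaml` (see the `diff --git` header), so a change to the CI workflow itself — the very case the commit message describes — would not trip the filter. The three entries also carry a leading `./`, which none of the neighbouring filters use (`'**/CITATION.cff'`); the paths-filter step matches repository-relative paths, so I would expect `'.github/workflows/ci.yaml'` without the prefix, and a test commit touching the workflow would settle whether the prefixed form matches at all. The `filters:` block continues past the end of this hunk.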
From 01c5f52e56918f797104e1847d9a14d6f5f290fd Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Wed, 5 Mar 2025 09:51:15 -0800 Subject: [PATCH 14/15] Add problem matchers for Mypy, Pytest, and Black (#1000) * Add problem matchers for mypy and pytest * Add problem matcher for Black * Pass input sha to format-incremental If the user supplied a sha in a manual workflow run, we need to pass that to `format-incremental` or else it won't compare files to the correct revision. * Prefer single quotes in YAML Due to how GitHub Actions syntax works, I'm finding it safer to use single quotes for YAML values and (usually) double quotes in shell scripts. * Tighten format of "run:" for one-liners It seems slightly easier to read the code when single-line shell commands are put on the same line as the `run:`, instead of being put on a separate line. --- .github/problem-matchers/README.md | 43 +++++++++++----- .github/problem-matchers/black.json | 15 ++++++ .github/problem-matchers/mypy.json | 19 ++++++++ .github/problem-matchers/pytest.json | 16 ++++++ .github/workflows/ci.yaml | 70 ++++++++++++++------------- .github/workflows/nightly-pytest.yaml | 3 ++ 6 files changed, 120 insertions(+), 46 deletions(-) create mode 100644 .github/problem-matchers/black.json create mode 100644 .github/problem-matchers/mypy.json create mode 100644 .github/problem-matchers/pytest.json diff --git a/.github/problem-matchers/README.md b/.github/problem-matchers/README.md index 48835c081..6ef475f64 100644 --- a/.github/problem-matchers/README.md +++ b/.github/problem-matchers/README.md
@@ -17,23 +17,42 @@ from the [Home Assistant](https://github.com/home-assistant/core) project on GitHub. The Home Assistant project is licensed under the Apache 2.0 open-source license. The version of the files at the time they were copied was 2025.1.2. -- [`pylint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/pylint.json) -- [`yamllint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/yamllint.json) +- [`pylint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/pylint.json) +- [`yamllint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/yamllint.json) -The following problem matcher JSON file came from the +The Mypy and Pytest problem matchers files originally came from the +[gh-problem-matcher-wrap](https://github.com/liskin/gh-problem-matcher-wrap/tree/master/problem-matchers) +repository (copied 2025-03-04, version 3.0.0), and were subsequently modified by +Michael Hucka. The original JSON files are Copyright © 2020 Tomáš Janoušek and +made available under the terms of the MIT license. + +- [`mypy.json`](https://github.com/liskin/gh-problem-matcher-wrap/blob/master/problem-matchers/mypy.json) +- [`pytest.json`](https://github.com/liskin/gh-problem-matcher-wrap/blob/master/problem-matchers/pytest.json) + +The actionlint problem matcher JSON file came from the [actionlint](https://github.com/rhysd/actionlint/blob/v1.7.7/docs/usage.md) -documentation (copied on 2025-02-12, version 1.7.7): +documentation (copied on 2025-02-12, version 1.7.7). Actionlint is made +available under the terms of the MIT license. 
-- [`actionlint.json`](https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json) +- [`actionlint.json`](https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json) -The following problem matcher JSON file came from the +The Hadolint problem matcher JSON file came from the [hadolint-action](https://github.com/hadolint/hadolint-action) repository -(copied on 2025-02-17, version 3.1.0): +(copied on 2025-02-17, version 3.1.0). Hadolint is made available under the +terms of the MIT license. + +- [`hadolint.json`](https://github.com/hadolint/hadolint-action/blob/master/problem-matcher.json) + +The ShellCheck problem matcher JSON file came from the +[shellcheck-problem-matchers](https://github.com/lumaxis/shellcheck-problem-matchers) +repository (copied 2025-02-26, version v2.1.0). The ShellCheck problem matchers +are made available under the terms of the MIT license. -- [`hadolint.json`](https://github.com/hadolint/hadolint-action/blob/master/problem-matcher.json) +- [`shellcheck-tty.json`](https://github.com/lumaxis/shellcheck-problem-matchers/blob/main/.github/shellcheck-tty.json) -The Shellcheck problem matcher JSON file came from the -[shellcheck-problem-matchers](uhttps://github.com/lumaxis/shellcheck-problem-matchers) -repository (copied 2025-02-26, version v2.1.0). +The following problem matcher for Black came from a fork of the +[MLflow](https://github.com/mlflow/mlflow) project by user Sumanth077 on +GitHub. The MLflow project is licensed under the Apache 2.0 open-source +license. The version of the file copied was dated 2022-05-29. -- [`shellcheck-tty.json`](https://github.com/lumaxis/shellcheck-problem-matchers/blob/main/.github/shellcheck-tty.json) +- [`black.json`](https://github.com/Sumanth077/mlflow/blob/problem-matcher-for-black/.github/workflows/matchers/black.json) 
diff --git a/.github/problem-matchers/black.json b/.github/problem-matchers/black.json
new file mode 100644
index 000000000..605f10c27
--- /dev/null
+++ b/.github/problem-matchers/black.json
@@ -0,0 +1,15 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "black",
+ "severity": "error",
+ "pattern": [
+ {
+ "regexp": "^(would reformat) (.+)$",
+ "file": 2,
+ "message": 1
+ }
+ ]
+ }
+ ]
+}
diff --git a/.github/problem-matchers/mypy.json b/.github/problem-matchers/mypy.json
new file mode 100644
index 000000000..027169219
--- /dev/null
+++ b/.github/problem-matchers/mypy.json
@@ -0,0 +1,19 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "mypy",
+ "severity": "error",
+ "pattern": [
+ {
+ "regexp": "^([^:]*):(\\d+):(?:(\\d+):)?\\s(error|warning): (.*?)(?: \\[(\\S+)\\])?$",
+ "file": 1,
+ "line": 2,
+ "column": 3,
+ "severity": 4,
+ "message": 5,
+ "code": 6
+ }
+ ]
+ }
+ ]
+}
diff --git a/.github/problem-matchers/pytest.json b/.github/problem-matchers/pytest.json
new file mode 100644
index 000000000..f6bbfba32
--- /dev/null
+++ b/.github/problem-matchers/pytest.json
@@ -0,0 +1,16 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "pytest",
+ "severity": "error",
+ "pattern": [
+ {
+ "regexp": "^(\\S+):(\\d+): (.*)$",
+ "file": 1,
+ "line": 2,
+ "message": 3
+ }
+ ]
+ }
+ ]
+}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2796bdd9c..a5c750a4d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -46,10 +46,10 @@ concurrency:
env:
# Default Python version to use. Make sure to use full x.y.z number.
- python_ver: "3.12.8"
+ python_ver: '3.12.8'
# Oldest Python version to use, for max_compat tests.
- python_compat_ver: "3.10.15"
+ python_compat_ver: '3.10.15'
# Files listing dependencies we install using pip in the various jobs below.
# This is used by setup-python to check whether its cache needs updating.
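Review bot: The `pytest.json` matcher's pattern `^(\S+):(\d+): (.*)$` is very broad and the matcher is registered with `"severity": "error"`, so any `path:line: text` line pytest prints — including entries in its warnings summary — can be annotated as an error on the pull request. If that turns out to be noisy, either anchor the pattern on the failure lines pytest actually emits, or register the matcher only around the test step and drop it afterwards with `echo '::remove-matcher owner=pytest::'` so later steps' output is not annotated. The `mypy.json` pattern captures its own `severity` group and is tight enough not to need this.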
@@ -85,7 +85,7 @@ jobs:
gha: ${{steps.filter.outputs.gha}}
gha_files: ${{steps.filter.outputs.gha_files}}
# The following all test both the relevant file condition & the CI config
- # because a change to the CI workflows can affect CI check results.
+ # because a change in the CI workflows can affect the CI check results.
python: |-
${{steps.filter.outputs.python}} || ${{steps.filter.outputs.ci}}
python_files: ${{steps.filter.outputs.python_files}}
@@ -181,7 +181,7 @@ jobs:
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
with:
python-version: ${{inputs.python_ver || env.python_ver}}
- architecture: "x64"
+ architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
@@ -212,15 +212,18 @@ jobs:
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
with:
python-version: ${{inputs.python_ver || env.python_ver}}
- architecture: "x64"
+ architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: pip install -r dev_tools/requirements/envs/format.env.txt
+ - name: Set up problem matcher for Black output
+ run: echo '::add-matcher::.github/problem-matchers/black.json'
+
- name: Run format checks
- run: check/format-incremental
+ run: check/format-incremental ${{inputs.sha}}
python-mypy:
if: needs.changes.outputs.python == 'true'
@@ -236,13 +239,16 @@ jobs:
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
with:
python-version: ${{inputs.python_ver || env.python_ver}}
- architecture: "x64"
+ architecture: 'x64'
cache: pip
cache-dependency-path: ${{env.python_dep_files}}
- name: Install requirements
run: pip install -r dev_tools/requirements/envs/mypy.env.txt
+ - name: Set up Mypy output problem matcher
+ run: echo '::add-matcher::.github/problem-matchers/mypy.json'
+
- name: Type check
run: check/mypy
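Review bot: `run: check/format-incremental ${{inputs.sha}}` in the `@@ -212,15 +212,18 @@` hunk splices a `workflow_dispatch` input straight into the shell command line; the expression is expanded before bash parses the line, so the value is not treated as one quoted argument. The usual hardening is to pass it through the environment and quote it in the script: add `env:` with `SHA: ${{inputs.sha}}` on the step and use `run: check/format-incremental ${SHA:+"$SHA"}`, which also preserves the old no-argument call when the input is empty on push and pull-request runs. The same treatment applies wherever `inputs.sha` reaches other check scripts outside this hunk.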
@@ -260,7 +266,7 @@ jobs: uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5 with: python-version: ${{inputs.python_ver || env.python_ver}} - architecture: "x64" + architecture: 'x64' cache: pip cache-dependency-path: ${{env.python_dep_files}} @@ -308,6 +314,9 @@ jobs: pip install -r dev_tools/requirements/envs/pytest.env.txt pip install cirq-core==${{matrix.cirq-version}} + - name: Set up Pytest output problem matcher + run: echo '::add-matcher::.github/problem-matchers/pytest.json' + - name: Run pytest run: check/pytest @@ -352,6 +361,9 @@ jobs: pip install -r dev_tools/requirements/envs/pytest-extra.env.txt pip install cirq-core==${{matrix.cirq-version}} + - name: Set up Pytest output problem matcher + run: echo '::add-matcher::.github/problem-matchers/pytest.json' + - name: Run pytest run: check/pytest -m "not slow" src/openfermion/resource_estimates @@ -387,8 +399,10 @@ jobs: python-version: ${{env.python_compat_ver}} - name: Install requirements - run: | - pip install -r dev_tools/requirements/max_compat/pytest-max-compat.env.txt + run: pip install -r dev_tools/requirements/max_compat/pytest-max-compat.env.txt + + - name: Set up Pytest output problem matcher + run: echo '::add-matcher::.github/problem-matchers/pytest.json' - name: Run pytest run: check/pytest @@ -431,8 +445,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up yamllint output problem matcher - run: | - echo "::add-matcher::.github/problem-matchers/yamllint.json" + run: echo "::add-matcher::.github/problem-matchers/yamllint.json" - name: Run yamllint run: | 
@@ -453,15 +466,13 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install jsonlint - run: | - npm install -g @prantlf/jsonlint + run: npm install -g @prantlf/jsonlint - name: Set up jsonlint output problem matcher run: echo '::add-matcher::.github/problem-matchers/jsonlint.json' - name: Run jsonlint on JSON files - run: | - jsonlint --continue ${{env.changed_files}} + run: jsonlint --continue ${{env.changed_files}} cff-validation: if: needs.changes.outputs.cff == 'true' @@ -476,12 +487,10 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install cffconvert - run: | - pip install cffconvert + run: pip install cffconvert - name: Run cffconvert in validation mode - run: | - cffconvert --validate + run: cffconvert --validate docker-lint: if: needs.changes.outputs.docker == 'true' @@ -499,15 +508,13 @@ jobs: # Note: there is a hadolint GitHub Actions available, but it only accepts # one Dockerfile to check. We have > 1 file to check, so we need the CLI. - name: Install hadolint - run: | - brew install hadolint + run: brew install hadolint - name: Set up hadolint output problem matcher run: echo '::add-matcher::.github/problem-matchers/hadolint.json' - name: Run hadolint on Dockerfiles that have been changed - run: | - hadolint ${{env.changed_files}} + run: hadolint ${{env.changed_files}} workflow-validation: if: needs.changes.outputs.gha == 'true' 
@@ -528,16 +535,13 @@ jobs: # If we didn't fail the previous check, go on to more time-consuming ones. - name: Install actionlint - run: | - HOMEBREW_NO_AUTO_UPDATE=1 brew install actionlint + run: HOMEBREW_NO_AUTO_UPDATE=1 brew install actionlint - name: Set up actionlint output problem matcher - run: | - echo "::add-matcher::.github/problem-matchers/actionlint.json" + run: echo "::add-matcher::.github/problem-matchers/actionlint.json" - name: Verify that all GitHub Actions workflows are valid - run: | - /opt/homebrew/bin/actionlint -color + run: /opt/homebrew/bin/actionlint -color shell-script-lint: if: needs.changes.outputs.shell == 'true' @@ -552,9 +556,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up shellcheck output problem matcher - run: | - echo "::add-matcher::.github/problem-matchers/shellcheck.json" + run: echo "::add-matcher::.github/problem-matchers/shellcheck.json" - name: Run shellcheck on shell scripts that have been changed - run: | - shellcheck ${{env.changed_files}} + run: shellcheck ${{env.changed_files}} diff --git a/.github/workflows/nightly-pytest.yaml b/.github/workflows/nightly-pytest.yaml index 3b230a1af..d7a986325 100644 --- a/.github/workflows/nightly-pytest.yaml +++ b/.github/workflows/nightly-pytest.yaml @@ -85,6 +85,9 @@ jobs: run: | pip install -U cirq-core ${{inputs.args}} + - name: Set up Pytest output problem matcher + run: echo '::add-matcher::.github/problem-matchers/pytest.json' + - name: Run Pytest run: | check/pytest From dce8ee2162b3bae80ca0cfe0546ab84a3273ba0a Mon Sep 17 00:00:00 2001 
From: Michael Hucka Date: Wed, 5 Mar 2025 14:03:38 -0800 Subject: [PATCH 15/15] More setup, editing, configuration, renaming, tweaking --- .github/workflows/ci.yaml | 3 +++ .github/workflows/codeql.yaml | 2 +- .github/workflows/nightly-pytest.yaml | 5 ++--- .github/workflows/nightly.yaml | 19 +++++-------------- .github/workflows/osv-scanner.yaml | 2 +- .../{ossf-scorecard.yaml => scorecard.yaml} | 4 ++-- 6 files changed, 14 insertions(+), 21 deletions(-) rename .github/workflows/{ossf-scorecard.yaml => scorecard.yaml} (96%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a5c750a4d..2ac752ba6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -429,6 +429,9 @@ jobs: - name: Install requirements run: pip install -r dev_tools/requirements/envs/pytest.env.txt + - name: Set up Pytest output problem matcher + run: echo '::add-matcher::.github/problem-matchers/pytest.json' + - name: Run code coverage tests run: check/pytest-and-incremental-coverage diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index ab0ec6c03..18a9deec5 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -26,7 +26,7 @@ concurrency: jobs: codeql: - name: Run CodeQL analysis + name: Run runs-on: ubuntu-24.04 permissions: security-events: write diff --git a/.github/workflows/nightly-pytest.yaml b/.github/workflows/nightly-pytest.yaml index d7a986325..8610df586 100644 --- a/.github/workflows/nightly-pytest.yaml +++ b/.github/workflows/nightly-pytest.yaml @@ -1,9 +1,8 @@ # Summary: reusable workflow called by nightly.yaml. -# # This workflow expects input values passed by nightly.yml. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -name: Full Pytest +name: Nightly full tests – Pytest matrix run-name: Run ${{inputs.reason}} Pytest full tests on: 
@@ -37,7 +36,7 @@ jobs:
# to be available on as many os/arch combos as possible, while also
# making all necessary Python dependencies available on those combos.
# TODO: add '3.13.1' once Cirq 1.5 is released.
- python-version: ['3.10.11', '3.11.9', '3.12.7', '3.13.1']
+ python-version: ['3.10.11', '3.11.9', '3.12.7']
os: [ubuntu-22.04, ubuntu-22.04-arm, macos-14, windows-2022]
arch: [x64, arm64]
exclude:
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 90d8cc9d4..ec61d16fc 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -5,7 +5,7 @@
# https://github.com/quantumlib/OpenFermion/actions/workflows/nightly.yaml
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-name: Nightly tests and code scans
+name: Nightly full tests
run-name: Run nightly tests and code scans in ${{github.repository}}
on:
@@ -14,20 +14,10 @@ on:
# Allow manual invocation.
workflow_dispatch:
- inputs:
- sha:
- description: 'SHA of commit to run against:'
- type: string
- required: true
# Declare default permissions as read only.
permissions: read-all
-concurrency:
- # Cancel any previously-started but still active runs on the same branch.
- cancel-in-progress: true
- group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
-
jobs:
cirq-stable:
name: Pytest Cirq stable release
@@ -35,7 +25,6 @@ jobs:
with:
args: ''
reason: nightly
- sha: ${{inputs.sha}}
cirq-pre:
name: Pytest Cirq pre-release
@@ -43,22 +32,24 @@ jobs:
with:
args: '--pre'
reason: nightly
- sha: ${{inputs.sha}}
codeql:
name: CodeQL code scan
uses: ./.github/workflows/codeql.yaml
+ permissions: write-all
with:
reason: nightly
scorecard:
name: Scorecard code scan
- uses: ./.github/workflows/ossf-scorecard.yaml
+ uses: ./.github/workflows/scorecard.yaml
+ permissions: write-all
with:
reason: nightly
osv:
name: OSV code scan
uses: ./.github/workflows/osv-scanner.yaml
+ permissions: write-all
with:
reason: nightly
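Review bot: The three `permissions: write-all` lines added to the codeql, scorecard and osv jobs in the last nightly.yaml hunk hand every GITHUB_TOKEN scope (contents, packages, pull-requests, id-token, and the rest) to the whole called workflow and to each third-party action step inside it, which is far broader than a scan needs and silently overrides the `permissions: read-all` default set earlier in the same file. A reusable workflow can only narrow what its caller grants, so the caller should list exactly the scopes the callee jobs declare: the codeql job in codeql.yaml requests `security-events: write` (visible in this patch), and the scorecard and osv-scan jobs each carry their own job-level `permissions:` block, cut off here, that should be mirrored the same way. For codeql, something like `permissions: {security-events: write, actions: read, contents: read}` covers uploading results plus checkout; confirm the exact set against each callee before tightening. A run that then fails with a missing scope names that scope in its error, which is a safer place to start from than write-all.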
diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml
index a1a680332..45d5c9eb6 100644
--- a/.github/workflows/osv-scanner.yaml
+++ b/.github/workflows/osv-scanner.yaml
@@ -28,7 +28,7 @@ permissions: read-all
jobs:
osv-scan:
- name: Perform Open Source Vulnerabilities scan
+ name: Run
runs-on: ubuntu-22.04
timeout-minutes: 15
permissions:
diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/scorecard.yaml
similarity index 96%
rename from .github/workflows/ossf-scorecard.yaml
rename to .github/workflows/scorecard.yaml
index 90840e505..865526673 100644
--- a/.github/workflows/ossf-scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -4,7 +4,7 @@
# Google's GitHub guidance.
# ~~~~
-name: OpenSSF Scorecard analysis
+name: Scorecard analysis
run-name: Do ${{inputs.reason}} Scorecard analysis
on:
@@ -28,7 +28,7 @@ permissions: read-all
jobs:
scorecard:
- name: Perform Scorecard analysis
+ name: Run
runs-on: ubuntu-22.04
timeout-minutes: 15
permissions:
