From b8266c64cca65e5c3e98906891c3946be8c0e6fd Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Tue, 7 Apr 2026 15:17:31 +0200 Subject: [PATCH 01/13] chore: replace action tags with sha keys --- .github/workflows/main.yml | 26 +++++++++++++------------- .github/workflows/publish-to-pypi.yml | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 027bc75f5..be7adb1ab 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,8 +22,8 @@ jobs: - '313' - '314' steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 cache: true @@ -35,7 +35,7 @@ jobs: run: pixi run -e tests-linux-py${{ matrix.python-version }} tests-with-cov - name: Upload coverage report. if: matrix.python-version == '312' - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: token: ${{ secrets.CODECOV_TOKEN }} run-tests-win-and-mac: @@ -52,8 +52,8 @@ jobs: - '313' - '314' steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 cache: true @@ -67,8 +67,8 @@ jobs: name: Run tests on ubuntu-latest with plotly < 6 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 cache: true 
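Review bot: The `# v4.3.1`, `# v0.9.4` and `# v4.6.0` trailers on the new `uses:` lines are comments only: the runner resolves the 40-character SHA, and nothing in the workflow checks that `34e114876b0b…` is in fact the commit behind actions/checkout v4.3.1. Verify each SHA against the upstream tag once at review time, and treat the comment as part of the pin on every future bump, ideally with a linter that fails when the annotated tag and the SHA disagree. Note also that `pixi-version: v0.65.0` on the context lines is a tag-style pin of a binary that setup-pixi presumably downloads; the SHA pin on the action itself says nothing about what that download contains, so it deserves the same scrutiny.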
@@ -89,8 +89,8 @@ jobs: - '313' - '314' steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 cache: true @@ -106,8 +106,8 @@ jobs: name: Run code snippets in documentation runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 cache: true @@ -123,8 +123,8 @@ jobs: name: Run mypy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: prefix-dev/setup-pixi@v0.9.4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 cache: true diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index 0f5933a33..4631ba2d8 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -6,9 +6,9 @@ jobs: name: Build and publish optimagic Python 🐍 distributions 📦 to PyPI runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python 3.12 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.12' - name: Install pypa/build From 08e0bd322cf63049421db610463722100d340139 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Tue, 7 Apr 2026 15:24:40 +0200 Subject: [PATCH 02/13] chore: set permission levels --- .github/workflows/main.yml | 14 ++++++++++++++ .github/workflows/publish-to-pypi.yml | 4 ++++ 2 files changed, 18 insertions(+) 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index be7adb1ab..6ae29563a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,4 +1,6 @@ --- +permissions: + contents: read name: main concurrency: group: ${{ github.head_ref || github.run_id }} @@ -23,6 +25,8 @@ jobs: - '314' steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 @@ -53,6 +57,8 @@ jobs: - '314' steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 @@ -68,6 +74,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 @@ -90,6 +98,8 @@ jobs: - '314' steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 @@ -107,6 +117,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 @@ -124,6 +136,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4 with: pixi-version: v0.65.0 
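Review bot: The workflow-level `permissions: contents: read` added here scopes only the automatic GITHUB_TOKEN; it does not restrict repository secrets, so `secrets.CODECOV_TOKEN`, read by the codecov step of the same test job in an earlier hunk, stays available to every step that runs the test suite. Worth a comment above the block so nobody reads it as secret isolation, e.g. `# Least-privilege GITHUB_TOKEN only; repository secrets are not limited by this.` `persist-credentials: false` on every checkout is the right default, but it means a future step that pushes or fetches with the job token must be handed one explicitly — none of the visible steps need it. Minor style: `permissions:` usually follows `name:` and `on:`; placing it before `name:` is valid but unusual.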
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index 4631ba2d8..8b0c8f896 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -1,4 +1,6 @@ --- +permissions: + contents: read name: PyPI on: push jobs: @@ -7,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Set up Python 3.12 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: From 75230622b952564bd77d45b6d0888a3954724b56 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Tue, 7 Apr 2026 15:36:22 +0200 Subject: [PATCH 03/13] chore: add sha key for publishing package --- .github/workflows/publish-to-pypi.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index 8b0c8f896..b5792a3d0 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -30,6 +30,6 @@ jobs: --outdir dist/ - name: Publish distribution 📦 to PyPI if: startsWith(github.ref, 'refs/tags') - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e with: password: ${{ secrets.PYPI_API_TOKEN_OPTIMAGIC }} From 93ce40ee404a04cd5b0389cf60457b7c1d6ab309 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Tue, 7 Apr 2026 15:58:04 +0200 Subject: [PATCH 04/13] chore: remove publish secret token --- .github/workflows/publish-to-pypi.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index b5792a3d0..a0c901390 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml 
@@ -7,6 +7,9 @@ jobs: build-n-publish: name: Build and publish optimagic Python 🐍 distributions 📦 to PyPI runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: @@ -31,5 +34,3 @@ jobs: - name: Publish distribution 📦 to PyPI if: startsWith(github.ref, 'refs/tags') uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e - with: - password: ${{ secrets.PYPI_API_TOKEN_OPTIMAGIC }} From ead594ce605cc3847d66842e3d9cf20727306d4a Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Tue, 7 Apr 2026 17:05:05 +0200 Subject: [PATCH 05/13] chore: separte workflow into build and publish steps --- .github/workflows/publish-to-pypi.yml | 28 ++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index a0c901390..b2f5ca932 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -1,15 +1,12 @@ --- -permissions: - contents: read name: PyPI on: push jobs: - build-n-publish: - name: Build and publish optimagic Python 🐍 distributions 📦 to PyPI + build: + name: Build distribution runs-on: ubuntu-latest permissions: contents: read - id-token: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: 
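Review bot: This hunk removes the workflow-level `permissions: contents: read`, so afterwards only the `build` job declares permissions and any job added to this file later without its own block falls back to the repository's default GITHUB_TOKEN grant, which may be read/write. Keep a restrictive default at the top, `permissions: {}` (or `contents: read`), and widen per job as the `build` job already does. Removing `id-token: write` from the job that builds from source is the right call; the OIDC grant belongs only on the job that publishes the finished artifact. `on: push` on the context line still runs this build for every branch and tag push — fine as a packaging smoke test, but worth a one-line comment stating that intent.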
@@ -31,6 +28,23 @@ jobs: --sdist --wheel --outdir dist/ - - name: Publish distribution 📦 to PyPI - if: startsWith(github.ref, 'refs/tags') + - name: Upload distribution artifacts + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: dist + path: dist + publish: + name: Publish to PyPI + if: startsWith(github.ref, 'refs/tags') + needs: build + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Download distribution artifacts + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + with: + name: dist + path: dist + - name: Publish distribution to PyPI uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e From e28ec6d70bf60c2a7ce97f3043e736569114b7ff Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Wed, 8 Apr 2026 09:51:02 +0200 Subject: [PATCH 06/13] chore: add doc strings for version numbers --- .github/workflows/publish-to-pypi.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index b2f5ca932..c7c32aebb 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -42,9 +42,11 @@ jobs: id-token: write steps: - name: Download distribution artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 + # yamllint disable-line rule:line-length + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: dist path: dist - name: Publish distribution to PyPI - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e + # yamllint disable-line rule:line-length + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 From 02ee78c80a03e25361185f0a3746d1c9c26fc042 Mon Sep 17 00:00:00 2001 
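Review bot: The new `publish` job holds `id-token: write` and is gated only by `if: startsWith(github.ref, 'refs/tags')`, with no `environment:`, so any tag pushed by anyone with tag-push rights to this repository mints a PyPI OIDC token and publishes. Add `environment: pypi` to the job, put required reviewers and tag restrictions on that environment in repository settings, and bind the PyPI trusted publisher to that environment name so a token minted outside it is rejected. If building on every push is not wanted, narrowing the trigger (`on: push: tags: ['v*']`, outside this hunk) also cuts the surface, though it removes the packaging check on ordinary pushes. The split itself is the right shape: the job that runs project code never receives the OIDC grant and only the pre-built `dist` artifact crosses into the publishing job — a comment on the `publish` job saying exactly that will stop the next maintainer collapsing them again.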
From: Abel Abate Date: Wed, 8 Apr 2026 17:29:32 +0200 Subject: [PATCH 07/13] chore: update upload/download-artifact actions to the latest version --- .github/workflows/publish-to-pypi.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml index c7c32aebb..430593c12 100644 --- a/.github/workflows/publish-to-pypi.yml +++ b/.github/workflows/publish-to-pypi.yml @@ -29,7 +29,7 @@ jobs: --wheel --outdir dist/ - name: Upload distribution artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: dist path: dist @@ -43,7 +43,7 @@ jobs: steps: - name: Download distribution artifacts # yamllint disable-line rule:line-length - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist path: dist From 0c07aead2c9788b6c4c4561e5dad40e3791cd5f2 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Wed, 8 Apr 2026 17:29:57 +0200 Subject: [PATCH 08/13] chore: add codecov environment --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6ae29563a..9667d9c18 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,6 +15,7 @@ on: jobs: run-tests-linux: name: Run tests on ubuntu-latest py${{ matrix.python-version }} + environment: codecov runs-on: ubuntu-latest strategy: fail-fast: false From 7fa80606575c93b2998558c3298d88974ceb9ca4 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Wed, 8 Apr 2026 17:41:21 +0200 Subject: [PATCH 09/13] Revert "chore: add codecov environment" This reverts commit 0c07aead2c9788b6c4c4561e5dad40e3791cd5f2. --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9667d9c18..6ae29563a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,7 +15,6 @@ on: jobs: run-tests-linux: name: Run tests on ubuntu-latest py${{ matrix.python-version }} - environment: codecov runs-on: ubuntu-latest strategy: fail-fast: false From 1b0ab57c155d73dd88a70b3ad0daca2e4096b531 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Thu, 9 Apr 2026 10:28:09 +0200 Subject: [PATCH 10/13] chore: create separate codecov job to use environment variable --- .github/workflows/main.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6ae29563a..985bc1462 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -37,10 +37,31 @@ jobs: - name: Run pytest shell: bash -el {0} run: pixi run -e tests-linux-py${{ matrix.python-version }} tests-with-cov - - name: Upload coverage report. + - name: Upload code coverage artifact. if: matrix.python-version == '312' + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: coverage + path: coverage.xml + upload-codecov: + name: Upload coverage report to codecov + needs: run-tests-linux + runs-on: ubuntu-latest + environment: codecov + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + - name: Download code coverage artifact + # yamllint disable-line rule:line-length + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: coverage + path: . + - name: Upload to codecov uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: + files: ./coverage.xml token: ${{ secrets.CODECOV_TOKEN }} run-tests-win-and-mac: name: Run tests on ${{ matrix.os }} py${{ matrix.python-version }} 
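Review bot: `environment: codecov` on the new `upload-codecov` job only isolates the token if `CODECOV_TOKEN` is stored as an environment secret; `${{ secrets.CODECOV_TOKEN }}` resolves identically from a repository-level secret, in which case the environment adds nothing. Move the secret into the `codecov` environment and remove the repository copy so it is readable only by this job, which never executes project code. The `path: coverage.xml` upload presumes the `tests-with-cov` pixi task writes its XML report to the checkout root — that task is defined outside this diff; add `# coverage.xml is written to the repo root by the tests-with-cov pixi task` above the upload step so the coupling is explicit. `needs: run-tests-linux` waits on the whole matrix while only the 3.12 leg produces the artifact; that is correct, but a comment on the `if:` line would make the single-leg upload read as intentional.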
From 3f2f75588b8e906b8f84ed1b15d64e8fc1f2fd93 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Fri, 10 Apr 2026 15:30:55 +0200 Subject: [PATCH 11/13] chore: add dependabot --- .github/dependabot.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..6106305dc --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,16 @@ +--- +version: 2 +# update once a week, with a 7-day cooldown +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 + - package-ecosystem: pre-commit + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 From a751a693f62b32c86680b6f842a46275638c7d6c Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Fri, 10 Apr 2026 16:17:26 +0200 Subject: [PATCH 12/13] fix: remove pre-commit auto update for dependabot --- .github/dependabot.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6106305dc..f666ed2ec 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,9 +8,3 @@ updates: interval: weekly cooldown: default-days: 7 - - package-ecosystem: pre-commit - directory: / - schedule: - interval: weekly - cooldown: - default-days: 7 From 0007a3c8bb22b86f0c998904c57f85f01bf1fd16 Mon Sep 17 00:00:00 2001 From: Abel Abate Date: Mon, 13 Apr 2026 12:39:06 +0200 Subject: [PATCH 13/13] Revert "chore: create separate codecov job to use environment variable" This reverts commit 1b0ab57c155d73dd88a70b3ad0daca2e4096b531. --- .github/workflows/main.yml | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 985bc1462..6ae29563a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
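Review bot: This Dependabot config tracks `uses:` references only; `pixi-version: v0.65.0` in main.yml is a tag-style pin of a separately downloaded binary and will not be bumped by it, so that pin needs its own update process. Say so in the file: `# NOTE: pixi-version in main.yml is not an action reference and is not updated here.` The 7-day `cooldown` is a sensible delay against releases that get yanked or found compromised shortly after publication; pairing it with a `groups:` entry so weekly action bumps arrive as one PR keeps the SHA/tag comments reviewable together.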
@@ -37,31 +37,10 @@ jobs: - name: Run pytest shell: bash -el {0} run: pixi run -e tests-linux-py${{ matrix.python-version }} tests-with-cov - - name: Upload code coverage artifact. + - name: Upload coverage report. if: matrix.python-version == '312' - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: coverage - path: coverage.xml - upload-codecov: - name: Upload coverage report to codecov - needs: run-tests-linux - runs-on: ubuntu-latest - environment: codecov - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - with: - persist-credentials: false - - name: Download code coverage artifact - # yamllint disable-line rule:line-length - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: coverage - path: . - - name: Upload to codecov uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: - files: ./coverage.xml token: ${{ secrets.CODECOV_TOKEN }} run-tests-win-and-mac: name: Run tests on ${{ matrix.os }} py${{ matrix.python-version }}
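Review bot: Reverting the separate upload job puts `${{ secrets.CODECOV_TOKEN }}` back into the job that runs the test suite (`pixi run … tests-with-cov`), so any code reachable from the tests, including dependency code pixi installs, executes with that secret in the job's environment. If the `on:` block (not visible here) includes `pull_request`, fork PRs will not receive the secret and this upload step fails or falls back to tokenless mode — confirm that is the intended behaviour. If the split was abandoned because environment protection stalled the matrix, keep the split and leave the `codecov` environment without protection rules, or switch to an upload mode that needs no long-lived token (newer codecov-action releases advertise OIDC support — verify before relying on it). At minimum add `# CODECOV_TOKEN is a repository secret and is visible to the test process` above the step so the exposure is a documented decision rather than an accident.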