diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..8c139c7
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 909c278..e271fb9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,15 +8,31 @@ on: branches: - master +permissions: + contents: read + jobs: Lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions-rs/toolchain@v1 + - name: Harden Runner + uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + static.rust-lang.org:443 + + - name: Checkout + uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 + + - name: Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af with: toolchain: stable components: rustfmt + - name: Check Formatting run: cargo fmt --check
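Review bot: Only the `github-actions` ecosystem is enrolled, so the Rust crates built by `cargo` in ci.yml and the Python packaging metadata in pyproject.toml (both touched by this commit) receive no automated update or advisory pull requests from Dependabot. Adding `cargo` and `pip` entries on the same weekly schedule closes that gap; each `directory` should point at the folder that holds Cargo.toml / pyproject.toml, which I assume is the repository root but have not verified from this diff. If the pip updater does not parse this project's pyproject.toml metadata, the cargo entry alone still covers the native side.
```yaml
updates:
# … unchanged: github-actions entry …
- package-ecosystem: "cargo"
  directory: "/"
  schedule:
    interval: "weekly"
- package-ecosystem: "pip"
  directory: "/"
  schedule:
    interval: "weekly"
```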
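Review bot: `actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af` pins a commit of an action whose upstream has, to my knowledge, been unmaintained for years and is now archived, so the SHA pin freezes it with no path to future security fixes; a maintained toolchain-installer action should replace it here, in the test-job hunk below, and in publish.yaml's `python-release-github` job. Separately, `step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776` carries no `# vX.Y.Z` annotation in this hunk, the next hunk, or publish.yaml's build jobs, while the identical SHA is annotated `# v2.2.1` in codeql.yml and `# v2.1.0` in publish.yaml's release job — two different version claims for one commit. Confirm which release tag resolves to that SHA and annotate every occurrence the same way, e.g. `uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # <verified tag>`, so reviewers and Dependabot can tell what is pinned. The Lint job's allow-list (`github.com`, `static.rust-lang.org`) looks sufficient for `cargo fmt --check`, which fetches no crates; the rest of the workflow continues outside the hunk.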
@@ -36,13 +52,30 @@ jobs: python-version: 3.7 runs-on: "${{ matrix.os }}" steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - name: Harden Runner + uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + crates.io:443 + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + static.crates.io:443 + index.crates.io:443 + static.rust-lang.org:443 + + - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 + - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # 4.5.0 with: python-version: ${{ matrix.python-version }} - - uses: actions-rs/toolchain@v1 + + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af with: toolchain: stable - - uses: Swatinem/rust-cache@v1 + + - uses: Swatinem/rust-cache@6720f05bc48b77f96918929a9019fb2203ff71f8 # 2.0.0 - run: python3 -m pip install nox - run: nox -s test-${{ matrix.python-version }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..847b9dd
--- /dev/null
+++ b/.github/workflows/codeql.yml
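Review bot: This test job runs on `${{ matrix.os }}` (the matrix is defined above the hunk), yet the `harden-runner` step with `egress-policy: block` is added unconditionally; to my knowledge the pinned harden-runner enforces only on GitHub-hosted Ubuntu runners and skips with a warning elsewhere, so if the matrix contains Windows or macOS hosts the block policy is silently not applied there (the same caveat applies to publish.yaml's `windows` and `macos` jobs, whose `egress-policy: audit` TODOs could then never be completed). Either gate the step with `if: runner.os == 'Linux'` or state the Linux-only enforcement in a comment above it. The allow-list itself looks consistent with `pip install nox` plus cargo builds (PyPI hosts, crates.io index and static hosts, rust-lang).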
@@ -0,0 +1,78 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["master"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["master"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python"]
+ # CodeQL supports [ $supported-codeql-languages ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ objects.githubusercontent.com:443
+ github.com:443
+ pypi.org:443
+ uploads.github.com:443
+
+ - name: Checkout repository
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+ with:
+ category: "/language:${{matrix.language}}"
\ No newline at end of file
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..b1ea0b3
--- /dev/null
+++ b/.github/workflows/publish.yaml
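Review bot: The matrix is `language: ["python"]` only, so the Rust code behind the PyO3 bindings this commit declares in pyproject.toml is not analysed by this workflow; if that is accepted (check what the pinned codeql-action supports), say so in a comment above `matrix:` in place of the unfilled template placeholder `# CodeQL supports [ $supported-codeql-languages ]`. The `Autobuild` step and the commented-out build-script example are scaffolding for compiled languages that do nothing for a Python-only matrix and can be dropped together with their three comment blocks, which would also remove the mis-encoded `ℹī¸` glyph. The file ends without a trailing newline (`\ No newline at end of file`). The egress allow-list looks consistent with the checkout, pip fetches and SARIF upload the job performs.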
@@ -0,0 +1,201 @@
+name: Test & Release
+
+on:
+ release:
+ types: [published]
+
+# on:
+# pull_request:
+# branches:
+# - master
+
+jobs:
+ linux:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ platform: [ 'x86_64-unknown-linux-gnu', 'aarch64-unknown-linux-gnu' ]
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ cdn03.quay.io:443
+ crates.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ quay.io:443
+ sh.rustup.rs:443
+ static.crates.io:443
+ index.crates.io:443
+ static.rust-lang.org:443
+ uploads.github.com:443
+ pypi.org:443
+ files.pythonhosted.org:443
+ ghcr.io:443
+ pkg-containers.githubusercontent.com:443
+
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+ with:
+ python-version: 3.8
+ architecture: x64
+
+ - uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+ with:
+ rust-toolchain: stable
+ manylinux: auto
+ target: ${{ matrix.platform }}
+ command: build
+ args: --release --sdist -o dist -i 3.8 3.9 3.10 3.11
+
+ - name: Upload wheels
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
+ with:
+ name: wheels
+ path: dist
+
+ windows:
+ runs-on: windows-latest
+ strategy:
+ matrix:
+ target: [x64]
+ python-version: ['3.8', '3.9', '3.10', '3.11']
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+ env:
+ PYO3_PYTHON: python${{ matrix.python-version }}
+ with:
+ command: build
+ args: --release -o dist
+
+ - name: Upload wheels
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
+ with:
+ name: wheels
+ path: dist
+
+ macos:
+ runs-on: macos-latest
+ strategy:
+ matrix:
+ python-version: ['3.8', '3.9', '3.10', '3.11']
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+ - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Build wheels - x86_64
+ uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+ env:
+ PYO3_PYTHON: python${{ matrix.python-version }}
+ with:
+ target: x86_64-apple-darwin
+ command: build
+ args: --release -o dist
+
+ - name: Build wheels - universal2
+ uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+ env:
+ PYO3_PYTHON: python${{ matrix.python-version }}
+ with:
+ command: build
+ args: --release -o dist --universal2
+
+ - name: Upload wheels
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
+ with:
+ name: wheels
+ path: dist
+
+ python-release-github:
+ runs-on: ubuntu-latest
+ needs: [ macos, windows, linux ]
+ permissions:
+ contents: write # To add assets to a release.
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.1.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ static.rust-lang.org:443
+ uploads.github.com:443
+
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ with:
+ ref: ${{ github.head_ref }}
+
+ - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
+ with:
+ profile: minimal
+ toolchain: stable
+
+ - name: Set up Python 3.8
+ uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
+ with:
+ python-version: 3.8
+
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: wheels
+ path: wheels
+
+ - name: Upload release binaries
+ uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ asset_paths: '["./wheels/tantivy-*"]'
+
+ release-pypy:
+ name: Release
+ runs-on: ubuntu-latest
+ needs: [ macos, windows, linux ]
+ permissions:
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ name: wheels
+ path: wheels
+
+ - name: Publish package distributions to Test PyPI
+ uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
+ with:
+ repository-url: https://test.pypi.org/legacy/
+ packages-dir: wheels/
+ skip-existing: true
+
+ - name: Publish package distributions to PyPI
+ if: always()
+ uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
+ with:
+ packages-dir: wheels/
+ skip-existing: true
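Review bot: `if: always()` on the final "Publish package distributions to PyPI" step makes the production upload run even when the preceding Test PyPI publish or the artifact download failed, or the job was cancelled, so the test-index step is no gate at all; remove the `if:` (the default is `success()`) or write `if: success()` explicitly. The file sets no workflow-level `permissions:`, unlike ci.yml and codeql.yml in this same commit, so the `linux`, `windows` and `macos` build jobs run with whatever default token scope the repository grants — add `permissions:` / `  contents: read` at the top and keep the job-level `contents: write` and `id-token: write` overrides. The `release-pypy` job pins `step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504` while every other job in the file pins `1f99358870fe1c846a3ccba386cc2b2246836776`; one action at two commits in one file doubles what has to be vetted, so align them on one annotated pin. In `python-release-github`, `ref: ${{ github.head_ref }}` is empty on `release` events (it is only populated for pull-request triggers), so the checkout silently falls back to the default ref, and the checkout, Rust toolchain and Python setup steps appear unused by a job that only downloads artifacts and uploads assets — dropping them shrinks the third-party code running with `contents: write`.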
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..ec70f1e
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '35 8 * * 5'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
diff --git a/pyproject.toml b/pyproject.toml
index d61d69f..aebdf75 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -5,3 +5,6 @@ build-backend = "maturin" [project] name = "tantivy" requires-python = ">=3.7"
+
+[tool.maturin]
+bindings = "pyo3"
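Review bot: This workflow pins `actions/checkout@93ea575c… # v3.1.0`, `actions/upload-artifact@3cea5372… # v3.1.0` and `github/codeql-action/upload-sarif@17573ee1… # v2.2.4`, while the other workflows added in the same commit pin checkout at `ac593985… # v3.3.0` and `61b9e375…`, upload-artifact at `0b7f8abb… # 3.1.2` and codeql-action at `32dc4993… # v2.2.5`; every distinct SHA is another third-party commit that has to be vetted, so converge on one pin per action across the repository (the Dependabot config added in this commit will otherwise open a separate bump per file). This is also the only new workflow without a `step-security/harden-runner` step; if that is deliberate because `ossf/scorecard-action`'s endpoints are not known up front, a one-line comment under `steps:` saying so would stop the next reader from adding one blindly. `persist-credentials: false` on the checkout is the right choice for a job whose token also carries `id-token: write`.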