Ratchet (#206)

* Ratchet all the workflow files

ratchet pin ./.github/dependabot.yml .github/workflows/*
ratchet update ./.github/dependabot.yml .github/workflows/*

* Remove stray tabs

Tabs caught by ratchet streaming in and out.

Author: steve-downey

.github/dependabot.yml

@@ -3,7 +3,6 @@
 # Please see the documentation for all configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
----
 version: 2
 updates:
   - package-ecosystem: "github-actions"
@@ -21,13 +20,13 @@ updates:
           - "github/*"
     schedule:
       interval: "weekly"
-
   - package-ecosystem: pip
+
     directory: /papers/P2988
     schedule:
       interval: daily
-
   - package-ecosystem: pip
+
     directory: /
     schedule:
       interval: daily

.github/workflows/ci.yml

@@ -15,8 +15,8 @@ permissions:
 jobs:
   build:
     permissions:
-      checks: write  # for coverallsapp/github-action to create new checks
-      contents: read  # for actions/checkout to fetch code
+      checks: write # for coverallsapp/github-action to create new checks
+      contents: read # for actions/checkout to fetch code
     name: ${{ matrix.config.name }}
     runs-on: ubuntu-24.04
     container:
@@ -25,15 +25,15 @@ jobs:
       fail-fast: false
       matrix:
         config:
-          - {name: "Ubuntu Clang 21", tag: "clang:21", toolchain: "clang-21", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" 	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
-          - {name: "Ubuntu Clang 20", tag: "clang:20", toolchain: "clang-20", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\"  	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+          - {name: "Ubuntu Clang 21", tag: "clang:21", toolchain: "clang-21", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+          - {name: "Ubuntu Clang 20", tag: "clang:20", toolchain: "clang-20", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
           # Note: clang-19 + Asan setup causes errors on some platforms. Temporary skip some checks via .asan_options.
-          - {name: "Ubuntu Clang 19", tag: "clang:19", toolchain: "clang-19", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\"  	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" ", asan_options: "new_delete_type_mismatch=0"}
-          - {name: "Ubuntu Clang 18", tag: "clang:18", toolchain: "clang-18", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\"  	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
-          - {name: "Ubuntu Clang 17", tag: "clang:17", toolchain: "clang-17", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\"  	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
-          - {name: "Ubuntu GCC 14", tag: "gcc:14", toolchain: "gcc-14", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan;Gcov\" 	-DCMAKE_PREFIX_PATH=\"./infra/cmake\"  ", coverage: true}
-          - {name: "Ubuntu GCC 13", tag: "gcc:13", toolchain: "gcc-13",  cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\"  	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
-          - {name: "Ubuntu GCC 12", tag: "gcc:12", toolchain: "gcc-12",  cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\"  	-DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+          - {name: "Ubuntu Clang 19", tag: "clang:19", toolchain: "clang-19", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" ", asan_options: "new_delete_type_mismatch=0"}
+          - {name: "Ubuntu Clang 18", tag: "clang:18", toolchain: "clang-18", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+          - {name: "Ubuntu Clang 17", tag: "clang:17", toolchain: "clang-17", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+          - {name: "Ubuntu GCC 14", tag: "gcc:14", toolchain: "gcc-14", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan;Gcov\"  -DCMAKE_PREFIX_PATH=\"./infra/cmake\"  ", coverage: true}
+          - {name: "Ubuntu GCC 13", tag: "gcc:13", toolchain: "gcc-13", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
+          - {name: "Ubuntu GCC 12", tag: "gcc:12", toolchain: "gcc-12", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "}
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
@@ -43,7 +43,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: 'true'
-        # If Clang 17, install a newer version of libc++ and libc++abi.
+          # If Clang 17, install a newer version of libc++ and libc++abi.
       - name: Update packages
         run: |
           set -x

.github/workflows/codeql.yml

@@ -49,14 +49,14 @@ jobs:
         include:
           - language: actions
             build-mode: none
-        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+            # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+            # Use `c-cpp` to analyze code written in C, C++ or both
+            # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+            # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+            # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+            # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+            # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+            # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
@@ -85,26 +85,28 @@ jobs:
           # By default, queries listed here will override any specified in a config file.
           # Prefix the list here with "+" to use these queries and those in the config file.
 
-          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
-
       # If the analyze step fails for one of the languages you are analyzing with
       # "We were unable to automatically build your code", modify the matrix above
+
       # to set the build mode to "manual" for that language. Then modify this step
       # to build your code.
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
       - if: matrix.build-mode == 'manual'
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
         shell: bash
         run: |
           echo 'If you are using a "manual" build mode for one or more of the' \
             'languages you are analyzing, replace this with the commands to build' \
             'your code, for example:'
           echo '  make bootstrap'
           echo '  make release'
-          exit 1
 
+          exit 1
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
+
           category: "/language:${{matrix.language}}"

.github/workflows/ossf-scorecard-analysis.yml

@@ -3,10 +3,10 @@ on:
   push:
     # Only the default branch is supported.
     branches:
-    - main
+      - main
   schedule:
     # Weekly on Saturdays.
-    - cron:  '30 1 * * 6'
+    - cron: '30 1 * * 6'
 
 permissions: read-all
 

.github/workflows/pre-commit-check.yml

@@ -15,4 +15,4 @@ jobs:
       checks: write
       issues: write
       pull-requests: write
-    uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.5.1
+    uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@4dff6993ff88c5f946e371f5cdbeca8340fdb49d # ratchet:bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.5.1

.github/workflows/pre-commit.yml

@@ -31,10 +31,10 @@ jobs:
         with:
           python-version: 3.13
 
-        # We wish to run pre-commit on all files instead of the changes
-        # only made in the push commit.
-        #
-        # So linting error persists when there's formatting problem.
+          # We wish to run pre-commit on all files instead of the changes
+          # only made in the push commit.
+          #
+          # So linting error persists when there's formatting problem.
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
   pre-commit-pr:
@@ -69,7 +69,7 @@ jobs:
         with:
           python-version: 3.13
 
-        # we only lint on the changed file in PR.
+          # we only lint on the changed file in PR.
       - name: Get Changed Files
         id: changed-files
         uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47.0.5
@@ -79,7 +79,7 @@ jobs:
         with:
           extra_args: --files ${{ steps.changed-files.outputs.all_changed_files }}
 
-        # Review dog posts the suggested change from pre-commit to the pr.
+          # Review dog posts the suggested change from pre-commit to the pr.
       - name: suggester / pre-commit
         uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff #v1.24.0
         if: ${{ failure() && steps.run-pre-commit.conclusion == 'failure' }}