Skip to content

Commit 47ca06b

Browse files
2 parents cd19659 + b2b4255 commit 47ca06b

122 files changed

Lines changed: 2670 additions & 395 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/actions/get-mathlib-ci/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ then use the local action:
2525

2626
```yaml
2727
- name: Checkout local actions
28-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
28+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2929
with:
3030
ref: ${{ github.workflow_sha }}
3131
fetch-depth: 1

.github/actions/get-mathlib-ci/action.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ runs:
3333
using: composite
3434
steps:
3535
- name: Get mathlib-ci
36-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
36+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3737
with:
3838
repository: leanprover-community/mathlib-ci
3939
ref: ${{ inputs.ref }}

.github/actions/get-tools/action.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,7 @@ runs:
139139
140140
- name: Checkout tools branch (source build)
141141
if: ${{ steps.finalize.outputs.result == 'build' }}
142-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
142+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
143143
with:
144144
ref: ${{ inputs.tools_source_ref }}
145145
path: ${{ inputs.path }}

.github/actions/setup-build-env/action.yml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ runs:
4545
4646
# The Hoskinson runners may not have jq installed, so do that now.
4747
- name: 'Setup jq'
48-
uses: dcarbone/install-jq-action@b7ef57d46ece78760b4019dbc4080a1ba2a40b45 # v3.2.0
48+
uses: dcarbone/install-jq-action@4fcb5062d7ce9bc4382d1a352d19ba3ba2c317c1 # v4.0.1
4949

5050
# Compute the trust-classified container target and read fallback for this
5151
# job. Sets MATHLIB_CACHE_FROM / MATHLIB_CACHE_PRIMARY in env so every
@@ -64,12 +64,15 @@ runs:
6464
# code we build, so don't leave the GITHUB_TOKEN in pr-branch/.git/config where
6565
# that code could read it.
6666
- name: Checkout PR branch
67-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
67+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
6868
with:
6969
ref: ${{ inputs.pr_branch_ref }}
7070
fetch-depth: 1
7171
path: pr-branch
7272
persist-credentials: false
73+
# The build runs this fork PR code sandboxed (landrun) with no persisted
74+
# credentials, so checking it out under pull_request_target is safe.
75+
allow-unsafe-pr-checkout: true
7376

7477
# Create empty directories so landrun doesn't complain.
7578
- name: Create empty directories

.github/workflows/PR_summary.yml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -17,16 +17,19 @@ jobs:
1717

1818
steps:
1919
- name: Checkout code
20-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
20+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2121
with:
2222
ref: ${{ github.event.pull_request.head.sha }}
2323
fetch-depth: 0
2424
path: pr-branch
2525
# Untrusted (potentially fork) checkout: don't persist the GITHUB_TOKEN into its .git/config.
2626
persist-credentials: false
27+
# Only trusted base-repo scripts run against this checkout, so checking out
28+
# fork PR code under pull_request_target is safe.
29+
allow-unsafe-pr-checkout: true
2730

2831
- name: Checkout local actions
29-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
32+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3033
with:
3134
ref: ${{ github.workflow_sha }}
3235
fetch-depth: 1
@@ -64,7 +67,7 @@ jobs:
6467
fi
6568
6669
- name: Set up Python
67-
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
70+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
6871
with:
6972
python-version: 3.12
7073

.github/workflows/actionlint.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ jobs:
99
runs-on: ubuntu-latest
1010
steps:
1111
- name: Checkout
12-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
12+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
1313

1414
- name: suggester / actionlint
1515
uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
@@ -21,7 +21,7 @@ jobs:
2121
runs-on: ubuntu-latest
2222
steps:
2323
- name: Checkout
24-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
24+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2525

2626
# Using our fork's PR branch until upstream merges the improved error reporting:
2727
# https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/288

.github/workflows/add_label_from_diff.yaml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ jobs:
2222
if: github.repository == 'leanprover-community/mathlib4'
2323
steps:
2424
- name: Checkout master branch to build autolabel from
25-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
25+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2626
with:
2727
ref: master
2828
path: tools
@@ -38,13 +38,16 @@ jobs:
3838
run: |
3939
lake build autolabel
4040
- name: Checkout branch to label
41-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
41+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4242
with:
4343
ref: ${{ github.event.pull_request.head.sha || github.sha }}
4444
fetch-depth: 0
4545
path: pr-branch
4646
# Untrusted (potentially fork) checkout: don't persist the GITHUB_TOKEN into its .git/config.
4747
persist-credentials: false
48+
# autolabel is built from the trusted base checkout and only reads these files,
49+
# so checking out fork PR code under pull_request_target is safe.
50+
allow-unsafe-pr-checkout: true
4851
- name: Run autolabel
4952
working-directory: pr-branch
5053
run: |

.github/workflows/build_template.yml

Lines changed: 15 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,7 @@ jobs:
7979
# We just populate the env vars for this step to make them viewable in the logs
8080
8181
- name: Checkout local actions
82-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
82+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
8383
with:
8484
ref: ${{ github.workflow_sha }}
8585
fetch-depth: 1
@@ -190,7 +190,7 @@ jobs:
190190
lake exe mk_all --check
191191
192192
- name: begin gh-problem-match-wrap for build step
193-
uses: leanprover-community/gh-problem-matcher-wrap@20007cb926a46aa324653a387363b52f07709845 # 2025-04-23
193+
uses: leanprover-community/gh-problem-matcher-wrap@65a654fcdf7b64ff7633bc7a558f7b46d59a27bf # 2026-06-25
194194
with:
195195
action: add # In order to be able to run a multiline script, we need to add/remove the problem matcher before and after.
196196
linters: lean
@@ -211,7 +211,7 @@ jobs:
211211
../tools-branch/scripts/lake-build-with-retry.sh Mathlib
212212
# results of build at pr-branch/.lake/build_summary_Mathlib.json
213213
- name: end gh-problem-match-wrap for build step
214-
uses: leanprover-community/gh-problem-matcher-wrap@20007cb926a46aa324653a387363b52f07709845 # 2025-04-23
214+
uses: leanprover-community/gh-problem-matcher-wrap@65a654fcdf7b64ff7633bc7a558f7b46d59a27bf # 2026-06-25
215215
with:
216216
action: remove
217217
linters: lean
@@ -394,7 +394,7 @@ jobs:
394394
shell: landrun --rox /usr --ro /etc/timezone --rw /dev --rox /home/lean/.elan --rox /home/lean/actions-runner/_work --rox /home/lean/.cache/mathlib/ --rw pr-branch/.lake/ --env PATH --env HOME --env GITHUB_OUTPUT --env CI -- bash -euxo pipefail {0}
395395
steps:
396396
- name: Checkout local actions
397-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
397+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
398398
with:
399399
ref: ${{ github.workflow_sha }}
400400
fetch-depth: 1
@@ -463,7 +463,7 @@ jobs:
463463
# from the build job's outputs, and the problem-matcher wrap is gated to match.
464464
- name: begin gh-problem-match-wrap for test step
465465
if: ${{ needs.build.outputs.build-outcome == 'success' && needs.build.outputs.mk_all-outcome == 'success' && needs.build.outputs.archive-outcome == 'success' && needs.build.outputs.counterexamples-outcome == 'success' }}
466-
uses: leanprover-community/gh-problem-matcher-wrap@20007cb926a46aa324653a387363b52f07709845 # 2025-04-23
466+
uses: leanprover-community/gh-problem-matcher-wrap@65a654fcdf7b64ff7633bc7a558f7b46d59a27bf # 2026-06-25
467467
with:
468468
action: add # In order to be able to run a multiline script, we need to add/remove the problem matcher before and after.
469469
linters: lean
@@ -475,7 +475,7 @@ jobs:
475475
../tools-branch/scripts/lake-build-wrapper.py .lake/build_summary_MathlibTest.json lake --iofail test
476476
- name: end gh-problem-match-wrap for test step
477477
if: ${{ needs.build.outputs.build-outcome == 'success' && needs.build.outputs.mk_all-outcome == 'success' && needs.build.outputs.archive-outcome == 'success' && needs.build.outputs.counterexamples-outcome == 'success' }}
478-
uses: leanprover-community/gh-problem-matcher-wrap@20007cb926a46aa324653a387363b52f07709845 # 2025-04-23
478+
uses: leanprover-community/gh-problem-matcher-wrap@65a654fcdf7b64ff7633bc7a558f7b46d59a27bf # 2026-06-25
479479
with:
480480
action: remove
481481
linters: lean
@@ -485,7 +485,7 @@ jobs:
485485
# lint feedback is still reported. The problem-matcher wrap is gated to match.
486486
- name: begin gh-problem-match-wrap for shake and lint steps
487487
if: ${{ always() && (needs.build.outputs.build-outcome == 'success' || needs.build.outputs.build-outcome == 'failure') }}
488-
uses: leanprover-community/gh-problem-matcher-wrap@20007cb926a46aa324653a387363b52f07709845 # 2025-04-23
488+
uses: leanprover-community/gh-problem-matcher-wrap@65a654fcdf7b64ff7633bc7a558f7b46d59a27bf # 2026-06-25
489489
with:
490490
action: add # In order to be able to run a multiline script, we need to add/remove the problem matcher before and after.
491491
linters: gcc
@@ -538,7 +538,7 @@ jobs:
538538
539539
- name: end gh-problem-match-wrap for shake and lint steps
540540
if: ${{ always() && (needs.build.outputs.build-outcome == 'success' || needs.build.outputs.build-outcome == 'failure') }}
541-
uses: leanprover-community/gh-problem-matcher-wrap@20007cb926a46aa324653a387363b52f07709845 # 2025-04-23
541+
uses: leanprover-community/gh-problem-matcher-wrap@65a654fcdf7b64ff7633bc7a558f7b46d59a27bf # 2026-06-25
542542
with:
543543
action: remove
544544
linters: gcc
@@ -604,7 +604,7 @@ jobs:
604604
# `build_template` via `pull_request_target`, never this one — so
605605
# `pr_branch_ref` is always a trusted ref here. Fork PRs keep `master`.
606606
- name: Checkout tools branch
607-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
607+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
608608
with:
609609
ref: ${{ inputs.tools_branch_ref != '' && inputs.tools_branch_ref || (github.event.pull_request.head.repo.fork && 'master' || inputs.pr_branch_ref) }}
610610
fetch-depth: 1
@@ -674,17 +674,20 @@ jobs:
674674
contents: read
675675
steps:
676676

677-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
677+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
678678
with:
679679
ref: ${{ inputs.pr_branch_ref }}
680680
# Untrusted (potentially fork) checkout: don't persist the GITHUB_TOKEN into its .git/config.
681681
persist-credentials: false
682+
# This job runs with only `contents: read` and no persisted credentials,
683+
# so checking out fork PR code under pull_request_target is safe.
684+
allow-unsafe-pr-checkout: true
682685

683686
# Sparse-checkout master's `.github/actions/` so the trust dispatch
684687
# below loads from a trust-rooted source, not from PR-branch-controlled
685688
# content. Mirrors the `Checkout local actions` step in the `build` job.
686689
- name: Checkout local actions
687-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
690+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
688691
with:
689692
ref: ${{ github.workflow_sha }}
690693
fetch-depth: 1
@@ -748,7 +751,7 @@ jobs:
748751
lake exe graph
749752
750753
- name: Checkout local actions
751-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
754+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
752755
with:
753756
ref: ${{ github.workflow_sha }}
754757
fetch-depth: 1

.github/workflows/cache_test.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,7 @@ jobs:
4141
run:
4242
shell: bash
4343
steps:
44-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
44+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4545

4646
# Install elan and the toolchain cross-platform. Build/test/lint, the
4747
# Mathlib cache, and the GitHub cache are all disabled, so this is a

.github/workflows/check_pr_titles.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ jobs:
1919
runs-on: ubuntu-latest
2020
steps:
2121
- name: Checkout
22-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
22+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2323
with:
2424
ref: master
2525
- name: Configure Lean

0 commit comments

Comments
 (0)