Skip to content

Commit 54a62b8

Browse files
author
mathlib4-bot
committed
Merge remote-tracking branch 'upstream/master' into bump/v4.32.0
2 parents 57a16fb + a7f9fbe commit 54a62b8

748 files changed

Lines changed: 11293 additions & 3856 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/actions/get-mathlib-ci/action.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ inputs:
1010
# Default pinned commit used by workflows unless they explicitly override.
1111
# Update this ref as needed to pick up changes to mathlib-ci scripts
1212
# This is also updated automatically by .github/workflows/update_dependencies.yml
13-
default: aafe3df227b81f681afa3978f9eab0e2bbcd0582
13+
default: e7a159e9a129f92fd07e6852a742485798678473
1414
path:
1515
description: Checkout destination path.
1616
required: false

.github/workflows/PR_summary.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,14 +17,16 @@ jobs:
1717

1818
steps:
1919
- name: Checkout code
20-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
20+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2121
with:
2222
ref: ${{ github.event.pull_request.head.sha }}
2323
fetch-depth: 0
2424
path: pr-branch
25+
# Untrusted (potentially fork) checkout: don't persist the GITHUB_TOKEN into its .git/config.
26+
persist-credentials: false
2527

2628
- name: Checkout local actions
27-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
29+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2830
with:
2931
ref: ${{ github.workflow_sha }}
3032
fetch-depth: 1

.github/workflows/actionlint.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ jobs:
99
runs-on: ubuntu-latest
1010
steps:
1111
- name: Checkout
12-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
12+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
1313

1414
- name: suggester / actionlint
1515
uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
@@ -21,7 +21,7 @@ jobs:
2121
runs-on: ubuntu-latest
2222
steps:
2323
- name: Checkout
24-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
24+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2525

2626
# Using our fork's PR branch until upstream merges the improved error reporting:
2727
# https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/288

.github/workflows/add_label_from_diff.yaml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ jobs:
2222
if: github.repository == 'leanprover-community/mathlib4'
2323
steps:
2424
- name: Checkout master branch to build autolabel from
25-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2626
with:
2727
ref: master
2828
path: tools
@@ -38,11 +38,13 @@ jobs:
3838
run: |
3939
lake build autolabel
4040
- name: Checkout branch to label
41-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
41+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
4242
with:
4343
ref: ${{ github.event.pull_request.head.sha || github.sha }}
4444
fetch-depth: 0
4545
path: pr-branch
46+
# Untrusted (potentially fork) checkout: don't persist the GITHUB_TOKEN into its .git/config.
47+
persist-credentials: false
4648
- name: Run autolabel
4749
working-directory: pr-branch
4850
run: |

.github/workflows/bors.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,10 @@ jobs:
3030
# Use the MASTER cache key only when merging into mathlib4 (staging branch);
3131
# 'bors try' runs (trying branch) and nightly-testing use NON_MASTER
3232
cache_application_id: ${{ github.ref_name == 'staging' && github.repository == 'leanprover-community/mathlib4' && vars.CACHE_MASTER_WRITER_AZURE_APP_ID || vars.CACHE_NON_MASTER_WRITER_AZURE_APP_ID }}
33+
# Track the cache_application_id choice above; the environment fixes the OIDC subject the Azure app trusts.
34+
# nightly-testing is intentionally left without an environment ('') so it keeps its existing ref-based trust.
35+
# TODO: give mathlib4-nightly-testing its own cache-upload environment + federated credential.
36+
cache_environment: ${{ github.repository == 'leanprover-community/mathlib4' && (github.ref_name == 'staging' && 'cache-upload-master' || 'cache-upload-forks') || '' }}
3337
# bors runs should build the tools from their commit-under-test: after all, we are trying to
3438
# test 'what would happen if this was merged', so we need to use the 'would-be-post-merge' tools
3539
tools_branch_ref: ${{ github.sha }}

.github/workflows/bot_fix_style.yaml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,14 @@ on:
1212
# triggers on a review comment
1313
types: [created, edited]
1414

15+
# `lint-style-action` in `fix` mode pushes a style-fix commit and reacts/comments
16+
# on the PR. Grant exactly those scopes rather than inheriting the default token
17+
# permissions; all other scopes are implicitly 'none'.
18+
permissions:
19+
contents: write # push the style-fix commit to the PR branch
20+
pull-requests: write # add the bot's reaction/comment
21+
issues: write # PR comment reactions go through the issues API
22+
1523
jobs:
1624
fix_style:
1725
# we set some variables. The ones of the form `${{ X }}${{ Y }}` are typically not

.github/workflows/build.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,5 +37,9 @@ jobs:
3737
pr_branch_ref: ${{ github.sha }}
3838
# Use the MASTER cache key only on mathlib4/master; nightly-testing and other branches use NON_MASTER
3939
cache_application_id: ${{ github.repository == 'leanprover-community/mathlib4' && github.ref == 'refs/heads/master' && vars.CACHE_MASTER_WRITER_AZURE_APP_ID || vars.CACHE_NON_MASTER_WRITER_AZURE_APP_ID }}
40+
# Track the cache_application_id choice above; the environment fixes the OIDC subject the Azure app trusts.
41+
# nightly-testing is intentionally left without an environment ('') so it keeps its existing ref-based trust.
42+
# TODO: give mathlib4-nightly-testing its own cache-upload environment + federated credential.
43+
cache_environment: ${{ github.repository == 'leanprover-community/mathlib4' && (github.ref == 'refs/heads/master' && 'cache-upload-master' || 'cache-upload-forks') || '' }}
4044
runs_on: pr
4145
secrets: inherit

.github/workflows/build_fork.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,5 +37,6 @@ jobs:
3737
concurrency_group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
3838
pr_branch_ref: ${{ github.event.pull_request.head.sha }}
3939
cache_application_id: ${{ vars.CACHE_NON_MASTER_WRITER_AZURE_APP_ID }}
40+
cache_environment: cache-upload-forks
4041
runs_on: pr
4142
secrets: inherit

.github/workflows/build_template.yml

Lines changed: 38 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,12 @@ on:
2727
cache_application_id:
2828
type: string
2929
required: true
30+
cache_environment:
31+
# GitHub environment for the `upload_cache` job. Its only role is to fix the
32+
# OIDC `sub` claim to `...:environment:<name>`, which the Azure cache app's
33+
# federated credential is scoped to; it must match the writer `cache_application_id`.
34+
type: string
35+
required: true
3036

3137
env:
3238
# Disable Lake's automatic fetching of cloud builds.
@@ -89,7 +95,7 @@ jobs:
8995

9096
# Checkout a trusted branch to build the tooling from
9197
- name: Checkout tools branch
92-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
98+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
9399
with:
94100
# Recall that on the `leanprover-community/mathlib4-nightly-testing` repository,
95101
# we don't maintain a `master` branch at all.
@@ -99,7 +105,7 @@ jobs:
99105
path: tools-branch
100106

101107
- name: Checkout local actions
102-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
108+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
103109
with:
104110
ref: ${{ github.workflow_sha }}
105111
fetch-depth: 1
@@ -122,11 +128,14 @@ jobs:
122128

123129
# Checkout the PR branch into a subdirectory
124130
- name: Checkout PR branch
125-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
131+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
126132
with:
127133
ref: ${{ inputs.pr_branch_ref }}
128134
fetch-depth: 2 # we may fetch cache from the commit before this one (or earlier)
129135
path: pr-branch
136+
# This is an untrusted (potentially fork) checkout whose code we build.
137+
# Don't leave the GITHUB_TOKEN in pr-branch/.git/config, where that code could read it.
138+
persist-credentials: false
130139

131140
- name: Prepare DownstreamTest directory
132141
shell: bash
@@ -513,19 +522,19 @@ jobs:
513522
run: |
514523
cd pr-branch
515524
set -o pipefail
516-
# Try running with --trace; if it fails due to argument parsing, the PR needs to merge master
525+
# If lint fails because the PR predates lake-lint configuration or the
526+
# old --trace argument-parsing behavior, ask the author to merge master.
517527
# We use .lake/ for the output file because landrun restricts /tmp access
518528
for attempt in 1 2; do
519-
if timeout 10m env LEAN_ABORT_ON_PANIC=1 stdbuf -oL lake exe runLinter --trace Mathlib 2>&1 | tee ".lake/lint_output_attempt_${attempt}.txt"; then
529+
if timeout 10m env LEAN_ABORT_ON_PANIC=1 stdbuf -oL lake lint -- --trace 2>&1 | tee ".lake/lint_output_attempt_${attempt}.txt"; then
520530
break
521531
fi
522532
status=${PIPESTATUS[0]}
523-
if grep -q "cannot parse arguments" ".lake/lint_output_attempt_${attempt}.txt"; then
533+
if grep -qE "cannot parse arguments|no lint driver configured" ".lake/lint_output_attempt_${attempt}.txt"; then
524534
echo ""
525535
echo "=============================================================================="
526-
echo "ERROR: Your branch uses an older version of runLinter that doesn't support"
527-
echo "the --trace flag. Please merge 'master' into your PR branch to get the"
528-
echo "updated linter, then push again."
536+
echo "ERROR: Your branch predates the current 'lake lint' configuration."
537+
echo "Please merge 'master' into your PR branch and push again."
529538
echo ""
530539
echo "You can do this with:"
531540
echo " git fetch upstream"
@@ -574,7 +583,7 @@ jobs:
574583
- name: Generate lean-pr-testing app token
575584
if: ${{ always() && github.repository == 'leanprover-community/mathlib4-nightly-testing' && (startsWith(github.ref_name, 'lean-pr-testing-') || startsWith(github.ref_name, 'batteries-pr-testing-')) }}
576585
id: lean-pr-testing-token
577-
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
586+
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
578587
with:
579588
# `batteries-pr-testing-*` branches need a token scoped to `leanprover-community/batteries`
580589
# for the labelling API; `lean-pr-testing-*` branches need one scoped to `leanprover/lean4`.
@@ -605,6 +614,10 @@ jobs:
605614
name: Upload to cache
606615
needs: [build]
607616
runs-on: ubuntu-latest # These steps run on a GitHub runner; no landrun sandboxing is needed.
617+
# Pins the OIDC `sub` claim to `...:environment:<cache_environment>`, which the Azure cache
618+
# app's federated credential is scoped to. A token minted by any job without this environment
619+
# (e.g. the untrusted build/post_steps/style_lint jobs) cannot satisfy that trust.
620+
environment: ${{ inputs.cache_environment }}
608621
permissions:
609622
contents: read
610623
id-token: write
@@ -614,7 +627,7 @@ jobs:
614627
if: ${{ always() && needs.build.outputs.cache-staging-has-files == 'true' }}
615628
steps:
616629
- name: Checkout tools branch
617-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
630+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
618631
with:
619632
ref: ${{ inputs.tools_branch_ref != '' && inputs.tools_branch_ref || (github.repository == 'leanprover-community/mathlib4-nightly-testing' && 'nightly-testing-green' || 'master') }}
620633
fetch-depth: 1
@@ -684,11 +697,17 @@ jobs:
684697
needs: [build, upload_cache]
685698
if: ${{ always() && needs.build.result == 'success' && (needs.upload_cache.result == 'success' || needs.upload_cache.result == 'skipped') }}
686699
runs-on: ubuntu-latest # Note these steps run on disposable GitHub runners, so no landrun sandboxing is needed.
700+
# This job checks out and executes (potentially fork) PR code unsandboxed,
701+
# so it must not inherit any write-capable token.
702+
permissions:
703+
contents: read
687704
steps:
688705

689-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
706+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
690707
with:
691708
ref: ${{ inputs.pr_branch_ref }}
709+
# Untrusted (potentially fork) checkout: don't persist the GITHUB_TOKEN into its .git/config.
710+
persist-credentials: false
692711

693712
- name: Configure Lean
694713
uses: leanprover/lean-action@38fbc41a8c28c4cbaec22d7f7de508ec2e7c0dd9 # v1.5.0
@@ -734,7 +753,7 @@ jobs:
734753
lake exe graph
735754
736755
- name: Checkout local actions
737-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
756+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
738757
with:
739758
ref: ${{ github.workflow_sha }}
740759
fetch-depth: 1
@@ -788,6 +807,10 @@ jobs:
788807
style_lint:
789808
name: Lint style
790809
runs-on: ubuntu-latest
810+
# This job lints (potentially fork) PR code, so it must not inherit any write-capable token.
811+
# In `check` mode lint-style-action only reads and validates code locally (no API calls).
812+
permissions:
813+
contents: read
791814
steps:
792815
- uses: leanprover-community/lint-style-action@a7e7428fa44f9635d6eb8e01919d16fd498d387a # 2025-08-18
793816
with:
@@ -895,7 +918,7 @@ jobs:
895918
steps.get-label-actor.outputs.username != 'mathlib-update-dependencies' &&
896919
steps.get-label-actor.outputs.username != 'mathlib-splicebot'
897920
name: check team membership
898-
uses: tspascoal/get-user-teams-membership@818140d631d5f29f26b151afbe4179f87d9ceb5e # v4.0.1
921+
uses: tspascoal/get-user-teams-membership@b2546c5affc730fd8e3d8483ae9ad3621938c2f9 # v4.0.2
899922
id: actorTeams
900923
with:
901924
organization: leanprover-community # optional. Default value ${{ github.repository_owner }}
@@ -914,7 +937,7 @@ jobs:
914937
contains(steps.actorTeams.outputs.teams, 'bot-users')
915938
)
916939
name: If `auto-merge-after-CI` is present, add a `bors merge` comment.
917-
uses: GrantBirki/comment@608e41b19bc973020ec0e189ebfdae935d7fe0cc # v2.1.1
940+
uses: GrantBirki/comment@3439715f0cf3b8fc29bf47be0e3226679c06c41a # v3.0.0
918941
with:
919942
# This token is masked by the token minting action and will not be logged accidentally.
920943
token: ${{ steps.auto-merge-app-token.outputs.token }}

.github/workflows/check_pr_titles.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ jobs:
1919
runs-on: ubuntu-latest
2020
steps:
2121
- name: Checkout
22-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
22+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2323
with:
2424
ref: master
2525
- name: Configure Lean

0 commit comments

Comments
 (0)