From d5d36684640eee9c37cc8af5c19c482aa62b1dc1 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 12:30:08 +0100 Subject: [PATCH 1/9] Renovate config init Signed-off-by: Barabanov --- .github/dependabot.yml | 23 ------ .github/renovate.json5 | 72 +++++++++++++++++++ .../workflows/renovate-config-validator.yml | 30 ++++++++ .github/workflows/renovate.yml | 47 ++++++++++++ 4 files changed, 149 insertions(+), 23 deletions(-) delete mode 100644 .github/dependabot.yml create mode 100644 .github/renovate.json5 create mode 100644 .github/workflows/renovate-config-validator.yml create mode 100644 .github/workflows/renovate.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 5f78091e..00000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,23 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: / - schedule: - interval: "weekly" - target-branch: "master" - groups: - github-actions-dependency: - applies-to: version-updates - patterns: - - "*" - commit-message: - prefix: "chore(deps)" - - package-ecosystem: pip - directory: /src - schedule: - interval: weekly - target-branch: "master" - ignore: - - dependency-name: "ultralytics" - commit-message: - prefix: "chore(deps)" diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 00000000..945fc67e --- /dev/null +++ b/.github/renovate.json5 
@@ -0,0 +1,72 @@ +// Dependency Update Configuration +// +// See https://docs.renovatebot.com/configuration-options/ +// See https://json5.org/ for JSON5 syntax + +// [!] While updating the Renovate config, test changes on your own fork. +// 1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork. +// 2. Enable the Renovate GitHub app in your GitHub account. +// Verify that Renovate is activated in the repository settings within the Renovate Dashboard. +// To enable the dashboard set `dependencyDashboard` to true +// 3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate. +// 4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts. +// 5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR, +// and include links in the description to share details about the testing you've conducted. 
+ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + + // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance + lockFileMaintenance: { + enabled: true, + schedule: ["* * * * 0"], // weekly + }, + + extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"], + // https://docs.renovatebot.com/presets-default/#gitsignoff + // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests + + // if necessary, add supported releases branches here + // it is possible to enable/disable specific upgrades per branch with + // `matchBaseBranches` in specific rule + baseBranches: ["main"], + + enabledManagers: ["github-actions", "pep621"], + + // Set limit to 10 + ignorePresets: [":prHourlyLimit2"], + prHourlyLimit: 10, + + packageRules: [ + { + enabled: true, + matchManagers: ["pep621"], + schedule: ["* * * * 0"], // weekly + }, + + // Disable ultralytics notifications (based on previous Dependabot config) + { + enabled: false, + matchDatasources: ["pypi"], + matchDepNames: ["ultralytics"], + }, + + // Group GitHub Actions updates + { + enabled: true, + separateMajorMinor: false, + groupName: "GitHub Actions", + matchManagers: ["github-actions"], + matchPackagePatterns: ["*"], + schedule: ["* * 1 * *"], // every month + }, + + ], + + // Enable security upgrades + vulnerabilityAlerts: { + enabled: true, + }, + osvVulnerabilityAlerts: true, + dependencyDashboard: true, +} diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml new file mode 100644 index 00000000..5d084c91 --- /dev/null +++ b/.github/workflows/renovate-config-validator.yml 
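Review bot: `extends` uses `config:base` and the GitHub Actions rule uses `matchPackagePatterns: ["*"]`; both are deprecated aliases in current Renovate, so the 40.11 validator image and the v43.0.0 action introduced in this same patch will auto-migrate them and log a config-migration warning on every run. Replace them with `extends: ["config:recommended", ":gitSignOff", "helpers:pinGitHubActionDigests"],` and `matchPackageNames: ["*"],`. `vulnerabilityAlerts` and `osvVulnerabilityAlerts` only do anything if the token Renovate runs under can read the repository's security alerts, which as far as I recall must be granted to the GitHub App explicitly; a comment next to `vulnerabilityAlerts` naming that requirement would save the next person a silent no-op. The patch-5 rewrite of this file (the `@@ -1,71 +1,71 @@` hunk) re-adds these same lines unchanged, so the fix applies there too.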
@@ -0,0 +1,30 @@ +name: Validate Renovate configuration + +on: + pull_request: + paths: + - ".github/renovate.json5" + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} + cancel-in-progress: true + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Checkout configuration + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Validate configuration + run: | + # renovate: datasource=docker + export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11 + docker run --rm --entrypoint "renovate-config-validator" \ + -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \ + ${RENOVATE_IMAGE} "/renovate.json5" diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 00000000..eda2528f --- /dev/null +++ b/.github/workflows/renovate.yml 
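Review bot: The `# renovate: datasource=docker` marker above `export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11` has no effect: the renovate.json5 in this patch enables only the `github-actions` and `pep621` managers and defines no `customManagers` regex, and the marker lacks the `depName=` field that convention needs, so the validator image stays hand-pinned to a mutable tag while the runner in renovate.yml uses the v43.0.0 action, and the two can disagree on what is valid. Either validate with the same Renovate version the action runs, or pin the image by digest (`ghcr.io/renovatebot/renovate:40.11@sha256:<image-digest>`) and add a `customManagers` entry that tracks it. `persist-credentials: false` and the read-only `permissions` block are right for a `pull_request`-triggered job. The patch-5 rewrite of this file carries the same lines over unchanged.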
@@ -0,0 +1,47 @@ +name: Renovate +on: + schedule: + # daily + - cron: "0 2 * * *" + + # allow to manually trigger this workflow + workflow_dispatch: + inputs: + dry-run: + description: "Run Renovate in dry-run mode (no PR)" + required: false + default: false + type: boolean + +permissions: {} + +jobs: + renovate: + permissions: + contents: read + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Get token + id: get-github-app-token + uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + with: + app-id: ${{ secrets.RENOVATE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APP_PEM }} + + - name: Self-hosted Renovate + uses: renovatebot/github-action@13f127373fd3dc43b41b0979e37ba570d6c2b8f4 # v43.0.0 + with: + configurationFile: .github/renovate.json5 + token: "${{ steps.get-github-app-token.outputs.token }}" + env: + LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }} + # Dry run if the event is workflow_dispatch AND the dry-run input is true + RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }} + RENOVATE_PLATFORM: github + RENOVATE_REPOSITORIES: ${{ github.repository }} From 1531a8221fb24596e8994364574ee8d197d74fe1 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 12:38:22 +0100 Subject: [PATCH 2/9] branch name Signed-off-by: Barabanov --- .github/renovate.json5 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 945fc67e..04e396b8 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
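Review bot: Two runs of the `renovate` job can overlap, since the 02:00 schedule and the `workflow_dispatch` trigger share no `concurrency` group and the job has no `timeout-minutes`, and Renovate manages update branches and PRs statefully, so concurrent runs can race on the same branch; add `concurrency: { group: renovate, cancel-in-progress: false }` at workflow level and a `timeout-minutes:` on the job. The token from `create-github-app-token` is scoped to this repository by default (no `owner`/`repositories` inputs), which is the right least-privilege choice, but nothing records what permissions the App installation must carry: with the `github-actions` manager enabled Renovate will push edits under `.github/workflows/`, which GitHub refuses unless the token has the Workflows permission, and the dependency dashboard needs Issues write, so a comment next to the `with:` block would keep the App from being over-provisioned by guesswork. `RENOVATE_DRY_RUN` falls back to `null`, which the runner exports as an empty string rather than leaving the variable unset; I believe Renovate reads an empty value as "no dry run", but confirm that against the action's env handling rather than relying on it.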
@@ -29,7 +29,7 @@ // if necessary, add supported releases branches here // it is possible to enable/disable specific upgrades per branch with // `matchBaseBranches` in specific rule - baseBranches: ["main"], + baseBranches: ["master"], enabledManagers: ["github-actions", "pep621"], @@ -60,7 +60,6 @@ matchPackagePatterns: ["*"], schedule: ["* * 1 * *"], // every month }, - ], // Enable security upgrades From 43a7e93da6ec309c841abe9c16379b2e0fa981ff Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 12:42:33 +0100 Subject: [PATCH 3/9] test renovate Signed-off-by: Barabanov --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 0bddbbd6..a15723a2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -57,7 +57,7 @@ docs = [ "graphviz", ] build = [ - "nanobind==2.8.0", + "nanobind==2.7.0", ] [project.urls] From febc8d61b2ab7ff0316d1cddfb616ba98310e6ea Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 13:01:27 +0100 Subject: [PATCH 4/9] lock Signed-off-by: Barabanov --- uv.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/uv.lock b/uv.lock index 900130dc..52eb76bf 100644 --- a/uv.lock +++ b/uv.lock 
@@ -1597,11 +1597,11 @@ wheels = [ [[package]] name = "nanobind" -version = "2.8.0" +version = "2.7.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/69/7c/cc6e525b89cca06b9fab7ecb91a11c3fd8258b158897cc804679fcc7b203/nanobind-2.8.0.tar.gz", hash = "sha256:94e7bf6aa1d7dff9566eddc15252aba94fdadbf67a99a169bfab34b708427cd8", size = 979153, upload-time = "2025-07-16T05:52:17.547Z" } +sdist = { url = "https://files.pythonhosted.org/packages/d8/7d/f77f2bc2e2a210502a164556f8a742cd0f72f39061b97cb9d73bbd3ff0ab/nanobind-2.7.0.tar.gz", hash = "sha256:f9f1b160580c50dcf37b6495a0fd5ec61dc0d95dae5f8004f87dd9ad7eb46b34", size = 976093, upload-time = "2025-04-18T01:17:37.187Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/fc/3f/d81fa4c0d1450c6f58f5b5708082617949c12c5e98c1fae0d94a9e3a9b8f/nanobind-2.8.0-py3-none-any.whl", hash = "sha256:80fd403cfe4c8553b237ba5fbb62971921e2c5d1e6eb4a2fd457c67f987ab56f", size = 242647, upload-time = "2025-07-16T05:52:15.848Z" }, + { url = "https://files.pythonhosted.org/packages/96/14/989883082b395146120d34ca7e484a2b24cb73b0e428576a3a4249bd4082/nanobind-2.7.0-py3-none-any.whl", hash = "sha256:73b12d0e751d140d6c1bf4b215e18818a8debfdb374f08dc3776ad208d808e74", size = 241690, upload-time = "2025-04-18T01:17:34.821Z" }, ] [[package]] @@ -2087,7 +2087,7 @@ requires-dist = [ { name = "graphviz", marker = "extra == 'docs'" }, { name = "httpx", marker = "extra == 'tests'" }, { name = "myst-parser", marker = "extra == 'docs'" }, - { name = "nanobind", marker = "extra == 'build'", specifier = "==2.8.0" }, + { name = "nanobind", marker = "extra == 'build'", specifier = "==2.7.0" }, { name = "nbsphinx", marker = "extra == 'docs'" }, { name = "numpy", specifier = ">=1.16.6" }, { name = "onnx", marker = "extra == 'tests'" }, From 6bc0e0161baa16407d5e933d93215d1f437c8cca Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 13:51:10 +0100 Subject: [PATCH 5/9] comments and format 
Signed-off-by: Barabanov --- .github/renovate.json5 | 142 +++++++++--------- .../workflows/renovate-config-validator.yml | 72 +++++---- .github/workflows/renovate.yml | 131 ++++++++++------ 3 files changed, 197 insertions(+), 148 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 04e396b8..1f4d97d7 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
@@ -1,71 +1,71 @@ -// Dependency Update Configuration -// -// See https://docs.renovatebot.com/configuration-options/ -// See https://json5.org/ for JSON5 syntax - -// [!] While updating the Renovate config, test changes on your own fork. -// 1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork. -// 2. Enable the Renovate GitHub app in your GitHub account. -// Verify that Renovate is activated in the repository settings within the Renovate Dashboard. -// To enable the dashboard set `dependencyDashboard` to true -// 3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate. -// 4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts. -// 5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR, -// and include links in the description to share details about the testing you've conducted. 
- -{ - $schema: "https://docs.renovatebot.com/renovate-schema.json", - - // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance - lockFileMaintenance: { - enabled: true, - schedule: ["* * * * 0"], // weekly - }, - - extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"], - // https://docs.renovatebot.com/presets-default/#gitsignoff - // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests - - // if necessary, add supported releases branches here - // it is possible to enable/disable specific upgrades per branch with - // `matchBaseBranches` in specific rule - baseBranches: ["master"], - - enabledManagers: ["github-actions", "pep621"], - - // Set limit to 10 - ignorePresets: [":prHourlyLimit2"], - prHourlyLimit: 10, - - packageRules: [ - { - enabled: true, - matchManagers: ["pep621"], - schedule: ["* * * * 0"], // weekly - }, - - // Disable ultralytics notifications (based on previous Dependabot config) - { - enabled: false, - matchDatasources: ["pypi"], - matchDepNames: ["ultralytics"], - }, - - // Group GitHub Actions updates - { - enabled: true, - separateMajorMinor: false, - groupName: "GitHub Actions", - matchManagers: ["github-actions"], - matchPackagePatterns: ["*"], - schedule: ["* * 1 * *"], // every month - }, - ], - - // Enable security upgrades - vulnerabilityAlerts: { - enabled: true, - }, - osvVulnerabilityAlerts: true, - dependencyDashboard: true, -} +// Dependency Update Configuration +// +// See https://docs.renovatebot.com/configuration-options/ +// See https://json5.org/ for JSON5 syntax + +// [!] While updating the Renovate config, test changes on your own fork. +// 1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork. +// 2. Enable the Renovate GitHub app in your GitHub account. +// Verify that Renovate is activated in the repository settings within the Renovate Dashboard. 
+// To enable the dashboard set `dependencyDashboard` to true +// 3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate. +// 4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts. +// 5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR, +// and include links in the description to share details about the testing you've conducted. + +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + + // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance + lockFileMaintenance: { + enabled: true, + schedule: ["* * * * 0"], // weekly + }, + + extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"], + // https://docs.renovatebot.com/presets-default/#gitsignoff + // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests + + // if necessary, add supported releases branches here + // it is possible to enable/disable specific upgrades per branch with + // `matchBaseBranches` in specific rule + baseBranches: ["master"], + + enabledManagers: ["github-actions", "pep621"], + + // Set limit to 10 + ignorePresets: [":prHourlyLimit2"], + prHourlyLimit: 10, + + packageRules: [ + { + enabled: true, + matchManagers: ["pep621"], + schedule: ["* * * * 0"], // weekly + }, + + // Disable ultralytics notifications (based on previous Dependabot config) + { + enabled: false, + matchDatasources: ["pypi"], + matchDepNames: ["ultralytics"], + }, + + // Group GitHub Actions updates + { + enabled: true, + separateMajorMinor: false, + groupName: "GitHub Actions", + matchManagers: ["github-actions"], + matchPackagePatterns: ["*"], + schedule: ["* * 1 * *"], // every month + }, + ], + + // Enable security upgrades + vulnerabilityAlerts: { + enabled: true, + }, + osvVulnerabilityAlerts: true, + dependencyDashboard: true, +} 
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml index 5d084c91..7740df58 100644 --- a/.github/workflows/renovate-config-validator.yml +++ b/.github/workflows/renovate-config-validator.yml 
@@ -1,30 +1,42 @@ -name: Validate Renovate configuration - -on: - pull_request: - paths: - - ".github/renovate.json5" - -permissions: - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - name: Checkout configuration - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Validate configuration - run: | - # renovate: datasource=docker - export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11 - docker run --rm --entrypoint "renovate-config-validator" \ - -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \ - ${RENOVATE_IMAGE} "/renovate.json5" +# Renovate configuration validator +# +# This workflow validates changes proposed into Renovate configuration file +# (.github/renovate.json5) and prevents non-valid configuration to be used by Renovate. +# +# Required Secrets: +# - None +# +# Automatically triggered on: +# - Pull requests to .github/renovate.json5. +# + +name: Validate Renovate configuration + +on: + pull_request: + paths: + - ".github/renovate.json5" + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} + cancel-in-progress: true + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Checkout configuration + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Validate configuration + run: | + # renovate: datasource=docker + export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11 + docker run --rm --entrypoint "renovate-config-validator" \ + -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \ + ${RENOVATE_IMAGE} "/renovate.json5" 
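Review bot: The new header overstates what the workflow does: it says it "prevents non-valid configuration to be used by Renovate", but a `pull_request` check only reports; nothing blocks a merge unless the `validate` job is made a required status check in branch protection or rulesets, and a direct push to `master` bypasses it entirely. Suggest `# Reports an invalid .github/renovate.json5 on pull requests; make the "validate" job a required status check to block merges.` and `# This workflow validates changes proposed to the Renovate configuration file`. Apart from the header the hunk re-adds the file unchanged, so the `renovate:40.11` image pinned by mutable tag carries over from the first patch.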
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index eda2528f..2e2a0674 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
@@ -1,47 +1,84 @@ -name: Renovate -on: - schedule: - # daily - - cron: "0 2 * * *" - - # allow to manually trigger this workflow - workflow_dispatch: - inputs: - dry-run: - description: "Run Renovate in dry-run mode (no PR)" - required: false - default: false - type: boolean - -permissions: {} - -jobs: - renovate: - permissions: - contents: read - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Get token - id: get-github-app-token - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 - with: - app-id: ${{ secrets.RENOVATE_APP_ID }} - private-key: ${{ secrets.RENOVATE_APP_PEM }} - - - name: Self-hosted Renovate - uses: renovatebot/github-action@13f127373fd3dc43b41b0979e37ba570d6c2b8f4 # v43.0.0 - with: - configurationFile: .github/renovate.json5 - token: "${{ steps.get-github-app-token.outputs.token }}" - env: - LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }} - # Dry run if the event is workflow_dispatch AND the dry-run input is true - RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }} - RENOVATE_PLATFORM: github - RENOVATE_REPOSITORIES: ${{ github.repository }} +# Dependencies Management Workflow +# +# This workflow automates the dependence management based on self-hosed Renovate +# ensure the project's dependencies remains up-to-date and security fixes are delivered regularly. +# +# Key Features: +# - Automated PR creation into pyproject.toml and uv.lock regeneration +# - Dry-run for debug purposes +# - Dependency dashboard (is available in GitHub issues) maintenance +# +# Process Stages: +# +# 1. Dependencies Management: +# - Runs on a daily schedule. +# - Identifies dependencies that may be updated based on .github/renovate.json5 configuration. 
+# - Opens corresponding PRs with respect to schedule defined in Renovate config file. +# - Updates Renovate Dependency dashboard that is available in GitHub issues. +# +# Required Secrets: +# - RENOVATE_APP_ID: application ID +# - RENOVATE_APP_PEM: application private key +# +# Example Usage: +# 1. Scheduled Run: +# Automatically runs, daily +# +# 2. Manual Trigger: +# workflow_dispatch: +# inputs: +# dry-run: +# description: "Run Renovate in dry-run mode (no PR)" +# required: false +# default: false +# type: boolean +# +# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues. + +name: Renovate +on: + schedule: + # daily + - cron: "0 2 * * *" + + # allow to manually trigger this workflow + workflow_dispatch: + inputs: + dry-run: + description: "Run Renovate in dry-run mode (no PR)" + required: false + default: false + type: boolean + +permissions: {} + +jobs: + renovate: + permissions: + contents: read + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Get token + id: get-github-app-token + uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + with: + app-id: ${{ secrets.RENOVATE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APP_PEM }} + + - name: Self-hosted Renovate + uses: renovatebot/github-action@13f127373fd3dc43b41b0979e37ba570d6c2b8f4 # v43.0.0 + with: + configurationFile: .github/renovate.json5 + token: "${{ steps.get-github-app-token.outputs.token }}" + env: + LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }} + # Dry run if the event is workflow_dispatch AND the dry-run input is true + RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }} + RENOVATE_PLATFORM: github + RENOVATE_REPOSITORIES: ${{ github.repository }} 
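Review bot: The header comment has typos and one gap that matters for least privilege: "self-hosed" → "self-hosted", "automates the dependence management" → "automates dependency management", "dependencies remains" → "dependencies remain", and "Automated PR creation into pyproject.toml and uv.lock regeneration" → "Automated PRs updating pyproject.toml and regenerating uv.lock". The "Required Secrets" list names `RENOVATE_APP_ID` and `RENOVATE_APP_PEM` but not the permissions the App behind them must hold; because renovate.json5 enables the `github-actions` manager, the App needs the Workflows permission to push changes under `.github/workflows/`, and the dependency dashboard needs Issues write, so record those next to the secrets: `# - The App must have Contents, Pull requests, Issues and Workflows write; see renovate.json5`. The "Manual Trigger" example repeats the `workflow_dispatch` block verbatim and will drift; a one-line pointer to the Actions tab and the dry-run checkbox is enough. Apart from the header the hunk re-adds the file unchanged.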
From e38a8da050899f924b6e636e7c4105f7b02cb3ac Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 14:37:06 +0100 Subject: [PATCH 6/9] revert lock and toml Signed-off-by: Barabanov --- pyproject.toml | 2 +- uv.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index a15723a2..0bddbbd6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -57,7 +57,7 @@ docs = [ "graphviz", ] build = [ - "nanobind==2.7.0", + "nanobind==2.8.0", ] [project.urls] diff --git a/uv.lock b/uv.lock index 52eb76bf..900130dc 100644 --- a/uv.lock +++ b/uv.lock @@ -1597,11 +1597,11 @@ wheels = [ [[package]] name = "nanobind" -version = "2.7.0" +version = "2.8.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/d8/7d/f77f2bc2e2a210502a164556f8a742cd0f72f39061b97cb9d73bbd3ff0ab/nanobind-2.7.0.tar.gz", hash = "sha256:f9f1b160580c50dcf37b6495a0fd5ec61dc0d95dae5f8004f87dd9ad7eb46b34", size = 976093, upload-time = "2025-04-18T01:17:37.187Z" } +sdist = { url = "https://files.pythonhosted.org/packages/69/7c/cc6e525b89cca06b9fab7ecb91a11c3fd8258b158897cc804679fcc7b203/nanobind-2.8.0.tar.gz", hash = "sha256:94e7bf6aa1d7dff9566eddc15252aba94fdadbf67a99a169bfab34b708427cd8", size = 979153, upload-time = "2025-07-16T05:52:17.547Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/96/14/989883082b395146120d34ca7e484a2b24cb73b0e428576a3a4249bd4082/nanobind-2.7.0-py3-none-any.whl", hash = "sha256:73b12d0e751d140d6c1bf4b215e18818a8debfdb374f08dc3776ad208d808e74", size = 241690, upload-time = "2025-04-18T01:17:34.821Z" }, + { url = "https://files.pythonhosted.org/packages/fc/3f/d81fa4c0d1450c6f58f5b5708082617949c12c5e98c1fae0d94a9e3a9b8f/nanobind-2.8.0-py3-none-any.whl", hash = "sha256:80fd403cfe4c8553b237ba5fbb62971921e2c5d1e6eb4a2fd457c67f987ab56f", size = 242647, upload-time = "2025-07-16T05:52:15.848Z" }, ] [[package]] 
@@ -2087,7 +2087,7 @@ requires-dist = [ { name = "graphviz", marker = "extra == 'docs'" }, { name = "httpx", marker = "extra == 'tests'" }, { name = "myst-parser", marker = "extra == 'docs'" }, - { name = "nanobind", marker = "extra == 'build'", specifier = "==2.7.0" }, + { name = "nanobind", marker = "extra == 'build'", specifier = "==2.8.0" }, { name = "nbsphinx", marker = "extra == 'docs'" }, { name = "numpy", specifier = ">=1.16.6" }, { name = "onnx", marker = "extra == 'tests'" }, From d08a6e38c55e56dd76f74db7155103fc04142cf8 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 14:45:03 +0100 Subject: [PATCH 7/9] zizmor config update Signed-off-by: Barabanov --- .github/workflows/pre_commit.yml | 4 ++-- .pre-commit-config.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml index 1a265c02..8006b12c 100644 --- a/.github/workflows/pre_commit.yml +++ b/.github/workflows/pre_commit.yml @@ -69,8 +69,8 @@ jobs: uses: open-edge-platform/anomalib/.github/actions/security/zizmor@f6ec1c57363a9894ff57184a5bfb78efa8f3de1b with: scan-scope: "changed" - severity-level: "MEDIUM" - confidence-level: "HIGH" + severity-level: "LOW" + confidence-level: "LOW" fail-on-findings: true Bandit-Scan-PR: runs-on: ubuntu-latest diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 94f62310..760c9674 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,10 +42,10 @@ repos: # zizmor detects security issues in GitHub Actions workflows. - repo: https://github.com/woodruffw/zizmor-pre-commit - rev: v1.9.0 + rev: v1.11.0 hooks: - id: zizmor - args: ["--min-severity", "medium", "--min-confidence", "high"] + args: ["--min-severity", "low", "--min-confidence", "low"] # add bandit for security checks - repo: https://github.com/PyCQA/bandit From 30f1549c1f699ef871570b410124f17903f13b64 Mon Sep 17 00:00:00 2001 
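Review bot: `rev: v1.11.0` for the zizmor hook in .pre-commit-config.yaml is a mutable tag that nothing keeps current: renovate.json5 in this series enables only `github-actions` and `pep621`, and Renovate's `pre-commit` manager is disabled by default, so the hook will drift from whatever zizmor version the CI action runs; add `enabledManagers: ["github-actions", "pep621", "pre-commit"],` in renovate.json5 (pre-commit also accepts a full commit SHA in `rev` if you want the same immutability the workflows get from `helpers:pinGitHubActionDigests`). Lowering both thresholds to `"LOW"` with `fail-on-findings: true` in .github/workflows/pre_commit.yml means informational and low-confidence findings now fail the job; that is a defensible bar for a security-focused repo, but it should be stated in the commit message or a comment so a later contributor does not quietly raise it again. The pre-commit `args` and the action inputs now encode the same policy in two places; a comment pointing from one to the other keeps them in step.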
From: Barabanov Date: Wed, 20 Aug 2025 15:05:34 +0100 Subject: [PATCH 8/9] zizmor issues Signed-off-by: Barabanov --- .github/workflows/docs.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0d632458..3baf5b08 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -70,22 +70,24 @@ jobs: echo "Branch gh-pages already exists" fi - name: Commit docs to gh-pages branch + env: + RELEASE_VERSION: ${{ env.RELEASE_VERSION }} run: | git fetch git checkout gh-pages mkdir -p /tmp/docs_build cp -r docs/build/html/* /tmp/docs_build/ - rm -rf ${{ env.RELEASE_VERSION }}/* + rm -rf "$RELEASE_VERSION"/* echo '' > index.html - mkdir -p ${{ env.RELEASE_VERSION }} - cp -r /tmp/docs_build/* ./${{ env.RELEASE_VERSION }} + mkdir -p "$RELEASE_VERSION" + cp -r /tmp/docs_build/* ./"$RELEASE_VERSION" rm -rf /tmp/docs_build git config --local user.email "action@github.com" git config --local user.name "GitHub Action" - if [[ ${{ env.RELEASE_VERSION }} != 'test_build' ]]; then - ln -sfn ${{ env.RELEASE_VERSION }} latest + if [[ "$RELEASE_VERSION" != 'test_build' ]]; then + ln -sfn "$RELEASE_VERSION" latest fi - git add ./latest ${{ env.RELEASE_VERSION }} + git add ./latest "$RELEASE_VERSION" git add index.html git commit -m "Update documentation" -a || true - name: Push changes From f92494907a4aed4b3f1fa6ccda33605dcddae91b Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 20 Aug 2025 17:29:06 +0100 Subject: [PATCH 9/9] added openssf badge Signed-off-by: Barabanov --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 005006c1..f64f30f1 100644 --- a/README.md +++ b/README.md 
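Review bot: Moving `env.RELEASE_VERSION` into a shell variable removes the expression injection, but the script still has no guard before `rm -rf "$RELEASE_VERSION"/*`: with an empty variable the glob becomes `/*`, and a value containing `/` or `..` (the variable is set outside this hunk, presumably from a ref or tag name) would make `rm -rf`, `mkdir -p`, `ln -sfn` and `git add` act outside the intended directory. Add at the top of the script `: "${RELEASE_VERSION:?RELEASE_VERSION must be set}"` and `case "$RELEASE_VERSION" in */*|.|..) echo "bad RELEASE_VERSION" >&2; exit 1;; esac`. The step's earlier siblings, where RELEASE_VERSION is computed, are outside the hunk.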
@@ -13,6 +13,7 @@ [![Build Docs](https://github.com/open-edge-platform/model_api/actions/workflows/docs.yml/badge.svg)](https://github.com/open-edge-platform/model_api/actions/workflows/docs.yml) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-edge-platform/model_api/badge)](https://scorecard.dev/viewer/?uri=github.com/open-edge-platform/model_api) ## Introduction