Merge branch 'develop' into dvander

Author: headlessNode

.editorconfig

@@ -165,6 +165,15 @@ indent_style = tab
 indent_style = space
 indent_size = 2
 
+# Ignore generated lock files for GitHub Agentic Workflows:
+[*.lock.yml]
+charset = unset
+end_of_line = unset
+indent_style = unset
+indent_size = unset
+trim_trailing_whitespace = unset
+insert_final_newline = unset
+
 # Set properties for GYP files:
 [binding.gyp]
 indent_style = space

.gitattributes

@@ -64,3 +64,5 @@ Makefile linguist-vendored
 
 # Configure files which should be included in GitHub language statistics:
 docs/types/*.d.ts -linguist-documentation
+
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/aw/actions-lock.json

@@ -0,0 +1,14 @@
+{
+  "entries": {
+    "actions/github-script@v8": {
+      "repo": "actions/github-script",
+      "version": "v8",
+      "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
+    },
+    "github/gh-aw-actions/setup@v0.61.2": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.61.2",
+      "sha": "71cfb3cbe2002225f9d5afa180669fff36b86ea2"
+    }
+  }
+}

.github/workflows/check_pr_issue_references.lock.yml

@@ -0,0 +1,136 @@
+---
+description: >
+  Checks whether issue/PR references in a PR body are actually related to the PR.
+  Posts an informational comment when suspicious references are detected.
+
+run-name: check_pr_issue_references
+
+on:
+  schedule: every 6h
+  workflow_dispatch:
+    inputs:
+      pr_numbers:
+        description: 'Comma-separated PR numbers to check (leave empty to auto-discover recent PRs)'
+        required: false
+        type: string
+
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
+engine:
+  id: copilot
+
+tools:
+  github:
+    toolsets: [issues, pull_requests, repos]
+    lockdown: false
+    min-integrity: none
+    repos: all
+
+network:
+  allowed:
+    - defaults
+
+safe-outputs:
+  add-comment:
+    max: 10
+  noop:
+    max: 10
+
+timeout-minutes: 10
+---
+
+# Check PR Issue References
+
+You are a reference validator for the stdlib-js/stdlib repository. Your task is
+to check whether issue/PR references in pull request descriptions are actually
+related to the PRs.
+
+## Step 1: Discover PRs to Check
+
+If `${{ github.event.inputs.pr_numbers }}` is provided, parse it as a
+comma-separated list of PR numbers and fetch those PRs.
+
+Otherwise, use the GitHub tool to list open pull requests in `stdlib-js/stdlib`,
+sorted by `updated` in descending order. Filter to PRs whose `updated_at` is
+within the last 7 hours. If no PRs match, call `noop` with "No recently updated
+PRs found" and stop.
+
+Process at most 10 PRs per run.
+
+## Step 2: Check for Existing Comments (Deduplication)
+
+For each PR, before analyzing it:
+
+1. List comments on the PR using the GitHub tool.
+2. If any comment body contains the heading `**Issue Reference Review**`, this
+   PR was already checked. Skip it and call `noop` with "PR #X already has an
+   Issue Reference Review comment. Skipping."
+3. If no such comment exists, proceed to Step 3.
+
+## Step 3: Extract and Assess References
+
+For each PR that passes deduplication:
+
+1. **Extract all issue/PR references** from the PR body. Look for:
+   - `#123` (bare references)
+   - `stdlib-js/stdlib#123` (qualified references)
+   - `https://github.com/stdlib-js/stdlib/issues/123` (URL references)
+   - Pay special attention to closing keywords: Resolves, Closes, Fixes (and variants)
+
+2. **For each referenced issue/PR**, fetch its title and body using the GitHub tool.
+
+3. **Assess whether each reference is plausibly related** to the pull request:
+   - **related**: Clear topical connection (same package, same feature area, PR addresses the issue)
+   - **suspicious**: Connection is unclear or tenuous
+   - **unrelated**: Completely different topics, packages, or feature areas
+
+## Assessment Guidelines
+
+- stdlib is a large numerical/scientific computing library with thousands of packages
+  (e.g., `@stdlib/math/base/special/sin`, `@stdlib/stats/incr/mean`)
+- A PR adding a new package often references the issue that requested it — this is VALID
+- A PR fixing tests/benchmarks/docs for a package may reference the original creation issue — VALID
+- References to "Tracking Issues" (issues listing many sub-tasks) are usually VALID
+- PRs may reference broad project-wide issues — give benefit of the doubt
+- **When in doubt, lean toward "related".** False positives are worse than false negatives.
+- If a PR has no issue references at all, that is fine — call noop.
+- If a PR has more than 10 references, call noop (too many to meaningfully assess).
+
+## Safe Outputs
+
+When calling `add-comment`, you **MUST** set the `item_number` parameter to the
+PR number so the comment is posted on the correct PR.
+
+- **If ALL references appear related** (or there are no references): Call `noop` with a
+  brief explanation like "All N issue references in PR #X appear related."
+
+- **If any references appear suspicious or unrelated**: Use `add-comment` to post a
+  comment on the PR:
+
+  > ⚠️ **Issue Reference Review**
+  >
+  > An automated check found potentially unrelated issue/PR references in this PR:
+  >
+  > | Reference | Assessment | Reasoning |
+  > | --- | --- | --- |
+  > | #123 | suspicious | PR adds math/sin but issue is about string/trim |
+  >
+  > **Why this matters:** GitHub automatically closes issues referenced with closing
+  > keywords (Resolves, Closes, Fixes) when the PR is merged. Incorrect references
+  > can accidentally close unrelated issues.
+  >
+  > **What to do:**
+  > - If the reference is correct, no action needed. This check may produce false positives.
+  > - If the reference is incorrect, please update your PR description.
+  >
+  > *This assessment was generated by an AI model and is informational only.*
+
+  Only include suspicious/unrelated references in the table, not related ones.
+
+## Important Notes
+
+- Process each PR independently. A failure on one PR should not prevent checking others.
+- A `noop` call is expected for each PR that is skipped or has all-valid references.

.github/workflows/check_pr_issue_references.md

@@ -106,7 +106,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}

.github/workflows/generate_monthly_changelog.yml

@@ -120,7 +120,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}

.github/workflows/git_note_amend_message.yml

@@ -129,7 +129,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}

.github/workflows/git_note_filter_packages.yml

@@ -161,7 +161,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}

.github/workflows/lint_autofix.yml

@@ -75,7 +75,7 @@ jobs:
       # Restore cache if up-to-date:
       - name: 'Restore cache if up-to-date'
         # Pin action to full length commit SHA
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         id: cache
         with:
           path: |
@@ -138,7 +138,7 @@ jobs:
       # Save cache after editorconfig-checker binary has been downloaded:
       - name: 'Save cache after editorconfig-checker binary has been downloaded'
         if: always() && steps.cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ github.workspace }}/node_modules
           key: ${{ steps.cache.outputs.cache-primary-key }}
@@ -147,7 +147,7 @@ jobs:
       - name: 'Lint Markdown files'
         if: success() || failure()
         run: |
-          files=$(echo "${{ steps.changed-files.outputs.files }}" | tr ' ' '\n' | grep -E '\.md$' | tr '\n' ' ' | sed 's/ $//')
+          files=$(echo "${{ steps.changed-files.outputs.files }}" | tr ' ' '\n' | grep -E '\.md$' | grep -v '^\.github/workflows/.*\.md$' | tr '\n' ' ' | sed 's/ $//')
           if [ -n "${files}" ]; then
             make lint-markdown-files FILES="${files}"
           fi
@@ -274,7 +274,7 @@ jobs:
         # Pin action to full length commit SHA
         uses: r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4
         with:
-          r-version: '3.5.3'
+          r-version: '4.3.3'
 
       # Lint R files:
       - name: 'Lint R files'
@@ -345,7 +345,7 @@ jobs:
       - name: 'Lint license headers'
         if: success() || failure()
         run: |
-          files=$(echo "${{ steps.changed-files.outputs.files }}")
+          files=$(echo "${{ steps.changed-files.outputs.files }}" | tr ' ' '\n' | grep -v '\.github/workflows/.*\.md$' | grep -v '\.lock\.yml$' | tr '\n' ' ' | sed 's/ $//')
           if [[ -n "${files}" ]]; then
             make lint-license-headers-files FILES="${files}"
           fi