Merge remote-tracking branch 'upstream/develop' into feat/stats-base-ndarray-smaxsorted-native

Author: stdlib-bot

.editorconfig

@@ -165,6 +165,15 @@ indent_style = tab
 indent_style = space
 indent_size = 2
 
+# Ignore generated lock files for GitHub Agentic Workflows:
+[*.lock.yml]
+charset = unset
+end_of_line = unset
+indent_style = unset
+indent_size = unset
+trim_trailing_whitespace = unset
+insert_final_newline = unset
+
 # Set properties for GYP files:
 [binding.gyp]
 indent_style = space

.gitattributes

@@ -64,3 +64,5 @@ Makefile linguist-vendored
 
 # Configure files which should be included in GitHub language statistics:
 docs/types/*.d.ts -linguist-documentation
+
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/aw/actions-lock.json

@@ -0,0 +1,14 @@
+{
+  "entries": {
+    "actions/github-script@v8": {
+      "repo": "actions/github-script",
+      "version": "v8",
+      "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
+    },
+    "github/gh-aw-actions/setup@v0.61.2": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.61.2",
+      "sha": "71cfb3cbe2002225f9d5afa180669fff36b86ea2"
+    }
+  }
+}

.github/workflows/check_licenses.yml

@@ -128,7 +128,7 @@ jobs:
       # Upload the log file:
       - name: 'Upload log file'
         # Pin action to full length commit SHA
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: always()
         with:
           # Define a name for the uploaded artifact:

.github/workflows/check_pr_issue_references.lock.yml

@@ -0,0 +1,136 @@
+---
+description: >
+  Checks whether issue/PR references in a PR body are actually related to the PR.
+  Posts an informational comment when suspicious references are detected.
+
+run-name: check_pr_issue_references
+
+on:
+  schedule: every 6h
+  workflow_dispatch:
+    inputs:
+      pr_numbers:
+        description: 'Comma-separated PR numbers to check (leave empty to auto-discover recent PRs)'
+        required: false
+        type: string
+
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
+engine:
+  id: copilot
+
+tools:
+  github:
+    toolsets: [issues, pull_requests, repos]
+    lockdown: false
+    min-integrity: none
+    repos: all
+
+network:
+  allowed:
+    - defaults
+
+safe-outputs:
+  add-comment:
+    max: 10
+  noop:
+    max: 10
+
+timeout-minutes: 10
+---
+
+# Check PR Issue References
+
+You are a reference validator for the stdlib-js/stdlib repository. Your task is
+to check whether issue/PR references in pull request descriptions are actually
+related to the PRs.
+
+## Step 1: Discover PRs to Check
+
+If `${{ github.event.inputs.pr_numbers }}` is provided, parse it as a
+comma-separated list of PR numbers and fetch those PRs.
+
+Otherwise, use the GitHub tool to list open pull requests in `stdlib-js/stdlib`,
+sorted by `updated` in descending order. Filter to PRs whose `updated_at` is
+within the last 7 hours. If no PRs match, call `noop` with "No recently updated
+PRs found" and stop.
+
+Process at most 10 PRs per run.
+
+## Step 2: Check for Existing Comments (Deduplication)
+
+For each PR, before analyzing it:
+
+1. List comments on the PR using the GitHub tool.
+2. If any comment body contains the heading `**Issue Reference Review**`, this
+   PR was already checked. Skip it and call `noop` with "PR #X already has an
+   Issue Reference Review comment. Skipping."
+3. If no such comment exists, proceed to Step 3.
+
+## Step 3: Extract and Assess References
+
+For each PR that passes deduplication:
+
+1. **Extract all issue/PR references** from the PR body. Look for:
+   - `#123` (bare references)
+   - `stdlib-js/stdlib#123` (qualified references)
+   - `https://github.com/stdlib-js/stdlib/issues/123` (URL references)
+   - Pay special attention to closing keywords: Resolves, Closes, Fixes (and variants)
+
+2. **For each referenced issue/PR**, fetch its title and body using the GitHub tool.
+
+3. **Assess whether each reference is plausibly related** to the pull request:
+   - **related**: Clear topical connection (same package, same feature area, PR addresses the issue)
+   - **suspicious**: Connection is unclear or tenuous
+   - **unrelated**: Completely different topics, packages, or feature areas
+
+## Assessment Guidelines
+
+- stdlib is a large numerical/scientific computing library with thousands of packages
+  (e.g., `@stdlib/math/base/special/sin`, `@stdlib/stats/incr/mean`)
+- A PR adding a new package often references the issue that requested it — this is VALID
+- A PR fixing tests/benchmarks/docs for a package may reference the original creation issue — VALID
+- References to "Tracking Issues" (issues listing many sub-tasks) are usually VALID
+- PRs may reference broad project-wide issues — give benefit of the doubt
+- **When in doubt, lean toward "related".** False positives are worse than false negatives.
+- If a PR has no issue references at all, that is fine — call noop.
+- If a PR has more than 10 references, call noop (too many to meaningfully assess).
+
+## Safe Outputs
+
+When calling `add-comment`, you **MUST** set the `item_number` parameter to the
+PR number so the comment is posted on the correct PR.
+
+- **If ALL references appear related** (or there are no references): Call `noop` with a
+  brief explanation like "All N issue references in PR #X appear related."
+
+- **If any references appear suspicious or unrelated**: Use `add-comment` to post a
+  comment on the PR:
+
+  > ⚠️ **Issue Reference Review**
+  >
+  > An automated check found potentially unrelated issue/PR references in this PR:
+  >
+  > | Reference | Assessment | Reasoning |
+  > | --- | --- | --- |
+  > | #123 | suspicious | PR adds math/sin but issue is about string/trim |
+  >
+  > **Why this matters:** GitHub automatically closes issues referenced with closing
+  > keywords (Resolves, Closes, Fixes) when the PR is merged. Incorrect references
+  > can accidentally close unrelated issues.
+  >
+  > **What to do:**
+  > - If the reference is correct, no action needed. This check may produce false positives.
+  > - If the reference is incorrect, please update your PR description.
+  >
+  > *This assessment was generated by an AI model and is informational only.*
+
+  Only include suspicious/unrelated references in the table, not related ones.
+
+## Important Notes
+
+- Process each PR independently. A failure on one PR should not prevent checking others.
+- A `noop` call is expected for each PR that is skipped or has all-valid references.

.github/workflows/check_pr_issue_references.md

@@ -106,7 +106,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}

.github/workflows/generate_monthly_changelog.yml

@@ -70,6 +70,11 @@ jobs:
           COMMIT_MESSAGE=$($GITHUB_WORKSPACE/.github/workflows/scripts/generate_pr_commit_message/run $PR_NUMBER)
           EXIT_CODE=$?
 
+          if [ $EXIT_CODE -eq 1 ]; then
+            echo "::error::Failed to generate commit message for PR #$PR_NUMBER"
+            exit 1
+          fi
+
           echo "commit_message<<EOF" >> $GITHUB_OUTPUT
           echo "$COMMIT_MESSAGE" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
@@ -80,9 +85,6 @@ jobs:
             echo "has_tracking_issue=false" >> $GITHUB_OUTPUT
           fi
 
-          # Ensure the script itself doesn't fail the workflow:
-          exit 0
-
       # Check if the commit message already exists in the PR comments:
       - name: 'Check if commit message already exists in PR comments'
         uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0

.github/workflows/generate_pr_commit_message.yml

@@ -120,7 +120,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}

.github/workflows/git_note_amend_message.yml

@@ -129,7 +129,7 @@ jobs:
       # Import GPG key to sign commits:
       - name: 'Import GPG key to sign commits'
         # Pin action to full length commit SHA
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.STDLIB_BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.STDLIB_BOT_GPG_PASSPHRASE }}