Update nanobind requirement from >=2.9 to >=2.12.0 in /python

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      actions-minor-patch:
+        update-types: ["minor", "patch"]
+
+  - package-ecosystem: "pip"
+    directory: "/python"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      python-minor-patch:
+        update-types: ["minor", "patch"]
+
+  - package-ecosystem: "pip"
+    directory: "/utils/mlir_aie_wheels"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 3
+
+  - package-ecosystem: "pip"
+    directory: "/utils/mlir_wheels"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 3

.github/workflows/scorecard.yml

@@ -0,0 +1,44 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '32 7 * * 2'
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736  # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4  # v3.22.12
+        with:
+          sarif_file: results.sarif

SECURITY.md

@@ -0,0 +1,35 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you believe you have found a security vulnerability in mlir-aie, please
+report it privately rather than opening a public issue.
+
+The preferred channel is GitHub's private vulnerability reporting:
+
+  https://github.com/Xilinx/mlir-aie/security/advisories/new
+
+This opens a private advisory thread visible only to the maintainers. You
+should expect an initial acknowledgement within 5 business days.
+
+Please include, where possible:
+- A description of the vulnerability and its potential impact.
+- Steps to reproduce, or a minimal proof-of-concept.
+- The commit hash or release tag the issue was observed against.
+- Any suggested mitigation.
+
+## Supported Versions
+
+mlir-aie tracks the tip of `main`. Security fixes are applied to `main` and
+will appear in the next wheel build; older wheel releases are not patched
+in place.
+
+## Scope
+
+In-scope: code in this repository, including build tooling, Python
+bindings, and CI workflows.
+
+Out-of-scope: vulnerabilities in upstream LLVM/MLIR (please report to the
+LLVM project), in the AMD XDNA driver (please report through AMD's
+disclosure channel), or in third-party dependencies (please report to the
+respective project).

python/requirements_dev.txt

@@ -5,7 +5,7 @@ wheel
 ninja!=1.13.0
 cibuildwheel
 pre-commit
-nanobind>=2.9
+nanobind>=2.12.0
 lit
 matplotlib
 # lit requires psutil to set timeouts