diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000000..7889ed8f7ea --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,31 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + groups: + actions-minor-patch: + update-types: ["minor", "patch"] + + - package-ecosystem: "pip" + directory: "/python" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + groups: + python-minor-patch: + update-types: ["minor", "patch"] + + - package-ecosystem: "pip" + directory: "/utils/mlir_aie_wheels" + schedule: + interval: "weekly" + open-pull-requests-limit: 3 + + - package-ecosystem: "pip" + directory: "/utils/mlir_wheels" + schedule: + interval: "weekly" + open-pull-requests-limit: 3 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000000..07c886fc8e9 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,44 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '32 7 * * 2' + push: + branches: [ "main" ] + workflow_dispatch: + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + actions: read + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: Upload artifact + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 + with: + sarif_file: results.sarif diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..44fffff3c20 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,35 @@ +# Security Policy + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability in mlir-aie, please +report it privately rather than opening a public issue. + +The preferred channel is GitHub's private vulnerability reporting: + + https://github.com/Xilinx/mlir-aie/security/advisories/new + +This opens a private advisory thread visible only to the maintainers. You +should expect an initial acknowledgement within 5 business days. + +Please include, where possible: +- A description of the vulnerability and its potential impact. +- Steps to reproduce, or a minimal proof-of-concept. +- The commit hash or release tag the issue was observed against. +- Any suggested mitigation. + +## Supported Versions + +mlir-aie tracks the tip of `main`. Security fixes are applied to `main` and +will appear in the next wheel build; older wheel releases are not patched +in place. + +## Scope + +In-scope: code in this repository, including build tooling, Python +bindings, and CI workflows. + +Out-of-scope: vulnerabilities in upstream LLVM/MLIR (please report to the +LLVM project), in the AMD XDNA driver (please report through AMD's +disclosure channel), or in third-party dependencies (please report to the +respective project). diff --git a/python/requirements.txt b/python/requirements.txt index 9d82d471504..a1f316aac7a 100644 --- a/python/requirements.txt +++ b/python/requirements.txt @@ -4,7 +4,7 @@ dataclasses>=0.6,<=0.8; python_version < "3.7" # NumPy: 1.26.x tops out at Python 3.12; NumPy 2.1+ for Python 3.13+ # pyxrt may or may not function properly with cp313/cp314 numpy>=1.19.5,<2.0; python_version < "3.13" -numpy>=2.1.0,<3.0; python_version >= "3.13" +numpy>=2.4.4,<3.0; python_version >= "3.13" rich ml_dtypes cloudpickle # required by eudsl when it is vendored instead of installed