Update build tooling and CI/CD pipeline

- Upgrade to Python 3.13 and fully migrate to uv
- Upgrade security hardening for GitHub actions
- Add zizmor workflow auditing, ruff formatting, and docformatter
- Fix deprecated ruff/mypy configs and standardize on ruff
- Remove use of black

Author: cjdsellers

.github/workflows/build.yml

@@ -2,25 +2,71 @@ name: build
 
 # Build and test the NautilusTrader example data image
 
+permissions: # Principle of least privilege
+  contents: read
+
 on:
   push:
     branches: [main]
   pull_request:
-    branches: [main]
+    branches: ['*']
 
 jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      # https://github.com/step-security/harden-runner
+      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        # https://github.com/actions/checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        # https://github.com/actions/setup-python
+        uses: actions/setup-python@cae9d6a5c961a2c267bc955ecf8d27bc955b2e83 # v5.4.0
+        with:
+          python-version: "3.13"
+
+      - name: Install uv
+        # https://github.com/astral-sh/setup-uv
+        uses: astral-sh/setup-uv@1b6072f24a1f5e1bf6797b14bb96e52cf5e1f027 # v5.0.1
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Run pre-commit
+        run: uv run pre-commit run --all-files
+
   docker-image:
     runs-on: ubuntu-latest
+    needs:
+      - pre-commit
+    permissions:
+      contents: read
+      packages: write
     steps:
-      - name: Set up QEMU
-        # https://github.com/docker/setup-qemu-action
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      # https://github.com/step-security/harden-runner
+      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        # https://github.com/actions/checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         # https://github.com/docker/setup-buildx-action
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Login to GHCR
+        if: github.event_name == 'push'
         # https://github.com/docker/login-action
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
@@ -33,19 +79,19 @@ jobs:
         run: |
           echo "current_branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
 
-      - name: image name
-        run: echo ghcr.io/${{ github.repository }}:${{ steps.branch-name.outputs.current_branch }}
-
-      - name: Build backend
+      - name: Build and push Docker image
         id: docker_build
         # https://github.com/docker/build-push-action
         uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
-          file: "Dockerfile"
-          push: true
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name == 'push' }}
           tags: ghcr.io/${{ github.repository }}:${{ steps.branch-name.outputs.current_branch }}
           cache-from: type=gha
-          cache-to: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Image digest
+        if: github.event_name == 'push'
         run: echo ${{ steps.docker_build.outputs.digest }}

.pre-commit-config.yaml

@@ -3,16 +3,16 @@ repos:
   #  General checks
   ##############################################################################
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
-      - id: fix-encoding-pragma
-        args: [--remove]
       - id: end-of-file-fixer
-        types_or: [python]
+        types_or: [python, markdown]
+      - id: mixed-line-ending
       - id: trailing-whitespace
-        types_or: [python]
+        types_or: [python, markdown]
       - id: debug-statements
       - id: detect-private-key
+      - id: check-added-large-files
       - id: check-builtin-literals
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -29,37 +29,60 @@ repos:
       - id: codespell
         description: Checks for common misspellings.
         types_or: [python, cython, rst, markdown]
+        args: ["-L", "ACN,crate,ot,socio-economic,zar"]
+
+  ##############################################################################
+  #  Custom hooks
+  ##############################################################################
+  - repo: local
+    hooks:
+      - id: zizmor
+        name: zizmor (audit GitHub actions)
+        description: Audit GitHub Actions workflows
+        language: python
+        additional_dependencies: [zizmor]
+        entry: zizmor
+        files: '^\.github/workflows/.*\.ya?ml$'
+        pass_filenames: false
+        args: ["--no-online-audits", "--min-severity", "medium", ".github/workflows"]
 
   ##############################################################################
   #  Python formatting and linting
   ##############################################################################
   - repo: https://github.com/asottile/add-trailing-comma
-    rev: v3.1.0
+    rev: v3.2.0
     hooks:
       - id: add-trailing-comma
         name: add-trailing-comma
         types: [python]
 
-  - repo: https://github.com/psf/black
-    rev: 25.1.0
-    hooks:
-      - id: black
-        types_or: [python, pyi]
-        entry: "black"
-
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.4
+    rev: v0.13.1
     hooks:
       - id: ruff
         args: ["--fix"]
+      - id: ruff-format
+
+  - repo: https://github.com/PyCQA/docformatter
+    rev: v1.7.7
+    hooks:
+      - id: docformatter
+        additional_dependencies: [tomli]
+        args: [
+          "--black",
+          "--make-summary-multi-line",
+          "--pre-summary-newline",
+          "--blank",
+          "--recursive",
+          "--in-place",
+        ]
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.15.0
+    rev: v1.18.2
     hooks:
       - id: mypy
-        args: [--no-strict-optional, --ignore-missing-imports, --warn-no-return, --explicit-package-bases]
+        args: ["--config", "pyproject.toml"]
         additional_dependencies: [types-pytz, types-redis, types-toml, types-requests, msgspec]
-        exclude: "nautilus_server/backend/api_v1/endpoints/models*"
 
   - repo: https://github.com/kynan/nbstripout
     rev: 0.8.1

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12-slim AS base
+FROM python:3.13-slim AS base
 ENV PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
     PIP_NO_CACHE_DIR=off \
@@ -29,7 +29,7 @@ FROM base AS application
 ENV CATALOG_PATH=/catalog
 
 # Copy python environment from builder
-COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
+COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
 COPY ./nautilus_data $PYSETUP_PATH/nautilus_data
 
 # Ensure the catalog and backtest directories exist

Makefile

@@ -1,33 +1,125 @@
+# Variables
+# -----------------------------------------------------------------------------
 PROJECT?=nautechsystems/nautilus_data
 REGISTRY?=ghcr.io/
-IMAGE?=${REGISTRY}${PROJECT}
+IMAGE?=$(REGISTRY)$(PROJECT)
 GIT_TAG:=$(shell git rev-parse --abbrev-ref HEAD)
-IMAGE_FULL?=${IMAGE}:${GIT_TAG}
-PYTHON_EXECUTABLE:=$(shell which python3)
-NAUTILUS_PATH:="${HOME}/.nautilus"
+IMAGE_FULL?=$(IMAGE):$(GIT_TAG)
 
-########################################
-#  Docker development commands
-########################################
-docker-build:
-	(docker pull ${IMAGE} || true)
-	(docker build --platform linux/x86_64 -t ${IMAGE_FULL} .)
+V = 0  # 0 / 1 - verbose mode
+Q = $(if $(filter 1,$V),,@) # Quiet mode, suppress command output
+M = $(shell printf "$(BLUE)>$(RESET)") # Message prefix for commands
 
-docker-build-force:
-	(docker build --no-cache -t ${IMAGE_FULL} ./.. )
+# > Colors
+RED    := $(shell tput -Txterm setaf 1)
+GREEN  := $(shell tput -Txterm setaf 2)
+YELLOW := $(shell tput -Txterm setaf 3)
+BLUE   := $(shell tput -Txterm setaf 4)
+PURPLE := $(shell tput -Txterm setaf 5)
+CYAN   := $(shell tput -Txterm setaf 6)
+GRAY   := $(shell tput -Txterm setaf 7)
+RESET  := $(shell tput -Txterm sgr0)
 
-docker-push:
-	(docker push ${IMAGE_FULL} )
+.DEFAULT_GOAL := help
 
-########################################
-# Development commands
-########################################
+#== Installation
 
-update:
-	poetry update
+.PHONY: install
+install:  #-- Install dependencies using uv
+	$(info $(M) Installing dependencies...)
+	$Q uv sync
 
-pre-commit:
-	pre-commit run --all-files
+.PHONY: install-dev
+install-dev:  #-- Install all development dependencies
+	$(info $(M) Installing development dependencies...)
+	$Q uv sync --all-groups
 
-clean:
+.PHONY: update
+update:  #-- Update dependencies using uv
+	$(info $(M) Updating dependencies...)
+	$Q uv sync --upgrade
+
+#== Clean
+
+.PHONY: clean
+clean: clean-caches  #-- Clean all caches and build artifacts
+	$(info $(M) Cleaning all caches and build artifacts...)
+	$Q rm -rf dist build 2>/dev/null || true
+
+.PHONY: clean-caches
+clean-caches:  #-- Clean pytest, mypy, ruff, and uv caches
+	$Q rm -rf .pytest_cache .mypy_cache .ruff_cache 2>/dev/null || true
+	$Q find . -type d -name "__pycache__" -not -path "./.venv*" -print0 | xargs -0 -r rm -rf
+	$Q find . -type f -name "*.pyc" -not -path "./.venv*" -print0 | xargs -0 -r rm -f
+
+.PHONY: distclean
+distclean: clean  #-- Nuclear clean - remove all untracked files (requires FORCE=1)
+	@[ "$$FORCE" = 1 ] || { echo "Pass FORCE=1 to really nuke"; exit 1; }
+	@echo "⚠️  nuking working tree (git clean -fxd)…"
 	git clean -fxd
+
+#== Code Quality
+
+.PHONY: format
+format:  #-- Format code using ruff
+	$(info $(M) Formatting code with ruff...)
+	$Q uv run --no-sync ruff format .
+
+.PHONY: pre-commit
+pre-commit:  #-- Run all pre-commit hooks on all files
+	$(info $(M) Running pre-commit hooks...)
+	$Q uv run --no-sync pre-commit run --all-files
+
+.PHONY: ruff
+ruff:  #-- Run ruff linter with automatic fixes
+	$(info $(M) Running ruff linter with fixes...)
+	$Q uv run --no-sync ruff check . --fix
+
+.PHONY: mypy
+mypy:  #-- Run mypy static type checker
+	$(info $(M) Running mypy type checker...)
+	$Q uv run --no-sync mypy .
+
+#== Testing
+
+.PHONY: pytest
+pytest:  #-- Run Python tests with pytest
+	$(info $(M) Running pytest...)
+	$Q uv run --no-sync pytest
+
+#== Docker
+
+.PHONY: docker-build
+docker-build:  #-- Build Docker image
+	$(info $(M) Building Docker image $(IMAGE_FULL)...)
+	$Q docker pull $(IMAGE) || true
+	$Q docker build --platform linux/x86_64 -t $(IMAGE_FULL) .
+
+.PHONY: docker-build-force
+docker-build-force:  #-- Force rebuild Docker image without cache
+	$(info $(M) Force rebuilding Docker image $(IMAGE_FULL)...)
+	$Q docker build --no-cache -t $(IMAGE_FULL) .
+
+.PHONY: docker-push
+docker-push:  #-- Push Docker image to registry
+	$(info $(M) Pushing Docker image $(IMAGE_FULL)...)
+	$Q docker push $(IMAGE_FULL)
+
+#== Help
+
+.PHONY: help
+help:  #-- Show this help message
+	@echo "$(CYAN)Nautilus Data Makefile$(RESET)"
+	@echo ""
+	@echo "$(YELLOW)Usage:$(RESET)"
+	@echo "  make [target] [V=1] [OPTION=value]"
+	@echo ""
+	@echo "$(YELLOW)Available targets:$(RESET)"
+	@grep -E '^[a-zA-Z0-9_%/-]+:.*#--' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = ":.*#--"}; \
+		{gsub(/^[^:]*:/, "", $$1); \
+		printf "  $(GREEN)%-20s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(YELLOW)Options:$(RESET)"
+	@echo "  $(BLUE)V=1$(RESET)              Enable verbose output"
+	@echo "  $(BLUE)FORCE=1$(RESET)          Required for distclean target"

bench_data/check_invariant.py

@@ -5,9 +5,8 @@
 
 def check_file(file_name):
     """
-    Check if the 'start_ts' column is in ascending order and 'end_ts' for a row
-    groups comes before 'start_ts' of the next row group.
-
+    Check if the 'start_ts' column is in ascending order and 'end_ts' for a row groups
+    comes before 'start_ts' of the next row group.
     """
     df = pd.read_csv(file_name)
 
@@ -18,7 +17,7 @@ def check_file(file_name):
     # Check if 'end_ts' for a row comes before 'start_ts' of the next row
     for i in range(1, len(df)):
         if df.loc[i - 1, "end_ts"] > df.loc[i, "start_ts"]:
-            print(f"Row {i-1} and {i} fail the check:")
+            print(f"Row {i - 1} and {i} fail the check:")
             print(df.loc[[i - 1, i]])
 
 

bench_data/extract_groups.py

@@ -46,7 +46,9 @@
 
 
 def write_parquet_with_row_group(input_file, output_file, rows_per_row_group):
-    """Write a Parquet file with specified row group size."""
+    """
+    Write a Parquet file with specified row group size.
+    """
     df = pd.read_parquet(input_file)
 
     schema = quote_tick_schema if "quotes" in input_file else trade_tick_schema