-**common-test-data**: caches large test data under `tests/test_data/large`.
14
-
-**common-wheel-build**: builds and installs Python wheels across Linux, macOS, and Windows for multiple Python versions.
14
+
-**common-wheel-build**: builds and installs Python wheels across Linux, macOS, and Windows for
15
+
multiple Python versions.
15
16
-**install-capnp**: installs the Cap'n Proto compiler with caching across Linux, macOS, and Windows.
16
17
-**publish-wheels**: publishes built wheels to Cloudflare R2, manages old wheel cleanup and index generation.
17
18
-**upload-artifact-wheel**: uploads the latest wheel artifact to GitHub Actions.
18
19
19
20
## Workflows (`.github/workflows`)
20
21
21
-
-**build.yml**: main CI pipeline - plan, pre-commit, cargo-deny, Rust tests, Python tests, wheel builds, and artifact uploads. Uses Depot 8-core runners for Linux and Windows builds. Includes a plan step that skips builds on docs-only changes and skips Rust tests on Python-only changes.
22
+
-**build.yml**: main CI pipeline - plan, pre-commit, cargo-deny, Rust tests, Python tests,
23
+
wheel builds, artifact uploads, release asset uploads, Trusted Publishing to PyPI and crates.io,
24
+
release attestations, registry verification, release checksum publication, and final GitHub
25
+
release publication and attestation verification. Uses Depot 8-core runners for Linux and Windows
26
+
builds. Includes a plan step that skips builds on docs-only changes and skips Rust tests on
27
+
Python-only changes.
22
28
-**build-v2.yml**: CI pipeline for the v2 Rust-native system. Uses Depot 8-core runners for Linux builds.
23
29
-**build-docs.yml**: dispatches documentation build on `master` and `nightly` pushes.
24
30
-**cli-binaries.yml**: builds and publishes CLI binaries for multiple platforms.
25
-
-**codeql-analysis.yml**: CodeQL security scans for Python and Rust on PRs and via cron.
31
+
-**codeql-analysis.yml**: CodeQL security scans for Python and Rust on PRs to `master`, pushes to
32
+
`nightly`, and manual dispatch.
26
33
-**copilot-setup-steps.yml**: environment setup for GitHub Copilot coding agent.
27
34
-**coverage.yml**: coverage report generation, currently paused and runs only on `workflow_dispatch`.
28
-
-**docker.yml**: builds and pushes multi-platform Docker images (`nautilus_trader`, `jupyterlab`) using Buildx and native ARM runners.
35
+
-**docker.yml**: builds and pushes multi-platform Docker images (`nautilus_trader`, `jupyterlab`)
36
+
using Buildx and native ARM runners.
29
37
-**nightly-docs-features-check.yml**: nightly docs.rs build checks and crate feature compatibility verification.
30
38
-**nightly-merge.yml**: auto-merges `develop` into `nightly` when CI succeeds.
31
-
-**nightly-tests.yml**: extended test suites too slow for PR builds - turmoil network tests plus macOS, Windows, and Linux ARM build-and-test jobs that run daily at 12:00 UTC to give early visibility on develop before `nightly-merge` at 14:00 UTC.
39
+
-**nightly-tests.yml**: extended test suites too slow for PR builds - turmoil network tests plus
40
+
macOS, Windows, and Linux ARM build-and-test jobs that run daily at 12:00 UTC to give early
41
+
visibility on develop before `nightly-merge` at 14:00 UTC.
32
42
-**performance.yml**: Rust/Python benchmarks on `nightly`, reporting to CodSpeed.
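Review bot: the expanded `build.yml` bullet now lists Trusted Publishing to PyPI and crates.io, release attestations, registry verification and final GitHub release publication, but says nothing about what gates those jobs, while the same bullet does spell out the plan step's skip rules for docs-only and Python-only changes. State the trigger for the publish stage (for example a release tag push, never a `pull_request` build) and that only those jobs are granted `id-token: write` for OIDC, so a reader can tell that a PR build cannot reach the publish steps. The single sentence now strings together the whole CI pipeline and the whole release pipeline; splitting it into a CI part and a release part would make it scannable. Separately, the `codeql-analysis.yml` description changes from "on PRs and via cron" to "PRs to `master`, pushes to `nightly`, and manual dispatch", which removes the scheduled run; if the cron schedule was really dropped, say that unchanged code on `master` is now only rescanned on manual dispatch, since scheduled scans are what pick up newly published query packs.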
-**CODEOWNERS**: Critical infrastructure files (workflows, dependencies, build configs, scripts) require Core team review before merge.
41
-
-**Branch protection**: The develop branch requires PR reviews with CODEOWNERS enforcement and passing CI checks. External PRs must receive Core team approval before merge.
42
-
-**Least-privilege tokens**: Workflows default `GITHUB_TOKEN` to `contents: read, actions: read` and selectively elevate scopes only for jobs that need them.
43
-
-**Secret management**: No secrets or credentials are stored in the repo. Credentials are provided via GitHub Secrets and injected at runtime.
-**Branch and tag rulesets**: Protected branches require signed commits and passing CI checks.
53
+
Release tags matching `v*` are immutable after creation. External PRs must receive Core team
54
+
approval before merge.
55
+
-**Least-privilege tokens**: Workflows default `GITHUB_TOKEN` to `contents: read, actions: read`
56
+
and selectively elevate scopes only for jobs that need them.
57
+
-**Secret management**: No secrets or credentials are stored in the repo. Credentials are provided
58
+
via GitHub Secrets and injected at runtime.
44
59
45
-
### Dependency security
60
+
### Dependency intake controls
46
61
47
-
-**cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license compliance, banned crates, and supply chain integrity. Configuration in `deny.toml`.
48
-
-**Dependency pinning**: Key tools (prek, Python versions, Rust toolchain, cargo-nextest, uv) are locked to fixed versions or SHAs. The uv version is pinned via `required-version` in `pyproject.toml` and extracted by `scripts/uv-version.sh` for CI, Docker, and local builds.
49
-
-**Dependency cooldown**: Python dependency resolution excludes packages published within the last 3 days (`exclude-newer = "3 days"` in `[tool.uv]`). This gives the community time to detect and quarantine compromised releases before they enter the lockfile.
50
-
-**Code scanning**: CodeQL is enabled for continuous security analysis of Python and Rust code on all PRs and weekly via cron.
locked to fixed versions or SHAs. The uv version is pinned via `required-version` in
64
+
`pyproject.toml` and extracted by `scripts/uv-version.sh` for CI, Docker, and local builds.
65
+
Release and audit helper Python CLIs are pinned in `tools.toml`.
66
+
-**Dependency cooldown**: Python dependency resolution excludes packages published within the last
67
+
3 days (`exclude-newer = "3 days"` in `[tool.uv]`). This gives the community time to detect and
68
+
quarantine compromised releases before they enter the lockfile.
51
69
52
-
### Build integrity
70
+
### Pre-merge and scheduled scanning
71
+
72
+
-**cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license
73
+
compliance, banned crates, and supply chain integrity. Configuration in `deny.toml`.
74
+
-**Code scanning**: CodeQL analyzes Python and Rust code on PRs to `master`, pushes to `nightly`,
75
+
and manual dispatch. Zizmor runs in `security-audit.yml` and uploads SARIF when token
76
+
permissions allow it.
77
+
78
+
### Build and publish controls
53
79
54
-
-**Build attestations**: All published artifacts include cryptographic SLSA build provenance attestations, linking each artifact to a specific commit SHA. Verify via `gh attestation verify`.
55
80
-**Immutable action pinning**: All third-party GitHub Actions are pinned to specific commit SHAs.
56
-
-**Docker image pinning**: Base images in Dockerfiles and service containers in workflows are pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
57
-
-**Caching**: Rust target directory cache (`Swatinem/rust-cache`), prek hook environments, and test data caches speed up workflows while preserving hermetic (reproducible) builds. Rust cache saves are restricted to push events to prevent PR cache pollution.
58
-
-**Concurrency**: PR CI runs are cancelled when a new push arrives to the same PR. Push events to mainline branches are never cancelled.
59
-
-**Runners**: Linux and Windows builds use Depot 8-core runners (32 GB RAM, 150 GB SSD). macOS builds use GitHub free runners. Lightweight jobs (plan, cargo-deny, cargo-vet, publish) use GitHub free runners. Custom runner labels are declared in `.github/actionlint.yaml`.
81
+
-**Docker image pinning**: Base images in Dockerfiles and service containers in workflows are
82
+
pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
83
+
-**Build attestations**: Python wheels and sdists receive GitHub artifact attestations and PyPI
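Review bot: this hunk deletes the Caching, Concurrency and Runners bullets (the removed lines ending "Rust cache saves are restricted to push events to prevent PR cache pollution" and "Custom runner labels are declared in `.github/actionlint.yaml`") with no visible replacement under the renamed "Build and publish controls" heading; the cache-save restriction is a cache-poisoning control and belongs in this section, so either keep that bullet here or say where it moved. Two smaller points: the new "Branch and tag rulesets" bullet drops the old "requires PR reviews with CODEOWNERS enforcement" wording even though the CODEOWNERS bullet just above still promises Core team review of workflow and dependency files, so state whether required reviews and CODEOWNERS enforcement remain in the ruleset alongside signed commits and the immutable `v*` tags; and "Zizmor runs in `security-audit.yml` and uploads SARIF when token permissions allow it" should name the permission (`security-events: write`) and say that the upload is skipped without it, typically on pull requests from forks, rather than leaving the reader to guess when findings reach code scanning. The reworded Build attestations bullet also narrows "All published artifacts" to Python wheels and sdists; unless the continuation covers them, say whether the CLI binaries and Docker images built by the workflows listed above are still attested, and keep the `gh attestation verify` instruction from the removed text, since that is the consumer-side check.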