
Commit 280ae17

authored
Release 1.227.0
See release notes.
2 parents 38b912a + 9f8dc0e commit 280ae17

1,184 files changed

Lines changed: 154260 additions & 32229 deletions


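--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -1,16 +1,30 @@
 # cargo-audit configuration
 # https://github.com/rustsec/rustsec/blob/main/cargo-audit/audit.toml.example
 #
-# Keep in sync with deny.toml [advisories] ignore list.
+# Mirrors deny.toml [advisories] ignore list, plus two advisories that
+# cargo-audit surfaces but cargo-deny does not match against the lockfile:
+# - RUSTSEC-2024-0388 (derivative, unmaintained via alloy-primitives -> ruint -> ark-ff)
+# - RUSTSEC-2023-0071 (rsa Marvin Attack, transitive via sqlx-mysql, no upstream fix)
 
 [advisories]
 ignore = [
-# capnp unsound APIs, transitive via hypersync-client, awaiting upstream fix
-"RUSTSEC-2025-0143",
 # paste unmaintained, transitive via alloy
 "RUSTSEC-2024-0436",
-# rand 0.8.5 unsoundness, transitive build-time only via pyo3-stub-gen
-"RUSTSEC-2026-0097",
+# derivative unmaintained, transitive via alloy-primitives -> ruint -> ark-ff
+"RUSTSEC-2024-0388",
+# rustls-pemfile unmaintained, transitive via nautilus-network
+"RUSTSEC-2025-0134",
+# unic-* unmaintained, transitive via pyo3-stub-gen -> rustpython-parser (dev tool only)
+"RUSTSEC-2025-0075",
+"RUSTSEC-2025-0080",
+"RUSTSEC-2025-0081",
+"RUSTSEC-2025-0090",
+"RUSTSEC-2025-0098",
+"RUSTSEC-2025-0100",
+# bincode unmaintained, transitive via hypersync-client
+"RUSTSEC-2025-0141",
+# capnp unsound APIs, transitive via hypersync-client, awaiting upstream fix
+"RUSTSEC-2025-0143",
 # rsa Marvin Attack, transitive via sqlx-mysql, no fix available
 "RUSTSEC-2023-0071",
 ]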
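Review bot: None of the ignore entries added on new-side lines 13-27 carries a revisit date or tracking reference, so the nine new unmaintained-crate ignores (derivative, rustls-pemfile, the six unic-* advisories, bincode) will persist unnoticed once the transitive path changes or a maintained replacement lands; the header on lines 4-7 documents the relationship to deny.toml, but nothing enforces that mirror either. A lightweight fix that keeps the file readable is to end each entry comment with a marker such as `# rustls-pemfile unmaintained, transitive via nautilus-network (revisit: <date or issue>)`. Of the entries kept, RUSTSEC-2023-0071 is a vulnerability advisory rather than a maintenance notice, so its ignore suppresses a real finding until sqlx-mysql drops its rsa dependency; that one is the most worth tying to a tracking reference so the suppression is re-checked whenever sqlx is next bumped.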

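--- a/.codespellrc
+++ b/.codespellrc
@@ -3,4 +3,4 @@
 
 [codespell]
 # Comma-separated list of words to ignore
-ignore-words-list = ACN,ALO,Alo,allTime,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,te,trough,usIn,zar
+ignore-words-list = ACN,ALO,Alo,allTime,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,intoto,ot,pre,ser,socio-economic,Superseed,SUPERSEED,te,ThirdParty,trough,usIn,zar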

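--- a/.config/nextest.toml
+++ b/.config/nextest.toml
@@ -20,7 +20,7 @@ slow-timeout = { period = "300s" }
 
 # Tests that download large data files share the same target paths across binaries
 [[profile.default.overrides]]
-filter = 'binary(grid_mm_itch) | binary(backtest_node_itch) | binary(orderbook_integration)'
+filter = 'binary(grid_mm_itch) | binary(backtest_node_itch) | binary(orderbook_integration) | binary(large_data)'
 test-group = 'large-data-tests'
 
 # Websocket and data client tests can be flaky due to timing on low-spec runners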

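--- a/.docker/DockerfileUbuntu
+++ b/.docker/DockerfileUbuntu
@@ -14,8 +14,8 @@
 # Remove the image
 # docker image rm nautilus-dev
 
-# Pin to specific digest for supply-chain security (ubuntu:22.04 as of 2025-11-29)
-FROM ubuntu@sha256:104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb
+# Pin to specific digest for supply-chain security (ubuntu:22.04 as of 2026-04-30)
+FROM ubuntu@sha256:962f6cadeae0ea6284001009daa4cc9a8c37e75d1f5191cf0eb83fe565b63dd7
 
 # Set environment variables
 ENV DEBIAN_FRONTEND=noninteractive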

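--- a/.docker/jupyterlab.dockerfile
+++ b/.docker/jupyterlab.dockerfile
@@ -1,7 +1,6 @@
 ARG GIT_TAG=develop
 FROM ghcr.io/nautechsystems/nautilus_trader:$GIT_TAG
 
-COPY --from=ghcr.io/nautechsystems/nautilus_data:main /opt/pysetup/catalog /catalog
 COPY docs/tutorials /opt/pysetup/tutorials
 
 ENV PATH="/root/.local/bin:$PATH"
@@ -12,6 +11,22 @@ RUN apt-get update && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
 
+RUN curl -fsSL --retry 3 \
+-o /tmp/eurusd_quotes.parquet \
+"https://test-data.nautechsystems.io/large/histdata_EURUSD.SIM_2020-01_quotes.parquet" && \
+printf '%s %s\n' \
+"9c610a233b8408562ea9024df0bd3192608f16ed00fce6f5d761a321a3d897c2" \
+"/tmp/eurusd_quotes.parquet" | sha256sum -c - && \
+curl -fsSL --retry 3 \
+-o /tmp/eurusd_instrument.parquet \
+"https://test-data.nautechsystems.io/large/histdata_EURUSD.SIM_2020-01_instrument.parquet" && \
+printf '%s %s\n' \
+"2088959dc15eecfebb7d4c45054d6a74d1000078daa1153388fe19c3b1468bac" \
+"/tmp/eurusd_instrument.parquet" | sha256sum -c - && \
+mkdir -p /catalog/data/quote_tick/EURUSD.SIM /catalog/data/currency_pair/EURUSD.SIM && \
+mv /tmp/eurusd_quotes.parquet /catalog/data/quote_tick/EURUSD.SIM/part-0.parquet && \
+mv /tmp/eurusd_instrument.parquet /catalog/data/currency_pair/EURUSD.SIM/part-0.parquet
+
 # Install UV
 COPY scripts/uv-version.sh scripts/
 COPY pyproject.toml ./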
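Review bot: The checksum lines piped to `sha256sum -c` on new-side lines 17-19 and 23-25 separate digest and path with a single space, which appears to rely on coreutils accepting the no-mode-character form; the canonical format, and the one `sha256sum` itself emits, is two spaces, so `printf '%s  %s\n' \` would remove that dependency on lenient parsing. The pinned digests are the right replacement for the removed unpinned `nautilus_data:main` COPY in the first hunk, but the RUN carries no comment saying where the files come from or that URL and digest must be changed together, so a line above it such as `# Pinned sample catalog data; update the URL and sha256 together when a file changes` would help the next maintainer. The two `curl` invocations also have no `--max-time`, so a stalled transfer can hang the image build rather than fail it.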

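--- a/.docker/nautilus_trader.dockerfile
+++ b/.docker/nautilus_trader.dockerfile
@@ -1,5 +1,5 @@
-# Pin to specific digest for supply-chain security (python:3.13-slim as of 2025-11-29)
-FROM python@sha256:326df678c20c78d465db501563f3492d17c42a4afe33a1f2bf5406a1d56b0e86 AS base
+# Pin to specific digest for supply-chain security (python:3.13-slim as of 2026-04-30)
+FROM python@sha256:a0779d7c12fc20be6ec6b4ddc901a4fd7657b8a6bc9def9d3fde89ed5efe0a3d AS base
 ENV PYTHONUNBUFFERED=1 \
 PYTHONDONTWRITEBYTECODE=1 \
 PIP_NO_CACHE_DIR=off \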

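--- a/.github/OVERVIEW.md
+++ b/.github/OVERVIEW.md
@@ -11,62 +11,119 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 - **cargo-tool-install**: installs cargo tools (cargo-deny, cargo-vet) with caching.
 - **common-setup**: prepares the environment (OS packages, Rust toolchain, Rust cache, Python, prek, swap space).
 - **common-test-data**: caches large test data under `tests/test_data/large`.
-- **common-wheel-build**: builds and installs Python wheels across Linux, macOS, and Windows for multiple Python versions.
+- **common-wheel-build**: builds and installs Python wheels across Linux, macOS, and Windows for
+multiple Python versions.
 - **install-capnp**: installs the Cap'n Proto compiler with caching across Linux, macOS, and Windows.
 - **publish-wheels**: publishes built wheels to Cloudflare R2, manages old wheel cleanup and index generation.
 - **upload-artifact-wheel**: uploads the latest wheel artifact to GitHub Actions.
 
 ## Workflows (`.github/workflows`)
 
-- **build.yml**: main CI pipeline - plan, pre-commit, cargo-deny, Rust tests, Python tests, wheel builds, and artifact uploads. Uses Depot 8-core runners for Linux and Windows builds. Includes a plan step that skips builds on docs-only changes and skips Rust tests on Python-only changes.
+- **build.yml**: main CI pipeline - plan, pre-commit, cargo-deny, Rust tests, Python tests,
+wheel builds, artifact uploads, release asset uploads, Trusted Publishing to PyPI and crates.io,
+release attestations, registry verification, release checksum publication, and final GitHub
+release publication and attestation verification. Uses Depot 8-core runners for Linux and Windows
+builds. Includes a plan step that skips builds on docs-only changes and skips Rust tests on
+Python-only changes.
 - **build-v2.yml**: CI pipeline for the v2 Rust-native system. Uses Depot 8-core runners for Linux builds.
 - **build-docs.yml**: dispatches documentation build on `master` and `nightly` pushes.
 - **cli-binaries.yml**: builds and publishes CLI binaries for multiple platforms.
-- **codeql-analysis.yml**: CodeQL security scans for Python and Rust on PRs and via cron.
+- **codeql-analysis.yml**: CodeQL security scans for Python and Rust on PRs to `master`, pushes to
+`nightly`, and manual dispatch.
 - **copilot-setup-steps.yml**: environment setup for GitHub Copilot coding agent.
 - **coverage.yml**: coverage report generation, currently paused and runs only on `workflow_dispatch`.
-- **docker.yml**: builds and pushes multi-platform Docker images (`nautilus_trader`, `jupyterlab`) using Buildx and native ARM runners.
+- **docker.yml**: builds and pushes multi-platform Docker images (`nautilus_trader`, `jupyterlab`)
+using Buildx and native ARM runners.
 - **nightly-docs-features-check.yml**: nightly docs.rs build checks and crate feature compatibility verification.
 - **nightly-merge.yml**: auto-merges `develop` into `nightly` when CI succeeds.
-- **nightly-tests.yml**: extended test suites too slow for PR builds - turmoil network tests plus macOS, Windows, and Linux ARM build-and-test jobs that run daily at 12:00 UTC to give early visibility on develop before `nightly-merge` at 14:00 UTC.
+- **nightly-tests.yml**: extended test suites too slow for PR builds - turmoil network tests plus
+macOS, Windows, and Linux ARM build-and-test jobs that run daily at 12:00 UTC to give early
+visibility on develop before `nightly-merge` at 14:00 UTC.
 - **performance.yml**: Rust/Python benchmarks on `nightly`, reporting to CodSpeed.
-- **security-audit.yml**: nightly supply chain security checks (cargo-audit, cargo-deny, cargo-vet, osv-scanner).
-- **trigger-reindexing.yml**: triggers documentation reindexing for search.
+- **security-audit.yml**: nightly supply chain security checks (cargo-audit, cargo-deny,
+cargo-vet, pip-audit, osv-scanner, and Zizmor).
 
 ## Security
 
-### Access controls
+### Source and review controls
 
-- **CODEOWNERS**: Critical infrastructure files (workflows, dependencies, build configs, scripts) require Core team review before merge.
-- **Branch protection**: The develop branch requires PR reviews with CODEOWNERS enforcement and passing CI checks. External PRs must receive Core team approval before merge.
-- **Least-privilege tokens**: Workflows default `GITHUB_TOKEN` to `contents: read, actions: read` and selectively elevate scopes only for jobs that need them.
-- **Secret management**: No secrets or credentials are stored in the repo. Credentials are provided via GitHub Secrets and injected at runtime.
+- **CODEOWNERS**: Critical infrastructure files (workflows, dependencies, build configs, scripts)
+require Core team review before merge.
+- **Branch and tag rulesets**: Protected branches require signed commits and passing CI checks.
+Release tags matching `v*` are immutable after creation. External PRs must receive Core team
+approval before merge.
+- **Least-privilege tokens**: Workflows default `GITHUB_TOKEN` to `contents: read, actions: read`
+and selectively elevate scopes only for jobs that need them.
+- **Secret management**: No secrets or credentials are stored in the repo. Credentials are provided
+via GitHub Secrets and injected at runtime.
 
-### Dependency security
+### Dependency intake controls
 
-- **cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license compliance, banned crates, and supply chain integrity. Configuration in `deny.toml`.
-- **Dependency pinning**: Key tools (prek, Python versions, Rust toolchain, cargo-nextest, uv) are locked to fixed versions or SHAs. The uv version is pinned via `required-version` in `pyproject.toml` and extracted by `scripts/uv-version.sh` for CI, Docker, and local builds.
-- **Dependency cooldown**: Python dependency resolution excludes packages published within the last 3 days (`exclude-newer = "3 days"` in `[tool.uv]`). This gives the community time to detect and quarantine compromised releases before they enter the lockfile.
-- **Code scanning**: CodeQL is enabled for continuous security analysis of Python and Rust code on all PRs and weekly via cron.
+- **Dependency pinning**: Key tools (prek, Python versions, Rust toolchain, cargo-nextest, uv) are
+locked to fixed versions or SHAs. The uv version is pinned via `required-version` in
+`pyproject.toml` and extracted by `scripts/uv-version.sh` for CI, Docker, and local builds.
+Release and audit helper Python CLIs are pinned in `tools.toml`.
+- **Dependency cooldown**: Python dependency resolution excludes packages published within the last
+3 days (`exclude-newer = "3 days"` in `[tool.uv]`). This gives the community time to detect and
+quarantine compromised releases before they enter the lockfile.
 
-### Build integrity
+### Pre-merge and scheduled scanning
+
+- **cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license
+compliance, banned crates, and supply chain integrity. Configuration in `deny.toml`.
+- **Code scanning**: CodeQL analyzes Python and Rust code on PRs to `master`, pushes to `nightly`,
+and manual dispatch. Zizmor runs in `security-audit.yml` and uploads SARIF when token
+permissions allow it.
+
+### Build and publish controls
 
-- **Build attestations**: All published artifacts include cryptographic SLSA build provenance attestations, linking each artifact to a specific commit SHA. Verify via `gh attestation verify`.
 - **Immutable action pinning**: All third-party GitHub Actions are pinned to specific commit SHAs.
-- **Docker image pinning**: Base images in Dockerfiles and service containers in workflows are pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
-- **Caching**: Rust target directory cache (`Swatinem/rust-cache`), prek hook environments, and test data caches speed up workflows while preserving hermetic (reproducible) builds. Rust cache saves are restricted to push events to prevent PR cache pollution.
-- **Concurrency**: PR CI runs are cancelled when a new push arrives to the same PR. Push events to mainline branches are never cancelled.
-- **Runners**: Linux and Windows builds use Depot 8-core runners (32 GB RAM, 150 GB SSD). macOS builds use GitHub free runners. Lightweight jobs (plan, cargo-deny, cargo-vet, publish) use GitHub free runners. Custom runner labels are declared in `.github/actionlint.yaml`.
+- **Docker image pinning**: Base images in Dockerfiles and service containers in workflows are
+pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
+- **Build attestations**: Python wheels and sdists receive GitHub artifact attestations and PyPI
+publish attestations. Docker images receive cosign signatures and SPDX SBOM attestations. Verify
+Python artifacts via `gh attestation verify` and container images via `cosign verify`.
+- **Release sequencing**: Stable releases create a draft GitHub release first, attach wheel and
+sdist assets, publish to package indexes (`packages.nautechsystems.io`, PyPI, crates.io), verify
+registries, attach final integrity assets, then publish the GitHub release. This keeps the GitHub
+release as the anchor for downstream registry publishing while staying compatible with GitHub
+release immutability.
+- **Release checksums**: GitHub releases attach `SHA256SUMS`, per-asset `.sha256` files,
+`dist-manifest.json`, and per-artifact `.sigstore` / `.intoto.jsonl` provenance bundle siblings
+for Python artifacts. The release body also includes a generated artifact checksum table and
+provenance verification command.
+- **PyPI Trusted Publishing**: `publish-wheels-pypi` and `publish-sdist-pypi` upload to PyPI via
+OIDC trusted publishing rather than a long-lived API token. The trusted publisher on PyPI is
+bound to repo `nautechsystems/nautilus_trader`, workflow `build.yml`, and environment `release`;
+`uv publish --trusted-publishing automatic` mints a short-lived token at publish time. No
+`PYPI_*` secret is required.
+- **crates.io Trusted Publishing**: `publish-cargo-crates` publishes Cargo crates via crates.io
+OIDC trusted publishing. The trusted publisher on crates.io must be configured per crate for
+repo `nautechsystems/nautilus_trader`, workflow `build.yml`, and environment `release`; the
+job uses a short-lived token from `rust-lang/crates-io-auth-action` and no long-lived cargo token.
+- **Post-publish verification**: `publish-release-integrity` verifies PyPI files against
+`dist-manifest.json`, verifies PyPI provenance publisher metadata, verifies crates.io entries
+were trusted-published by this repository, records whether each crate matches the release commit
+or was already published, uploads `crates-manifest.json`, attaches attestation siblings, and
+cleans up release workflow artifacts. `publish-github-release` then publishes the draft release
+and verifies GitHub's release attestation.
+- **Caching**: Rust target directory cache (`Swatinem/rust-cache`), prek hook environments, and test
+data caches speed up workflows while preserving hermetic builds. Rust cache saves are restricted
+to push events to prevent PR cache pollution.
+- **Concurrency**: PR CI runs are cancelled when a new push arrives to the same PR. Push events to
+mainline branches are never cancelled.
+- **Runners**: Linux and Windows builds use Depot 8-core runners (32 GB RAM, 150 GB SSD). macOS
+builds use GitHub free runners. Lightweight jobs (plan, cargo-deny, cargo-vet, publish) use
+GitHub free runners. Custom runner labels are declared in `.github/actionlint.yaml`.
 
 ### Runtime hardening
 
 - **Hardened runners**: All workflows employ `step-security/harden-runner` to reduce attack surface and
 monitor outbound traffic. All workflows default `egress-policy` to `block`. Set
 `STEP_SECURITY_EGRESS_POLICY=audit` only as a temporary rollback while expanding an allow list. Jobs that
 declare a GitHub Environment can override the repo or org value with an environment-scoped variable. The
-publish environments (`r2-develop`, `r2-nightly`, `release`) can use this override too. The
-`security-audit.yml` workflow also reads its allow list from GitHub Environments so it can validate
-branch changes before promoting the same settings to scheduled runs on the default branch.
+publish environments (`r2-develop`, `r2-nightly`, `release`) can use this override too. Security audit
+jobs read repo and org variables directly and run in audit mode for fork PRs when variables are absent.
 - **Fork PR handling**: `build.yml` falls back to `egress-policy: audit` for fork PRs. Forks cannot
 access repo or org variables, so the allow lists would be empty and block all network access. Fork PRs
 run with read-only permissions and no access to secrets, so audit mode is safe.
@@ -115,8 +172,8 @@ All workflows read these GitHub variables:
 Some workflows add job-specific endpoints inline (e.g., `upload.pypi.org:443` for publishing,
 `auth.docker.io:443` and `registry-1.docker.io:443` for Docker builds).
 
-Use the `security-audit` environment for the default branch and `master`. Use `security-audit-test` for
-branch tests such as `test-security`.
+Security audit jobs do not use deployment environments. They do not need environment secrets, and
+environment branch policies block same-repo contributor PRs before the audit steps can start.
 
 #### `COMMON_ALLOWED_ENDPOINTS`
 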
