Release 1.223.0

See release notes.

Author: cjdsellers

.cargo/audit.toml

@@ -0,0 +1,12 @@
+# cargo-audit configuration
+# https://github.com/rustsec/rustsec/blob/main/cargo-audit/audit.toml.example
+#
+# Keep in sync with deny.toml [advisories] ignore list.
+
+[advisories]
+ignore = [
+  # capnp unsound APIs, transitive via hypersync-client, awaiting upstream fix
+  "RUSTSEC-2025-0143",
+  # rsa Marvin Attack, transitive via sqlx-mysql, no fix available
+  "RUSTSEC-2023-0071",
+]

.codespellrc

@@ -3,4 +3,4 @@
 
 [codespell]
 # Comma-separated list of words to ignore
-ignore-words-list = ACN,ALO,Alo,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,trough,usIn,zar
+ignore-words-list = ACN,ALO,Alo,allTime,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,trough,usIn,zar

.config/nextest.toml

@@ -1,5 +1,6 @@
 [test-groups]
 serial-tests = { max-threads = 1 }
+large-data-tests = { max-threads = 1 }
 
 [profile.default]
 # Default settings
@@ -12,6 +13,11 @@ test-group = 'serial-tests'
 filter = 'test(test_order_book)'
 slow-timeout = { period = "300s" }
 
+# Tests that download large data files share the same target paths across binaries
+[[profile.default.overrides]]
+filter = 'binary(grid_mm_itch) | binary(orderbook_integration)'
+test-group = 'large-data-tests'
+
 # Websocket tests can be flaky due to timing on low-spec runners, give them extra retries
 [[profile.default.overrides]]
 filter = 'binary(websocket)'

.github/OVERVIEW.md

@@ -8,6 +8,7 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 
 ## Composite actions (`.github/actions`)
 
+- **cargo-tool-install**: installs cargo tools (cargo-deny, cargo-vet) with caching.
 - **common-setup**: prepares the environment (OS packages, Rust toolchain, Python, sccache, pre-commit).
 - **common-test-data**: caches large test data under `tests/test_data/large`.
 - **common-wheel-build**: builds and installs Python wheels across Linux, macOS, and Windows for multiple Python versions.
@@ -47,7 +48,7 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 
 - **Build attestations**: All published artifacts include cryptographic SLSA build provenance attestations, linking each artifact to a specific commit SHA. Verify via `gh attestation verify`.
 - **Immutable action pinning**: All third-party GitHub Actions are pinned to specific commit SHAs.
-- **Docker image pinning**: Base images in Dockerfiles are pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
+- **Docker image pinning**: Base images in Dockerfiles and service containers in workflows are pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
 - **Caching**: Caches for sccache, pip/site-packages, pre-commit, and test data speed up workflows while preserving hermetic (reproducible) builds.
 
 ### Runtime hardening

.github/actions/cargo-tool-install/action.yml

@@ -38,10 +38,10 @@ runs:
 
     # https://github.com/actions/cache
     - name: Cache tool binary
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: ${{ runner.tool_cache }}/${{ inputs.tool-name }}
-        key: ${{ inputs.tool-name }}-bin-${{ env.TOOL_VERSION }}
+        key: ${{ inputs.tool-name }}-bin-${{ env.TOOL_VERSION }}-${{ runner.os }}-${{ env.TOOLCHAIN }}
 
     - name: Add tool to PATH
       shell: bash
@@ -54,7 +54,11 @@ runs:
       env:
         TOOL_CACHE: ${{ runner.tool_cache }}
       run: |
-        cargo install --locked \
-          --root "$TOOL_CACHE/$TOOL_NAME" \
-          --version "$TOOL_VERSION" \
-          "$TOOL_NAME"
+        if [[ -x "$TOOL_CACHE/$TOOL_NAME/bin/$TOOL_NAME" ]]; then
+          echo "$TOOL_NAME $TOOL_VERSION already installed from cache"
+        else
+          cargo install --locked \
+            --root "$TOOL_CACHE/$TOOL_NAME" \
+            --version "$TOOL_VERSION" \
+            "$TOOL_NAME"
+        fi

.github/actions/common-setup/action.yml

@@ -53,54 +53,8 @@ runs:
         sudo apt-get clean
         sudo rm -rf /var/lib/apt/lists/*
 
-    - name: Install capnp and ripgrep (macOS)
-      if: runner.os == 'macOS'
-      shell: bash
-      run: |
-        brew update || { sleep 5; brew update; }
-        brew install capnp ripgrep || { sleep 5; brew install capnp ripgrep; }
-        brew cleanup
-
-    - name: Set Cap'n Proto install prefix (Linux)
-      if: runner.os == 'Linux'
-      shell: bash
-      run: |
-        echo "CAPNP_PREFIX=$GITHUB_WORKSPACE/.cache/capnp" >> $GITHUB_ENV
-        echo "$GITHUB_WORKSPACE/.cache/capnp/bin" >> $GITHUB_PATH
-
-    - name: Get Linux version
-      if: runner.os == 'Linux'
-      id: linux-version
-      shell: bash
-      run: echo "release=$(lsb_release -rs)" >> "$GITHUB_OUTPUT"
-
-    - name: Get capnp version from capnp-version
-      shell: bash
-      run: |
-        echo "CAPNP_VERSION=$(cat capnp-version)" >> $GITHUB_ENV
-
-    - name: Cache Cap'n Proto (Linux)
-      if: runner.os == 'Linux'
-      id: cache-capnp
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      with:
-        path: ${{ github.workspace }}/.cache/capnp
-        key: capnp-linux-${{ steps.linux-version.outputs.release }}-${{ env.CAPNP_VERSION }}-${{ runner.arch }}
-
-    - name: Install capnp
-      if: runner.os == 'Linux'
-      shell: bash
-      run: bash scripts/install-capnp.sh
-
-    - name: Install capnp (Windows)
-      if: runner.os == 'Windows'
-      shell: bash
-      run: |
-        choco install capnproto ripgrep -y || {
-          echo "capnproto/ripgrep install via choco failed or unavailable"
-          sleep 5
-          choco install capnproto ripgrep -y || true
-        }
+    - name: Install Cap'n Proto
+      uses: ./.github/actions/install-capnp
 
     # > --------------------------------------------------
     # > Rust
@@ -128,7 +82,7 @@ runs:
     - name: Install cargo-nextest
       if: inputs.build-type != 'pre-commit'
       # https://github.com/taiki-e/install-action # v2.53.2
-      uses: taiki-e/install-action@d12e869b89167df346dd0ff65da342d1fb1202fb
+      uses: taiki-e/install-action@59679e24ffb0dbbbc136684eda7fcd21fe9eddea # v2.63.0
       with:
         tool: nextest
 
@@ -174,7 +128,7 @@ runs:
     # > Python
     - name: Set up Python environment
       # https://github.com/actions/setup-python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: ${{ inputs.python-version }}
 
@@ -196,7 +150,7 @@ runs:
     - name: Cache Python site-packages
       id: cached-site-packages
       # https://github.com/actions/cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: ~/.local/lib/python${{ inputs.python-version }}/site-packages
         key: ${{ runner.os }}-${{ inputs.python-version }}-site-packages
@@ -216,7 +170,7 @@ runs:
 
     - name: Install uv
       # https://github.com/astral-sh/setup-uv
-      uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
+      uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
         version: ${{ env.UV_VERSION }}
 
@@ -231,7 +185,7 @@ runs:
       if: runner.os != 'macOS'
       id: cached-uv
       # https://github.com/actions/cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: ${{ env.UV_CACHE_DIR }}
         key: ${{ runner.os }}-${{ env.PYTHON_VERSION }}-uv-${{ hashFiles('**/uv.lock') }}
@@ -244,7 +198,7 @@ runs:
       if: runner.os != 'macOS'
       id: cached-pre-commit
       # https://github.com/actions/cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: ~/.cache/pre-commit
         key: ${{ runner.os }}-${{ env.PYTHON_VERSION }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}

.github/actions/common-test-data/action.yml

@@ -10,7 +10,7 @@ runs:
       if: runner.os != 'macOS'
       id: cached-testdata-large
       # https://github.com/actions/cache/tree/main/restore
-      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: tests/test_data/large
         key: large-files-${{ hashFiles('tests/test_data/large/checksums.json') }}
@@ -22,7 +22,7 @@ runs:
       # See: https://github.com/actions/runner/issues/3765
       if: ${{ runner.os != 'macOS' && always() && steps.cached-testdata-large.outputs.cache-hit != 'true' }}
       # https://github.com/actions/cache/tree/main/save
-      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: tests/test_data/large
         key: large-files-${{ hashFiles('tests/test_data/large/checksums.json') }}

.github/actions/install-capnp/action.yml

@@ -0,0 +1,54 @@
+name: install-capnp
+description: Install Cap'n Proto compiler
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install capnp and ripgrep (macOS)
+      if: runner.os == 'macOS'
+      shell: bash
+      run: |
+        brew update || { sleep 5; brew update; }
+        brew install capnp ripgrep || { sleep 5; brew install capnp ripgrep; }
+        brew cleanup
+
+    - name: Set Cap'n Proto install prefix (Linux)
+      if: runner.os == 'Linux'
+      shell: bash
+      run: |
+        echo "CAPNP_PREFIX=$GITHUB_WORKSPACE/.cache/capnp" >> $GITHUB_ENV
+        echo "$GITHUB_WORKSPACE/.cache/capnp/bin" >> $GITHUB_PATH
+
+    - name: Get Linux version
+      if: runner.os == 'Linux'
+      id: linux-version
+      shell: bash
+      run: echo "release=$(lsb_release -rs)" >> "$GITHUB_OUTPUT"
+
+    - name: Get capnp version from capnp-version
+      shell: bash
+      run: |
+        echo "CAPNP_VERSION=$(cat capnp-version)" >> $GITHUB_ENV
+
+    - name: Cache Cap'n Proto (Linux)
+      if: runner.os == 'Linux'
+      id: cache-capnp
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      with:
+        path: ${{ github.workspace }}/.cache/capnp
+        key: capnp-linux-${{ steps.linux-version.outputs.release }}-${{ env.CAPNP_VERSION }}-${{ runner.arch }}
+
+    - name: Install capnp (Linux)
+      if: runner.os == 'Linux'
+      shell: bash
+      run: bash scripts/install-capnp.sh
+
+    - name: Install capnp (Windows)
+      if: runner.os == 'Windows'
+      shell: bash
+      run: |
+        choco install capnproto ripgrep -y || {
+          echo "capnproto/ripgrep install via choco failed or unavailable"
+          sleep 5
+          choco install capnproto ripgrep -y || true
+        }

.github/actions/upload-artifact-wheel/action.yml

@@ -31,7 +31,7 @@ runs:
         'nightly' || github.ref_name == 'master' || github.ref_name == 'test-ci')
       # https://github.com/actions/upload-artifact
       # Use wildcard to flatten dist/ prefix: path before first wildcard is stripped
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: ${{ env.ASSET_NAME }}
         path: dist/nautilus_trader-*.whl

.github/workflows/build-docs.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # https://github.com/step-security/harden-runner
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit