Merge branch 'main' into patch-1

Author: kottmanj

.github/actionlint.yaml

@@ -12,8 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Summary: configure actionlint (https://github.com/rhysd/actionlint).
+
 self-hosted-runner:
-  # We don't have self-hosted runners, but we do use some of the "partner"
-  # runner images at https://github.com/actions/partner-runner-images
+  # We use some custom runners and also some GitHub runners from
+  # https://github.com/actions/partner-runner-images
   labels:
     - ubuntu-24.04-arm
+    - ubuntu-slim
+    - ubuntu-24.04-x64-8-core

.github/workflows/ci.yaml

@@ -149,7 +149,7 @@ jobs:
           echo base=${{github.ref_name}} >> "$GITHUB_ENV"
 
       - name: Check out a copy of the OpenFermion git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Determine files changed by this ${{github.event_name}} event
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
@@ -199,7 +199,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python with caching of pip dependencies
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -228,7 +228,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 
@@ -257,7 +257,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python and restore cache
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -284,7 +284,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python and restore cache
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -324,7 +324,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python and restore cache
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -371,7 +371,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python and restore cache
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -413,7 +413,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
         # Note: deliberately not using our Python cache here b/c this runs
         # a different version of Python.
@@ -439,7 +439,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 
@@ -469,7 +469,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.yaml_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up yamllint output problem matcher
         run: echo "::add-matcher::.github/problem-matchers/yamllint.json"
@@ -490,7 +490,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.json_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Install jsonlint
         run: npm install -g @prantlf/jsonlint
@@ -511,7 +511,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.cff_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Install cffconvert
         run: pip install cffconvert
@@ -530,7 +530,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.docker_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       # Note: there is a hadolint GitHub Actions available, but it only accepts
       # one Dockerfile to check. We have > 1 file to check, so we need the CLI.
@@ -554,7 +554,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.gha_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       # The next action simply fails if there are any unpinned actions.
       - name: Verify that all workflow actions have pinned versions
@@ -580,7 +580,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.shell_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up shellcheck output problem matcher
         run: echo "::add-matcher::.github/problem-matchers/shellcheck.json"
@@ -604,7 +604,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python with caching of pip dependencies
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0

.github/workflows/nightly-pytest.yaml

@@ -74,7 +74,7 @@ jobs:
 
     steps:
       - name: Check out a copy of the OpenFermion git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Set up Python ${{matrix.python-version}}
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5

.github/workflows/osv-scanner.yaml

@@ -12,49 +12,26 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Zero-config modular workflow to run Open Source Vulnerabilities code scans.
-#
+name: OSV scan
+run-name: Run open-source vulnerabilities (OSV) scanner
+
 # The OSV scanner is a dependency vulnerability scanner that identifies known
 # vulnerabilities in a project's dependencies. It supports C/C++, Python, Java,
 # JavaScript, and others. The findings are reported in the repo's code-scanning
 # results page, https://github.com/quantumlib/REPO/security/code-scanning/.
-#
-# Note: the OSV project provides a workflow you can reference as a step with
-# uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml.
-# Unfortunately, that workflow hardcodes some behaviors (such as uploading the
-# SARIF file to the workflow Actions tab, which we have never needed). The
-# workflow in this file is basically a heavily modified version of theirs.
-#
 # For more OSV scanner examples and options, including how to ignore specific
 # vulnerabilities, see https://google.github.io/osv-scanner/github-action/.
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-name: OSV known vulnerabilities scanner
-run-name: Run OSV (open-source vulnerabilities) scanner ${{inputs.reason}}
 
 on:
+  schedule:
+    # Run weekly on Saturdays.
+    - cron: '30 10 * * 6'
+
   pull_request:
     types: [opened, synchronize]
     branches:
       - main
 
-  # Support merge queues.
-  merge_group:
-    types:
-      - checks_requested
-
-  # Allow calling from other workflows.
-  workflow_call:
-    inputs:
-      reason:
-        description: 'Append text to workflow run name:'
-        type: string
-      debug:
-        description: 'Run with debugging options'
-        type: boolean
-        default: false
-
   # Allow manual invocation.
   workflow_dispatch:
     inputs:
@@ -63,33 +40,29 @@ on:
         type: boolean
         default: true
 
-# Declare default workflow permissions as read only.
-permissions: read-all
-
 concurrency:
   # Cancel any previously-started but still active runs on the same branch.
   cancel-in-progress: true
   group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
 
+# Declare default workflow permissions as read only.
+permissions: read-all
+
 jobs:
   osv-scan:
     if: github.repository_owner == 'quantumlib'
-    name: Run OSV scanner
+    name: OSV scanner
     runs-on: ubuntu-24.04
-    timeout-minutes: 15
+    timeout-minutes: 30
     permissions:
-      # Needed to read commit contents:
-      actions: read
       # Needed to upload the results to code-scanning dashboard:
       security-events: write
-      # Needed to upload SARIF file to CodeQL.
-      contents: read
     env:
       # Setting Bash SHELLOPTS here takes effect for all shell commands below.
       SHELLOPTS: ${{inputs.debug && 'xtrace' || '' }}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 
@@ -100,7 +73,7 @@ jobs:
 
       - name: Run OSV scanner on existing code
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-scanner-action@e92b5d07338d4f0ba0981dffed17c48976ca4730 # v2.2.3
+        uses: google/osv-scanner-action/osv-scanner-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0
         continue-on-error: true
         with:
           scan-args: |-
@@ -118,7 +91,7 @@ jobs:
 
       - name: Run OSV scanner on new code
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-scanner-action@e92b5d07338d4f0ba0981dffed17c48976ca4730 # v2.2.3
+        uses: google/osv-scanner-action/osv-scanner-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0
         continue-on-error: true
         with:
           scan-args: |-
@@ -128,9 +101,22 @@ jobs:
             --recursive
             ./
 
-      - name: Run the OSV scanner reporter
+      - name: Run the OSV scanner reporter for the job summary page
+        # yamllint disable rule:line-length
+        uses: google/osv-scanner-action/osv-reporter-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0
+        with:
+          scan-args: |-
+            --output=markdown:output.md
+            --old=old-results.json
+            --new=new-results.json
+            --fail-on-vuln=false
+
+      - name: Write the results to the job summary page
+        run: cat output.md >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Run the OSV scanner reporter for the code-scanning dashboard
         # yamllint disable rule:line-length
-        uses: google/osv-scanner-action/osv-reporter-action@e92b5d07338d4f0ba0981dffed17c48976ca4730 # v2.2.3
+        uses: google/osv-scanner-action/osv-reporter-action@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2.3.0
         with:
           scan-args: |-
             --output=osv-results.sarif
@@ -139,21 +125,21 @@ jobs:
             --gh-annotations=true
             --fail-on-vuln=true
 
-      - name: Upload results to the repository's code-scanning results dashboard
+      - name: Upload results to the code-scanning results dashboard
         id: upload_artifact
         # yamllint disable rule:line-length
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5
+        uses: github/codeql-action/upload-sarif@ba454b8ab46733eb6145342877cd148270bb77ab # codeql-bundle-v2.23.5
         with:
           sarif_file: osv-results.sarif
 
-      - if: github.event.inputs.debug == true
+      - if: github.event.inputs.debug == true || runner.debug == true
         name: Upload results as artifacts to the workflow Summary page
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: SARIF file
-          path: results.sarif
+          path: osv-results.sarif
           retention-days: 5
 
-      - name: Error troubleshooter
+      - name: Print an alert message if an error occurred
         if: ${{always() && steps.upload_artifact.outcome == 'failure'}}
         run: echo '::error::Artifact upload failed. Check the workflow logs.'