From 4f4f030439e27f0118e48a4ff6041c111449d609 Mon Sep 17 00:00:00 2001 From: Paul Clark Date: Thu, 4 Jun 2026 04:22:05 -0400 Subject: [PATCH 1/4] ci: group dependabot updates, fix python-binding pip step, drop py3.9 - dependabot.yml: group GitHub Actions, .NET non-crypto, and Rust non-crypto crates into single weekly PRs. Cryptographic primitives (BouncyCastle, ml-kem, ml-dsa, hkdf, sha2, sha3, generic-array, rand_core, zeroize) stay ungrouped so each bump gets manual review. - python-binding.yml: pip 26+ rejects `pip install --upgrade pip`; use `python -m pip install --upgrade pip maturin` instead. - python-binding.yml: replace py3.9 (EOL Oct 2025) with py3.10 in the matrix so actions/setup-python@v6 (which drops 3.9) can land. --- .github/dependabot.yml | 44 ++++++++++++++++++++++++---- .github/workflows/python-binding.yml | 4 +-- 2 files changed, 40 insertions(+), 8 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fa20300..2597ae2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,32 +1,60 @@ version: 2 updates: - # Runtime/test dependencies. + # Runtime/test .NET dependencies. Group non-major bumps into one PR. + # BouncyCastle and other crypto primitives stay ungrouped so each major + # bump gets eyes-on review. - package-ecosystem: "nuget" directory: "/" schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 10 labels: - "dependencies" - "dotnet" - # Cryptographic primitives are sensitive. Don't auto-merge. + groups: + dotnet-minor-patch: + update-types: + - "minor" + - "patch" + exclude-patterns: + - "BouncyCastle*" + dotnet-major-non-crypto: + update-types: + - "major" + exclude-patterns: + - "BouncyCastle*" ignore: + # Cryptographic primitives are sensitive. Don't auto-merge majors. - dependency-name: "BouncyCastle.Cryptography" update-types: ["version-update:semver-major"] - # Rust second-source reader. + # Rust second-source reader. Group non-crypto crates; leave the PQ + # primitives and their core deps ungrouped for manual review. - package-ecosystem: "cargo" directory: "/impl/rust/pqf-reader" schedule: interval: "weekly" day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 10 labels: - "dependencies" - "rust" + groups: + rust-non-crypto: + patterns: + - "*" + exclude-patterns: + - "ml-kem" + - "ml-dsa" + - "hkdf" + - "sha2" + - "sha3" + - "generic-array" + - "rand_core" + - "zeroize" - # GitHub Actions. + # GitHub Actions. Safe to group everything. - package-ecosystem: "github-actions" directory: "/" schedule: @@ -36,3 +64,7 @@ updates: labels: - "dependencies" - "ci" + groups: + github-actions: + patterns: + - "*" diff --git a/.github/workflows/python-binding.yml b/.github/workflows/python-binding.yml index 87705dd..9bc3e54 100644 --- a/.github/workflows/python-binding.yml +++ b/.github/workflows/python-binding.yml 
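Review bot: The new header comment `# BouncyCastle and other crypto primitives stay ungrouped so each major bump gets eyes-on review` is contradicted by the `ignore` rule right below it, which still suppresses `version-update:semver-major` for `BouncyCastle.Cryptography`, so an ungrouped BouncyCastle major PR never exists to be reviewed — and if, as I believe, Dependabot's `ignore` also applies to security updates, a major release carrying a security fix would go unflagged as well. If the intent is manual review, drop that `ignore` entry; the two `exclude-patterns: - "BouncyCastle*"` lines already keep it out of both groups, so its majors would arrive as individual PRs. If the intent really is to never open majors, reword the new comment to `# Suppress BouncyCastle major-version PRs entirely (this also suppresses Dependabot security updates for those versions); track them by hand.` Note also that both exclusion lists are name-based: any other crypto-bearing NuGet package would fall into `dotnet-minor-patch`/`dotnet-major-non-crypto`, and the cargo list omits the support crates the listed primitives typically depend on (e.g. `digest`, `subtle`, `crypto-common`), which will be grouped if they are direct dependencies — I cannot see the manifests, so verify against Cargo.toml and the .csproj. Groups with only `update-types`/`exclude-patterns` and no `patterns:` appear to be valid (an unspecified `patterns` matches everything), but adding `patterns: ["*"]` to the two nuget groups would make that intent explicit.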
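Review bot: Grouping every action bump into the single `github-actions` group is fine for noise, but the workflows pin actions by floating major tag (`uses: actions/checkout@v6` is visible in python-binding.yml), so each entry in the grouped PR is a tag move whose actual code change is invisible to the reviewer. Pin actions to full commit SHAs with a `# vN` trailing comment; Dependabot updates SHA pins and preserves that version comment, so the grouped PR then shows exact commit-to-commit changes, which is what a supply-chain-sensitive crypto repository should be reviewing.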
@@ -23,7 +23,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest, macos-latest, windows-latest] - python: ["3.9", "3.12"] + python: ["3.10", "3.12"] steps: - name: Checkout uses: actions/checkout@v6 @@ -47,7 +47,7 @@ jobs: key: ${{ runner.os }}-py${{ matrix.python }}-cargo-${{ hashFiles('bindings/python/Cargo.toml', 'impl/rust/pqf-reader/Cargo.toml') }} - name: Install maturin - run: pip install --upgrade pip maturin + run: python -m pip install --upgrade pip maturin - name: Build + install the binding into the venv working-directory: bindings/python From a017d00059c41d0ea6c464947386a15a14f3146a Mon Sep 17 00:00:00 2001 From: Paul Clark Date: Thu, 4 Jun 2026 04:26:20 -0400 Subject: [PATCH 2/4] ci(python-binding): create venv before maturin develop maturin 1.13+ refuses to install into the system Python and requires VIRTUAL_ENV / CONDA_PREFIX / .venv. Create a venv in bindings/python and export VIRTUAL_ENV + add it to PATH via GITHUB_ENV/GITHUB_PATH so subsequent steps (pip install maturin, maturin develop, smoke test) all use the venv's Python. --- .github/workflows/python-binding.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/python-binding.yml b/.github/workflows/python-binding.yml index 9bc3e54..eae9765 100644 --- a/.github/workflows/python-binding.yml +++ b/.github/workflows/python-binding.yml @@ -46,6 +46,18 @@ jobs: impl/rust/pqf-reader/target key: ${{ runner.os }}-py${{ matrix.python }}-cargo-${{ hashFiles('bindings/python/Cargo.toml', 'impl/rust/pqf-reader/Cargo.toml') }} + - name: Create venv (maturin develop requires one) + working-directory: bindings/python + shell: bash + run: | + python -m venv .venv + echo "VIRTUAL_ENV=$PWD/.venv" >> "$GITHUB_ENV" + if [ -d .venv/Scripts ]; then + echo "$PWD/.venv/Scripts" >> "$GITHUB_PATH" + else + echo "$PWD/.venv/bin" >> "$GITHUB_PATH" + fi + - name: Install maturin run: python -m pip install --upgrade pip maturin 
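Review bot: In the `@@ -47,7 +47,7 @@` hunk, `python -m pip install --upgrade pip maturin` installs whatever `maturin` (and `pip`) PyPI serves at run time, unpinned and unhashed, so the toolchain that builds the published binding changes underneath CI without a commit — this series is itself a reaction to an unannounced maturin 1.13 behaviour change. Pin it, e.g. `python -m pip install --upgrade pip "maturin>=1.13,<2"`, or better an exact `maturin==<version>` with `--require-hashes`, and let Dependabot bump it. The dependabot.yml in this same patch has no `pip` ecosystem entry for `bindings/python`, so neither maturin nor any Python dependency of the binding is currently tracked. The enclosing job's steps continue outside the hunk.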
From 2d72707875301c21e79a1fcf4561817247b197a2 Mon Sep 17 00:00:00 2001 From: Paul Clark Date: Thu, 4 Jun 2026 04:29:42 -0400 Subject: [PATCH 3/4] ci(python-binding): pass venv python explicitly to maturin -i maturin 1.13 on Windows refuses to use a bare `python.exe` ("could not determine version from interpreter name"). Pass the venv's python by absolute path via --interpreter so maturin uses the right one on all three OSes without relying on filename version inference. --- .github/workflows/python-binding.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/python-binding.yml b/.github/workflows/python-binding.yml index eae9765..69e44fa 100644 --- a/.github/workflows/python-binding.yml +++ b/.github/workflows/python-binding.yml @@ -63,7 +63,14 @@ jobs: - name: Build + install the binding into the venv working-directory: bindings/python - run: maturin develop --release + shell: bash + run: | + if [ -f .venv/Scripts/python.exe ]; then + PY="$PWD/.venv/Scripts/python.exe" + else + PY="$PWD/.venv/bin/python" + fi + maturin develop --release --interpreter "$PY" - name: Smoke test (import + parse a vector) working-directory: bindings/python From 28c35f5b2b4df8fe56005c6e84a21b4b585bede6 Mon Sep 17 00:00:00 2001 From: Paul Clark Date: Thu, 4 Jun 2026 04:32:08 -0400 Subject: [PATCH 4/4] ci(python-binding): switch to maturin build + pip install MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `maturin develop` requires an active venv and tries to detect the interpreter from the venv directory; on Windows it can't infer the version from a bare `python.exe`. Avoid the whole venv-detection path by building a wheel with `maturin build` and installing it into the host Python with pip — same end state, no venv juggling. --- .github/workflows/python-binding.yml | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) 
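Review bot: The `--interpreter "$PY"` logic added here, together with the venv step from PATCH 2/4, is deleted again by PATCH 4/4's `@@ -46,31 +46,19 @@` hunk, so patches 2 and 3 leave nothing in the final tree except two intermediate commits with a known-broken Windows job. Squash 2/4 and 3/4 into 4/4 (or drop them) before merging so `git bisect` never lands on a CI state the series itself abandons; the 4/4 message already explains the venv-detection problem.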
diff --git a/.github/workflows/python-binding.yml b/.github/workflows/python-binding.yml index 69e44fa..01bb940 100644 --- a/.github/workflows/python-binding.yml +++ b/.github/workflows/python-binding.yml @@ -46,31 +46,19 @@ jobs: impl/rust/pqf-reader/target key: ${{ runner.os }}-py${{ matrix.python }}-cargo-${{ hashFiles('bindings/python/Cargo.toml', 'impl/rust/pqf-reader/Cargo.toml') }} - - name: Create venv (maturin develop requires one) - working-directory: bindings/python - shell: bash - run: | - python -m venv .venv - echo "VIRTUAL_ENV=$PWD/.venv" >> "$GITHUB_ENV" - if [ -d .venv/Scripts ]; then - echo "$PWD/.venv/Scripts" >> "$GITHUB_PATH" - else - echo "$PWD/.venv/bin" >> "$GITHUB_PATH" - fi - - name: Install maturin run: python -m pip install --upgrade pip maturin - - name: Build + install the binding into the venv + - name: Build wheel + working-directory: bindings/python + run: maturin build --release --out dist + + - name: Install wheel working-directory: bindings/python shell: bash run: | - if [ -f .venv/Scripts/python.exe ]; then - PY="$PWD/.venv/Scripts/python.exe" - else - PY="$PWD/.venv/bin/python" - fi - maturin develop --release --interpreter "$PY" + WHEEL=$(ls dist/*.whl | head -1) + python -m pip install "$WHEEL" - name: Smoke test (import + parse a vector) working-directory: bindings/python
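Review bot: `WHEEL=$(ls dist/*.whl | head -1)` parses `ls` output and silently installs whichever wheel sorts first if `dist/` ever holds more than one (a re-run job, a cached directory, or a future abi3 plus per-version build), which is exactly the case where a crypto binding's CI should fail loudly. Let the shell glob do the work and let pip object to anything unexpected: `python -m pip install dist/*.whl` — a missing wheel fails with "no such file", two wheels of the same project fail as a double requirement — and if the binding declares no Python runtime dependencies, add `--no-deps` so this step cannot reach PyPI for anything but the local artifact. The `maturin build --release --out dist` step has no `shell:` key so it runs under pwsh on Windows, which is fine for this command; the smoke-test step that follows is outside the hunk.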