| 1 | +# NumPy wheels and release tooling |
| 2 | + |
| 3 | +This repository contains what is needed to build release artifacts (wheels and |
| 4 | +sdist) for the official [NumPy releases to |
| 5 | +PyPI](https://pypi.org/project/numpy/) as well as nightly wheel builds which |
| 6 | +are uploaded to |
| 7 | +[anaconda.org/scientific-python-nightly-wheels/numpy](https://anaconda.org/scientific-python-nightly-wheels/numpy). |
| 8 | + |
| 9 | +This repository is minimal on purpose, for security reasons it contains only what is absolutely necessary. The repository settings are stricter than on the main [numpy/numpy](https://github.com/numpy/numpy/) repository, for example: |
| 10 | + |
| 11 | +- only the release & CI team has write access |
| 12 | +- for PRs from anyone without write access, CI will always need manual approval |
| 13 | +- linear history is required |
| 14 | +- GitHub actions are whitelisted, only the necessary ones will be allowed |
| 15 | +- no caching allowed, only clean builds from scratch |
| 16 | +- no self-hosted runners are allowed |
| 17 | + |
| 18 | +See [numpy#29178](https://github.com/numpy/numpy/issues/29178) for more context. |
| 19 | + |
| 20 | + |
| 21 | +## Branches and tags |
| 22 | + |
| 23 | +TODO: describe how branches/tags in this repo correspond to the main branch and |
| 24 | +release tags on the main repo. |
| 25 | + |
| 26 | + |
| 27 | +## Build reproducibility |
| 28 | + |
| 29 | +Wheel builds being fully reproducible is a long-term goal for this repository. |
| 30 | +All dependencies and actions must be pinned, which allows us to already be |
| 31 | +close to full reproducibility. However, we don't (yet) have full control over |
| 32 | +all ingredients that go into a wheel build, e.g. the containers which GitHub |
| 33 | +Actions provide may change over time. |
| 34 | + |
| 35 | + |
| 36 | +## Trusted publishing and attestations |
| 37 | + |
| 38 | +TODO |
| 39 | + |
| 40 | + |
| 41 | +## Software Bill of Materials |
| 42 | + |
| 43 | +TODO |
| 44 | + |
| 45 | + |
| 46 | +## Security |
| 47 | + |
| 48 | +To report a security vulnerability for NumPy itself, please see |
| 49 | +[the security policy on the main repo](https://github.com/numpy/numpy/?tab=security-ov-file#readme). |
| 50 | + |
| 51 | +To discuss a supply chain security related topic for the code in this |
| 52 | +repository, please open an issue on this repository if it can be discussed in |
| 53 | +public, and otherwise please follow the security policy on the main repo. |
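Review bot: the "Build reproducibility" section says "All dependencies and actions must be pinned" but does not say what counts as a pin; for GitHub Actions a tag or branch reference is mutable, so the README should state that actions are pinned to full-length commit SHAs (e.g. `uses: owner/action@<full 40-char sha>  # vX.Y.Z`) and that Python build dependencies are pinned with hashes, otherwise the claim of being "close to full reproducibility" is not verifiable from the repository itself. Two smaller points in the same hunk: the settings list under "for example" would be easier to audit if it named where each rule is enforced (branch protection for linear history, the Actions allowlist in repository settings, runner policy), since a reader cannot tell which are configured and which are conventions; and the sentence "This repository is minimal on purpose, for security reasons it contains only what is absolutely necessary." is a comma splice and reads better as "This repository is minimal on purpose: for security reasons it contains only what is absolutely necessary."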