PECOS-packages · ciaranra · May 19, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
@@ -19,6 +19,22 @@ updates:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
 
+  # Rust (Cargo) - native benchmark security updates only
+  - package-ecosystem: "cargo"
+    directory: "/scripts/native_bench/bench_pecos"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      native-bench-rust-security:
+        applies-to: security-updates
+        patterns: ["*"]
+    allow:
+      - dependency-type: "all"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
+
   # Python (pip) - security updates only
   - package-ecosystem: "pip"
     directory: "/"

@@ -0,0 +1,49 @@
+name: Cargo Deny
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: [ "main", "master", "development", "dev" ]
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+      - 'deny.toml'
+      - '.github/workflows/cargo-deny.yml'
+  pull_request:
+    branches: [ "main", "master", "development", "dev" ]
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+      - 'deny.toml'
+      - '.github/workflows/cargo-deny.yml'
+  schedule:
+    - cron: "17 5 * * 3"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Install cargo-deny
+        run: cargo install --locked --version 0.19.6 cargo-deny
+
+      - name: Check root Rust workspace
+        run: cargo deny --locked --all-features check advisories bans sources
+
+      - name: Check native benchmark crate
+        run: cargo deny --manifest-path scripts/native_bench/bench_pecos/Cargo.toml --locked --all-features check advisories bans sources
@@ -0,0 +1,68 @@
+name: CodeQL
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+on:
+  push:
+    branches: [ "main", "master", "development", "dev" ]
+  pull_request:
+    branches: [ "main", "master", "development", "dev" ]
+  schedule:
+    - cron: "29 4 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze ${{ matrix.language }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: ""
+          - language: c-cpp
+            build-mode: none
+          - language: go
+            build-mode: autobuild
+          - language: python
+            build-mode: ""
+          - language: rust
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        if: matrix.build-mode == ''
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Initialize CodeQL with build mode
+        if: matrix.build-mode != ''
+        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Autobuild
+        if: matrix.build-mode == 'autobuild'
+        uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+        with:
+          category: "/language:${{ matrix.language }}"
@@ -4,6 +4,9 @@
 
 name: CUDA Build Check
 
+permissions:
+  contents: read
+
 env:
   RUSTFLAGS: -C debuginfo=0
   RUST_BACKTRACE: 1
@@ -32,7 +35,9 @@ jobs:
   cuda-build-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Free disk space
         run: |
@@ -42,22 +47,23 @@ jobs:
 
       - name: Install Rust
         run: |
-          curl https://sh.rustup.rs -sSf | sh -s -- -y
-          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+          bash scripts/ci/ensure-rust.sh stable minimal
           export PATH="$HOME/.cargo/bin:$PATH"
 
       - name: Set up Rust
-        run: rustup override set stable && rustup update
+        run: |
+          rustup override set stable
+          rustup show
 
       - name: Cache Rust
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
         with:
           cache-bin: false
           prefix-key: v1-rust-no-bin
-          save-if: ${{ github.ref_name == 'main' || github.ref_name == 'master' || github.ref_name == 'development' || github.ref_name == 'dev' }}
+          save-if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master' || github.ref_name == 'development' || github.ref_name == 'dev') }}
 
       - name: Install CUDA Toolkit
-        uses: Jimver/cuda-toolkit@v0.2.35
+        uses: Jimver/cuda-toolkit@3d45d157f327c09c04b50ee6ccdea2d9d017ec76 # v0.2.35
         id: cuda-toolkit
         with:
           cuda: '12.6.3'
@@ -68,28 +74,28 @@ jobs:
       - name: Check pecos-cuquantum-sys compiles (stub mode)
         run: |
           echo "Building pecos-cuquantum-sys (will use stubs since cuQuantum SDK is not installed)..."
-          cargo check -p pecos-cuquantum-sys
+          cargo check --locked -p pecos-cuquantum-sys
 
       - name: Check pecos-cuquantum compiles (stub mode)
         run: |
           echo "Building pecos-cuquantum (will use stubs since cuQuantum SDK is not installed)..."
-          cargo check -p pecos-cuquantum
+          cargo check --locked -p pecos-cuquantum
 
       - name: Check pecos-rslib-cuda compiles (stub mode)
         run: |
           echo "Building pecos-rslib-cuda Python bindings..."
-          cargo check -p pecos-rslib-cuda
+          cargo check --locked -p pecos-rslib-cuda
 
       - name: Run clippy on CUDA crates
         run: |
           echo "Running clippy on CUDA crates..."
-          cargo clippy -p pecos-cuquantum-sys -p pecos-cuquantum -p pecos-rslib-cuda -- -D warnings
+          cargo clippy --locked -p pecos-cuquantum-sys -p pecos-cuquantum -p pecos-rslib-cuda -- -D warnings
 
       - name: Verify stub mode detection
         run: |
           echo "Verifying that build correctly detects stub mode..."
           # The crates should compile but is_cuquantum_available() should return false
-          cargo build -p pecos-cuquantum --release
+          cargo build --locked -p pecos-cuquantum --release
           # Note: We can't actually run the binary to test is_cuquantum_available()
           # because it requires the cuQuantum runtime, but the build succeeding
           # in stub mode means the detection is working

@@ -0,0 +1,53 @@
+name: Dependency Integrity Check
+
+on:
+  push:
+    branches: [ "main", "master", "development", "dev" ]
+  pull_request:
+    branches: [ "main", "master", "development", "dev" ]
+  schedule:
+    - cron: "17 9 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  dependency-integrity-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
+        with:
+          version: "0.11.14"
+          enable-cache: true
+          save-cache: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'master' || github.ref_name == 'development' || github.ref_name == 'dev') }}
+
+      - name: Install integrity check tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ripgrep
+
+      - name: Set up Rust
+        run: rustup show
+
+      - name: Run dependency integrity checks
+        run: ./scripts/dependency-integrity-check.sh
@@ -0,0 +1,77 @@
+name: Dependency Review
+
+on:
+  push:
+    branches: [ "**" ]
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - 'scripts/native_bench/bench_pecos/Cargo.toml'
+      - 'scripts/native_bench/bench_pecos/Cargo.lock'
+      - 'pyproject.toml'
+      - 'python/**/pyproject.toml'
+      - 'uv.lock'
+      - 'requirements*.txt'
+      - '**/requirements*.txt'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'pnpm-lock.yaml'
+      - 'yarn.lock'
+      - 'bun.lock'
+      - 'bun.lockb'
+      - '.github/dependabot.yml'
+      - '.github/workflows/dependency-review.yml'
+  pull_request:
+    branches: [ "main", "master", "development", "dev" ]
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - 'scripts/native_bench/bench_pecos/Cargo.toml'
+      - 'scripts/native_bench/bench_pecos/Cargo.lock'
+      - 'pyproject.toml'
+      - 'python/**/pyproject.toml'
+      - 'uv.lock'
+      - 'requirements*.txt'
+      - '**/requirements*.txt'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'pnpm-lock.yaml'
+      - 'yarn.lock'
+      - 'bun.lock'
+      - 'bun.lockb'
+      - '.github/dependabot.yml'
+      - '.github/workflows/dependency-review.yml'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Review dependency changes in pull request
+        if: github.event_name == 'pull_request'
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
+        with:
+          fail-on-severity: high
+
+      - name: Review dependency changes in push
+        if: github.event_name == 'push' && github.event.before != '0000000000000000000000000000000000000000'
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
+        with:
+          fail-on-severity: high
+          base-ref: ${{ github.event.before }}
+          head-ref: ${{ github.sha }}
+
+      - name: Skip dependency review for first push to a branch
+        if: github.event_name == 'push' && github.event.before == '0000000000000000000000000000000000000000'
+        run: echo "No previous commit exists for this pushed ref; dependency review will run on subsequent pushes."