GitHub Actions Updates

.github/dependabot.yml

@@ -0,0 +1,22 @@
+---
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    commit-message:
+      prefix: ":dependabot: github-actions"
+      include: "scope"
+    cooldown:
+      default-days: 7
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "uv"
+    commit-message:
+      prefix: ":dependabot: uv"
+      include: "scope"
+    cooldown:
+      default-days: 7
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/check-minimal-import.yml

@@ -0,0 +1,48 @@
+name: Check minimal import
+
+on:
+  pull_request:
+    branches:
+      - master
+      - "**dev"
+    paths:
+      - "splink/**"
+      - "pyproject.toml"
+      - "uv.lock"
+
+permissions: {}
+
+jobs:
+  test:
+    name: Check minimal import
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Setup uv (without cache)
+        id: setup_uv
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        with:
+          enable-cache: false
+
+      - name: Install Python 3.12
+        id: install_python312
+        run: uv python install 3.12
+
+      - name: Install dependencies
+        id: install_dependencies
+        run: uv sync --python 3.12 --only-group core
+
+      - name: Check Splink imports
+        id: check_splink_imports
+        run: uv run --only-group core python -c "import splink"
+
+      - name: Check dependencies installed
+        id: check_dependencies_installed
+        run: uv pip list

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,48 @@
+name: CodeQL analysis
+
+on:
+  pull_request:
+    branches:
+      - master
+      - "**dev"
+  push:
+    branches:
+      - master
+
+permissions: {}
+
+jobs:
+  codeql-analysis:
+    name: CodeQL analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - actions
+          - python
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Initialise CodeQL
+        id: init_codeql
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: CodeQL autobuild
+        id: codeql_autobuild
+        uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+
+      - name: CodeQL analysis
+        id: codeql_analysis
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          category: "language:${{ matrix.language }}"

.github/workflows/run_demos_examples.yml → .github/workflows/demo-examples.yml

@@ -1,4 +1,4 @@
-name: Run splink example notebooks
+name: Demo Example Notebooks
 
 on:
   pull_request:
@@ -13,20 +13,29 @@ on:
       - "uv.lock"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   test-notebooks:
+    name: Test ${{ matrix.test-group }} notebook with Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10"]
+        python-version: ["3.12"]
         test-group: ["duckdb", "spark", "sqlite"]
-    name: Test ${{ matrix.test-group }} notebooks with Python ${{ matrix.python-version }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Setup uv (with cache)
-        uses: astral-sh/setup-uv@v6
+        id: setup_uv
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
         with:
           enable-cache: true
           cache-dependency-glob: |
@@ -35,14 +44,18 @@ jobs:
           cache-suffix: "${{ runner.os }}-${{ matrix.python-version }}"
 
       - name: Install Python ${{ matrix.python-version }}
+        id: install_python
         run: uv python install ${{ matrix.python-version }}
 
       - name: Install dependencies
-        run: uv sync -p ${{ matrix.python-version }} --group demos
+        id: install_dependencies
+        run: uv sync --python ${{ matrix.python-version }} --group demos
 
-      - name: Modify Notebooks to reduce data size
+      - name: Reduce notebook size
+        id: reduce_notebook_size
         run: uv run python scripts/reduce_notebook_runtime.py
 
-      - name: Test ${{ matrix.test-group }} example notebooks with pytest
+      - name: Run tests
+        id: run_tests
         run: |
           uv run pytest -vv --nbmake -n=auto --nbmake-kernel=python3 --durations=0 docs/demos/examples/${{ matrix.test-group }}/*ipynb

.github/workflows/run_demos_tutorials.yml → .github/workflows/demo-tutorials.yml

@@ -1,4 +1,4 @@
-name: Run splink_demos tutorial notebooks
+name: Demo Tutorials Notebooks
 
 on:
   pull_request:
@@ -10,22 +10,30 @@ on:
       - docs/demos/tutorials/**
       - pyproject.toml
       - "uv.lock"
-
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   test:
+    name: Test tutorial notebooks with Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10"]
-    name: Run tutorial notebooks with Python ${{ matrix.python-version }}
+        python-version: ["3.12"]
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Setup uv (with cache)
-        uses: astral-sh/setup-uv@v6
+        id: setup_uv
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
         with:
           enable-cache: true
           cache-dependency-glob: |
@@ -34,14 +42,18 @@ jobs:
           cache-suffix: "${{ runner.os }}-${{ matrix.python-version }}"
 
       - name: Install Python ${{ matrix.python-version }}
+        id: install_python
         run: uv python install ${{ matrix.python-version }}
 
       - name: Install dependencies
-        run: uv sync -p ${{ matrix.python-version }} --group demos
+        id: install_dependencies
+        run: uv sync --python ${{ matrix.python-version }} --group demos
 
-      - name: Modify Notebooks to reduce data size
+      - name: Reduce notebook size
+        id: reduce_notebook_size
         run: uv run python scripts/reduce_notebook_runtime.py
 
-      - name: Run tutorial notebooks
+      - name: Run tests
+        id: run_tests
         run: |
           uv run pytest -vv --nbmake -n=auto --nbmake-kernel=python3 docs/demos/tutorials/*ipynb

.github/workflows/test_latest_dependency_versions.yml → .github/workflows/dependency-canary.yml

@@ -5,40 +5,52 @@ on:
     - cron: "0 6 * * *"
   workflow_dispatch:
 
+permissions: {}
+
 concurrency:
   group: daily-uv-canary
   cancel-in-progress: true
 
 jobs:
-  canary:
+  dependency-canary:
+    name: Dependency canary
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        id: checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@v6
+        id: setup_uv
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
 
       - name: Install Python 3.13
+        id: install_python313
         run: uv python install 3.13
+
       - name: Upgrade lockfile
+        id: upgrade_lockfile
         run: uv lock --upgrade
 
       - name: Did uv.lock change?
         id: changed
         run: |
           if git diff --quiet --exit-code -- uv.lock; then
-            echo "changed=false" >> "$GITHUB_OUTPUT"
+            echo "changed=false" >> "${GITHUB_OUTPUT}"
           else
-            echo "changed=true" >> "$GITHUB_OUTPUT"
+            echo "changed=true" >> "${GITHUB_OUTPUT}"
           fi
 
-      - name: Sync deps from lock
+      - name: Install dependencies
         if: steps.changed.outputs.changed == 'true'
-        run: uv sync -p 3.13
+        id: install_dependencies
+        run: uv sync --python 3.13
 
-      - name: Run basic tests
+      - name: Run tests
         if: steps.changed.outputs.changed == 'true'
-        id: tests
+        id: run_tests
         run: uv run python -m pytest -m "duckdb" tests/

.github/workflows/dependency-review.yml

@@ -0,0 +1,30 @@
+name: Dependency review
+
+on:
+  pull_request:
+    branches:
+      - master
+      - "**dev"
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    name: Dependency review
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Dependency Review
+        id: dependency_review
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        with:
+          comment-summary-in-pr: true
+          fail-on-severity: critical