Merge branch 'main' into workflows/merge-release-into-main

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,7 +1,7 @@
-name: Bug Report
-description: File a bug report
+name: "\U0001F41E Bug report"
+description: File a bug report to help us improve.
 title: "[Bug]: "
-labels: ["bug :bug:"]
+labels: ["bug"]
 
 body:
   - type: markdown
@@ -33,6 +33,7 @@ body:
       label: Version
       description: What version of Heat are you running?
       options:
+        - 1.3.x
         - 1.2.x
         - 1.1.x
         - main (development branch)
@@ -54,6 +55,8 @@ body:
       label: PyTorch version
       description: What PyTorch version?
       options:
+        - 2.0
+        - 1.13
         - 1.12
         - 1.11
         - "1.10"

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,8 +1,8 @@
 ---
-name: Feature request
-about: Suggest missing features or functionalities
+name: "🌟Feature request"
+about: Suggest missing features or functionalities for Heat
 title: ''
-labels: ''
+labels: 'enhancement'
 assignees: ''
 
 ---

.github/ISSUE_TEMPLATE/vulnerability.yml

@@ -0,0 +1,98 @@
+name: "\U0001F6A8 Vulnerability Report"
+description: Report a security vulnerability in our project.
+title: "[VULNERABILITY]:  "
+labels: ["security, High Priority"]
+assignees: ["mtar, bhagemeier, ClaudiaComito"]
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to report a security vulnerability! Your assistance helps us keep our library secure.
+  - type: textarea
+    id: affected-versions
+    attributes:
+      label: Affected Version(s)
+      description: List the affected versions of the library.
+    validations:
+      required: true
+  - type: textarea
+    id: severity
+    attributes:
+      label: Severity
+      description: Specify the severity of the vulnerability (e.g., Low/Medium/High/Critical).
+    validations:
+      required: true
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: Provide a clear and concise description of the security vulnerability.
+    validations:
+      required: true
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: Outline the steps to reproduce the vulnerability, including any relevant code snippets or configuration settings.
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected Behavior
+      description: Explain what you expected to happen when following the steps above.
+    validations:
+      required: true
+  - type: textarea
+    id: actual-behavior
+    attributes:
+      label: Actual Behavior
+      description: Describe what actually happened when you followed the steps above, highlighting the security issue.
+    validations:
+      required: true
+  - type: textarea
+    id: impact
+    attributes:
+      label: Impact
+      description: Discuss the potential impact of this vulnerability, including any possible consequences or risks associated with its exploitation.
+    validations:
+      required: true
+  - type: textarea
+    id: proof-of-concept
+    attributes:
+      label: Proof of Concept (Optional)
+      description: If applicable, provide a proof of concept (POC) or exploit code to demonstrate the vulnerability. Do not disclose sensitive information.
+  - type: textarea
+    id: additional-information
+    attributes:
+      label: Additional Information
+      description: Include any additional information or context that you believe is relevant to this vulnerability report.
+  - type: textarea
+    id: proposed-fix
+    attributes:
+      label: Proposed Fix (Optional)
+      description: If you have a suggested fix or mitigation for this vulnerability, please provide details here. Your input is valuable.
+  - type: textarea
+    id: attachments
+    attributes:
+      label: Attachments (Optional)
+      description: If you have any relevant files or screenshots, please attach them here.
+  - type: textarea
+    id: disclosure-timeline
+    attributes:
+      label: Disclosure Timeline (Optional)
+      description: If you have a preferred timeline for the disclosure of this vulnerability, please specify it here. We typically follow responsible disclosure practices and will coordinate with you on the disclosure process.
+  - type: textarea
+    id: additional-contact-info
+    attributes:
+      label: Additional Contact Information (Optional)
+      description: If you prefer to be contacted through an alternate method or have other contact preferences, please specify them here.
+  - type: markdown
+    attributes:
+      value: |
+        ---
+
+        **Note**: By submitting this report, you agree to follow responsible disclosure practices and to work with the maintainers to coordinate the resolution and disclosure of this vulnerability.
+
+        Thank you for helping us improve the security of our library!

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,3 +1,14 @@
+## Due Diligence
+<!--- Please address the following points before setting your PR "ready for review".
+--->
+- General:
+    - [ ]  **base branch** must be `main` for new features, latest release branch (e.g. `release/1.3.x`) for bug fixes
+    - [ ]  **title** of the PR is suitable to appear in the [Release Notes](https://github.com/helmholtz-analytics/heat/releases/latest)
+- Implementation:
+    - [ ] unit tests: all split configurations tested
+    - [ ] unit tests: multiple dtypes tested
+    - [ ] documentation updated where needed
+
 ## Description
 
 <!--- Include a summary of the change/s.
@@ -7,6 +18,7 @@ Please also include relevant motivation and context. List any dependencies that
 Issue/s resolved: #
 
 ## Changes proposed:
+
 -
 -
 -
@@ -27,7 +39,7 @@ i.e.
 - with `split=None` and `split not None`
 
 This can be done using https://github.com/pythonprofilers/memory_profiler for CPU memory measurements,
-GPU measuremens can be done with https://pytorch.org/docs/master/generated/torch.cuda.max_memory_allocated.html.
+GPU measurements can be done with https://pytorch.org/docs/master/generated/torch.cuda.max_memory_allocated.html.
 These tools only profile the memory used by each process, not the entire function.
 --->
 
@@ -38,15 +50,8 @@ These tools only profile the memory used by each process, not the entire functio
 
 Python has an embedded profiler: https://docs.python.org/3.9/library/profile.html
 Again, this will only profile the performance on each process. Printing the results with many processes
-my be illegible. It may be easiest to save the output of each to a file.
+may be illegible. It may be easiest to save the output of each to a file.
 --->
 
-
-## Due Diligence
-- [ ] All split configurations tested
-- [ ] Multiple dtypes tested in relevant functions
-- [ ] Documentation updated (if needed)
-- [ ] Title of PR is suitable for corresponding CHANGELOG entry
-
 #### Does this change modify the behaviour of other functions? If so, which?
 yes / no

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /doc
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /heat/core/tests
+    schedule:
+      interval: daily

.github/issue-branch.yml

@@ -0,0 +1,15 @@
+mode: auto
+silent: false
+branchName: '${issue.number}-${issue.title}'
+defaultBranch: 'main'
+
+branches:
+  - label: bug
+    name: release/1.3.x
+    prefix: bugs/
+  - label: enhancement
+    prefix: features/
+  - label: documentation
+    prefix: docs/
+  - label: workflows
+    prefix: workflows/

.github/workflows/CIBase.yml

@@ -7,10 +7,18 @@ on:
       - 'release/**'
       - 'support/**'
 
+permissions:
+  contents: read
+
 jobs:
   starter:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: 'start test'
         run: |
          curl -s -X POST \

.github/workflows/CommentPR.yml

@@ -15,8 +15,13 @@ jobs:
     outputs:
       PR_NR: ${{ steps.step1.outputs.test }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: 'Download artifact'
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -40,7 +45,7 @@ jobs:
         run: unzip pr_number.zip
 
       - name: 'Comment on PR'
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -59,7 +64,12 @@ jobs:
     needs: upload
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: 'Trigger Workflow'
         run: |

.github/workflows/ReceivePR.yml

@@ -11,16 +11,21 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Use Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.8
           architecture: x64
 
       - name: Setup MPI
-        uses: mpi4py/setup-mpi@v1
+        uses: mpi4py/setup-mpi@40c19a60792debf8ca403a3e6ee5f84c4e76555d # v1.2.1
         with:
           mpi: openmpi
 
@@ -36,7 +41,7 @@ jobs:
         run: |
           mkdir -p ./pr
           echo $PR_NUMBER > ./pr/pr_number
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: pr_number
           path: pr/

.github/workflows/bench_report.yml

@@ -0,0 +1,67 @@
+name: Benchmarks report
+on:
+  workflow_dispatch:
+    inputs:
+      job_id:
+        description: "Gitlab job id"
+        required: true
+        type: string
+      author:
+        description: "Commit author"
+        required: true
+        type: string
+
+jobs:
+  bench_report:
+    name: Benchmark report
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: "Collect Gitlab Benchmarks"
+        run: |
+          curl --location \
+          --header "PRIVATE-TOKEN: ${{ secrets.GITLAB_CB_API_TOKEN }}" \
+          --output benchmarks.json \
+          "https://codebase.helmholtz.cloud/api/v4/projects/7930/jobs/${{ inputs.job_id }}/artifacts/heat/bench_data/benchmarks.json"
+          cat benchmarks.json
+          curl --location \
+          --header "PRIVATE-TOKEN: ${{ secrets.GITLAB_CB_API_TOKEN }}" \
+          --output report.txt \
+          "https://codebase.helmholtz.cloud/api/v4/projects/7930/jobs/${{ inputs.job_id }}/artifacts/heat/bench_data/report.txt"
+          echo "Pipeline URL: https://codebase.helmholtz.cloud/helmholtz-analytics/cb/-/jobs/${{ inputs.job_id}}" >> $GITHUB_STEP_SUMMARY
+          cat report.txt >> $GITHUB_STEP_SUMMARY
+      - name: Compare and Save Benchmark Results
+        id: action_bench
+        uses: benchmark-action/github-action-benchmark@70405016b032d44f409e4b1b451c40215cbe2393 # v1.18.0
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          # Benchmark action input and output
+          tool: "customSmallerIsBetter"
+          output-file-path: benchmarks.json
+          # Alert configuration
+          fail-on-alert: true # Don't fail on main branch
+          comment-on-alert: true
+          alert-comment-cc-users: ${{ format('@{0}', inputs.author) }}
+          # Save benchmarks from the main branch
+          save-data-file: ${{ github.ref == 'refs/heads/main' }}
+          # Pages configuration
+          auto-push: ${{ github.ref == 'refs/heads/main' }}
+          gh-pages-branch: gh-pages
+          benchmark-data-dir-path: dev/bench
+      - name: Update commit status
+        if: always()
+        run: |
+          if [[ "${{ steps.action_bench.outcome }}" =~ success|failure ]]; then export STEP_STATE="${{ steps.action_bench.outcome }}" && echo "then $STEP_STATE"; else export STEP_STATE=error && echo "else $STEP_STATE"; fi
+          echo "$STEP_STATE"
+          curl -L -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.sha }} \
+            -d "{ \"state\":\"$STEP_STATE\", \"target_url\":\"https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\", \"description\":\"The results are here!\", \"context\":\"cb/report\" }"