BLD: first commit

Author: andyfaff

.gitattributes

@@ -0,0 +1,9 @@
+# Auto detect text files and perform LF normalization
+*.py text=auto eol=lf
+*.pyx text=auto eol=lf
+*.cpp text=auto eol=lf
+*.h text=auto eol=lf
+*.rst text=auto eol=lf
+*.txt text=auto eol=lf
+*.yml text=auto eol=lf
+*.md text=auto eol=lf

.gitignore

@@ -0,0 +1,4 @@
+scipy-src
+dist
+
+.idea/

CONTRIBUTING.md

@@ -0,0 +1,77 @@
+# Contributing to the `scipy-release` repository
+
+This repository has fairly strict contribution rules for security and
+auditability reasons, as explained in the README. PRs with improvements or bug
+fixes are very welcome, however CI jobs will not run for anyone who doesn't
+have commit access.
+
+
+## Running CI jobs on your own fork
+
+To get CI to run on your own fork for changes in a branch named
+`my-branch-name`, add a temporary commit to your branch that adds a trigger:
+
+```diff
+--- a/.github/workflows/wheels.yml
++++ b/.github/workflows/wheels.yml
+@@ -22,6 +22,7 @@ on:
+   push:
+     branches:
+       - main
++      - my-branch-name
+   workflow_dispatch:
+     inputs:
+       environment:
+```
+If you title the commit, e.g., `DEBUG: run on fork`, it's easy to drop the
+commit again once you're done testing and before opening a PR to the
+`scipy/scipy-release` repository.
+
+Note that this will run *a lot of jobs*. If you're doing iterative testing,
+it's recommended to only select the platform(s) you're interested in like this:
+
+```diff
+--- a/.github/workflows/wheels.yml
++++ b/.github/workflows/wheels.yml
+@@ -22,6 +22,7 @@ on:
+   push:
+     branches:
+       - main
++      - my-branch-name
+   workflow_dispatch:
+     inputs:
+       environment:
+@@ -48,20 +49,8 @@ jobs:
+         # Github Actions doesn't support pairing matrix values together, let's improvise
+         # https://github.com/github/feedback/discussions/7835#discussioncomment-1769026
+         buildplat:
+-          - [ubuntu-22.04, manylinux_x86_64, ""]
+-          - [ubuntu-22.04, musllinux_x86_64, ""]
+-          - [ubuntu-22.04-arm, manylinux_aarch64, ""]
+           - [ubuntu-22.04-arm, musllinux_aarch64, ""]
+-          - [macos-13, macosx_x86_64, openblas]
+-
+-          # targeting macos >= 14. Could probably build on macos-14, but it would be a cross-compile
+-          - [macos-13, macosx_x86_64, accelerate]
+-          - [macos-14, macosx_arm64, openblas]
+-          - [macos-14, macosx_arm64, accelerate]
+-          - [windows-2022, win_amd64, ""]
+-          - [windows-2022, win32, ""]
+-          - [windows-11-arm, win_arm64, ""]
+-        python: ["cp311", "cp312", "cp313", "cp313t", "cp314", "cp314t", "pp311"]
++        python: ["cp314", "cp314t"]
+         exclude:
+           # Don't build PyPy 32-bit windows
+           - buildplat: [windows-2022, win32, ""]
+```
+
+
+## Commit messages and linear history
+
+Please use the same [commit message format as for the main `scipy` repository](https://numpy.org/devdocs/dev/development_workflow.html#writing-the-commit-message).
+
+This repository requires linear history. It's preferred that contributors edit
+their commit history so the PRs they submit contain clean, independent commits.
+Note that each commit should be able to pass CI - if one commit depends on
+another, they should be merged. Maintainers may decide to squash-merge if those
+requirements aren't met.

LICENSE.txt

@@ -0,0 +1,30 @@
+Copyright (c) 2001-2002 Enthought, Inc. 2003, SciPy Developers.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above
+   copyright notice, this list of conditions and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived
+   from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,71 @@
+# SciPy wheels and release tooling
+
+This repository contains what is needed to build release artifacts (wheels and
+sdist) for the official [SciPy releases to
+PyPI](https://pypi.org/project/scipy/) as well as nightly wheel builds which
+are uploaded to
+[anaconda.org/scientific-python-nightly-wheels/scipy](https://anaconda.org/scientific-python-nightly-wheels/scipy).
+
+This repository is minimal on purpose, for security reasons it contains only what is absolutely necessary. The repository settings are stricter than on the main [scipy/scipy](https://github.com/scipy/scipy/) repository, for example:
+
+- only the release & CI team has write access
+- for PRs from anyone without write access, CI will always need manual approval
+- linear history is required
+- GitHub actions are whitelisted, only the necessary ones will be allowed
+- no caching allowed, only clean builds from scratch
+- no self-hosted runners are allowed
+
+See [numpy#29178](https://github.com/numpy/numpy/issues/29178) for more context.
+
+
+## Branches and tags
+
+The `main` branch of this repository is meant to stay in sync with the `main` branch
+of the [scipy/scipy](https://github.com/scipy/scipy) repository. It runs scheduled builds
+as cron jobs twice a week, and uploads nightlies to 
+[https://anaconda.org/scientific-python-nightly-wheels/scipy](anaconda.org/scientific-python-nightly-wheels/scipy).
+
+For SciPy releases, the branch naming should match those of the main
+`scipy/scipy` repository, e.g., `maintenance/2.3.x` for the 2.3.x releases.
+
+Which branch, commit or tag is built when a set of wheel builds is triggered is
+controlled by the `SOURCE_REF_TO_BUILD` variable at the top of
+`.github/workflows/wheels.yml`.
+
+
+## Build reproducibility
+
+Wheel builds being fully reproducible is a long-term goal for this repository.
+All dependencies and actions must be pinned, which allows us to already be
+close to full reproducibility. However, we don't (yet) have full control over
+all ingredients that go into a wheel build, e.g. the containers which GitHub
+Actions provide may change over time.
+
+
+## Trusted publishing and attestations
+
+The release builds in this repository should be using trusted publishing to
+publish directly to PyPI (and TestPyPI), including attestations. Triggering
+a release build has to be done by the `workflow_dispatch` in the
+[Actions UI in this repository](https://github.com/scipy/scipy-release/actions/workflows/wheels.yml),
+selecting `pypi` or `testpypi` as the target. This will use a GitHub Actions
+"environment" of the same name - before the uploads to PyPI actually happen,
+the release manager can go in and inspect the build logs and produced wheels.
+Once those look good, the release manager can finalize the release from the
+[deployments page in this repository](https://github.com/scipy/scipy-release/deployments).
+
+
+## Software Bill of Materials
+
+We aim to start producing SBOMs and ship them inside SciPy wheels uploaded to
+PyPI, however as of today that is not implemented.
+
+
+## Security
+
+To report a security vulnerability for SciPy itself, please see
+[the security policy on the main repo](https://github.com/numpy/numpy/?tab=security-ov-file#readme).
+
+To discuss a supply chain security related topic for the code in this
+repository, please open an issue on this repository if it can be discussed in
+public, and otherwise please follow the security policy on the main repo.

cibuildwheel.toml

@@ -0,0 +1,33 @@
+[tool.cibuildwheel]
+skip = ["*_i686", "*_ppc64le", "*_s390x", "*_universal2"]
+# We're only testing with essential test dependencies, not optional ones.
+# Some of those require binary wheels (often missing for some platforms),
+# or they slow down the test suite runs too much or simply aren't necessary.
+test-requires = [
+    "pytest",
+    "pytest-xdist",
+    "threadpoolctl",
+    "pooch",
+    "hypothesis",
+]
+before-build = "bash {project}/tools/wheels/cibw_before_build.sh {project}"
+test-command = "bash {project}/tools/wheels/cibw_test_command.sh {project}"
+
+[tool.cibuildwheel.linux]
+manylinux-x86_64-image = "manylinux_2_28"
+manylinux-aarch64-image = "manylinux_2_28"
+musllinux-x86_64-image = "musllinux_1_2"
+musllinux-aarch64-image = "musllinux_1_2"
+
+[tool.cibuildwheel.linux.environment]
+# RUNNER_OS is a GitHub Actions specific env var; define it here so it's
+# defined when running cibuildwheel locally
+RUNNER_OS="Linux"
+# /project will be the $PWD equivalent inside the Docker container used to build the wheel
+PKG_CONFIG_PATH="/project/.openblas"
+
+[tool.cibuildwheel.macos.environment]
+PKG_CONFIG_PATH = "{project}"
+
+[tool.cibuildwheel.windows]
+repair-wheel-command = "bash ./tools/wheels/repair_windows.sh {wheel} {dest_dir}"