From 544303fa53d6fb53d6ea1d9e859baafb8679d4f1 Mon Sep 17 00:00:00 2001 From: Antony Lee Date: Wed, 16 Jul 2025 11:46:17 +0200 Subject: [PATCH 1/4] More testing by registering mplcairo as default backend for all formats. --- run-mpl-test-suite.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/run-mpl-test-suite.py b/run-mpl-test-suite.py index d037c06..16eb49c 100755 --- a/run-mpl-test-suite.py +++ b/run-mpl-test-suite.py @@ -76,6 +76,8 @@ def _raise_on_image_difference(expected, actual, tol): mplcairo.base.GraphicsContextRendererCairo mpl.backends.backend_agg = \ sys.modules["matplotlib.backends.backend_agg"] = mplcairo.base + mpl.backend_bases._default_backends = { + k: "mplcairo.base" for k in mpl.backend_bases._default_backends} with warnings.catch_warnings(record=True): # mpl 3.0 mpl.use("agg", force=True) @@ -165,6 +167,9 @@ def pytest_collection_modifyitems(session, config, items): "test_backend_ps.py::test_colorbar_shift[", # cairo doesn't support setting fonttype. "test_backend_ps.py::test_fonttype[", + # FIXME[Upstream]: Test is not precise enough re: name reuse + # due to cairo's font subsetting approach. + "test_backend_ps.py::test_no_duplicate_definition", # We're fine with partial usetex. "test_backend_ps.py::test_partial_usetex", # We do not support writing PS to text-mode streams. @@ -194,12 +199,16 @@ def pytest_collection_modifyitems(session, config, items): "test_backend_svg.py::test_svg_incorrect_metadata[", "test_backend_svg.py::test_svg_metadata", "test_backend_svg.py::test_svgid", + "test_figure.py::test_not_visible_figure", # cairo always emits text as glyph paths. "test_backend_svg.py::test_svgnone_with_data_coordinates", # cairo can't emit urls in SVG. "test_backend_svg.py::test_text_urls", "test_backend_svg.py::test_url", "test_backend_svg.py::test_url_tick", + # cairo elides fully-clipped artists + # FIXME[Upstream]: clip paths in test should be fixed. + "test_backend_svg.py::test_clip_path_ids_reuse", # Different tight bbox. "test_bbox_tight.py::test_bbox_inches_tight_suptile_legend[", "test_bbox_tight.py::test_bbox_inches_tight_suptitle_non_default[", From df729897d4c9667f4672394f1393b72d98a7f914 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:06:53 -0400 Subject: [PATCH 2/4] CI: auto-fix via zizmor May include: - Avoids risky string interpolation. - Prevents checkout premissions from leaking --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 381e748..4e69fe9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,6 +12,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} From 1c8476134210f65c0ed00e27310b99d080d2f453 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:21:32 -0400 Subject: [PATCH 3/4] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4e69fe9..139d8b8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,6 @@ name: build +permissions: + contents: read on: [push, pull_request] From de21c12c34d0078d3b85ba4428f02c74c3100e79 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Fri, 18 Jul 2025 11:30:54 -0400 Subject: [PATCH 4/4] CI: add dependabot config file for GHA --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fc9f855 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" # Location of your workflow files + schedule: + interval: "weekly" # Options: daily, weekly, monthly