quantumlib
diff --git a/‎.github/actionlint.yaml‎
Lines changed: 19 additions & 0 deletions b/‎.github/actionlint.yaml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 33 additions & 31 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 33 additions & 31 deletions
diff --git a/‎.github/workflows/codeql.yaml‎
Lines changed: 0 additions & 104 deletions b/‎.github/workflows/codeql.yaml‎
Lines changed: 0 additions & 104 deletions
diff --git a/‎.github/workflows/nightly-pytest.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/nightly-pytest.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/nightly.yaml‎
Lines changed: 1 addition & 25 deletions b/‎.github/workflows/nightly.yaml‎
Lines changed: 1 addition & 25 deletions
@@ -0,0 +1,19 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+self-hosted-runner:
+  # We don't have self-hosted runners, but we do use some of the "partner"
+  # runner images at https://github.com/actions/partner-runner-images
+  labels:
+    - ubuntu-24.04-arm
@@ -100,8 +100,9 @@ jobs:
       gha: ${{steps.filter.outputs.gha}}
       gha_files: ${{steps.filter.outputs.gha_files}}
 
-      # The following all test both the relevant file condition & the CI config
-      # because a change in the CI workflows can affect the CI check results.
+      # The rest all test both the relevant files and ALSO tools & scripts b/c
+      # a change in the CI workflows or scripts can affect the check results.
+
       python: ${{steps.filter.outputs.python || steps.filter.outputs.ci}}
       python_files: ${{steps.filter.outputs.python_files}}
 
@@ -148,7 +149,7 @@ jobs:
           echo base=${{github.ref_name}} >> "$GITHUB_ENV"
 
       - name: Check out a copy of the OpenFermion git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Determine files changed by this ${{github.event_name}} event
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
@@ -159,9 +160,10 @@ jobs:
           # The outputs will be variables named "foo_files" for a filter "foo".
           filters: |
             ci:
-              - './.github/workflows/ci.yml'
-              - './.github/workflows/codeql.yaml'
-              - './.github/workflows/osv-scanner.yaml'
+              - './.github/workflows/**'
+              - './.github/problem-matchers/**'
+              - './check/**'
+              - './dev_tools/**'
             cff:
               - added|modified:
                   - '**/CITATION.cff'
@@ -197,10 +199,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up Python with caching of pip dependencies
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           architecture: 'x64'
@@ -226,12 +228,12 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
         with:
           fetch-depth: 0
 
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           architecture: 'x64'
@@ -255,10 +257,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           architecture: 'x64'
@@ -282,10 +284,10 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           architecture: 'x64'
@@ -322,10 +324,10 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           cache: pip
@@ -369,10 +371,10 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           cache: pip
@@ -411,12 +413,12 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
         # Note: deliberately not using our Python cache here b/c this runs
         # a different version of Python.
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{env.python_compat_ver}}
 
@@ -437,12 +439,12 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
         with:
           fetch-depth: 0
 
       - name: Set up Python and restore cache
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           cache: pip
@@ -467,7 +469,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.yaml_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up yamllint output problem matcher
         run: echo "::add-matcher::.github/problem-matchers/yamllint.json"
@@ -488,7 +490,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.json_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Install jsonlint
         run: npm install -g @prantlf/jsonlint
@@ -509,7 +511,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.cff_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Install cffconvert
         run: pip install cffconvert
@@ -528,7 +530,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.docker_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       # Note: there is a hadolint GitHub Actions available, but it only accepts
       # one Dockerfile to check. We have > 1 file to check, so we need the CLI.
@@ -552,11 +554,11 @@ jobs:
       changed_files: ${{needs.changes.outputs.gha_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       # The next action simply fails if there are any unpinned actions.
       - name: Verify that all workflow actions have pinned versions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@fc87bb5b5a97953d987372e74478de634726b3e5
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74
 
       # If we didn't fail the previous check, go on to more time-consuming ones.
       - name: Install actionlint
@@ -578,7 +580,7 @@ jobs:
       changed_files: ${{needs.changes.outputs.shell_files}}
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up shellcheck output problem matcher
         run: echo "::add-matcher::.github/problem-matchers/shellcheck.json"
@@ -602,10 +604,10 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
 
       - name: Set up Python with caching of pip dependencies
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{inputs.python_ver || env.python_ver}}
           architecture: 'x64'
 
@@ -74,10 +74,10 @@ jobs:
 
     steps:
       - name: Check out a copy of the OpenFermion git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Set up Python ${{matrix.python-version}}
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
         id: cache
         with:
           python-version: ${{matrix.python-version}}
 
@@ -13,14 +13,12 @@
 # limitations under the License.
 
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# Nightly tests and scans workflow.
-#
 # This workflow runs nightly to run tests & scans on the OpenFermion codebase.
 # It can also be invoked manually via the "Run workflow" button at
 # https://github.com/quantumlib/OpenFermion/actions/workflows/nightly.yaml
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-name: 'Nightly tests & scans'
+name: 'Nightly tests'
 run-name: Run nightly tests and code scans
 
 on:
@@ -47,25 +45,3 @@ jobs:
     with:
       args: '--pre'
       reason: '(nightly)'
-
-  codeql:
-    name: Nightly CodeQL code scan
-    uses: ./.github/workflows/codeql.yaml
-    permissions: write-all
-    with:
-      reason: '(nightly)'
-
-  osv:
-    name: Nightly OSV code scan
-    uses: ./.github/workflows/osv-scanner.yaml
-    permissions: write-all
-    with:
-      reason: '(nightly)'
-
-  scorecard:
-    name: Nightly Scorecard analysis
-    uses: ./.github/workflows/scorecard.yaml
-    permissions: write-all
-    secrets: inherit
-    with:
-      reason: '(nightly)'