ci: disable nested workflows; use only root workflows

Author: Karthikprasadm

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/sup-lang"
+    schedule:
+      interval: "weekly"
+

.github/workflows/fuzz.yml

@@ -0,0 +1,47 @@
+name: ClusterFuzzLite
+
+on:
+  pull_request:
+    branches: [ main, master ]
+  push:
+    branches: [ main, master ]
+  schedule:
+    - cron: '0 4 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install deps
+        working-directory: sup-lang
+        run: |
+          python -m pip install --upgrade pip
+          pip install . pytest hypothesis atheris
+      - name: Run fuzzers (parser)
+        working-directory: sup-lang
+        run: |
+          python - << 'PY'
+import atheris, sys
+with atheris.instrument_imports():
+    from sup.parser import Parser
+
+def TestOneInput(data: bytes):
+    try:
+        s = data.decode('utf-8', errors='ignore')
+        Parser().parse(s)
+    except Exception:
+        pass
+
+atheris.Setup(sys.argv, TestOneInput)
+atheris.Fuzz()
+PY
+
+

.github/workflows/osv.yml

@@ -0,0 +1,23 @@
+name: OSV vulnerability scan
+
+on:
+  push:
+    branches: [ main, master ]
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  osv-scanner:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: google/osv-scanner-action@v1
+        with:
+          scan-args: >-
+            --repo .
+
+

.github/workflows/release.yml

@@ -3,51 +3,66 @@ name: Release
 on:
   push:
     tags:
-      - 'v*.*.*'
+      - 'v*'
+
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
-  build-publish:
+  pypi:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      id-token: write
+    defaults:
+      run:
+        working-directory: sup-lang
     steps:
       - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
-
-      - name: Build package
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install build tools
         run: |
-          python -m pip install --upgrade pip build
-          cd sup-lang
-          python -m build
-          cd ..
-
-      - name: Generate SBOM (CycloneDX)
+          python -m pip install --upgrade pip
+          pip install build twine hatchling cyclonedx-bom cyclonedx-python-lib
+      - name: Build (reproducible)
+        env:
+          SOURCE_DATE_EPOCH: '1704067200'
+        run: python -m build
+      - name: Twine check
+        run: twine check dist/*
+      - name: SBOM (CycloneDX)
+        run: cyclonedx-py environment -o sbom.json
+      - name: Sign artifacts (if secrets present)
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
-          python -m pip install cyclonedx-bom
-          cyclonedx-py --evidence -r -o sbom.json
-
-      - name: Create GitHub Release
-        id: create_release
-        uses: softprops/action-gh-release@v2
+          if [ -n "${GPG_PRIVATE_KEY}" ] && [ -n "${GPG_PASSPHRASE}" ]; then
+            printf "%s" "$GPG_PRIVATE_KEY" | gpg --batch --import || true
+            for f in dist/*; do
+              gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --detach-sign --armor "$f" || true
+            done
+          else
+            echo "GPG secrets not set; skipping signing."
+          fi
+      - name: Sigstore attest and sign (optional)
+        if: ${{ github.event_name == 'push' }}
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
         with:
-          name: ${{ github.ref_name }}
-          draft: false
-          prerelease: false
-          files: |
+          inputs: |
             sup-lang/dist/*
-            sbom.json
-
-      - name: Publish to PyPI
-        if: startsWith(github.ref, 'refs/tags/v')
-        uses: pypa/gh-action-pypi-publish@v1.12.2
+          upload-signing-artifacts: true
+      - name: SLSA provenance
+        uses: slsa-framework/slsa-github-generator/actions/generator@v2.0.0
+        with:
+          base64-subjects: true
+          upload-assets: true
+      - name: Publish to PyPI (token or OIDC)
+        uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: sup-lang/dist
-          skip-existing: true
-          print-hash: true
+          password: ${{ secrets.PYPI_API_TOKEN }}
 
 

.github/workflows/scorecard.yml

@@ -0,0 +1,30 @@
+name: Scorecard supply-chain analysis
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  push:
+    branches: [ main, master ]
+
+permissions:
+  security-events: write
+  id-token: write
+  contents: read
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ossf/scorecard-action@v2.3.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+

sup-lang/sup/cli.py

@@ -255,13 +255,36 @@ def main(argv: list[str] | None = None) -> int:
                         args_i2.registry.rstrip("/")
                         + f"/resolve?name={name}&version={ver or '*'}"
                     )
-                    with _u.urlopen(meta_url) as r:
+                    headers = {}
+                    token = os.environ.get("REGISTRY_TOKEN")
+                    if token:
+                        headers["Authorization"] = f"Bearer {token}"
+                    req = _u.Request(meta_url, headers=headers)
+                    with _u.urlopen(req) as r:
                         if r.getcode() // 100 != 2:
                             raise RuntimeError("Registry resolve failed")
                         meta = _json.loads(r.read().decode("utf-8"))
                     src_code = meta.get("source", "")
+                    digest = meta.get("sha256")
                     if not src_code:
                         raise RuntimeError("Registry returned empty source")
+                    # Verify integrity if digest present
+                    if digest:
+                        import hashlib as _hh
+
+                        h = _hh.sha256(src_code.encode("utf-8")).hexdigest()
+                        if h != digest:
+                            raise RuntimeError("Integrity check failed: sha256 mismatch")
+                    # Optional HMAC verification if shared secret configured
+                    hmac_given = meta.get("hmac")
+                    hmac_secret = os.environ.get("SUP_REGISTRY_HMAC")
+                    if hmac_given and hmac_secret:
+                        import hmac as _h
+                        import hashlib as _hh2
+
+                        calc = _h.new(hmac_secret.encode("utf-8"), src_code.encode("utf-8"), _hh2.sha256).hexdigest()
+                        if calc != hmac_given:
+                            raise RuntimeError("Integrity check failed: hmac mismatch")
                 else:
                     reg_dir = os.path.abspath(args_i2.registry)
                     cand = os.path.join(reg_dir, f"{name}.sup")
@@ -409,9 +432,23 @@ def main(argv: list[str] | None = None) -> int:
                     body = json.dumps(
                         {"name": name, "version": version, "sha256": digest}
                     ).encode("utf-8")
-                    req = _u.Request(
-                        url, data=body, headers={"Content-Type": "application/json"}
-                    )
+                    headers = {"Content-Type": "application/json"}
+                    token = os.environ.get("REGISTRY_TOKEN")
+                    if token:
+                        headers["Authorization"] = f"Bearer {token}"
+                    # Add optional HMAC of tarball for verification
+                    hmac_secret = os.environ.get("SUP_REGISTRY_HMAC")
+                    if hmac_secret:
+                        import hmac as _h
+                        import hashlib as _hh2
+
+                        with open(tar_path, "rb") as rf:
+                            tar_bytes = rf.read()
+                        hmac_hex = _h.new(hmac_secret.encode("utf-8"), tar_bytes, _hh2.sha256).hexdigest()
+                        payload = json.loads(body.decode("utf-8"))
+                        payload["hmac"] = hmac_hex
+                        body = json.dumps(payload).encode("utf-8")
+                    req = _u.Request(url, data=body, headers=headers)
                     with _u.urlopen(req) as r:
                         if r.getcode() // 100 != 2:
                             raise RuntimeError("Registry upload failed")

sup-lang/sup/interpreter.py

@@ -93,6 +93,13 @@ def __init__(self) -> None:
             import random as _random
 
             self._rng = _random.Random(self._seed or 0)
+            # Force C locale for stable formatting/sorting
+            try:
+                import locale as _loc
+
+                _loc.setlocale(_loc.LC_ALL, "C")
+            except Exception:
+                pass
         else:
             self._rng = None
         # Runtime counters
@@ -674,7 +681,7 @@ def _eval_builtin(self, node: AST.BuiltinCall) -> object:
             self.last_result = qs_map
             return qs_map
 
-        # Crypto / base64 / randomness
+        # Crypto / base64 / randomness / time
         if name == "sha256":
             import hashlib as _hh
 
@@ -707,13 +714,33 @@ def _eval_builtin(self, node: AST.BuiltinCall) -> object:
             return hmac_hex
         if name == "random_bytes":
             import base64 as _b64
-            import secrets as _secrets
-
             n = int(self._num(self.eval(node.args[0]))) if len(node.args) > 0 else 16
-            data = _secrets.token_bytes(max(1, n))
+            n = max(1, n)
+            if self._rng is not None:
+                # Deterministic bytes derived from PRNG
+                data = bytes(self._rng.randrange(0, 256) for _ in range(n))
+            else:
+                import secrets as _secrets
+
+                data = _secrets.token_bytes(n)
             b64 = _b64.b64encode(data).decode("ascii")
             self.last_result = b64
             return b64
+        if name == "now":
+            # Return ISO 8601 UTC timestamp. In deterministic mode, derive from seed.
+            import datetime as _dt
+
+            if self._deterministic:
+                # Stable pseudo-time based on seed (seconds since epoch)
+                base = int(self._seed or 0)
+                t = _dt.datetime(1970, 1, 1, tzinfo=_dt.timezone.utc) + _dt.timedelta(
+                    seconds=base
+                )
+            else:
+                t = _dt.datetime.now(tz=_dt.timezone.utc)
+            iso = t.replace(microsecond=0).isoformat().replace("+00:00", "Z")
+            self.last_result = iso
+            return iso
         if name == "base64_encode":
             import base64 as _b64