Enable scorecard

.github/workflows/scorecard.yml

@@ -0,0 +1,56 @@
+# Uses https://github.com/ossf/scorecard-action
+name: Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '29 7 * * 5'
+  push:
+    branches:
+      - master
+  pull_request:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif

.github/workflows/wheel_linux_aarch64.yml

@@ -6,6 +6,7 @@ name: Wheel::Linux::ARM
 # **Who does it impact**: Wheels to be uploaded to PyPI.
 
 on:
+  pull_request:
   push:
     branches:
       - master
@@ -31,7 +32,7 @@ jobs:
         arch: [aarch64]
         exec_model: ${{ fromJson(needs.set_wheel_build_matrix.outputs.exec_model) }}
         kokkos_version: ${{ fromJson(needs.set_wheel_build_matrix.outputs.kokkos_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_aarch64"]
+        container_img: ["quay.io/pypa/manylinux_2_28_aarch64"]
     timeout-minutes: 45
     name: Kokkos core (${{ matrix.exec_model }}::${{ matrix.arch }})
     runs-on: ${{ matrix.os }}
@@ -90,7 +91,7 @@ jobs:
         cibw_build: ${{ fromJson(needs.set_wheel_build_matrix.outputs.python_version) }}
         exec_model: ${{ fromJson(needs.set_wheel_build_matrix.outputs.exec_model) }}
         kokkos_version: ${{ fromJson(needs.set_wheel_build_matrix.outputs.kokkos_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_aarch64"]
+        container_img: ["quay.io/pypa/manylinux_2_28_aarch64"]
     timeout-minutes: 45
     name: ${{ matrix.os }}::${{ matrix.arch }} - ${{ matrix.pl_backend }} (Python ${{ fromJson('{ "cp39-*":"3.9","cp310-*":"3.10","cp311-*":"3.11", "cp312-*":"3.12" }')[matrix.cibw_build] }})
     runs-on: ${{ matrix.os }}
@@ -135,7 +136,7 @@ jobs:
           CIBW_ENVIRONMENT: |
             PL_BACKEND="${{ matrix.pl_backend }}"
 
-          CIBW_MANYLINUX_AARCH64_IMAGE: manylinux2014
+          CIBW_MANYLINUX_AARCH64_IMAGE: manylinux_2_28
 
           CIBW_BUILD_VERBOSITY: 3
 

.github/workflows/wheel_linux_ppc64le.yml

@@ -6,6 +6,7 @@ name: Wheel::Linux::PowerPC
 # **Who does it impact**: Wheels to be uploaded to PyPI.
 
 on:
+  pull_request:
   push:
     branches:
       - master
@@ -31,7 +32,7 @@ jobs:
         arch: [ppc64le]
         exec_model: ${{ fromJson(needs.set_wheel_build_matrix.outputs.exec_model) }}
         kokkos_version: ${{ fromJson(needs.set_wheel_build_matrix.outputs.kokkos_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_ppc64le"]
+        container_img: ["quay.io/pypa/manylinux_2_28_ppc64le"]
     timeout-minutes: 45
     name: Kokkos core (${{ matrix.exec_model }}::${{ matrix.arch }})
     runs-on: ${{ matrix.os }}
@@ -90,7 +91,7 @@ jobs:
         cibw_build: ${{fromJson(needs.set_wheel_build_matrix.outputs.python_version)}}
         exec_model: ${{ fromJson(needs.set_wheel_build_matrix.outputs.exec_model) }}
         kokkos_version: ${{ fromJson(needs.set_wheel_build_matrix.outputs.kokkos_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_ppc64le"]
+        container_img: ["quay.io/pypa/manylinux_2_28_ppc64le"]
     timeout-minutes: 45
     name: ${{ matrix.os }}::${{ matrix.arch }} - ${{ matrix.pl_backend }} (Python ${{ fromJson('{"cp39-*":"3.9","cp310-*":"3.10","cp311-*":"3.11", "cp312-*":"3.12"}')[matrix.cibw_build] }})
     runs-on: ${{ matrix.os }}
@@ -134,7 +135,7 @@ jobs:
           CIBW_ENVIRONMENT: |
             PL_BACKEND="${{ matrix.pl_backend }}"
 
-          CIBW_MANYLINUX_PPC64LE_IMAGE: manylinux2014
+          CIBW_MANYLINUX_PPC64LE_IMAGE: manylinux_2_28
 
           CIBW_BUILD_VERBOSITY: 3
 

.github/workflows/wheel_linux_x86_64.yml

@@ -6,7 +6,7 @@ name: Wheel::Linux::x86_64
 # **Who does it impact**: Wheels to be uploaded to PyPI.
 
 env:
-  GCC_VERSION: 11
+  GCC_VERSION: 13
 
 on:
   pull_request:
@@ -35,11 +35,12 @@ jobs:
         os: [ubuntu-latest]
         exec_model: ${{ fromJson(needs.set_wheel_build_matrix.outputs.exec_model) }}
         kokkos_version: ${{ fromJson(needs.set_wheel_build_matrix.outputs.kokkos_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_x86_64"]
+        container_img: ["quay.io/pypa/manylinux_2_28_x86_64"]
     timeout-minutes: 30
     name: Kokkos core (${{ matrix.exec_model }})
     runs-on: ${{ matrix.os }}
-    container: ${{ matrix.container_img }}
+    container:
+      image: ${{ matrix.container_img }}
 
     steps:
       - name: Cache installation directories
@@ -53,12 +54,12 @@ jobs:
         if: ${{ (matrix.container_img == 'ubuntu-latest') && (steps.kokkos-cache.outputs.cache-hit != 'true') }}
         run: |
           apt-get update && DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y -q install cmake gcc-$GCC_VERSION g++-$GCC_VERSION ninja-build git
-          echo "COMPILER=g++-11" >> $GITHUB_ENV
+          echo "COMPILER=g++-13" >> $GITHUB_ENV
 
-      - name: Install dependencies (CentOS)
-        if: ${{ (matrix.container_img == 'quay.io/pypa/manylinux2014_x86_64') && (steps.kokkos-cache.outputs.cache-hit != 'true') }}
+      - name: Install dependencies (AlmaLinux)
+        if: ${{ (matrix.container_img == 'quay.io/pypa/manylinux_2_28_x86_64') && (steps.kokkos-cache.outputs.cache-hit != 'true') }}
         run: |
-          yum update -y && yum install -y cmake ninja-build
+          dnf update -y && dnf install -y cmake ninja-build
           echo "COMPILER=g++" >> $GITHUB_ENV
 
       - name: Clone Kokkos libs
@@ -96,11 +97,13 @@ jobs:
         cibw_build: ${{ fromJson(needs.set_wheel_build_matrix.outputs.python_version) }}
         exec_model: ${{ fromJson(needs.set_wheel_build_matrix.outputs.exec_model) }}
         kokkos_version: ${{ fromJson(needs.set_wheel_build_matrix.outputs.kokkos_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_x86_64"]
+        container_img: ["quay.io/pypa/manylinux_2_28_x86_64"]
     timeout-minutes: 30
     name: ${{ matrix.os }}::${{ matrix.arch }} - ${{ matrix.pl_backend }} (Python ${{ fromJson('{ "cp39-*":"3.9","cp310-*":"3.10","cp311-*":"3.11","cp312-*":"3.12" }')[matrix.cibw_build] }})
     runs-on: ${{ matrix.os }}
-    container: ${{ matrix.container_img }}
+    container:
+      image: ${{ matrix.container_img }}
+      options: --privileged
 
     steps:
       - name: Restoring cached dependencies
@@ -119,18 +122,18 @@ jobs:
           mkdir Kokkos
           cp -rf /root/Kokkos_install/${{ matrix.exec_model }}/* Kokkos/
 
-      - name: Install dependencies (CentOS)
-        if: ${{ (matrix.container_img == 'quay.io/pypa/manylinux2014_x86_64') }}
+      - name: Install dependencies (AlmaLinux)
+        if: ${{ (matrix.container_img == 'quay.io/pypa/manylinux_2_28_x86_64') }}
         run: |
-          # Reduce wait time for repos not responding
-          cat /etc/yum.conf | sed "s/\[main\]/\[main\]\ntimeout=5/g" > /etc/yum.conf
-          yum update -y && yum install -y docker
+          dnf update -y && dnf install -y podman
 
       - name: Install cibuildwheel
         run: python3.9 -m pip install cibuildwheel~=2.16.0
 
       - name: Build wheels
         env:
+          CIBW_CONTAINER_ENGINE: "podman"
+
           CIBW_ARCHS_LINUX: ${{matrix.arch}}
 
           CIBW_BUILD: ${{ matrix.cibw_build }}
@@ -139,15 +142,15 @@ jobs:
 
           # Python build settings
           CIBW_BEFORE_BUILD: |
-            cat /etc/yum.conf | sed "s/\[main\]/\[main\]\ntimeout=5/g" > /etc/yum.conf
+            cat /etc/dnf.conf | sed "s/\[main\]/\[main\]\ntimeout=5/g" > /etc/dnf.conf
             python -m pip install ninja cmake~=3.24.0
-            yum clean all -y
-            yum install centos-release-scl-rh -y
-            yum install devtoolset-11-gcc-c++ -y
-            source /opt/rh/devtoolset-11/enable -y
+            dnf clean all -y
+            dnf install gcc-toolset-13 -y
+            source ls /opt/rh/gcc-toolset-13/enable -y
+            PATH="/opt/rh/gcc-toolset-13/root/usr/bin:$PATH"
 
           CIBW_ENVIRONMENT: |
-            PATH="/opt/rh/devtoolset-11/root/usr/bin:$PATH" \
+            PATH="/opt/rh/gcc-toolset-13/root/usr/bin:$PATH" \
             PL_BACKEND="${{ matrix.pl_backend }}"
 
           CIBW_BEFORE_TEST: |
@@ -158,7 +161,7 @@ jobs:
             DEVICENAME=`echo ${{ matrix.pl_backend }} | sed "s/_/./g"`
             pl-device-test --device=${DEVICENAME} --skip-ops -x --tb=short --no-flaky-report
 
-          CIBW_MANYLINUX_X86_64_IMAGE: manylinux2014
+          CIBW_MANYLINUX_X86_64_IMAGE: manylinux_2_28
 
           CIBW_BUILD_VERBOSITY: 3
 

.github/workflows/wheel_linux_x86_64_cuda.yml

@@ -6,7 +6,7 @@ name: Wheel::Linux::x86_64::CUDA
 # **Who does it impact**: Wheels to be uploaded to PyPI.
 
 env:
-  GCC_VERSION: "11"
+  GCC_VERSION: 12
 
 on:
   pull_request:
@@ -38,28 +38,30 @@ jobs:
         pl_backend: ["lightning_gpu"]
         cuda_version: ["12"]
         cibw_build: ${{ fromJson(needs.set_wheel_build_matrix.outputs.python_version) }}
-        container_img: ["quay.io/pypa/manylinux2014_x86_64"]
+        container_img: ["quay.io/pypa/manylinux_2_28_x86_64"]
     timeout-minutes: 30
     name: ${{ matrix.os }}::${{ matrix.arch }} - ${{ matrix.pl_backend }} CUDA ${{ matrix.cuda_version }} (Python ${{ fromJson('{ "cp39-*":"3.9","cp310-*":"3.10","cp311-*":"3.11","cp312-*":"3.12" }')[matrix.cibw_build] }})
     runs-on: ${{ matrix.os }}
-    container: ${{ matrix.container_img }}
+    container:
+      image: ${{ matrix.container_img }}
+      options: --privileged
 
     steps:
       - name: Checkout PennyLane-Lightning
         uses: actions/checkout@v3
 
-      - name: Install dependencies (CentOS)
-        if: ${{ (matrix.container_img == 'quay.io/pypa/manylinux2014_x86_64') }}
+      - name: Install dependencies (AlmaLinux)
+        if: ${{ (matrix.container_img == 'quay.io/pypa/manylinux_2_28_x86_64') }}
         run: |
-          # Reduce wait time for repos not responding
-          cat /etc/yum.conf | sed "s/\[main\]/\[main\]\ntimeout=5/g" > /etc/yum.conf
-          yum update -y && yum install -y docker
+          dnf update -y && dnf install -y podman
 
       - name: Install cibuildwheel
         run: python3.9 -m pip install cibuildwheel~=2.16.0
 
       - name: Build wheels
         env:
+          CIBW_CONTAINER_ENGINE: "podman"
+
           CIBW_ARCHS_LINUX: ${{ matrix.arch }}
 
           CIBW_BUILD: ${{ matrix.cibw_build }}
@@ -70,25 +72,23 @@ jobs:
 
           # Python build settings
           CIBW_BEFORE_BUILD: |
-            cat /etc/yum.conf | sed "s/\[main\]/\[main\]\ntimeout=5/g" > /etc/yum.conf
             python -m pip install ninja cmake~=3.24.3 auditwheel~=5.0 custatevec-cu${{ matrix.cuda_version }}
-            yum clean all -y
-            yum install centos-release-scl-rh -y
-            yum install devtoolset-11-gcc-c++ -y
-            source /opt/rh/devtoolset-11/enable -y
-            yum-config-manager --add-repo https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/cuda-rhel7.repo -y
-            yum -y install cuda-${{ matrix.cuda_version }}-0 git openssh wget
+            dnf clean all -y
+            dnf install gcc-toolset-12 dnf-utils -y
+            source ls /opt/rh/gcc-toolset-12/enable -y
+            yum-config-manager --add-repo http://developer.download.nvidia.com/compute/cuda/repos/rhel8/x86_64/cuda-rhel8.repo -y
+            dnf -y install cuda-${{ matrix.cuda_version }}-0 git openssh wget
 
           # ensure nvcc is available
           CIBW_ENVIRONMENT: |
-            PATH=/opt/rh/devtoolset-11/root/usr/bin:$PATH:/usr/local/cuda-${{ matrix.cuda_version }}/bin \
-            LD_LIBRARY_PATH=/opt/rh/devtoolset-11/root/usr/lib64:/opt/rh/devtoolset-11/root/usr/lib:/opt/rh/devtoolset-11/root/usr/lib64/dyninst:/opt/rh/devtoolset-11/root/usr/lib/dyninst:$LD_LIBRARY_PATH:/usr/local/cuda-${{ matrix.cuda_version }}/lib64 \
+            PATH=/opt/rh/gcc-toolset-12/root/usr/bin:$PATH:/usr/local/cuda-${{ matrix.cuda_version }}/bin \
+            LD_LIBRARY_PATH=/opt/rh/gcc-toolset-12/root/usr/lib64:/opt/rh/gcc-toolset-12/root/usr/lib:/opt/rh/gcc-toolset-12/root/usr/lib64/dyninst:/opt/rh/gcc-toolset-12/root/usr/lib/dyninst:$LD_LIBRARY_PATH:/usr/local/cuda-${{ matrix.cuda_version }}/lib64 \
             PL_BACKEND="${{ matrix.pl_backend }}" \
-            PKG_CONFIG_PATH=/opt/rh/devtoolset-11/root/usr/lib64/pkgconfig:$PKG_CONFIG_PATH
+            PKG_CONFIG_PATH=/opt/rh/gcc-toolset-12/root/usr/lib64/pkgconfig:$PKG_CONFIG_PATH
 
           CIBW_REPAIR_WHEEL_COMMAND_LINUX: "./bin/auditwheel repair -w {dest_dir} {wheel}"
 
-          CIBW_MANYLINUX_X86_64_IMAGE: manylinux2014
+          CIBW_MANYLINUX_X86_64_IMAGE: manylinux_2_28
 
           CIBW_BUILD_VERBOSITY: 3
 
@@ -133,4 +133,3 @@ jobs:
           user: __token__
           password: ${{ secrets.TEST_PYPI_LGPU_TOKEN }}
           repository_url: https://test.pypi.org/legacy/
-

pennylane_lightning/core/_version.py

@@ -16,4 +16,4 @@
    Version number (major.minor.patch[-label])
 """
 
-__version__ = "0.36.0-dev22"
+__version__ = "0.36.0-dev24"