Merge branch 'swiftlang:main' into env

Author: finagolfin

.github/workflows/create_automerge_pr.yml

@@ -74,13 +74,16 @@ jobs:
           fetch-depth: 0
       - name: Check if there are commits to merge
         id: create_merge_commit
+        env:
+          HEAD_BRANCH: ${{ inputs.head_branch }}
+          BASE_BRANCH: ${{ inputs.base_branch }}
         run: |
           # Without this, we can't perform git operations in GitHub actions.
           git config --global --add safe.directory "$(realpath .)"
           git config --local user.name 'swift-ci'
           git config --local user.email 'swift-ci@users.noreply.github.com'
 
-          if [[ "$(git rev-list --left-only --count origin/${{ inputs.head_branch }}...origin/${{ inputs.base_branch }})" == 0 ]]; then
+          if [[ "$(git rev-list --left-only --count origin/${HEAD_BRANCH}...origin/${BASE_BRANCH})" == 0 ]]; then
             echo "Nothing to merge"
             echo "has_commits_to_merge=false" >> "$GITHUB_OUTPUT"
             exit
@@ -92,17 +95,20 @@ jobs:
         if: ${{ steps.create_merge_commit.outputs.has_commits_to_merge == 'true' }}
         env:
           GH_TOKEN: ${{ github.token }}
+          HEAD_BRANCH: ${{ inputs.head_branch }}
+          BASE_BRANCH: ${{ inputs.base_branch }}
+          PR_MESSAGE: ${{ inputs.pr_message }}
         run: |
           # Create a branch for the PR instead of opening a PR that merges head_branch directly so that we have a fixed
           # target in the PR and don't modify the PR as new commits are put on the head branch.
           PR_BRANCH="automerge/merge-main-$(date +%Y-%m-%d_%H-%M)"
-          git checkout ${{ inputs.head_branch }}
+          git checkout "${HEAD_BRANCH}"
           git checkout -b "$PR_BRANCH"
           git push --set-upstream origin "$PR_BRANCH"
 
           gh pr create \
-            --base "${{ inputs.base_branch }}" \
+            --base "${BASE_BRANCH}" \
             --head "$PR_BRANCH" \
-            --title 'Merge `${{ inputs.head_branch }}` into `${{ inputs.base_branch }}`' \
-            --body '${{ inputs.pr_message }}' \
+            --title "Merge \`${HEAD_BRANCH}\` into \`${BASE_BRANCH}\`" \
+            --body "${PR_MESSAGE}" \
             --draft

.github/workflows/github_actions_dependencies.yml

@@ -0,0 +1,17 @@
+name: Check for Dependencies in PR
+
+on:
+  workflow_call:
+
+permissions:
+  issues: read
+  pull-requests: read
+
+jobs:
+  check_dependencies:
+    runs-on: ubuntu-latest
+    name: "Check GitHub Actions Dependencies"
+    steps:
+      - uses: gregsdennis/dependencies-action@v1.4.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/performance_test.yml

@@ -42,16 +42,26 @@ jobs:
         # https://github.com/actions/checkout/issues/766
         run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
       - name: Measure PR performance
+        env:
+          PACKAGE_PATH: ${{ inputs.package_path }}
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          swift package --package-path ${{ inputs.package_path }} --allow-writing-to-directory ${{ inputs.package_path }}/.benchmarkBaselines/ benchmark baseline update "${{ github.head_ref }}"
+          swift package --package-path "${PACKAGE_PATH}" --allow-writing-to-directory "${PACKAGE_PATH}/.benchmarkBaselines/" benchmark baseline update "${HEAD_REF}"
       - name: Measure base branch performance
+        env:
+          PACKAGE_PATH: ${{ inputs.package_path }}
+          BASE_REF: ${{ github.base_ref }}
         run: |
-          git checkout ${{ github.base_ref }}
-          swift package --package-path ${{ inputs.package_path }} --allow-writing-to-directory ${{ inputs.package_path }}/.benchmarkBaselines/ benchmark baseline update "${{ github.base_ref }}"
+          git checkout "${BASE_REF}"
+          swift package --package-path "${PACKAGE_PATH}" --allow-writing-to-directory "${PACKAGE_PATH}/.benchmarkBaselines/" benchmark baseline update "${BASE_REF}"
       - name: Compare performance measurements
         id: compare_performance
+        env:
+          PACKAGE_PATH: ${{ inputs.package_path }}
+          BASE_REF: ${{ github.base_ref }}
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          if ! swift package --package-path ${{ inputs.package_path }} benchmark baseline check "${{ github.base_ref }}" "${{ github.head_ref }}" --format markdown > /tmp/comparison.md 2>/tmp/comparison-stderr.txt; then
+          if ! swift package --package-path "${PACKAGE_PATH}" benchmark baseline check "${BASE_REF}" "${HEAD_REF}" --format markdown > /tmp/comparison.md 2>/tmp/comparison-stderr.txt; then
             echo "has_significant_changes=true" >> "$GITHUB_OUTPUT"
           else
             echo "has_significant_changes=false" >> "$GITHUB_OUTPUT"

.github/workflows/pull_request.yml

@@ -2,15 +2,22 @@ name: Pull request
 
 permissions:
   contents: read
+  issues: read
+  pull-requests: read
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
 
 jobs:
+  github_actiion_pr_dependency_check:
+    name: GitHub Action Dependency Check
+    uses: ./.github/workflows/github_actions_dependencies.yml
+
   tests_with_docker_embedded_swift:
     name: Test Embedded Swift SDKs
     uses: ./.github/workflows/swift_package_test.yml
+    if: ${{ github.event_name == 'opened' || github.event_name == 'reopened' || github.event_name == 'synchronize' }}
     with:
       # Wasm
       enable_linux_checks: false
@@ -23,6 +30,7 @@ jobs:
   tests_with_docker:
     name: Test with Docker
     uses: ./.github/workflows/swift_package_test.yml
+    if: ${{ github.event_name == 'opened' || github.event_name == 'reopened' || github.event_name == 'synchronize' }}
     with:
       # Linux
       linux_os_versions: '["jammy", "rhel-ubi9", "amazonlinux2"]'
@@ -46,6 +54,7 @@ jobs:
   tests_without_docker:
     name: Test without Docker
     uses: ./.github/workflows/swift_package_test.yml
+    if: ${{ github.event_name == 'opened' || github.event_name == 'reopened' || github.event_name == 'synchronize' }}
     with:
       # Skip Linux which doesn't currently support docker-less workflow
       enable_linux_checks: false
@@ -61,10 +70,13 @@ jobs:
         Invoke-Program swift build
       enable_windows_docker: false
       windows_os_versions: '["windows-2022", "windows-11-arm"]'
+      # FreeBSD
+      enable_freebsd_checks: true
 
   tests_macos:
     name: Test
     uses: ./.github/workflows/swift_package_test.yml
+    if: ${{ github.event_name == 'opened' || github.event_name == 'reopened' || github.event_name == 'synchronize' }}
     with:
       enable_linux_checks: false
       enable_windows_checks: false
@@ -77,6 +89,7 @@ jobs:
   build_tests_ios:
     name: Build iOS Tests
     uses: ./.github/workflows/swift_package_test.yml
+    if: ${{ github.event_name == 'opened' || github.event_name == 'reopened' || github.event_name == 'synchronize' }}
     with:
       enable_linux_checks: false
       enable_windows_checks: false
@@ -89,6 +102,7 @@ jobs:
   soundness:
     name: Soundness
     uses: ./.github/workflows/soundness.yml
+    if: ${{ github.event_name == 'opened' || github.event_name == 'reopened' || github.event_name == 'synchronize' }}
     with:
       api_breakage_check_enabled: false
       license_header_check_project_name: "Swift.org"

.github/workflows/scripts/cross-pr-checkout.swift

@@ -142,7 +142,7 @@ struct CrossRepoPR {
 func getCrossRepoPrs(repository: String, prNumber: String) async throws -> [CrossRepoPR] {
   var result: [CrossRepoPR] = []
   let prInfo = try await getPRInfo(repository: repository, prNumber: prNumber)
-  for line in prInfo.body?.split(separator: "\n") ?? [] {
+  for line in prInfo.body?.split(whereSeparator: \.isNewline) ?? [] {
     guard line.lowercased().starts(with: "linked pr:") else {
       continue
     }

.github/workflows/scripts/install-and-build-with-sdk.sh

@@ -199,7 +199,7 @@ command -v jq >/dev/null || install_package jq
 SWIFT_API_INSTALL_ROOT="https://www.swift.org/api/v1/install"
 
 # Transforms a minor Swift release version into its latest patch version
-# and gets the checksum for the patch version's Static Linux and/or Wasm Swift SDK.
+# and gets the checksum for the patch version's Android, Static Linux, or Wasm Swift SDK.
 #
 # $1 (string): A minor Swift version, e.g. "6.1"
 # Output: A string of the form "<patch-version>|<android-checksum>|<static-checksum>|<static-version>|<wasm-checksum>
@@ -233,7 +233,7 @@ find_latest_swift_version() {
             .[]
             | select(.name == $version)
             | .platforms[]
-            | select(.platform == "android")
+            | select(.platform == "android-sdk")
             | .checksum
         ')
 

.github/workflows/scripts/windows/swift/install-swift-6.3.ps1

@@ -0,0 +1,22 @@
+##===----------------------------------------------------------------------===##
+##
+## This source file is part of the Swift.org open source project
+##
+## Copyright (c) 2026 Apple Inc. and the Swift project authors
+## Licensed under Apache License v2.0 with Runtime Library Exception
+##
+## See https://swift.org/LICENSE.txt for license information
+## See https://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
+##
+##===----------------------------------------------------------------------===##
+. $PSScriptRoot\install-swift.ps1
+
+if ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture -eq "Arm64") {
+    $SWIFT='https://download.swift.org/swift-6.3-release/windows10-arm64/swift-6.3-RELEASE/swift-6.3-RELEASE-windows10-arm64.exe'
+    $SWIFT_SHA256='eca190022838d48984d04f8fdedef613e6252f694df2079e7eb6c4137b8bbdac'
+} else {
+    $SWIFT='https://download.swift.org/swift-6.3-release/windows10/swift-6.3-RELEASE/swift-6.3-RELEASE-windows10.exe'
+    $SWIFT_SHA256='a1370df009de920070aef0c87d4ff80279515870ddbe6e8f035b2a5707444f13'
+}
+
+Install-Swift -Url $SWIFT -Sha256 $SWIFT_SHA256

.github/workflows/soundness.yml

@@ -132,21 +132,25 @@ jobs:
         run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
       - name: Pre-build
         if: ${{ inputs.linux_pre_build_command }}
+        # zizmor: ignore[template-injection]
         run: ${{ inputs.linux_pre_build_command }}
       - name: Run API breakage check
         shell: bash
+        env:
+          API_BREAKAGE_CHECK_BASELINE: ${{ inputs.api_breakage_check_baseline }}
+          API_BREAKAGE_CHECK_ALLOWLIST_PATH: ${{ inputs.api_breakage_check_allowlist_path }}
         run: |
-          if [[ -z '${{ inputs.api_breakage_check_baseline }}' ]]; then
+          if [[ -z "${API_BREAKAGE_CHECK_BASELINE}" ]]; then
             git fetch ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY} ${GITHUB_BASE_REF}:pull-base-ref
             BASELINE_REF='pull-base-ref'
           else
-            BASELINE_REF='${{ inputs.api_breakage_check_baseline }}'
+            BASELINE_REF="${API_BREAKAGE_CHECK_BASELINE}"
           fi
           echo "Using baseline: $BASELINE_REF"
-          if [[ -z '${{ inputs.api_breakage_check_allowlist_path }}' ]]; then
+          if [[ -z "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}" ]]; then
             swift package diagnose-api-breaking-changes "$BASELINE_REF"
           else
-            swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path '${{ inputs.api_breakage_check_allowlist_path }}'
+            swift package diagnose-api-breaking-changes "$BASELINE_REF" --breakage-allowlist-path "${API_BREAKAGE_CHECK_ALLOWLIST_PATH}"
           fi
 
   docs-check:
@@ -178,11 +182,13 @@ jobs:
           fi
       - name: Pre-build
         if: ${{ inputs.linux_pre_build_command }}
+        # zizmor: ignore[template-injection]
         run: ${{ inputs.linux_pre_build_command }}
       - name: Run documentation check
         env:
           ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_additional_arguments }}
-        run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-docs.sh
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh
 
   docs-check-macos:
     name: Documentation check (macOS)
@@ -210,15 +216,18 @@ jobs:
             echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
           fi
       - name: Select Xcode
-        run: echo "DEVELOPER_DIR=/Applications/Xcode_${{ inputs.docs_check_macos_xcode_version }}.app" >> $GITHUB_ENV
+        env:
+          XCODE_VERSION: ${{ inputs.docs_check_macos_xcode_version }}
+        run: echo "DEVELOPER_DIR=/Applications/Xcode_${XCODE_VERSION}.app" >> $GITHUB_ENV
       - name: Swift version
         run: xcrun swift --version
       - name: Clang version
         run: xcrun clang --version
       - name: Run documentation check
         env:
           ADDITIONAL_DOCC_ARGUMENTS: ${{ inputs.docs_check_macos_additional_arguments }}
-        run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-docs.sh
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-docs.sh
 
   unacceptable-language-check:
     name: Unacceptable language check
@@ -248,7 +257,8 @@ jobs:
       - name: Run unacceptable language check
         env:
           UNACCEPTABLE_WORD_LIST: ${{ inputs.unacceptable_language_check_word_list}}
-        run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-unacceptable-language.sh
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-unacceptable-language.sh
 
   license-header-check:
     name: License headers check
@@ -278,7 +288,8 @@ jobs:
       - name: Run license header check
         env:
           PROJECT_NAME: ${{ inputs.license_header_check_project_name }}
-        run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-license-header.sh
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-license-header.sh
 
   broken-symlink-check:
     name: Broken symlinks check
@@ -306,7 +317,9 @@ jobs:
             echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
           fi
       - name: Run broken symlinks check
-        run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-broken-symlinks.sh
+        env:
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-broken-symlinks.sh
 
   format-check:
     name: Format check
@@ -339,7 +352,9 @@ jobs:
         # https://github.com/actions/checkout/issues/766
         run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
       - name: Run format check
-        run: ${{ steps.script_path.outputs.root }}/.github/workflows/scripts/check-swift-format.sh
+        env:
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
+        run: ${SCRIPT_ROOT}/.github/workflows/scripts/check-swift-format.sh
 
   shell-check:
     name: Shell check
@@ -390,12 +405,14 @@ jobs:
             echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
           fi
       - name: Run yamllint
+        env:
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
         run: |
           which yamllint || (apt -q update && apt install -yq yamllint)
           cd ${GITHUB_WORKSPACE}
           if [ ! -f ".yamllint.yml" ]; then
             echo "Downloading default yamllint config file"
-            cat ${{ steps.script_path.outputs.root }}/.github/workflows/configs/yamllint.yml > .yamllint.yml
+            cat "${SCRIPT_ROOT}/.github/workflows/configs/yamllint.yml" > .yamllint.yml
           fi
           yamllint --strict --config-file .yamllint.yml .
 
@@ -425,11 +442,13 @@ jobs:
             echo "root=$GITHUB_WORKSPACE/github-workflows" >> $GITHUB_OUTPUT
           fi
       - name: Run flake8
+        env:
+          SCRIPT_ROOT: ${{ steps.script_path.outputs.root }}
         run: |
           pip3 install flake8 flake8-import-order
           cd ${GITHUB_WORKSPACE}
           if [ ! -f ".flake8" ]; then
             echo "Downloading default flake8 config file"
-            cat ${{ steps.script_path.outputs.root }}/.github/workflows/configs/.flake8 > .flake8
+            cat "${SCRIPT_ROOT}/.github/workflows/configs/.flake8" > .flake8
           fi
           flake8