* ci: harden CI supply chain
Pin all GitHub Actions to commit SHAs to prevent tag-based supply chain
attacks (same class as CVE-2025-30066). Replace softprops/action-gh-release
(single-maintainer, no security policy) with gh CLI. Add top-level
permissions: {} to all workflows that lacked it, enforcing least-privilege
by default. Enable Dependabot for GitHub Actions and pip dependencies.
Closes #471
* fix: add dependabot pip entries for each sub-package
The root directory has no pyproject.toml; the actual packages live under
packages/data-designer-config, packages/data-designer-engine, and
packages/data-designer.
The docs-preview workflow triggered on all source code changes due to
the broad `packages/*/src/data_designer/**` path glob. This caused
unnecessary Cloudflare Pages deployments on code-only PRs like #505.
Remove the source code path filter so the workflow only triggers on
actual docs content changes (docs/**, mkdocs.yml, and the workflow
file itself).
* fix: address review feedback on async engine dev note
- Fix wall-clock claim: 41% -> 22% to match benchmark table
- Fix dual-model speedup rounding: 1.7x -> 1.6x (10.0/6.1 = 1.64)
- Fix run_config API: use dd.set_run_config() instead of passing to create()
* docs: add async engine dev note
Add "Async All the Way Down" dev note covering the async task-queue
scheduler built across PRs #356, #378, #404, #429, #456. Includes
benchmark results, architecture diagrams, and DAG shape illustrations.
* feat: add docs preview workflow for PRs
Build MkDocs site on PRs that touch docs and deploy to Cloudflare
Pages. Each PR gets a browseable preview URL posted as a comment.
Notebook tutorials use placeholder stubs since they require API
keys to execute.
Requires CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID repo secrets.
* fix: update speedup chart alt text from 1.7x to 1.6x
* docs: improve timeline figure context and labeling
Add DAG subtitle to sync-vs-async timeline figure and bridge the
surrounding text to explain which workload shape is being shown.
* edits+additions to async-all-the-way-down dev notes
* clarify two semaphore dance
* remove dead link
* replace hero image
* docs: update scale figures with nginx-accurate data and adjust sizing
Regenerate scale-model-timeline and scale-boxplot from nginx access
logs (column_progress.csv, sync/summary.json) instead of buffered
execution logs. Optimize both PNGs to palette mode. Adjust figure
widths and update model timeline commentary.
* add link from owning-the-model-stack to async-dev-node
* docs: address review feedback on async blog post
- Tighten intro to a concise abstract, move pipeline narrative into
"The Bottleneck Was Structural" section
- Remove multi-column generators / seed readers paragraph (TMI)
- Clarify sync engine ran columns sequentially within each batch
---------
Co-authored-by: Nabin Mulepati <nmulepati@nvidia.com>