docs: add security page to docs, try removing some temporary CI pins (#…

…1568)
narwhals-dev · Dec 12, 2024 · 1a53db3 · 1a53db3
1 parent 4039440
commit 1a53db3
Show file tree

Hide file tree

Showing 22 changed files with 1,876 additions and 13 deletions.
diff --git a/.github/workflows/downstream_tests.yml b/.github/workflows/downstream_tests.yml
@@ -91,8 +91,6 @@ jobs:
             . .venv/bin/activate
             uv pip uninstall narwhals
             uv pip install -e ./..
-            # temporary pin
-            uv pip install "altair<5.5"
       - name: show-deps
         run: |
             cd marimo

diff --git a/docs/assets/image.png b/docs/assets/image.png
diff --git a/docs/index.md b/docs/index.md
@@ -1,6 +1,6 @@
 # Narwhals
 
-![](assets/image.png)
+![](https://github.com/narwhals-dev/assets/blob/e605e93cbb763e65c3d7c01b830b3408df26858e/image.png)
 
 [![PyPI version](https://badge.fury.io/py/narwhals.svg)](https://badge.fury.io/py/narwhals)
 [![Downloads](https://static.pepy.tech/badge/narwhals/month)](https://pepy.tech/project/narwhals)

diff --git a/docs/security.md b/docs/security.md
@@ -0,0 +1,24 @@
+# Security
+
+Given that Narwhals can only work if people trust it, we recognise the importance of following
+good security practices. Here are some practices we follow:
+
+- We publish to PyPI via trusted publishing and are PEP740-compliant.
+- We don't use `pull_request_target` in any CI job.
+- We sanitise the (potentially unsafe) `github.ref_name` variable when publishing
+  releases.
+- All members of `narwhals-dev` are required to have two-factor authentication
+  enabled.
+- There are no binary or opaque files in the Narwhals repository.
+- Release permissions are only given to people who satisfy all of the following:
+
+    - Have met the original author in real life on multiple days.
+    - Have made significant contributions to Narwhals.
+    - Give off good vibes. This is hard to rigorously define, but it's there so we
+        can refuse anyone who, despite satisfying the above two criteria, we don't
+        feel like we can trust.
+    - There are fewer than 5 active people with release permissions. That is
+        to say, even if someone satisfies all of the above, if there are already 5
+        people with release permissions, then we will not be adding any more (though
+        you may still be added to `narwhals-dev` and get permission to merge pull
+        requests which you believe are ready). Note that we already meet that limit.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -21,6 +21,7 @@ nav:
   - Supported libraries and extending Narwhals: extending.md
   - How it works: how_it_works.md
   - Ecosystem: ecosystem.md
+  - Security: security.md
   - Resources: resources.md
   - API Completeness:
     - api-completeness/index.md

diff --git a/tests/data/customer.csv b/tests/data/customer.csv
diff --git a/tests/data/customer.parquet b/tests/data/customer.parquet
diff --git a/tests/data/lineitem.csv b/tests/data/lineitem.csv
diff --git a/tests/data/lineitem.parquet b/tests/data/lineitem.parquet
diff --git a/tests/data/nation.csv b/tests/data/nation.csv
@@ -0,0 +1,26 @@
+n_nationkey,n_name,n_regionkey,n_comment
+0,ALGERIA,0,furiously regular requests. platelets affix furious
+1,ARGENTINA,1,"instructions wake quickly. final deposits haggle. final, silent theodolites "
+2,BRAZIL,1,asymptotes use fluffily quickly bold instructions. slyly bold dependencies sleep carefully pending accounts
+3,CANADA,1,ss deposits wake across the pending foxes. packages after the carefully bold requests integrate caref
+4,EGYPT,4,"usly ironic, pending foxes. even, special instructions nag. sly, final foxes detect slyly fluffily "
+5,ETHIOPIA,0,regular requests sleep carefull
+6,FRANCE,3,oggedly. regular packages solve across
+7,GERMANY,3,ong the regular requests: blithely silent pinto beans hagg
+8,INDIA,2,uriously unusual deposits about the slyly final pinto beans could
+9,INDONESIA,2,"d deposits sleep quickly according to the dogged, regular dolphins. special excuses haggle furiously special reque"
+10,IRAN,4,furiously idle platelets nag. express asymptotes s
+11,IRAQ,4,pendencies; slyly express foxes integrate carefully across the reg
+12,JAPAN,2, quickly final packages. furiously i
+13,JORDAN,4,the slyly regular ideas. silent Tiresias affix slyly fu
+14,KENYA,0,lyly special foxes. slyly regular deposits sleep carefully. carefully permanent accounts slee
+15,MOROCCO,0,ct blithely: blithely express accounts nag carefully. silent packages haggle carefully abo
+16,MOZAMBIQUE,0, beans after the carefully regular accounts r
+17,PERU,1,ly final foxes. blithely ironic accounts haggle. regular foxes about the regular deposits are furiously ir
+18,CHINA,2,"ckly special packages cajole slyly. unusual, unusual theodolites mold furiously. slyly sile"
+19,ROMANIA,3,"sly blithe requests. thinly bold deposits above the blithely regular accounts nag special, final requests. care"
+20,SAUDI ARABIA,4,se slyly across the blithely regular deposits. deposits use carefully regular 
+21,VIETNAM,2,lly across the quickly even pinto beans. caref
+22,RUSSIA,3,uctions. furiously unusual instructions sleep furiously ironic packages. slyly 
+23,UNITED KINGDOM,3,"carefully pending courts sleep above the ironic, regular theo"
+24,UNITED STATES,1,ly ironic requests along the slyly bold ideas hang after the blithely special notornis; blithely even accounts
diff --git a/tests/data/nation.parquet b/tests/data/nation.parquet