Merge branch 'master' into fix/builtin-order-of-eval

.github/ISSUE_TEMPLATE/bug.md

@@ -1,6 +1,7 @@
 ---
 name: Bug Report
 about: Any general feedback or bug reports about the Vyper Compiler. No new features proposals.
+labels: ["needs triage"]
 ---
 
 ### Version Information

.github/ISSUE_TEMPLATE/vip.md

@@ -1,6 +1,7 @@
 ---
 name: Vyper Improvement Proposal (VIP)
 about: This is the suggested template for new VIPs.
+labels: ["needs triage"]
 ---
 ## Simple Summary
 "If you can't explain it simply, you don't understand it well enough." Provide a simplified and layman-accessible explanation of the VIP.

.github/workflows/build.yml

@@ -31,6 +31,10 @@ jobs:
             # need to fetch unshallow so that setuptools_scm can infer the version
             fetch-depth: 0
 
+      # debug
+      - name: Git shorthash
+        run: git rev-parse --short HEAD
+
       - name: Python
         uses: actions/setup-python@v5
         with:
@@ -45,8 +49,9 @@ jobs:
 
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
+          name: vyper-${{ runner.os }}
           path: dist/vyper.*
 
   windows-build:
@@ -60,6 +65,10 @@ jobs:
             # need to fetch unshallow so that setuptools_scm can infer the version
             fetch-depth: 0
 
+      # debug
+      - name: Git shorthash
+        run: git rev-parse --short HEAD
+
       - name: Python
         uses: actions/setup-python@v5
         with:
@@ -73,8 +82,9 @@ jobs:
           ./make.cmd freeze
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
+          name: vyper-${{ runner.os }}
           path: dist/vyper.*
 
   publish-release-assets:
@@ -84,14 +94,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           path: artifacts/
+          merge-multiple: true
 
       - name: Upload assets
-        # fun - artifacts are downloaded into "artifact/".
-        # TODO: this needs to be tested when upgrading to upload-artifact v4
-        working-directory: artifacts/artifact
+        working-directory: artifacts
         run: |
           set -Eeuxo pipefail
           for BIN_NAME in $(ls)

.github/workflows/pull-request.yaml

@@ -24,14 +24,17 @@ jobs:
         with:
           types: |
             feat
+            perf
             fix
             chore
             refactor
           # ci: continuous integration
           # docs: documentation
           # test: test suite
           # lang: language changes
+          # stdlib: changes to the stdlib
           # ux: language changes (UX)
+          # parser: parser changes
           # tool: integration
           # ir: (old) IR/codegen changes
           # codegen: lowering from vyper AST to codegen
@@ -42,7 +45,9 @@ jobs:
             docs
             test
             lang
+            stdlib
             ux
+            parser
             tool
             ir
             codegen

.github/workflows/release-pypi.yml

@@ -20,6 +20,14 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        # fetch unshallow so commit hash matches github release.
+        # see https://github.com/vyperlang/vyper/blob/8f9a8cac49aafb3fbc9dde78f0f6125c390c32f0/.github/workflows/build.yml#L27-L32
+        fetch-depth: 0
+
+    # debug
+    - name: Git shorthash
+      run: git rev-parse --short HEAD
 
     - name: Python
       uses: actions/setup-python@v5

.github/workflows/test.yml

@@ -116,6 +116,7 @@ jobs:
           # modes across all python versions - one is enough
           - python-version: ["3.10", "310"]
           - python-version: ["3.12", "312"]
+          - python-version: ["3.13", "313"]
 
           # os-specific rules
           - os: windows
@@ -148,16 +149,17 @@ jobs:
         --evm-backend ${{ matrix.evm-backend || 'revm' }}
         ${{ matrix.debug && '--enable-compiler-debug-mode' || '' }}
         ${{ matrix.experimental-codegen && '--experimental-codegen' || '' }}
-        --cov-branch
-        --cov-report xml:coverage.xml
+        --cov-config=setup.cfg
         --cov=vyper
         tests/
 
-    - name: Upload Coverage
-      uses: codecov/codecov-action@v3
+    - name: Upload coverage artifact
+      uses: actions/upload-artifact@v4
       with:
-        token: ${{ secrets.CODECOV_TOKEN }}
-        file: ./coverage.xml
+        name: coverage-files-${{ github.job }}-${{ strategy.job-index }}
+        include-hidden-files: true
+        path: .coverage
+        if-no-files-found: error
 
   core-tests-success:
     if: always()
@@ -208,16 +210,17 @@ jobs:
           --splits 120 \
           --group ${{ matrix.group }} \
           --splitting-algorithm least_duration \
-          --cov-branch \
-          --cov-report xml:coverage.xml \
+          --cov-config=setup.cfg \
           --cov=vyper \
           tests/
 
-    - name: Upload Coverage
-      uses: codecov/codecov-action@v3
+    - name: Upload coverage artifact
+      uses: actions/upload-artifact@v4
       with:
-        token: ${{ secrets.CODECOV_TOKEN }}
-        file: ./coverage.xml
+        name: coverage-files-${{ github.job }}-${{ strategy.job-index }}
+        include-hidden-files: true
+        path: .coverage
+        if-no-files-found: error
 
   slow-tests-success:
     if: always()
@@ -230,3 +233,73 @@ jobs:
       - name: Check slow tests all succeeded
         if: ${{ needs.fuzzing.result != 'success' }}
         run: exit 1
+
+  coverage-report:
+    # Consolidate code coverage using `coverage combine` and
+    # call coverage report with fail-under=90
+    runs-on: ubuntu-latest
+    needs: [tests, fuzzing]
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python 3.11
+      uses: actions/setup-python@v5
+      with:
+        python-version: "3.11"
+        cache: "pip"
+
+    - name: Install coverage
+      run: pip install coverage
+
+    - name: Download coverage artifacts
+      uses: actions/download-artifact@v4
+      with:
+        pattern: coverage-files-*
+        path: coverage-files
+
+    - name: Combine coverage
+      run: |
+        coverage combine coverage-files/**/.coverage
+
+    - name: Coverage report
+      # coverage report and fail if coverage is too low
+      run: |
+        coverage report --fail-under=90
+
+    - name: Generate coverage.xml
+      run: |
+        coverage xml
+
+    - name: Upload coverage sqlite artifact
+      # upload coverage sqlite db for debugging
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-sqlite
+        include-hidden-files: true
+        path: .coverage
+        if-no-files-found: error
+
+    - name: Upload coverage.xml
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-xml
+        path: coverage.xml
+        if-no-files-found: error
+
+  upload-coverage:
+    # upload coverage to the codecov app
+    runs-on: ubuntu-latest
+    needs: [coverage-report]
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/download-artifact@v4
+      with:
+        name: coverage-xml
+
+    - name: Upload Coverage
+      uses: codecov/codecov-action@v5
+      with:
+        token: ${{ secrets.CODECOV_TOKEN }}
+        file: coverage.xml

FUNDING.json

@@ -0,0 +1,10 @@
+{
+  "drips": {
+    "ethereum": {
+      "ownedBy": "0x70CCBE10F980d80b7eBaab7D2E3A73e87D67B775"
+    }
+  },
+  "opRetro": {
+    "projectId": "0x9ca1f7b0e0d10d3bd2619e51a54f2e4175e029c87a2944cf1ebc89164ba77ea0"
+  }
+}

README.md

@@ -3,6 +3,7 @@
 [![Build Status](https://github.com/vyperlang/vyper/workflows/Test/badge.svg)](https://github.com/vyperlang/vyper/actions/workflows/test.yml)
 [![Documentation Status](https://readthedocs.org/projects/vyper/badge/?version=latest)](http://docs.vyperlang.org/en/latest/?badge=latest "ReadTheDocs")
 [![Discord](https://img.shields.io/discord/969926564286459934.svg?label=%23vyper)](https://discord.gg/6tw7PTM7C2)
+[![Telegram](https://img.shields.io/badge/Vyperholics🐍-Telegram-blue)](https://t.me/vyperlang)
 
 [![PyPI](https://badge.fury.io/py/vyper.svg)](https://pypi.org/project/vyper "PyPI")
 [![Docker](https://img.shields.io/docker/cloud/build/vyperlang/vyper)](https://hub.docker.com/r/vyperlang/vyper "DockerHub")
@@ -49,7 +50,7 @@ be a bit behind the latest version found in the master branch of this repository
 
 ```bash
 make dev-init
-python setup.py test
+./quicktest.sh -m "not fuzzing"
 ```
 
 ## Developing (working on the compiler)

SECURITY.md

@@ -3,7 +3,7 @@
 ## Supported Versions
 
 - it is recommended to follow the list of known [vulnerabilities](https://github.com/vyperlang/vyper/security/advisories) and stay up-to-date with the latest releases
-  - as of May 2024, the `0.4.0` release is the most secure and the most comprehensively reviewed one and is recommended for use in production environments
+  - as of May 2024, the [`0.4.0`](https://github.com/vyperlang/vyper/releases/tag/v0.4.0) release is the most comprehensively reviewed one and is recommended for use in production environments
 - if a compiler vulnerability is found, a new compiler version with a patch will be released. The vulnerable version itself is not updated (see the examples below).
   - `example1`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found in `0.4.0`, then a patch will be released in `0.4.1`
   - `example2`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found both in `0.3.10` and `0.4.0`, then a patch will be released only in `0.4.1`
@@ -26,7 +26,22 @@ we will add an entry to the list of security advisories for posterity and refere
 
 
 ## Bug Bounty Program
-- as of May 2024, Vyper does not have a bug bounty program. It is planned to instantiate one soon.
+- Vyper runs a bug bounty program via the Ethereum Foundation.
+  - Bugs should be reported through the [Ethereum Foundation's bounty program](https://ethereum.org/bug-bounty).
+
+### Scope
+- Rules from the Ethereum Foundation's bug bounty program apply; for any questions please reach out [here](mailto:[email protected]). Here we further clarify the scope of the Vyper bounty program.
+- If a compiler bug affects production code, it is in scope (excluding known issues).
+  - This includes bugs in older compiler versions still used in production.
+- If a compiler bug does not currently affect production but is likely to in the future, it is in scope.
+  - This mainly applies to the latest compiler release (e.g., a new release is available but contracts are not yet deployed with it).
+  - Experimental features (e.g. `--experimental-codegen`) are out of scope, as they are not intended for production and are unlikely to affect production code.
+  - Bugs in older compiler versions are generally out of scope, as they are no longer used for new contracts.
+    - There might be exceptions, e.g., when an L2 doesn't support recent compiler releases. In such cases, it might be reasonable for an older version to be used. It is up to the discretion of the EF & Vyper team to decide if the bug is in scope.
+- If a vulnerability affects multiple contracts, the whitehat is eligible for only one payout (though the severity of the bug may increase).
+- Eligibility for project-specific bounties is independent of this bounty.
+- [Security advisories](https://github.com/vyperlang/vyper/security/advisories) and [known issues](https://github.com/vyperlang/vyper/issues) are not eligible for the bounty program, as they are publicly disclosed and protocols should structure their contracts accordingly.
+- Individuals or organizations contracted or engaged specifically for security development, auditing, or testing of this project are ineligible for the bounty program.
 
 ## Reporting a Vulnerability
 

docs/built-in-functions.rst

@@ -1023,7 +1023,7 @@ Utilities
         >>> ExampleContract.foo()
 	0xa9059cbb
 
-.. py:function:: abi_encode(*args, ensure_tuple: bool = True) -> Bytes[<depends on input>]
+.. py:function:: abi_encode(*args, ensure_tuple: bool = True, method_id: Bytes[4] = None) -> Bytes[<depends on input>]
 
     Takes a variable number of args as input, and returns the ABIv2-encoded bytestring. Used for packing arguments to raw_call, EIP712 and other cases where a consistent and efficient serialization method is needed.
     Once this function has seen more use we provisionally plan to put it into the ``ethereum.abi`` namespace.