Release 1.219.0

See release notes.

Author: cjdsellers

.docker/DockerfileUbuntu

@@ -0,0 +1,72 @@
+# Dockerfile to reproduce locally an environment similar to what is run on the github runner
+#
+# From nautilus project's root folder:
+#
+# Build the image:
+# docker build -f .docker/DockerfileUbuntu -t nautilus-dev .
+#
+# Run interactively with local directory mounted:
+# docker run --rm -itv "$(pwd)":/workspace nautilus-dev bash
+#
+# Or run the default entrypoint:
+# docker run --rm -itv "$(pwd)":/workspace nautilus-dev
+#
+# Remove the image
+# docker image rm nautilus-dev
+
+FROM ubuntu:22.04
+
+# Set environment variables
+ENV DEBIAN_FRONTEND=noninteractive
+ENV BUILD_MODE=release
+ENV RUST_BACKTRACE=1
+ENV CARGO_INCREMENTAL=1
+ENV CC="clang"
+ENV CXX="clang++"
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    clang \
+    git \
+    pkg-config \
+    make \
+    capnproto \
+    libcapnp-dev \
+    gcc-aarch64-linux-gnu \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Install mold linker
+RUN curl -L https://github.com/rui314/mold/releases/download/v2.35.1/mold-2.35.1-x86_64-linux.tar.gz | tar -xz -C /usr/local --strip-components=1
+
+# Install uv
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh
+ENV PATH="/root/.cargo/bin:/root/.local/bin:${PATH}"
+
+# Install Python 3.13
+RUN uv python install
+
+# Set working directory
+WORKDIR /workspace
+
+# Copy only necessary files for dependency setup
+# The actual source code will be mounted as a volume
+COPY ../scripts/rust-toolchain.sh scripts/
+COPY ../Cargo.toml Cargo.lock pyproject.toml rust-toolchain.toml ./
+
+# Set up Rust toolchain based on project requirements
+RUN bash scripts/rust-toolchain.sh > /tmp/toolchain.txt && \
+    TOOLCHAIN=$(cat /tmp/toolchain.txt) && \
+    rustup toolchain install $TOOLCHAIN && \
+    rustup default $TOOLCHAIN && \
+    rustup component add clippy rustfmt
+
+# Copy and set up entrypoint script for interactive development
+COPY .docker/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

.docker/docker-compose.yml

@@ -25,6 +25,8 @@ services:
       PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD:-admin}
     volumes:
       - pgadmin:/root/.pgadmin
+    security_opt:
+      - no-new-privileges:true
     ports:
       - "${PGADMIN_PORT:-5051}:80"
     networks:

.docker/entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# entrypoint script for DockerfileUbuntu
+
+echo "=== Nautilus Trader Development Environment ==="
+echo "Rust version: $(rustc --version)"
+echo "UV version: $(uv --version)"
+echo "Working directory: $(pwd)"
+echo
+
+echo "=== Setting PyO3 environment ==="
+export PYO3_PYTHON=/workspace/.venv/bin/python3
+echo "PYO3_PYTHON: $PYO3_PYTHON"
+echo
+
+echo "=== Development environment ready! ==="
+echo "You can now run for example:"
+echo "  make install-debug                                            # Install nautilus in debug mode"
+echo "  make cargo-test                                               # Test Rust code"
+echo "  make pytest                                                   # Run Python tests"
+echo "  uv run python -c \"import nautilus_trader.backtest.engine;\"    # Run a Python instruction"
+echo
+
+# If no command is provided, check if we have a TTY and start appropriate shell
+if [ $# -eq 0 ]; then
+    if [ -t 0 ]; then
+        echo "Starting interactive shell..."
+        exec bash
+    else
+        echo "No TTY detected. Use docker run -it for interactive mode."
+        echo "Container ready for commands. Example:"
+        echo "  docker run --rm -itv \"\$(pwd)\":/workspace nautilus-dev"
+    fi
+else
+    exec "$@"
+fi

.docker/nautilus_trader.dockerfile

@@ -16,7 +16,7 @@ FROM base AS builder
 
 # Install build deps
 RUN apt-get update && \
-    apt-get install -y curl clang git libssl-dev make pkg-config capnproto libcapnp-dev && \
+    apt-get install -y curl clang git make pkg-config capnproto libcapnp-dev && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 

.github/OVERVIEW.md

@@ -44,6 +44,11 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 - **Code Scanning**: CodeQL is enabled for continuous security analysis.
 - **Dependency Pinning**: key tools (pre-commit, Python versions, Rust toolchain,
   mold, cargo-nextest) are locked to fixed versions or SHAs.
+- **Least-Privilege Tokens**: workflows default the `GITHUB_TOKEN` to
+  `contents: read, actions: read` and selectively elevate scopes (e.g.
+  `contents: write`) only for the jobs that need to tag a release or upload
+  assets. This follows the principle of least privilege and limits blast
+  radius if a job is compromised.
 - **Caching**: caches for sccache, pip/site-packages, pre-commit, and test data
   speed up workflows while preserving hermetic builds.
 

.github/actions/common-setup/action.yml

@@ -40,7 +40,7 @@ runs:
       shell: bash
       run: |
         sudo apt-get update
-        sudo apt-get install -y curl clang git libssl-dev make pkg-config
+        sudo apt-get install -y curl clang git make pkg-config
         sudo apt-get install -y python3-dev libpython3-dev
         sudo apt-get install -y capnproto libcapnp-dev
 
@@ -75,8 +75,8 @@ runs:
         override: true
 
     - name: Install cargo-nextest
-      # https://github.com/taiki-e/install-action # v2.50.10
-      uses: taiki-e/install-action@83254c543806f3224380bf1001d6fac8feaf2d0b
+      # https://github.com/taiki-e/install-action # v2.53.2
+      uses: taiki-e/install-action@d12e869b89167df346dd0ff65da342d1fb1202fb
       with:
         tool: nextest
 
@@ -86,9 +86,14 @@ runs:
       shell: bash
       run: |
         echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
+
+        # Based on GitHub Actions runner constraints
+        # and Nautilus Trader uncompressed package final size (~1 GiB)
+        echo "SCCACHE_CACHE_SIZE=4G" >> $GITHUB_ENV
         echo "SCCACHE_IDLE_TIMEOUT=0" >> $GITHUB_ENV
         echo "SCCACHE_DIRECT=true" >> $GITHUB_ENV
         echo "SCCACHE_CACHE_MULTIARCH=1" >> $GITHUB_ENV
+
         echo "CARGO_INCREMENTAL=0" >> $GITHUB_ENV
 
     - name: Set sccache env vars (non-Windows)

.github/actions/common-wheel-build/action.yml

@@ -40,6 +40,7 @@ runs:
       shell: bash
       run: |
         echo "Building for Linux ARM64"
+
         PYTHON_LIB_DIR=$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("LIBDIR"))')
         PYTHON_VERSION=$(python3 -c 'import platform; print(".".join(platform.python_version_tuple()[:2]))')
 

.github/workflows/build-docs.yml

@@ -1,5 +1,9 @@
 name: build-docs
 
+permissions: # Principle of least privilege
+  contents: read
+  actions: read
+
 on:
   push:
     branches: [master, nightly]
@@ -9,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # https://github.com/step-security/harden-runner
-      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
         with:
           egress-policy: audit