diff --git a/.cruft.json b/.cruft.json index 3de5e22c..52912282 100644 --- a/.cruft.json +++ b/.cruft.json @@ -1,6 +1,6 @@ { "template": "https://github.com/Ouranosinc/cookiecutter-pypackage", - "commit": "14556700478b0afdb158d61dd35db26a77c2b83d", + "commit": "36ea29394390254407194bd37315d9e3e9238585", "checkout": null, "context": { "cookiecutter": { @@ -23,7 +23,8 @@ "open_source_license": "Apache Software License 2.0", "generated_with_cruft": "y", "__gh_slug": "https://github.com/Ouranosinc/xscen", - "_template": "https://github.com/Ouranosinc/cookiecutter-pypackage" + "_template": "https://github.com/Ouranosinc/cookiecutter-pypackage", + "_commit": "36ea29394390254407194bd37315d9e3e9238585" } }, "directory": null diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 053707cf..dbeb4799 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,6 +17,9 @@ updates: schedule: interval: monthly groups: + ci: + patterns: + - "CI/*" python: patterns: - - "*" + - "pyproject.toml" diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 8307ec13..6ac3438d 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -47,7 +47,7 @@ jobs: actions: read steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block @@ -65,6 +65,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false token: ${{ steps.token_generator.outputs.token }} - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 
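Review bot: In the dependabot.yml hunk, `patterns` under `groups` matches dependency names, not file paths, so the new `ci` group's `"CI/*"` and the `python` group's `"pyproject.toml"` will not match any dependency and every update will fall back to its own ungrouped PR. If the intent is one group for the hash-pinned `CI/requirements_ci.txt` and one for `pyproject.toml`, that scoping belongs in separate `updates` entries keyed by `directory` (or a `directories` list), with name globs such as `"*"` kept in `patterns`. The `package-ecosystem` and `directory` keys of this entry sit above the hunk, so I cannot confirm how it is currently scoped.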
@@ -78,26 +79,20 @@ jobs: git_user_signingkey: true git_commit_gpgsign: true trust_level: 5 - - name: Current Version - run: | - CURRENT_VERSION="$(grep -E '__version__' src/xscen/__init__.py | cut -d ' ' -f3)" - echo "current_version=${CURRENT_VERSION}" - echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV - name: Install CI libraries run: | python -m pip install --require-hashes -r CI/requirements_ci.txt - name: Conditional Bump Version run: | - if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then + CURRENT_VERSION=$(bump-my-version show current_version) + if [[ ${CURRENT_VERSION} =~ -dev(\.\d+)? ]]; then echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version" bump-my-version bump build else echo "Version is stable, bumping 'patch' version" bump-my-version bump patch fi - NEW_VERSION="$(grep -E '__version__' src/xscen/__init__.py | cut -d ' ' -f3)" - echo "new_version=${NEW_VERSION}" - echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV + echo "new_version=$(bump-my-version show current_version)" - name: Push Changes uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0 with: diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml index 15ffca69..648a5b3d 100644 --- a/.github/workflows/cache-cleaner.yml +++ b/.github/workflows/cache-cleaner.yml @@ -5,7 +5,7 @@ on: types: - closed -permissions: # added using https://github.com/step-security/secure-repo +permissions: contents: read jobs: @@ -16,7 +16,7 @@ jobs: actions: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block @@ -27,6 +27,8 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Cleanup run: | 
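Review bot: The new test `if [[ ${CURRENT_VERSION} =~ -dev(\.\d+)? ]]; then` relies on `\d`, which is not a POSIX ERE class; bash hands the pattern to regcomp, so the optional group is effectively dead and the match succeeds on `-dev` alone. It works today only because the group is optional; `if [[ ${CURRENT_VERSION} =~ -dev(\.[0-9]+)? ]]; then` states the intent and behaves the same on stable versions. Separately, the earlier hunk in this file adds `persist-credentials: false` next to the checkout `token:`, so the app token is no longer left in the git config and the `ad-m/github-push-action` step that closes this hunk must be handed it through its own `github_token:` input; that step's `with:` block is outside the hunk, so please verify it.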
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index dc2fd928..00000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null @@ -1,50 +0,0 @@ -name: "CodeQL Scan" - -on: - push: - branches: - - main - pull_request: - schedule: - - cron: '30 23 * * 5' - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - strategy: - fail-fast: false - matrix: - language: - - 'python' - steps: - - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - files.pythonhosted.org:443 - github.com:443 - objects.githubusercontent.com:443 - pypi.org:443 - uploads.github.com:443 - - name: Checkout repository - uses: actions/checkout@v4.2.2 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@codeql-bundle-20230524 - with: - languages: ${{ matrix.language }} - - name: Autobuild - uses: github/codeql-action/autobuild@codeql-bundle-20230524 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@codeql-bundle-20230524 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..9909b635 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,99 @@ +# For most projects, this workflow file will not need changing; you simply need to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: "CodeQL Advanced" + +on: + push: + branches: + - main + pull_request: + branches: + - main + schedule: + - cron: '36 9 * * 1' + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. 
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + disable-sudo: true + egress-policy: audit + + - name: Checkout Repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: + # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. 
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index a73a7e80..b973514e 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block @@ -28,6 +28,8 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Dependency Review - uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/first-pull-request.yml b/.github/workflows/first-pull-request.yml index 4bd31a3f..82e66264 100644 --- a/.github/workflows/first-pull-request.yml +++ b/.github/workflows/first-pull-request.yml @@ -16,7 +16,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block 
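Review bot: The Harden Runner step in the new codeql.yml sets `egress-policy: audit`, whereas the codeql-analysis.yml it replaces enforced `egress-policy: block` with an explicit endpoint allow-list, so the rewrite loosens the network hardening of a job that holds `security-events: write` and runs on `pull_request`. Carry the enforcing policy over, starting from the deleted file's endpoint list and confirming it against one audit run, since the codeql-action pin moved to v3.28.0 and may contact different hosts. The remaining template text (the swift runner selection, the `manual` build-mode step that ends in `exit 1`, the language-keyword comments) never applies to a python-only matrix and could be trimmed to keep the workflow readable.
```yaml
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            uploads.github.com:443
      # … unchanged: Checkout Repository, Initialize CodeQL, Perform CodeQL Analysis …
```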
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index d7b02305..309d538e 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -22,7 +22,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 68348908..b9cf0a7d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,7 +30,7 @@ jobs: - "3.x" steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block @@ -40,6 +40,8 @@ jobs: pypi.org:443 - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Python${{ matrix.python-version }} uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: @@ -70,13 +72,15 @@ jobs: shell: bash -l {0} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Conda (Micromamba) with Python ${{ matrix.python-version }} - uses: mamba-org/setup-micromamba@617811f69075e3fd3ae68ca64220ad065877f246 # v2.0.0 + uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 with: cache-downloads: true environment-name: xscen-pypi 
@@ -85,8 +89,6 @@ jobs: python=${{ matrix.python-version }} tox>=4.17.1 tox-gh>=1.3.2 - # FIXME: https://github.com/mamba-org/setup-micromamba/issues/225 - micromamba-version: "1.5.10-0" # pinned to avoid the breaking changes with mamba and micromamba (2.0.0). - name: Environment Caching uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: @@ -139,24 +141,21 @@ jobs: shell: bash -l {0} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Conda (Micromamba) with Python ${{ matrix.python-version }} - uses: mamba-org/setup-micromamba@617811f69075e3fd3ae68ca64220ad065877f246 # v2.0.0 + uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 with: cache-downloads: true cache-environment: false # FIXME: No environment caching until issues with micromamba 2.0.0 are resolved. environment-file: environment-dev.yml create-args: >- python=${{ matrix.python-version }} - # FIXME: https://github.com/mamba-org/setup-micromamba/issues/225 - micromamba-version: "1.5.10-0" # pinned to avoid the breaking changes with mamba and micromamba (2.0.0). - - name: Conda and Mamba versions - run: | - echo "micromamba $(micromamba --version)" - name: Compile catalogs and install xscen run: | make translate @@ -184,7 +183,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index 6a2790b8..208041d8 100644 
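Review bot: In the -139 hunk of main.yml the `micromamba-version: "1.5.10-0"` pin is dropped, but the adjacent context line `cache-environment: false # FIXME: No environment caching until issues with micromamba 2.0.0 are resolved.` keeps the workaround that was introduced for the same micromamba 2.0.0 breakage, so the two are now inconsistent. If the setup-micromamba v2.0.2 bump is what makes the pin unnecessary, the FIXME is stale and `cache-environment: true` can return; if it is not, the pin removal is premature. The same pin is removed in the -85 hunk of this file, where no caching flag is visible to compare against; I cannot tell from the diff which case applies.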
--- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -18,19 +18,21 @@ jobs: id-token: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: -# disable-sudo: true - egress-policy: audit -# allowed-endpoints: > -# files.pythonhosted.org:443 -# fulcio.sigstore.dev:443 -# github.com:443 -# pypi.org:443 -# tuf-repo-cdn.sigstore.dev:443 -# upload.pypi.org:443 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + fulcio.sigstore.dev:443 + github.com:443 + pypi.org:443 + ruf-repo-cdn.sigstore.dev:443 + upload.pypi.org:443 - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: @@ -42,4 +44,4 @@ jobs: run: | python -m build --sdist --wheel - name: Publish distribution đŸ“Ļ to PyPI - uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0 + uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0ecb2632..a677e843 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -16,7 +16,9 @@ on: - main # Declare default permissions as read only. -permissions: read-all +# Read-all permission is not technically needed for this workflow. +permissions: + contents: read jobs: analysis: @@ -29,7 +31,7 @@ jobs: id-token: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block 
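Review bot: The newly enforced allow-list in publish-pypi.yml contains `ruf-repo-cdn.sigstore.dev:443`, while the commented-out line it was uncommented from read `tuf-repo-cdn.sigstore.dev:443`; with `egress-policy: block` the Sigstore TUF repository is therefore unreachable, and if the pypi-publish action's attestation signing is active (this job has `id-token: write` in the hunk's context) the publish step will presumably fail or lose its attestations. The fix is the one-character change `tuf-repo-cdn.sigstore.dev:443`. The same typo is in the -46 hunk of tag-testpypi.yml, which additionally keeps `egress-policy: audit`, so its allow-list is recorded but not enforced; decide whether that job should also move to `block` once the hostname is corrected.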
diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml index f0bba0f6..1656a627 100644 --- a/.github/workflows/tag-testpypi.yml +++ b/.github/workflows/tag-testpypi.yml @@ -17,7 +17,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block @@ -26,8 +26,10 @@ jobs: github.com:443 - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Create Release - uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # 2.0.9 + uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # 2.1.0 env: # This token is provided by Actions, you do not need to create your own token GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -46,19 +48,21 @@ jobs: id-token: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: -# disable-sudo: true + disable-sudo: true egress-policy: audit -# allowed-endpoints: > -# files.pythonhosted.org:443 -# fulcio.sigstore.dev:443 -# github.com:443 -# pypi.org:443 -# test.pypi.org:443 -# tuf-repo-cdn.sigstore.dev:443 + allowed-endpoints: > + files.pythonhosted.org:443 + fulcio.sigstore.dev:443 + github.com:443 + pypi.org:443 + ruf-repo-cdn.sigstore.dev:443 + test.pypi.org:443 - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: 
@@ -70,7 +74,7 @@ jobs: run: | python -m build --sdist --wheel - name: Publish distribution đŸ“Ļ to Test PyPI - uses: pypa/gh-action-pypi-publish@fb13cb306901256ace3dab689990e13a5550ffaa # v1.11.0 + uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2 with: repository-url: https://test.pypi.org/legacy/ skip-existing: true diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index a596b09f..538d8b9c 100644 --- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml @@ -40,13 +40,14 @@ jobs: shell: bash -l {0} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Fetch all history for all branches and tags. + persist-credentials: false - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} uses: mamba-org/setup-micromamba@617811f69075e3fd3ae68ca64220ad065877f246 # v2.0.0 with: diff --git a/.github/workflows/workflow-warning.yml b/.github/workflows/workflow-warning.yml index 0a1e658c..fcb2d209 100644 --- a/.github/workflows/workflow-warning.yml +++ b/.github/workflows/workflow-warning.yml @@ -25,7 +25,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: disable-sudo: true egress-policy: block diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 12d5339f..7d90b05d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
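Review bot: upstream.yml keeps `mamba-org/setup-micromamba@617811f69075e3fd3ae68ca64220ad065877f246 # v2.0.0` as a context line while main.yml moves the same action to v2.0.2 in this commit, so the pins now diverge across workflows. Unless the older pin is deliberate, bump it to `uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2` for consistency; the `with:` block that follows is cut off at the hunk's end, so I cannot see whether this file also still carries the `micromamba-version` pin that main.yml drops.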
@@ -3,7 +3,7 @@ default_language_version: repos: - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.19.1 hooks: - id: pyupgrade args: [ '--py310-plus' ] @@ -31,7 +31,7 @@ repos: - id: python-use-type-annotations - id: rst-inline-touching-normal - repo: https://github.com/pappasam/toml-sort - rev: v0.23.1 + rev: v0.24.2 hooks: - id: toml-sort-fix - repo: https://github.com/psf/black-pre-commit-mirror @@ -45,7 +45,7 @@ repos: - id: isort exclude: ^docs/ - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.7.2 + rev: v0.8.2 hooks: - id: ruff args: [ '--fix', '--show-fixes' ] @@ -56,12 +56,21 @@ repos: - id: flake8 additional_dependencies: [ 'flake8-rst-docstrings' ] args: [ '--config=.flake8' ] + - repo: https://github.com/jendrikseipp/vulture + rev: v2.13 + hooks: + - id: vulture +# - repo: https://github.com/pre-commit/mirrors-mypy +# rev: v1.14.1 +# hooks: +# - id: mypy - repo: https://github.com/keewis/blackdoc rev: v0.3.9 hooks: - id: blackdoc - additional_dependencies: [ 'black==24.4.2' ] + additional_dependencies: [ 'black==24.10.0' ] exclude: config.py + - id: blackdoc-autoupdate-black - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 hooks: @@ -80,7 +89,7 @@ repos: additional_dependencies: [ 'pyupgrade==3.17.0' ] - id: nbqa-black args: [ '--target-version=py310' ] - additional_dependencies: [ 'black==24.8.0' ] + additional_dependencies: [ 'black==24.10.0' ] - id: nbqa-isort additional_dependencies: [ 'isort==5.13.2' ] - repo: https://github.com/kynan/nbstripout 
@@ -96,10 +105,19 @@ repos: exclude: .cruft.json|docs/notebooks args: [ '--baseline=.secrets.baseline' ] - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.30.0 hooks: - id: check-github-workflows - id: check-readthedocs + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v0.8.0 + hooks: + - id: zizmor + args: [ '--config=.zizmor.yml' ] + - repo: https://github.com/gitleaks/gitleaks + rev: v8.21.2 + hooks: + - id: gitleaks - repo: meta hooks: - id: check-hooks-apply diff --git a/.zizmor.yml b/.zizmor.yml new file mode 100644 index 00000000..6ac32154 --- /dev/null +++ b/.zizmor.yml @@ -0,0 +1,6 @@ +rules: + dangerous-triggers: + ignore: + - label.yml:9 + - first-pull-request.yml:3 + - workflow-warning.yml:3 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a8db65f5..85207528 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -30,6 +30,12 @@ Internal changes * A new parameter `incomplete` has been added to ``xs.io.clean_incomplete`` to remove incomplete variables. (:pull:`492`). * Continued work on adding tests. (:pull:`492`). * Modified a CI build to test against the oldest supported version of `xclim`. (:pull:`505`). +* Updated the cookiecutter template version: (:pull:`507`) + * Added `vulture` to pre-commit hooks (finding dead code blocks). + * Added `zizmor` to the pre-commit hooks (security analysis for CI workflows). + * Secured token usages on all workflows (using `zizmor`). + * Simplified logic in ``bump-version.yml``. + * Synchronized a few dependencies. v0.10.1 (2024-11-04) -------------------- diff --git a/MANIFEST.in b/MANIFEST.in index 070cdb41..842dbdf2 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -34,6 +34,7 @@ exclude .pre-commit-config.yaml exclude .readthedocs.yml exclude .secrets.baseline exclude .yamllint.yaml +exclude .zizmor.yml exclude environment.yml exclude environment-dev.yml exclude tox.ini diff --git a/docs/conf.py b/docs/conf.py index 20e10c3b..a419d3c8 100755 --- a/docs/conf.py 
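Review bot: The three `dangerous-triggers` ignores in the new .zizmor.yml carry no rationale, and the workflows they name (label.yml, first-pull-request.yml, workflow-warning.yml) all hold `pull-requests: write` according to their hunks elsewhere in this diff, so the finding presumably concerns a `pull_request_target`-style trigger where fork-supplied event data meets a privileged token. Each entry should record why it is acceptable, for example `- label.yml:9  # pull_request_target: labels only; never checks out or executes PR-controlled content`, so that a later change adding a checkout of the PR head is not silently waved through by the standing ignore. Keeping that invariant stated in the file is what makes the ignore reviewable.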
+++ b/docs/conf.py @@ -23,6 +23,7 @@ import warnings from datetime import datetime from pathlib import Path +from typing import Any sys.path.insert(0, os.path.abspath("..")) if os.environ.get("READTHEDOCS") and "ESMFMKFILE" not in os.environ: @@ -222,7 +223,7 @@ # -- Options for LaTeX output ------------------------------------------ -latex_elements = { +latex_elements: dict[str, Any] = { # The paper size ('letterpaper' or 'a4paper'). # # 'papersize': 'letterpaper', diff --git a/environment-dev.yml b/environment-dev.yml index 467c3918..c27dbe17 100644 --- a/environment-dev.yml +++ b/environment-dev.yml @@ -39,11 +39,13 @@ dependencies: - pyarrow >=10.0.1 # Dev - babel - - black ==24.8.0 + - pip >=24.3.1 + - black ==24.10.0 - blackdoc ==0.3.9 - - bump-my-version >=0.26.8 - - coverage>=7.5.0 - - coveralls>=4.0.1 + - bump-my-version >=0.28.0 + - click >=8.1.7 + - coverage >=7.5.0 + - coveralls >=4.0.1 - flake8 >=7.1.0 - flake8-rst-docstrings>=0.3.0 - ipykernel @@ -60,7 +62,7 @@ dependencies: - pytest >=8.3.2 - pytest-cov >=5.0.0 - pytest-xdist >=3.2.0 - - ruff >=0.5.7 + - ruff >=0.8.2 - setuptools >=65.0.0 - setuptools-scm >=8.0.0 - sphinx >=7.0.0 @@ -73,7 +75,7 @@ dependencies: - watchdog >=4.0.0 - xdoctest # Testing - - tox >=4.17.1 + - tox >=4.23.2 - tox-gh >=1.3.2 # packaging - conda-build diff --git a/pyproject.toml b/pyproject.toml index 877a57e4..1aa9b7ed 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -73,11 +73,10 @@ dependencies = [ [project.optional-dependencies] dev = [ # Dev tools and testing - "pip >=24.2.0", "babel", - "black[jupyter] ==24.10.0", + "black ==24.10.0", "blackdoc ==0.3.9", - "bump-my-version >=0.26.0", + "bump-my-version >=0.28.0", "coverage >=7.5.0", "coveralls >=4.0.1", "flake8 >=7.1.1", 
@@ -86,12 +85,12 @@ dev = [ "mypy", "numpydoc >=1.8.0", "pooch >=1.8.0", - "pre-commit >=3.3.2", + "pre-commit >=3.5.0", "pytest-cov >=5.0.0", "pytest >=8.3.2", "pytest-xdist[psutil] >=3.2.0", - "ruff >=0.5.7", - "tox >=4.18.0", + "ruff >=0.8.2", + "tox >=4.23.2", "watchdog >=4.0.0", "xdoctest" ] @@ -321,6 +320,14 @@ version = {attr = "xscen.__version__"} where = ["src"] include = ["xscen"] +[tool.vulture] +exclude = [] +ignore_decorators = ["@pytest.fixture"] +ignore_names = [] +min_confidence = 90 +paths = ["src/xscen", "tests"] +sort_by_size = true + # [tool.setuptools.packages.find] # include = [ # ".zenodo.json", diff --git a/src/xscen/__init__.py b/src/xscen/__init__.py index 117da679..f6e94b57 100644 --- a/src/xscen/__init__.py +++ b/src/xscen/__init__.py @@ -74,8 +74,14 @@ __version__ = "0.10.2-dev.1" +# FIXME: file and line are unused def warning_on_one_line( - message: str, category: Warning, filename: str, lineno: int, file=None, line=None + message: str, + category: Warning, + filename: str, + lineno: int, + file=None, # noqa: F841 + line=None, # noqa: F841 ): """ Monkeypatch Reformat warning so that `warnings.warn` doesn't mention itself. diff --git a/src/xscen/scripting.py b/src/xscen/scripting.py index 68e3677b..bc9fe808 100644 --- a/src/xscen/scripting.py +++ b/src/xscen/scripting.py @@ -297,7 +297,8 @@ def timeout(seconds: int, task: str = ""): yield else: - def _timeout_handler(signum, frame): + # FIXME: These variables are not used + def _timeout_handler(signum, frame): # noqa: F841 raise TimeoutException(seconds, task) old_handler = signal.signal(signal.SIGALRM, _timeout_handler) diff --git a/tox.ini b/tox.ini index ac50bcd0..d382e953 100644 --- a/tox.ini +++ b/tox.ini @@ -1,11 +1,11 @@ [tox] -min_version = 4.18.0 +min_version = 4.23.2 envlist = lint - py{310,311,312} + py{310,311,312,313} docs-esmpy requires = - pip >= 24.2.0 + pip >= 24.3.1 setuptools >= 65.0 opts = --colored 
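Review bot: The `# noqa: F841` markers added to the `file=None` and `line=None` parameters of `warning_on_one_line` suppress nothing: F841 is flake8's "local variable assigned but never used" code and does not fire on function parameters, so ruff may instead report the markers as unused `noqa`. The parameter list is fixed by the `warnings.formatwarning` protocol the function replaces (its docstring says so; the body continues outside the hunk), so the right place to silence a dead-code finding is the `[tool.vulture]` table this commit adds to pyproject.toml, e.g. `ignore_names = ["file", "line", "signum", "frame"]`, with the `# FIXME: file and line are unused` comment reworded to say the arguments are required by the protocol. The same pattern is applied to `_timeout_handler(signum, frame)` in scripting.py, where the comment `# FIXME: These variables are not used` is misleading because both names are mandated by the `signal.signal` handler signature.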
@@ -16,18 +16,19 @@ python = 3.10 = py310-xclim-coveralls 3.11 = py311-coveralls 3.12 = py312-esmpy-coveralls + 3.13 = py313-coveralls [testenv:lint] description = Check for Code Compliance and missing french translations skip_install = True download = true deps = - black[jupyter] ==24.8.0 + black[jupyter] ==24.10.0 blackdoc ==0.3.9 isort ==5.13.2 flake8 >=7.1.1 flake8-rst-docstrings >=0.3.0 - ruff >=0.5.7 + ruff >=0.8.2 numpydoc >=1.8.0 commands_pre = pip list