update version pins, add secruity hardening to workflows, update pre-…

…commit, update HISTORY.rst

.github/workflows/main.yml

@@ -9,8 +9,11 @@ on:
 env:
   RAVEN_TESTING_DATA_BRANCH: master
 
+permissions:
+  contents: read
+
 jobs:
-  black:
+  lint:
     name: Code linting
     runs-on: ubuntu-latest
     concurrency:
@@ -20,17 +23,16 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.9"
+          python-version: "3.x"
       - name: Install tox and setuptools
         run: |
           pip install tox
-          pip install --upgrade "setuptools<65.6"
       - name: Run linting suite
         run: tox -e black
 
   pip:
-    name: Python${{ matrix.python-version }} (${{ matrix.os }})
-    needs: black
+    name: Python${{ matrix.python-version }} (${{ matrix.os }}, upstream=${{ matrix.upstream-branch }})
+    needs: lint
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -87,7 +89,7 @@ jobs:
 
     - name: Install tox
       run: |
-        pip install tox~=4.0
+        python3 -m pip install tox~=4.5.0
     - name: Test with tox and report coverage
       run: |
         python3 -m tox -e ${{ matrix.tox-env }}
@@ -100,7 +102,7 @@ jobs:
 
   conda:
     name: Python${{ matrix.python-version }} (${{ matrix.os }}) (Conda)
-    needs: black
+    needs: lint
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -143,11 +145,13 @@ jobs:
       - name: List installed packages
         run: |
           conda list
+          python -m pip check || true
       - name: Test RavenPy
         run: |
-          pytest --cov --numprocesses=logical
+          python -m pytest --cov --numprocesses=logical
       - name: Report coverage
-        run: coveralls --service=github
+        run: |
+          python -m coveralls
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COVERALLS_FLAG_NAME: run-conda_${{ matrix.python-version }}_${{ matrix.os }}
@@ -163,8 +167,8 @@ jobs:
     steps:
     - name: Coveralls Finished
       run: |
-        pip install --upgrade coveralls
-        coveralls --finish
+        python -m pip install --upgrade coveralls
+        python -m coveralls --finish
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         COVERALLS_SERVICE_NAME: github

.github/workflows/publish-pypi.yml

@@ -5,19 +5,33 @@ on:
     types:
       - published
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish-pypi:
     name: Build and publish Python 🐍 distributions 📦 to PyPI
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ["3.8"]
+    environment: production
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            upload.pypi.org:443
       - uses: actions/checkout@v3
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: ${{ matrix.python-version }}
+          python-version: "3.x"
       - name: Install packaging libraries
         run: pip install flit
       - name: Build a binary wheel and a source tarball

.github/workflows/remove-obsolete-cache.yml

@@ -6,10 +6,23 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+
       - name: Check out code
         uses: actions/checkout@v3
 

.github/workflows/tag-testpypi.yml

@@ -5,19 +5,33 @@ on:
     tags:
       - '*'
 
+permissions:
+  contents: read
+
 jobs:
   build-n-publish-testpypi:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ["3.8"]
+    environment: staging
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            test.pypi.org:443
       - uses: actions/checkout@v3
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: ${{ matrix.python-version }}
+          python-version: "3.x"
       - name: Install packaging libraries
         run: pip install flit
       - name: Build a binary wheel and a source tarball
@@ -27,5 +41,5 @@ jobs:
         with:
           user: __token__
           password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
-          skip_existing: true
+          repository-url: https://test.pypi.org/legacy/
+          skip-existing: true

.pre-commit-config.yaml

@@ -3,7 +3,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.0
+    rev: v3.15.1
     hooks:
       - id: pyupgrade
         args: [ '--py38-plus' ]
@@ -32,7 +32,7 @@ repos:
     hooks:
       - id: toml-sort-fix
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.1.1
+    rev: 24.2.0
     hooks:
       - id: black
         exclude: ^docs/
@@ -46,21 +46,21 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/nbQA-dev/nbQA
-    rev: 1.7.1
+    rev: 1.8.3
     hooks:
       - id: nbqa-pyupgrade
         args: [ '--py38-plus' ]
-        additional_dependencies: [ 'pyupgrade==3.15.0' ]
+        additional_dependencies: [ 'pyupgrade==3.15.1' ]
       - id: nbqa-black
-        additional_dependencies: [ 'black==24.1.1' ]
+        additional_dependencies: [ 'black==24.2.0' ]
       - id: nbqa-isort
         additional_dependencies: [ 'isort==5.13.2' ]
   - repo: https://github.com/kynan/nbstripout
     rev: 0.7.1
     hooks:
       - id: nbstripout
         files: ".ipynb"
-        args: [ '--extra-keys', 'metadata.kernelspec' ]
+        args: [ '--extra-keys=metadata.kernelspec' ]
   - repo: https://github.com/pycqa/pydocstyle
     rev: 6.3.0
     hooks:
@@ -70,9 +70,9 @@ repos:
     rev: v0.3.9
     hooks:
       - id: blackdoc
-        additional_dependencies: [ 'black==24.1.1' ]
+        additional_dependencies: [ 'black==24.2.0' ]
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.34.0
+    rev: v1.35.1
     hooks:
       - id: yamllint
         args: [ '--config-file=.yamllint.yaml' ]

HISTORY.rst

@@ -2,22 +2,33 @@
 History
 =======
 
-0.13 (2023-01-10)
------------------
-* Fixed problem with scalar elevation in netCDF files parsed with `nc_specs` (issue #279, PR #323)
-* Added notebook on sensitivity analysis (PR #320)
-* Updated Notebooks 03 and 04 (PR #319)
-* Upgrade to pydantic v2 (PR #326)
-* Pin cf-xarray for Python3.8 (PR #325)
-* Fix Coveralls Workflows (PR #328)
-* Fix notebook execution (PR #329)
-* Refactor and simplify testing data fetching (PR #332)
+0.14.0 (2024--soon)
+-------------------
+* Added support for Python3.12.
+* Upgraded `raven-hydro` to v0.3.0 and `RavenHydroFramework` to v3.8.
+
+Internal changes
+^^^^^^^^^^^^^^^^
+* Updated GitHub publishing workflows to use Trusted Publisher for TestPyPI/PyPI releases.
+* Added Dependabot to keep dependencies up-to-date.
+* Now using step-security/harden-runner action to harden GitHub Actions runners.
+
+0.13.0 (2024-01-10)
+-------------------
+* Fixed problem with scalar elevation in netCDF files parsed with `nc_specs`. (issue #279, PR #323)
+* Added notebook on sensitivity analysis. (PR #320)
+* Updated Notebooks 03 and 04. (PR #319)
+* Upgrade to `pydantic` v2.0. (PR #326)
+* Pin `cf-xarray` for Python3.8. (PR #325)
+* Fix `Coveralls` Workflows. (PR #328)
+* Fix notebook execution. (PR #329)
+* Refactor and simplify testing data fetching. (PR #332)
 
 Breaking changes
 ^^^^^^^^^^^^^^^^
-* Update to Pydantic v2.
-* Added `h5netcdf` as a core dependency to provide a stabler backend for `xarray.open_dataset`.
-* Switched from `autodoc_pydantic` to `autodoc-pydantic` for `pydantic` v2.0+ support in documentation.
+* Update to `pydantic` v2.0. (PR #326)
+* Added `h5netcdf` as a core dependency to provide a stabler backend for `xarray.open_dataset`. (PR #332)
+* Switched from `autodoc_pydantic` to `autodoc-pydantic` for `pydantic` v2.0+ support in documentation. (PR #326)
 
 Internal changes
 ^^^^^^^^^^^^^^^^

environment.yml

@@ -7,7 +7,7 @@ dependencies:
   - raven-hydro ==0.2.4
   - libgcc  # for mixing raven-hydro from PyPI with conda environments
   - affine
-  - black >=24.1.1
+  - black >=24.2.0
   - cftime
   - cf_xarray
   - click

tox.ini

@@ -1,20 +1,21 @@
 [tox]
-min_version = 4.0
+min_version = 4.5
 envlist =
     black
     py{38,39,310,311,312}-{linux,macos}
     docs
 requires =
     flit
     pip >=23.0
+    setuptools >=63.0,<65.6
 opts =
     -vv
 
 [testenv:black]
 skip_install = True
 deps =
     flake8 >=7.0.0
-    black >=24.1.1
+    black >=24.2.0
     isort >=5.13.2
 commands =
     make lint