From f8af9c0d08b7ac18056d94001fec488e82714db9 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 5 Mar 2024 16:33:43 -0500 Subject: [PATCH] update version pins, add secruity hardening to workflows, update pre-commit, update HISTORY.rst --- .github/workflows/main.yml | 26 +++++++++------ .github/workflows/publish-pypi.yml | 22 +++++++++--- .github/workflows/remove-obsolete-cache.yml | 13 ++++++++ .github/workflows/tag-testpypi.yml | 26 +++++++++++---- .pre-commit-config.yaml | 16 ++++----- HISTORY.rst | 37 +++++++++++++-------- environment.yml | 2 +- tox.ini | 5 +-- 8 files changed, 102 insertions(+), 45 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 71b5ba88..f37ed0bf 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,8 +9,11 @@ on: env: RAVEN_TESTING_DATA_BRANCH: master +permissions: + contents: read + jobs: - black: + lint: name: Code linting runs-on: ubuntu-latest concurrency: @@ -20,17 +23,16 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: - python-version: "3.9" + python-version: "3.x" - name: Install tox and setuptools run: | pip install tox - pip install --upgrade "setuptools<65.6" - name: Run linting suite run: tox -e black pip: - name: Python${{ matrix.python-version }} (${{ matrix.os }}) - needs: black + name: Python${{ matrix.python-version }} (${{ matrix.os }}, upstream=${{ matrix.upstream-branch }}) + needs: lint runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -87,7 +89,7 @@ jobs: - name: Install tox run: | - pip install tox~=4.0 + python3 -m pip install tox~=4.5.0 - name: Test with tox and report coverage run: | python3 -m tox -e ${{ matrix.tox-env }} @@ -100,7 +102,7 @@ jobs: conda: name: Python${{ matrix.python-version }} (${{ matrix.os }}) (Conda) - needs: black + needs: lint runs-on: ${{ matrix.os }} strategy: fail-fast: false 
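Review bot: In the lint job's "Install tox and setuptools" step, tox is still installed unpinned (`pip install tox`) while the pip job two hunks later pins `python3 -m pip install tox~=4.5.0` and tox.ini in this same commit sets `min_version = 4.5`; the lint job should carry the same pin, `python3 -m pip install tox~=4.5.0`, and the step name no longer fits now that the setuptools line is gone. The job is renamed to `lint` but still runs `tox -e black`, so a reader has to check tox.ini to learn that `black` is the lint env; a one-line comment above the step, such as `# "black" is the tox env that runs the full lint suite`, would save that trip. The action references in these hunks (`actions/checkout@v4`, `actions/setup-python@v4`) remain mutable tags, whereas the publishing workflows in this commit pin harden-runner to a full commit SHA; if SHA pinning is the policy being introduced here, apply it to main.yml as well, with the version kept in a trailing comment.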
@@ -143,11 +145,13 @@ jobs: - name: List installed packages run: | conda list + python -m pip check || true - name: Test RavenPy run: | - pytest --cov --numprocesses=logical + python -m pytest --cov --numprocesses=logical - name: Report coverage - run: coveralls --service=github + run: | + python -m coveralls env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} COVERALLS_FLAG_NAME: run-conda_${{ matrix.python-version }}_${{ matrix.os }} @@ -163,8 +167,8 @@ jobs: steps: - name: Coveralls Finished run: | - pip install --upgrade coveralls - coveralls --finish + python -m pip install --upgrade coveralls + python -m coveralls --finish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} COVERALLS_SERVICE_NAME: github diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index 5e5aea84..86a284ec 100644 --- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -5,19 +5,33 @@ on: types: - published +permissions: + contents: read + jobs: build-n-publish-pypi: name: Build and publish Python 🐍 distributions 📦 to PyPI runs-on: ubuntu-latest - strategy: - matrix: - python-version: ["3.8"] + environment: production + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + upload.pypi.org:443 - uses: actions/checkout@v3 - name: Set up Python uses: actions/setup-python@v4 with: - python-version: ${{ matrix.python-version }} + python-version: "3.x" - name: Install packaging libraries run: pip install flit - name: Build a binary wheel and a source tarball diff --git a/.github/workflows/remove-obsolete-cache.yml b/.github/workflows/remove-obsolete-cache.yml index fdbabca6..dbce6f82 100644 --- a/.github/workflows/remove-obsolete-cache.yml 
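Review bot: The new `python -m pip check || true` line in the conda job's "List installed packages" step discards the check's exit status, so a broken dependency set only prints a message and the job continues into the test run; if that is intentional, say so in place with `# advisory only: report resolver conflicts without failing the job`, otherwise drop the `|| true` so conflicts fail the job before pytest runs. The rest of the conda job starts outside this hunk.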
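Review bot: `actions/checkout@v3` and `actions/setup-python@v4` in the build-n-publish-pypi job are still referenced by mutable tags, while the Harden Runner step added directly above them is pinned to a full commit SHA; in a release job that now holds `id-token: write`, a moved tag on checkout or setup-python is the weakest link, so pin both by SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha-placeholder> # v3`. `pip install flit` is likewise unpinned on the release path; a version pin (or a hash-pinned requirements file) would make the build tool reproducible. With `egress-policy: block` now in force, confirm that the publish step (outside this hunk) can still reach the Actions OIDC token endpoint it needs for trusted publishing; harden-runner's audit output for one run will show whether any host beyond the four listed is contacted.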
+++ b/.github/workflows/remove-obsolete-cache.yml @@ -6,10 +6,23 @@ on: types: - closed +permissions: + contents: read + jobs: cleanup: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + - name: Check out code uses: actions/checkout@v3 diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml index 6e24e670..e1d9ef0a 100644 --- a/.github/workflows/tag-testpypi.yml +++ b/.github/workflows/tag-testpypi.yml @@ -5,19 +5,33 @@ on: tags: - '*' +permissions: + contents: read + jobs: build-n-publish-testpypi: name: Build and publish Python 🐍 distributions 📦 to TestPyPI runs-on: ubuntu-latest - strategy: - matrix: - python-version: ["3.8"] + environment: staging + permissions: + # IMPORTANT: this permission is mandatory for trusted publishing + id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + test.pypi.org:443 - uses: actions/checkout@v3 - name: Set up Python uses: actions/setup-python@v4 with: - python-version: ${{ matrix.python-version }} + python-version: "3.x" - name: Install packaging libraries run: pip install flit - name: Build a binary wheel and a source tarball @@ -27,5 +41,5 @@ jobs: with: user: __token__ password: ${{ secrets.TEST_PYPI_API_TOKEN }} - repository_url: https://test.pypi.org/legacy/ - skip_existing: true + repository-url: https://test.pypi.org/legacy/ + skip-existing: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 80c806ba..e99b5e26 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
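Review bot: The workflow-level `permissions: contents: read` added here makes `GITHUB_TOKEN` read-only for the cleanup job, but deleting Actions caches through the GitHub API requires `actions: write`; the steps that perform the deletion are outside this hunk, so if they use `GITHUB_TOKEN` the job needs its own grant, e.g. under `cleanup:` add `permissions:` / `  actions: write` / `  contents: read` (a job-level block replaces the workflow default entirely, so `contents: read` must be repeated for checkout). The `allowed-endpoints` list includes `api.github.com:443`, which suggests the job does call the REST API; a short comment naming which step needs each endpoint would make the egress policy easier to maintain when steps change.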
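Review bot: The TestPyPI upload step still passes `user: __token__` and `password: ${{ secrets.TEST_PYPI_API_TOKEN }}`, so the `id-token: write` permission granted to the job in the first hunk is not actually exercised: as I read the docs of pypa/gh-action-pypi-publish (presumably the action behind these inputs; its `uses:` line is outside the hunk), the OIDC token is used only when no password is supplied, and the job as written keeps the long-lived API token that this commit's changelog entry describes as replaced by Trusted Publisher. Once a trusted publisher is registered on test.pypi.org for this repository and workflow, remove the `user:` and `password:` lines; until then either leave out `id-token: write` or mark the token fallback as temporary with a comment such as `# TODO: drop API token once the TestPyPI trusted publisher is configured`. The `repository_url`/`skip_existing` to `repository-url`/`skip-existing` rename matches the action's current input names; confirm the pinned action version accepts the hyphenated form.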
@@ -3,7 +3,7 @@ default_language_version: repos: - repo: https://github.com/asottile/pyupgrade - rev: v3.15.0 + rev: v3.15.1 hooks: - id: pyupgrade args: [ '--py38-plus' ] @@ -32,7 +32,7 @@ repos: hooks: - id: toml-sort-fix - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.1.1 + rev: 24.2.0 hooks: - id: black exclude: ^docs/ @@ -46,13 +46,13 @@ repos: hooks: - id: isort - repo: https://github.com/nbQA-dev/nbQA - rev: 1.7.1 + rev: 1.8.3 hooks: - id: nbqa-pyupgrade args: [ '--py38-plus' ] - additional_dependencies: [ 'pyupgrade==3.15.0' ] + additional_dependencies: [ 'pyupgrade==3.15.1' ] - id: nbqa-black - additional_dependencies: [ 'black==24.1.1' ] + additional_dependencies: [ 'black==24.2.0' ] - id: nbqa-isort additional_dependencies: [ 'isort==5.13.2' ] - repo: https://github.com/kynan/nbstripout @@ -60,7 +60,7 @@ repos: hooks: - id: nbstripout files: ".ipynb" - args: [ '--extra-keys', 'metadata.kernelspec' ] + args: [ '--extra-keys=metadata.kernelspec' ] - repo: https://github.com/pycqa/pydocstyle rev: 6.3.0 hooks: @@ -70,9 +70,9 @@ repos: rev: v0.3.9 hooks: - id: blackdoc - additional_dependencies: [ 'black==24.1.1' ] + additional_dependencies: [ 'black==24.2.0' ] - repo: https://github.com/adrienverge/yamllint.git - rev: v1.34.0 + rev: v1.35.1 hooks: - id: yamllint args: [ '--config-file=.yamllint.yaml' ] diff --git a/HISTORY.rst b/HISTORY.rst index c3ae05f8..19ed6b23 100644 --- a/HISTORY.rst +++ b/HISTORY.rst 
@@ -2,22 +2,33 @@ History ======= -0.13 (2023-01-10) ------------------ -* Fixed problem with scalar elevation in netCDF files parsed with `nc_specs` (issue #279, PR #323) -* Added notebook on sensitivity analysis (PR #320) -* Updated Notebooks 03 and 04 (PR #319) -* Upgrade to pydantic v2 (PR #326) -* Pin cf-xarray for Python3.8 (PR #325) -* Fix Coveralls Workflows (PR #328) -* Fix notebook execution (PR #329) -* Refactor and simplify testing data fetching (PR #332) +0.14.0 (2024--soon) +------------------- +* Added support for Python3.12. +* Upgraded `raven-hydro` to v0.3.0 and `RavenHydroFramework` to v3.8. + +Internal changes +^^^^^^^^^^^^^^^^ +* Updated GitHub publishing workflows to use Trusted Publisher for TestPyPI/PyPI releases. +* Added Dependabot to keep dependencies up-to-date. +* Now using step-security/harden-runner action to harden GitHub Actions runners. + +0.13.0 (2024-01-10) +------------------- +* Fixed problem with scalar elevation in netCDF files parsed with `nc_specs`. (issue #279, PR #323) +* Added notebook on sensitivity analysis. (PR #320) +* Updated Notebooks 03 and 04. (PR #319) +* Upgrade to `pydantic` v2.0. (PR #326) +* Pin `cf-xarray` for Python3.8. (PR #325) +* Fix `Coveralls` Workflows. (PR #328) +* Fix notebook execution. (PR #329) +* Refactor and simplify testing data fetching. (PR #332) Breaking changes ^^^^^^^^^^^^^^^^ -* Update to Pydantic v2. -* Added `h5netcdf` as a core dependency to provide a stabler backend for `xarray.open_dataset`. -* Switched from `autodoc_pydantic` to `autodoc-pydantic` for `pydantic` v2.0+ support in documentation. +* Update to `pydantic` v2.0. (PR #326) +* Added `h5netcdf` as a core dependency to provide a stabler backend for `xarray.open_dataset`. (PR #332) +* Switched from `autodoc_pydantic` to `autodoc-pydantic` for `pydantic` v2.0+ support in documentation. (PR #326) Internal changes ^^^^^^^^^^^^^^^^ diff --git a/environment.yml b/environment.yml index 9bfa2b48..d3c35427 100644 
--- a/environment.yml +++ b/environment.yml @@ -7,7 +7,7 @@ dependencies: - raven-hydro ==0.2.4 - libgcc # for mixing raven-hydro from PyPI with conda environments - affine - - black >=24.1.1 + - black >=24.2.0 - cftime - cf_xarray - click diff --git a/tox.ini b/tox.ini index d5c73976..d1f705d2 100644 --- a/tox.ini +++ b/tox.ini @@ -1,5 +1,5 @@ [tox] -min_version = 4.0 +min_version = 4.5 envlist = black py{38,39,310,311,312}-{linux,macos} @@ -7,6 +7,7 @@ envlist = requires = flit pip >=23.0 + setuptools >=63.0,<65.6 opts = -vv @@ -14,7 +15,7 @@ opts = skip_install = True deps = flake8 >=7.0.0 - black >=24.1.1 + black >=24.2.0 isort >=5.13.2 commands = make lint
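Review bot: The new `setuptools >=63.0,<65.6` entry under `requires` carries an upper bound with no explanation, and the same commit removes the equivalent `pip install --upgrade "setuptools<65.6"` line from main.yml, so this tox.ini line is now the only place the constraint lives; add a comment above it stating the reason, e.g. `# <65.6: <reason placeholder - fill in the breakage this avoids>`, so the bound is not silently dropped in a future dependency bump.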