Merge branch 'master' into fix_spi_attrs_2

Ouranosinc · Jan 9, 2024 · 02f7457 · 02f7457
2 parents 626d481 + 7d79184
commit 02f7457
Show file tree

Hide file tree

Showing 30 changed files with 702 additions and 413 deletions.
diff --git a/.flake8 b/.flake8
@@ -0,0 +1,40 @@
+[flake8]
+exclude =
+	.git,
+	docs,
+	build,
+	.eggs,
+	tests
+ignore =
+	AZ100,
+	AZ200,
+	AZ300,
+	C,
+	D,
+	E,
+	F,
+	W503
+per-file-ignores =
+	xclim/core/locales.py:RST399
+rst-directives =
+	bibliography,
+	autolink-skip
+rst-roles =
+	doc,
+	mod,
+	py:attr,
+	py:attribute,
+	py:class,
+	py:const,
+	py:data,
+	py:func,
+	py:indicator,
+	py:meth,
+	py:mod,
+	py:obj,
+	py:ref,
+	ref,
+	cite:cts,
+	cite:p,
+	cite:t,
+	cite:ts
diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml
@@ -6,20 +6,31 @@ on:
     - cron:  '0 0 1 * *'
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/[email protected]
         with:
-          token: ${{ secrets.BUMPVERSION_TOKEN }}
+          token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           persist-credentials: true
+
       - name: Run GitHub Actions Version Updater
         uses: saadmk11/[email protected]
         with:
-          token: ${{ secrets.BUMPVERSION_TOKEN }}
+          token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           committer_email: 'bumpversion[bot]@ouranos.ca'
           committer_username: 'update-github-actions[bot]'
           pull_request_title: '[bot] Update GitHub Action Versions'
           pull_request_team_reviewers: "xclim-core"
+          update_version_with: "release-commit-sha"
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -5,6 +5,9 @@ on:
     types:
       - opened
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   add-to-project:
     name: Add Issue to xclim Project

diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -20,19 +20,25 @@ on:
       - pyproject.toml
       - requirements_dev.txt
       - requirements_upstream.txt
-      - setup.cfg
       - tox.ini
       - xclim/__init__.py
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   bump_patch_version:
     name: Bumpversion Patch
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v4.7.1
+      - uses: actions/setup-python@v5.0.0
         with:
           python-version: "3.x"
       - name: Config Commit Bot
@@ -43,10 +49,22 @@ jobs:
         run: |
           CURRENT_VERSION="$(grep -E '__version__'  xclim/__init__.py | cut -d ' ' -f3)"
           echo "current_version=${CURRENT_VERSION}"
+          echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
+      - name: Install bump-my-version
+        run: |
+          python -m pip install bump-my-version
       - name: Bump Patch Version
+        if: ${{ !env.CURRENT_VERSION =~ \d+\.\d+\.\d+(-dev(\.\d+)?)?$ }}
+        run: |
+          echo "Version is stable, bumping 'patch' version"
+          bump-my-version bump patch
+          NEW_VERSION="$(grep -E '__version__'  xclim/__init__.py | cut -d ' ' -f3)"
+          echo "new_version=${NEW_VERSION}"
+      - name: Bump Build Version
+        if: ${{ env.CURRENT_VERSION =~ \d+\.\d+\.\d+(-dev(\.\d+)?)?$ }}
         run: |
-          python -m pip install bump2version
-          echo "running `bump2version patch`"
+          echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version"
+          bump-my-version bump build
           NEW_VERSION="$(grep -E '__version__'  xclim/__init__.py | cut -d ' ' -f3)"
           echo "new_version=${NEW_VERSION}"
       - name: Push Changes

diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml
@@ -5,10 +5,18 @@ on:
     types:
       - closed
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/[email protected]
 

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,7 +9,6 @@ on:
       - Makefile
       - pyproject.toml
       - requirements_upstream.txt
-      - setup.cfg
       - tox.ini
       - xclim/__init__.py
       - docs/**.ipynb
@@ -20,6 +19,9 @@ on:
   schedule:
     - cron: '30 23 * * 5'
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  actions: read
+
 jobs:
   analyze:
     name: Analyze
@@ -34,6 +36,10 @@ jobs:
         language:
           - 'python'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/[email protected]
       # Initializes the CodeQL tools for scanning.

diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml
@@ -10,6 +10,11 @@ jobs:
     name: Welcome
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - uses: actions/[email protected]
         with:
           script: |

diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -20,6 +20,6 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v4.3.0
+    - uses: actions/labeler@v5.0.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,7 +8,6 @@ on:
       - CHANGES.rst
       - README.rst
       - pyproject.toml
-      - setup.cfg
       - xclim/__init__.py
   pull_request:
     types:
@@ -27,6 +26,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   lint:
     name: Black (Python${{ matrix.python-version }})
@@ -40,9 +43,13 @@ jobs:
         python-version:
           - "3.8"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Set up Python${{ matrix.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@v5.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install pylint and tox
@@ -66,9 +73,13 @@ jobs:
           - tox-env: "py39"  # "py39-coverage"
             python-version: "3.9"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Set up Python${{ matrix.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@v5.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
@@ -110,14 +121,18 @@ jobs:
             python-version: "3.11"
             markers: -m 'not slow and not requires_internet'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Install Eigen3
         if: contains(matrix.tox-env, 'sbck')
         run: |
           sudo apt-get update
           sudo apt-get install libeigen3-dev
       - name: Set up Python${{ matrix.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@v5.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
@@ -149,9 +164,13 @@ jobs:
       run:
         shell: bash -l {0}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
-        uses: mamba-org/setup-micromamba@v1.6.0
+        uses: mamba-org/setup-micromamba@v1.7.3
         with:
           cache-downloads: true
           cache-environment: true
@@ -203,6 +222,10 @@ jobs:
     runs-on: ubuntu-latest
     container: python:3-slim
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Coveralls Finished
         run: |
           python -m pip install --upgrade coveralls