merge master and heat_spell

.github/workflows/add-to-project.yml

@@ -13,11 +13,10 @@ jobs:
     name: Add Issue to xclim Project
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       repository-projects: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/bump-version.yml

@@ -9,6 +9,7 @@ on:
       - .github/*/*.md
       - .github/*/*.yml
       - CHANGELOG.rst
+      - CI/*.in
       - CI/*.txt
       - Makefile
       - docs/*/*.ipynb
@@ -32,10 +33,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       actions: read
-      contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -73,7 +73,7 @@ jobs:
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
       - name: Install CI libraries
         run: |
-          python -m pip install -r CI/requirements_ci.txt
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Conditional Bump
         run: |
           if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then

.github/workflows/cache-cleaner.yml

@@ -7,14 +7,15 @@ on:
 
 permissions:
   contents: read
-  actions: write
 
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/codeql.yml

@@ -16,6 +16,9 @@ on:
       - docs/*/*.rst
       - .github/*/*.yml
       - .pre-commit-config.yaml
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: '30 23 * * 5'
 
@@ -37,7 +40,7 @@ jobs:
           - 'python'
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/dependency-review.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/first-pull-request.yml

@@ -13,11 +13,10 @@ jobs:
     name: Welcome
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/label-on-approval.yml

@@ -21,18 +21,15 @@ jobs:
       (github.event.review.state == 'approved') &&
       (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)
     permissions:
-      checks: write
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
-
       - name: Label Approved
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
@@ -51,47 +48,53 @@ jobs:
       (github.event_name == 'pull_request_target') &&
       (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
     permissions:
-      checks: write
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
-      - name: Find Comment
+      - name: Find Warning Comment
         uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
-        id: fc
+        id: fc_warning
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
           body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
-      - name: Create Comment
+      - name: Update Warning Comment
         if: |
-          (steps.fc.outputs.comment-id == '') &&
+          (steps.fc_warning.outputs.comment-id == '') &&
           (!contains(github.event.pull_request.labels.*.name, 'approved')) &&
           (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
-          comment-id: ${{ steps.fc.outputs.comment-id }}
+          comment-id: ${{ steps.fc_warning.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
           body: |
-            > **Warning**
+            > [!WARNING]
             > This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
           edit-mode: replace
-      - name: Update Comment
+      - name: Find Note Comment
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
+        id: fc_note
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: This Pull Request has been manually approved for additional testing!
+      - name: Update Note Comment
         if: |
+          (steps.fc_note.outputs.comment-id == '') &&
           contains(github.event.pull_request.labels.*.name, 'approved')
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
-          comment-id: ${{ steps.fc.outputs.comment-id }}
+          comment-id: ${{ steps.fc_note.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
           body: |
-            > **Note**
-            > This Pull Request is approved!
+            > [!NOTE]
+            > This Pull Request has been manually approved for additional testing!
           reactions: |
             hooray
           edit-mode: append

.github/workflows/label.yml

@@ -24,12 +24,10 @@ jobs:
     name: Label
     runs-on: ubuntu-latest
     permissions:
-      checks: write
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block