From 5d00ed6160bada26f67054858ceb62a9e9cac13d Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 15:33:09 -0500 Subject: [PATCH 01/14] add gitleaks for secrets detection --- .pre-commit-config.yaml | 156 ++++++++++++++++++++-------------------- 1 file changed, 80 insertions(+), 76 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bf52a2687..d63356a1f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -2,82 +2,86 @@ default_language_version: python: python3 repos: -- repo: https://github.com/asottile/pyupgrade - rev: v3.15.0 - hooks: - - id: pyupgrade - args: ['--py38-plus'] - exclude: 'xclim/core/indicator.py' -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 - hooks: - - id: trailing-whitespace - - id: end-of-file-fixer - exclude: '.ipynb|.github/publish-mastodon.template.md' - - id: check-json - - id: check-toml - - id: check-yaml - args: [ '--allow-multiple-documents' ] - - id: debug-statements - - id: pretty-format-json - args: [ '--autofix', '--no-ensure-ascii', '--no-sort-keys' ] - exclude: '.ipynb' -- repo: https://github.com/pappasam/toml-sort - rev: v0.23.1 - hooks: - - id: toml-sort-fix -- repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 - hooks: - - id: yamllint - args: [ '--config-file=.yamllint.yaml' ] -- repo: https://github.com/psf/black-pre-commit-mirror - rev: 23.12.1 - hooks: - - id: black -- repo: https://github.com/PyCQA/isort - rev: 5.13.2 - hooks: - - id: isort -- repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.1.9 - hooks: - - id: ruff -- repo: https://github.com/pycqa/flake8 - rev: 6.1.0 - hooks: - - id: flake8 - additional_dependencies: [ 'flake8-alphabetize', 'flake8-rst-docstrings '] - args: [ '--config=.flake8' ] -- repo: https://github.com/nbQA-dev/nbQA - rev: 1.7.1 - hooks: - - id: nbqa-pyupgrade - args: [ '--py38-plus' ] - - id: nbqa-black - additional_dependencies: [ 'black==23.12.1' ] - - id: nbqa-isort -- repo: https://github.com/kynan/nbstripout - rev: 0.6.1 - hooks: - - id: nbstripout - files: '.ipynb' - args: [ '--extra-keys', 'metadata.kernelspec' ] -- repo: https://github.com/keewis/blackdoc - rev: v0.3.9 - hooks: - - id: blackdoc - additional_dependencies: [ 'black==23.12.1' ] - exclude: '(xclim/indices/__init__.py|docs/installation.rst)' -- repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.27.3 - hooks: - - id: check-github-workflows - - id: 
check-readthedocs -- repo: meta - hooks: - - id: check-hooks-apply - - id: check-useless-excludes + - repo: https://github.com/asottile/pyupgrade + rev: v3.15.0 + hooks: + - id: pyupgrade + args: ['--py38-plus'] + exclude: 'xclim/core/indicator.py' + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.5.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + exclude: '.ipynb|.github/publish-mastodon.template.md' + - id: check-json + - id: check-toml + - id: check-yaml + args: [ '--allow-multiple-documents' ] + - id: debug-statements + - id: pretty-format-json + args: [ '--autofix', '--no-ensure-ascii', '--no-sort-keys' ] + exclude: '.ipynb' + - repo: https://github.com/pappasam/toml-sort + rev: v0.23.1 + hooks: + - id: toml-sort-fix + - repo: https://github.com/adrienverge/yamllint.git + rev: v1.33.0 + hooks: + - id: yamllint + args: [ '--config-file=.yamllint.yaml' ] + - repo: https://github.com/psf/black-pre-commit-mirror + rev: 23.12.1 + hooks: + - id: black + - repo: https://github.com/PyCQA/isort + rev: 5.13.2 + hooks: + - id: isort + - repo: https://github.com/astral-sh/ruff-pre-commit + rev: v0.1.9 + hooks: + - id: ruff + - repo: https://github.com/pycqa/flake8 + rev: 6.1.0 + hooks: + - id: flake8 + additional_dependencies: [ 'flake8-alphabetize', 'flake8-rst-docstrings '] + args: [ '--config=.flake8' ] + - repo: https://github.com/nbQA-dev/nbQA + rev: 1.7.1 + hooks: + - id: nbqa-pyupgrade + args: [ '--py38-plus' ] + - id: nbqa-black + additional_dependencies: [ 'black==23.12.1' ] + - id: nbqa-isort + - repo: https://github.com/kynan/nbstripout + rev: 0.6.1 + hooks: + - id: nbstripout + files: '.ipynb' + args: [ '--extra-keys', 'metadata.kernelspec' ] + - repo: https://github.com/keewis/blackdoc + rev: v0.3.9 + hooks: + - id: blackdoc + additional_dependencies: [ 'black==23.12.1' ] + exclude: '(xclim/indices/__init__.py|docs/installation.rst)' + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.1 + hooks: + - id: gitleaks + - 
repo: https://github.com/python-jsonschema/check-jsonschema + rev: 0.27.3 + hooks: + - id: check-github-workflows + - id: check-readthedocs + - repo: meta + hooks: + - id: check-hooks-apply + - id: check-useless-excludes ci: autofix_commit_msg: | From 1a0ce7f92da917899f5b76185cd62c4262faa68f Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 15:51:30 -0500 Subject: [PATCH 02/14] add missing hardeniung audits, restrict requests for audited workflows --- .../workflows/actions-versions-updater.yml | 11 +++++-- .github/workflows/add-to-project.yml | 7 +++++ .github/workflows/bump-version.yml | 3 ++ .github/workflows/cache-cleaner.yml | 7 ++++- .github/workflows/dependency-review.yml | 4 +++ .github/workflows/first_pull_request.yml | 6 ++++ .github/workflows/label.yml | 11 +++++-- .github/workflows/label_on_approval.yml | 4 +++ .github/workflows/main.yml | 31 +++++++++++++++++-- .github/workflows/publish-mastodon.yml | 3 ++ .github/workflows/testdata_version.yml | 4 +++ .github/workflows/upstream.yml | 10 +++++- 12 files changed, 91 insertions(+), 10 deletions(-) diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml index 14a9894e4..8dd02f117 100644 --- a/.github/workflows/actions-versions-updater.yml +++ b/.github/workflows/actions-versions-updater.yml @@ -12,12 +12,19 @@ permissions: # added using https://github.com/step-security/secure-repo jobs: build: runs-on: ubuntu-latest - + permissions: + actions: write + contents: write + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: Checkout uses: actions/checkout@v4.1.1 
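Review bot: The new gitleaks hook only inspects what is staged at commit time (the upstream pre-commit entry runs `gitleaks protect --staged`, as far as I recall), so it does not cover secrets already present in history or in files that are never touched again; a one-off `gitleaks detect` over the whole repository, run manually or in CI, is still needed to establish a clean baseline, and a comment on the hook saying so would keep that from being assumed. While the repos list is being re-indented, `'flake8-rst-docstrings '` on the flake8 hook carries a trailing space inside the quotes, which is at best confusing and depends on pip's requirement parser tolerating it; `additional_dependencies: [ 'flake8-alphabetize', 'flake8-rst-docstrings' ]` is what is intended. `rev: v8.16.1` is a movable tag like every other hook in this file, which matches the file's convention but is weaker than the commit-SHA pinning the workflows in this series use for harden-runner.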
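Review bot: `actions/checkout@v4.1.1` in the context just below the hardened step is still pinned to a mutable tag, while harden-runner on the same job is pinned to a commit SHA with the version in a trailing comment; a tag can be moved, so the new egress allowlist limits where a compromised third-party action could send data but not whether that action's code is what was reviewed. The same applies to `actions/add-to-project@v0.5.0` (add-to-project.yml), `actions/labeler@v4.3.0` (label.yml), `actions/github-script@v7.0.1` (label_on_approval.yml), `actions/setup-python@v4.7.1` and `mamba-org/setup-micromamba@v1.6.0` (main.yml, upstream.yml), and `peter-evans/find-comment@v2.4.0` in patch 12. Pinning each `uses:` to a full SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<commit-sha> # v4.1.1`, reuses the pattern this series already applies to harden-runner. Separately, the job-level `actions: write` added here is broader than the `contents` and `pull-requests` grants; if the job only pushes a branch and opens a pull request it may be unnecessary, which is worth confirming against the later steps, which lie outside this hunk.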
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 9f5483b8e..24f7c6b50 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -12,7 +12,14 @@ jobs: add-to-project: name: Add Issue to xclim Project runs-on: ubuntu-latest + permissions: + contents: read + repository-projects: write steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/add-to-project@v0.5.0 with: project-url: https://github.com/orgs/Ouranosinc/projects/6 diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index dc9505d46..f6019f0dd 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -30,6 +30,9 @@ jobs: bump_patch_version: name: Bumpversion Patch runs-on: ubuntu-latest + permissions: + actions: read + contents: write steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml index f141b39a4..96d1993fb 100644 --- a/.github/workflows/cache-cleaner.yml +++ b/.github/workflows/cache-cleaner.yml @@ -15,7 +15,12 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 - name: Check out code uses: actions/checkout@v4.1.1 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 0d32ba911..3ff60cee3 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
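Review bot: The Harden Runner step added to the `add-to-project` job keeps `egress-policy: audit`, which only records outbound connections and blocks nothing, whereas the other hunks in this patch (actions-versions-updater, cache-cleaner, main, upstream) move to `egress-policy: block` with an explicit `allowed-endpoints` list. Patch 04 later tightens dependency-review and testdata_version and patch 09 tightens label.yml, but add-to-project and both label_on_approval jobs (patch 12) are still in audit mode at the end of the series. If audit is deliberate while the endpoint list is being collected, a comment such as `# TODO: switch to egress-policy: block once the audit log shows the endpoints this job needs` would record the intent; for an API-only job like this one `api.github.com:443` is probably all that is required, but that should be read off the audit output rather than assumed.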
@@ -15,6 +15,10 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - name: 'Checkout Repository' uses: actions/checkout@v4.1.1 - name: 'Dependency Review' diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml index 2fb5e70b2..f3f44a97a 100644 --- a/.github/workflows/first_pull_request.yml +++ b/.github/workflows/first_pull_request.yml @@ -5,10 +5,16 @@ on: types: - opened +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: welcome: name: Welcome runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 6060fe1c1..0bc8031bb 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -18,8 +18,13 @@ permissions: jobs: label: + name: Label runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4.3.0 - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/labeler@v4.3.0 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/label_on_approval.yml b/.github/workflows/label_on_approval.yml index 4f6139bea..11cb6cc3b 100644 --- a/.github/workflows/label_on_approval.yml +++ b/.github/workflows/label_on_approval.yml 
@@ -23,6 +23,10 @@ jobs: (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - name: Label Approved uses: actions/github-script@v7.0.1 with: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bb9719474..3e98cd544 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -76,7 +76,12 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 - uses: actions/checkout@v4.1.1 - name: Set up Python${{ matrix.python-version }} uses: actions/setup-python@v4.7.1 @@ -124,7 +129,18 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + coveralls.io:443 + esm.ubuntu.com:443 + files.pythonhosted.org:443 + github.com:443 + motd.ubuntu.com:443 + packages.microsoft.com:443 + ppa.launchpadcontent.net:443 + pypi.org:443 + raw.githubusercontent.com:443 - uses: actions/checkout@v4.1.1 - name: Install Eigen3 if: contains(matrix.tox-env, 'sbck') 
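Review bot: The second main.yml hunk (`@@ -124,7 +129,18 @@`) switches to `egress-policy: block` but, unlike the sibling hunks in this patch, does not set `disable-sudo: true`, and its allowlist includes `azure.archive.ubuntu.com:80`, `esm.ubuntu.com:443`, `ppa.launchpadcontent.net:443` and `packages.microsoft.com:443`; the context line `- name: Install Eigen3` suggests this job installs system packages with apt, which presumably needs sudo. That reasoning is not recorded anywhere, so the next person tightening the file is likely to add `disable-sudo: true` and break the job; a comment on the `with:` block, e.g. `# sudo stays enabled: the Install Eigen3 step installs packages with apt`, would explain the exception. The `:80` entry is plain HTTP, which is normal for an apt mirror because apt verifies package signatures, but stating that it is intentional keeps it from being read as an oversight. Note also that allowlisting is per host, so `github.com:443` and `raw.githubusercontent.com:443` permit fetching from any repository; the list constrains where data can go, not the provenance of what is downloaded.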
@@ -167,7 +183,16 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + coveralls.io:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + raw.githubusercontent.com:443 - uses: actions/checkout@v4.1.1 - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} uses: mamba-org/setup-micromamba@v1.6.0 diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml index f5f839da6..70cdffc4a 100644 --- a/.github/workflows/publish-mastodon.yml +++ b/.github/workflows/publish-mastodon.yml @@ -15,6 +15,9 @@ on: default: true type: boolean +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: toot: runs-on: ubuntu-latest diff --git a/.github/workflows/testdata_version.yml b/.github/workflows/testdata_version.yml index 325833d74..74819ec04 100644 --- a/.github/workflows/testdata_version.yml +++ b/.github/workflows/testdata_version.yml @@ -20,6 +20,10 @@ jobs: contents: read pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Find xclim-testdata Tag and CI Testing Branch run: | diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index 3ddaeaca6..9371ec833 100644 --- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml 
@@ -42,7 +42,15 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + raw.githubusercontent.com:443 - uses: actions/checkout@v4.1.1 with: fetch-depth: 0 # Fetch all history for all branches and tags. From 53a243d862da963a1444bd65b4aeb19efeb2599e Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 16:13:27 -0500 Subject: [PATCH 03/14] allow fetching from raw.githubusercontent.com --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3e98cd544..b88496b22 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -82,6 +82,7 @@ jobs: files.pythonhosted.org:443 github.com:443 pypi.org:443 + raw.githubusercontent.com:443 - uses: actions/checkout@v4.1.1 - name: Set up Python${{ matrix.python-version }} uses: actions/setup-python@v4.7.1 From 17291192ff137fba68351a0304e38b9b79c4f8c9 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 16:14:56 -0500 Subject: [PATCH 04/14] harden dependency-review.yml and testdata_version.yml --- .github/workflows/dependency-review.yml | 6 +++++- .github/workflows/testdata_version.yml | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3ff60cee3..19c43a455 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -18,7 +18,11 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: 'Checkout Repository' uses: actions/checkout@v4.1.1 - name: 'Dependency Review' diff --git a/.github/workflows/testdata_version.yml b/.github/workflows/testdata_version.yml index 74819ec04..cff8527e0 100644 --- a/.github/workflows/testdata_version.yml +++ b/.github/workflows/testdata_version.yml @@ -23,7 +23,11 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - uses: actions/checkout@v4.1.1 - name: Find xclim-testdata Tag and CI Testing Branch run: | From aa4af9ff5d15c266bde39251139fb68553721b7c Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:28:02 -0500 Subject: [PATCH 05/14] update to labeler v5 --- .github/labeler.yml | 69 +++++++++++++++++++++++-------------- .github/workflows/label.yml | 6 ++-- 2 files changed, 47 insertions(+), 28 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 50a3cba46..9864fb378 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -6,39 +6,56 @@ # not configurations related to the deployment process itself. API: - - xclim/cli.py + - any: + - changed-files: + - any-glob-to-any-file: + - 'xclim/cli.py' CI: - - .editorconfig - - .pre-commit-config.yaml - - .readthedocs.yml - - .yamllint.yml - - .github/workflows/* - - docs/Makefile - - pylintrc - - tox.ini - - Makefile + - any: + - changed-files: + - any-glob-to-any-file: + - .editorconfig + - .pre-commit-config.yaml + - .readthedocs.yml + - .yamllint.yml + - .github/workflows/* + - docs/Makefile + - pylintrc + - tox.ini + - Makefile docs: - - .readthedocs.yml - - docs/**/* - - AUTHORS.rst - - CONTRIBUTING.rst - - ISSUE_TEMPLATE/**/* - - ISSUE_TEMPLATE.md - - PULL_REQUEST_TEMPLATE.md - - README.rst + - any: + - changed-files: + - any-glob-to-any-file: + - .readthedocs.yml + - docs/**/* + - AUTHORS.rst + - CONTRIBUTING.rst + - ISSUE_TEMPLATE/**/* + - ISSUE_TEMPLATE.md + - PULL_REQUEST_TEMPLATE.md + - README.rst indicators: - - xclim/indicators/**/* - - xclim/indicators/**/* - - xclim/indices/**/_*.py - - xclim/data/**/*.json - - xclim/data/**/*.yml + - any: + - changed-files: + - any-glob-to-any-file: + - xclim/indicators/**/* + - xclim/indices/**/_*.py + - xclim/data/**/*.json + - xclim/data/**/*.yml information: - - CONTRIBUTING.rst + - any: + - changed-files: + - any-glob-to-any-file: + - CONTRIBUTING.rst sdba: - - xclim/sdba/**/* - - tests/test_sdba/*.py + - any: + - changed-files: + - any-glob-to-any-file: + - xclim/sdba/**/* + - tests/test_sdba/*.py diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 2d05d2248..06d031996 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml 
@@ -12,14 +12,16 @@ on: [pull_request_target] # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target permissions: - checks: write contents: read - pull-requests: write jobs: label: name: Label runs-on: ubuntu-latest + permissions: + checks: write + contents: read + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 From 919de2627f84a6a8e973ec526380ec607800ecce Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:32:24 -0500 Subject: [PATCH 06/14] remove 'any' config --- .github/labeler.yml | 80 +++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 43 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 9864fb378..c0e988095 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
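Review bot: The `permissions` block moved into the `label` job keeps `checks: write`, which as far as I know actions/labeler does not use; its README documents `contents: read` and `pull-requests: write` as the permissions needed for v5. Since this workflow runs on `pull_request_target` with a write-capable GITHUB_TOKEN (the file's own header comment flags that), keeping every grant at the documented minimum is what the top-level `contents: read` tightening in this same hunk is aiming for, so the job block could be just `contents: read` and `pull-requests: write` if that holds. The same `checks: write` grant is added to both jobs in label_on_approval.yml in patch 12, where `actions/github-script` and `peter-evans/find-comment` act on pull-request labels and comments; confirm whether either step creates check runs before dropping it there too.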
@@ -6,56 +6,50 @@ # not configurations related to the deployment process itself. API: - - any: - - changed-files: - - any-glob-to-any-file: - - 'xclim/cli.py' + - changed-files: + - any-glob-to-any-file: + - 'xclim/cli.py' CI: - - any: - - changed-files: - - any-glob-to-any-file: - - .editorconfig - - .pre-commit-config.yaml - - .readthedocs.yml - - .yamllint.yml - - .github/workflows/* - - docs/Makefile - - pylintrc - - tox.ini - - Makefile + - changed-files: + - any-glob-to-any-file: + - .editorconfig + - .pre-commit-config.yaml + - .readthedocs.yml + - .yamllint.yml + - .github/workflows/* + - docs/Makefile + - pylintrc + - tox.ini + - Makefile docs: - - any: - - changed-files: - - any-glob-to-any-file: - - .readthedocs.yml - - docs/**/* - - AUTHORS.rst - - CONTRIBUTING.rst - - ISSUE_TEMPLATE/**/* - - ISSUE_TEMPLATE.md - - PULL_REQUEST_TEMPLATE.md - - README.rst + - changed-files: + - any-glob-to-any-file: + - .readthedocs.yml + - docs/**/* + - AUTHORS.rst + - CONTRIBUTING.rst + - ISSUE_TEMPLATE/**/* + - ISSUE_TEMPLATE.md + - PULL_REQUEST_TEMPLATE.md + - README.rst indicators: - - any: - - changed-files: - - any-glob-to-any-file: - - xclim/indicators/**/* - - xclim/indices/**/_*.py - - xclim/data/**/*.json - - xclim/data/**/*.yml + - changed-files: + - any-glob-to-any-file: + - xclim/indicators/**/* + - xclim/indices/**/_*.py + - xclim/data/**/*.json + - xclim/data/**/*.yml information: - - any: - - changed-files: - - any-glob-to-any-file: - - CONTRIBUTING.rst + - changed-files: + - any-glob-to-any-file: + - CONTRIBUTING.rst sdba: - - any: - - changed-files: - - any-glob-to-any-file: - - xclim/sdba/**/* - - tests/test_sdba/*.py + - changed-files: + - any-glob-to-any-file: + - xclim/sdba/**/* + - tests/test_sdba/*.py From 69a5bb757127728769ae3db9b132d80f3298c7e2 Mon Sep 17 00:00:00 2001 
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:43:21 -0500 Subject: [PATCH 07/14] use single quotes --- .github/labeler.yml | 60 ++++++++++++++++++++++----------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index c0e988095..006bae551 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -5,51 +5,51 @@ # we refer here to CI as the 'meta' configuration files for managing the code and integrations with the repository, # not configurations related to the deployment process itself. -API: +'API': - changed-files: - any-glob-to-any-file: - 'xclim/cli.py' -CI: +'CI': - changed-files: - any-glob-to-any-file: - - .editorconfig - - .pre-commit-config.yaml - - .readthedocs.yml - - .yamllint.yml - - .github/workflows/* - - docs/Makefile - - pylintrc - - tox.ini - - Makefile + - '.editorconfig' + - '.pre-commit-config.yaml' + - '.readthedocs.yml' + - '.yamllint.yml' + - '.github/workflows/*' + - 'docs/Makefile' + - 'pylintrc' + - 'tox.ini' + - 'Makefile' -docs: +'docs': - changed-files: - any-glob-to-any-file: - - .readthedocs.yml - - docs/**/* - - AUTHORS.rst - - CONTRIBUTING.rst - - ISSUE_TEMPLATE/**/* - - ISSUE_TEMPLATE.md - - PULL_REQUEST_TEMPLATE.md - - README.rst + - '.readthedocs.yml' + - 'docs/**/*' + - 'AUTHORS.rst' + - 'CONTRIBUTING.rst' + - 'ISSUE_TEMPLATE/**/*' + - 'ISSUE_TEMPLATE.md' + - 'PULL_REQUEST_TEMPLATE.md' + - 'README.rst' -indicators: +'indicators': - changed-files: - any-glob-to-any-file: - - xclim/indicators/**/* - - xclim/indices/**/_*.py - - xclim/data/**/*.json - - xclim/data/**/*.yml + - 'xclim/indicators/**/*' + - 'xclim/indices/**/_*.py' + - 'xclim/data/**/*.json' + - 'xclim/data/**/*.yml' -information: +'information': - changed-files: - any-glob-to-any-file: - - CONTRIBUTING.rst + - 'CONTRIBUTING.rst' -sdba: +'sdba': - changed-files: - any-glob-to-any-file: - - xclim/sdba/**/* - - tests/test_sdba/*.py + - 'xclim/sdba/**/*' + - 'tests/test_sdba/*.py' From f4a12048343b209bc6359cd3ef7ebee81f72b239 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:48:08 -0500 Subject: [PATCH 08/14] debugging --- .github/workflows/label.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
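Review bot: The `docs` label globs `'ISSUE_TEMPLATE/**/*'`, `'ISSUE_TEMPLATE.md'` and `'PULL_REQUEST_TEMPLATE.md'` are repository-root paths, but GitHub's conventional location for these files is `.github/`, which the neighbouring `'.github/workflows/*'` entry under `CI` already assumes; if the templates live under `.github/`, these three patterns never match and the label is silently never applied. Worth checking where the files actually are and, if needed, changing them to `'.github/ISSUE_TEMPLATE/**/*'` and the two `.github/*_TEMPLATE.md` forms. Quoting the keys and globs is harmless, but a short comment above the first mapping noting that the `changed-files` / `any-glob-to-any-file` layout is the actions/labeler v5 format would help anyone reading this after the v4 syntax was removed in patches 05–06.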
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 06d031996..b53359280 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -6,7 +6,8 @@ # https://github.com/actions/labeler/blob/master/README.md name: Labeler -on: [pull_request_target] +# FIXME: using PULL_REQUEST for debugging purposes. Should be pull_request_target only when merging to master. +on: [pull_request, pull_request_target] # Note: potential security risk from this action using pull_request_target. # Do not add actions in here which need a checkout of the repo, and do not use any caching in here. # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target From 51d9800cab00eca7b5f50de2e4bc1a522ef7a4f1 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:49:56 -0500 Subject: [PATCH 09/14] update harden-workflow config --- .github/workflows/label.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index b53359280..bdec57e9d 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -6,8 +6,7 @@ # https://github.com/actions/labeler/blob/master/README.md name: Labeler -# FIXME: using PULL_REQUEST for debugging purposes. Should be pull_request_target only when merging to master. -on: [pull_request, pull_request_target] +on: [pull_request_target] # Note: potential security risk from this action using pull_request_target. # Do not add actions in here which need a checkout of the repo, and do not use any caching in here. # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target 
@@ -27,7 +26,10 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 - uses: actions/labeler@v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" From 48d4edef1a2942d6e1d88505b8f69c96488bb2e5 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 23:48:07 +0000 Subject: [PATCH 10/14] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- pyproject.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index a76520be7..b0ba51562 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -148,7 +148,6 @@ values = [ "release" ] - [tool.coverage.run] relative_files = true omit = ["tests/*.py"] From 55e4c4d853dac463d3a79c2c5c42821d0c9ce514 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 19:05:10 -0500 Subject: [PATCH 11/14] pre-commit autoupdate --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d63356a1f..2d331d8da 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,11 +40,11 @@ repos: hooks: - id: isort - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.1.9 + rev: v0.1.11 hooks: - id: ruff - repo: https://github.com/pycqa/flake8 - rev: 6.1.0 + rev: 7.0.0 hooks: - id: flake8 additional_dependencies: [ 'flake8-alphabetize', 'flake8-rst-docstrings '] @@ -70,7 +70,7 @@ repos: additional_dependencies: [ 'black==23.12.1' ] exclude: '(xclim/indices/__init__.py|docs/installation.rst)' - repo: https://github.com/gitleaks/gitleaks - rev: v8.16.1 + rev: v8.18.1 hooks: - id: gitleaks - repo: https://github.com/python-jsonschema/check-jsonschema 
From 28c6b3bd83910c29f70cc3747679dc6d54e949b1 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 9 Jan 2024 19:08:34 -0500 Subject: [PATCH 12/14] harden label_on_approval.yml --- .github/workflows/label_on_approval.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/label_on_approval.yml b/.github/workflows/label_on_approval.yml index 11cb6cc3b..d3eb0017e 100644 --- a/.github/workflows/label_on_approval.yml +++ b/.github/workflows/label_on_approval.yml @@ -10,18 +10,20 @@ on: - review_requested permissions: - checks: write contents: read - pull-requests: write jobs: label_approved: name: Label on Approval + runs-on: ubuntu-latest if: | (!contains(github.event.pull_request.labels.*.name, 'approved')) && (github.event.review.state == 'approved') && (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) - runs-on: ubuntu-latest + permissions: + checks: write + contents: read + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 @@ -40,11 +42,19 @@ jobs: comment_approved: name: Comment Concerning Approved Tag + runs-on: ubuntu-latest if: | (github.event_name == 'pull_request_target') && (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) - runs-on: ubuntu-latest + permissions: + checks: write + contents: read + pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - name: Find comment uses: peter-evans/find-comment@v2.4.0 id: fc From d5d7023af62c0f490250e1d1590000e31308bee2 Mon Sep 17 00:00:00 2001 
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Wed, 10 Jan 2024 15:43:18 -0500 Subject: [PATCH 13/14] update CHANGES.rst --- CHANGES.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.rst b/CHANGES.rst index a670f5556..65bf2f89f 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -31,7 +31,7 @@ Internal changes ^^^^^^^^^^^^^^^^ * The `flake8` configuration has been migrated from `setup.cfg` to `.flake8`; `setup.cfg` has been removed. (:pull:`1569`) * The `bump-version.yml` workflow has been adjusted to bump the `patch` version when the last version is determined to have been a `release` version; otherwise, the `build` version is bumped. (:issue:`1557`, :pull:`1569`). -* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`). +* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`, :pull:`1578`). * Updated the CONTRIBUTING.rst directions to showcase the new versioning system. (:issue:`1557`, :pull:`1573`). * The `codespell` library is now a development dependency for the `dev` installation recipe with configurations found within `pyproject.toml`. This is also now a linting step and integrated as a `pre-commit` hook. For more information, see the `codespell documentation `_ (:pull:`1576`). From 784b418be74e36293457dc37e56787db338a34f9 Mon Sep 17 00:00:00 2001 
From: "bumpversion[bot]" Date: Wed, 10 Jan 2024 21:00:04 +0000 Subject: [PATCH 14/14] =?UTF-8?q?Bump=20version:=200.47.5-dev.2=20?= =?UTF-8?q?=E2=86=92=200.47.5-dev.3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pyproject.toml | 3 ++- xclim/__init__.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 0e5de1f8c..da066981e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -123,7 +123,7 @@ target-version = [ ] [tool.bumpversion] -current_version = "0.47.5-dev.2" +current_version = "0.47.5-dev.3" commit = true commit_args = "--no-verify" tag = false @@ -149,6 +149,7 @@ values = [ "release" ] + [tool.codespell] skip = 'xclim/data/*.json,docs/_build,docs/notebooks/xclim_training/*.ipynb,docs/references.bib,__pycache__,*.nc,*.png,*.gz,*.whl' ignore-words-list = "absolue,astroid,bloc,bui,callendar,degreee,environnement,hanel,inferrable,lond,nam,nd,ressources,vas" diff --git a/xclim/__init__.py b/xclim/__init__.py index 8897ee8cf..59f2f7f17 100644 --- a/xclim/__init__.py +++ b/xclim/__init__.py @@ -15,7 +15,7 @@ __author__ = """Travis Logan""" __email__ = "logan.travis@ouranos.ca" -__version__ = "0.47.5-dev.2" +__version__ = "0.47.5-dev.3" _module_data = _files("xclim.data")