diff --git a/.github/labeler.yml b/.github/labeler.yml
index 50a3cba46..006bae551 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -5,40 +5,51 @@
# we refer here to CI as the 'meta' configuration files for managing the code and integrations with the repository,
# not configurations related to the deployment process itself.
-API:
- - xclim/cli.py
+'API':
+ - changed-files:
+ - any-glob-to-any-file:
+ - 'xclim/cli.py'
-CI:
- - .editorconfig
- - .pre-commit-config.yaml
- - .readthedocs.yml
- - .yamllint.yml
- - .github/workflows/*
- - docs/Makefile
- - pylintrc
- - tox.ini
- - Makefile
+'CI':
+ - changed-files:
+ - any-glob-to-any-file:
+ - '.editorconfig'
+ - '.pre-commit-config.yaml'
+ - '.readthedocs.yml'
+ - '.yamllint.yml'
+ - '.github/workflows/*'
+ - 'docs/Makefile'
+ - 'pylintrc'
+ - 'tox.ini'
+ - 'Makefile'
-docs:
- - .readthedocs.yml
- - docs/**/*
- - AUTHORS.rst
- - CONTRIBUTING.rst
- - ISSUE_TEMPLATE/**/*
- - ISSUE_TEMPLATE.md
- - PULL_REQUEST_TEMPLATE.md
- - README.rst
+'docs':
+ - changed-files:
+ - any-glob-to-any-file:
+ - '.readthedocs.yml'
+ - 'docs/**/*'
+ - 'AUTHORS.rst'
+ - 'CONTRIBUTING.rst'
+ - 'ISSUE_TEMPLATE/**/*'
+ - 'ISSUE_TEMPLATE.md'
+ - 'PULL_REQUEST_TEMPLATE.md'
+ - 'README.rst'
-indicators:
- - xclim/indicators/**/*
- - xclim/indicators/**/*
- - xclim/indices/**/_*.py
- - xclim/data/**/*.json
- - xclim/data/**/*.yml
+'indicators':
+ - changed-files:
+ - any-glob-to-any-file:
+ - 'xclim/indicators/**/*'
+ - 'xclim/indices/**/_*.py'
+ - 'xclim/data/**/*.json'
+ - 'xclim/data/**/*.yml'
-information:
- - CONTRIBUTING.rst
+'information':
+ - changed-files:
+ - any-glob-to-any-file:
+ - 'CONTRIBUTING.rst'
-sdba:
- - xclim/sdba/**/*
- - tests/test_sdba/*.py
+'sdba':
+ - changed-files:
+ - any-glob-to-any-file:
+ - 'xclim/sdba/**/*'
+ - 'tests/test_sdba/*.py'
diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml
index 14a9894e4..8dd02f117 100644
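Review bot: The `'docs'` entries `'ISSUE_TEMPLATE/**/*'`, `'ISSUE_TEMPLATE.md'` and `'PULL_REQUEST_TEMPLATE.md'` are matched relative to the repository root, so if those templates live under `.github/` as is usual they never match and the label is silently never applied; the globs were already wrong before the v5 migration, but this rewrite is the moment to fix them, e.g. `'.github/ISSUE_TEMPLATE/**/*'` and `'.github/PULL_REQUEST_TEMPLATE.md'`. Likewise `'.github/workflows/*'` under `'CI'` does not cover this labeler file itself or other `.github/*.yml` meta-configuration, if the repository has any. Dropping the duplicated `xclim/indicators/**/*` entry is correct.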
--- a/.github/workflows/actions-versions-updater.yml
+++ b/.github/workflows/actions-versions-updater.yml
@@ -12,12 +12,19 @@ permissions: # added using https://github.com/step-security/secure-repo
jobs:
build:
runs-on: ubuntu-latest
-
+ permissions:
+ actions: write
+ contents: write
+ pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
- name: Checkout
uses: actions/checkout@v4.1.1
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 9f5483b8e..24f7c6b50 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -12,7 +12,14 @@ jobs:
add-to-project:
name: Add Issue to xclim Project
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ repository-projects: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
- uses: actions/add-to-project@v0.5.0
with:
project-url: https://github.com/orgs/Ouranosinc/projects/6
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 3f8b8503b..147ae1c30 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -29,6 +29,9 @@ jobs:
bump_patch_version:
name: Bumpversion Patch
runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml
index f141b39a4..96d1993fb 100644
--- a/.github/workflows/cache-cleaner.yml
+++ b/.github/workflows/cache-cleaner.yml
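Review bot: The job-level grant of `actions: write` next to `contents: write` and `pull-requests: write` is more than a version-bump pull request normally needs; the steps that would use it are below this hunk, so confirm something in this job really dispatches or cancels workflow runs, and otherwise reduce it to `actions: read` or omit it. The `allowed-endpoints` list (`api.github.com`, `github.com`) is consistent with a job that only talks to GitHub, which is good. Note that `actions/checkout@v4.1.1` on the last line stays tag-pinned while `harden-runner` in the same step list is SHA-pinned; a tag can be moved, a commit SHA cannot, so pin both the same way: `uses: actions/checkout@<sha> # v4.1.1`.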
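Review bot: This is one of the few hardened jobs in the commit that keeps `egress-policy: audit`; `actions/add-to-project` only needs the GitHub API, so it can take the same `disable-sudo: true` / `egress-policy: block` / `allowed-endpoints: api.github.com:443` settings as the other jobs. Separately, `repository-projects: write` only widens the built-in `GITHUB_TOKEN`, which as far as I know cannot add items to an organization-level project such as `orgs/Ouranosinc/projects/6`; if the step (its `github-token` input is below this hunk) already passes a PAT or App token, that permission is unused and can be dropped — confirm which token is in play and leave a one-line comment stating it.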
@@ -15,7 +15,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
- name: Check out code
uses: actions/checkout@v4.1.1
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 0d32ba911..19c43a455 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -15,6 +15,14 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
- name: 'Checkout Repository'
uses: actions/checkout@v4.1.1
- name: 'Dependency Review'
diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml
index 2fb5e70b2..f3f44a97a 100644
--- a/.github/workflows/first_pull_request.yml
+++ b/.github/workflows/first_pull_request.yml
@@ -5,10 +5,16 @@ on:
types:
- opened
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
jobs:
welcome:
name: Welcome
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index a49fad76d..bdec57e9d 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
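Review bot: The `pull-requests: write` grant on the `welcome` job only takes effect for pull requests opened from branches of this repository; the trigger line is above this hunk, but if it is `pull_request` (as the `types: - opened` filter suggests), a first-time contributor's PR will usually come from a fork, for which GitHub downgrades `GITHUB_TOKEN` to read-only regardless of the `permissions` block, and the welcome comment step will fail. Either accept that and say so inline, `# NOTE: fork PRs receive a read-only token; commenting fails for them`, or switch the trigger to `pull_request_target` and then keep the job free of any checkout or execution of `github.event.pull_request.head.sha`. The top-level `contents: read` default added above is the right baseline either way.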
@@ -12,14 +12,24 @@ on: [pull_request_target] # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
permissions:
- checks: write
contents: read
- pull-requests: write
jobs:
label:
+ name: Label
runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ pull-requests: write
steps:
- - uses: actions/labeler@v5.0.0
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ - uses: actions/labeler@v5.0.0
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/label_on_approval.yml b/.github/workflows/label_on_approval.yml
index 4f6139bea..d3eb0017e 100644
--- a/.github/workflows/label_on_approval.yml
+++ b/.github/workflows/label_on_approval.yml
@@ -10,19 +10,25 @@ on:
- review_requested
permissions:
- checks: write
contents: read
- pull-requests: write
jobs:
label_approved:
name: Label on Approval
+ runs-on: ubuntu-latest
if: |
(!contains(github.event.pull_request.labels.*.name, 'approved')) && (github.event.review.state == 'approved') && (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)
- runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ pull-requests: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
- name: Label Approved
uses: actions/github-script@v7.0.1
with:
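Review bot: `checks: write` in the new job-level `permissions` block is not needed by `actions/labeler`, whose documented requirements are `contents: read` and `pull-requests: write`; since this job runs on `pull_request_target` with a write-capable token against pull requests from forks, every scope it does not use is worth removing, so delete the `checks: write` line. The `egress-policy: block` list of just `api.github.com:443` is appropriate for labeler v5, which reads `.github/labeler.yml` through the API rather than from a checkout, so no `github.com` entry is missing here. Pin `actions/labeler@v5.0.0` by commit SHA to match the way `harden-runner` is pinned one step above.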
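Review bot: The `label_approved` job adds a label via `actions/github-script`, which needs `pull-requests: write` but not `checks: write`, so the `checks: write` line in the new `permissions` block should go, for the same reason as in `label.yml`. This job also keeps `egress-policy: audit` while most of the commit moves to `block`; `github-script` only reaches the REST/GraphQL API, so `egress-policy: block` with `allowed-endpoints: api.github.com:443` would be consistent, once a run confirms nothing else is contacted. The unchanged `head.repo.full_name == base.repo.full_name` condition is the right guard to keep a `pull_request_target` job off fork-sourced PRs.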
@@ -36,11 +42,19 @@ jobs:
comment_approved:
name: Comment Concerning Approved Tag
+ runs-on: ubuntu-latest
if: |
(github.event_name == 'pull_request_target') && (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
- runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ pull-requests: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
- name: Find comment
uses: peter-evans/find-comment@v2.4.0
id: fc
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ed7eeefbe..f6bd0a992 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -76,7 +76,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+ raw.githubusercontent.com:443
- uses: actions/checkout@v4.1.1
- name: Set up Python${{ matrix.python-version }}
uses: actions/setup-python@v5.0.0
@@ -124,7 +130,18 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ coveralls.io:443
+ esm.ubuntu.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ motd.ubuntu.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ pypi.org:443
+ raw.githubusercontent.com:443
- uses: actions/checkout@v4.1.1
- name: Install Eigen3
if: contains(matrix.tox-env, 'sbck')
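Review bot: `comment_approved` is the job that runs with a write-capable `GITHUB_TOKEN` precisely when the pull request comes from a fork (`head.repo.full_name != base.repo.full_name` under `pull_request_target`), so it deserves the tightest permissions in this file; trim the new block to what commenting needs, `contents: read` and `pull-requests: write`, and drop `checks: write`. `peter-evans/find-comment@v2.4.0` (and whatever follows `id: fc` below the hunk) is tag-pinned while `harden-runner` is SHA-pinned, so pin it by SHA too, and keep this job free of any `actions/checkout` on the PR head. `egress-policy: audit` can become `block` with `api.github.com:443` once a run shows no other host is contacted.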
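Review bot: In the `-124` hunk the allow-list opens plaintext `azure.archive.ubuntu.com:80` and this job, unlike the `-76` one, does not get `disable-sudo: true`; both presumably exist for the `Install Eigen3` step that starts at the bottom of the hunk and runs `apt-get`. That is acceptable only because apt verifies package signatures itself, so record the reasoning next to the entry, `# apt mirror over :80; integrity comes from apt signing, not TLS`, and keep `disable-sudo` enabled for every `tox-env` that does not need the apt step if the matrix allows it. `motd.ubuntu.com:443` and `esm.ubuntu.com:443` carry no build input and are contacted by Ubuntu's own apt hooks; they may be droppable without breaking `block` mode — worth trying, since each allowed host is a potential exfiltration channel.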
@@ -167,7 +184,16 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ coveralls.io:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ raw.githubusercontent.com:443
- uses: actions/checkout@v4.1.1
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
uses: mamba-org/setup-micromamba@v1.7.3
diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml
index bf16beb9f..c1e0ddf84 100644
--- a/.github/workflows/publish-mastodon.yml
+++ b/.github/workflows/publish-mastodon.yml
@@ -15,6 +15,9 @@ on:
default: true
type: boolean
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
jobs:
toot:
name: Generate Mastodon Toot
diff --git a/.github/workflows/testdata_version.yml b/.github/workflows/testdata_version.yml
index 325833d74..cff8527e0 100644
--- a/.github/workflows/testdata_version.yml
+++ b/.github/workflows/testdata_version.yml
@@ -20,6 +20,14 @@ jobs:
contents: read
pull-requests: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
- uses: actions/checkout@v4.1.1
- name: Find xclim-testdata Tag and CI Testing Branch
run: |
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index ae1e7cd93..c9f68363f 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
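Review bot: The allow-list for this job names only GitHub, PyPI and coveralls hosts, yet the step that begins at the bottom of the hunk is `mamba-org/setup-micromamba@v1.7.3`, which downloads the micromamba binary and then resolves the environment from conda channels; unless both are already cached on the runner, `egress-policy: block` will make that step fail. Verify the list against a `block`-mode run and add the channel host actually used (typically `conda.anaconda.org:443`) with a trailing comment naming the step that needs it, so later edits can prune with confidence. As elsewhere in the commit, `actions/checkout@v4.1.1` and `setup-micromamba@v1.7.3` remain tag-pinned while `harden-runner` is SHA-pinned; pin them by SHA for the same immutability guarantee.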
@@ -42,7 +42,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ raw.githubusercontent.com:443
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 955a244a6..2d331d8da 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,90 +2,86 @@ default_language_version:
python: python3
repos:
-- repo: https://github.com/asottile/pyupgrade
- rev: v3.15.0
- hooks:
- - id: pyupgrade
- args: ['--py38-plus']
- exclude: 'xclim/core/indicator.py'
-- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.5.0
- hooks:
- - id: trailing-whitespace
- - id: end-of-file-fixer
- exclude: '.ipynb|.github/publish-mastodon.template.md'
- - id: check-json
- - id: check-toml
- - id: check-yaml
- args: [ '--allow-multiple-documents' ]
- - id: debug-statements
- - id: pretty-format-json
- args: [ '--autofix', '--no-ensure-ascii', '--no-sort-keys' ]
- exclude: '.ipynb'
-- repo: https://github.com/pappasam/toml-sort
- rev: v0.23.1
- hooks:
- - id: toml-sort-fix
-- repo: https://github.com/adrienverge/yamllint.git
- rev: v1.33.0
- hooks:
- - id: yamllint
- args: [ '--config-file=.yamllint.yaml' ]
-- repo: https://github.com/psf/black-pre-commit-mirror
- rev: 23.12.1
- hooks:
- - id: black
-- repo: https://github.com/PyCQA/isort
- rev: 5.13.2
- hooks:
- - id: isort
-- repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.1.11
- hooks:
- - id: ruff
-- repo: https://github.com/pycqa/flake8
- rev: 6.1.0
- hooks:
- - id: flake8
- additional_dependencies: [ 'flake8-alphabetize', 'flake8-rst-docstrings ']
- args: [ '--config=.flake8' ]
-- repo: https://github.com/nbQA-dev/nbQA
- rev: 1.7.1
- hooks:
- - id: nbqa-pyupgrade
- additional_dependencies: [ 'pyupgrade==3.15.0' ]
- args: [ '--py38-plus' ]
- - id: nbqa-black
- additional_dependencies: [ 'black==23.12.1' ]
- - id: nbqa-isort
- additional_dependencies: [ 'isort==5.13.2' ]
-- repo: https://github.com/kynan/nbstripout
- rev: 0.6.1
- hooks:
- - id: nbstripout
- files: '.ipynb'
- args: [ '--extra-keys=metadata.kernelspec' ]
-- repo: https://github.com/keewis/blackdoc
- rev: v0.3.9
- hooks:
- - id: blackdoc
- additional_dependencies: [ 'black==23.12.1' ]
- exclude: '(xclim/indices/__init__.py|docs/installation.rst)'
-- repo: https://github.com/codespell-project/codespell
- rev: v2.2.6
- hooks:
- - id: codespell
- additional_dependencies: [ 'tomli' ]
- args: [ '--toml=pyproject.toml' ]
-- repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.27.3
- hooks:
- - id: check-github-workflows
- - id: check-readthedocs
-- repo: meta
- hooks:
- - id: check-hooks-apply
- - id: check-useless-excludes
+ - repo: https://github.com/asottile/pyupgrade
+ rev: v3.15.0
+ hooks:
+ - id: pyupgrade
+ args: ['--py38-plus']
+ exclude: 'xclim/core/indicator.py'
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ exclude: '.ipynb|.github/publish-mastodon.template.md'
+ - id: check-json
+ - id: check-toml
+ - id: check-yaml
+ args: [ '--allow-multiple-documents' ]
+ - id: debug-statements
+ - id: pretty-format-json
+ args: [ '--autofix', '--no-ensure-ascii', '--no-sort-keys' ]
+ exclude: '.ipynb'
+ - repo: https://github.com/pappasam/toml-sort
+ rev: v0.23.1
+ hooks:
+ - id: toml-sort-fix
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.33.0
+ hooks:
+ - id: yamllint
+ args: [ '--config-file=.yamllint.yaml' ]
+ - repo: https://github.com/psf/black-pre-commit-mirror
+ rev: 23.12.1
+ hooks:
+ - id: black
+ - repo: https://github.com/PyCQA/isort
+ rev: 5.13.2
+ hooks:
+ - id: isort
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: v0.1.11
+ hooks:
+ - id: ruff
+ - repo: https://github.com/pycqa/flake8
+ rev: 7.0.0
+ hooks:
+ - id: flake8
+ additional_dependencies: [ 'flake8-alphabetize', 'flake8-rst-docstrings ']
+ args: [ '--config=.flake8' ]
+ - repo: https://github.com/nbQA-dev/nbQA
+ rev: 1.7.1
+ hooks:
+ - id: nbqa-pyupgrade
+ args: [ '--py38-plus' ]
+ - id: nbqa-black
+ additional_dependencies: [ 'black==23.12.1' ]
+ - id: nbqa-isort
+ - repo: https://github.com/kynan/nbstripout
+ rev: 0.6.1
+ hooks:
+ - id: nbstripout
+ files: '.ipynb'
+ args: [ '--extra-keys', 'metadata.kernelspec' ]
+ - repo: https://github.com/keewis/blackdoc
+ rev: v0.3.9
+ hooks:
+ - id: blackdoc
+ additional_dependencies: [ 'black==23.12.1' ]
+ exclude: '(xclim/indices/__init__.py|docs/installation.rst)'
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.18.1
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 0.27.3
+ hooks:
+ - id: check-github-workflows
+ - id: check-readthedocs
+ - repo: meta
+ hooks:
+ - id: check-hooks-apply
+ - id: check-useless-excludes
ci:
autofix_commit_msg: |
diff --git a/CHANGES.rst b/CHANGES.rst
index a670f5556..65bf2f89f 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -31,7 +31,7 @@ Internal changes
^^^^^^^^^^^^^^^^
* The `flake8` configuration has been migrated from `setup.cfg` to `.flake8`; `setup.cfg` has been removed. (:pull:`1569`)
* The `bump-version.yml` workflow has been adjusted to bump the `patch` version when the last version is determined to have been a `release` version; otherwise, the `build` version is bumped. (:issue:`1557`, :pull:`1569`).
-* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`).
+* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`, :pull:`1578`).
* Updated the CONTRIBUTING.rst directions to showcase the new versioning system. (:issue:`1557`, :pull:`1573`).
* The `codespell` library is now a development dependency for the `dev` installation recipe with configurations found within `pyproject.toml`. This is also now a linting step and integrated as a `pre-commit` hook. For more information, see the `codespell documentation `_ (:pull:`1576`).
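Review bot: The rewritten `repos:` list no longer contains the `codespell` hook (old side: `codespell-project/codespell` at `v2.2.6` with `additional_dependencies: [ 'tomli' ]` and `--toml=pyproject.toml`), while the `CHANGES.rst` hunk in this same commit still states that codespell "is integrated as a `pre-commit` hook"; the `@@ -2,90 +2,86 @@` header's net loss of four lines matches removing those six lines, adding the four `gitleaks` lines and dropping two `nbqa` pins, so the omission appears real — restore the block, or if it was moved elsewhere on purpose, say so in the changelog. The `nbqa-pyupgrade` and `nbqa-isort` hooks lose their `additional_dependencies` pins (`pyupgrade==3.15.0`, `isort==5.13.2`) while `nbqa-black` keeps `black==23.12.1`; the tool version those two hooks run is then no longer pinned by this file, which is a reproducibility and supply-chain regression, so restore the pins. Adding `gitleaks` is a good step; note in a comment that the pre-commit hook only scans the staged diff, and run `gitleaks detect` once over the full history to establish a baseline. `'flake8-rst-docstrings '` still carries a trailing space inside the quotes, which pip tolerates but which is worth cleaning up while the file is being reformatted.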
diff --git a/pyproject.toml b/pyproject.toml
index ec0cbc64e..0e5de1f8c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -149,7 +149,6 @@ values = [
"release"
]
-
[tool.codespell]
skip = 'xclim/data/*.json,docs/_build,docs/notebooks/xclim_training/*.ipynb,docs/references.bib,__pycache__,*.nc,*.png,*.gz,*.whl'
ignore-words-list = "absolue,astroid,bloc,bui,callendar,degreee,environnement,hanel,inferrable,lond,nam,nd,ressources,vas"