merge

Ouranosinc · Jan 6, 2025 · 721dd0f · 721dd0f
2 parents 79dd1b0 + 06302f1
commit 721dd0f
Show file tree

Hide file tree

Showing 101 changed files with 5,435 additions and 2,537 deletions.
diff --git a/.cruft.json b/.cruft.json
@@ -1,6 +1,6 @@
 {
-  "template": "/home/tjs/git/cookiecutter-pypackage",
-  "commit": "f391bbd6ee14ab2478c64a1f78b74bd9903cae81",
+  "template": "https://github.com/Ouranosinc/cookiecutter-pypackage",
+  "commit": "14556700478b0afdb158d61dd35db26a77c2b83d",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -11,7 +11,7 @@
       "project_slug": "xscen",
       "project_short_description": "A climate change scenario-building analysis framework, built with xclim/xarray.",
       "pypi_username": "RondeauG",
-      "version": "0.9.0",
+      "version": "0.10.1-dev.1",
       "use_pytest": "y",
       "use_black": "y",
       "use_conda": "y",
@@ -20,9 +20,10 @@
       "add_translations": "y",
       "command_line_interface": "Click",
       "create_author_file": "y",
-      "open_source_license": "Not open source",
+      "open_source_license": "Apache Software License 2.0",
       "generated_with_cruft": "y",
-      "_template": "/home/tjs/git/cookiecutter-pypackage"
+      "__gh_slug": "https://github.com/Ouranosinc/xscen",
+      "_template": "https://github.com/Ouranosinc/cookiecutter-pypackage"
     }
   },
   "directory": null

diff --git a/.flake8 b/.flake8
@@ -6,9 +6,6 @@ exclude =
 	docs/conf.py,
 	tests
 ignore =
-	AZ100,
-	AZ200,
-	AZ300,
 	C,
 	D,
 	E,

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -6,7 +6,7 @@
 - [ ] (If applicable) Documentation has been added / updated (for bug fixes / features).
 - [ ] (If applicable) Tests have been added.
 - [ ] This PR does not seem to break the templates.
-- [ ] CHANGES.rst has been updated (with summary of main changes).
+- [ ] CHANGELOG.rst has been updated (with summary of main changes).
   - [ ] Link to issue (:issue:`number`) and pull request (:pull:`number`) has been added.
 
 ### What kind of change does this PR introduce?

diff --git a/.github/deactivated/actions-versions-updater.yml b/.github/deactivated/actions-versions-updater.yml
diff --git a/.github/deactivated/conda-build.yml b/.github/deactivated/conda-build.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,15 +1,22 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directory: /.github/workflows
     schedule:
-      interval: daily
-      time: '12:00'
-    open-pull-requests-limit: 10
+      interval: monthly
+    groups:
+      actions:
+        patterns:
+          - "*"
 
   - package-ecosystem: pip
     directory: /
     schedule:
-      interval: daily
-      time: '12:00'
-    open-pull-requests-limit: 10
+      interval: monthly
+    groups:
+      python:
+        patterns:
+          - "*"
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -18,17 +18,22 @@
       - '.readthedocs.yml'
       - '.secrets.baseline'
       - '.yamllint.yaml'
+      - 'CI/**/*'
       - 'Makefile'
       - 'docs/Makefile'
       - 'tox.ini'
 
+# label 'docs' all documentation-related steps and files
 'docs':
   - changed_files:
     - any-glob-to-any-file:
+      - '.github/DISCUSSION_TEMPLATE/**/*'
       - '.github/ISSUE_TEMPLATE.md'
       - '.github/ISSUE_TEMPLATE/**/*'
       - '.github/PULL_REQUEST_TEMPLATE.md'
       - '.readthedocs.yml'
+      - 'AUTHORS.rst'
+      - 'CODE_OF_CONDUCT.md'
       - 'CONTRIBUTING.rst'
       - 'README.rst'
       - 'docs/**/*'

diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -1,9 +1,4 @@
-# This workflow requires a personal access token named `BUMP_VERSION_TOKEN` with the following privileges:
-# - Contents: Read and Write
-# - Metadata: Read-Only
-# - Pull Requests: Read and Write
-
-name: "Bump Patch Version"
+name: Bump Patch Version
 
 on:
   push:
@@ -21,7 +16,11 @@ on:
       - .secrets.baseline
       - .yamllint.yaml
       - AUTHORS.rst
-      - CHANGES.rst
+      - CHANGELOG.rst
+      - CI/**/*.in
+      - CI/**/*.py
+      - CI/**/*.txt
+      - CODE_OF_CONDUCT.md
       - CONTRIBUTING.rst
       - MANIFEST.in
       - Makefile
@@ -32,11 +31,10 @@ on:
       - environment-dev.yml
       - environment.yml
       - pyproject.toml
-      - setup.py
+      - src/xscen/__init__.py
       - templates
       - tests/*.py
       - tox.ini
-      - xscen/__init__.py
 
 permissions:
   contents: read
@@ -47,35 +45,47 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       actions: read
-      contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.github.com:443
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-      - uses: actions/[email protected]
+      - name: Generate App Token
+        id: token_generator
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ secrets.OURANOS_HELPER_BOT_ID }}
+          private-key: ${{ secrets.OURANOS_HELPER_BOT_KEY }}
+      - name: Checkout Repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
-          persist-credentials: false
-      - uses: actions/[email protected]
+          token: ${{ steps.token_generator.outputs.token }}
+      - name: Set up Python3
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.x"
-      - name: Config Commit Bot
-        run: |
-          git config --local user.email "bumpversion[bot]@ouranos.ca"
-          git config --local user.name "bumpversion[bot]"
-      - name: Install bump-my-version
-        run: |
-          python -m pip install "bump-my-version>=0.18.3"
+      - name: Import GPG Key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.OURANOS_HELPER_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.OURANOS_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          trust_level: 5
       - name: Current Version
         run: |
-          bump-my-version show current_version
-          CURRENT_VERSION="$(grep -E '__version__' xscen/__init__.py | cut -d ' ' -f3)"
+          CURRENT_VERSION="$(grep -E '__version__' src/xscen/__init__.py | cut -d ' ' -f3)"
+          echo "current_version=${CURRENT_VERSION}"
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
+      - name: Install CI libraries
+        run: |
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Conditional Bump Version
         run: |
           if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
@@ -85,10 +95,11 @@ jobs:
             echo "Version is stable, bumping 'patch' version"
             bump-my-version bump patch
           fi
-          bump-my-version show-bump
+          NEW_VERSION="$(grep -E '__version__' src/xscen/__init__.py | cut -d ' ' -f3)"
+          echo "new_version=${NEW_VERSION}"
+          echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV
       - name: Push Changes
-        uses: ad-m/[email protected]
+        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
         with:
           force: false
-          github_token: ${{ secrets.BUMP_VERSION_TOKEN }}
           branch: ${{ github.ref }}
diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml
@@ -16,7 +16,7 @@ jobs:
       actions: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -25,7 +25,8 @@ jobs:
             github.com:443
             objects.githubusercontent.com:443
 
-      - uses: actions/[email protected]
+      - name: Checkout Repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Cleanup
         run: |

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+  pull_request:
   schedule:
     - cron: '30 23 * * 5'
 
@@ -25,7 +26,7 @@ jobs:
           - 'python'
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -37,7 +38,7 @@ jobs:
             pypi.org:443
             uploads.github.com:443
       - name: Checkout repository
-        uses: actions/checkout@v4.1.3
+        uses: actions/checkout@v4.2.1
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@codeql-bundle-20230524

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,6 +1,7 @@
 # Dependency Review Action
 #
-# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
@@ -16,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -25,8 +26,8 @@ jobs:
             api.github.com:443
             github.com:443
 
-      - name: 'Checkout Repository'
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - name: Checkout Repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
-      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@0659a74c94536054bfa5aeb92241f70d680cc78e
+      - name: Dependency Review
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,9 +6,6 @@ exclude = @@
     	docs/conf.py,
     	tests
     ignore =
-    	AZ100,
-    	AZ200,
-    	AZ300,
     	C,
     	D,
     	E,
@@ Expand Down @@