Workflow Adjustments (#53)

### Changes * Actions have been updated to more recent versions * `pip`-based dpeendencies used to run on CI are now managed by a `CI/requirements_ci.txt` that uses hashes of packages for security * Warnings in Pull Requests from forks are now less buggy * The `yamllint` configuration is a bit stricter but is now consistent for all YAML files in the repository, including the GitHub Workflows * Documentation has been added for `make initialize-translations` * A new pre-commit hook for validating numpy doctsrings has been added (using `numpydoc`). * Dependencies have been updated and synchronized * The top-level repository workflow is now using security hardening and hashed commits where possible
Ouranosinc · Jul 23, 2024 · 9f09316 · 9f09316
2 parents 58525bb + affa6eb
commit 9f09316
Show file tree

Hide file tree

Showing 25 changed files with 640 additions and 111 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,9 +12,9 @@ updates:
     open-pull-requests-limit: 5
 
   - package-ecosystem: github-actions
-    directory: "/{{cookiecutter.project_slug}}/.github/workflows/"
+    directory: '/{{cookiecutter.project_slug}}/.github/workflows/'
     schedule:
-      interval: "weekly"
+      interval: "monthly"
     open-pull-requests-limit: 10
 
   - package-ecosystem: pip

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,11 @@ on:
       - main
   pull_request:
 
+concurrency:
+  # For a given workflow, if we push to the same branch, cancel all previous builds on that branch except on main.
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
@@ -26,27 +31,33 @@ jobs:
             python-version: "pypy3.10"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
-        with:
-          egress-policy: audit
-      - name: Cancel previous runs
-        uses: styfle/cancel-workflow-action@0.12.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
-          access_token: ${{ github.token }}
-      - uses: actions/checkout@v4
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+          disable-sudo: true
+          egress-policy: block
+          # PyPy packages requires access to Rust binaries
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            index.crates.io:443
+            pypi.org:443
+            static.crates.io:443
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set up Python${{ matrix.python-version }}
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
         run: |
-            python -m pip install tox
+            python -m pip install --require-hashes -r requirements.txt
       - name: Run bake test suite
         run:
             python -m tox -e ${{ matrix.tox-env }}
-      - name: Archive package
-        if: ${{ matrix.tox-env == 'py39' }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: cookie-cutter
-          path: src/dist
+      # - name: Archive package
+      #   if: ${{ matrix.tox-env == 'py39' }}
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: cookie-cutter
+      #     path: src/dist
diff --git a/requirements.in b/requirements.in
@@ -0,0 +1 @@
+tox==4.16.0
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,62 @@
+#
+# This file is autogenerated by pip-compile with Python 3.8
+# by the following command:
+#
+#    pip-compile --generate-hashes --output-file=requirements.txt requirements.in
+#
+cachetools==5.4.0 \
+    --hash=sha256:3ae3b49a3d5e28a77a0be2b37dbcb89005058959cb2323858c2657c4a8cab474 \
+    --hash=sha256:b8adc2e7c07f105ced7bc56dbb6dfbe7c4a00acce20e2227b3f355be89bc6827
+    # via tox
+chardet==5.2.0 \
+    --hash=sha256:1b3b6ff479a8c414bc3fa2c0852995695c4a026dcd6d0633b2dd092ca39c1cf7 \
+    --hash=sha256:e1cf59446890a00105fe7b7912492ea04b6e6f06d4b742b2c788469e34c82970
+    # via tox
+colorama==0.4.6 \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+    # via tox
+distlib==0.3.8 \
+    --hash=sha256:034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784 \
+    --hash=sha256:1530ea13e350031b6312d8580ddb6b27a104275a31106523b8f123787f494f64
+    # via virtualenv
+filelock==3.15.4 \
+    --hash=sha256:2207938cbc1844345cb01a5a95524dae30f0ce089eba5b00378295a17e3e90cb \
+    --hash=sha256:6ca1fffae96225dab4c6eaf1c4f4f28cd2568d3ec2a44e15a08520504de468e7
+    # via
+    #   tox
+    #   virtualenv
+packaging==24.1 \
+    --hash=sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002 \
+    --hash=sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124
+    # via
+    #   pyproject-api
+    #   tox
+platformdirs==4.2.2 \
+    --hash=sha256:2d7a1657e36a80ea911db832a8a6ece5ee53d8de21edd5cc5879af6530b1bfee \
+    --hash=sha256:38b7b51f512eed9e84a22788b4bce1de17c0adb134d6becb09836e37d8654cd3
+    # via
+    #   tox
+    #   virtualenv
+pluggy==1.5.0 \
+    --hash=sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1 \
+    --hash=sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669
+    # via tox
+pyproject-api==1.7.1 \
+    --hash=sha256:2dc1654062c2b27733d8fd4cdda672b22fe8741ef1dde8e3a998a9547b071eeb \
+    --hash=sha256:7ebc6cd10710f89f4cf2a2731710a98abce37ebff19427116ff2174c9236a827
+    # via tox
+tomli==2.0.1 \
+    --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \
+    --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f
+    # via
+    #   pyproject-api
+    #   tox
+tox==4.16.0 \
+    --hash=sha256:43499656f9949edb681c0f907f86fbfee98677af9919d8b11ae5ad77cb800748 \
+    --hash=sha256:61e101061b977b46cf00093d4319438055290ad0009f84497a07bf2d2d7a06d0
+    # via -r requirements.in
+virtualenv==20.26.3 \
+    --hash=sha256:4c43a2a236279d9ea36a0d76f98d84bd6ca94ac4e0f4a3b9d46d05e10fea542a \
+    --hash=sha256:8cc4a31139e796e9a7de2cd5cf2489de1217193116a8fd42328f1bd65f434589
+    # via tox
diff --git a/requirements_dev.txt b/requirements_dev.txt
@@ -6,6 +6,6 @@ flit>=3.9.0
 pre-commit>=3.5.0
 pytest-cookies>=0.7.0
 pytest>=8.2.0
-tox>=4.15.0
+tox>=4.16.0
 twine>=5.0.0
 watchdog>=4.0.0
diff --git a/tox.ini b/tox.ini
@@ -17,7 +17,6 @@ commands =
 setenv =
     PYTEST_ADDOPTS = "--color=yes"
     PYTHONPATH = {toxinidir}
-    TOX = 1
 deps =
     -r{toxinidir}/requirements_dev.txt
 download = True

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/bump-version.yml b/{{cookiecutter.project_slug}}/.github/workflows/bump-version.yml
@@ -51,7 +51,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -65,21 +65,20 @@ jobs:
           persist-credentials: false
           fetch-depth: 0
       - name: Set up Python3
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: "3.x"
       - name: Config Commit Bot
         run: |
           git config --local user.email "bumpversion[bot]@ouranos.ca"
           git config --local user.name "bumpversion[bot]"
-      - name: Install bump-my-version
-        run: |
-          python -m pip install "bump-my-version>=0.18.3"
       - name: Current Version
         run: |
-          bump-my-version show current_version
           CURRENT_VERSION="$(grep -E '__version__' src/{{ cookiecutter.project_slug }}/__init__.py | cut -d ' ' -f3)"
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
+      - name: Install CI libraries
+        run: |
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Conditional Bump Version
         run: |
           if [[ __ENV_CURRENT_VERSION__ =~ -dev(\.\d+)? ]]; then

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/cache-cleaner.yml b/{{cookiecutter.project_slug}}/.github/workflows/cache-cleaner.yml
@@ -16,7 +16,7 @@ jobs:
       actions: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -26,7 +26,7 @@ jobs:
             objects.githubusercontent.com:443
 
       - name: Checkout Repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Cleanup
         run: |

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/dependency-review.yml b/{{cookiecutter.project_slug}}/.github/workflows/dependency-review.yml
@@ -1,6 +1,7 @@
 # Dependency Review Action
 #
-# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
@@ -16,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/first-pull-request.yml b/{{cookiecutter.project_slug}}/.github/workflows/first-pull-request.yml
@@ -5,13 +5,18 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   welcome:
     name: Welcome
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/label.yml b/{{cookiecutter.project_slug}}/.github/workflows/label.yml
@@ -20,12 +20,10 @@ jobs:
     name: Label
     runs-on: ubuntu-latest
     permissions:
-      checks: write
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/main.yml b/{{cookiecutter.project_slug}}/.github/workflows/main.yml
@@ -33,18 +33,18 @@ jobs:
           - "3.x"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - name: Checkout Repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Python__PYTHON_VERSION__
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: __PYTHON_VERSION__
-      - name: Install tox
+      - name: Install CI libraries
         run: |
-          python -m pip install tox
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Run linting suite
         run: |
           python -m tox -e lint
@@ -68,18 +68,18 @@ jobs:
             python-version: "3.12"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Python__PYTHON_VERSION__
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: __PYTHON_VERSION__
-      - name: Install tox
+      - name: Install CI libraries
         run: |
-          python -m pip install tox
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Test with tox
         run: |
           python -m tox -e __TOX_ENV__
@@ -96,19 +96,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12"]
+        python-version: [ "3.9", "3.10", "3.11", "3.12" ]
     defaults:
       run:
         shell: bash -l {0}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Conda (Micromamba) with Python__PYTHON_VERSION__
-        uses: mamba-org/setup-micromamba@422500192359a097648154e8db4e39bdb6c6eed7 # v1.8.1
+        uses: mamba-org/setup-micromamba@f8b8a1e23a26f60a44c853292711bacfd3eac822 # v1.9.0
         with:
           cache-downloads: true
           environment-file: environment-dev.yml
@@ -146,9 +146,16 @@ jobs:
     runs-on: ubuntu-latest
     container: python:3-slim
     steps:
-      - name: Coveralls Finished
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          sparse-checkout: |
+            CI/requirements_ci.txt
+      - name: Install CI libraries
+        run: |
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
+      - name: Coveralls finished
         run: |
-          python -m pip install --upgrade coveralls
           python -m coveralls --finish
         env:
           GITHUB_TOKEN: __GITHUB_TOKEN__

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/publish-pypi.yml b/{{cookiecutter.project_slug}}/.github/workflows/publish-pypi.yml
@@ -18,7 +18,7 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -30,12 +30,12 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Python3
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: "3.x"
-      - name: Install packaging libraries
+      - name: Install CI libraries
         run: |
-          python -m pip install flit
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Build a binary wheel and a source tarball
         run: |
           python -m flit build

diff --git a/{{cookiecutter.project_slug}}/.github/workflows/scorecard.yml b/{{cookiecutter.project_slug}}/.github/workflows/scorecard.yml
@@ -29,7 +29,7 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block