update cookiecutter to latest commit (#70)

### What kind of change does this PR introduce? * Updates the cookiecutter to the latest commits * `xhydro` is now Semantic Version v2.0.0-compliant * Added a few workflows (Change file labelling, Cache cleaning, Dependency scans, OpenSSF Scorecard) * Updated pre-commit hook versions * Formatting tools are now pinned to their pre-commit equivalents * `actions-version-updater.yml` has been replaced by `dependabot` ### Does this PR introduce a breaking change? Boilerplate documentation is largely unchanged. Workflows are now more a bit more elegant, including automatic labelling, warnings about unsafe changes to workflows, security-related changes, etc. `actions-versions-updater.yml` has been replaced with `Dependendabot` (it's just better). There's support for evaluating the OpenSSF Scorecard (this can be disabled if we want). Code formatting tools are now hard-pinned. These need to be kept in sync with changes from `pre-commit`. `Dependabot` should do this task automatically via Pull Requests. Versioning scheme is now SemVer 2.0-compliant: * If the version doesn't end in `-dev` or `-dev.##`, `$ bump-my-version bump patch` will be called. This will set the version at `X.Y.Z+1-dev`. Otherwise, `$ bump-my-version bump build` will be called. This is all automated by the `bump-version.yml`. When the version is ready for a release, it's up to the maintainer to call the following: * `$ bump-my-version bump release` (for a patch release; i.e. `1.2.0` → `1.2.1`) or * `$ bump-my-version bump minor` then `$ bump-my-version bump release` (for a minor release; i.e. `1.2.0` → `1.3.0`) ### Other information: Ouranosinc/cookiecutter-pypackage#30
hydrologie · Feb 1, 2024 · 73e24a4 · 73e24a4
2 parents 2075735 + 3247f49
commit 73e24a4
Show file tree

Hide file tree

Showing 32 changed files with 509 additions and 81 deletions.
diff --git a/.coveralls.yml b/.coveralls.yml
diff --git a/.cruft.json b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/Ouranosinc/cookiecutter-pypackage",
-  "commit": "64eceda7d95aeb8937fa9961989d3d617a525c04",
+  "commit": "617b216e87e1ddf008fcca890dfd5dd1ee601f51",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -17,6 +17,7 @@
       "use_conda": "y",
       "add_pyup_badge": "n",
       "make_docs": "y",
+      "add_translations": "y",
       "command_line_interface": "No command-line interface",
       "create_author_file": "y",
       "open_source_license": "Apache Software License 2.0",

diff --git a/...ub/workflows/actions-versions-updater.yml → .../deactivated/actions-versions-updater.yml b/...ub/workflows/actions-versions-updater.yml → .../deactivated/actions-versions-updater.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+      time: '12:00'
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+      time: '12:00'
+    open-pull-requests-limit: 10
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -0,0 +1,20 @@
+# label rules used by .github/workflows/label.yml
+
+# label 'ci' all automation-related steps and files
+#   Since this repository is in itself an automation process to deploy a server instance,
+#   we refer here to CI as the 'meta' configuration files for managing the code and integrations with the repository,
+#   not configurations related to the deployment process itself.
+
+# Uncomment the following lines to enable the labeler (requires labels with the same name to exist in the repository)
+
+# label 'ci' all automation-related steps and files
+'CI':
+  - changed-files:
+    - any-glob-to-any-file:
+      - '.editorconfig'
+      - '.flake8'
+      - '.pre-commit-config.yaml'
+      - '.yamllint.yml'
+      - '.github/workflows/*'
+      - 'tox.ini'
+      - 'Makefile'
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -1,3 +1,8 @@
+# This workflow requires a personal access token named `BUMP_VERSION_TOKEN` with the following privileges:
+# - Contents: Read and Write
+# - Metadata: Read-Only
+# - Pull Requests: Read and Write
+
 name: "Bump Patch Version"
 
 on:
@@ -38,6 +43,15 @@ jobs:
       actions: read
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
       - uses: actions/checkout@v4.1.1
         with:
           persist-credentials: false
@@ -48,14 +62,23 @@ jobs:
         run: |
           git config --local user.email "bumpversion[bot]@hydrologie.com"
           git config --local user.name "bumpversion[bot]"
+      - name: Install bump-my-version
+        run: |
+          python -m pip install "bump-my-version>=0.17.1"
       - name: Current Version
-        run: echo "current_version=$(grep -E '__version__'  xhydro/__init__.py | cut -d ' ' -f3)"
-      - name: Bump Patch Version
         run: |
-          pip install bump-my-version
-          echo "Bumping version"
-          bump-my-version bump --tag patch
-          echo "new_version=$(grep -E '__version__'  xhydro/__init__.py | cut -d ' ' -f3)"
+          bump-my-version show current_version
+          CURRENT_VERSION="$(grep -E '__version__' xhydro/__init__.py | cut -d ' ' -f3)"
+          echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
+      - name: Conditional Bump Version
+        run: |
+          if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
+            echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version"
+            bump-my-version show new_version --increment build
+          else
+            echo "Version is stable, bumping 'patch' version"
+            bump-my-version show new_version --increment patch
+          fi
       - name: Push Changes
         uses: ad-m/github-push-action@v0.8.0
         with:

diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml
@@ -0,0 +1,47 @@
+# Example taken from https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#managing-caches
+name: Cleanup Caches on Pull Request Merge
+on:
+  pull_request:
+    types:
+      - closed
+
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
+jobs:
+  cleanup:
+    name: Cleanup
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+
+      - uses: actions/checkout@v4.1.1
+
+      - name: Cleanup
+        run: |
+          gh extension install actions/gh-actions-cache
+
+          REPO=${{ github.repository }}
+          BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"
+
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
+
+          ## Setting this to not fail the workflow while deleting cache keys.
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR
+          do
+              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,31 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976
diff --git a/.github/workflows/first_pull_request.yml → .github/workflows/first-pull-request.yml b/.github/workflows/first_pull_request.yml → .github/workflows/first-pull-request.yml
@@ -16,6 +16,14 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - uses: actions/github-script@v7.0.1
         with:
           script: |
@@ -45,7 +53,7 @@ jobs:
               repo: context.repo.repo,
               body: `**Welcome**, new contributor!
 
-              It appears that this is your first Pull Request. To give credit where it's due, we ask that you add your information to the \`AUTHORS.rst\` and \`.zenodo.json\`.:
+              It appears that this is your first Pull Request. To give credit where it's due, we ask that you add your information to the \`AUTHORS.rst\` and \`.zenodo.json\`:
                - [ ] The relevant author information has been added to \`AUTHORS.rst\` and \`.zenodo.json\`.
 
               Please make sure you've read our [contributing guide](CONTRIBUTING.rst). We look forward to reviewing your Pull Request shortly ✨`

diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -0,0 +1,37 @@
+# This workflow will triage pull requests and apply a label based on the
+# paths that are modified in the pull request.
+#
+# To use this workflow, you will need to set up a .github/labeler.yml
+# file with configuration.  For more information, see:
+# https://github.com/actions/labeler/blob/master/README.md
+
+name: Labeler
+on:
+  pull_request_target:
+  # Note: potential security risk from this action using pull_request_target.
+  # Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
+  # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+
+permissions:
+  contents: read
+
+jobs:
+  label:
+    name: Label
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
+      - uses: actions/labeler@v5.0.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -5,16 +5,21 @@ on:
     branches:
       - main
     paths-ignore:
+      - .cruft.json
       - CHANGES.rst
       - README.rst
-      - setup.cfg
       - pyproject.toml
+      - tests/test_xhydro.py
       - xhydro/__init__.py
   pull_request:
 
+concurrency:
+  # For a given workflow, if we push to the same branch, cancel all previous builds on that branch except on master.
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
 permissions:
   contents: read
-  pull-requests: read
 
 jobs:
   lint:
@@ -25,11 +30,7 @@ jobs:
         python-version:
           - "3.x"
     steps:
-      - name: Cancel previous runs
-        uses: styfle/cancel-workflow-action@0.12.1
-        with:
-          access_token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@v4
       - name: Set up Python${{ matrix.python-version }}
         uses: actions/setup-python@v5.0.0
         with:
@@ -48,11 +49,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.9", "3.10", "3.11"]
+        include:
+          - python-version: "3.9"
+          - python-version: "3.10"
+          - python-version: "3.11"
+#          - python-version: "3.12"
     defaults:
       run:
         shell: bash -l {0}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4.1.1
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
         uses: mamba-org/setup-micromamba@v1.8.0

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -17,6 +17,10 @@ jobs:
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4.1.1
       - name: Set up Python3
         uses: actions/setup-python@v5.0.0