Merge branch 'main' into ci_add_publish_workflow

.github/labeler.yml

@@ -143,6 +143,12 @@ Python:
       - any-glob-to-any-file:
         - '**/*.py'
         - '**/pyproject.toml'
+notebook:
+  - changed-files:
+      - any-glob-to-any-file:
+        - '**/*.ipynb'
+        - doc/notebooks/**
+        - python/grass/jupyter/**
 C:
   - changed-files:
       - any-glob-to-any-file: '**/*.c'

.github/workflows/apt.txt

@@ -13,6 +13,7 @@ libpdal-dev
 libpng-dev
 libproj-dev
 libreadline-dev
+libsvm-dev
 libzstd-dev
 pdal
 proj-bin

.github/workflows/build_ubuntu-22.04.sh

@@ -38,6 +38,7 @@ export INSTALL_PREFIX=$1
     --with-bzlib \
     --with-blas \
     --with-lapack \
+    --with-libsvm \
     --with-readline \
     --with-openmp \
     --with-pdal \

.github/workflows/clang-format-check.yml

@@ -6,20 +6,88 @@ on:
       - main
       - releasebranch_*
   pull_request:
-    branches:
-      - main
-      - releasebranch_*
+  workflow_dispatch:
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
-  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+permissions: {}
 jobs:
   formatting-check:
     name: Formatting Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-      - name: Run clang-format style check for C/C++/Protobuf programs.
-        uses: jidicula/clang-format-action@v4.11.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - uses: DoozyX/clang-format-lint-action@11b773b1598aa4ae3b32f023701bca5201c3817d # v0.17
+        with:
+          source: "."
+          clangFormatVersion: 15
+          inplace: True
+      - name: Verify Changed files
+        uses: tj-actions/verify-changed-files@d774a4c7ebe335445d79c7b44138f56a76058ba0 # v19.0.0
+        id: verify-changed-files
+      - id: git-changed-files
+        run: |
+          {
+            echo 'CHANGED_FILES<<EOF'
+            git ls-files --other --modified --exclude-standard
+            echo EOF
+          } >> "$GITHUB_OUTPUT"
+      - name: List all changed files tracked and untracked files
+        run: |
+          echo "Changed files: ${{ steps.git-changed-files.outputs.CHANGED_FILES }}"
+      - name: Add job summary without changed files
+        if: ${{ steps.verify-changed-files.outputs.files_changed == 'false' }}
+        run: |
+          {
+            echo "### Changed files:"
+            echo "No files were changed by clang-format"
+          } >> "$GITHUB_STEP_SUMMARY"
+      - name: Add job summary with changed files
+        if: ${{ steps.verify-changed-files.outputs.files_changed == 'true' }}
+        run: |
+          {
+            echo '### Changed files:'
+            echo '```'
+            echo "${CHANGED_FILES}"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+        env:
+          CHANGED_FILES: ${{ steps.git-changed-files.outputs.CHANGED_FILES }}
+      - name: Create unified diff of changes
+        if: ${{ steps.verify-changed-files.outputs.files_changed == 'true' }}
+        run: git diff --unified=0 --no-color --output=diff-clang-format.patch
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: ${{ steps.verify-changed-files.outputs.files_changed == 'true' }}
+        with:
+          name: diff
+          if-no-files-found: ignore
+          retention-days: 1
+          path: |
+            diff-clang-format.patch
+      - name: Add note to summary explaining that code suggestions will be applied if it is a PR
+        if: ${{ (github.event_name == 'pull_request') && (steps.verify-changed-files.outputs.files_changed == 'true') }}
+        run: |
+          {
+            echo ''
+            echo 'Suggestions can only be added near to lines changed in this PR.'
+            echo 'If any fixes can be added as code suggestions, they will be added shortly from another workflow.'
+          } >> "$GITHUB_STEP_SUMMARY"
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        if: always()
         with:
-          clang-format-version: '15'
-          check-path: .
+          name: formatted-clang-format
+          retention-days: 10
+          path: |
+            .clang-format
+            ${{ steps.git-changed-files.outputs.CHANGED_FILES }}
+      - name: Explain that more files need to be fixed
+        if: ${{ steps.verify-changed-files.outputs.files_changed == 'true' }}
+        run: |
+          {
+            echo ''
+            # shellcheck disable=SC2016
+            echo 'All fixed files are included in the `formatted-*` artifact. This artifact can be downloaded and copied to the repository to replace unformatted files with the formatted files.'
+          } >> "$GITHUB_STEP_SUMMARY"
+          exit 1

.github/workflows/coverity.yml

@@ -0,0 +1,20 @@
+name: Coverity Scan
+on:
+  workflow_dispatch: # run whenever a contributor calls it
+  schedule: 
+    - cron: '48 5 * * *' # Run at 05:48
+    # Coverity will let GRASS do a scan a maximum of twice per day, so this schedule will help GRASS fit within that limit with some additional space for manual runs
+
+jobs:
+  build:
+    runs-on: [ ubuntu-latest ]
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Coverity Scan
+        uses: synopsys-sig/synopsys-action@cef5e38596faf5d2787bbff78a5d7255a9f7682b # v1.8.0
+        with:
+          ### SCANNING: Required fields
+          coverity_url: ${{ secrets.COVERITY_URL }}               # The URL to Coverity
+          coverity_user: ${{ secrets.COVERITY_USER }}             # The user for the Coverity project
+          coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} # The password for the Coverity user

.github/workflows/label.yml

@@ -20,6 +20,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
-          sync-labels: true
+          sync-labels: false

.github/workflows/periodic_update.yml

@@ -25,15 +25,15 @@ jobs:
       - name: "Check that autoconf scripts are up-to-date:"
         run: |
           rm -f config.guess config.sub
-          wget http://git.savannah.gnu.org/cgit/config.git/plain/config.guess
-          wget http://git.savannah.gnu.org/cgit/config.git/plain/config.sub
+          wget http://git.savannah.gnu.org/cgit/config.git/plain/config.guess && chmod +x config.guess
+          wget http://git.savannah.gnu.org/cgit/config.git/plain/config.sub && chmod +x config.sub
       # Display changes, only to follow along in the logs.
       - run: git diff config.guess config.sub
       - name: Double check if files are modified
         run: git status --ignored
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2
         with:
           commit-message: "config.guess + config.sub: updated from http://git.savannah.gnu.org/cgit/config.git/plain/"
           branch: periodic/update-configure

.github/workflows/post-pr-reviews.yml

@@ -0,0 +1,45 @@
+---
+name: Post PR code suggestions
+
+on:
+  workflow_run:
+    workflows: ["ClangFormat Check"]
+    types:
+      - completed
+permissions: {}
+jobs:
+  post-suggestions:
+    runs-on: ubuntu-latest
+    # Only run on failures, since no changes are needed on success
+    if: >
+      (github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'failure')
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Create a .git directory needed by reviewdog
+        run: git init
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        id: diff
+        continue-on-error: true
+        with:
+          name: diff
+          github-token: ${{ github.token }}
+          run-id: ${{github.event.workflow_run.id }}
+      - uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
+      - run: |
+          GITHUB_ACTIONS="" reviewdog \
+              -name="${INPUT_TOOL_NAME:-reviewdog-suggester}" \
+              -f=diff \
+              -f.diff.strip=1 \
+              -filter-mode=nofilter \
+              -guess \
+              -reporter="github-pr-review" < "${TMPFILE}"
+        env:
+          TMPFILE: diff-clang-format.patch
+          INPUT_TOOL_NAME: clang-format
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CI_COMMIT: ${{ github.event.workflow_run.head_sha }}
+          CI_REPO_OWNER: ${{ github.event.workflow_run.repository.owner.login }}
+          CI_REPO_NAME: ${{ github.event.workflow_run.repository.name }}
+          # CI_PULL_REQUEST: "" # Populated from reviewdog's "-guess" flag since hard to get

.github/workflows/python-code-quality.yml

@@ -32,8 +32,11 @@ jobs:
             black-version: "23.1.0"
             flake8-version: "3.9.2"
             pylint-version: "2.12.2"
+            bandit-version: "1.7.8"
 
     runs-on: ${{ matrix.os }}
+    permissions:
+      security-events: write
 
     steps:
       - name: Versions
@@ -44,6 +47,7 @@ jobs:
           echo Black: ${{ matrix.black-version }}
           echo Flake8: ${{ matrix.flake8-version }}
           echo Pylint: ${{ matrix.pylint-version }}
+          echo Bandit: ${{matrix.bandit-version}}
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
@@ -68,6 +72,7 @@ jobs:
           pip install black==${{ matrix.black-version }}
           pip install flake8==${{ matrix.flake8-version }}
           pip install pylint==${{ matrix.pylint-version }} pytest-github-actions-annotate-failures
+          pip install bandit[sarif]==${{matrix.bandit-version}}
 
       - name: Run Black
         run: |
@@ -81,6 +86,21 @@ jobs:
         run: |
           flake8 --count --statistics --show-source --jobs=$(nproc) python/grass/{script,jupyter}/testsuite/
 
+      - name: Bandit Vulnerability Scan
+        run: |
+          bandit -c pyproject.toml -iii -r . -f sarif -o bandit.sarif --exit-zero
+
+      - name: Upload Bandit Scan Results
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: bandit.sarif
+          path: bandit.sarif
+
+      - name: Upload SARIF File into Security Tab
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: bandit.sarif
+
       - name: Create installation directory
         run: |
           mkdir $HOME/install
@@ -149,6 +169,7 @@ jobs:
           name: sphinx-grass
           path: sphinx-grass
           retention-days: 3
+
   python-success:
     name: Python Code Quality Result
     needs:

.github/workflows/super-linter.yml

@@ -34,7 +34,7 @@ jobs:
           # list of files that changed across commits
           fetch-depth: 0
       - name: Lint code base
-        uses: super-linter/super-linter/slim@v6.1.1
+        uses: super-linter/super-linter/slim@v6.3.0
         env:
           DEFAULT_BRANCH: main
           # To report GitHub Actions status checks
@@ -45,6 +45,7 @@ jobs:
           # Python (supported using Pylint) and C/C++ (not supported) are
           # handled separately due to the complexity of the settings.
           # VALIDATE_BASH: true
+          VALIDATE_BASH_EXEC: true
           # VALIDATE_CSS: true
           # VALIDATE_DOCKER: true
           VALIDATE_JAVASCRIPT_ES: true

.github/workflows/test_thorough.bat

@@ -2,4 +2,4 @@ set grass=%1
 set python=%2
 
 call %grass% --tmp-location XY --exec g.download.location url=https://grass.osgeo.org/sampledata/north_carolina/nc_spm_full_v2alpha2.tar.gz path=%USERPROFILE%
-call %grass% --tmp-location XY --exec %python% -m grass.gunittest.main --grassdata %USERPROFILE% --location nc_spm_full_v2alpha2 --location-type nc --min-success 60
+call %grass% --tmp-location XY --exec %python% -m grass.gunittest.main --grassdata %USERPROFILE% --location nc_spm_full_v2alpha2 --location-type nc --min-success 80

.gitignore

@@ -49,3 +49,4 @@ test_keyvalue_result.txt
 
 # ignore paths generated by helper tools
 node_modules
+include/VERSION_GIT

Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.6
+# syntax=docker/dockerfile:1.7
 
 # Note: This file must be kept in sync in ./Dockerfile and ./docker/ubuntu/Dockerfile.
 #       Changes to this file must be copied over to the other file.