Add an Ouranos Helper Bot for bumping the main branch version, Workfl…

…ow cleanup, Address security warnings (#1790)   ### Pull Request Checklist: - [ ] This PR addresses an already opened issue (for bug fixes / features) - This PR fixes #xyz - [ ] Tests for the changes have been added (for bug fixes / features) - [ ] (If applicable) Documentation has been added / updated (for bug fixes / features) - [x] CHANGES.rst has been updated (with summary of main changes) - [x] Link to issue (:issue:`number`) and pull request (:pull:`number`) has been added ### What kind of change does this PR introduce? * Adds a GitHub App integration for bumping the main branch when events trigger the `bumpversion.yml` workflow. * bump-my-version has been bumped to the latest version (v0.23.0) * netcdf4 has been pinned for stability reasons ### Does this PR introduce a breaking change? The repository now uses GitHub repository rulesets (recommended) instead of branch protections (older) ### Other information: https://medium.com/@lauravuo/managing-github-branch-protections-4fa37b36ee4f
Ouranosinc · Jun 25, 2024 · 7502365 · 7502365
2 parents a1a1a25 + 3168127
commit 7502365
Show file tree

Hide file tree

Showing 37 changed files with 166 additions and 163 deletions.
diff --git a/.flake8 b/.flake8
@@ -6,9 +6,6 @@ exclude =
  .eggs,
  tests
 ignore =
- AZ100,
- AZ200,
- AZ300,
  C,
  D,
  E,

diff --git a/.github/deactivated/actions-versions-updater.yml b/.github/deactivated/actions-versions-updater.yml
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -24,7 +24,15 @@ jobs:
  allowed-endpoints: >
  api.github.com:443
 
- - uses: actions/add-to-project@9bfe908f2eaa7ba10340b31e314148fcfe6a2458 # v1.0.1
+ - name: Generate App Token
+ id: token_generator
+ uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+ with:
+ app-id: ${{ secrets.OURANOS_HELPER_BOT_ID }}
+ private-key: ${{ secrets.OURANOS_HELPER_BOT_KEY }}
+
+ - name: Add Issue to xclim Project
+ uses: actions/add-to-project@9bfe908f2eaa7ba10340b31e314148fcfe6a2458 # v1.0.1
  with:
  project-url: https://github.com/orgs/Ouranosinc/projects/6
- github-token: ${{ secrets.ADD_TO_PROJECT_TOKEN }}
+ github-token: ${{ steps.token_generator.outputs.token }}
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -9,6 +9,7 @@ on:
  - .github/*/*.md
  - .github/*/*.yml
  - CHANGES.rst
+ - CI/*.txt
  - Makefile
  - docs/*/*.ipynb
  - docs/*/*.py
@@ -19,7 +20,6 @@ on:
  - environment.yml
  - pylintrc
  - pyproject.toml
- - requirements_upstream.txt
  - tox.ini
  - xclim/__init__.py
 
@@ -43,26 +43,31 @@ jobs:
  files.pythonhosted.org:443
  github.com:443
  pypi.org:443
+ - name: Generate App Token
+ id: token_generator
+ uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+ with:
+ app-id: ${{ secrets.OURANOS_HELPER_BOT_ID }}
+ private-key: ${{ secrets.OURANOS_HELPER_BOT_KEY }}
  - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  with:
- persist-credentials: false
+ token: ${{ steps.token_generator.outputs.token }}
  - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
  python-version: "3.x"
  - name: Config Commit Bot
  run: |
- git config --local user.email "bumpversion[bot]@ouranos.ca"
- git config --local user.name "bumpversion[bot]"
+ git config --local user.email "ouranos-helper-bot@ouranos.ca"
+ git config --local user.name "ouranos-helper-bot"
  - name: Current Version
  run: |
  CURRENT_VERSION="$(grep -E '__version__' xclim/__init__.py | cut -d ' ' -f3)"
  echo "current_version=${CURRENT_VERSION}"
  echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
- - name: Install bump-my-version
+ - name: Install CI libraries
  run: |
- python -m pip install bump-my-version==0.21.0
+ python -m pip install -r CI/requirements_ci.txt
  - name: Conditional Bump
- id: bump
  run: |
  if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
  echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version"
@@ -75,8 +80,7 @@ jobs:
  echo "new_version=${NEW_VERSION}"
  echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV
  - name: Push Changes
- uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df
+ uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
  with:
  force: false
- github_token: ${{ secrets.BUMP_VERSION_TOKEN }}
  branch: ${{ github.ref }}
diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml
@@ -22,7 +22,7 @@ jobs:
  github.com:443
  objects.githubusercontent.com:443
 
- - name: Check out code
+ - name: Checkout Repository
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Cleanup

diff --git a/.github/workflows/codeql-analysis.yml → .github/workflows/codeql.yml b/.github/workflows/codeql-analysis.yml → .github/workflows/codeql.yml
@@ -6,15 +6,15 @@ on:
  - main
  paths-ignore:
  - CHANGES.rst
+ - CI/*.txt
  - Makefile
  - pyproject.toml
- - requirements_upstream.txt
  - tox.ini
  - xclim/__init__.py
- - docs/**.ipynb
- - docs/**.py
- - docs/**.rst
- - .github/**.yml
+ - docs/*/*.ipynb
+ - docs/*/*.py
+ - docs/*/*.rst
+ - .github/*/*.yml
  - .pre-commit-config.yaml
  schedule:
  - cron: '30 23 * * 5'
@@ -48,7 +48,7 @@ jobs:
  objects.githubusercontent.com:443
  pypi.org:443
  uploads.github.com:443
- - name: Checkout repository
+ - name: Checkout Repository
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -4,7 +4,7 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
-name: 'Dependency Review'
+name: Dependency Review
 on:
  pull_request:
 
@@ -25,8 +25,8 @@ jobs:
  api.github.com:443
  github.com:443
 
- - name: 'Checkout Repository'
+ - name: Checkout Repository
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
- - name: 'Dependency Review'
+ - name: Dependency Review
  uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
diff --git a/.github/workflows/first-pull-request.yml b/.github/workflows/first-pull-request.yml
@@ -24,7 +24,8 @@ jobs:
  allowed-endpoints: >
  api.github.com:443
 
- - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ - name: Welcome New Contributor
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
  with:
  script: |
  // Get a list of all issues created by the PR opener

diff --git a/.github/workflows/label-on-approval.yml b/.github/workflows/label-on-approval.yml
@@ -62,14 +62,14 @@ jobs:
  egress-policy: block
  allowed-endpoints: >
  api.github.com:443
- - name: Find comment
+ - name: Find Comment
  uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
  id: fc
  with:
  issue-number: ${{ github.event.pull_request.number }}
  comment-author: 'github-actions[bot]'
  body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
- - name: Create comment
+ - name: Create Comment
  if: |
  (steps.fc.outputs.comment-id == '') &&
  (!contains(github.event.pull_request.labels.*.name, 'approved')) &&
@@ -82,7 +82,7 @@ jobs:
  > **Warning**
  > This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
  edit-mode: replace
- - name: Update comment
+ - name: Update Comment
  if: |
  contains(github.event.pull_request.labels.*.name, 'approved')
  uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0

diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -36,6 +36,7 @@ jobs:
  allowed-endpoints: >
  api.github.com:443
 
- - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+ - name: Labeler
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
  with:
  repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -52,14 +52,15 @@ jobs:
  files.pythonhosted.org:443
  github.com:443
  pypi.org:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Python${{ matrix.python-version }}
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
  python-version: ${{ matrix.python-version }}
- - name: Install pip, pylint, and tox
+ - name: Install CI libraries
  run: |
- python -m pip install flit==3.9 pip==24.0 pylint==3.1 tox==4.15
+ python -m pip install -r CI/requirements_ci.txt
  - name: Run pylint
  run: |
  python -m pylint --rcfile=.pylintrc.toml --disable=import-error --exit-zero xclim
@@ -91,14 +92,15 @@ jobs:
  github.com:443
  pypi.org:443
  raw.githubusercontent.com:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Python${{ matrix.python-version }}
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
  python-version: ${{ matrix.python-version }}
- - name: Install tox
+ - name: Install CI libraries
  run: |
- python -m pip install flit==3.9 pip==24.0 tox==4.15
+ python -m pip install -r CI/requirements_ci.txt
  - name: Test with tox
  run: |
  python -m tox -e ${{ matrix.tox-env }}
@@ -179,9 +181,9 @@ jobs:
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
  python-version: ${{ matrix.python-version }}
- - name: Install tox
+ - name: Install CI libraries
  run: |
- python -m pip install flit==3.9 pip==24.0 tox==4.15 tox-gh==1.3.1
+ python -m pip install -r CI/requirements_ci.txt
  - name: Test with tox
  run: |
  python -m tox -e ${{ matrix.tox-env }} -- ${{ matrix.markers }}
@@ -223,7 +225,8 @@ jobs:
  pypi.org:443
  raw.githubusercontent.com:443
  repo.anaconda.com:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
  uses: mamba-org/setup-micromamba@f8b8a1e23a26f60a44c853292711bacfd3eac822 # v1.9.0
  with:
@@ -277,9 +280,16 @@ jobs:
  runs-on: ubuntu-latest
  container: python:3-slim
  steps:
- - name: Coveralls Finished
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ sparse-checkout: |
+ CI/requirements_ci.txt
+ - name: Install CI libraries
+ run: |
+ python -m pip install -r CI/requirements_ci.txt
+ - name: Coveralls finished
  run: |
- python -m pip install --upgrade coveralls==4.0
  python -m coveralls --finish
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml
@@ -34,7 +34,7 @@ jobs:
  fosstodon.org:443
  github.com:443
 
- - name: Checkout
+ - name: Checkout Repository
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Current Version

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -27,14 +27,15 @@ jobs:
  github.com:443
  pypi.org:443
  upload.pypi.org:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Python3
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
  python-version: "3.x"
- - name: Install packaging libraries
+ - name: Install CI libraries
  run: |
- python -m pip install flit==3.9.0
+ python -m pip install -r CI/requirements_ci.txt
  - name: Build a binary wheel and a source tarball
  run: |
  python -m flit build

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -34,12 +34,12 @@ jobs:
  with:
  egress-policy: audit
 
- - name: "Checkout code"
+ - name: Checkout Repository
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
  with:
  persist-credentials: false
 
- - name: "Run analysis"
+ - name: Run Analysis
  uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534
  with:
  results_file: results.sarif
@@ -58,15 +58,15 @@ jobs:
 
  # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  # format to the repository Actions tab.
- - name: "Upload artifact"
+ - name: Upload Artifact
  uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
  with:
  name: SARIF file
  path: results.sarif
  retention-days: 5
 
  # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
+ - name: Upload to code-scanning
  uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # 3.23.0
  with:
  sarif_file: results.sarif
diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
@@ -27,14 +27,15 @@ jobs:
  github.com:443
  pypi.org:443
  test.pypi.org:443
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Python3
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
  python-version: "3.x"
- - name: Install packaging libraries
+ - name: Install CI libraries
  run: |
- python -m pip install flit==3.9.0
+ python -m pip install -r CI/requirements_ci.txt
  - name: Build a binary wheel and a source tarball
  run: |
  python -m flit build