From 5e1c1a8cbcea3b0095affbe99ecb86a8b36baf2f Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 10 Dec 2024 13:10:06 -0500 Subject: [PATCH 01/12] update CHANGELOG.rst --- CHANGELOG.rst | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ffd7ab3fb..360287dbe 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -2,36 +2,37 @@ Changelog ========= -v0.54.0 (unreleased) +v0.54.0 (2024-12-11) -------------------- Contributors to this version: Trevor James Smith (:user:`Zeitsperre`), Pascal Bourgault (:user:`aulemahal`), Éric Dupuis (:user:`coxipi`), Sascha Hofmann (:user:`saschahofmann`). New features and enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * Python 3.9 coding conventions have been dropped in favour of Python 3.10+ conventions. (:pull:`1988`). +* ``xclim.indices.chill_unit`` now accepts a new argument ``positive_only`` to compute the daily positive chill units. (:pull:`2003`). Breaking changes ^^^^^^^^^^^^^^^^ * The minimum required version of `dask` has been increased to `2024.8.1`. (:issue:`1992`, :pull:`1991`). * The docstrings of many `xclim` modules, classes, methods, and functions have been slightly adjusted to ensure stricter compliance with established `numpy` docstring conventions. (:pull:`1988`). +* Using different time for ``ref`` and ``hist`` is now explicitly forbidden in many bias adjustment methods (e.g. `EmpiricalQuantileMapping`). Methods that combine ``ref``, ``hist``, and ``sim`` in the same `map_groups` also require that time arrays be equal in size. (:issue:`1903`, :pull:`1995`, :pull:`2013`). +* `xclim` now uses a `src` layout for the codebase. Structure-dependent functions, documentation, and build commands have been adapted to reflect these changes. Developers will need to reinstall `xclim` using `pip install -e .`. (:pull:`1971`). Bug fixes ^^^^^^^^^ * Fixed pickling issue with ``xclim.sdba.Grouper`` and other classes for usage with `dask>=2024.11`. (:issue:`1992`, :pull:`1993`). * Fixed an issue with ``nimbus`` that was causing URL path components to be improperly joined. (:pull:`1997`). -* `base_kws_vars` in `MBCn` is now copied inside the `adjust` function so that in-place changes do not change the dict globally. (:pull:`1999`). 
-* Fixed a bug in the logic of ``xclim.testing.utils.load_registry`` that impacted the ability to load a `registry.txt` from a non-default repository. (:pull:`2001`). +* ``base_kws_vars`` in `MBCn` is now copied inside the `adjust` function so that in-place changes do not change the dict globally. (:pull:`1999`). +* Fixed a bug in the logic of ``xclim.testing.utils.load_registry`` that impacted the ability to load a ``registry.txt`` from a non-default repository. (:pull:`2001`). Internal changes ^^^^^^^^^^^^^^^^ -* Changed french translations with word "pluvieux" to "avec précipitations". (:issue:`1960`, :pull:`1994`). -* Using different time for `ref` and `hist` is now explicitly forbidden in many bias adjustment methods (e.g. `EmpiricalQuantileMapping`). Methods that combine `ref,hist,sim` in a same `map_groups` also require the time arrays to be equal in size. (:issue:`1903`, :pull:`1995`, :pull:`2013`) -* Nans in `OTC` and `dOTC` are only dropped and put back in place at the lowest level so that the size of time array never changes on xarray levels. (:pull:`1995`, :pull:`2013`) -* `streamflow` entry replaced with `q` in ``variables.yml``. (:issue:`1912`, :pull:`1996`) +* Changed French translations with word "pluvieux" to "avec précipitations". (:issue:`1960`, :pull:`1994`). +* Nan values in `OTC` and `dOTC` are only dropped and replaced at the lowest level so that the size of time arrays never changes on xarray levels. (:pull:`1995`, :pull:`2013`) +* `streamflow` entry replaced with ``"q"`` in ``variables.yml``. (:issue:`1912`, :pull:`1996`). * In order to address 403 (forbidden) request errors when retrieving data from GitHub via ReadTheDocs, the ``nimbus`` class has been modified to use an overloaded `fetch` method that appends a User-Agent header to the request. (:pull:`2001`). * Addressed a very rare race condition that can happen if `pytest` is tearing down the test environment when running across multiple workers. (:pull:`1863`). 
* The `numpydoc` linting tool has been added to the development dependencies, linting checks, and the `pre-commit` configuration. (:pull:`1988`). -* `xclim` now uses a `src` layout for the codebase. Structure-dependent functions, documentation, and build commands have been adapted to reflect these changes. (:pull:`1971`). * Added a more robust `yamllint` configuration to ensure that all YAML files are linted consistently. (:pull:`1971`). * Addressed a very rare singular matrix error that can happen in ``test_loess_smoothing_nan``. (:pull:`2015`). @@ -39,10 +40,6 @@ CI changes ^^^^^^^^^^ * Added the `green-coding-solutions/eco-ci-energy-estimation` GitHub Action to the workflows to establish energy and carbon usage of CI activity. (:pull:`1863`). -New features and enhancements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* ``chill_unit`` now accepts a new argument `positive_only` to compute the daily positive chill units. (:pull:`2003`). - v0.53.2 (2024-10-31) -------------------- Contributors to this version: Éric Dupuis (:user:`coxipi`), Pascal Bourgault (:user:`aulemahal`), Trevor James Smith (:user:`Zeitsperre`). From 36bf01f388d955d8c88b5000d021d4841a2e5a6f Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 10 Dec 2024 13:10:06 -0500 Subject: [PATCH 02/12] update CHANGELOG.rst --- CHANGELOG.rst | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ffd7ab3fb..360287dbe 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -2,36 +2,37 @@ Changelog ========= -v0.54.0 (unreleased) +v0.54.0 (2024-12-11) -------------------- Contributors to this version: Trevor James Smith (:user:`Zeitsperre`), Pascal Bourgault (:user:`aulemahal`), Éric Dupuis (:user:`coxipi`), Sascha Hofmann (:user:`saschahofmann`). New features and enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * Python 3.9 coding conventions have been dropped in favour of Python 3.10+ conventions. (:pull:`1988`). +* ``xclim.indices.chill_unit`` now accepts a new argument ``positive_only`` to compute the daily positive chill units. (:pull:`2003`). Breaking changes ^^^^^^^^^^^^^^^^ * The minimum required version of `dask` has been increased to `2024.8.1`. (:issue:`1992`, :pull:`1991`). * The docstrings of many `xclim` modules, classes, methods, and functions have been slightly adjusted to ensure stricter compliance with established `numpy` docstring conventions. (:pull:`1988`). +* Using different time for ``ref`` and ``hist`` is now explicitly forbidden in many bias adjustment methods (e.g. `EmpiricalQuantileMapping`). Methods that combine ``ref``, ``hist``, and ``sim`` in the same `map_groups` also require that time arrays be equal in size. (:issue:`1903`, :pull:`1995`, :pull:`2013`). +* `xclim` now uses a `src` layout for the codebase. Structure-dependent functions, documentation, and build commands have been adapted to reflect these changes. Developers will need to reinstall `xclim` using `pip install -e .`. (:pull:`1971`). Bug fixes ^^^^^^^^^ * Fixed pickling issue with ``xclim.sdba.Grouper`` and other classes for usage with `dask>=2024.11`. (:issue:`1992`, :pull:`1993`). * Fixed an issue with ``nimbus`` that was causing URL path components to be improperly joined. (:pull:`1997`). -* `base_kws_vars` in `MBCn` is now copied inside the `adjust` function so that in-place changes do not change the dict globally. (:pull:`1999`). 
-* Fixed a bug in the logic of ``xclim.testing.utils.load_registry`` that impacted the ability to load a `registry.txt` from a non-default repository. (:pull:`2001`). +* ``base_kws_vars`` in `MBCn` is now copied inside the `adjust` function so that in-place changes do not change the dict globally. (:pull:`1999`). +* Fixed a bug in the logic of ``xclim.testing.utils.load_registry`` that impacted the ability to load a ``registry.txt`` from a non-default repository. (:pull:`2001`). Internal changes ^^^^^^^^^^^^^^^^ -* Changed french translations with word "pluvieux" to "avec précipitations". (:issue:`1960`, :pull:`1994`). -* Using different time for `ref` and `hist` is now explicitly forbidden in many bias adjustment methods (e.g. `EmpiricalQuantileMapping`). Methods that combine `ref,hist,sim` in a same `map_groups` also require the time arrays to be equal in size. (:issue:`1903`, :pull:`1995`, :pull:`2013`) -* Nans in `OTC` and `dOTC` are only dropped and put back in place at the lowest level so that the size of time array never changes on xarray levels. (:pull:`1995`, :pull:`2013`) -* `streamflow` entry replaced with `q` in ``variables.yml``. (:issue:`1912`, :pull:`1996`) +* Changed French translations with word "pluvieux" to "avec précipitations". (:issue:`1960`, :pull:`1994`). +* Nan values in `OTC` and `dOTC` are only dropped and replaced at the lowest level so that the size of time arrays never changes on xarray levels. (:pull:`1995`, :pull:`2013`) +* `streamflow` entry replaced with ``"q"`` in ``variables.yml``. (:issue:`1912`, :pull:`1996`). * In order to address 403 (forbidden) request errors when retrieving data from GitHub via ReadTheDocs, the ``nimbus`` class has been modified to use an overloaded `fetch` method that appends a User-Agent header to the request. (:pull:`2001`). * Addressed a very rare race condition that can happen if `pytest` is tearing down the test environment when running across multiple workers. (:pull:`1863`). 
* The `numpydoc` linting tool has been added to the development dependencies, linting checks, and the `pre-commit` configuration. (:pull:`1988`). -* `xclim` now uses a `src` layout for the codebase. Structure-dependent functions, documentation, and build commands have been adapted to reflect these changes. (:pull:`1971`). * Added a more robust `yamllint` configuration to ensure that all YAML files are linted consistently. (:pull:`1971`). * Addressed a very rare singular matrix error that can happen in ``test_loess_smoothing_nan``. (:pull:`2015`). @@ -39,10 +40,6 @@ CI changes ^^^^^^^^^^ * Added the `green-coding-solutions/eco-ci-energy-estimation` GitHub Action to the workflows to establish energy and carbon usage of CI activity. (:pull:`1863`). -New features and enhancements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* ``chill_unit`` now accepts a new argument `positive_only` to compute the daily positive chill units. (:pull:`2003`). - v0.53.2 (2024-10-31) -------------------- Contributors to this version: Éric Dupuis (:user:`coxipi`), Pascal Bourgault (:user:`aulemahal`), Trevor James Smith (:user:`Zeitsperre`). From d4d84bb0943e5ee21e3a829157fc11e3cd38bbe3 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:44:01 -0500 Subject: [PATCH 03/12] Add DOI, mastodon URL, add information about coding conventions --- CHANGELOG.rst | 6 +++--- README.rst | 13 +++++++------ pyproject.toml | 2 ++ 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 360287dbe..2580e34cb 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -16,7 +16,7 @@ Breaking changes * The minimum required version of `dask` has been increased to `2024.8.1`. (:issue:`1992`, :pull:`1991`). * The docstrings of many `xclim` modules, classes, methods, and functions have been slightly adjusted to ensure stricter compliance with established `numpy` docstring conventions. (:pull:`1988`). * Using different time for ``ref`` and ``hist`` is now explicitly forbidden in many bias adjustment methods (e.g. `EmpiricalQuantileMapping`). Methods that combine ``ref``, ``hist``, and ``sim`` in the same `map_groups` also require that time arrays be equal in size. (:issue:`1903`, :pull:`1995`, :pull:`2013`). -* `xclim` now uses a `src` layout for the codebase. Structure-dependent functions, documentation, and build commands have been adapted to reflect these changes. Developers will need to reinstall `xclim` using `pip install -e .`. (:pull:`1971`). +* `xclim` now uses a `src` layout for the codebase. Structure-dependent functions, documentation, and build commands have been adapted to reflect these changes. Developers will need to reinstall `xclim` using ``pip install -e .``. (:pull:`1971`). Bug fixes ^^^^^^^^^ 
@@ -28,9 +28,9 @@ Bug fixes Internal changes ^^^^^^^^^^^^^^^^ * Changed French translations with word "pluvieux" to "avec précipitations". (:issue:`1960`, :pull:`1994`). -* Nan values in `OTC` and `dOTC` are only dropped and replaced at the lowest level so that the size of time arrays never changes on xarray levels. (:pull:`1995`, :pull:`2013`) +* Nan values in `OTC` and `dOTC` are only dropped and replaced at the lowest level so that the size of time arrays never changes on `xarray` levels. (:pull:`1995`, :pull:`2013`) * `streamflow` entry replaced with ``"q"`` in ``variables.yml``. (:issue:`1912`, :pull:`1996`). -* In order to address 403 (forbidden) request errors when retrieving data from GitHub via ReadTheDocs, the ``nimbus`` class has been modified to use an overloaded `fetch` method that appends a User-Agent header to the request. (:pull:`2001`). +* In order to address ``Error 403`` (forbidden) requests when retrieving data from GitHub via ReadTheDocs, the ``nimbus`` class has been modified to use an overloaded `fetch` method that appends a modified User-Agent header to the request. (:pull:`2001`). * Addressed a very rare race condition that can happen if `pytest` is tearing down the test environment when running across multiple workers. (:pull:`1863`). * The `numpydoc` linting tool has been added to the development dependencies, linting checks, and the `pre-commit` configuration. (:pull:`1988`). * Added a more robust `yamllint` configuration to ensure that all YAML files are linted consistently. (:pull:`1971`). diff --git a/README.rst b/README.rst index f48a063ac..b56a3ff32 100644 --- a/README.rst +++ b/README.rst 
@@ -74,8 +74,13 @@ However, xclim will *always* assume the temporal coordinate is named "time". If ds = ds.rename(T="time") +`xclim` code uses the `black`_ formatter, a modified `ruff`_ linting configuration, and (mostly) adheres to the `NumPy docstring`_ style. For more information on coding and development conventions, see the `Contributing Guidelines`_. + +.. _black: https://black.readthedocs.io/en/stable/ +.. _ruff: https://docs.astral.sh/ruff/ .. _CF Conventions: http://cfconventions.org/ .. _CMIP6: https://clipc-services.ceda.ac.uk/dreq/mipVars.html +.. _NumPy docstring: https://numpydoc.readthedocs.io/en/stable/format.html Contributing to xclim --------------------- @@ -132,10 +137,6 @@ This package was created with Cookiecutter_ and the `audreyfeldroy/cookiecutter- :target: https://github.com/Ouranosinc/xclim/discussions :alt: Static Badge -.. |gitter| image:: https://badges.gitter.im/Ouranosinc/xclim.svg - :target: https://gitter.im/Ouranosinc/xclim?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge - :alt: Gitter Chat - .. |build| image:: https://github.com/Ouranosinc/xclim/actions/workflows/main.yml/badge.svg :target: https://github.com/Ouranosinc/xclim/actions/workflows/main.yml :alt: Build Status @@ -204,8 +205,8 @@ This package was created with Cookiecutter_ and the `audreyfeldroy/cookiecutter- :alt: pre-commit.ci status .. |ruff| image:: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json - :target: https://github.com/astral-sh/ruff - :alt: Ruff + :target: https://github.com/astral-sh/ruff + :alt: Ruff .. |status| image:: https://www.repostatus.org/badges/latest/active.svg :target: https://www.repostatus.org/#active diff --git a/pyproject.toml b/pyproject.toml index 8378637e6..40c3a2dd1 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -124,6 +124,8 @@ xclim = "xclim.cli:cli" "Source" = "https://github.com/Ouranosinc/xclim/" "Changelog" = "https://xclim.readthedocs.io/en/stable/history.html" "Issue tracker" = "https://github.com/Ouranosinc/xclim/issues" +"Mastodon" = "https://fosstodon.org/@xclim" +"Zenodo" = "https://doi.org/10.5281/zenodo.2795043" "About Ouranos" = "https://www.ouranos.ca/en/" [tool] From 17c350c86230b6d22b268261c993495b90561bf2 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Fri, 13 Dec 2024 10:16:52 -0500 Subject: [PATCH 04/12] significantly secure workflows by restricting injection and not persisting access tokens across steps --- .github/workflows/bump-version.yml | 14 +++++--------- .github/workflows/cache-cleaner.yml | 2 ++ .github/workflows/codeql.yml | 16 +++++++++++----- .github/workflows/dependency-review.yml | 2 ++ .github/workflows/main.yml | 8 ++++++++ .github/workflows/publish-mastodon.yml | 11 +++++++++-- .github/workflows/publish-pypi.yml | 2 ++ .github/workflows/scorecard.yml | 4 +++- .github/workflows/tag-testpypi.yml | 2 ++ .github/workflows/testdata-version.yml | 9 +++++++-- .github/workflows/upstream.yml | 1 + 11 files changed, 52 insertions(+), 19 deletions(-) diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index ae0e002e3..55a3a6017 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -6,10 +6,10 @@ on: - main paths-ignore: - .* - - .github/*/*.md - - .github/*/*.yml - .github/*.md - .github/*.yml + - .github/*/*.md + - .github/*/*.yml - CHANGELOG.rst - CI/*.in - CI/*.txt @@ -56,6 +56,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ steps.token_generator.outputs.token }} + persist-credentials: false - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: 
@@ -68,17 +69,12 @@ jobs: git_user_signingkey: true git_commit_gpgsign: true trust_level: 5 - - name: Current Version - run: | - CURRENT_VERSION="$(grep -E '__version__' src/xclim/__init__.py | cut -d ' ' -f3)" - echo "current_version=${CURRENT_VERSION}" - echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV - name: Install CI libraries run: | python -m pip install --require-hashes -r CI/requirements_ci.txt - name: Conditional Bump run: | - if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then + if [[ $(bump-my-version show-bump | head -n 2 | tail -n 1 | cut -d' ' -f1) =~ -dev(\.\d+)? ]]; then echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version" bump-my-version bump build else @@ -87,9 +83,9 @@ jobs: fi NEW_VERSION="$(grep -E '__version__' src/xclim/__init__.py | cut -d ' ' -f3)" echo "new_version=${NEW_VERSION}" - echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV - name: Push Changes uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0 with: force: false branch: ${{ github.ref }} + github_token: '${{ token_generator.outputs.token }}' diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml index 1dbdde016..ecff143ca 100644 --- a/.github/workflows/cache-cleaner.yml +++ b/.github/workflows/cache-cleaner.yml @@ -26,6 +26,8 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Cleanup run: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ea1e08d16..5278ab1fd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -5,17 +5,17 @@ on: branches: - main paths-ignore: + - .github/*/*.yml + - .pre-commit-config.yaml - CHANGELOG.rst - CI/*.txt - Makefile - - pyproject.toml - - tox.ini - - src/xclim/__init__.py - docs/*/*.ipynb - docs/*/*.py - docs/*/*.rst - - .github/*/*.yml - - .pre-commit-config.yaml + - pyproject.toml + - src/xclim/__init__.py + - tox.ini pull_request: branches: - main @@ -51,14 +51,20 @@ jobs: objects.githubusercontent.com:443 pypi.org:443 uploads.github.com:443 + - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@1245696032ecf7d39f87d54daa406e22ddf769a8 with: languages: ${{ matrix.language }} + - name: Autobuild uses: github/codeql-action/autobuild@1245696032ecf7d39f87d54daa406e22ddf769a8 + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@1245696032ecf7d39f87d54daa406e22ddf769a8 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 5134beff1..721dd4bbd 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -41,6 +41,8 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Dependency Review uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2a28cada2..2c19ed8f3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -63,6 +63,8 @@ jobs: continue-on-error: true - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: 
@@ -138,6 +140,8 @@ jobs: continue-on-error: true - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python${{ matrix.python-version }} uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: @@ -263,6 +267,8 @@ jobs: continue-on-error: true - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install Eigen3 (SBCK) if: ${{ matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest' }} run: | @@ -367,6 +373,8 @@ jobs: continue-on-error: true - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 with: diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml index b9c0e6a47..e43d18b17 100644 --- a/.github/workflows/publish-mastodon.yml +++ b/.github/workflows/publish-mastodon.yml @@ -26,12 +26,14 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get Release Description run: | # Fetch the release information using the GitHub API RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ github.event.release.tag_name }}") + "https://api.github.com/repos/${{ github.repository }}/releases/tags/${TAG_NAME}") # Extract the release description from the response RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body) 
@@ -43,6 +45,8 @@ jobs: CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1) echo "contributors=${CONTRIBUTORS}" >> $GITHUB_ENV + env: + TAG_NAME: ${{ github.event.release.tag_name }} - name: Prepare Message id: render_template @@ -55,7 +59,10 @@ jobs: - name: Message Preview run: | - echo "${{ steps.render_template.outputs.result }}${{ env.contributors }}" + echo "${TEMPLATE}${CONTRIBUTORS}" + env: + TEMPLATE: ${{ steps.render_template.outputs.result }} + CONTRIBUTORS: ${{ env.contributors }} - name: Send toot to Mastodon uses: cbrgm/mastodon-github-action@50b70e53ab0871a90fe364ff96e783c7e3633f15 # v2.1.11 diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index aec9b5786..07b6dbafa 100644 --- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -30,6 +30,8 @@ jobs: upload.pypi.org:443 - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 40d3a222b..fc54179ce 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -16,7 +16,9 @@ on: - main # Declare default permissions as read only. -permissions: read-all +# Read-all permission is not technically needed for this workflow. +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml index 56d74a0f3..03b43dd57 100644 --- a/.github/workflows/tag-testpypi.yml +++ b/.github/workflows/tag-testpypi.yml @@ -30,6 +30,8 @@ jobs: test.pypi.org:443 - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python3 uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: 
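Review bot: in the "Get Release Description" hunk of publish-mastodon.yml, moving `${{ github.event.release.tag_name }}` out of the `run:` script into `env: TAG_NAME` is the right fix, but `${{ secrets.GITHUB_TOKEN }}` is still expanded inline in the `curl -sH "Authorization: Bearer ..."` command. A secret is not attacker-controlled, so this is not an injection vector, but for consistency with the rest of the patch it should also be passed via `env:` (for example `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `Bearer ${GH_TOKEN}` in the script). The `contributors=...` line written to `$GITHUB_ENV` is derived from the release body; the `head -n 1` filter is what keeps it to a single line and therefore prevents a multi-line value from defining extra variables through GITHUB_ENV, so that filter should stay, and `"$GITHUB_ENV"` should be quoted to keep shellcheck quiet.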
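Review bot: the scorecard.yml hunk narrows the top-level `permissions: read-all` to `contents: read`, which is the correct default, but the job-level permissions of the `analysis` job are outside the hunk. The OSSF Scorecard action needs `security-events: write` to upload its SARIF results and `id-token: write` to publish them, so confirm the job still declares those explicitly; otherwise the upload steps start failing with this change. The comment "Read-all permission is not technically needed for this workflow" would be clearer if it said that the needed write scopes are granted at job level.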
diff --git a/.github/workflows/testdata-version.yml b/.github/workflows/testdata-version.yml index 8a54d058a..5f7754517 100644 --- a/.github/workflows/testdata-version.yml +++ b/.github/workflows/testdata-version.yml @@ -31,6 +31,8 @@ jobs: github.com:443 - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Find xclim-testdata Tag and CI Testing Branch run: | XCLIM_TESTDATA_TAG="$( \ @@ -43,8 +45,11 @@ jobs: echo "XCLIM_TESTDATA_BRANCH=${XCLIM_TESTDATA_BRANCH}" >> $GITHUB_ENV - name: Report Versions Found run: | - echo "Latest xclim-testdata tag: ${{ env.XCLIM_TESTDATA_TAG }}" - echo "Tag for xclim-testdata in CI: ${{ env.XCLIM_TESTDATA_BRANCH }}" + echo "Latest xclim-testdata tag: ${XCLIM_TESTDATA_TAG}" + echo "Tag for xclim-testdata in CI: ${XCLIM_TESTDATA_BRANCH}" + env: + XCLIM_TESTDATA_TAG: ${{ env.XCLIM_TESTDATA_TAG }} + XCLIM_TESTDATA_BRANCH: ${{ env.XCLIM_TESTDATA_BRANCH }} - name: Find Comment uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 id: fc diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index e33e8a7ff..fe446be9b 100644 --- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml @@ -69,6 +69,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Fetch all history for all branches and tags. + persist-credentials: false - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 with: From 72f455d3705a6e6ef947c08f61bbafbdd6493945 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Fri, 13 Dec 2024 10:40:52 -0500 Subject: [PATCH 05/12] further simplify version checks --- .github/workflows/bump-version.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
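Review bot: in the "Push Changes" hunk of bump-version.yml, `github_token: '${{ token_generator.outputs.token }}'` is not a valid context reference. Step outputs are addressed as `steps.<id>.outputs.<name>`, as the checkout step earlier in the same file already does with `${{ steps.token_generator.outputs.token }}`; GitHub rejects an unrecognized named value when it validates the workflow, so the whole workflow fails to start rather than merely pushing without a token. Since the checkout now sets `persist-credentials: false`, this step is the only place the app token reaches `git push`, so it must read `github_token: ${{ steps.token_generator.outputs.token }}` (the single quotes are unnecessary). Dropping the "Current Version" step and the `${{ env.CURRENT_VERSION }}` expansion inside `run:` is the right fix for the template-injection path; the replacement `$(bump-my-version show-bump | head -n 2 | tail -n 1 | cut -d' ' -f1)` depends on the exact line layout of `show-bump` output, which is fragile, and a value the tool exposes directly would be more robust.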
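Review bot: in the "Report Versions Found" hunk of testdata-version.yml, the added `env:` block (`XCLIM_TESTDATA_TAG: ${{ env.XCLIM_TESTDATA_TAG }}` and the BRANCH equivalent) is redundant: variables written to `$GITHUB_ENV` in the previous step are already exported as environment variables to later steps, so `${XCLIM_TESTDATA_TAG}` in the script resolves without re-declaring it. It is harmless, because a `${{ env.X }}` expression inside an `env:` mapping is never shell-interpreted; the change to the `run:` lines is what removes the template expansion from the script, and the `env:` block can be dropped.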
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 55a3a6017..304cb9663 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -74,15 +74,15 @@ jobs: python -m pip install --require-hashes -r CI/requirements_ci.txt - name: Conditional Bump run: | - if [[ $(bump-my-version show-bump | head -n 2 | tail -n 1 | cut -d' ' -f1) =~ -dev(\.\d+)? ]]; then + CURRENT_VERSION=$(bump-my-version show current_version) + if [[ ${CURRENT_VERSION} =~ -dev(\.\d+)? ]]; then echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version" bump-my-version bump build else echo "Version is stable, bumping 'patch' version" bump-my-version bump patch fi - NEW_VERSION="$(grep -E '__version__' src/xclim/__init__.py | cut -d ' ' -f3)" - echo "new_version=${NEW_VERSION}" + echo "new_version=$(bump-my-version show current_version)" - name: Push Changes uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0 with: From 78e972e20c394172ac36e03d20e57d0f36a884d5 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Fri, 13 Dec 2024 11:06:36 -0500 Subject: [PATCH 06/12] update CHANGELOG.rst --- CHANGELOG.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5276ccfa8..be96192b6 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -40,6 +40,9 @@ Internal changes CI changes ^^^^^^^^^^ * Added the `green-coding-solutions/eco-ci-energy-estimation` GitHub Action to the workflows to establish energy and carbon usage of CI activity. (:pull:`1863`). +* Various workflow security fixes: (:pull:`2023`) + * Simplified the `bump-version.yml` version string parsing to harden against template injection. + * Further de-escalated privileges for most workflows. New features and enhancements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From 1059c43b0e444a158af8e280302ee4ddcda956d4 Mon Sep 17 00:00:00 2001 
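Review bot: in the "Conditional Bump" hunk of bump-version.yml, the added test `[[ ${CURRENT_VERSION} =~ -dev(\.\d+)? ]]` uses `\d`, which is not part of the POSIX ERE dialect that bash's `=~` uses (glibc treats `\d` as a literal `d`). It still behaves correctly only because the group is optional, so the match reduces to the `-dev` substring; writing it as `-dev(\.[0-9]+)?$` makes the intent explicit and anchors it to the end of the version string. Replacing the `grep`/`cut` parse of src/xclim/__init__.py with `bump-my-version show current_version` is a good simplification, since the script now reads the same value the tool is about to bump.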
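Review bot: in the CHANGELOG.rst hunk, the two nested bullets under "* Various workflow security fixes: (:pull:`2023`)" are indented to the same column as the parent item's text with no blank line before them, so reStructuredText will treat them as continuation lines of the parent paragraph (rendering a literal "* Simplified ..." inline) rather than as a sub-list. Insert a blank line between the parent item and the nested list, and add the trailing period that the other entries place after the (:pull:`...`) reference.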
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 12:10:05 +0000 Subject: [PATCH 07/12] Bump mamba-org/setup-micromamba from 2.0.2 to 2.0.3 in the actions group Bumps the actions group with 1 update: [mamba-org/setup-micromamba](https://github.com/mamba-org/setup-micromamba). Updates `mamba-org/setup-micromamba` from 2.0.2 to 2.0.3 - [Release notes](https://github.com/mamba-org/setup-micromamba/releases) - [Commits](https://github.com/mamba-org/setup-micromamba/compare/06375d89d211a1232ef63355742e9e2e564bc7f7...068f1ab4b37ed9b3d9f73da7db90a0cda0a48d29) --- updated-dependencies: - dependency-name: mamba-org/setup-micromamba dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/main.yml | 2 +- .github/workflows/upstream.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2c19ed8f3..353a0014c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -376,7 +376,7 @@ jobs: with: persist-credentials: false - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} - uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 + uses: mamba-org/setup-micromamba@068f1ab4b37ed9b3d9f73da7db90a0cda0a48d29 # v2.0.3 with: cache-downloads: true cache-environment: true diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index fe446be9b..3d21ebaa6 100644 --- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml 
@@ -71,7 +71,7 @@ jobs: fetch-depth: 0 # Fetch all history for all branches and tags. persist-credentials: false - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} - uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 + uses: mamba-org/setup-micromamba@068f1ab4b37ed9b3d9f73da7db90a0cda0a48d29 # v2.0.3 with: cache-downloads: true cache-environment: true From 30bbb0e318ef3530085fd9d20e0b9e51bae101a9 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:12:20 -0500 Subject: [PATCH 08/12] update release date Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index de91fb51d..a4d922613 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,7 +2,7 @@ Changelog ========= -v0.54.0 (2024-12-12) +v0.54.0 (2024-12-16) -------------------- Contributors to this version: Trevor James Smith (:user:`Zeitsperre`), Pascal Bourgault (:user:`aulemahal`), Éric Dupuis (:user:`coxipi`), Sascha Hofmann (:user:`saschahofmann`). From a76da5dfc7ec11febba77543a33ffe443ce843ae Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:18:23 -0500 Subject: [PATCH 09/12] use signoff by default Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 561490523..5972813d8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -140,7 +140,7 @@ target-version = [ [tool.bumpversion] current_version = "0.53.3-dev.17" commit = true -commit_args = "--no-verify" +commit_args = "--no-verify --signoff" tag = false allow_dirty = false parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)(\\-(?P[a-z]+)(\\.(?P\\d+)))?" 
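Review bot: in the pyproject.toml hunk, `commit_args = "--no-verify --signoff"` adds a `Signed-off-by:` trailer to the automated bump commits, which is a DCO attestation and not a cryptographic signature; those commits are GPG-signed only because bump-version.yml configures `git_commit_gpgsign: true` (visible in the earlier hunk of that workflow), so the two mechanisms are complementary rather than interchangeable. Note also that `--no-verify` continues to skip pre-commit hooks for these commits, which is acceptable for a version bump but means the rewritten version files are not linted on the way in.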
From 39d73358d93c9c964e02a8b610622af378a11138 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:18:42 -0500 Subject: [PATCH 10/12] =?UTF-8?q?Bump=20version:=200.53.3-dev.17=20?= =?UTF-8?q?=E2=86=92=200.54.0-dev.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- pyproject.toml | 2 +- src/xclim/__init__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 5972813d8..2135fc1e8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -138,7 +138,7 @@ target-version = [ ] [tool.bumpversion] -current_version = "0.53.3-dev.17" +current_version = "0.54.0-dev.0" commit = true commit_args = "--no-verify --signoff" tag = false diff --git a/src/xclim/__init__.py b/src/xclim/__init__.py index 29a057cab..273bf8e3d 100644 --- a/src/xclim/__init__.py +++ b/src/xclim/__init__.py @@ -13,7 +13,7 @@ __author__ = """Travis Logan""" __email__ = "logan.travis@ouranos.ca" -__version__ = "0.53.3-dev.17" +__version__ = "0.54.0-dev.0" with _resources.as_file(_resources.files("xclim.data")) as _module_data: From 6589a5bb17172a10cc3030f2a3f183f2cd9cfb2a Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:54:03 -0500 Subject: [PATCH 11/12] fix token Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- .github/workflows/bump-version.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 304cb9663..741c83a45 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml 
@@ -88,4 +88,4 @@ jobs: with: force: false branch: ${{ github.ref }} - github_token: '${{ token_generator.outputs.token }}' + github_token: ${{ steps.token_generator.outputs.token }} From e9a3e10053190b9d5e11f92ecb15beebd6e2629b Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 16 Dec 2024 16:22:02 -0500 Subject: [PATCH 12/12] =?UTF-8?q?Bump=20version:=200.54.0-dev.0=20?= =?UTF-8?q?=E2=86=92=200.54.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- pyproject.toml | 2 +- src/xclim/__init__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 2135fc1e8..e701b45c8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -138,7 +138,7 @@ target-version = [ ] [tool.bumpversion] -current_version = "0.54.0-dev.0" +current_version = "0.54.0" commit = true commit_args = "--no-verify --signoff" tag = false diff --git a/src/xclim/__init__.py b/src/xclim/__init__.py index 273bf8e3d..52f8cc550 100644 --- a/src/xclim/__init__.py +++ b/src/xclim/__init__.py @@ -13,7 +13,7 @@ __author__ = """Travis Logan""" __email__ = "logan.travis@ouranos.ca" -__version__ = "0.54.0-dev.0" +__version__ = "0.54.0" with _resources.as_file(_resources.files("xclim.data")) as _module_data:
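Review bot: in the PATCH 07 main.yml hunk, the new pin `mamba-org/setup-micromamba@068f1ab4b37ed9b3d9f73da7db90a0cda0a48d29 # v2.0.3` matches the end of the compare range quoted in the Dependabot message, and the workflow keeps a full commit SHA with a version comment rather than a mutable tag, which is the right way to reference a third-party action; nothing to change here. One follow-up check: grep the rest of `.github/workflows/` for the old SHA `06375d89d211a1232ef63355742e9e2e564bc7f7`, since only main.yml and upstream.yml are touched by this commit.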
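Review bot: in the PATCH 09 `[tool.bumpversion]` hunk, `commit_args = "--no-verify --signoff"` adds the DCO sign-off but keeps `--no-verify`, so the automated bump commit still bypasses the repository's pre-commit and commit-msg hooks; if that is intended (the bump is made by CI and the diff is mechanical), a short comment above `commit_args` saying so would save the next reader from removing it. Unrelated to the change but visible in the trailing context: `parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)(\\-(?P[a-z]+)(\\.(?P\\d+)))?"` shows `(?P\\d+)` groups with no names, which is not valid Python regex syntax and looks like the `<major>`-style group names were stripped when the patch was rendered; confirm the named groups (`major`, `minor`, `patch` and the pre-release ones) are intact in the actual pyproject.toml, or bumpversion will fail to parse `current_version`.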
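Review bot: the PATCH 11 bump-version.yml hunk is a correctness fix rather than a cosmetic one: `${{ token_generator.outputs.token }}` names no valid expression context (step outputs are only reachable as `steps.<id>.outputs.<name>`), so the old `github_token` would have evaluated to an empty string and the push step could not have authenticated with the generated token. Two things to confirm before merging: that a step with `id: token_generator` exists earlier in this job, and that the token it mints is scoped to the minimum the push needs (write access to contents on this repository), since it is used to push to `${{ github.ref }}` with `force: false`.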
