Cookiecutter update

.cruft.json

@@ -1,6 +1,6 @@
 {
-  "template": "/home/tjs/git/cookiecutter-pypackage",
-  "commit": "f9e0b049711af2023e9a3f5df594f4dbc25b07c1",
+  "template": "https://github.com/Ouranosinc/cookiecutter-pypackage",
+  "commit": "14556700478b0afdb158d61dd35db26a77c2b83d",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -20,10 +20,10 @@
       "add_translations": "y",
       "command_line_interface": "Click",
       "create_author_file": "y",
-      "open_source_license": "Not open source",
+      "open_source_license": "Apache Software License 2.0",
       "generated_with_cruft": "y",
       "__gh_slug": "https://github.com/Ouranosinc/xscen",
-      "_template": "/home/tjs/git/cookiecutter-pypackage"
+      "_template": "https://github.com/Ouranosinc/cookiecutter-pypackage"
     }
   },
   "directory": null

.flake8

@@ -6,9 +6,6 @@ exclude =
 	docs/conf.py,
 	tests
 ignore =
-	AZ100,
-	AZ200,
-	AZ300,
 	C,
 	D,
 	E,

.github/deactivated/conda-build.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9"]
+        python-version: [ "3.9" ]
     steps:
       - uses: actions/[email protected]
         if: ${{ github.event.inputs.tag == '' }}

.github/dependabot.yml

@@ -1,13 +1,22 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directory: /.github/workflows
     schedule:
       interval: monthly
-    open-pull-requests-limit: 10
+    groups:
+      actions:
+        patterns:
+          - "*"
 
   - package-ecosystem: pip
     directory: /
     schedule:
       interval: monthly
-    open-pull-requests-limit: 10
+    groups:
+      python:
+        patterns:
+          - "*"

.github/labeler.yml

@@ -18,17 +18,22 @@
       - '.readthedocs.yml'
       - '.secrets.baseline'
       - '.yamllint.yaml'
+      - 'CI/**/*'
       - 'Makefile'
       - 'docs/Makefile'
       - 'tox.ini'
 
+# label 'docs' all documentation-related steps and files
 'docs':
   - changed_files:
     - any-glob-to-any-file:
+      - '.github/DISCUSSION_TEMPLATE/**/*'
       - '.github/ISSUE_TEMPLATE.md'
       - '.github/ISSUE_TEMPLATE/**/*'
       - '.github/PULL_REQUEST_TEMPLATE.md'
       - '.readthedocs.yml'
+      - 'AUTHORS.rst'
+      - 'CODE_OF_CONDUCT.md'
       - 'CONTRIBUTING.rst'
       - 'README.rst'
       - 'docs/**/*'

.github/workflows/bump-version.yml

@@ -22,6 +22,10 @@ on:
       - .yamllint.yaml
       - AUTHORS.rst
       - CHANGELOG.rst
+      - CI/**/*.in
+      - CI/**/*.py
+      - CI/**/*.txt
+      - CODE_OF_CONDUCT.md
       - CONTRIBUTING.rst
       - MANIFEST.in
       - Makefile
@@ -70,14 +74,13 @@ jobs:
         run: |
           git config --local user.email "bumpversion[bot]@ouranos.ca"
           git config --local user.name "bumpversion[bot]"
-      - name: Install bump-my-version
-        run: |
-          python -m pip install "bump-my-version>=0.18.3"
       - name: Current Version
         run: |
-          bump-my-version show current_version
           CURRENT_VERSION="$(grep -E '__version__' src/xscen/__init__.py | cut -d ' ' -f3)"
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
+      - name: Install CI libraries
+        run: |
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Conditional Bump Version
         run: |
           if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then

.github/workflows/codeql-analysis.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+  pull_request:
   schedule:
     - cron: '30 23 * * 5'
 

.github/workflows/dependency-review.yml

@@ -1,6 +1,7 @@
 # Dependency Review Action
 #
-# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

.github/workflows/first-pull-request.yml

@@ -13,7 +13,6 @@ jobs:
     name: Welcome
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner
@@ -57,5 +56,5 @@ jobs:
               It appears that this is your first Pull Request. To give credit where it's due, we ask that you add your information to the \`AUTHORS.rst\` and \`.zenodo.json\`:
                - [ ] The relevant author information has been added to \`AUTHORS.rst\` and \`.zenodo.json\`.
 
-              Please make sure you've read our [contributing guide](CONTRIBUTING.rst). We look forward to reviewing your Pull Request shortly ✨`
+              Please make sure you've read our [contributing guide](https://github.com/Ouranosinc/xscen/blob/main/CONTRIBUTING.rst). We look forward to reviewing your Pull Request shortly ✨`
             })

.github/workflows/label.yml

@@ -6,7 +6,7 @@
 # https://github.com/actions/labeler/blob/master/README.md
 
 name: Labeler
-on: [pull_request_target]
+on: [ pull_request_target ]
   # Note: potential security risk from this action using pull_request_target.
   # Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
   # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
@@ -19,8 +19,6 @@ jobs:
     name: Label
     runs-on: ubuntu-latest
     permissions:
-      checks: write
-      contents: read
       pull-requests: write
     steps:
       - name: Harden Runner

.github/workflows/main.yml

@@ -9,7 +9,7 @@ on:
       - CHANGELOG.rst
       - README.rst
       - pyproject.toml
-      - xscen/__init__.py
+      - src/xscen/__init__.py
   pull_request:
 
 concurrency:
@@ -44,32 +44,26 @@ jobs:
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install tox
+          cache: pip
+      - name: Install CI libraries
         run: |
-          python -m pip install tox
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Run linting suite
         run: |
           python -m tox -e lint
 
   test-pypi:
-    name: ${{ matrix.tox-build }} (Python${{ matrix.python-version }})
+    name: Test with Python${{ matrix.python-version }} (tox, ${{ matrix.os }})
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     env:
       COVERALLS_PARALLEL: true
       COVERALLS_SERVICE_NAME: github
       esmf-version: 8.4.2
     strategy:
       matrix:
-        include:
-          - python-version: "3.9"
-            tox-build: "py39-coveralls"
-          - python-version: "3.10"
-            tox-build: "py310-coveralls"
-          - python-version: "3.11"
-            tox-build: "py311-coveralls"
-          - python-version: "3.12"
-            tox-build: "py312-esmpy-coveralls"
+        os: [ 'ubuntu-latest' ]
+        python-version: [ "3.10", "3.11", "3.12" ] # "3.13"
     defaults:
       run:
         shell: bash -l {0}
@@ -87,16 +81,23 @@ jobs:
           environment-name: xscen-pypi
           create-args: >-
             esmf=${{ env.esmf-version }}
-            mamba
             python=${{ matrix.python-version }}
-            tox
+            tox>=4.17.1
+            tox-gh>=1.3.2
+      - name: Environment Caching
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        with:
+          path: .tox
+          key: ${{ matrix.os }}-Python${{ matrix.python-version }}-${{ hashFiles('pyproject.toml', 'tox.ini') }}
       - name: Test with tox
         run: |
-          python -m tox -e ${{ matrix.tox-build }}
+          python -m tox
         env:
           ESMF_VERSION: ${{ env.esmf-version }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COVERALLS_FLAG_NAME: run-Python${{ matrix.python-version }}
+          COVERALLS_PARALLEL: true
+          COVERALLS_SERVICE_NAME: github
 
 #      - name: Install esmpy
 #        run: |
@@ -122,16 +123,13 @@ jobs:
 #          COVERALLS_SERVICE_NAME: github
 
   test-conda:
-    name: Python${{ matrix.python-version }} (conda)
+    name: Test with Python${{ matrix.python-version }} (Anaconda, ${{ matrix.os }})
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        include:
-          - python-version: "3.9"
-          - python-version: "3.10"
-          - python-version: "3.11"
-          - python-version: "3.12"
+        os: [ 'ubuntu-latest' ]
+        python-version: [ "3.10", "3.11", "3.12" ] # "3.13"
     defaults:
       run:
         shell: bash -l {0}
@@ -156,20 +154,19 @@ jobs:
           micromamba install -y -c conda-forge intake-esm=2023.11.10
       - name: Conda and Mamba versions
         run: |
-          micromamba list
           echo "micromamba $(micromamba --version)"
       - name: Compile catalogs and install xscen
         run: |
           make translate
           python -m pip install --no-user --no-deps .
       - name: Check versions
         run: |
-          conda list
+          micromamba list
           python -m pip check || true
       - name: Test with pytest
         run: |
           python -m pytest --cov xscen
-      - name: Report coverage
+      - name: Report Coverage
         run: |
           python -m coveralls
         env:
@@ -183,12 +180,13 @@ jobs:
       - test-pypi
       - test-conda
     runs-on: ubuntu-latest
-    container: python:3-slim
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
       - name: Coveralls Finished
-        run: |
-          python -m pip install --upgrade coveralls
-          python -m coveralls --finish
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COVERALLS_SERVICE_NAME: github
+        uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
+        with:
+          parallel-finished: true

.github/workflows/publish-pypi.yml

@@ -33,11 +33,11 @@ jobs:
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.x"
-      - name: Install packaging libraries
+      - name: Install CI libraries
         run: |
-          python -m pip install build setuptools wheel
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Build a binary wheel and a source tarball
         run: |
           python -m build --sdist --wheel
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@8a08d616893759ef8e1aa1f2785787c0b97e20d6 # v1.10.0
+        uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1

.github/workflows/scorecard.yml

@@ -80,6 +80,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # 3.25.5
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # 3.26.6
         with:
           sarif_file: results.sarif