Bump the actions group in /.github/workflows with 4 updates + Update cookiecutter (#113)

Author: dependabot[bot]

.cruft.json

@@ -1,21 +1,20 @@
 {
   "template": "https://github.com/Ouranosinc/cookiecutter-pypackage.git",
-  "commit": "760bcbb2540bd973d57ea1aa1f1b24759f6d0955",
+  "commit": "66708e5e15f00caaaaf1748bf0a7e041bc5c6243",
   "checkout": null,
   "context": {
     "cookiecutter": {
       "full_name": "Abel Aoun",
       "email": "aoun.abel@gmail.com",
       "github_username": "xarray-contrib",
+      "orcid_id": "0000-0003-2289-2890",
       "project_name": "xncml",
       "project_slug": "xncml",
       "project_short_description": "Tools for manipulating NcML (NetCDF Markup Language) files with/for xarray",
       "pypi_username": "bzah",
       "version": "0.5.1",
       "use_pytest": "y",
-      "use_black": "n",
       "use_conda": "n",
-      "add_pyup_badge": "n",
       "make_docs": "y",
       "add_translations": "n",
       "command_line_interface": "No command-line interface",
@@ -24,7 +23,7 @@
       "generated_with_cruft": "y",
       "__gh_slug": "https://github.com/xarray-contrib/xncml",
       "_template": "https://github.com/Ouranosinc/cookiecutter-pypackage.git",
-      "_commit": "760bcbb2540bd973d57ea1aa1f1b24759f6d0955"
+      "_commit": "66708e5e15f00caaaaf1748bf0a7e041bc5c6243"
     }
   },
   "directory": null

.flake8

@@ -10,6 +10,7 @@ ignore =
 	D,
 	E,
 	F,
+	RST210,
 	W503
 per-file-ignores =
 rst-roles =

.github/dependabot.yml

@@ -6,7 +6,7 @@ updates:
   - package-ecosystem: github-actions
     directory: /.github/workflows
     schedule:
-      interval: monthly
+      interval: "quarterly"
     groups:
       actions:
         patterns:
@@ -15,7 +15,7 @@ updates:
   - package-ecosystem: pip
     directory: /
     schedule:
-      interval: monthly
+      interval: "quarterly"
     groups:
       ci:
         patterns:

.github/workflows/codeql.yml

@@ -65,7 +65,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -94,6 +94,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -32,4 +32,4 @@ jobs:
           persist-credentials: false
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1

.github/workflows/main.yml

@@ -24,8 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version:
-          - "3.x"
+        python-version: [ "3.13" ]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -61,11 +60,7 @@ jobs:
     strategy:
       matrix:
         os: [ 'ubuntu-latest' ]
-        python-version:
-          - "3.10"
-          - "3.11"
-          - "3.12"
-          - "3.13"
+        python-version: [ "3.10", "3.11", "3.12", "3.13" ]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/publish-pypi.yml

@@ -16,6 +16,9 @@ jobs:
     permissions:
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
+    strategy:
+      matrix:
+        python: [ "3.13" ]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -28,19 +31,24 @@ jobs:
             pypi.org:443
             ruf-repo-cdn.sigstore.dev:443
             upload.pypi.org:443
+
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+
       - name: Set up Python3
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: "3.x"
+          python-version: ${{ matrix.python }}
+
       - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
+
       - name: Build a binary wheel and a source tarball
         run: |
           python -m flit build
+
       - name: Publish distribution 📦 to PyPI
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

.github/workflows/tag-testpypi.yml

@@ -19,13 +19,20 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            test.pypi.org:443
+
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+
       - name: Create Release
-        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # 2.3.3
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # 2.4.1
         env:
           # This token is provided by Actions, you do not need to create your own token
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -42,6 +49,9 @@ jobs:
     permissions:
       # IMPORTANT: this permission is mandatory for trusted publishing
       id-token: write
+    strategy:
+      matrix:
+        python: [ "3.13" ]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -54,20 +64,25 @@ jobs:
             pypi.org:443
             ruf-repo-cdn.sigstore.dev:443
             test.pypi.org:443
+
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+
       - name: Set up Python3
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: "3.x"
+          python-version: ${{ matrix.python }}
+
       - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
+
       - name: Build a binary wheel and a source tarball
         run: |
           python -m flit build
+
       - name: Publish distribution 📦 to Test PyPI
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:

.github/workflows/workflow-warning.yml

@@ -31,6 +31,7 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+
       - name: Find Warning Comment
         uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
         id: fc_warning
@@ -39,12 +40,13 @@ jobs:
           comment-author: 'github-actions[bot]'
           body-includes: |
             This Pull Request modifies GitHub workflows and is coming from a fork.
+
       - name: Create Warning Comment
         if: |
           (steps.fc_warning.outputs.comment-id == '') &&
           (!contains(github.event.pull_request.labels.*.name, 'approved')) &&
           (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         with:
           comment-id: ${{ steps.fc_warning.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -53,17 +55,19 @@ jobs:
             > This Pull Request modifies GitHub Workflows and is coming from a fork.
             **It is very important for the reviewer to ensure that the workflow changes are appropriate.**
           edit-mode: replace
+
       - name: Find Note Comment
         uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
         id: fc_note
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
           body-includes: Workflow changes in this Pull Request have been approved!
+
       - name: Update Comment
         if: |
           contains(github.event.pull_request.labels.*.name, 'approved')
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         with:
           comment-id: ${{ steps.fc_note.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.pre-commit-config.yaml

@@ -11,24 +11,26 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
-        exclude: '.ipynb'
-      - id: fix-byte-order-marker
       - id: name-tests-test
         args: [ '--pytest-test-first' ]
       - id: no-commit-to-branch
         args: [ '--branch', 'main' ]
       - id: check-docstring-first
       - id: check-merge-conflict
       - id: check-json
+      - id: pretty-format-json
+        args: [ '--autofix', '--no-ensure-ascii', '--no-sort-keys' ]
+        exclude: '.ipynb'
       - id: check-toml
       - id: check-yaml
         args: [ '--allow-multiple-documents' ]
       - id: debug-statements
-      - id: pretty-format-json
-        args: [ '--autofix', '--no-ensure-ascii', '--no-sort-keys' ]
+      - id: end-of-file-fixer
         exclude: '.ipynb'
+      - id: fix-byte-order-marker
+      - id: name-tests-test
+        args: [ '--pytest-test-first' ]
+      - id: trailing-whitespace
   - repo: https://github.com/pappasam/toml-sort
     rev: v0.24.3
     hooks:
@@ -52,8 +54,8 @@ repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: v0.13.3
     hooks:
-      - id: ruff
-        args: [ '--fix' ]
+      - id: ruff-check
+        args: [ '--fix', '--show-fixes' ]
       - id: ruff-format
   - repo: https://github.com/pycqa/flake8
     rev: 7.3.0
@@ -66,7 +68,7 @@ repos:
     hooks:
       - id: vulture
 #  - repo: https://github.com/pre-commit/mirrors-mypy
-#    rev: v1.14.1
+#    rev: v1.18.2
 #    hooks:
 #      - id: mypy
   - repo: https://github.com/codespell-project/codespell
@@ -76,7 +78,7 @@ repos:
         additional_dependencies: [ 'tomli' ]
         args: [ '--toml=pyproject.toml' ]
 #  - repo: https://github.com/numpy/numpydoc
-#    rev: v1.8.0
+#    rev: v1.9.0
 #    hooks:
 #      - id: numpydoc-validation
 #        exclude: ^docs/|^tests/