hydrologie · Zeitsperre · Sep 24, 2024 · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024
diff --git a/.cruft.json b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/Ouranosinc/cookiecutter-pypackage",
-  "commit": "b9dc57245a77dd3c465a444d4943884ee92157ea",
+  "commit": "1d9ee5f08d3e8e4f78a4aabb75e2ce4eff8750bf",
   "checkout": null,
   "context": {
     "cookiecutter": {

diff --git a/.github/deactivated/actions-versions-updater.yml b/.github/deactivated/actions-versions-updater.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,13 +1,25 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /.github/workflows/
+    directory: /.github/workflows
     schedule:
       interval: monthly
-    open-pull-requests-limit: 10
+    groups:
+      actions:
+        patterns:
+          - "*"
 
   - package-ecosystem: pip
     directory: /
     schedule:
       interval: monthly
-    open-pull-requests-limit: 10
+    groups:
+      ci:
+        patterns:
+          - "CI/*"
+      python:
+        patterns:
+          - "pyproject.toml"
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -1,81 +1,89 @@
-# This workflow requires a personal access token named `BUMP_VERSION_TOKEN` with the following privileges:
-# - Contents: Read and Write
-# - Metadata: Read-Only
-# - Pull Requests: Read and Write
-
 name: "Bump Patch Version"
 
 on:
   push:
     branches:
-      - master
+      - main
     paths-ignore:
       - .cruft.json
       - .editorconfig
-      - .github/**.yml
+      - .github/*/*.md
+      - .github/*/*.yml
       - .gitignore
-      - .gitattributes
-      - .nojekyll
       - .pre-commit-config.yaml
+      - .readthedocs.yml
       - .yamllint.yaml
+      - .zenodo.json
       - AUTHORS.rst
       - CHANGELOG.rst
       - CI/**/*.in
       - CI/**/*.py
       - CI/**/*.txt
       - CODE_OF_CONDUCT.md
       - CONTRIBUTING.rst
-      - docs/notebooks/**.ipynb
+      - Makefile
       - docs/*.py
       - docs/*.rst
+      - docs/notebooks
       - environment-dev.yml
       - environment-docs.yml
-      - Makefile
       - pyproject.toml
       - tests/**.py
       - tox.ini
       - src/xdatasets/__init__.py
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 jobs:
   bump_patch_version:
+    name: Bumpversion Patch
     runs-on: ubuntu-latest
     permissions:
       actions: read
-      contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.github.com:443
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-      - name: Checkout Repository (no persist-credentials)
+      - name: Generate App Token
+        id: token_generator
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ secrets.HYDROLOGIE_HELPER_BOT_ID }}
+          private-key: ${{ secrets.HYDROLOGIE_HELPER_BOT_KEY }}
+      - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
-          persist-credentials: false
-          fetch-depth: 0
+          token: ${{ steps.token_generator.outputs.token }}
       - name: Set up Python3
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.x"
-      - name: Config Commit Bot
-        run: |
-          git config --local user.email "bumpversion[bot]@hydrologie.com"
-          git config --local user.name "bumpversion[bot]"
+      - name: Import GPG Key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.HYDROLOGIE_HELPER_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.HYDROLOGIE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          trust_level: 5
       - name: Current Version
         run: |
           CURRENT_VERSION="$(grep -E '__version__' src/xdatasets/__init__.py | cut -d ' ' -f3)"
+          echo "current_version=${CURRENT_VERSION}"
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
       - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
-      - name: Conditional Bump Version
+      - name: Conditional Bump
         run: |
           if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
             echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version"
@@ -84,10 +92,11 @@ jobs:
             echo "Version is stable, bumping 'patch' version"
             bump-my-version bump patch
           fi
-          bump-my-version show-bump
+          NEW_VERSION="$(grep -E '__version__' src/xdatasets/__init__.py | cut -d ' ' -f3)"
+          echo "new_version=${NEW_VERSION}"
+          echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV
       - name: Push Changes
         uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
         with:
           force: false
-          github_token: ${{ secrets.BUMP_VERSION_TOKEN }}
           branch: ${{ github.ref }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -40,6 +40,7 @@ jobs:
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
+          cache: pip
       - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
@@ -48,18 +49,19 @@ jobs:
           python -m tox -e lint
 
   test-pypi:
-    name: test-${{ matrix.tox-env }} (Python${{ matrix.python-version }})
+    name: Test with Python${{ matrix.python-version }} (tox, ${{ matrix.os }}, ESMF ${{ matrix.esmf-version }})
     needs: lint
-    runs-on: ubuntu-latest
-    env:
-      ESMF_VERSION: "v8.5.0"
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
+        esmf-version: [ "v8.5.0" ]
+        os: [ 'ubuntu-latest' ]
         python-version:
           - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
+#          - "3.13"
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -77,30 +79,37 @@ jobs:
           ESMF_NETCDF: nc-config
         with:
           cache: true
-          version: ${{ env.ESMF_VERSION }}
+          version: ${{ matrix.esmf-version }}
       - name: Set up Python${{ matrix.python-version }}
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install tox
+          cache: pip
+      - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
+      - name: Environment Caching
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        with:
+          path: .tox
+          key: ${{ matrix.os }}-Python${{ matrix.python-version }}-${{ hashFiles('pyproject.toml', 'tox.ini') }}
       - name: Test with tox
         run: |
           tox
         env:
-          ESMF_VERSION: ${{ env.ESMF_VERSION }}
+          ESMF_VERSION: ${{ matrix.esmf-version }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COVERALLS_FLAG_NAME: run-${{ matrix.python-version }}
           COVERALLS_PARALLEL: true
           COVERALLS_SERVICE_NAME: github
 
   test-conda:
-    name: Test with Python${{ matrix.python-version }} (Anaconda)
+    name: Test with Python${{ matrix.python-version }} (Anaconda, ${{ matrix.os }})
     needs: lint
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
+        os: [ 'ubuntu-latest' ]
         python-version: [ "3.9", "3.10", "3.11", "3.12" ]
     defaults:
       run:
@@ -147,19 +156,13 @@ jobs:
       - test-pypi
       - test-conda
     runs-on: ubuntu-latest
-    container: python:3-slim
     steps:
-      - name: Checkout Repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
-          sparse-checkout: |
-            CI/requirements_ci.txt
-      - name: Install CI libraries
-        run: |
-          python -m pip install --require-hashes -r CI/requirements_ci.txt
+          disable-sudo: true
+          egress-policy: audit
       - name: Coveralls Finished
-        run: |
-          coveralls --finish
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COVERALLS_SERVICE_NAME: github
+        uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
+        with:
+          parallel-finished: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -67,6 +67,7 @@ repos:
     hooks:
       - id: blackdoc
         additional_dependencies: [ 'black==24.8.0' ]
+      - id: blackdoc-autoupdate-black
   - repo: https://github.com/kynan/nbstripout
     rev: 0.7.1
     hooks:

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -24,6 +24,11 @@ Changes
     * All `pip`-based dependencies used to run in CI are now managed by a CI/requirements_ci.txt that uses hashes of packages for security.
     * Documentation has been added for ``$ make initialize-translations``.
 * Fixed a bug where `clip_polygon` would not work if not given a `unique_id` during a `Query`. (:pull:`143`).
+* The bumpversion workflow now uses the Hydrologie Helper Bot to make signed commits. (:pull:`156`).
+* Updated the cookiecutter template to the latest commit. (:pull:`156`):
+    * Updated development dependencies to the latest versions.
+    * Staged support for Python3.13.
+    * Added environment caching to existing workflows.
 
 .. _changes_0.3.6:
 

diff --git a/docs/conf.py b/docs/conf.py
@@ -17,6 +17,7 @@
 # relative to the documentation root, use os.path.abspath to make it
 # absolute, like shown here.
 #
+import datetime
 import os
 import sys
 
@@ -62,22 +63,23 @@
 }
 
 nbsphinx_execute = "always"
+# The `getting_started` notebook is dependent on Amazon S3 servers that are not guaranteed available.
+# Therefore, we allow errors when building the documentation.
+nbsphinx_allow_errors = True
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ["_templates"]
 
 # The suffix(es) of source filenames.
-# You can specify multiple suffix as a list of string:
-#
-# source_suffix = ['.rst', '.md']
-source_suffix = [".rst"]
+# You can specify multiple suffix as a dictionary of suffix: filetype
+source_suffix = {".rst": "restructuredtext"}
 
 # The master toctree document.
 master_doc = "index"
 
 # General information about the project.
 project = "Xdatasets"
-copyright = "2023, Sebastien Langlois"
+copyright = f"2023-{datetime.datetime.now().year}, Sebastien Langlois"
 author = "Sebastien Langlois"
 
 # The version info for the project you're documenting, acts as replacement