diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2812bc91a..0da56aa41 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,4 +13,6 @@ updates:
 interval: monthly
 ignore:
 - dependency-name: "sangonzal/repository-traffic-action"
- versions: "v1"
+ versions: ["v1"]
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/binder-badge.yml b/.github/workflows/binder-badge.yml
index 22e7195e5..06dc3cb1e 100644
--- a/.github/workflows/binder-badge.yml
+++ b/.github/workflows/binder-badge.yml
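Review bot: The ignore entry `versions: ["v1"]` for `sangonzal/repository-traffic-action` only has an effect if Dependabot can map the pinned reference to a version, and traffic_action.yml in this same change pins that action to a commit SHA with the trailing comment `# v.0.1.6`, a tag form that is not semver-shaped, so whether the `v1` range ever matches is unclear. It would be worth confirming the upstream tag name and, if it really is `v.0.1.6`, recording that next to the ignore entry, e.g. `# upstream tags look like v.X.Y.Z; confirm Dependabot parses the version comment`. The new `cooldown` block is a reasonable supply-chain delay for freshly published action releases; a one-line comment stating what the 7 days are meant to cover would keep it from being tuned away later.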
@@ -1,11 +1,40 @@
+# Add Binder Link for testing a branch when a PR comment with `/binder` is made
+# https://mybinder.readthedocs.io/en/latest/howto/gh-actions-badges.html#example-2-comment-with-a-binder-badge-in-response-to-a-comment
 name: AddBinderBadge
-on:
- pull_request_target:
+on: [issue_comment] # issues and PRs are equivalent in terms of comments for the GitHub API
+
+permissions: {}
 
 jobs:
- badge:
- runs-on: ubuntu-latest
+ trigger-chatops:
+ # Make sure the comment is on a PR, and contains the command "/binder"
+ if: (github.event.issue.pull_request != null) && contains(github.event.comment.body, '/binder')
+ runs-on: ubuntu-slim
+ permissions:
+ pull-requests: write
+
 steps:
- - uses: manics/action-binderbadge@main
+ # Use the GitHub API to:
+ # (1) Get the branch name of the PR that has been commented on with "/binder"
+ # (2) make a comment on the PR with the binder badge
+ - name: comment on PR with Binder link
+ uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
- githubToken: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ // Get the branch name
+ github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.issue.number
+ }).then( (pr) => {
+
+ // use the branch name to make a comment on the PR with a Binder badge
+ var BRANCH_NAME = pr.data.head.ref
+ github.rest.issues.createComment({
+ issue_number: context.payload.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `[![Binder](https://mybinder.org/badge_logo.svg)](https://mybinder.org/v2/gh/${context.repo.owner}/${context.repo.repo}/${BRANCH_NAME}) :point_left: Launch a binder notebook on this branch`
+ })
+ })
diff --git a/.github/workflows/get_pypi_stats.yml b/.github/workflows/get_pypi_stats.yml
index 0c3f1b7b3..d84edac0b 100644
--- a/.github/workflows/get_pypi_stats.yml
+++ b/.github/workflows/get_pypi_stats.yml
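Review bot: `pr.data.head.ref` is interpolated unescaped into the comment body and into a URL that always names the base repository (`${context.repo.owner}/${context.repo.repo}`), so for a PR opened from a fork the Binder link points at a branch that does not exist here, and a branch name containing `)` or other Markdown-significant characters can break the link markup in the bot's comment. Because the job fires on any `/binder` comment (there is no `author_association` condition) and posting a comment is its only write, the impact is limited to a wrong or malformed bot comment, but the URL should still be built from `pr.data.head.repo.full_name` and `encodeURIComponent(pr.data.head.ref)`. The `github.rest.pulls.get(...).then(...)` chain is neither returned nor awaited, so an API failure (for instance `head.repo` being null after a fork is deleted) will not fail the step; `await`ing both calls fixes that. If only maintainers are meant to trigger the badge, adding `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to the job's `if:` narrows the trigger.
```yaml
# … unchanged: workflow trigger, permissions, step name/uses and github-token …
          script: |
            // Look up the PR so the badge points at the branch (and repository) it actually lives in
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.issue.number
            })
            // head.repo is null once a fork has been deleted; fall back to this repository
            const repoFullName = pr.data.head.repo ? pr.data.head.repo.full_name : `${context.repo.owner}/${context.repo.repo}`
            // encode the branch so '/' and Markdown-significant characters cannot break the link
            const branchRef = encodeURIComponent(pr.data.head.ref)
            await github.rest.issues.createComment({
              issue_number: context.payload.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `[![Binder](https://mybinder.org/badge_logo.svg)](https://mybinder.org/v2/gh/${repoFullName}/${branchRef}) :point_left: Launch a binder notebook on this branch`
            })
```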
@@ -6,11 +6,15 @@ on:
 # Trigger manually at https://github.com/icesat2py/icepyx/actions/workflows/get_pypi_stats.yml
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 # This workflow contains a single job called "pypi_stats"
 pypi_stats:
 # The type of runner that the job will run on
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # for Git to git push
 if: github.repository_owner == 'icesat2py'
 
 # Steps represent a sequence of tasks that will be executed as part of the job
@@ -19,6 +23,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: "traffic"
+ persist-credentials: false
 
 # Calculates pypi stats and clones and stores in CSV file
 - name: Update pypi stats files
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
index 8301a6ef6..918f83776 100644
--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -50,6 +50,7 @@ jobs:
 uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
diff --git a/.github/workflows/linter_actions.yml b/.github/workflows/linter_actions.yml
index e91b2a17c..3ef6a675d 100644
--- a/.github/workflows/linter_actions.yml
+++ b/.github/workflows/linter_actions.yml
@@ -5,11 +5,16 @@ on:
 branches:
 - development
 - main
+
+permissions: {}
+
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 
 # Use the Ruff linter to annotate code style / best-practice issues
 # NOTE: More config provided in pyproject.toml
diff --git a/.github/workflows/traffic_action.yml b/.github/workflows/traffic_action.yml
index 3d5f1103a..2816dacac 100644
--- a/.github/workflows/traffic_action.yml
+++ b/.github/workflows/traffic_action.yml
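Review bot: `persist-credentials: false` on the `ref: "traffic"` checkout in the second get_pypi_stats.yml hunk conflicts with the job-level `contents: write # for Git to git push` added in the first: if the "Update pypi stats files" step (its body lies outside the hunk) pushes with the token that checkout would normally leave in `.git/config`, that push will now fail to authenticate. traffic_action.yml and uml_action.yml in this same change use `persist-credentials: true` for exactly this push pattern, so either this workflow should match them, or, if the push authenticates with a separately supplied token, the `contents: write` grant can be dropped and the comment changed to name the token that performs the push. Either way the comment on the `permissions:` block should describe what actually does the pushing, since right now it documents a capability the checkout settings take away.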
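Review bot: With `permissions: {}` at the workflow level and no job-level grant, the `lint` job's checkout in linter_actions.yml appears to rely on the token still being able to read a public repository; the `test` jobs in typecheck.yml, unit_test.yml and integration_test.yml in this change follow the same pattern. A short comment on the new top-level line would keep that assumption visible, e.g. `permissions: {} # cloning a public repo needs no scope; add contents: read per job if the repo goes private`. The added `persist-credentials: false` is the right default for jobs that never push.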
@@ -7,11 +7,15 @@ on:
 # Trigger manually at https://github.com/icesat2py/icepyx/actions/workflows/publish_to_pypi.yml
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 # This workflow contains a single job called "traffic"
 traffic:
 # The type of runner that the job will run on
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # for Git to git push
 if: github.repository_owner == 'icesat2py'
 
 # Steps represent a sequence of tasks that will be executed as part of the job
@@ -20,10 +24,11 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: "traffic"
+ persist-credentials: true
 
 # Calculates traffic and clones and stores in CSV file
 - name: GitHub traffic
- uses: sangonzal/repository-traffic-action@v.0.1.6
+ uses: sangonzal/repository-traffic-action@404df77a0bfb110f8977fe14ddba62451ec868b7 # v.0.1.6
 env:
 TRAFFIC_ACTION_TOKEN: ${{ secrets.TRAFFIC_ACTION_TOKEN }}
 
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
index 844af8aac..154a423fd 100644
--- a/.github/workflows/typecheck.yml
+++ b/.github/workflows/typecheck.yml
@@ -7,6 +7,7 @@ on:
 - main
 - development
 
+permissions: {}
 
 jobs:
 test:
@@ -16,6 +17,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
diff --git a/.github/workflows/uml_action.yml b/.github/workflows/uml_action.yml
index 4e730cc53..d55424bb3 100644
--- a/.github/workflows/uml_action.yml
+++ b/.github/workflows/uml_action.yml
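Review bot: The context comment above `workflow_dispatch:` in traffic_action.yml, `# Trigger manually at .../publish_to_pypi.yml`, names a different workflow's URL, while the new `permissions` lines around it are correct; since the hunk touches this stanza anyway, the comment should point at this file (`.../traffic_action.yml`), as the matching comment in get_pypi_stats.yml already does for its own file.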
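Review bot: `persist-credentials: true` in the second traffic_action.yml hunk leaves the job token, now granted `contents: write`, in `.git/config` for the rest of the job, including the third-party `sangonzal/repository-traffic-action` step that runs immediately after it with its own `TRAFFIC_ACTION_TOKEN`. Pinning that action to a full commit SHA is the right supply-chain mitigation, but the persisted write token remains readable by it; if the later push can instead receive the token explicitly via `env` in the push step, `persist-credentials: false` would match the other workflows in this change. Since `true` is also checkout's default, the line mainly documents intent, so it should say so: `persist-credentials: true # token reused by the later git push`. The push step itself lies outside this hunk, so which token it uses is inferred here, not verified.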
@@ -1,20 +1,27 @@
 name: Update UML diagrams
+
 on:
 pull_request_review:
 types: [submitted]
 branches: development
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 diagrams:
 if: github.event.review.state == 'approved'
 name: Update UML diagrams
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # for Git to git push
+
 steps:
 - name: Check out repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.event.pull_request.head.ref }}
+ persist-credentials: true
 - name: set up environment
 run: |
 pip install -U pip
diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
index ffd17b2f6..5f1c581d6 100644
--- a/.github/workflows/unit_test.yml
+++ b/.github/workflows/unit_test.yml
@@ -10,9 +10,7 @@ on:
 - "development"
 workflow_run:
 workflows: [Update UML diagrams]
- types:
- - completed
-
+ types: [completed]
 
 # When this workflow is queued, automatically cancel any previous running
 # or pending jobs from the same branch
@@ -20,6 +18,7 @@ concurrency:
 group: "unit-tests-${{ github.ref }}"
 cancel-in-progress: true
 
+permissions: {}
 
 jobs:
 test:
@@ -33,6 +32,7 @@ jobs:
 - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
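Review bot: The uml_action.yml job runs on `pull_request_review` with a token now granted `contents: write`, checks out the PR head (`ref: ${{ github.event.pull_request.head.ref }}`), keeps that token in `.git/config` via `persist-credentials: true`, and then the "set up environment" step (which continues past this hunk) installs and, presumably, executes code from that branch; the only gate is `review.state == 'approved'`, and as I understand it an approving review is not restricted to accounts with write access (it merely does not count toward required reviews). That combination lets PR content run with a write-capable token, so the `if:` should also require a trusted reviewer, e.g. `if: github.event.review.state == 'approved' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)`. Because `head.ref` is resolved against this repository, a forked PR will typically fail the checkout (or check out a same-named local branch) rather than run, which limits today's exposure but is a side effect rather than a control. Since `true` is checkout's default, the new `persist-credentials` line documents intent and should say why: `persist-credentials: true # needed by the git push later in this job`.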