icesat2py · weiji14 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,4 +13,6 @@ updates:
       interval: monthly
     ignore:
       - dependency-name: "sangonzal/repository-traffic-action"
-        versions: "v1"
+        versions: ["v1"]
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/binder-badge.yml b/.github/workflows/binder-badge.yml
@@ -1,11 +1,40 @@
+# Add Binder Link for testing a branch when a PR comment with `/binder` is made
+# https://mybinder.readthedocs.io/en/latest/howto/gh-actions-badges.html#example-2-comment-with-a-binder-badge-in-response-to-a-comment
 name: AddBinderBadge
-on:
-  pull_request_target:
+on: [issue_comment] # issues and PRs are equivalent in terms of comments for the GitHub API
+
+permissions: {}
 
 jobs:
-  badge:
-    runs-on: ubuntu-latest
+  trigger-chatops:
+    # Make sure the comment is on a PR, and contains the command "/binder"
+    if: (github.event.issue.pull_request != null) && contains(github.event.comment.body, '/binder')
+    runs-on: ubuntu-slim
+    permissions:
+      pull-requests: write
+
     steps:
-      - uses: manics/action-binderbadge@main
+      # Use the GitHub API to:
+      #  (1) Get the branch name of the PR that has been commented on with "/binder"
+      #  (2) make a comment on the PR with the binder badge
+      - name: comment on PR with Binder link
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            // Get the branch name
+            github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.issue.number
+            }).then( (pr) => {
+
+              // use the branch name to make a comment on the PR with a Binder badge
+              var BRANCH_NAME = pr.data.head.ref
+              github.rest.issues.createComment({
+                issue_number: context.payload.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: `[![Binder](https://mybinder.org/badge_logo.svg)](https://mybinder.org/v2/gh/${context.repo.owner}/${context.repo.repo}/${BRANCH_NAME}) :point_left: Launch a binder notebook on this branch`
+              })
+            })
diff --git a/.github/workflows/get_pypi_stats.yml b/.github/workflows/get_pypi_stats.yml
@@ -6,11 +6,15 @@ on:
   # Trigger manually at https://github.com/icesat2py/icepyx/actions/workflows/get_pypi_stats.yml
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   # This workflow contains a single job called "pypi_stats"
   pypi_stats:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for Git to git push
     if: github.repository_owner == 'icesat2py'
 
     # Steps represent a sequence of tasks that will be executed as part of the job
@@ -19,6 +23,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         ref: "traffic"
+        persist-credentials: false
 
     # Calculates pypi stats and clones and stores in CSV file
     - name: Update pypi stats files

diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
@@ -50,6 +50,7 @@ jobs:
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

diff --git a/.github/workflows/linter_actions.yml b/.github/workflows/linter_actions.yml
@@ -5,11 +5,16 @@ on:
     branches:
       - development
       - main
+
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       # Use the Ruff linter to annotate code style / best-practice issues
       # NOTE: More config provided in pyproject.toml

diff --git a/.github/workflows/traffic_action.yml b/.github/workflows/traffic_action.yml
@@ -7,11 +7,15 @@ on:
   # Trigger manually at https://github.com/icesat2py/icepyx/actions/workflows/publish_to_pypi.yml
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   # This workflow contains a single job called "traffic"
   traffic:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for Git to git push
     if: github.repository_owner == 'icesat2py'
 
     # Steps represent a sequence of tasks that will be executed as part of the job
@@ -20,10 +24,11 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         ref: "traffic"
+        persist-credentials: true
 
     # Calculates traffic and clones and stores in CSV file
     - name: GitHub traffic
-      uses: sangonzal/repository-traffic-action@v.0.1.6
+      uses: sangonzal/repository-traffic-action@404df77a0bfb110f8977fe14ddba62451ec868b7 # v.0.1.6
       env:
         TRAFFIC_ACTION_TOKEN: ${{ secrets.TRAFFIC_ACTION_TOKEN }}
 

diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
@@ -7,6 +7,7 @@ on:
       - main
       - development
 
+permissions: {}
 
 jobs:
   test:
@@ -16,6 +17,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:

diff --git a/.github/workflows/uml_action.yml b/.github/workflows/uml_action.yml
@@ -1,20 +1,27 @@
 name: Update UML diagrams
+
 on:
   pull_request_review:
     types: [submitted]
     branches: development
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   diagrams:
     if: github.event.review.state == 'approved'
     name: Update UML diagrams
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for Git to git push
+
     steps:
       - name: Check out repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}
+          persist-credentials: true
       - name: set up environment
         run: |
           pip install -U pip

diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
@@ -10,16 +10,15 @@ on:
       - "development"
   workflow_run:
     workflows: [Update UML diagrams]
 env: 
   TRAFFIC_ACTION_TOKEN: ${{ secrets.TRAFFIC_ACTION_TOKEN }} 
 env: 
   TRAFFIC_ACTION_TOKEN: ${{ secrets.TRAFFIC_ACTION_TOKEN }} 
-    types:
-      - completed
-
+    types: [completed]
 
 # When this workflow is queued, automatically cancel any previous running
 # or pending jobs from the same branch
 concurrency:
   group: "unit-tests-${{ github.ref }}"
   cancel-in-progress: true
 
+permissions: {}
 
 jobs:
   test:
@@ -33,6 +32,7 @@ jobs:
       - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0