diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3af63e53..68e6cbc7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,7 +9,12 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 14
+ semver-major-days: 28
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 8
diff --git a/.github/workflows/deploy-alpha.yml b/.github/workflows/deploy-alpha.yml
index 9db5ad24..d45d9103 100644
--- a/.github/workflows/deploy-alpha.yml
+++ b/.github/workflows/deploy-alpha.yml
@@ -7,11 +7,15 @@ on:
 jobs:
 last-minute-test:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[develop]
@@ -19,6 +23,8 @@ jobs:
 build-packages:
 name: Build, sign, and release packages on github
+ environment:
+ name: build-pypi
 runs-on: ubuntu-latest
 needs: [last-minute-test]
 permissions:
@@ -27,12 +33,13 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 fetch-tags: true
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[build]
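Review bot: The new `uses:` pins in the `@@ -7,11 +7,15 @@` hunk of `deploy-alpha.yml` carry a bare 40-character SHA with no trailing version comment, so a reader cannot tell which release `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is or check it against the action's tags. Appending the tag as a comment keeps the pin auditable, and Dependabot keeps that comment in step with the SHA when it bumps the pin, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # vX.Y.Z` (placeholder for the tag this SHA was taken from). The same applies to every pinned `uses:` line in this commit, including those in `deploy.yml`, `main.yml` and `rtd_link.yml`.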
@@ -43,22 +50,21 @@ jobs:
 run: .github/scripts/check_version.py --alpha
 - run: python -m build .
 - name: Sign the dists with Sigstore
- uses: sigstore/gh-action-sigstore-python@cd06a1783504a0c8e550f0d0cd47d3bbae8d71bd
+ uses: sigstore/gh-action-sigstore-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 inputs: >-
 ./dist/*.tar.gz
 ./dist/*.whl
 - name: Create a GitHub release
- uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b
- with:
- tag: v${{ steps.get_version.outputs.version }}
- name: Release ${{ steps.get_version.outputs.version }}
- draft: true
+ run: |
+ gh release create "v${ steps.get_version.outputs.version }" \
+ --title="Release ${ steps.get_version.outputs.version }" \
+ --generate-notes -d
 - run: >-
 gh release upload
 'v${{ steps.get_version.outputs.version }}' dist/**
 --repo '${{ github.repository }}'
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
 with:
 name: build
 path: |
@@ -76,7 +82,7 @@ jobs:
 id-token: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
 with:
 name: build
 path: dist/
@@ -95,7 +101,7 @@ jobs:
 id-token: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
 with:
 name: build
 path: dist/
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 64e40e2c..58dbb89c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
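Review bot: The Sigstore step in the `@@ -43,22 +50,21 @@` hunk is re-pinned to `a309ff8b426b58ec0e2a45f0f869d46889d02405`, which is the same SHA this commit uses for `actions/setup-python`; a commit from another repository should not resolve in `sigstore/gh-action-sigstore-python`, and the step was already SHA-pinned, so keep the previous pin or take a SHA verified against that action's release tags. In the new `gh release create` step, `${ steps.get_version.outputs.version }` has single braces, so it is not an Actions expression and bash receives it as written, most likely failing with a bad substitution instead of producing the version. Pass the step output through `env:` and reference a quoted shell variable, as below, which also keeps the value out of the script text. Both problems repeat in the `@@ -44,22 +51,21 @@` hunk of `.github/workflows/deploy.yml`.

```yaml
      - name: Create a GitHub release
        env:
          VERSION: ${{ steps.get_version.outputs.version }}
        run: |
          gh release create "v${VERSION}" \
            --title="Release ${VERSION}" \
            --generate-notes --draft
```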
@@ -7,11 +7,15 @@ on:
 jobs:
 last-minute-test:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[develop]
@@ -20,6 +24,8 @@ jobs:
 build-packages:
 name: Build, sign, and release packages on github
+ environment:
+ name: build-pypi
 runs-on: ubuntu-latest
 needs: [last-minute-test]
 permissions:
@@ -28,12 +34,13 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 fetch-tags: true
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[build]
@@ -44,22 +51,21 @@ jobs:
 run: .github/scripts/check_version.py
 - run: python -m build .
 - name: Sign the dists with Sigstore
- uses: sigstore/gh-action-sigstore-python@cd06a1783504a0c8e550f0d0cd47d3bbae8d71bd
+ uses: sigstore/gh-action-sigstore-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 inputs: >-
 ./dist/*.tar.gz
 ./dist/*.whl
 - name: Create a GitHub release
- uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b
- with:
- tag: v${{ steps.get_version.outputs.version }}
- name: Release ${{ steps.get_version.outputs.version }}
- draft: true
+ run: |
+ gh release create "v${ steps.get_version.outputs.version }" \
+ --title="Release ${ steps.get_version.outputs.version }" \
+ --generate-notes -d
 - run: >-
 gh release upload
 'v${{ steps.get_version.outputs.version }}' dist/**
 --repo '${{ github.repository }}'
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
 with:
 name: build
 path: |
@@ -78,7 +84,7 @@ jobs:
 id-token: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
 with:
 name: build
 path: dist/
@@ -97,7 +103,7 @@ jobs:
 id-token: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
 with:
 name: build
 path: dist/
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8edde003..de04eb5f 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,17 +9,20 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
 python-version: ["3.12", "3.13", "3.14"]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 fetch-tags: true
+ persist-credentials: false
 - name: set up python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: ${{ matrix.python-version }}
 - run: pip install --upgrade pip
@@ -42,7 +45,7 @@ jobs:
 - run: pip install --user . montepy[develop]
 - run: pip freeze
 - name: Upload build artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
 if: ${{ matrix.python-version == '3.13'}}
 with:
 name: build
@@ -63,9 +66,11 @@ jobs:
 sly-version: "0.4"
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: set up python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: ${{ matrix.python-version }}
 - run: pip install numpy~=${{ matrix.numpy-version }}
@@ -84,13 +89,13 @@ jobs:
 if: ${{ success() || failure() }}
 - name: Upload test report
 if: ${{ matrix.python-version == '3.14' && matrix.numpy-version == '2.3' && (success() || failure() )}}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
 with:
 name: test
 path: test_report.xml
 - name: Upload coverage report
 if: ${{ matrix.python-version == '3.14' && matrix.numpy-version == '2.3' && (success() || failure() )}}
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
 with:
 name: coverage
 path: coverage.xml
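Review bot: `permissions: contents: read` is added job by job starting in the `@@ -9,17 +9,20 @@` hunk, but the job whose steps appear in the `@@ -63,9 +66,11 @@` hunk gets no such block in this commit (its header lies outside the hunks), so unless it already declares one it keeps the repository's default token scope. Declaring the block once at workflow level, above `jobs:`, covers every job including ones added later: `permissions:` followed by `contents: read`. A job that needs more can still override it with its own block.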
@@ -107,20 +112,23 @@ jobs:
 doc-build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 fetch-tags: true
+ persist-credentials: false
 - name: set up python 3.12
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[doc,build]
 - run: cd doc && make html SPHINXOPTS="-W --keep-going -E"
 name: Build site strictly
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
 with:
 name: website
 path: doc/build
@@ -131,14 +139,17 @@ jobs:
 doc-test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 fetch-tags: true
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[doc,build,demo-test,test]
@@ -155,12 +166,16 @@ jobs:
 format-test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[format]
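Review bot: In the `doc-build` hunk (`@@ -107,20 +112,23 @@`) the step being re-pinned is still named `set up python 3.12` while it installs `python-version: 3.14`, so the job log misreports the interpreter. Rename it to `- name: set up python 3.14` to match the other jobs. Quoting the value as `python-version: "3.14"` also stops YAML from reading it as a float, which silently breaks versions such as 3.10.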
@@ -168,11 +183,15 @@ jobs:
 profile:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[test]
@@ -185,11 +204,15 @@ jobs:
 benchmark:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: set up python 3.14
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version: 3.14
 - run: pip install . montepy[test]
@@ -199,12 +222,16 @@ jobs:
 changelog-test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 if: github.ref != 'refs/heads/main'
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Check for changes
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@668c092af3649c4b664c54e4b704aa46782f6f7c
 id: changes
 with:
 filters: |
diff --git a/.github/workflows/rtd_link.yml b/.github/workflows/rtd_link.yml
index 529bd484..c9a3463b 100644
--- a/.github/workflows/rtd_link.yml
+++ b/.github/workflows/rtd_link.yml
@@ -8,6 +8,6 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: readthedocs/actions/preview@v1
+ - uses: readthedocs/actions/preview@31a30360a2d7530806bff6855aa209167f06a89c
 with:
 project-slug: "montepy"
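Review bot: The new `permissions:` block on `changelog-test` (`@@ -199,12 +222,16 @@`) grants only `contents: read`, which sets every other scope, including `pull-requests`, to none for the `dorny/paths-filter` step. On pull-request events that action normally lists changed files through the pull-request API and its documentation asks for `pull-requests: read`; the workflow's triggers are outside this hunk, so confirm, but if the job runs on pull requests add `pull-requests: read` under `permissions:`. The filter configuration continues past the end of the hunk.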