Merge pull request #316 from ocefpaf/zizmor_security

Zizmor security

Author: ocefpaf

.github/dependabot.yml

@@ -13,3 +13,14 @@ updates:
       github-actions:
         patterns:
           - '*'
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "pre-commit"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "Bot"
+    cooldown:
+      default-days: 7

.github/workflows/deploy-docs.yml

@@ -1,5 +1,8 @@
 name: Build and Deploy docs
 
+# no permissions by default
+permissions: {}
+
 on:
   pull_request:
   push:
@@ -12,15 +15,21 @@ on:
 jobs:
   build-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    defaults:
+      run:
+        shell: bash -l {0}
 
     steps:
     - name: checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Setup Micromamba
-      uses: mamba-org/setup-micromamba@v2
+      uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462  # v2.0.7
       with:
         environment-name: TEST
         init-shell: bash
@@ -31,12 +40,10 @@ jobs:
           --channel conda-forge
 
     - name: Install windrose
-      shell: bash -l {0}
       run: |
         python -m pip install -e . --no-deps --force-reinstall
 
     - name: Build documentation
-      shell: bash -l {0}
       run: |
         set -e
         jupyter nbconvert --to notebook --execute notebooks/usage.ipynb --output=usage-output.ipynb
@@ -47,7 +54,7 @@ jobs:
 
     - name: Deploy
       if: success() && github.event_name == 'release'
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e  # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: docs/_build/html

.github/workflows/pypi.yml

@@ -14,13 +14,24 @@ defaults:
     shell: bash
 
 jobs:
-  packages:
+  pypi-publish:
+    name: Upload release to PyPI
     runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/windrose
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        # Should be enough for setuptools-scm
+        fetch-depth: 100
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       with:
         python-version: "3.x"
 
@@ -48,7 +59,4 @@ jobs:
 
     - name: Publish a Python distribution to PyPI
       if: success() && github.event_name == 'release'
-      uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_PASSWORD }}
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0

.github/workflows/tests.yml

@@ -1,5 +1,8 @@
 name: Tests
 
+# no permissions by default
+permissions: {}
+
 on:
   pull_request:
   push:
@@ -10,15 +13,26 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12" ]
-        os: [windows-latest, ubuntu-latest, macos-latest]
+        python-version: [ "3.10", "3.11", "3.12", "3.13", "3.14" ]
+        os: [ ubuntu-latest ]
+        include:
+          - os: windows-latest
+            python-version: "3.14"
+          - os: macos-latest
+            python-version: "3.14"
       fail-fast: false
+    defaults:
+      run:
+        shell: bash -l {0}
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        fetch-depth: 0
+        persist-credentials: false
 
     - name: Setup Micromamba for Python ${{ matrix.python-version }}
-      uses: mamba-org/setup-micromamba@v2
+      uses: mamba-org/setup-micromamba@add3a49764cedee8ee24e82dfde87f5bc2914462 # v2.0.7
       with:
         environment-name: TEST
         init-shell: bash
@@ -29,17 +43,15 @@ jobs:
           --channel conda-forge
 
     - name: Install windrose
-      shell: bash -l {0}
       run: |
         python -m pip install -e . --no-deps --force-reinstall
 
     - name: Tests
-      shell: bash -l {0}
       run: |
         pytest -s -rxs -vv -Werror tests/ --mpl --mpl-generate-summary=html \
         --mpl-results-path="windrose_test_output-${{ matrix.os }}-${{ matrix.python-version }}"
     - name: Store mpl-results
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
       if: failure()
       with:
         name: "windrose_test_output-${{ matrix.os }}-${{ matrix.python-version }}"

.pre-commit-config.yaml

@@ -16,7 +16,7 @@ repos:
       files: requirements-dev.txt
 
 - repo: https://github.com/psf/black-pre-commit-mirror
-  rev: 26.1.0
+  rev: 26.3.1
   hooks:
   - id: black
     language_version: python3
@@ -27,7 +27,7 @@ repos:
     - id: blackdoc
 
 - repo: https://github.com/codespell-project/codespell
-  rev: v2.4.1
+  rev: v2.4.2
   hooks:
     - id: codespell
       exclude: >
@@ -51,12 +51,12 @@ repos:
     - id: add-trailing-comma
 
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.15.4
+  rev: v0.15.8
   hooks:
     - id: ruff
 
 - repo: https://github.com/tox-dev/pyproject-fmt
-  rev: v2.16.2
+  rev: v2.21.0
   hooks:
     - id: pyproject-fmt
 
@@ -80,13 +80,16 @@ repos:
   hooks:
     - id: nb-strip-paths
 
+- repo: https://github.com/woodruffw/zizmor-pre-commit
+  rev: v1.23.1
+  hooks:
+    - id: zizmor
+
 ci:
     autofix_commit_msg: |
         [pre-commit.ci] auto fixes from pre-commit.com hooks
 
         for more information, see https://pre-commit.ci
     autofix_prs: false
-    autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
-    autoupdate_schedule: monthly
     skip: []
     submodules: false

README.md

@@ -4,9 +4,10 @@
 [![License](https://img.shields.io/pypi/l/windrose.svg)](https://pypi.python.org/pypi/windrose/)
 [![Development Status](https://img.shields.io/pypi/status/windrose.svg)](https://pypi.python.org/pypi/windrose/)
 [![Tests](https://github.com/python-windrose/windrose/actions/workflows/tests.yml/badge.svg)](https://github.com/python-windrose/windrose/actions/workflows/tests.yml)
-[![DOI](https://zenodo.org/badge/37549137.svg)](https://zenodo.org/badge/latestdoi/37549137)
+[![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.13133010.svg)](https://doi.org/10.5281/zenodo.13133010)
 [![JOSS](https://joss.theoj.org/papers/10.21105/joss.00268/status.svg)](https://joss.theoj.org/papers/10.21105/joss.00268)
 
+
 # Windrose
 
 A [wind rose](https://en.wikipedia.org/wiki/Wind_rose) is a graphic tool used by meteorologists to give a succinct view of how wind speed and direction are typically distributed at a particular location. It can also be used to describe air quality pollution sources. The wind rose tool uses Matplotlib as a backend. Data can be passed to the package using Numpy arrays or a Pandas DataFrame.

docs/conf.py

@@ -161,6 +161,10 @@
 # (source start file, name, description, authors, manual section).
 man_pages = [(master_doc, "windrose", "windrose Documentation", [author], 1)]
 
+# Zenodo URLs are returning 403 in the checker but are fine.
+linkcheck_ignore = [
+    r"https://zenodo\.org.*",
+]
 
 # -- Options for Texinfo output -------------------------------------------
 

docs/index.rst

@@ -46,8 +46,8 @@ https://docs.github.com/en/pull-requests/collaborating-with-pull-requests
    :target: https://pypi.org/project/windrose/
 .. |Tests| image:: https://github.com/python-windrose/windrose/actions/workflows/tests.yml/badge.svg
    :target: https://github.com/python-windrose/windrose/actions/workflows/tests.yml
-.. |DOI| image:: https://zenodo.org/badge/37549137.svg
-   :target: https://zenodo.org/badge/latestdoi/37549137
+.. |DOI| image:: https://zenodo.org/badge/DOI/10.5281/zenodo.13133010.svg
+  :target: https://doi.org/10.5281/zenodo.13133010
 
 Indices and tables
 ==================

docs/install.rst

@@ -13,7 +13,7 @@ Option libraries:
 -  Pandas https://pandas.pydata.org/ (to feed plot functions easily)
 -  SciPy https://scipy.org/ (to fit data with Weibull distribution)
 -  ffmpeg https://www.ffmpeg.org/ (to output video)
--  click https://click.palletsprojects.com/ (for command line interface tools)
+-  click https://click.palletsprojects.com/en/stable/ (for command line interface tools)
 -  seaborn https://seaborn.pydata.org/ (for easy subplots)
 
 Install latest release version via pip

notebooks/usage.ipynb

@@ -9,7 +9,7 @@
     "This example use randoms values for wind speed and direction(ws and wdnotebooks/windrose_sample_poitiers_csv.ipynb\n",
     "variables). In situation, these variables are loaded with reals values\n",
     "(1-D array), from a database or directly from a text file.\n",
-    "See [this notebook](https://github.com/python-windrose/windrose/blob/master/notebooks/windrose_sample_poitiers_csv.ipynb) for an example of real data."
+    "See [this notebook](https://github.com/python-windrose/windrose/blob/main/notebooks/windrose_sample_poitiers_csv.ipynb) for an example of real data."
    ]
   },
   {
@@ -452,7 +452,7 @@
    "source": [
     "Instead of using object oriented approach like previously shown, some\n",
     "\"shortcut\" functions have been defined: `wrbox`, `wrbar`,\n",
-    "`wrcontour`, `wrcontourf`, `wrpdf`. See [unit tests](https://github.com/python-windrose/windrose/blob/master/tests/test_windrose.py)."
+    "`wrcontour`, `wrcontourf`, `wrpdf`. See [unit tests](https://github.com/python-windrose/windrose/blob/main/tests/test_windrose.py)."
    ]
   },
   {
@@ -520,7 +520,7 @@
     "\n",
     "[![Video3](http://img.youtube.com/vi/UiGC-3aw9TM/0.jpg)](https://www.youtube.com/watch?v=UiGC-3aw9TM)\n",
     "\n",
-    "[Source code](https://github.com/python-windrose/windrose/blob/master/samples/example_animate.py).\n",
+    "[Source code](https://github.com/python-windrose/windrose/blob/main/samples/example_animate.py).\n",
     "\n",
     "This is just a sample for now. API for video need to be created.\n",
     "\n",