diff --git a/.github/workflows/auto-dependabot.yaml b/.github/workflows/auto-dependabot.yaml index e87d5fb..d3f5aa1 100644 --- a/.github/workflows/auto-dependabot.yaml +++ b/.github/workflows/auto-dependabot.yaml @@ -1,21 +1,39 @@ name: Auto-merge Dependabot PR on: - pull_request: + # XXX: !!! SECURITY WARNING !!! + # pull_request_target has write access to the repo, and can read secrets. We + # need to audit any external actions executed in this workflow and make sure no + # checked out code is run (not even installing dependencies, as installing + # dependencies usually can execute pre/post-install scripts). We should also + # only use hashes to pick the action to execute (instead of tags or branches). + # For more details read: + # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + pull_request_target: permissions: - contents: write + contents: read pull-requests: write jobs: auto-merge: - if: github.actor == 'dependabot[bot]' + name: Auto-merge Dependabot PR + if: > + github.actor == 'dependabot[bot]' && + !contains(github.event.pull_request.title, 'the repo-config group') runs-on: ubuntu-slim steps: + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} + private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} + - name: Auto-merge Dependabot PR - uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0 + uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ steps.app-token.outputs.token }} dependency-type: 'all' auto-merge: 'true' merge-method: 'merge' diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 95f10f8..aac4b34 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
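Review bot: The `permissions:` block (`contents: read`, `pull-requests: write`) now only scopes `GITHUB_TOKEN`, which the merge step no longer uses; the effective privilege of the `Auto-merge Dependabot PR` step is whatever the GitHub App behind `FREQUENZ_AUTO_DEPENDABOT_APP_ID` / `FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY` was installed with, and the security-warning comment above `pull_request_target:` does not say so. Since that token is minted inside a `pull_request_target` job, I would extend the comment with a line such as `# The App token minted below is NOT limited by the permissions: block above; keep the App's installation permissions to the minimum needed to approve and merge.` The `!contains(github.event.pull_request.title, 'the repo-config group')` gate is a free-text match on a title that Dependabot formats and any collaborator can edit, so it is a heuristic rather than a guard; if it is meant to keep this job away from the repo-config group, say so in a comment and consider keying on a structured signal (for example Dependabot's metadata output) rather than the title. On the positive side the job has no checkout step and both actions are pinned by commit hash, which is exactly what the comment asks for.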
@@ -28,11 +28,9 @@ jobs: strategy: fail-fast: false matrix: - arch: - - amd64 - - arm - os: + platform: - ubuntu-24.04 + - ubuntu-24.04-arm python: - "3.11" - "3.12" @@ -41,7 +39,7 @@ jobs: # that uses the same venv to run multiple linting sessions - "ci_checks_max" - "pytest_min" - runs-on: ${{ matrix.os }}${{ matrix.arch != 'amd64' && format('-{0}', matrix.arch) || '' }} + runs-on: ${{ matrix.platform }} steps: - name: Run nox @@ -60,7 +58,7 @@ jobs: needs: ["nox"] # We skip this job only if nox was also skipped if: always() && needs.nox.result != 'skipped' - runs-on: ubuntu-24.04 + runs-on: ubuntu-slim env: DEPS_RESULT: ${{ needs.nox.result }} steps: @@ -105,15 +103,13 @@ jobs: strategy: fail-fast: false matrix: - arch: - - amd64 - - arm - os: + platform: - ubuntu-24.04 + - ubuntu-24.04-arm python: - "3.11" - "3.12" - runs-on: ${{ matrix.os }}${{ matrix.arch != 'amd64' && format('-{0}', matrix.arch) || '' }} + runs-on: ${{ matrix.platform }} steps: - name: Setup Git @@ -161,7 +157,7 @@ jobs: needs: ["test-installation"] # We skip this job only if test-installation was also skipped if: always() && needs.test-installation.result != 'skipped' - runs-on: ubuntu-24.04 + runs-on: ubuntu-slim env: DEPS_RESULT: ${{ needs.test-installation.result }} steps: @@ -276,7 +272,7 @@ jobs: # discussions to create the release announcement in the discussion forums contents: write discussions: write - runs-on: ubuntu-24.04 + runs-on: ubuntu-slim steps: - name: Download distribution files uses: actions/download-artifact@v8 diff --git a/.github/workflows/dco-merge-queue.yml b/.github/workflows/dco-merge-queue.yml index fb1cd90..d9597ad 100644 --- a/.github/workflows/dco-merge-queue.yml +++ b/.github/workflows/dco-merge-queue.yml @@ -5,7 +5,7 @@ on: jobs: DCO: - runs-on: ubuntu-latest + runs-on: ubuntu-slim if: ${{ github.actor != 'dependabot[bot]' }} steps: - run: echo "This DCO job runs on merge_queue event and doesn't check PR contents" 
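Review bot: The release job moved to `runs-on: ubuntu-slim` in the last `ci.yaml` hunk still carries `contents: write` and `discussions: write`, yet its first step references `actions/download-artifact@v8` by a mutable tag, while the other workflows touched in this change pin actions to a commit hash (the auto-dependabot workflow's own comment asks for hash pins). A tag can be re-pointed at different code at any time, so in a job with write permissions I would pin it the same way: `uses: actions/download-artifact@<commit-sha> # v8`. This is not introduced by the change, but the runner swap is a natural moment to align it. Separately, `ubuntu-slim` is a different image from `ubuntu-24.04`, and the steps after the artifact download are outside the hunk, so please confirm nothing there relies on tooling that is only preinstalled on the full image.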
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 8d02c13..c327e7f 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -7,7 +7,7 @@ jobs: permissions: contents: read pull-requests: write - runs-on: ubuntu-latest + runs-on: ubuntu-slim steps: - name: Labeler # XXX: !!! SECURITY WARNING !!! diff --git a/.github/workflows/release-notes-check.yml b/.github/workflows/release-notes-check.yml index b8d7509..263c3e2 100644 --- a/.github/workflows/release-notes-check.yml +++ b/.github/workflows/release-notes-check.yml @@ -15,7 +15,7 @@ on: jobs: check-release-notes: name: Check release notes are updated - runs-on: ubuntu-latest + runs-on: ubuntu-slim permissions: pull-requests: read steps: diff --git a/.github/workflows/repo-config-migration.yaml b/.github/workflows/repo-config-migration.yaml index d214ed2..57a54c3 100644 --- a/.github/workflows/repo-config-migration.yaml +++ b/.github/workflows/repo-config-migration.yaml @@ -42,7 +42,7 @@ jobs: steps: - name: Generate token id: create-app-token - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 with: app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} diff --git a/pyproject.toml b/pyproject.toml index 542cb6d..e833b07 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ requires = [ "setuptools == 82.0.1", "setuptools_scm[toml] == 10.0.5", - "frequenz-repo-config[lib] == 0.14.0", + "frequenz-repo-config[lib] == 0.17.0", ] build-backend = "setuptools.build_meta" @@ -13,7 +13,8 @@ build-backend = "setuptools.build_meta" name = "frequenz-client-electricity-trading" description = "Electricity Trading API client for Python" readme = "README.md" -license = { text = "MIT" } +license = "MIT" +license-files = ["LICENSE"] keywords = [ "frequenz", "python", 
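Review bot: In `repo-config-migration.yaml`, `actions/create-github-app-token` is moved from the hash annotated `# v3.0.0` to the hash annotated `# v2.2.1`, which according to the comments is a downgrade rather than an update, presumably to share a single pin with the new auto-dependabot workflow. If that is deliberate, a short comment on the `uses:` line explaining why the older release is wanted would keep a future reviewer (or Dependabot) from reverting it; if it is not, the auto-dependabot workflow should adopt the `v3.0.0` hash instead. Either way, please confirm the hash really corresponds to the version in the trailing comment, since the hash is what runs while the comment is what gets reviewed. This step mints a token from the `FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY` secret, so it is worth getting right; the job's trigger and the remaining steps are outside the hunk.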
@@ -29,7 +30,6 @@ keywords = [ classifiers = [ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", - "License :: OSI Approved :: MIT License", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3 :: Only", "Topic :: Software Development :: Libraries", @@ -62,6 +62,7 @@ email = "floss@frequenz.com" [project.optional-dependencies] dev-flake8 = [ "flake8 == 7.3.0", + "flake8-datetimez == 20.10.0", "flake8-docstrings == 1.7.0", "flake8-pyproject == 1.2.4", # For reading the flake8 config from pyproject.toml "pydoclint == 0.8.3", @@ -78,7 +79,7 @@ dev-mkdocs = [ "mkdocs-material == 9.7.6", "mkdocstrings[python] == 1.0.3", "mkdocstrings-python == 2.0.3", - "frequenz-repo-config[lib] == 0.14.0", + "frequenz-repo-config[lib] == 0.17.0", ] dev-mypy = [ "mypy == 1.19.1", @@ -89,7 +90,7 @@ dev-mypy = [ # For checking the noxfile, docs/ script, and tests "frequenz-client-electricity-trading[dev-mkdocs,dev-noxfile,dev-pytest]", ] -dev-noxfile = ["nox == 2026.2.9", "frequenz-repo-config[lib] == 0.14.0"] +dev-noxfile = ["nox == 2026.2.9", "frequenz-repo-config[lib] == 0.17.0"] dev-pylint = [ "pylint == 4.0.5", # For checking the noxfile, docs/ script, and tests @@ -97,7 +98,7 @@ dev-pylint = [ ] dev-pytest = [ "pytest == 9.0.2", - "frequenz-repo-config[extra-lint-examples] == 0.14.0", + "frequenz-repo-config[extra-lint-examples] == 0.17.0", "pytest-mock == 3.15.1", "pytest-asyncio == 1.3.0", "async-solipsism == 0.9",