From 81716a859417319a7c4fe217f4fc9ca6f41f5814 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Tue, 28 Apr 2026 12:06:46 +1000 Subject: [PATCH 01/28] fix(deps): have Dependabot update the pre-commit hooks (#1156) --- .github/dependabot.yaml | 16 ++++++++++++++++ .pre-commit-config.yaml | 26 +++++++++++++------------- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 5b12fe48..7842a55e 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -1,5 +1,6 @@ # This configuration file enables Dependabot version updates. # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates +# https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories # https://github.com/dependabot/feedback/issues/551 version: 2 @@ -20,6 +21,21 @@ updates: # - - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + commit-message: + prefix: chore + prefix-development: chore + include: scope + open-pull-requests-limit: 13 + target-branch: main + # Add additional reviewers for PRs opened by Dependabot. For more information, see: + # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers + # reviewers: + # + +- package-ecosystem: pre-commit directory: / schedule: interval: weekly diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3820efdf..9cb85235 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -15,7 +15,7 @@ repos: # Commitizen enforces semantic and conventional commit messages. - repo: https://github.com/commitizen-tools/commitizen - rev: v4.13.9 + rev: 2ca29f9297911f8f5a4e8f97100b7832f045e8d3 # frozen: v4.13.10 hooks: - id: commitizen name: Check conventional commit message @@ -23,7 +23,7 @@ repos: # Sort imports. - repo: https://github.com/pycqa/isort - rev: 7.0.0 + rev: dac090ce4d9ee313d086e2e89ab1acb8c2664fa1 # frozen: 9.0.0a3 hooks: - id: isort name: Sort import statements @@ -32,22 +32,22 @@ repos: # Add Black code formatters. - repo: https://github.com/ambv/black - rev: 25.11.0 + rev: c6755bb741b6481d6b3d3bb563c83fa060db96c9 # frozen: 26.3.1 hooks: - id: black name: Format code args: [--config, pyproject.toml] - repo: https://github.com/asottile/blacken-docs - rev: 1.20.0 + rev: dda8db18cfc68df532abf33b185ecd12d5b7b326 # frozen: 1.20.0 hooks: - id: blacken-docs name: Format code in docstrings args: [--line-length, '120'] - additional_dependencies: [black==25.11.0] + additional_dependencies: [black==26.3.1] # Upgrade and rewrite Python idioms. - repo: https://github.com/asottile/pyupgrade - rev: v3.21.2 + rev: 75992aaa40730136014f34227e0135f63fc951b4 # frozen: v3.21.2 hooks: - id: pyupgrade name: Upgrade code idioms @@ -57,7 +57,7 @@ repos: # Similar to pylint, with a few more/different checks. For more available # extensions: https://github.com/DmytroLitvinov/awesome-flake8-extensions - repo: https://github.com/pycqa/flake8 - rev: 7.3.0 + rev: d93590f5be797aabb60e3b09f2f52dddb02f349f # frozen: 7.3.0 hooks: - id: flake8 name: Check flake8 issues @@ -91,7 +91,7 @@ repos: # Check for potential security issues. - repo: https://github.com/PyCQA/bandit - rev: 1.9.2 + rev: 92ae8b82fb422a639f0ed8d99e96cea769594e08 # frozen: 1.9.4 hooks: - id: bandit name: Check for security issues @@ -103,7 +103,7 @@ repos: # Enable a whole bunch of useful helper hooks, too. # See https://pre-commit.com/hooks.html for more hooks. - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v6.0.0 + rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0 hooks: - id: check-ast - id: check-case-conflict @@ -123,7 +123,7 @@ repos: - id: check-yaml - id: check-toml - repo: https://github.com/pre-commit/pygrep-hooks - rev: v1.10.0 + rev: 3a6eb0fadf60b3cccfd80bad9dbb6fae7e47b316 # frozen: v1.10.0 hooks: - id: python-check-blanket-noqa - id: python-check-blanket-type-ignore @@ -138,13 +138,13 @@ repos: # this package's documentation. # Commenting this out because https://github.com/Lucas-C/pre-commit-hooks-markup/issues/13 # - repo: https://github.com/Lucas-C/pre-commit-hooks-markup -# rev: v1.0.1 +# rev: 501f3d60cee13c712492103343bc23efdc7b3d1f # frozen: v1.0.1 # hooks: # - id: rst-linter # Check and prettify the configuration files. - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks - rev: v2.15.0 + rev: 4380fbb73a154b5f5624794c1c78d9719ccc860f # frozen: v2.16.0 hooks: - id: pretty-format-ini args: [--autofix] @@ -156,7 +156,7 @@ repos: # Check GitHub Actions workflow files. - repo: https://github.com/Mateusz-Grzelinski/actionlint-py - rev: v1.7.9.24 + rev: c04ed26e40637cab1aa9879c693832a9c120fb20 # frozen: v1.7.12.24 hooks: - id: actionlint From d36af112b6feeeaaf0be829182d31a169a980ad5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Fri, 22 May 2026 17:50:34 +1000 Subject: [PATCH 02/28] chore(deps-dev): group Dependabot updates for pre-commit into a single PR (#1167) Refs: 81716a859417319a7c4fe217f4fc9ca6f41f5814 --- .github/dependabot.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 7842a55e..ad4a8dc8 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -43,8 +43,12 @@ updates: prefix: chore prefix-development: chore include: scope - open-pull-requests-limit: 13 target-branch: main + # Group updates into one pull request. See also: + # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups-- + groups: + pre-commit: + patterns: ['*'] # Add additional reviewers for PRs opened by Dependabot. For more information, see: # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers # reviewers: From ca95a5cf493b505cc1a2961e618f0c48a65f3ddb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:43:21 +1000 Subject: [PATCH 03/28] chore(deps): bump step-security/harden-runner from 2.16.1 to 2.19.4 (#1189) Signed-off-by: dependabot[bot] --- .github/workflows/_build.yaml | 2 +- .github/workflows/_generate-rebase.yaml | 2 +- .github/workflows/_wiki-documentation.yaml | 2 +- .github/workflows/codeql-analysis.yaml | 2 +- .github/workflows/release.yaml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 0310704e..9f9abb24 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -55,7 +55,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true diff --git a/.github/workflows/_generate-rebase.yaml b/.github/workflows/_generate-rebase.yaml index eaa0cb53..30d6c045 100644 --- a/.github/workflows/_generate-rebase.yaml +++ b/.github/workflows/_generate-rebase.yaml @@ -34,7 +34,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/_wiki-documentation.yaml b/.github/workflows/_wiki-documentation.yaml index f324a734..445c7874 100644 --- a/.github/workflows/_wiki-documentation.yaml +++ b/.github/workflows/_wiki-documentation.yaml @@ -41,7 +41,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 98699832..d004d92d 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -33,7 +33,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a9c1ec53..3294755c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true @@ -98,7 +98,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true @@ -199,7 +199,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 94664d97..688322aa 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -26,7 +26,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs disable-sudo: true From ce051f05360f5b08bd43396d92eb87d2d0d2386e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:43:29 +1000 Subject: [PATCH 04/28] chore(deps-dev): update hypothesis requirement from <6.151.12,>=6.21.0 to >=6.21.0,<6.152.10 (#1185) Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 7bf0383c..35d99a77 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -63,7 +63,7 @@ hooks = [ test = [ "coverage ==7.6.12; python_version<'3.14'", # https://github.com/pypi/warehouse/pull/17872#issuecomment-2845932281 "faker ==40.13.0", - "hypothesis >=6.21.0,<6.151.12", + "hypothesis >=6.21.0,<6.152.10", "pytest >=9.0.3,<10.0.0", "pytest-benchmark ==5.2.3", "pytest-cases ==3.10.1", From b8d008fef8942b414c95e5f1fc1c95b5b8b6a7fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:46:52 +1000 Subject: [PATCH 05/28] chore(deps-dev): update flit-core requirement from <4.0.0,>=3.2.0 to >=3.12.0,<4.0.0 (#1134) Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 35d99a77..1be483cf 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,7 +1,7 @@ # https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html # https://flit.pypa.io/en/latest/pyproject_toml.html [build-system] -requires = ["flit_core >=3.2.0,<4.0.0"] +requires = ["flit_core >=3.12.0,<4.0.0"] build-backend = "flit_core.buildapi" [project] From e9612438952b3afb1446495beecf83a78a62a7e0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:47:07 +1000 Subject: [PATCH 06/28] chore(deps): bump oracle/macaron from 0.23.0 to 0.24.0 (#1157) Signed-off-by: dependabot[bot] --- .github/workflows/macaron-analysis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/macaron-analysis.yaml b/.github/workflows/macaron-analysis.yaml index e72f4df3..0252eaac 100644 --- a/.github/workflows/macaron-analysis.yaml +++ b/.github/workflows/macaron-analysis.yaml @@ -28,7 +28,7 @@ jobs: # Check the GitHub Actions workflows in the repository for vulnerabilities. - name: Run Macaron action - uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0 + uses: oracle/macaron@4ddb55e3c9ef2c77b548be55c557078c4476fd9c # v0.24.0 with: repo_path: ./ policy_file: check-github-actions From de681bb1f653fa8103f8f5df6163189f2cca2d66 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:47:39 +1000 Subject: [PATCH 07/28] chore(deps-dev): update pre-commit requirement from <4.6.0,>=3.0.0 to >=3.0.0,<4.7.0 (#1159) Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 1be483cf..bcc95abb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -57,7 +57,7 @@ docs = [ "sphinx-markdown-builder >=0.6.4,<1.0.0", ] hooks = [ - "pre-commit >=3.0.0,<4.6.0", + "pre-commit >=3.0.0,<4.7.0", ] # Note that the `custom_exit_code` and `env` plugins may currently be unmaintained. test = [ From 269054af6fc49e5f6f4abfbcd207b7f95c7b28b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:53:26 +1000 Subject: [PATCH 08/28] chore(deps-dev): bump faker from 40.13.0 to 40.19.1 (#1182) Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index bcc95abb..2a5b458e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -62,7 +62,7 @@ hooks = [ # Note that the `custom_exit_code` and `env` plugins may currently be unmaintained. test = [ "coverage ==7.6.12; python_version<'3.14'", # https://github.com/pypi/warehouse/pull/17872#issuecomment-2845932281 - "faker ==40.13.0", + "faker ==40.19.1", "hypothesis >=6.21.0,<6.152.10", "pytest >=9.0.3,<10.0.0", "pytest-benchmark ==5.2.3", From 505a5510b2503bd8df688c9a37dd1acc6915a0af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 09:56:15 +1000 Subject: [PATCH 09/28] chore(deps): bump github/codeql-action from 4.35.1 to 4.36.0 (#1183) Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yaml | 4 ++-- .github/workflows/scorecards-analysis.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index d004d92d..36e173fc 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -54,7 +54,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yaml @@ -67,4 +67,4 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 688322aa..c4f55e45 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -59,6 +59,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: sarif_file: results.sarif From 4352d1fec3afaf7c4f573c806e25cef793bdd59d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 10:36:23 +1000 Subject: [PATCH 10/28] chore(deps-dev): bump commitizen from 4.13.9 to 4.16.2 (#1184) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Troeger --- .github/workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/release.yaml | 4 ++-- pyproject.toml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index 8a61b236..e802ad9c 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -36,7 +36,7 @@ jobs: - name: Set up Commitizen run: | pip install --upgrade pip wheel - pip install 'commitizen ==4.13.9' + pip install 'commitizen ==4.16.2' # Run Commitizen to check the title of the PR which triggered this workflow, and check # all commit messages of the PR's branch. If any of the checks fails then this job fails. diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3294755c..0d3b148e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -49,7 +49,7 @@ jobs: - name: Set up Commitizen run: | pip install --upgrade pip wheel - pip install 'commitizen ==4.13.9' + pip install 'commitizen ==4.16.2' - name: Set up user run: | @@ -133,7 +133,7 @@ jobs: - name: Set up Commitizen run: | pip install --upgrade pip wheel - pip install 'commitizen ==4.13.9' + pip install 'commitizen ==4.16.2' - name: Create Release Notes run: cz changelog --dry-run "$(cz version --project)" > RELEASE_NOTES.md diff --git a/pyproject.toml b/pyproject.toml index 2a5b458e..2788c649 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -41,7 +41,7 @@ something = "package.__main__:main" # We keep them listed here to ensure the infrastructure BOM is consistent with what's # installed. Make sure to keep the requirements in sync with the workflows! actions = [ - "commitizen ==4.13.9", + "commitizen ==4.16.2", "twine ==6.2.0", ] dev = [ From 42b8090744b718d563c13e8b8c3742a493b15f0a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 11:00:44 +1000 Subject: [PATCH 11/28] chore(deps-dev): bump pytest-env from 1.2.0 to 1.6.0 (#1116) Signed-off-by: dependabot[bot] --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 2788c649..533deef6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -70,7 +70,7 @@ test = [ "pytest-custom_exit_code ==0.3.0", "pytest-cov ==6.3.0", # Uses: coverage[toml] >=7.5 "pytest-doctestplus ==1.7.1", - "pytest-env ==1.2.0", + "pytest-env ==1.6.0", ] [project.urls] From 519989f7f599081b0d7bf2b8f8a4425c233b282e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 11:21:45 +1000 Subject: [PATCH 12/28] chore(deps-dev): bump pytest-cov from 6.3.0 to 7.1.0 (#1115) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Troeger --- .pre-commit-config.yaml | 6 ++---- Makefile | 2 +- pyproject.toml | 7 +------ 3 files changed, 4 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9cb85235..9f0d551d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -160,14 +160,12 @@ repos: hooks: - id: actionlint -# On push to the remote, run all tests. Note that the `COVERAGE_CORE` variable is required -# for Python 3.12+ to make sure Coverage uses the new Python monitoring module. -# See also: https://blog.trailofbits.com/2025/05/01/making-pypis-test-suite-81-faster/#optimizing-coverage-with-python-312s-sysmonitoring +# On push to the remote, run all tests. - repo: local hooks: - id: pytest name: Run unit tests - entry: env COVERAGE_CORE=sysmon pytest --config-file pyproject.toml --cov-config pyproject.toml -m 'not integration and not performance' src/package/ tests/ docs/ + entry: pytest --config-file pyproject.toml --cov-config pyproject.toml -m 'not integration and not performance' src/package/ tests/ docs/ language: python verbose: true always_run: true diff --git a/Makefile b/Makefile index 729531eb..dc213643 100644 --- a/Makefile +++ b/Makefile @@ -171,7 +171,7 @@ check: .PHONY: test test-all test-unit test-integration test-performance test: test-unit test-unit: - COVERAGE_CORE=sysmon python -m pytest --config-file pyproject.toml --cov-config pyproject.toml -m 'not integration and not performance' src/package/ tests/ docs/ + python -m pytest --config-file pyproject.toml --cov-config pyproject.toml -m 'not integration and not performance' src/package/ tests/ docs/ test-integration: python -m pytest --config-file pyproject.toml --no-cov -m integration tests/ test-performance: diff --git a/pyproject.toml b/pyproject.toml index 533deef6..35267c88 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -61,14 +61,13 @@ hooks = [ ] # Note that the `custom_exit_code` and `env` plugins may currently be unmaintained. test = [ - "coverage ==7.6.12; python_version<'3.14'", # https://github.com/pypi/warehouse/pull/17872#issuecomment-2845932281 "faker ==40.19.1", "hypothesis >=6.21.0,<6.152.10", "pytest >=9.0.3,<10.0.0", "pytest-benchmark ==5.2.3", "pytest-cases ==3.10.1", "pytest-custom_exit_code ==0.3.0", - "pytest-cov ==6.3.0", # Uses: coverage[toml] >=7.5 + "pytest-cov ==7.1.0", "pytest-doctestplus ==1.7.1", "pytest-env ==1.6.0", ] @@ -266,10 +265,6 @@ env = [ filterwarnings = [ "error", "always::DeprecationWarning", - # The CoverageWarning warning is issued in two contexts: - # Python 3.10, 3.11: sys.monitoring isn't available in this version, using default core (no-sysmon) - # Python 3.12, 3.13: sys.monitoring can't measure branches in this version, using default core (no-sysmon) - "ignore:sys.monitoring isn't available in this version:coverage.exceptions.CoverageWarning", "always::coverage.exceptions.CoverageWarning", # https://docs.pytest.org/en/latest/how-to/failures.html#warning-about-unraisable-exceptions-and-unhandled-thread-exceptions "error::pytest.PytestUnraisableExceptionWarning", From b18851050ceb5302b75f5945e141a06c4c62d45e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:26:03 +1000 Subject: [PATCH 13/28] docs: fix incorrect heading levels (#1124) --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7d77de8c..d5439b85 100644 --- a/README.md +++ b/README.md @@ -279,7 +279,7 @@ cz changelog cz bump ``` -## Building from a source distribution package +### Building from a source distribution package The source distribution package ([sdist](https://packaging.python.org/en/latest/discussions/package-formats/#what-is-a-source-distribution)) contains everything needed in order to check, test, and build a binary distribution ([wheel](https://packaging.python.org/en/latest/discussions/package-formats/#what-is-a-wheel)) and its documentation; that is particulalry useful for third-party packaging services that build their own software distribution packages using custom processes. @@ -300,7 +300,7 @@ SKIP=check-hooks-apply,check-useless-excludes,actionlint make dist Note that we skip Git hooks that are unnecessary when building from the source distribution. As above, this builds the source package and a binary distribution, and stores both in the `dist/` folder. And, as expected, setting the `SOURCE_DATE_EPOCH` environment variable to the build epoch value of the original sdist and wheel build results in the bit-exact same binary distribution package! -## Using the Simple Index +### Using the Simple Index Once source and/or binary distribution packages have been built, they can be served using a [PEP 503](https://peps.python.org/pep-0503/) compatible package repository. Simply call From bfd57d7ef7b37779f226dc6dc8106c4a517d66b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:26:47 +1000 Subject: [PATCH 14/28] =?UTF-8?q?chore:=20set=20package=20description=20in?= =?UTF-8?q?=20the=20metadata=20instead=20of=20dynamically=20pulling=20it?= =?UTF-8?q?=20from=20the=20package=E2=80=99s=20main=20module=E2=80=99s=20d?= =?UTF-8?q?oc=20string=20(which=20contains=20documentation,=20probably=20n?= =?UTF-8?q?ot=20a=20short=20package=20description)=20(#1125)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 35267c88..9802a309 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -9,9 +9,10 @@ name = "package" requires-python = ">=3.10.0,<3.14.0" authors = [{name = "Author", email = "author@email"}] maintainers = [{name = "Maintainer", email = "maintainer@email"}] -dynamic = ["version", "description"] +dynamic = ["version"] license = "MIT" # https://spdx.org/licenses/MIT.html license-files = ["LICENSE.md"] +description = "An opinionated Python package/application template repository, with SLSA and SBOM support built in, enabled for security scanners, code linters, typing, testing and code coverage monitoring, and release automation for reproducible builds." readme = "README.md" dependencies = [] keywords = [] From b5096ffff494db75ae4e356be3c0cb4dab597413 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:28:07 +1000 Subject: [PATCH 15/28] fix: the generated build epoch belongs to the generated wheel, and thus both files should be generated using the same recipe (#1126) Refs: 260075bbfbdf9ad66ee461dc2b82cdff48262f28 --- Makefile | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index dc213643..3d430f75 100644 --- a/Makefile +++ b/Makefile @@ -182,21 +182,17 @@ test-all: test-unit test-integration test-performance # When building these artifacts, we need the environment variable SOURCE_DATE_EPOCH # set to the build date/epoch. For more details, see: https://flit.pypa.io/en/latest/reproducible.html .PHONY: dist -dist: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl: check test-all dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt +dist: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip +dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl: check test-all SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) python -m flit build --setup-py --format wheel -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz: check test-all dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt + echo $(SOURCE_DATE_EPOCH) > dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any-build-epoch.txt +dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz: check test-all SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) python -m flit build --no-setup-py --format sdist dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip: docs-html python -m zipfile -c dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip docs/_build/html/ dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip: docs-md python -m zipfile -c dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip docs/_build/markdown/ -# Keep this goal phony to ensure the epoch is always updated. -.PHONY: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt: - echo $(SOURCE_DATE_EPOCH) > dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt - # Build a PEP-503 compatible Simple Repository directory inside of dist/. For details on # the layout of that directory and the normalized project name, see: https://peps.python.org/pep-0503/ # The directory can then be used to install (hashed) artifacts by using `pip` and From b2c5b24cee8762305c81a7fa557a336344dedc93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:28:31 +1000 Subject: [PATCH 16/28] fix: declare Makefile goal as .PHONY (as it ought to be) (#1127) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3d430f75..af3b56bf 100644 --- a/Makefile +++ b/Makefile @@ -91,7 +91,7 @@ setup: force-upgrade # Install or upgrade an existing virtual environment based on the # package dependencies declared in pyproject.toml. -.PHONY: upgrade force-upgrade +.PHONY: upgrade force-upgrade upgrade-quiet upgrade: .venv/upgraded-on .venv/upgraded-on: pyproject.toml python -m pip install --upgrade pip setuptools From 278f925b2376107d6acd310cceed24e917294d1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:29:14 +1000 Subject: [PATCH 17/28] refactor: simplify handling of the PYTHON environment variable by make (#1128) --- Makefile | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index af3b56bf..53d5a36b 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,9 @@ SHELL := bash PACKAGE_NAME := package PACKAGE_VERSION := $(shell python -c $$'try: import $(PACKAGE_NAME); print($(PACKAGE_NAME).__version__);\nexcept: print("unknown");') +# If a PYTHON environment variable exists then use that, else define it here. +PYTHON ?= python3.13 + # This variable contains the first goal that matches any of the listed goals # here, else it contains an empty string. The net effect is to filter out # whether this current run of `make` requires a Python virtual environment @@ -69,13 +72,8 @@ venv: if [ -d .venv/ ]; then \ echo "Found an inactive Python virtual environment, please activate or nuke it" && exit 1; \ fi - if [ -z "${PYTHON}" ]; then \ - echo "Creating virtual environment in .venv/ for python3.13"; \ - python3.13 -m venv --upgrade-deps --prompt . .venv; \ - else \ - echo "Creating virtual environment in .venv/ for ${PYTHON}"; \ - ${PYTHON} -m venv --upgrade-deps --prompt . .venv; \ - fi + echo "Creating virtual environment in .venv/ for ${PYTHON}"; \ + ${PYTHON} -m venv --upgrade-deps --prompt . .venv; \ touch .venv/pip.conf # Set up a newly created virtual environment. Note: pre-commit uses the From d967648191be7976f54277cdd1514a52d29301ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:31:49 +1000 Subject: [PATCH 18/28] =?UTF-8?q?fix:=20don=E2=80=99t=20print=20warning=20?= =?UTF-8?q?about=20upgrading=20the=20venv=20if=20the=20venv=20wasn?= =?UTF-8?q?=E2=80=99t=20upgraded=20yet=20(#1150)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Makefile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 53d5a36b..ea0ac108 100644 --- a/Makefile +++ b/Makefile @@ -43,9 +43,11 @@ endif # If the project configuration file has been updated (package deps or # otherwise) then warn the user and suggest resolving the conflict. -ifeq ($(shell test pyproject.toml -nt .venv/upgraded-on; echo $$?),0) - $(warning pyproject.toml was updated, consider `make upgrade` if your packages have changed) - $(warning If this is not correct then run `make upgrade-quiet`) +ifneq ($(wildcard .venv/upgraded-on),) + ifeq ($(shell test pyproject.toml -nt .venv/upgraded-on; echo $$?),0) + $(warning pyproject.toml was updated, consider `make upgrade` if your packages have changed) + $(warning If this is not correct then run `make upgrade-quiet`) + endif endif # The SOURCE_DATE_EPOCH environment variable allows the `flit` tool to From d7675413a8cb7762e5d694f0e0098c899bd3e7d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:32:18 +1000 Subject: [PATCH 19/28] fix: make very very sure that pip prune uses only wheels (from the wheelhouse), and prevent accidentally building a wheel (#1151) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index ea0ac108..872ca43e 100644 --- a/Makefile +++ b/Makefile @@ -239,7 +239,7 @@ prune: python -m pip wheel --wheel-dir build/wheelhouse/ --requirement build/prune-requirements.txt python -m pip wheel --wheel-dir build/wheelhouse/ . python -m pip uninstall --yes --requirement build/prune-requirements.txt - python -m pip install --no-index --find-links=build/wheelhouse/ --editable . + python -m pip install --no-index --only-binary :all: --find-links=build/wheelhouse/ --editable . rm -fr build/ # Clean test caches and remove build artifacts. From 40f0d3b7c22169a62a234644d54329170a6eb6fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:32:47 +1000 Subject: [PATCH 20/28] docs: mention the Keep a Changelog project in the README and CHANGELOG files for reference (#1178) --- CHANGELOG.md | 6 +++++- README.md | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9165651b..d5bea48b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,8 @@ -This project follows the [semantic versioning](https://packaging.python.org/en/latest/discussions/versioning/#semantic-versioning-vs-calendar-versioning) and [pre-release versioning](https://packaging.python.org/en/latest/discussions/versioning/) schemes recommended by the Python Packaging Authority [here](https://packaging.python.org/en/latest/specifications/version-specifiers/). +# Changelog + +All notable changes to this project will be documented in this file. + +This project adheres to [semantic versioning](https://packaging.python.org/en/latest/discussions/versioning/#semantic-versioning-vs-calendar-versioning) and [pre-release versioning](https://packaging.python.org/en/latest/discussions/versioning/) schemes recommended by the Python Packaging Authority [here](https://packaging.python.org/en/latest/specifications/version-specifiers/). The format of this file is loosely based on [Keep a Changelog](https://keepachangelog.com/). ## v2.19.1 (2026-04-24) diff --git a/README.md b/README.md index d5439b85..59069f91 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ Documentation is important, and [Sphinx](https://www.sphinx-doc.org/en/master/) ### Versioning and publishing -Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/), and [Changelog](https://en.wikipedia.org/wiki/Changelog) generation are enabled using Github Actions. Furthermore, an optional [Release Notification](https://github.com/jenstroeger/python-package-template/tree/main/.github/workflows/release-notifications.yaml) Action allows Github to push an update notification to a [Slack bot](https://api.slack.com/bot-users) of your choice. For setup instructions, please see [below](#versioning-publishing-and-changelog). +Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/), and [Changelog](https://keepachangelog.com/) generation are enabled using Github Actions. Furthermore, an optional [Release Notification](https://github.com/jenstroeger/python-package-template/tree/main/.github/workflows/release-notifications.yaml) Action allows Github to push an update notification to a [Slack bot](https://api.slack.com/bot-users) of your choice. For setup instructions, please see [below](#versioning-publishing-and-changelog). ### Dependency analysis From bc29c794296843017dd006800ace17840cab8277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:33:05 +1000 Subject: [PATCH 21/28] chore(deps): add documentation link to Dependabot configuration (#1179) --- .github/workflows/dependabot-automerge.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index aef76783..a6f53112 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -1,4 +1,5 @@ # Automatically merge Dependabot PRs upon approval. +# https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enabling-automerge-on-a-pull-request name: Automerge Dependabot PR on: From f3757abf9b977d73092b033fe39c5006dcdb1b01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 11:33:31 +1000 Subject: [PATCH 22/28] fix(deps): add a 3-day cooldown period for Dependabot updates (#1180) --- .github/dependabot.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index ad4a8dc8..fef394fa 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -9,6 +9,8 @@ updates: directory: / schedule: interval: weekly + cooldown: + default-days: 3 commit-message: prefix: chore prefix-development: chore @@ -24,6 +26,8 @@ updates: directory: / schedule: interval: weekly + cooldown: + default-days: 3 commit-message: prefix: chore prefix-development: chore @@ -39,6 +43,8 @@ updates: directory: / schedule: interval: weekly + cooldown: + default-days: 3 commit-message: prefix: chore prefix-development: chore From de3e202df090cab0d003a163f3013fc2fe0b47c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 14:23:12 +1000 Subject: [PATCH 23/28] feat: add support for Python 3.14 (#1153) --- .github/workflows/_build.yaml | 6 ++-- .github/workflows/codeql-analysis.yaml | 2 +- .../workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/release.yaml | 8 ++--- Makefile | 4 +-- README.md | 29 ++++++++++--------- pyproject.toml | 3 +- 7 files changed, 28 insertions(+), 26 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 9f9abb24..27fea479 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -6,7 +6,7 @@ # # Even though we run the build in a matrix to check against different platforms, due to a known # limitation of reusable workflows that do not support setting strategy property from the caller -# workflow, we only generate artifacts for ubuntu-latest and Python 3.13, which can be used to +# workflow, we only generate artifacts for ubuntu-latest and Python 3.14, which can be used to # create a release. For details see: # # https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations @@ -35,7 +35,7 @@ permissions: contents: read env: ARTIFACT_OS: ubuntu-latest # The default OS for release. - ARTIFACT_PYTHON: '3.13' # The default Python version for release. + ARTIFACT_PYTHON: '3.14' # The default Python version for release. jobs: build: @@ -51,7 +51,7 @@ jobs: # It is recommended to pin a Runner version specifically: # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners os: [ubuntu-latest, macos-latest, windows-latest] - python: ['3.10', '3.11', '3.12', '3.13'] + python: ['3.10', '3.11', '3.12', '3.13', '3.14'] steps: - name: Harden Runner diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 36e173fc..474f51d0 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -29,7 +29,7 @@ jobs: matrix: # Learn more about CodeQL language support at https://git.io/codeql-language-support language: [python, actions] - python: ['3.13'] + python: ['3.14'] steps: - name: Harden Runner diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index e802ad9c..b1b3af41 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -29,7 +29,7 @@ jobs: - name: Set up Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: - python-version: '3.13' + python-version: '3.14' # Install Commitizen without using the package's Makefile: that's much faster than # creating a venv and installing heaps of dependencies that aren't required for this job. diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0d3b148e..68955a3d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -44,7 +44,7 @@ jobs: - name: Set up Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: - python-version: '3.13' + python-version: '3.14' - name: Set up Commitizen run: | @@ -111,7 +111,7 @@ jobs: - name: Download artifact uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: - name: artifact-ubuntu-latest-python-3.13 + name: artifact-ubuntu-latest-python-3.14 path: dist # Verify hashes by first computing hashes for the artifacts and then comparing them @@ -128,7 +128,7 @@ jobs: - name: Set up Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: - python-version: '3.13' + python-version: '3.14' - name: Set up Commitizen run: | @@ -250,7 +250,7 @@ jobs: # Github disallows passing environment variables as arguments to a reusable # workflow, so we have to duplicate these values here. Related discussion # here: https://github.com/actions/toolkit/issues/931 - artifact-name: artifact-ubuntu-latest-python-3.13 + artifact-name: artifact-ubuntu-latest-python-3.14 git-user-name: jenstroeger git-user-email: jenstroeger@users.noreply.github.com secrets: diff --git a/Makefile b/Makefile index 872ca43e..5d924016 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ PACKAGE_NAME := package PACKAGE_VERSION := $(shell python -c $$'try: import $(PACKAGE_NAME); print($(PACKAGE_NAME).__version__);\nexcept: print("unknown");') # If a PYTHON environment variable exists then use that, else define it here. -PYTHON ?= python3.13 +PYTHON ?= python3.14 # This variable contains the first goal that matches any of the listed goals # here, else it contains an empty string. The net effect is to filter out @@ -61,7 +61,7 @@ endif .PHONY: all all: check test dist docs -# Create a virtual environment, either for Python3.13 (default) or using +# Create a virtual environment, either for Python3.14 (default) or using # the Python interpreter specified in the PYTHON environment variable. Also # create an empty pip.conf file to ensure that `pip config` modifies this # venv only, unless told otherwise. For more background, see: diff --git a/README.md b/README.md index 59069f91..ca945ebf 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ The badges above give you an idea of what this project template provides. It’s ### Typing -The package requires a minimum of [Python 3.10](https://www.python.org/downloads/release/python-31015/), and it supports [Python 3.11](https://www.python.org/downloads/release/python-31110/), [Python 3.12](https://www.python.org/downloads/release/python-3127/) and [Python 3.13](https://www.python.org/downloads/release/python-3130/) (default). All code requires comprehensive [typing](https://docs.python.org/3/library/typing.html). The [mypy](http://mypy-lang.org/) static type checker and the [flake8-pyi](https://github.com/PyCQA/flake8-pyi) plugin are invoked by git hooks and through a Github Action to enforce continuous type checks on Python source and [stub files](https://peps.python.org/pep-0484/#stub-files). Make sure to add type hints to your code or to use [stub files](https://mypy.readthedocs.io/en/stable/stubs.html) for types, to ensure that users of your package can `import` and type-check your code (see also [PEP 561](https://www.python.org/dev/peps/pep-0561/)). +The package requires a minimum of [Python 3.10](https://www.python.org/downloads/release/python-31020/), and it supports [Python 3.11](https://www.python.org/downloads/release/python-31115/), [Python 3.12](https://www.python.org/downloads/release/python-31213/), [Python 3.13](https://www.python.org/downloads/release/python-31313/), and [Python 3.14](https://www.python.org/downloads/release/python-3144/) ( (default). All code requires comprehensive [typing](https://docs.python.org/3/library/typing.html). The [mypy](http://mypy-lang.org/) static type checker and the [flake8-pyi](https://github.com/PyCQA/flake8-pyi) plugin are invoked by git hooks and through a Github Action to enforce continuous type checks on Python source and [stub files](https://peps.python.org/pep-0484/#stub-files). Make sure to add type hints to your code or to use [stub files](https://mypy.readthedocs.io/en/stable/stubs.html) for types, to ensure that users of your package can `import` and type-check your code (see also [PEP 561](https://www.python.org/dev/peps/pep-0561/)). ### Quality assurance @@ -105,7 +105,7 @@ If you’d like to start your own Python project from scratch, you can either co To develop your new package, first create a [virtual environment](https://docs.python.org/3/tutorial/venv.html) by either using the [Makefile](https://www.gnu.org/software/make/manual/make.html#toc-An-Introduction-to-Makefiles): ```bash -make venv # Create a new virtual environment in .venv folder using Python 3.13. +make venv # Create a new virtual environment in .venv folder using Python 3.14. ``` or for a specific version of Python: @@ -117,7 +117,7 @@ PYTHON=python3.12 make venv # Same virtual environment for a different Python v or manually: ```bash -python3.13 -m venv .venv # Or use .venv313 for more than one local virtual environments. +python3.14 -m venv .venv # Or use .venv314 for more than one local virtual environments. ``` When working with this Makefile _it is important to always [activate the virtual environment](https://docs.python.org/3/library/venv.html)_ because some of the [git hooks](#git-hooks) (see below) depend on that: @@ -184,14 +184,14 @@ Note that the unit tests include [doctest](https://docs.python.org/3/library/doc Both statement and branch coverage are being tracked using [coverage](https://github.com/nedbat/coveragepy) and the [pytest-cov](https://github.com/pytest-dev/pytest-cov) plugin for pytest when running unit tests, and it measures how much code in the `src/package/` folder is covered by tests: ``` =========================================== test session starts =========================================== -platform darwin -- Python 3.13.9, pytest-8.4.2, pluggy-1.6.0 -- /path/to/python-package-template/.venv/bin/python +platform darwin -- Python 3.14.5, pytest-9.0.3, pluggy-1.6.0 -- /path/to/python-package-template/.venv/bin/python cachedir: .pytest_cache +benchmark: 5.2.3 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000) hypothesis profile 'default-with-verbose-verbosity' -> verbosity=Verbosity.verbose -benchmark: 5.2.0 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000) rootdir: /path/to/python-package-template configfile: pyproject.toml -plugins: cases-3.9.1, hypothesis-6.138.16, env-1.1.5, cov-6.3.0, custom-exit-code-0.3.0, doctestplus-1.4.0, Faker-37.6.0, benchmark-5.2.0 -collected 6 items / 2 deselected / 4 selected +plugins: benchmark-5.2.3, cov-7.1.0, env-1.6.0, Faker-40.19.1, custom-exit-code-0.3.0, doctestplus-1.7.1, cases-3.10.1, hypothesis-6.152.9 +collected 6 items / 2 deselected / 4 selected src/package/something.py::package.something.Something.do_something PASSED [ 25%] tests/unit/test_something.py::test_something_hypothesis PASSED [ 50%] @@ -199,7 +199,7 @@ tests/unit/test_something.py::test_something_cases[_case_boolean] PASSED docs/source/index.rst::index.rst PASSED [100%] ============================================= tests coverage ============================================== -____________________________ coverage: platform darwin, python 3.13.9-final-0 _____________________________ +____________________________ coverage: platform darwin, python 3.14.5-final-0 _____________________________ Name Stmts Miss Branch BrPart Cover Missing ---------------------------------------------------------------------- @@ -217,20 +217,21 @@ tests/unit/test_something.py::test_something_hypothesis: - Stopped because nothing left to do + ============================================ slowest durations ============================================ -0.10s setup src/package/something.py::package.something.Something.do_something -0.01s call tests/unit/test_something.py::test_something_hypothesis +0.05s setup src/package/something.py::package.something.Something.do_something +0.00s call tests/unit/test_something.py::test_something_hypothesis 0.00s call src/package/something.py::package.something.Something.do_something 0.00s setup tests/unit/test_something.py::test_something_cases[_case_boolean] 0.00s call docs/source/index.rst::index.rst 0.00s setup docs/source/index.rst::index.rst -0.00s teardown src/package/something.py::package.something.Something.do_something -0.00s teardown tests/unit/test_something.py::test_something_cases[_case_boolean] -0.00s call tests/unit/test_something.py::test_something_cases[_case_boolean] 0.00s setup tests/unit/test_something.py::test_something_hypothesis +0.00s call tests/unit/test_something.py::test_something_cases[_case_boolean] +0.00s teardown src/package/something.py::package.something.Something.do_something 0.00s teardown docs/source/index.rst::index.rst +0.00s teardown tests/unit/test_something.py::test_something_cases[_case_boolean] 0.00s teardown tests/unit/test_something.py::test_something_hypothesis -===================================== 4 passed, 2 deselected in 0.23s ===================================== +===================================== 4 passed, 2 deselected in 0.16s ===================================== ``` Note that code that’s not covered by tests is listed under the `Missing` column, and branches not taken too. The net effect of enforcing 100% code and branch coverage is that every new major and minor feature, every code change, and every fix are being tested (keeping in mind that high _coverage_ does not imply comprehensive, meaningful _test data_). diff --git a/pyproject.toml b/pyproject.toml index 9802a309..b8c51148 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "flit_core.buildapi" [project] name = "package" -requires-python = ">=3.10.0,<3.14.0" +requires-python = ">=3.10.0,<3.15.0" authors = [{name = "Author", email = "author@email"}] maintainers = [{name = "Maintainer", email = "maintainer@email"}] dynamic = ["version"] @@ -27,6 +27,7 @@ classifiers = [ "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", "Programming Language :: Python :: 3.13", + "Programming Language :: Python :: 3.14", "Programming Language :: Python :: 3 :: Only", "Programming Language :: Python :: Implementation :: CPython", "Topic :: Software Development :: Libraries :: Python Modules", From a4ee9506b37bc260e11b94b295994e387a470e7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 14:23:26 +1000 Subject: [PATCH 24/28] refactor: add Makefile variables for both source and binary distributions, and simplify rules a bit using these variables (#1129) --- Makefile | 49 ++++++++++++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 19 deletions(-) diff --git a/Makefile b/Makefile index 5d924016..100d5355 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,17 @@ SHELL := bash PACKAGE_NAME := package PACKAGE_VERSION := $(shell python -c $$'try: import $(PACKAGE_NAME); print($(PACKAGE_NAME).__version__);\nexcept: print("unknown");') +# Put together the file names for both the source distribution package (sdist) +# and the binary distribution package (wheel). For more details on these two, +# see: https://packaging.python.org/en/latest/discussions/package-formats/ +# +# For the wheel, users may require additional code to generate the Python tag +# (py3), the ABI tag (none), and the platform tag (any) for the final wheel +# file name. +PACKAGE_BASE_NAME := $(PACKAGE_NAME)-$(PACKAGE_VERSION) +PACKAGE_SDIST_NAME := $(PACKAGE_BASE_NAME).tar.gz +PACKAGE_WHEEL_NAME := $(PACKAGE_BASE_NAME)-py3-none-any.whl + # If a PYTHON environment variable exists then use that, else define it here. PYTHON ?= python3.14 @@ -107,7 +118,7 @@ upgrade-quiet: # Generate a Software Bill of Materials (SBOM). .PHONY: sbom sbom: requirements - python -m cyclonedx_py requirements --output-reproducible --output-format json --output-file dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json + python -m cyclonedx_py requirements --output-reproducible --output-format json --output-file dist/$(PACKAGE_BASE_NAME)-sbom.json # Generate a requirements.txt file containing version and integrity hashes for all # packages currently installed in the virtual environment. There's no easy way to @@ -129,14 +140,14 @@ requirements.txt: pyproject.toml [[ $$pkg =~ (.*)==(.*) ]] && curl -s https://pypi.org/pypi/$${BASH_REMATCH[1]}/$${BASH_REMATCH[2]}/json | python -c "import json, sys; print(''.join(f''' \\\\\n --hash=sha256:{pkg['digests']['sha256']}''' for pkg in json.load(sys.stdin)['urls']));" >> requirements.txt; \ done echo -e -n "$(PACKAGE_NAME)==$(PACKAGE_VERSION)" >> requirements.txt - if [ -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz ]; then \ - echo -e -n " \\\\\n $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash')" >> requirements.txt; \ + if [ -f dist/$(PACKAGE_SDIST_NAME) ]; then \ + echo -e -n " \\\\\n $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_SDIST_NAME) | grep '^\-\-hash')" >> requirements.txt; \ fi - if [ -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl ]; then \ - echo -e -n " \\\\\n $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl | grep '^\-\-hash')" >> requirements.txt; \ + if [ -f dist/$(PACKAGE_WHEEL_NAME) ]; then \ + echo -e -n " \\\\\n $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_WHEEL_NAME) | grep '^\-\-hash')" >> requirements.txt; \ fi echo "" >> requirements.txt - cp requirements.txt dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-requirements.txt + cp requirements.txt dist/$(PACKAGE_BASE_NAME)-requirements.txt # Audit the currently installed packages. Skip packages that are installed in # editable mode (like the one in development here) because they may not have @@ -182,16 +193,16 @@ test-all: test-unit test-integration test-performance # When building these artifacts, we need the environment variable SOURCE_DATE_EPOCH # set to the build date/epoch. For more details, see: https://flit.pypa.io/en/latest/reproducible.html .PHONY: dist -dist: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl: check test-all +dist: dist/$(PACKAGE_WHEEL_NAME) dist/$(PACKAGE_SDIST_NAME) dist/$(PACKAGE_BASE_NAME)-docs-html.zip dist/$(PACKAGE_BASE_NAME)-docs-md.zip +dist/$(PACKAGE_WHEEL_NAME): check test-all SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) python -m flit build --setup-py --format wheel - echo $(SOURCE_DATE_EPOCH) > dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any-build-epoch.txt -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz: check test-all + echo $(SOURCE_DATE_EPOCH) > dist/$(PACKAGE_BASE_NAME)-py3-none-any-build-epoch.txt +dist/$(PACKAGE_SDIST_NAME): check test-all SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) python -m flit build --no-setup-py --format sdist -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip: docs-html - python -m zipfile -c dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip docs/_build/html/ -dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip: docs-md - python -m zipfile -c dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip docs/_build/markdown/ +dist/$(PACKAGE_BASE_NAME)-docs-html.zip: docs-html + python -m zipfile -c dist/$(PACKAGE_BASE_NAME)-docs-html.zip docs/_build/html/ +dist/$(PACKAGE_BASE_NAME)-docs-md.zip: docs-md + python -m zipfile -c dist/$(PACKAGE_BASE_NAME)-docs-md.zip docs/_build/markdown/ # Build a PEP-503 compatible Simple Repository directory inside of dist/. For details on # the layout of that directory and the normalized project name, see: https://peps.python.org/pep-0503/ @@ -199,13 +210,13 @@ dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip: docs-md # its `--extra-index-url` argument: https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-extra-index-url PROJECT_NAME := $(shell python -c $$'import re; print(re.sub(r"[-_.]+", "-", "$(PACKAGE_NAME)").lower());') .PHONY: simple-index -simple-index: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz +simple-index: dist/$(PACKAGE_WHEEL_NAME) dist/$(PACKAGE_SDIST_NAME) mkdir -p dist/simple-index/$(PROJECT_NAME) echo -e "\nSimple Index$(PACKAGE_NAME)" > dist/simple-index/index.html - echo -e "\nSimple Index: $(PROJECT_NAME)$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz" > dist/simple-index/$(PROJECT_NAME)/index.html - cp -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/simple-index/$(PROJECT_NAME)/ - cp -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/simple-index/$(PROJECT_NAME)/ - python -m tarfile --create dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-pep503-simple-index.tar dist/simple-index/ + echo -e "\nSimple Index: $(PROJECT_NAME)$(PACKAGE_WHEEL_NAME)$(PACKAGE_SDIST_NAME)" > dist/simple-index/$(PROJECT_NAME)/index.html + cp -f dist/$(PACKAGE_WHEEL_NAME) dist/simple-index/$(PROJECT_NAME)/ + cp -f dist/$(PACKAGE_SDIST_NAME) dist/simple-index/$(PROJECT_NAME)/ + python -m tarfile --create dist/$(PACKAGE_BASE_NAME)-pep503-simple-index.tar dist/simple-index/ # Build the HTML and Markdown documentation from the package's source. DOCS_SOURCE := $(shell git ls-files docs/source) From 8d1285cb0b9cbd3ac315ff61adb6396996aa6513 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 14:23:53 +1000 Subject: [PATCH 25/28] fix: update pylint settings and remove perflint because it does not (currently) work for pylint 4 (#1123) --- pyproject.toml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index b8c51148..fb300b47 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -50,8 +50,7 @@ dev = [ "flit >=3.2.0,<4.0.0", "mypy >=1.0.0,!=1.20.2,<1.21", "pip-audit >=2.4.4,<3.0.0", - "pylint >=3.0.0,<4.1.0", - "perflint >=0.8.0,<1.0.0", + "pylint >=4.0.0,<4.1.0", "cyclonedx-bom >=7.0.0,<8.0.0", ] docs = [ @@ -178,9 +177,7 @@ ignore_missing_imports = true # https://pylint.pycqa.org/en/latest/user_guide/configuration/index.html [tool.pylint.main] fail-under = 10.0 -suggestion-mode = true load-plugins = [ - "perflint", # A Linter for performance anti-patterns. "pylint.extensions.bad_builtin", "pylint.extensions.broad_try_clause", "pylint.extensions.check_elif", @@ -214,6 +211,7 @@ disable = [ "too-many-arguments", "too-many-boolean-expressions", "too-many-branches", + "too-many-function-args", "too-many-instance-attributes", "too-many-lines", "too-many-locals", From 2e613d0a9a8943aaa23bf7639f3d16234514973b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jens=20Tr=C3=B6ger?= Date: Mon, 25 May 2026 14:41:17 +1000 Subject: [PATCH 26/28] fix: make the generated Simple Index (see PEP 503) better navigatable (#1130) --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 100d5355..b1827425 100644 --- a/Makefile +++ b/Makefile @@ -212,8 +212,8 @@ PROJECT_NAME := $(shell python -c $$'import re; print(re.sub(r"[-_.]+", "-", "$( .PHONY: simple-index simple-index: dist/$(PACKAGE_WHEEL_NAME) dist/$(PACKAGE_SDIST_NAME) mkdir -p dist/simple-index/$(PROJECT_NAME) - echo -e "\nSimple Index$(PACKAGE_NAME)" > dist/simple-index/index.html - echo -e "\nSimple Index: $(PROJECT_NAME)$(PACKAGE_WHEEL_NAME)$(PACKAGE_SDIST_NAME)" > dist/simple-index/$(PROJECT_NAME)/index.html + echo -e "\nSimple Index$(PACKAGE_NAME)" > dist/simple-index/index.html + echo -e "\nSimple Index: $(PROJECT_NAME)" > dist/simple-index/$(PROJECT_NAME)/index.html cp -f dist/$(PACKAGE_WHEEL_NAME) dist/simple-index/$(PROJECT_NAME)/ cp -f dist/$(PACKAGE_SDIST_NAME) dist/simple-index/$(PROJECT_NAME)/ python -m tarfile --create dist/$(PACKAGE_BASE_NAME)-pep503-simple-index.tar dist/simple-index/ From bc41899d7cae2502fc08725d24ce5916631eeb35 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 14:43:38 +1000 Subject: [PATCH 27/28] chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 (#1076) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/_build.yaml | 2 +- .github/workflows/codeql-analysis.yaml | 2 +- .github/workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/release.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index 27fea479..a0bbb039 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -66,7 +66,7 @@ jobs: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python }} diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 474f51d0..80e92916 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -42,7 +42,7 @@ jobs: uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Set up Python ${{ matrix.python }} - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python }} diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index b1b3af41..08b16826 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -27,7 +27,7 @@ jobs: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 68955a3d..37fda068 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -42,7 +42,7 @@ jobs: token: ${{ secrets.REPO_ACCESS_TOKEN }} - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' @@ -126,7 +126,7 @@ jobs: # Create the Release Notes using commitizen. - name: Set up Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' From 62cfc175de04b77a6faa8d64236fa48718bf8f8c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 May 2026 14:44:13 +1000 Subject: [PATCH 28/28] chore(deps): bump actions/checkout from 6.0.0 to 6.0.2 (#1078) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/_build.yaml | 2 +- .github/workflows/_generate-rebase.yaml | 2 +- .github/workflows/_wiki-documentation.yaml | 2 +- .github/workflows/codeql-analysis.yaml | 2 +- .github/workflows/macaron-analysis.yaml | 2 +- .github/workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/release.yaml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- .github/workflows/sync-with-upstream.yaml | 4 ++-- 9 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index a0bbb039..f3118e7e 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -61,7 +61,7 @@ jobs: disable-sudo: true - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/_generate-rebase.yaml b/.github/workflows/_generate-rebase.yaml index 30d6c045..54869af8 100644 --- a/.github/workflows/_generate-rebase.yaml +++ b/.github/workflows/_generate-rebase.yaml @@ -39,7 +39,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 token: ${{ secrets.REPO_ACCESS_TOKEN }} diff --git a/.github/workflows/_wiki-documentation.yaml b/.github/workflows/_wiki-documentation.yaml index 445c7874..2edbbe8d 100644 --- a/.github/workflows/_wiki-documentation.yaml +++ b/.github/workflows/_wiki-documentation.yaml @@ -49,7 +49,7 @@ jobs: # Check out the repository's Wiki repo into the wiki/ folder. The token is required # only for private repositories. - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.REPO_ACCESS_TOKEN }} repository: ${{ format('{0}.wiki', github.repository) }} diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 80e92916..f722bbbb 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -39,7 +39,7 @@ jobs: disable-sudo: true - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python }} uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 diff --git a/.github/workflows/macaron-analysis.yaml b/.github/workflows/macaron-analysis.yaml index 0252eaac..8b94386f 100644 --- a/.github/workflows/macaron-analysis.yaml +++ b/.github/workflows/macaron-analysis.yaml @@ -22,7 +22,7 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index 08b16826..adf6c1a6 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -22,7 +22,7 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 37fda068..1ac67953 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -36,7 +36,7 @@ jobs: disable-sudo: true - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 token: ${{ secrets.REPO_ACCESS_TOKEN }} @@ -104,7 +104,7 @@ jobs: disable-sudo: true - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -205,7 +205,7 @@ jobs: disable-sudo: true - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index c4f55e45..2491d95b 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -32,7 +32,7 @@ jobs: disable-sudo: true - name: Check out repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/sync-with-upstream.yaml b/.github/workflows/sync-with-upstream.yaml index 0f0599f3..e77f8f35 100644 --- a/.github/workflows/sync-with-upstream.yaml +++ b/.github/workflows/sync-with-upstream.yaml @@ -21,7 +21,7 @@ jobs: steps: - name: Check out template repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # If you decide to change the upstream template repository to a private one, uncomment # the following argument to pass the required token to be able to check it out. @@ -31,7 +31,7 @@ jobs: path: template - name: Check out current repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: token: ${{ secrets.REPO_ACCESS_TOKEN }} fetch-depth: 0