
Commit 0ae5b14

Merge remote-tracking branch 'origin/develop' into wt/741-develop-merge
# Conflicts: # uv.lock
2 parents 09c15a1 + fc656da commit 0ae5b14

5 files changed

Lines changed: 57 additions & 44 deletions


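--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -18,12 +18,17 @@
 # atomic to revert, large enough to actually be reviewed.
 # - Major bumps stay as individual PRs (potentially breaking; each
 # deserves its own review).
+# - Security updates are grouped too (one batched PR per ecosystem) so a
+# same-day burst of advisories arrives as a single PR, not one per package.
 # - No auto-merge anywhere. Lockfile diffs are uninspectable; we eyeball
 # the version metadata and source links before merging.
 #
-# Note: cooldown does NOT apply to security-updates (the GHSA-driven PRs).
-# Those still fire on the CVE-publication timeline, which is the right
-# tradeoff for shapepipe — fix CVEs fast, but don't auto-merge them either.
+# Note: cooldown and the monthly schedule do NOT apply to security-updates
+# (the GHSA-driven PRs) — only to version-updates. Security PRs still fire on
+# the CVE-publication timeline, which is the right tradeoff for shapepipe (fix
+# CVEs fast). The `applies-to: security-updates` groups below don't change that
+# timing; they only collapse a burst into one PR. Each `groups` block needs an
+# explicit `applies-to`, hence the paired version/security groups per ecosystem.
 
 version: 2
 
@@ -39,8 +44,12 @@ updates:
 semver-major-days: 30
 groups:
 lockfile-minor-patch:
+applies-to: version-updates
 patterns: ["*"]
 update-types: ["minor", "patch"]
+lockfile-security:
+applies-to: security-updates
+patterns: ["*"]
 open-pull-requests-limit: 3
 labels:
 - "dependencies"
@@ -55,6 +64,10 @@ updates:
 default-days: 14
 groups:
 actions:
+applies-to: version-updates
+patterns: ["*"]
+actions-security:
+applies-to: security-updates
 patterns: ["*"]
 open-pull-requests-limit: 2
 labels: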
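Review bot: The new `lockfile-security` and `actions-security` groups use `patterns: ["*"]` with no `update-types`, so a security fix that requires a major bump is batched with every other advisory for that ecosystem, and the header bullet "Major bumps stay as individual PRs" no longer holds for security updates. Because a group produces one PR, a single update in the batch that fails CI can hold back the remaining fixes until it is split out by hand. I would say so in the header, e.g. `# - Exception: security groups batch major bumps too; if one update breaks CI, split it out so the other fixes still merge.` The `updates:` entries these groups belong to start and end outside the hunks shown.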

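--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -38,7 +38,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
 - name: Resolve version slug
 id: slug
@@ -55,12 +55,12 @@ jobs:
 echo "dir=$dir" >> "$GITHUB_OUTPUT"
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 with:
 driver-opts: network=host
 
 - name: Build dev image
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 target: dev
@@ -82,7 +82,7 @@ jobs:
 "
 
 - name: Upload built HTML as artifact
-uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: docs-html-${{ steps.slug.outputs.slug }}
 path: docs/_build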

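--- a/.github/workflows/deploy-image.yml
+++ b/.github/workflows/deploy-image.yml
@@ -37,24 +37,24 @@ jobs:
 packages: write
 steps:
 - name: Checkout repository
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 with:
 driver-opts: network=host
 
 # Two parallel tag sets. `dev` is the default (no suffix, e.g. `:latest`,
 # `:develop`); `runtime` carries a `-runtime` suffix.
 - name: Tags — dev (default)
 id: meta-dev
-uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
 - name: Tags — runtime
 id: meta-runtime
-uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 flavor: |
@@ -66,7 +66,7 @@ jobs:
 
 # Build runtime first (smaller, used to smoke-test pipeline binaries)
 - name: Build runtime (load)
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 target: runtime
@@ -96,7 +96,7 @@ jobs:
 
 # Build dev (reuses cached `base` layer)
 - name: Build dev (load)
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 target: dev
@@ -131,15 +131,15 @@ jobs:
 # ----------------------------------------------------------------
 - name: Log in to the Container registry
 if: github.event_name == 'push'
-uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Push runtime
 if: github.event_name == 'push'
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 target: runtime
@@ -150,7 +150,7 @@ jobs:
 
 - name: Push dev
 if: github.event_name == 'push'
-uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: .
 target: dev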

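--- a/pyproject.toml
+++ b/pyproject.toml
@@ -40,7 +40,7 @@ dependencies = [
 "skaha>=1.7",
 "sqlitedict>=2.0",
 "termcolor",
-"tqdm>=4.63",
+"tqdm>=4.68.1",
 "vos>=3.6",
 "ngmix>=2.4",
 ]
@@ -55,9 +55,9 @@ doc = [
 "sphinx-book-theme"
 ]
 jupyter = [
-"ipython>=8.18",
-"jupyterlab>=4.5.7",
-"snakemake>=9.21.0",
+"ipython>=9.14.1",
+"jupyterlab>=4.5.9",
+"snakemake>=9.22.0",
 ]
 lint = [
 "black",
@@ -68,7 +68,7 @@ release = [
 "twine",
 ]
 test = [
-"hypothesis>=6.100",
+"hypothesis>=6.155.2",
 "pytest>=8.3",
 "pytest-cov>=5.0",
 "pytest-pycodestyle>=2.4",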

uv.lock

Lines changed: 23 additions & 23 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
