Update cruft with batchpr

Author: Cadair

.cruft.json

@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/sunpy/package-template",
-  "commit": "4268346dead7b529a3d53df19bcf374bb2bbef34",
+  "commit": "44ff5c06778e86b845dab595ebf338ba876d495e",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -32,7 +32,7 @@
         ".github/workflows/sub_package_update.yml"
       ],
       "_template": "https://github.com/sunpy/package-template",
-      "_commit": "4268346dead7b529a3d53df19bcf374bb2bbef34"
+      "_commit": "44ff5c06778e86b845dab595ebf338ba876d495e"
     }
   },
   "directory": null

.github/dependabot.yml

@@ -4,3 +4,5 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7

.github/workflows/ci.yml

@@ -16,16 +16,18 @@ on:
   # Allow manual runs through the web UI
   workflow_dispatch:
   # Trigger on completion of the scheduled_builds.yml file (only on main)
-  workflow_run:
+  workflow_run:  # zizmor: ignore[dangerous-triggers]  # TODO: Fix our cron job hell
     workflows: [Scheduled build triggerer]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   core:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       submodules: false
       coverage: codecov
@@ -39,11 +41,10 @@ jobs:
   sdist_verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6  # zizmor: ignore[unpinned-uses]
         with:
-          fetch-tags: true
-          fetch-depth: 0
-      - uses: actions/setup-python@v6
+          persist-credentials: false
+      - uses: actions/setup-python@v6  # zizmor: ignore[unpinned-uses]
         with:
           python-version: '3.13'
       - run: python -m pip install -U --user build
@@ -52,8 +53,8 @@ jobs:
       - run: python -m twine check dist/*
 
   test:
-    needs: [core]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    needs: [core, sdist_verify]
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       submodules: false
       coverage: codecov
@@ -74,7 +75,7 @@ jobs:
 
   docs:
     needs: [core]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       default_python: '3.13'
       submodules: false
@@ -95,7 +96,7 @@ jobs:
   online:
     if: "!startsWith(github.event.ref, 'refs/tags/v')"
     needs: [docs]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       default_python: '3.13'
       submodules: false
@@ -118,7 +119,7 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-  publish:
+  build_dists:
     # Build wheels on PRs only when labelled. Releases will only be published if tagged ^v.*
     # see https://github-actions-workflows.openastronomy.org/en/latest/publish.html#upload-to-pypi
     if: |
@@ -128,46 +129,71 @@ jobs:
         contains(github.event.pull_request.labels.*.name, 'Run publish')
       )
     needs: [test, docs]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
-      upload_to_anaconda: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
-      anaconda_user: scientific-python-nightly-wheels
-      anaconda_package: sunpy
-      anaconda_keep_n_latest: 1
-      sdist: false
-      test_extras: 'tests'
-      test_command: 'pytest -p no:warnings --doctest-rst --pyargs sunpy'
-      submodules: false
+      sdist: true
       targets: |
         - cp3{12,13,14}-manylinux*_x86_64
         - cp3{12,13,14}-macosx_x86_64
         - cp3{12,13,14}-macosx_arm64
         - cp3{12,13,14}-win_amd64
         - target: cp3{12,13,14}-manylinux_aarch64
           runs-on: ubuntu-24.04-arm
+      test_extras: 'tests'
+      test_command: 'pytest -p no:warnings --doctest-rst --pyargs sunpy'
+      submodules: false
+      save_artifacts: true
+      upload_to_pypi: false
+      upload_to_anaconda: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
+      anaconda_user: scientific-python-nightly-wheels
+      anaconda_package: sunpy
+      anaconda_keep_n_latest: 1
     secrets:
-      pypi_token: ${{ secrets.pypi_token }}
       anaconda_token: ${{ secrets.anaconda_org_upload_token }}
 
   publish_pure:
     needs: [publish]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       python-version: "3.13"
       test_extras: 'tests'
       test_command: 'pytest -p no:warnings --doctest-rst -m "not mpl_image_compare" --pyargs sunpy'
       submodules: false
       env: |
         SUNPY_NO_BUILD_ANA_EXTENSION: 1
-    secrets:
-      pypi_token: ${{ secrets.pypi_token }}
+      save_artifacts: true
+      upload_to_pypi: false
+
+  publish:
+    if: startsWith(github.ref, 'refs/tags/v')
+    name: Upload to PyPI
+    runs-on: ubuntu-latest
+    needs: [build_dists]
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v7  # zizmor: ignore[unpinned-uses]
+        with:
+          merge-multiple: true
+          pattern: dist-*
+          path: dist
+
+      - run: ls -lha dist/
+
+      - name: Run upload
+        uses: pypa/gh-action-pypi-publish@v1  # zizmor: ignore[unpinned-uses]
 
   notify:
     if: always() && (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_run')
     needs: [publish_pure, online]
+    environment:
+      name: matrix
     runs-on: ubuntu-latest
     steps:
-      - uses: Cadair/matrix-notify-action@main
+      - uses: Cadair/matrix-notify-action@main  # zizmor: ignore[unpinned-uses]
         with:
           matrix_token: ${{ secrets.matrix_access_token }}
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/sub_package_update.yml

@@ -13,18 +13,20 @@ on:
     #        │ │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
     - cron: '0 7 * * 1'  # Every Monday at 7am UTC
 
+permissions: {}
+
 jobs:
   update:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
-    strategy:
-      fail-fast: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6  # zizmor: ignore[unpinned-uses]
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@v6  # zizmor: ignore[unpinned-uses]
         with:
           python-version: "3.14"
 
@@ -50,8 +52,8 @@ jobs:
         id: cruft_update
         if: steps.check.outputs.has_changes == '1'
         run: |
-          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
-          git config --global user.name "${{ github.actor }}"
+          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+          git config --global user.name "${GITHUB_ACTOR}"
 
           cruft_output=$(cruft update --skip-apply-ask --refresh-private-variables)
           echo $cruft_output
@@ -77,7 +79,7 @@ jobs:
 
       - name: Create pull request
         if: steps.cruft_json.outputs.has_changes == '1'
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@v8  # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           add-paths: "."
@@ -104,7 +106,7 @@ jobs:
       issues: write
     steps:
       - name: Open an issue if workflow fails
-        uses: actions/github-script@v7
+        uses: actions/github-script@v7  # zizmor: ignore[unpinned-uses]
         with:
           github-token: ${{ github.token }}
           # This script is adapted from https://github.com/scientific-python/issue-from-pytest-log-action
@@ -152,7 +154,7 @@ jobs:
                 repo: variables.name,
                 body: issue_body,
                 title: variables.title,
-                labels: [variables.label],
+                labels: [variables.label, "pre-commit.ci autofix"],
               });
             } else {
               await github.rest.issues.update({

.pre-commit-config.yaml

@@ -1,32 +1,61 @@
-exclude: ".*(.csv|.fits|.fts|.fit|.header|.txt|tca.*|.json|.asdf)$|^CITATION.rst|tools\/|sunpy\/extern\/|sunpy\/io\/src\/ana\/"
 repos:
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
     # This should be before any formatting hooks like isort
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: "v0.15.4"
     hooks:
       - id: ruff
         args: ["--fix"]
+        types: [python]
+        # Define here once and then reference using YAML anchor
+        exclude: &exclude_dirs ^sunpy/(data|extern)/
   - repo: https://github.com/PyCQA/isort
     rev: 8.0.1
     hooks:
       - id: isort
+        types: [python]
+        exclude: *exclude_dirs
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
       - id: check-ast
+        types: [python]
+        exclude: *exclude_dirs
       - id: check-case-conflict
+        types: [python]
+        exclude: *exclude_dirs
       - id: trailing-whitespace
+        types_or: [python, rst]
       - id: check-yaml
+        types: [yaml]
+        exclude: *exclude_dirs
+      - id: check-toml
+        types: [toml]
+        exclude: *exclude_dirs
       - id: debug-statements
+        types: [python]
+        exclude: *exclude_dirs
       - id: check-added-large-files
         args: ["--enforce-all", "--maxkb=1054"]
         exclude: ""
       - id: end-of-file-fixer
+        types_or: [python, rst]
       - id: mixed-line-ending
+        types_or: [python, rst]
   - repo: https://github.com/adhtruong/mirrors-typos
     rev: v1.38.1
     hooks:
       - id: typos
+        types_or: [python, rst]
+        exclude: *exclude_dirs
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      # This may fail if you do not have matching files in the data/ or extern/ directories
+      - id: check-useless-excludes
   - repo: local
     hooks:
       - id: generate-sunpy-net-hek-attrs