SunPyBot
diff --git a/‎.cruft.json‎
Lines changed: 2 additions & 2 deletions b/‎.cruft.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/asv-regular.yml‎
Lines changed: 21 additions & 13 deletions b/‎.github/workflows/asv-regular.yml‎
Lines changed: 21 additions & 13 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 53 additions & 30 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 53 additions & 30 deletions
diff --git a/‎.github/workflows/ci_benchmarks.yml‎
Lines changed: 13 additions & 3 deletions b/‎.github/workflows/ci_benchmarks.yml‎
Lines changed: 13 additions & 3 deletions
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/sunpy/package-template",
-  "commit": "4268346dead7b529a3d53df19bcf374bb2bbef34",
+  "commit": "28d86966c43434a03346abf6e740b45206792da6",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -32,7 +32,7 @@
         ".github/workflows/sub_package_update.yml"
       ],
       "_template": "https://github.com/sunpy/package-template",
-      "_commit": "4268346dead7b529a3d53df19bcf374bb2bbef34"
+      "_commit": "28d86966c43434a03346abf6e740b45206792da6"
     }
   },
   "directory": null
 
@@ -4,3 +4,5 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
@@ -11,46 +11,54 @@ on:
     #        │  │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
     - cron: "37 3 * * *" # Every day at 3:37am UTC
 
+permissions: {}
+
 jobs:
   asv-run:
     if: ${{ github.repository == 'sunpy/sunpy' }}
     runs-on: ubuntu-latest
+    environment:
+      name: asv-upload
     steps:
       - name: Checkout sunpy repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: "0"
+          persist-credentials: false
+
       - name: Checkout sunpy-benchmarks repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: sunpy/sunpy-benchmarks
           ref: main
           path: asv_results
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v6
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: "3.11"
+          python-version: "3.14"
           architecture: "x64"
+
       - name: Install dependencies
         run: |
           sudo apt-get install -y libopencv-dev
           python -m pip install --upgrade pip
           pip install asv virtualenv
+
       - name: Add machine info for ASV
         run: asv machine --machine GH-Actions --os ubuntu-latest --arch x64 --cpu "2-core unknown" --ram 7GB
-      - name: Run benchmarks for commits since v2.1
-        run: taskset -c 0 asv run --skip-existing-successful --steps 50 v3.0.dev..
-      - name: Install SSH Client 🔑
-        uses: webfactory/ssh-agent@v0.9.1
-        with:
-          ssh-private-key: ${{ secrets.ASV_CI_KEY }}
+
+      - name: Run benchmarks for commits since v5.0
+        run: taskset -c 0 asv run --skip-existing-successful --steps 50 v4.1.dev..
+
       - name: Push results
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
         with:
           branch: main
           folder: asv_results
+          token: ${{ secrets.GH_PAT_TOKEN }}
           repository-name: sunpy/sunpy-benchmarks
-          ssh-key: true
           commit-message: |
             Push new results from GitHub Actions
             repository: ${{ github.repository }}
 
@@ -15,17 +15,16 @@ on:
   pull_request:
   # Allow manual runs through the web UI
   workflow_dispatch:
-  # Trigger on completion of the scheduled_builds.yml file (only on main)
-  workflow_run:
-    workflows: [Scheduled build triggerer]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   core:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       submodules: false
       coverage: codecov
@@ -39,11 +38,10 @@ jobs:
   sdist_verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6  # zizmor: ignore[unpinned-uses]
         with:
-          fetch-tags: true
-          fetch-depth: 0
-      - uses: actions/setup-python@v6
+          persist-credentials: false
+      - uses: actions/setup-python@v6  # zizmor: ignore[unpinned-uses]
         with:
           python-version: '3.13'
       - run: python -m pip install -U --user build
@@ -52,8 +50,8 @@ jobs:
       - run: python -m twine check dist/*
 
   test:
-    needs: [core]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    needs: [core, sdist_verify]
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       submodules: false
       coverage: codecov
@@ -74,7 +72,7 @@ jobs:
 
   docs:
     needs: [core]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       default_python: '3.13'
       submodules: false
@@ -95,7 +93,7 @@ jobs:
   online:
     if: "!startsWith(github.event.ref, 'refs/tags/v')"
     needs: [docs]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       default_python: '3.13'
       submodules: false
@@ -118,7 +116,7 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-  publish:
+  build_dists:
     # Build wheels on PRs only when labelled. Releases will only be published if tagged ^v.*
     # see https://github-actions-workflows.openastronomy.org/en/latest/publish.html#upload-to-pypi
     if: |
@@ -128,50 +126,75 @@ jobs:
         contains(github.event.pull_request.labels.*.name, 'Run publish')
       )
     needs: [test, docs]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
-      upload_to_anaconda: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
-      anaconda_user: scientific-python-nightly-wheels
-      anaconda_package: sunpy
-      anaconda_keep_n_latest: 1
-      sdist: false
-      test_extras: 'tests'
-      test_command: 'pytest -p no:warnings --doctest-rst --pyargs sunpy'
-      submodules: false
+      sdist: false  # Built with a universal wheel below
       targets: |
         - cp3{12,13,14}-manylinux*_x86_64
         - cp3{12,13,14}-macosx_x86_64
         - cp3{12,13,14}-macosx_arm64
         - cp3{12,13,14}-win_amd64
         - target: cp3{12,13,14}-manylinux_aarch64
           runs-on: ubuntu-24.04-arm
+      test_extras: 'tests'
+      test_command: 'pytest -p no:warnings --doctest-rst --pyargs sunpy'
+      submodules: false
+      save_artifacts: true
+      upload_to_pypi: false
+      upload_to_anaconda: ${{ github.event_name == 'workflow_dispatch' }}
+      anaconda_user: scientific-python-nightly-wheels
+      anaconda_package: sunpy
+      anaconda_keep_n_latest: 1
     secrets:
-      pypi_token: ${{ secrets.pypi_token }}
       anaconda_token: ${{ secrets.anaconda_org_upload_token }}
 
   publish_pure:
-    needs: [publish]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2
+    needs: [test, docs]
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       python-version: "3.13"
       test_extras: 'tests'
       test_command: 'pytest -p no:warnings --doctest-rst -m "not mpl_image_compare" --pyargs sunpy'
       submodules: false
       env: |
         SUNPY_NO_BUILD_ANA_EXTENSION: 1
-    secrets:
-      pypi_token: ${{ secrets.pypi_token }}
+      save_artifacts: true
+      upload_to_pypi: false
+
+  publish:
+    if: startsWith(github.ref, 'refs/tags/v')
+    name: Upload to PyPI
+    runs-on: ubuntu-latest
+    needs: [build_dists, publish_pure]
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v7  # zizmor: ignore[unpinned-uses]
+        with:
+          merge-multiple: true
+          pattern: dist-*
+          path: dist
+
+      - run: ls -lha dist/
+
+      - name: Run upload
+        uses: pypa/gh-action-pypi-publish@v1.13.0  # zizmor: ignore[unpinned-uses]
 
   notify:
-    if: always() && (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_run')
+    if: ${{ !cancelled() && github.event_name == 'workflow_dispatch' }}
     needs: [publish_pure, online]
+    environment:
+      name: matrix
     runs-on: ubuntu-latest
     steps:
-      - uses: Cadair/matrix-notify-action@main
+      - uses: Cadair/matrix-notify-action@main  # zizmor: ignore[unpinned-uses]
         with:
           matrix_token: ${{ secrets.matrix_access_token }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           homeserver: ${{ secrets.matrix_homeserver }}
           roomid: '!JYqfIVJjWANcHnfktY:cadair.com'
-          ignore_pattern: '.*Load.*'
+          ignore_pattern: '.*(Load|report overall).*'
           summarise_success: true
@@ -8,6 +8,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   benchmarks:
     if: |
@@ -16,21 +18,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sunpy repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
+
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.14"
+
       - name: Install dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y libopencv-dev
           python -m pip install --upgrade pip
           pip install asv virtualenv
+
       - name: Add machine info for ASV
         run: asv machine --yes
+
       - name: Run benchmarks
         id: asv
         shell: bash -e {0}
@@ -48,7 +55,10 @@ jobs:
           status=${PIPESTATUS[0]}
           echo "EOF" >> $GITHUB_OUTPUT
           exit $status
+
       - name: Post the summary
         if: always()
         run: |
-          echo "${{ steps.asv.outputs.TEXT }}" | egrep "\| *Change *\| *Before *\[|BENCHMARKS NOT SIGNIFICANTLY CHANGED." -A 1000 | tee -a $GITHUB_STEP_SUMMARY
+          echo "$ASV_TEXT" | egrep "\| *Change *\| *Before *\[|BENCHMARKS NOT SIGNIFICANTLY CHANGED." -A 1000 | tee -a $GITHUB_STEP_SUMMARY
+        env:
+          ASV_TEXT: "${{ steps.asv.outputs.TEXT }}"