Apply migration from 0.14.0 to 0.16.0

frequenz-auto-dependabot[bot] · web-flow · commit 24412eb4e246 · 2026-03-27T10:10:47.000Z
=== v0.15.0 ========================================================= Script URL: https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/v0.15.0/cookiecutter/migrate.py ======================================================================== Migrating workflows to use ubuntu-slim runner for lightweight jobs... Updated .github/workflows/ci.yaml: migrated job nox-all to ubuntu-slim Updated .github/workflows/ci.yaml: migrated job test-installation-all to ubuntu-slim Updated .github/workflows/ci.yaml: migrated job create-github-release to ubuntu-slim Updated .github/workflows/ci.yaml: migrated job publish-to-pypi to ubuntu-slim Updated .github/workflows/release-notes-check.yml: migrated job check-release-notes to ubuntu-slim Updated .github/workflows/dco-merge-queue.yml: migrated job DCO to ubuntu-slim Updated .github/workflows/labeler.yml: migrated job Label to ubuntu-slim ======================================================================== Migrating pyproject license metadata to SPDX format... Updated pyproject.toml: migrated license metadata ======================================================================== Adding flake8-datetimez plugin to dev-flake8 dependencies... Updated pyproject.toml: added flake8-datetimez plugin ======================================================================== Fixing dependabot repo-config and mkdocstrings patterns... Skipped .github/dependabot.yml: repo-config patterns already updated Skipped .github/dependabot.yml: mkdocstrings patterns already updated Skipped .github/dependabot.yml (already up to date) ======================================================================== Migrating auto-dependabot workflow to use GitHub App token... Replacing .github/workflows/auto-dependabot.yaml with updated workflow (overwriting any local changes) ======================================================================== Migrating the CI workflows to use a platform matrix... - .github/workflows/ci.yaml Migrated arch+os matrix to platform ======================================================================== Installing repo-config migration workflow... Replacing .github/workflows/repo-config-migration.yaml with updated workflow (overwriting any local changes) Updated .github/workflows/auto-dependabot.yaml: added repo-config group exclusion ======================================================================== Updating 'Protect version branches' GitHub ruleset... Updated ruleset 'Protect version branches': add 'Migrate Repo Config' status check ======================================================================== ✅ Migration script finished successfully ✅ === v0.16.0 ========================================================= Script URL: https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/v0.16.0/cookiecutter/migrate.py ======================================================================== Fixing repo-config migration merge queue trigger... Updated .github/workflows/repo-config-migration.yaml: added merge_group trigger ======================================================================== Fixing mkdocstrings-python v2 paths for api repos... Skipping mkdocs.yml (not an api project) ======================================================================== Migrating protolint and publish-to-pypi runners to ubuntu-24.04... Skipping protolint runner migration (not an api project) Updated .github/workflows/ci.yaml: migrated runner for job publish-to-pypi ======================================================================== Updating 'Protect version branches' GitHub ruleset... Updated ruleset 'Protect version branches': remove copilot_code_review ======================================================================== ✅ Migration script finished successfully ✅ The migration completed successfully.
diff --git a/.github/workflows/auto-dependabot.yaml b/.github/workflows/auto-dependabot.yaml
@@ -1,21 +1,39 @@
 name: Auto-merge Dependabot PR
 
 on:
-  pull_request:
+  # XXX: !!! SECURITY WARNING !!!
+  # pull_request_target has write access to the repo, and can read secrets. We
+  # need to audit any external actions executed in this workflow and make sure no
+  # checked out code is run (not even installing dependencies, as installing
+  # dependencies usually can execute pre/post-install scripts). We should also
+  # only use hashes to pick the action to execute (instead of tags or branches).
+  # For more details read:
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
 
 permissions:
-  contents: write
+  contents: read
   pull-requests: write
 
 jobs:
   auto-merge:
-    if: github.actor == 'dependabot[bot]'
-    runs-on: ubuntu-latest
+    name: Auto-merge Dependabot PR
+    if: >
+      github.actor == 'dependabot[bot]' &&
+      !contains(github.event.pull_request.title, 'the repo-config group')
+    runs-on: ubuntu-slim
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
+          private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+
       - name: Auto-merge Dependabot PR
-        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1  # v1.3.2
+        uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ steps.app-token.outputs.token }}
           dependency-type: 'all'
           auto-merge: 'true'
           merge-method: 'merge'
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -28,11 +28,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch:
-          - amd64
-          - arm
-        os:
+        platform:
           - ubuntu-24.04
+          - ubuntu-24.04-arm
         python:
           - "3.11"
           - "3.12"
@@ -41,7 +39,7 @@ jobs:
           # that uses the same venv to run multiple linting sessions
           - "ci_checks_max"
           - "pytest_min"
-    runs-on: ${{ matrix.os }}${{ matrix.arch != 'amd64' && format('-{0}', matrix.arch) || '' }}
+    runs-on: ${{ matrix.platform }}
 
     steps:
       - name: Run nox
@@ -60,7 +58,7 @@ jobs:
     needs: ["nox"]
     # We skip this job only if nox was also skipped
     if: always() && needs.nox.result != 'skipped'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-slim
     env:
       DEPS_RESULT: ${{ needs.nox.result }}
     steps:
@@ -105,15 +103,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch:
-          - amd64
-          - arm
-        os:
+        platform:
           - ubuntu-24.04
+          - ubuntu-24.04-arm
         python:
           - "3.11"
           - "3.12"
-    runs-on: ${{ matrix.os }}${{ matrix.arch != 'amd64' && format('-{0}', matrix.arch) || '' }}
+    runs-on: ${{ matrix.platform }}
 
     steps:
       - name: Setup Git
@@ -161,7 +157,7 @@ jobs:
     needs: ["test-installation"]
     # We skip this job only if test-installation was also skipped
     if: always() && needs.test-installation.result != 'skipped'
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-slim
     env:
       DEPS_RESULT: ${{ needs.test-installation.result }}
     steps:
@@ -276,7 +272,7 @@ jobs:
       # discussions to create the release announcement in the discussion forums
       contents: write
       discussions: write
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-slim
     steps:
       - name: Download distribution files
         uses: actions/download-artifact@v6
diff --git a/.github/workflows/dco-merge-queue.yml b/.github/workflows/dco-merge-queue.yml
@@ -5,7 +5,7 @@ on:
 
 jobs:
   DCO:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - run: echo "This DCO job runs on merge_queue event and doesn't check PR contents"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -7,7 +7,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     steps:
       - name: Labeler
         # XXX: !!! SECURITY WARNING !!!
diff --git a/.github/workflows/release-notes-check.yml b/.github/workflows/release-notes-check.yml
@@ -16,7 +16,7 @@ on:
 jobs:
   check-release-notes:
     name: Check release notes are updated
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     steps:
       - name: Check for a release notes update
         if: github.event_name == 'pull_request'
diff --git a/pyproject.toml b/pyproject.toml
@@ -13,12 +13,12 @@ build-backend = "setuptools.build_meta"
 name = "frequenz-channels"
 description = "Channel implementations for Python"
 readme = "README.md"
-license = { text = "MIT" }
+license = "MIT"
+license-files = ["LICENSE"]
 keywords = ["frequenz", "python", "lib", "library", "channels", "channel"]
 classifiers = [
   "Development Status :: 5 - Production/Stable",
   "Intended Audience :: Developers",
-  "License :: OSI Approved :: MIT License",
   "Programming Language :: Python :: 3",
   "Programming Language :: Python :: 3 :: Only",
   "Topic :: Software Development :: Libraries",
@@ -38,6 +38,7 @@ email = "floss@frequenz.com"
 [project.optional-dependencies]
 dev-flake8 = [
   "flake8 == 7.3.0",
+  "flake8-datetimez == 20.10.0",
   "flake8-docstrings == 1.7.0",
   "flake8-pyproject == 1.2.4", # For reading the flake8 config from pyproject.toml
   "pydoclint == 0.7.6",
