chore(deps-dev): bump frequenz-repo-config from 0.17.0 to 0.18.0 in the repo-config group across 1 directory (#285)

Bumps the repo-config group with 1 update in the / directory:
[frequenz-repo-config](https://github.com/frequenz-floss/frequenz-repo-config-python).

Updates `frequenz-repo-config` from 0.17.0 to 0.18.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/releases">frequenz-repo-config's
releases</a>.</em></p>
<blockquote>
<h2>v0.18.0</h2>
<h1>Frequenz Repository Configuration Release Notes</h1>
<h2>Summary</h2>
<p>This release focuses on finishing the automation of dependabot
updates, adding more automated upgrade workflows and fixing some
problems with the previous release.</p>
<h2>Upgrading</h2>
<h3>Cookiecutter template</h3>
<p>All upgrading should be done via the migration script or regenerating
the templates.</p>
<pre lang="bash"><code>curl -sSLf
https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/&lt;tag&gt;/cookiecutter/migrate.py
| python3 -I
</code></pre>
<h2>New Features</h2>
<h3>Cookiecutter template</h3>
<ul>
<li>The cookiecutter now asks whether a repository is private, defaults
that answer from the selected license, and uses it to toggle
private-repository workflow behavior, public publishing jobs, and the
link to GitHub Discussions in the issue template chooser.</li>
<li>All dependencies have been updated in the templates.</li>
<li>API projects now ship a dedicated <code>grpc-migration.yaml</code>
workflow that runs after Dependabot bumps
<code>grpcio</code>/<code>grpcio-tools</code>/<code>protobuf</code> and
rewrites the matching runtime <code>&gt;=</code> floors in
<code>pyproject.toml</code>.</li>
<li>API projects now have a better grpcio/protobuf updates grouping in
Dependabot, which should make upgrading easier, and plays nicer with the
new <code>grpc-migration.yaml</code> workflow.</li>
<li>API projects should now use the new API-specific <em>Protect version
branches</em> ruleset variant, which includes the required <code>Fix
gRPC/protobuf runtime floors</code> check without affecting non-API
Python projects.</li>
<li>Workflows using the <code>gh-action-dependabot-migrate</code> are
upgraded to the latest version, which avoids unnecessary version
iterations.</li>
<li>Add an <code>isort-migration.yaml</code> workflow that automatically
reorders imports when Dependabot upgrades <code>isort</code>.</li>
</ul>
<h2>Bug Fixes</h2>
<h3>Cookiecutter template</h3>
<ul>
<li>The unused cross-arch QEMU-based testing infrastructure has been
removed. The <code>.github/containers/nox-cross-arch/</code> and
<code>.github/containers/test-installation/</code> directories, as well
as the &quot;Cross-Arch Testing&quot; section in
<code>CONTRIBUTING.md</code>.</li>
<li>Private repositories now are generated with credentials uncommented
and the publishing workflows disabled.</li>
<li>The issue template chooser (<code>config.yml</code>) no longer
includes the <code>contact_links</code> section for private
repositories, since GitHub Discussions are typically disabled for
them.</li>
<li>Normalized the GitHub Action hashes for
<code>gh-action-setup-git</code> and
<code>gh-action-setup-python-with-deps</code> to point to the actual
commit object, which is what Dependabot expects.</li>
<li>API projects now configure black with <code>extend-exclude =
'^/submodules/'</code> so the formatting check doesn't descend into
external git submodules that don't follow our formatting rules.</li>
<li>API projects now configure isort with <code>skip_glob =
[&quot;submodules/*&quot;]</code> so the import-sorting check doesn't
descend into external git submodules that don't follow our rules.</li>
<li><code>CONTRIBUTING.md</code>
<ul>
<li>Fixed the nox example commands in to use the correct
<code>tests/</code> directory instead of the non-existent
<code>test/</code> directory.</li>
<li>Fixed the wrong mention to PyPI publishing when releasing for
private repositories.</li>
</ul>
</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Add how to re-trigger a migration to the docs by <a
href="https://github.com/llucax"><code>@​llucax</code></a> in <a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/pull/559">frequenz-floss/frequenz-repo-config-python#559</a></li>
<li>Remove unused cross-arch files and docs by <a
href="https://github.com/llucax"><code>@​llucax</code></a> in <a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/pull/547">frequenz-floss/frequenz-repo-config-python#547</a></li>
<li>build(deps): bump frequenz-floss/gh-action-setup-python-with-deps
from 0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 to
e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/pull/561">frequenz-floss/frequenz-repo-config-python#561</a></li>
<li>build(deps): bump frequenz-floss/gh-action-nox from 1.1.0 to 1.1.1
in the compatible group by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/pull/560">frequenz-floss/frequenz-repo-config-python#560</a></li>
<li>build(deps): bump frequenz-floss/gh-action-setup-git from
16952aac3ccc01d27412fe0dea3ea946530dcace to
f9d86a01228ee1cadaac5224d4d7626f1eb23f90 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/pull/562">frequenz-floss/frequenz-repo-config-python#562</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/953600229a68741824999432b9b49d9a0bc56bec"><code>9536002</code></a>
Update template versions and prepare the v0.18.0 release (<a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/issues/590">#590</a>)</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/085121516fb788293325e56808edecbd31f564f4"><code>0851215</code></a>
Prepare release notes for v0.18.0</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/bee542d201b4b66ce71df2f17044dcf76869356a"><code>bee542d</code></a>
template: Bump dependencies</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/80402d2a3969e3d19d2671eb98b6ac47ca422e2b"><code>80402d2</code></a>
build(deps): bump the compatible group with 2 updates (<a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/issues/589">#589</a>)</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/df8ba243393801fd97e2b46cddfb68bef00848c7"><code>df8ba24</code></a>
build(deps): bump the compatible group with 2 updates</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/e5f4e3968e5bc86758c46c41bdca5999dd80746c"><code>e5f4e39</code></a>
Add <code>isort</code> dependabot auto-migration workflow (<a
href="https://redirect.github.com/frequenz-floss/frequenz-repo-config-python/issues/585">#585</a>)</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/3afcb70310b690cc8eef4e631423af8d221b9f21"><code>3afcb70</code></a>
Update release notes</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/e86009be83504bd3751139775388b0cb078f0c2e"><code>e86009b</code></a>
Add isort submodules migration step</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/22be0eed5d3b5866dd348b0161de314eca66d5a5"><code>22be0ee</code></a>
template: Make isort exclude submodules from API projects</li>
<li><a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/commit/a45950072bfd4e287dffafb8096c0d42ddff7e47"><code>a459500</code></a>
isort: Exclude golden tests</li>
<li>Additional commits viewable in <a
href="https://github.com/frequenz-floss/frequenz-repo-config-python/compare/v0.17.0...v0.18.0">compare
view</a></li>
</ul>
</details>
<br />

Author: daniel-zullo-frequenz

.cookiecutter-replay.json

@@ -8,6 +8,7 @@
     "keywords": "client, api, python, trading, electricity-trading",
     "github_org": "frequenz-floss",
     "license": "MIT",
+    "private_repo": "no",
     "author_name": "Frequenz Energy-as-a-Service GmbH",
     "author_email": "floss@frequenz.com",
     "python_package": "frequenz.client.electricity_trading",
@@ -36,6 +37,10 @@
       "MIT",
       "Proprietary"
     ],
+    "private_repo": [
+      "{{ 'yes' if cookiecutter.license == 'Proprietary' else 'no' }}",
+      "{{ 'no' if cookiecutter.license == 'Proprietary' else 'yes' }}"
+    ],
     "author_name": "Frequenz Energy-as-a-Service GmbH",
     "author_email": "floss@frequenz.com",
     "python_package": "{{cookiecutter | python_package}}",

.github/containers/nox-cross-arch/arm64-ubuntu-20.04-python-3.11.Dockerfile

@@ -29,6 +29,7 @@ updates:
         exclude-patterns:
           # pydoclint has shipped breaking changes in patch updates often
           - "pydoclint"
+          - "isort"
       minor:
         update-types:
           - "minor"
@@ -49,6 +50,7 @@ updates:
           - "mkdocstrings[python]"
           - "pydoclint"
           - "pytest-asyncio"
+          - "isort"
       # We group repo-config updates as it uses optional dependencies that are
       # considered different dependencies otherwise, and will create one PR for
       # each if we don't group them.

.github/containers/nox-cross-arch/entrypoint.bash

@@ -23,7 +23,8 @@ jobs:
     if: >
       github.actor == 'dependabot[bot]' &&
       !contains(github.event.pull_request.title, 'the repo-config group') &&
-      !contains(github.event.pull_request.title, 'Bump black from ')
+      !contains(github.event.pull_request.title, 'Bump black from ') &&
+      !contains(github.event.pull_request.title, 'Bump isort from ')
     runs-on: ubuntu-slim
     steps:
       - name: Generate GitHub App token

.github/containers/test-installation/Dockerfile

@@ -66,7 +66,7 @@ jobs:
           # Read/update pull request metadata and labels.
           permission-pull-requests: write
       - name: Migrate
-        uses: frequenz-floss/gh-action-dependabot-migrate@eb100d3cf732b4808a7776eee8f303521efd494b  # v1.2.1
+        uses: frequenz-floss/gh-action-dependabot-migrate@27763fb5eb56476d91abe00132e8a0614171f92f # v1.2.0
         with:
           migration-script: |
             import os
@@ -81,6 +81,7 @@ jobs:
             subprocess.run([sys.executable, "-Im", "black", "."], check=True)
           token: ${{ steps.create-app-token.outputs.token }}
           auto-merge-on-changes: "false"
+          version-iteration: "false"
           sign-commits: "true"
           auto-merged-label: "tool:auto-merged"
           migrated-label: "tool:black:migration:executed"

.github/dependabot.yml

@@ -39,7 +39,7 @@ jobs:
           submodules: true
 
       - name: Setup Python
-        uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2
+        uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
           dependencies: .[dev-mkdocs]

.github/workflows/auto-dependabot.yaml

@@ -88,7 +88,7 @@ jobs:
           submodules: true
 
       - name: Setup Python
-        uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2
+        uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
           dependencies: build
@@ -145,7 +145,7 @@ jobs:
             > pyproject.toml
 
       - name: Setup Python
-        uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2
+        uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2
         with:
           python-version: ${{ matrix.python }}
           dependencies: dist/*.whl
@@ -186,7 +186,7 @@ jobs:
           submodules: true
 
       - name: Setup Python
-        uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2
+        uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
           dependencies: .[dev-mkdocs]
@@ -226,7 +226,7 @@ jobs:
           submodules: true
 
       - name: Setup Python
-        uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2
+        uses: frequenz-floss/gh-action-setup-python-with-deps@e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 # v1.0.2
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
           dependencies: .[dev-mkdocs]

.github/workflows/black-migration.yaml

@@ -0,0 +1,92 @@
+# Automatic isort migration for Dependabot PRs
+#
+# When Dependabot upgrades isort, this workflow installs the new version and
+# runs `isort .` so the PR already contains any import-ordering changes
+# introduced by the upgrade, while leaving the PR open for review.
+#
+# isort follows SemVer but its release policy
+# (https://github.com/PyCQA/isort/blob/main/docs/major_releases/release_policy.md)
+# explicitly allows intentional formatting changes in minor releases, and
+# patch releases may also adjust output in smaller bug-fix ways.  Because of
+# that, isort is excluded from the regular `patch` and `minor` Dependabot
+# groups: every isort bump produces an individual `Bump isort from …` PR and
+# is routed through this migration workflow.
+#
+# The companion auto-dependabot workflow skips those PRs so they're handled
+# exclusively by this migration workflow.
+#
+# XXX: !!! SECURITY WARNING !!!
+# pull_request_target has write access to the repo, and can read secrets.
+# This is required because Dependabot PRs are treated as fork PRs: the
+# GITHUB_TOKEN is read-only and secrets are unavailable with a plain
+# pull_request trigger.  The action mitigates the risk by:
+#   - Never executing code from the PR (the migration script is embedded
+#     in this workflow file on the base branch, not taken from the PR).
+#   - Gating migration steps on github.actor == 'dependabot[bot]'.
+#   - Running checkout with persist-credentials: false and isolating
+#     push credentials from the migration script environment.
+# For more details read:
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: isort Migration
+
+on:
+  merge_group:  # To allow using this as a required check for merging
+  pull_request_target:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+
+permissions:
+  # Commit reformatted files back to the PR branch.
+  contents: write
+  # Create and normalize migration state labels.
+  issues: write
+  # Read/update pull request metadata and comments.
+  pull-requests: write
+
+jobs:
+  isort-migration:
+    name: Migrate isort
+    # Skip if it was triggered by the merge queue. We only need the workflow to
+    # be executed to meet the "Required check" condition for merging, but we
+    # don't need to actually run the job, having the job present as Skipped is
+    # enough.
+    if: |
+      github.event_name == 'pull_request_target' &&
+      github.actor == 'dependabot[bot]' &&
+      contains(github.event.pull_request.title, 'Bump isort from ')
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Generate token
+        id: create-app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
+          private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+          # Push reformatted files to the PR branch.
+          permission-contents: write
+          # Create and normalize migration state labels.
+          permission-issues: write
+          # Read/update pull request metadata and labels.
+          permission-pull-requests: write
+      - name: Migrate
+        uses: frequenz-floss/gh-action-dependabot-migrate@27763fb5eb56476d91abe00132e8a0614171f92f # v1.2.0
+        with:
+          migration-script: |
+            import os
+            import subprocess
+            import sys
+
+            version = os.environ["MIGRATION_VERSION"].lstrip("v")
+            subprocess.run(
+                [sys.executable, "-Im", "pip", "install", f"isort=={version}"],
+                check=True,
+            )
+            subprocess.run([sys.executable, "-Im", "isort", "."], check=True)
+          token: ${{ steps.create-app-token.outputs.token }}
+          auto-merge-on-changes: "false"
+          version-iteration: "false"
+          sign-commits: "true"
+          auto-merged-label: "tool:auto-merged"
+          migrated-label: "tool:isort:migration:executed"
+          intervention-pending-label: "tool:isort:migration:intervention-pending"
+          intervention-done-label: "tool:isort:migration:intervention-done"