apply template

Author: zacharyburnett

.cruft.json

@@ -0,0 +1,23 @@
+{
+  "template": "https://github.com/zacharyburnett/stsci-package-template",
+  "commit": "d6b6a4304821a9cdbc462ffac106eac75087d513",
+  "checkout": null,
+  "context": {
+    "cookiecutter": {
+      "project_name": "stpipe",
+      "package_name": "stpipe",
+      "repository_url": "https://github.com/spacetelescope/stpipe",
+      "project_description": "Provides base classes and command-line tools for implementing calibration pipeline software.",
+      "manage_changelog_with_towncrier": true,
+      "publish_docs_to": "readthedocs.io",
+      "task_runner": "tox",
+      "python_version": ">=3.10",
+      "python_c_extensions": false,
+      "python_build_backend": "setuptools",
+      "crds_observatory": "none",
+      "_template": "https://github.com/zacharyburnett/stsci-package-template",
+      "_commit": "d6b6a4304821a9cdbc462ffac106eac75087d513"
+    }
+  },
+  "directory": "python-package"
+}

.github/dependabot.yml

@@ -1,20 +1,30 @@
 version: 2
-updates:
 
-  # Maintain dependencies for GitHub Actions
+updates:
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directory: ".github/workflows"
+    labels:
+      - no-changelog-entry-needed
     target-branch: "main"
     schedule:
-      interval: "weekly"
-    reviewers:
-      - "zacharyburnett"
+      interval: "monthly"
+    cooldown:
+      default-days: 7
+    groups:
+      actions:
+        patterns:
+          - "*"
 
-  # Maintain dependencies for pip
   - package-ecosystem: "pip"
     directory: "/"
+    labels:
+      - no-changelog-entry-needed
     target-branch: "main"
     schedule:
-      interval: "weekly"
-    reviewers:
-      - "zacharyburnett"
+      interval: "monthly"
+    cooldown:
+      default-days: 7
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/labeler.yml

@@ -0,0 +1,44 @@
+breaking-change:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'changes/*.breaking.rst'
+
+feature:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'changes/*.feature.rst'
+
+fix:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'changes/*.fix.rst'
+
+documentation:
+  - changed-files:
+    - all-globs-to-any-file: ['*.rst', '!CHANGES.rst', '!changes/*']
+    - any-glob-to-any-file:
+      - 'docs/**/*'
+      - '*.md'
+      - '.readthedocs.yaml'
+      - 'LICENSE'
+      - 'changes/*.docs.rst'
+
+packaging:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'pyproject.toml'
+
+# --------------------------------------- testing ---------------------------------------
+
+automation:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '.github/**'
+
+testing:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '**/tests/**'
+      - '**/regtest/**'
+      - '.github/workflows/test*.yml'
+      - '**/conftest.py'

.github/pull_request_template.md

@@ -1,20 +1,18 @@
-<!-- If this PR closes a JIRA ticket, make sure the title starts with the JIRA issue number,
-for example JP-1234: <Fix a bug> -->
-Resolves [JP-nnnn](https://jira.stsci.edu/browse/JP-nnnn)
-Resolves [RCAL-nnnn](https://jira.stsci.edu/browse/RCAL-nnnn)
+<!-- If this PR addresses a JIRA ticket: -->
+<!-- Resolves [JP-nnnn](https://jira.stsci.edu/browse/JP-nnnn) -->
 
-<!-- If this PR closes a GitHub issue, reference it here by its number -->
-Closes #
+<!-- If this PR will close an existing GitHub issue (that is not already attached to a JIRA ticket): -->
+<!-- Closes # -->
 
-<!-- describe the changes comprising this PR here -->
-This PR addresses ...
+<!-- Describe your changes here: -->
+## Description
+This change ...
 
-<!-- if you can't perform these tasks due to permissions, please ask a maintainer to do them -->
+<!-- If you can't perform these tasks due to permissions, reach out to a maintainer. -->
 ## Tasks
+
+- [ ] If this change affects user-facing code or public API, add news fragment file(s) to `changes/` (see [the changelog instructions](https://github.com/spacetelescope/stpipe/blob/main/changes/README.md)).
+      Otherwise, add the `no-changelog-entry-needed` label.
+
 - [ ] update or add relevant tests
 - [ ] update relevant docstrings and / or `docs/` page
-- [ ] Does this PR change any API used downstream? (if not, label with `no-changelog-entry-needed`)
-  - [ ] write news fragment(s) in `changes/`: `echo "changed something" > changes/<PR#>.<changetype>.rst` (see [changelog readme](https://github.com/spacetelescope/stpipe/blob/main/changes/README.rst) for instructions)
-  - [ ] run regression tests with this branch installed (`stpipe@git+https://github.com/<fork>/stpipe.git@<branch>`)
-    - [ ] [`jwst` regression test](https://github.com/spacetelescope/RegressionTests/actions/workflows/jwst.yml)
-    - [ ] [`romancal` regression test](https://github.com/spacetelescope/RegressionTests/actions/workflows/romancal.yml)

.github/release.yml

@@ -0,0 +1,17 @@
+changelog:
+  categories:
+    - title: Breaking Changes
+      labels:
+        - breaking-change
+    - title: New Features
+      labels:
+        - feature
+    - title: Fixes
+      labels:
+        - fix
+    - title: Documentation Changes
+      labels:
+        - documentation
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/build.yml

@@ -1,15 +1,52 @@
 name: build
 
 on:
+  pull_request:
   release:
     types: [released]
-  pull_request:
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2
-    with:
-      upload_to_pypi: ${{ (github.event_name == 'release') && (github.event.action == 'released') }}
-    secrets:
-      pypi_token: ${{ secrets.PYPI_PASSWORD_STSCI_MAINTAINER }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-tags: true
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        with:
+          # Cache disabled to prevent cache-poisoning attacks on release artifacts.
+          enable-cache: false
+      - run: uv build --sdist --wheel
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: ./dist/
+  publish:
+    if: (github.event_name == 'release') && (github.event.action == 'released')
+    needs: [build]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    # Requires environment protection rules in GitHub Settings:
+    # Settings > Environments > pypi > Add required reviewers
+    environment:
+      name: pypi
+      url: https://pypi.org/p/stpipe
+    steps:
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          pattern: dist*
+          path: dist/
+          merge-multiple: true
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: "dist/*"
+      # To upload to PyPI without a token, add this workflow file as a Trusted Publisher in the project settings on the PyPI website
+      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

.github/workflows/changelog.yml

@@ -1,7 +1,5 @@
-name: changelog
-
 on:
-  pull_request:
+  pull_request_target:
     types:
       - labeled
       - unlabeled
@@ -10,30 +8,18 @@ on:
       - reopened
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  changelog-check:
+  check:
     if: ${{ !contains(github.event.pull_request.labels.*.name, 'no-changelog-entry-needed') }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v6
-        with:
-          python-version: 3.12
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - run: pip install .
-      - run: pip install towncrier
-      - run: towncrier check
-      - run: towncrier build --draft | grep -P '#${{ github.event.number }}'
-  changelog-prevent-manual-edit:
-    if: ${{ !contains(github.event.pull_request.labels.*.name, 'allow-manual-changelog-edit') }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
-      - name: prevent direct changes to `CHANGES.rst` (write a towncrier fragment in `changes/` instead; you can override this with the `allow-manual-changelog-edit` label)
-        run: git diff HEAD ${{ github.event.pull_request.base.sha }} --no-patch --exit-code CHANGES.rst
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+      - run: uv run towncrier check
+      - name: search for news fragment matching pull request number
+        run: uv run towncrier build --draft | grep -P '#${{ github.event.number }}'

.github/workflows/label.yml

@@ -0,0 +1,15 @@
+on:
+  pull_request_target:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b  # v6.0.1
+        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/tests.yml

@@ -18,22 +18,31 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+      - run: uvx ruff format --check .
+      - run: uvx ruff check .
   test:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@ccd2f9f4a24f34ea1165a717af125260d93bb5c1  # v2.6.1
     with:
+      fill: true
+      fill_platforms: linux
+      fill_factors: xdist
       envs: |
         - linux: py310-oldestdeps-cov-xdist
-        - linux: py310-xdist
-        - linux: py311-xdist
         - linux: py311-downstreamdeps-cov-xdist
           coverage: 'codecov'
         - linux: py312-xdist-nolegacypath
-        - linux: py313-xdist
-        - linux: py314-cov-xdist
+        - linux: py3-cov-xdist
           coverage: 'codecov'
-        - macos: py314-xdist
+        - macos: py3-xdist
   test_downstream:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@ccd2f9f4a24f34ea1165a717af125260d93bb5c1  # v2.6.1
     with:
       setenv: |
         CRDS_PATH: /tmp/data/crds_cache

.github/workflows/update.yml

@@ -0,0 +1,55 @@
+on:
+  schedule:
+    - cron: "0 2 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # 7.6.0
+        with:
+          enable-cache: false
+      - name: Check for updates to upstream template
+        id: upstream-updates
+        run: |
+          CHANGES=0
+          if [ -f .cruft.json ]; then
+            if ! cruft check; then
+              CHANGES=1
+            fi
+          else
+            echo "No .cruft.json file"
+          fi
+
+          echo "available=$CHANGES" >> "$GITHUB_OUTPUT"
+      - if: steps.upstream-updates.outputs.available
+        name: Apply updates from upstream template
+        run: |
+          uvx cruft update --skip-apply-ask --refresh-private-variables
+          git restore --staged .
+      - if: steps.upstream-updates.outputs.available
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          add-paths: .
+          commit-message: "chore: use Cruft to apply changes from the upstream template"
+          branch: cruft/update
+          delete-branch: true
+          branch-suffix: timestamp
+          title: |
+            [CRUFT] Apply updates from upstream template
+          body: |
+            [Cruft](https://cruft.github.io/cruft/) has detected updates to the upstream Cookiecutter template.
+
+            > [!TIP]
+            > To skip these updates, modify this PR to increment `.cruft.json` only.