Merge pull request #162 from ASFHyP3/develop

Release v0.11.1

.github/dependabot.yml

@@ -1,9 +1,13 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      # Check for updates to GitHub Actions every weekday
-      interval: "daily"
+      interval: weekly
     labels:
-      - "bumpless"
+      - bumpless

.github/workflows/changelog.yml

@@ -11,6 +11,4 @@ on:
       - develop
 jobs:
   call-changelog-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.10.0
-    secrets:
-      USER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.11.0

.github/workflows/create-jira-issue.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   call-create-jira-issue-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.11.0
     secrets:
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
       JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}

.github/workflows/labeled-pr.yml

@@ -12,4 +12,4 @@ on:
 
 jobs:
   call-labeled-pr-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.11.0

.github/workflows/release.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   call-release-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.11.0
     with:
       release_prefix: Actions
     secrets:

.github/workflows/reusable-changelog-check.yml

@@ -1,19 +1,14 @@
 on:
   workflow_call:
-    secrets:
-      USER_TOKEN:
-        required: true
 
 jobs:
   changelog-updated:
+    if: ${{ ! contains(github.event.pull_request.labels.*.name, 'bumpless') }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
-      - name: Changelog check
-        uses: Zomzog/changelog-checker@v1.3.0
         with:
-          fileName: CHANGELOG.md
-          noChangelogLabel: bumpless
-        env:
-          GITHUB_TOKEN: ${{ secrets.USER_TOKEN }}
+          fetch-depth: 0
+      - name: Changelog check
+        run: '! git diff --quiet "origin/${{ github.event.pull_request.base.ref }}" -- CHANGELOG.md'
+        shell: bash

.github/workflows/reusable-docker-ecr.yml

@@ -67,14 +67,14 @@ jobs:
 
       - name: Add test tag
         if: github.ref == format('refs/heads/{0}', inputs.develop_branch)
-        uses: akhilerm/tag-push-action@v2.1.0
+        uses: akhilerm/tag-push-action@v2.2.0
         with:
           src: ${{ inputs.ecr_registry }}/${{ env.REPO }}:${{ inputs.version_tag }}
           dst: ${{ inputs.ecr_registry }}/${{ env.REPO }}:test
 
       - name: Add latest tag
         if: github.ref == format('refs/heads/{0}', inputs.release_branch)
-        uses: akhilerm/tag-push-action@v2.1.0
+        uses: akhilerm/tag-push-action@v2.2.0
         with:
           src: ${{ inputs.ecr_registry }}/${{ env.REPO }}:${{ inputs.version_tag }}
           dst: ${{ inputs.ecr_registry }}/${{ env.REPO }}:latest

.github/workflows/reusable-docker-ghcr.yml

@@ -60,14 +60,14 @@ jobs:
 
       - name: Add test tag
         if: ${{ github.ref == format('refs/heads/{0}', inputs.develop_branch) && ! github.event.pull_request.head.repo.fork }}
-        uses: akhilerm/tag-push-action@v2.1.0
+        uses: akhilerm/tag-push-action@v2.2.0
         with:
           src: ghcr.io/${{ env.REPO }}:${{ inputs.version_tag }}
           dst: ghcr.io/${{ env.REPO }}:test
 
       - name: Add latest tag
         if: ${{ github.ref == format('refs/heads/{0}', inputs.release_branch) && ! github.event.pull_request.head.repo.fork }}
-        uses: akhilerm/tag-push-action@v2.1.0
+        uses: akhilerm/tag-push-action@v2.2.0
         with:
           src: ghcr.io/${{ env.REPO }}:${{ inputs.version_tag }}
           dst: ghcr.io/${{ env.REPO }}:latest

.github/workflows/reusable-secrets-analysis.yml

@@ -10,7 +10,7 @@ jobs:
           fetch-depth: 0
 
       - name: Secret Scanning
-        uses: trufflesecurity/trufflehog@v3.63.8
+        uses: trufflesecurity/trufflehog@v3.73.0
         with:
           base: main
           extra_args: --only-verified

.github/workflows/static-analysis.yml

@@ -4,4 +4,4 @@ on: push
 
 jobs:
   call-secrets-analysis-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.11.0

.github/workflows/tag-version.yml

@@ -7,6 +7,6 @@ on:
 
 jobs:
   call-bump-version-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.11.0
     secrets:
       USER_TOKEN: ${{ secrets.TOOLS_BOT_PAK }}

.github/workflows/update-examples.yml

@@ -13,7 +13,7 @@ on:
 
 jobs:
   call-git-object-name-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.11.0
 
   upate_actions_examples:
     needs: call-git-object-name-workflow

CHANGELOG.md

@@ -6,6 +6,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [PEP 440](https://www.python.org/dev/peps/pep-0440/) 
 and uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.11.1]
+
+### Fixed
+- Modified the [`reusable-changelog-check`](.github/workflows/reusable-changelog-check.yml) workflow to remove its dependency on a third-party action. The workflow behavior should remain unchanged except that applying the `bumpless` label now results in the workflow being skipped rather than succeeding. Fixes https://github.com/ASFHyP3/actions/issues/156
+  - When upgrading this reusable action in your repository, remove the following lines from the calling workflow:
+    ```diff
+    -    secrets:
+    -      USER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    ```
+
 ## [0.11.0]
 
 ### Fixed

README.md

@@ -25,7 +25,9 @@ on:
 
 jobs:
   call-bump-version-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.10.0
+    # For first-time setup, create a v0.0.0 tag as shown here:
+    # https://github.com/ASFHyP3/actions#reusable-bump-versionyml
+    uses: ASFHyP3/actions/.github/workflows/reusable-bump-version.yml@v0.11.0
     with:
       user: tools-bot                # Optional; default shown
       email: UAF-asf-apd@alaska.edu  # Optional; default shown
@@ -37,6 +39,15 @@ To tag a new version on any merge to `main`. This workflow uses the optional 'us
 [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 `USER_TOKEN` to define the user who will be creating and pushing the version tag.
 
+For this workflow to run successfully, there must be an annotated tag for the current version number.
+When adding this workflow to a new repo, you should create a `v0.0.0` tag by running the following commands,
+replacing `<commit>` with the hash of the initial commit:
+
+```
+git tag -am 'Marking zeroth release for auto-versioning and CI/CD Tooling' v0.0.0 <commit>
+git push --tags
+```
+
 ### [`reusable-changelog-check.yml`](./.github/workflows/reusable-changelog-check.yml)
 
 Ensures the changelog has been updated. Use like:
@@ -57,9 +68,7 @@ on:
 
 jobs:
   call-changelog-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.10.0
-    secrets:
-      USER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    uses: ASFHyP3/actions/.github/workflows/reusable-changelog-check.yml@v0.11.0
 ```
 
 to ensure the changelog has been updated for any PR to `develop` or `main`. 
@@ -77,7 +86,7 @@ on:
 
 jobs:
   call-create-jira-issue-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-create-jira-issue.yml@v0.11.0
     secrets:
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
       JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@@ -130,13 +139,13 @@ on:
 
 jobs:
   call-version-info-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.11.0
     with:
       conda_env_name: hyp3-plugin
 
   call-docker-ecr-workflow:
     needs: call-version-info-workflow
-    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ecr.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ecr.yml@v0.11.0
     with:
       version_tag: ${{ needs.call-version-info-workflow.outputs.version_tag }}
       ecr_registry: 845172464411.dkr.ecr.us-west-2.amazonaws.com
@@ -171,13 +180,13 @@ on:
 
 jobs:
   call-version-info-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.11.0
     with:
       conda_env_name: hyp3-plugin
 
   call-docker-ghcr-workflow:
     needs: call-version-info-workflow
-    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ghcr.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-docker-ghcr.yml@v0.11.0
     with:
       version_tag: ${{ needs.call-version-info-workflow.outputs.version_tag }}
       user: ${{ github.actor }}
@@ -198,7 +207,7 @@ on: push
 
 jobs:
   call-flake8-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-flake8.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-flake8.yml@v0.11.0
     with:
       local_package_names: hyp3_plugin  # Required; comma-seperated list of names that should be considered local to your application
       excludes: hyp3_plugin/ugly.py     # Optional; comma-separated list of glob patterns to exclude from checks
@@ -217,7 +226,7 @@ on: push
 
 jobs:
   call-ruff-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-ruff.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-ruff.yml@v0.11.0
 ```
 
 to ensure the Python code is styled correctly.
@@ -275,7 +284,7 @@ on:
 
 jobs:
   call-git-object-name-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-git-object-name.yml@v0.11.0
   
   echo-git-object-name-outputs:
     needs: call-git-object-name-workflow
@@ -305,14 +314,14 @@ on:
 
 jobs:
   call-labeled-pr-check-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-labeled-pr-check.yml@v0.11.0
 ```
 to ensure a release label is included on any PR to `main`.
 
 ### [`reusable-pytest.yml`](./.github/workflows/reusable-pytest.yml)
 
-Runs [pytest](https://docs.pytest.org/en/6.2.x/). Requires an `environment.yml` file at the root of the calling
-repository specifying all the runtime and testing dependencies needed. Use like:
+Runs [pytest](https://docs.pytest.org/en/6.2.x/) and [pytest-cov](https://pypi.org/project/pytest-cov/). Requires an `environment.yml` file at the root of the calling
+repository specifying all the runtime and testing dependencies needed, including `pytest` and `pytest-cov`. Use like:
 
 ```yaml
 name: Test
@@ -329,7 +338,7 @@ on:
 
 jobs:
   call-pytest-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-pytest.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-pytest.yml@v0.11.0
     with:
       local_package_name: hyp3_plugin  # Required; package to produce a coverage report for
       fail_fast: false      # Optional; default shown
@@ -358,7 +367,7 @@ on:
 
 jobs:
   call-release-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-release.yml@v0.11.0
     with:
       release_prefix: HyP3-CI
       release_branch: main      # Optional; default shown
@@ -387,7 +396,7 @@ on:
   
 jobs:
   call-release-checklist-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-release-checklist-comment.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-release-checklist-comment.yml@v0.11.0
     permissions:
       pull-requests: write
     with:
@@ -404,8 +413,9 @@ to add a comment to PRs when they are opened to the `main` branch.
 ### [`reusable-secrets-analysis.yml`](./.github/workflows/reusable-secrets-analysis.yml)
 
 Scan a PR for potentially committed secrets using [truffleHog](https://github.com/trufflesecurity/truffleHog).
-Requires this file at the root of the calling repository:
-  * [`.trufflehot.txt`](./.trufflehog.txt)
+
+> [!IMPORTANT]
+> This action assumes your stable release branch is named `main`. 
 
 Use like:
 
@@ -416,7 +426,7 @@ on: push
 
 jobs:
   call-secrets-analysis-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-secrets-analysis.yml@v0.11.0
 ```
 to scan every push for secrets.
 
@@ -442,7 +452,7 @@ on:
 
 jobs:
   call-version-info-workflow:
-    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.10.0
+    uses: ASFHyP3/actions/.github/workflows/reusable-version-info.yml@v0.11.0
     with:
       python_version: '3.9'        # Optional; default shown