Merge branch 'main' into DEVOPS-545-poetry-autoversioning

Author: saicheranb

.github/workflows/pre-commit.yml

@@ -2,6 +2,7 @@ name: pre-commit
 
 permissions:
   contents: read
+  statuses: write
 
 on:
   pull_request:

.github/workflows/reusable-jira-pr_add_jira_summary.yml

@@ -9,9 +9,13 @@ on:
       JIRA_BASE_URL:
         required: true
         description: 'The base URL of your JIRA instance'
-      JIRA_BASIC_AUTH:
+      JIRA_USER_EMAIL:
         required: true
-        description: 'The base64-encoded username:password for your JIRA instance'
+        description: 'The email address for your JIRA account'
+      JIRA_API_TOKEN:
+        required: true
+        description: 'The API token for your JIRA account'
+
 
 jobs:
   add_jira_summary:
@@ -20,7 +24,9 @@ jobs:
     env:
       JIRA_PATTERN: "([A-Z]+)[-# ]*([0-9]+)"
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
-      JIRA_BASIC_AUTH: ${{ secrets.JIRA_BASIC_AUTH }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
     steps:
 
     - name: Find JIRA issue key from branch
@@ -39,7 +45,7 @@ jobs:
       id: jira_summary_from_branch
       run: >
         curl -sS -X GET
-        -H "Authorization: Basic $JIRA_BASIC_AUTH"
+        -u "${JIRA_USER_EMAIL}:${JIRA_API_TOKEN}"
         -H "Content-Type: application/json"
         "$JIRA_BASE_URL/rest/api/2/issue/${{ steps.jira_key_from_branch.outputs.issue_key }}"
         | echo "summary=$(jq -r '.fields.summary // empty' | xargs)" >> $GITHUB_OUTPUT
@@ -61,7 +67,7 @@ jobs:
       id: jira_summary_from_title
       run: >
         curl -sS -X GET
-        -H "Authorization: Basic $JIRA_BASIC_AUTH"
+        -u "${JIRA_USER_EMAIL}:${JIRA_API_TOKEN}"
         -H "Content-Type: application/json"
         "$JIRA_BASE_URL/rest/api/2/issue/${{ steps.jira_key_from_title.outputs.issue_key }}"
         | echo "summary=$(jq -r '.fields.summary // empty' | xargs)" >> $GITHUB_OUTPUT

.github/workflows/reusable-pre_commit.yml

@@ -17,6 +17,11 @@ on:
         required: false
         type: string
         default: "3.10"
+      lfs:
+        description: 'Boolean to indicate if Github LFS is needed'
+        required: false
+        type: boolean
+        default: false
       timeout-minutes:
         description: 'Timeout in minutes for the job'
         required: false
@@ -50,6 +55,7 @@ jobs:
           echo "base-depth=$depth" >> $GITHUB_OUTPUT
       - uses: actions/checkout@v4
         with:
+          lfs: ${{ inputs.lfs }}
           # for non PR events, check out to depth 1 (the default)
           fetch-depth: ${{ steps.base-depth.outputs.base-depth || 1}}
       - name: Fetch target branch

.github/workflows/reusable-python-build_poetry_package.yml

@@ -16,11 +16,6 @@ on:
             description: 'Python version to use (e.g. 3.10)'
             required: true
             type: string
-        lfs:
-            description: 'Boolean to indicate if Github LFS is needed'
-            required: false
-            type: boolean
-            default: false
         version-tag:
             description: 'Version tag of the package to build'
             required: true
@@ -33,6 +28,11 @@ on:
             description: 'OS to build against (e.g. "ubuntu-latest")'
             required: true
             type: string
+        lfs:
+            description: 'Boolean to indicate if Github LFS is needed'
+            required: false
+            type: boolean
+            default: false
         timeout-minutes:
             description: 'Timeout in minutes for the job'
             required: true

.github/workflows/reusable-python-build_setuptools_package.yml

@@ -11,11 +11,6 @@ on:
             description: 'Python version to use (e.g. 3.10)'
             required: true
             type: string
-        lfs:
-            description: 'Boolean to indicate if Github LFS is needed'
-            required: false
-            type: boolean
-            default: false
         version-tag:
             description: 'Version tag of the package to build'
             required: true
@@ -28,6 +23,11 @@ on:
             description: 'OS to build against (e.g. "ubuntu-latest")'
             required: true
             type: string
+        lfs:
+            description: 'Boolean to indicate if Github LFS is needed'
+            required: false
+            type: boolean
+            default: false
         timeout-minutes:
             description: 'Timeout in minutes for the job'
             required: true

.github/workflows/reusable-python-publish_rattler_package.yml

@@ -11,11 +11,6 @@ on:
             description: 'Python version to use (e.g. 3.10)'
             required: true
             type: string
-        lfs:
-            description: 'Boolean to indicate if Github LFS is needed'
-            required: false
-            type: boolean
-            default: true
         conda-channels:
             description: 'List of conda channels to pull from (e.g. ["conda-forge", "pytorch"])'
             required: true
@@ -33,6 +28,11 @@ on:
             required: false
             type: string
             default: 'ubuntu-latest'
+        lfs:
+            description: 'Boolean to indicate if Github LFS is needed'
+            required: false
+            type: boolean
+            default: true
         timeout-minutes:
             description: 'Timeout in minutes for the job'
             required: false

.github/workflows/reusable-python-pytest.yml

@@ -95,7 +95,7 @@ jobs:
           JFROG_ARTIFACTORY_URL: ${{ secrets.JFROG_ARTIFACTORY_URL }}
           JFROG_ARTIFACTORY_TOKEN: ${{ secrets.JFROG_ARTIFACTORY_TOKEN }}
 
-      - uses: MiraGeoscience/CI-tools/.github/actions/reusable-python-setup_poetry@DEVOPS-545-poetry-autoversioning
+      - uses: MiraGeoscience/CI-tools/.github/actions/reusable-python-setup_poetry@main
         name: Setup poetry env
         if: ${{ inputs.package-manager == 'poetry' }}
         with:

.github/workflows/reusable-python-static_analysis.yml

@@ -25,6 +25,11 @@ on:
         description: 'List of repository names to resolve on (e.g. ["public-dev-pypi"])'
         required: false
         type: string
+      lfs:
+        description: 'Boolean to indicate if Github LFS is needed'
+        required: false
+        type: boolean
+        default: false
       timeout-minutes:
         description: 'Timeout in minutes for the job'
         required: false
@@ -61,7 +66,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          lfs: false
+          lfs: ${{ inputs.lfs }}
           fetch-depth: 0
       - name: Set up Python version
         uses: actions/setup-python@v5
@@ -76,7 +81,7 @@ jobs:
           JFROG_ARTIFACTORY_URL: ${{ secrets.JFROG_ARTIFACTORY_URL }}
           JFROG_ARTIFACTORY_TOKEN: ${{ secrets.JFROG_ARTIFACTORY_TOKEN }}
 
-      - uses: MiraGeoscience/CI-tools/.github/actions/reusable-python-setup_poetry@DEVOPS-545-poetry-autoversioning
+      - uses: MiraGeoscience/CI-tools/.github/actions/reusable-python-setup_poetry@main
         name: Setup poetry env
         if: ${{ inputs.package-manager == 'poetry' }}
         with:

.github/workflows/reusable-zizmor-security.yml

@@ -0,0 +1,24 @@
+name: Zizmor analysis
+
+on:
+  workflow_call:
+
+jobs:
+  zizmor:
+    name: Security Scan
+    if: ${{ (github.event_name != 'pull_request') || (github.event.pull_request.draft == false) }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Run Zizmor Security Scan
+        continue-on-error: true
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018
+        with:
+          advanced-security: false