Dependency and ci updates, remove coveralls from python deps on CI (#75)

### What kind of change does this PR introduce?

* Updates some CI action versions
* Removes coveralls-python from CI dependencies
* Synchronizes a few versions among Python libraries
* Stages the README to use OSSF Best Practices

### Does this PR introduce a breaking change?

Not really.

### Other information:

Lots of linting builds are failing due to lagging support for Python3.13
by the `coveralls` library. The main developer seems to have abandoned
the project. Might need to figure something out if it doesn't receive an
update soon.

README.rst

@@ -2,7 +2,7 @@
 Cookiecutter PyPackage
 ======================
 
-|build|
+|build| |black| |isort| |ruff|
 
 Cookiecutter_ template for a Python package.
 
@@ -20,7 +20,7 @@ Features
 * `Conda`_ environment file: Optionally use ``conda env create -f environment-dev.yml`` to create a new environment with the correct Python version.
 * Tox_ testing: Setup to easily test for Python 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, and PyPy3.
 * Sphinx_ docs: Documentation ready for generation with, for example, `Read the Docs`_
-* pre-commit_ hook: Run your tests and linting (e.g. `black`, `flake8`, `pylint`, etc.) before you commit your code!
+* pre-commit_ hook: Run your tests and linting (e.g. `black`, `flake8`, `ruff`, `pylint`, etc.) before you commit your code!
 * `pre-commit.ci`_: Automate `pre-commit` checks and corrections in your Pull Requests.
 * bump-my-version_: Pre-configured `SemVer-2.0-compliant`_ version bumping with a single command.
 * dependabot_ for automated dependency updates of both project dependencies and GitHub Actions.
@@ -195,6 +195,18 @@ I also accept pull requests on this, if they're small, atomic, and if they make
     :target: https://github.com/Ouranosinc/cookiecutter-pypackage/actions/workflows/main.yml
     :alt: Build Status
 
+.. |black| image:: https://img.shields.io/badge/code%20style-black-000000.svg
+        :target: https://github.com/psf/black
+        :alt: Python Black
+
+.. |isort| image:: https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat&labelColor=ef8336
+        :target: https://pycqa.github.io/isort/
+        :alt: Isort
+
+.. |ruff| image:: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json
+        :target: https://github.com/astral-sh/ruff
+        :alt: Ruff
+
 .. |docs-upstream|  image:: https://readthedocs.org/projects/cookiecutter-pypackage/badge/?version=latest
     :target: https://cookiecutter-pypackage.readthedocs.io/en/latest/?badge=latest
     :alt: Documentation Status

docs/conf.py

@@ -41,9 +41,8 @@
 templates_path = ['_templates']
 
 # The suffix(es) of source filenames.
-# You can specify multiple suffix as a list of string:
-# source_suffix = ['.rst', '.md']
-source_suffix = '.rst'
+# You can specify multiple suffix as a dictionary of suffix: filetype
+source_suffix = {'.rst': 'restructuredtext'}
 
 # The encoding of source files.
 #source_encoding = 'utf-8-sig'

setup.py

@@ -43,17 +43,17 @@
             "build >=1.2.2",
             "cookiecutter >=2.6.0",
             "coverage >=7.5.1",
-            "flit >=3.9.0,<4.0",
+            "flit >=3.10.1,<4.0",
             "pre-commit >=3.5.0",
             "pytest-cookies >=0.7.0",
             "pytest >=8.2.3",
-            "tox >=4.23.2",
+            "tox >=4.24.1",
             "twine >=5.1.1",
             "watchdog >=4.0.0",
         ],
         "docs": [
             "alabaster >=0.7.13",
-            "sphinx >=7.0.0",
+            "sphinx >=7.1.0",
         ],
     },
 )

tox.ini

@@ -1,6 +1,6 @@
 [tox]
 minversion = 4.23.2
-envlist = py{39,310,311,312,313}, pypy{39,310}, docs
+envlist = py{310,311,312,313}, pypy{310}, docs
 
 [testenv:docs]
 basepython = python

{{cookiecutter.project_slug}}/.github/workflows/bump-version.yml

@@ -55,7 +55,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block
@@ -69,7 +69,7 @@ jobs:
           persist-credentials: false
           fetch-depth: 0
       - name: Set up Python3
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: "3.x"
       - name: Config Commit Bot

{{cookiecutter.project_slug}}/.github/workflows/cache-cleaner.yml

@@ -16,7 +16,7 @@ jobs:
       actions: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block

{{cookiecutter.project_slug}}/.github/workflows/codeql.yml

@@ -54,7 +54,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: audit

{{cookiecutter.project_slug}}/.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block

{{cookiecutter.project_slug}}/.github/workflows/first-pull-request.yml

@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block

{{cookiecutter.project_slug}}/.github/workflows/label.yml

@@ -23,7 +23,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block

{{cookiecutter.project_slug}}/.github/workflows/main.yml

@@ -33,21 +33,29 @@ jobs:
           - "3.x"
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Set up Python__PYTHON_VERSION__
-        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: __PYTHON_VERSION__
           cache: pip
       - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
+      - name: Environment Caching
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            .tox
+          {% raw -%}
+          key: ${{ hashFiles('pyproject.toml', 'tox.ini') }}-lint
+          {%- endraw %}
       - name: Run linting suite
         run: |
           python -m tox -e lint
@@ -67,23 +75,23 @@ jobs:
           - "3.13"
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Set up Python__PYTHON_VERSION__
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: __PYTHON_VERSION__
           cache: pip
       - name: Install CI libraries
         run: |
           python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Environment Caching
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: .tox
           {%- raw %}
@@ -113,15 +121,15 @@ jobs:
         shell: bash -l {0}
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Setup Conda (Micromamba) with Python__PYTHON_VERSION__
-        uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2
+        uses: mamba-org/setup-micromamba@0dea6379afdaffa5d528b3d1dabc45da37f443fc # v2.0.4
         with:
           cache-downloads: true
           environment-file: environment-dev.yml
@@ -157,7 +165,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: audit

{{cookiecutter.project_slug}}/.github/workflows/publish-pypi.yml

@@ -18,7 +18,7 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block
@@ -33,7 +33,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Python3
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: "3.x"
       - name: Install CI libraries
@@ -43,4 +43,4 @@ jobs:
         run: |
           python -m flit build
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4

{{cookiecutter.project_slug}}/.github/workflows/scorecard.yml

@@ -31,7 +31,7 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block

{{cookiecutter.project_slug}}/.github/workflows/tag-testpypi.yml

@@ -17,7 +17,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
       - name: Checkout Repository
@@ -31,7 +31,7 @@ jobs:
           GITHUB_TOKEN: __GITHUB_TOKEN__
         with:
           tag_name: __GITHUB_REF_NAME__
-          name: Release __GITHUB_REF_NAME__
+          name: __GITHUB_REF_NAME__
           draft: true
           prerelease: false
 
@@ -44,7 +44,7 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block
@@ -59,7 +59,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Python3
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: "3.x"
       - name: Install CI libraries
@@ -69,7 +69,7 @@ jobs:
         run: |
           python -m flit build
       - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true

{{cookiecutter.project_slug}}/.github/workflows/workflow-warning.yml

@@ -26,7 +26,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Harden Runner
-        uses:  step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           disable-sudo: true
           egress-policy: block

{{cookiecutter.project_slug}}/.pre-commit-config.yaml

@@ -25,17 +25,25 @@ repos:
     rev: v0.24.2
     hooks:
       - id: toml-sort-fix
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
+        args: [ '--config-file=.yamllint.yaml' ]
   - repo: https://github.com/pre-commit/pygrep-hooks
     rev: v1.10.0
     hooks:
       - id: python-check-blanket-noqa
+      - id: python-check-blanket-type-ignore
       - id: python-no-eval
       - id: python-no-log-warn
       - id: python-use-type-annotations
+      - id: rst-directive-colons
       - id: rst-inline-touching-normal
+      - id: text-unicode-replacement-char
   {%- if cookiecutter.use_black == 'y' %}
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.10.0
+    rev: 25.1.0
     hooks:
       - id: black
         {% if cookiecutter.make_docs -%}
@@ -50,7 +58,7 @@ repos:
         {%- endif %}
   {%- endif %}
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.8.2
+    rev: v0.9.0
     hooks:
       - id: ruff
         args: [ '--fix' ]
@@ -74,14 +82,15 @@ repos:
     rev: v0.3.9
     hooks:
       - id: blackdoc
-        additional_dependencies: [ 'black==24.10.0' ]
+        additional_dependencies: [ 'black==25.1.0' ]
       - id: blackdoc-autoupdate-black
   {%- endif %}
-  - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.35.1
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.3.0
     hooks:
-      - id: yamllint
-        args: [ '--config-file=.yamllint.yaml' ]
+      - id: codespell
+        additional_dependencies: [ 'tomli' ]
+        args: [ '--toml=pyproject.toml' ]
   - repo: https://github.com/numpy/numpydoc
     rev: v1.8.0
     hooks:

{{cookiecutter.project_slug}}/.readthedocs.yml

@@ -11,9 +11,9 @@ sphinx:
   fail_on_warning: true
 
 build:
-  os: ubuntu-22.04
+  os: "ubuntu-24.04"
   tools:
-    python: "mambaforge-22.9"
+    python: "mambaforge-23.11"
   jobs:
     pre_build:
       - sphinx-apidoc -o docs/apidoc --private --module-first src/{{ cookiecutter.project_slug }}

{{cookiecutter.project_slug}}/CI/requirements_ci.in

@@ -1,6 +1,7 @@
-bump-my-version==0.28.0
-coveralls==4.0.1
-pip==24.3.1
-flit==3.9.0
-tox==4.23.2
-tox-gh==1.4.4
+bump-my-version==0.31.1
+deptry==0.23.0
+flit==3.10.1
+pip==25.0
+pylint==3.3.4
+tox-gh==1.5.0
+tox==4.24.1