nfelt14 · renovate · Sep 3, 2024 · Sep 4, 2024 · Sep 4, 2024 · Sep 4, 2024
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -2,21 +2,20 @@
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
     "dependencyDashboard": true,
     "extends": [
-        "config:best-practices"
+        "config:best-practices",
+        "group:githubArtifactActions"
     ],
     "ignoreDeps": [
         "tektronix/python-package-ci-cd"
     ],
-    "ignorePaths": [
-        "**/requirements.txt"
-    ],
     "packageRules": [
         {
             "addLabels": [
                 "docker",
                 "dependencies"
             ],
             "additionalBranchPrefix": "docker-deps/",
+            "commitMessageSuffix": " in all dependant actions",
             "description": "Add docker and dependencies labels to Docker dependency updates",
             "matchManagers": [
                 "dockerfile"
@@ -49,23 +48,51 @@
             "semanticCommitScope": "python-deps"
         },
         {
+            "commitMessageSuffix": " in all dependant reusable workflows",
+            "description": "Add commit suffix for reusable workflows",
+            "matchFileNames": [
+                "/_reusable-.*\\.ya?ml/"
+            ],
+            "matchManagers": [
+                "github-actions"
+            ]
+        },
+        {
+            "commitMessageSuffix": "{{#unless isGroup}} in dev workflows{{/unless}}",
+            "description": "Group together all dev workflow dependency updates",
+            "groupName": "dev workflow dependencies",
+            "matchFileNames": [
+                "!/_reusable-.*\\.ya?ml/"
+            ],
+            "matchManagers": [
+                "github-actions"
+            ]
+        },
+        {
+            "automerge": true,
+            "description": "Automatically merge all patch updates",
+            "matchUpdateTypes": [
+                "patch"
+            ]
+        },
+        {
+            "automerge": false,
             "description": "Group together all python-semantic-release dependencies",
             "groupName": "python-semantic-release dependencies",
             "matchPackageNames": [
-                "^python-semantic-release"
+                "/^python-semantic-release/"
             ]
         },
         {
-            "commitMessageSuffix": " for the {{depTypes}} group(s)",
-            "description": "Add commit suffix for the dependency group in pyproject.toml",
-            "matchDepTypes": [
-                "*"
-            ],
+            "commitMessageSuffix": "{{#if (equals parentDir '')}} for {{#each depTypes}}{{replace '-' '/' this}}{{#unless @last}} and {{/unless}}{{/each}}{{else}} in all dependant actions {{/if}}",
+            "description": "Add commit suffix for the dependency group (or parent directory)",
             "matchFileNames": [
-                "pyproject.toml"
+                "pyproject.toml",
+                "**/requirements.txt"
             ],
             "matchManagers": [
-                "poetry"
+                "poetry",
+                "pip_requirements"
             ],
             "matchPackageNames": [
                 "*"

diff --git a/.github/workflows/_reusable-sbom-scan.yml b/.github/workflows/_reusable-sbom-scan.yml
@@ -11,7 +11,7 @@ jobs:
   create-and-scan-sbom:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v4.1.6
       - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version-file: pyproject.toml
@@ -25,7 +25,7 @@ jobs:
           format: spdx-json
           output-file: ${{ github.event.repository.name }}-sbom.spdx.json
       - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1  # v1.4.2
-        if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
+        if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && !contains(fromJSON('["dependabot[bot]", "renovate[bot]"]'), github.actor) }}
         with:
           subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
       - name: Scan SBOM
@@ -35,14 +35,23 @@ jobs:
           sbom: ${{ github.event.repository.name }}-sbom.spdx.json
           fail-build: true
           severity-cutoff: low
+      - name: Scan SBOM (print results to console)
+        if: ${{ always() && contains(fromJSON('["success", "failure"]'), steps.scan.outcome) }}
+        uses: anchore/scan-action@bc9adf64917dd9444d6cf4dd68620c34ca3a5f69  # v4.1.1
+        with:
+          output-format: table
+          sbom: ${{ github.event.repository.name }}-sbom.spdx.json
+          fail-build: false
+          severity-cutoff: low
       - name: Upload SBOM scan SARIF report as a workflow artifact
+        if: ${{ always() && contains(fromJSON('["success", "failure"]'), steps.scan.outcome) }}
         uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
         with:
           name: sarif_artifact
           path: ${{ steps.scan.outputs.sarif }}
           if-no-files-found: error
       - name: Upload SBOM scan SARIF report to GitHub UI Security tab
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ always() && github.event_name != 'pull_request' && contains(fromJSON('["success", "failure"]'), steps.scan.outcome) }}
         uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93  # v3.26.6
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/_reusable-test-code.yml b/.github/workflows/_reusable-test-code.yml
@@ -86,6 +86,7 @@ jobs:
       - name: Install tox
         run: python -m pip install tox
       - name: Run tox
+        id: run-tox
         run: tox -ve tests
       - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
         if: ${{ !cancelled() }}
@@ -97,7 +98,7 @@ jobs:
             .coverage*
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673  # v4.5.0
-        if: ${{ inputs.upload-to-codecov && github.repository == env.REPO_NAME && !cancelled() }}
+        if: ${{ always() && inputs.upload-to-codecov && github.repository == env.REPO_NAME && contains(fromJSON('["success", "failure"]'), steps.run-tox.outcome) }}
         with:
           token: ${{ secrets.codecov-token }}
           files: ./.coverage_tests.xml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -11,7 +11,7 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c  # v4.3.4
         with:
           fail-on-severity: low

diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -127,7 +127,7 @@ jobs:
           dependency-dict: '{"dev": ["pyright"]}'
           pre-commit-hook-skip-list: remove-tabs,forbid-tabs,check-readthedocs,check-dependabot,check-github-actions,check-github-workflows,commitizen,blacken-docs,yamlfix,hadolint,mdformat,markdown-link-check,check-poetry,toml-sort-fix,pyright,poetry-audit,ruff,ruff-format,docformatter,renovate-config-validator
           export-dependency-groups: |
-            update_development_dependencies:actions/update_development_dependencies,
+            actions-update_development_dependencies:actions/update_development_dependencies,
             tests
   test-fetch_pr_number:
     runs-on: ubuntu-latest
@@ -189,6 +189,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
         with:
           jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/update-python-dependencies.yml b/.github/workflows/update-python-dependencies.yml
diff --git a/actions/update_development_dependencies/requirements.txt b/actions/update_development_dependencies/requirements.txt
@@ -11,7 +11,7 @@ cleo==2.1.0 ; python_version >= "3.12" and python_version < "3.13"
 click==8.1.7 ; python_version >= "3.12" and python_version < "3.13"
 colorama==0.4.6 ; python_version >= "3.12" and python_version < "3.13" and (os_name == "nt" or platform_system == "Windows")
 crashtest==0.4.1 ; python_version >= "3.12" and python_version < "3.13"
-cryptography==43.0.0 ; python_version >= "3.12" and python_version < "3.13" and sys_platform == "linux"
+cryptography==43.0.1 ; python_version >= "3.12" and python_version < "3.13" and sys_platform == "linux"
 distlib==0.3.8 ; python_version >= "3.12" and python_version < "3.13"
 distro==1.9.0 ; python_version >= "3.12" and python_version < "3.13"
 dulwich==0.21.7 ; python_version >= "3.12" and python_version < "3.13"

diff --git a/doc_config/requirements.txt b/doc_config/requirements.txt
diff --git a/pyproject.toml b/pyproject.toml
@@ -32,23 +32,33 @@ version = "1.2.0"
 [tool.poetry.dependencies]
 python = "~3.12"  # This needs to stay in sync with all CI workflows
 
-[tool.poetry.group.create_unique_testpypi_version.dependencies]
+[tool.poetry.group.actions-create_unique_testpypi_version.dependencies]
 poetry-core = "1.9.0"
 pypi-simple = "1.5.0"
 tomli = "2.0.1"
 tomli-w = "1.0.0"
 
+[tool.poetry.group.actions-find_unreleased_changelog_items.dependencies]
+
+[tool.poetry.group.actions-update_development_dependencies.dependencies]
+poetry-plugin-export = "1.7.1"
+pre-commit = "3.8.0"
+pypi-simple = "1.5.0"
+toml-sort = "0.23.1"
+yamlfix = "1.17.0"
+
 [tool.poetry.group.dev.dependencies]
 pip = "^24.0"
 poetry-audit-plugin = "^0.4.0"
+poetry-plugin-export = "1.7.1"
 poetry-pre-commit-plugin = "^0.1.2"
-pre-commit = "^3.8.0"
+pre-commit = "3.8.0"
 pyright = "1.1.378"
 tox = "^4.18.0"
 tox-gh-actions = "^3.2.0"
 
 [tool.poetry.group.docs.dependencies]
-codespell = "^2.2.6"
+codespell = "^1.17.1"
 mkdocs = "^1.6.0"
 mkdocs-ezglossary-plugin = "^1.6.10"
 mkdocs-macros-plugin = "^1.0.5"
@@ -58,9 +68,7 @@ mkdocs-spellcheck = "^1.1.0"
 pygments = "^2.17.2"
 pymdown-extensions = "^10.8.1"
 symspellpy = "^6.7.7"
-tomli = "^2.0.0"
-
-[tool.poetry.group.find_unreleased_changelog_items.dependencies]
+tomli = "2.0.1"
 
 [tool.poetry.group.tests.dependencies]
 coverage = "^7.5.0"
@@ -73,13 +81,6 @@ pytest-github-report = "^0.0.1"
 pytest-html = "^4.1.1"
 pytest-order = "^1.2.1"
 
-[tool.poetry.group.update_development_dependencies.dependencies]
-poetry-plugin-export = "1.7.1"
-pre-commit = "3.8.0"
-pypi-simple = "1.5.0"
-toml-sort = "0.23.1"
-yamlfix = "1.17.0"
-
 [tool.pyright]
 ignore = [
   "temp_*.py"
@@ -217,9 +218,8 @@ setenv =
     GITHUB_STEP_SUMMARY = {tox_root}/.results_{envname}/github_report.md
 
 [testenv:docs]
-deps =
-    -r doc_config/requirements.txt
 commands_pre =
+    poetry install --only docs
 commands =
     python -c "import shutil; shutil.rmtree('.results_{envname}', ignore_errors=True)"
     mkdocs --verbose build --site-dir .results_{envname}
@@ -228,3 +228,6 @@ commands =
 commands =
     pytest -v -k "test_docs" --showlocals --junitxml={tox_root}/.results_{envname}/results.xml --self-contained-html --html={tox_root}/.results_{envname}/results.html
 """
+
+[tool.yamlfix]
+comments_min_spaces_from_content = 1