Updates from package template (#919)

* Update cruft with batchpr

* Fix issues

* More fixes

* Update ci again

* matrix

* tweak cron trigger

---------

Co-authored-by: Stuart Mumford <[email protected]>

Author: SunPyBot

.cruft.json

@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/sunpy/package-template",
-  "commit": "4268346dead7b529a3d53df19bcf374bb2bbef34",
+  "commit": "93c8bc491584f214226a039a35d0cbebe305cd31",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -23,6 +23,7 @@
       "include_example_code": "n",
       "include_cruft_update_github_workflow": "y",
       "use_extended_ruff_linting": "y",
+      "matrix_room_id": "!TWSJXVpyflnZOzmSQz:matrix.org",
       "_sphinx_theme": "sunpy",
       "_parent_project": "",
       "_install_requires": "",
@@ -32,7 +33,7 @@
         ".github/workflows/sub_package_update.yml"
       ],
       "_template": "https://github.com/sunpy/package-template",
-      "_commit": "4268346dead7b529a3d53df19bcf374bb2bbef34"
+      "_commit": "93c8bc491584f214226a039a35d0cbebe305cd31"
     }
   },
   "directory": null

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 7

.github/workflows/ci.yml

@@ -20,9 +20,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   core:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       submodules: false
       coverage: codecov
@@ -35,8 +37,10 @@ jobs:
   sdist_verify:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@v6  # zizmor: ignore[unpinned-uses]
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v6  # zizmor: ignore[unpinned-uses]
         with:
           python-version: '3.13'
       - run: python -m pip install -U --user build
@@ -46,7 +50,7 @@ jobs:
 
   test:
     needs: [core, sdist_verify]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       submodules: false
       coverage: codecov
@@ -63,7 +67,7 @@ jobs:
 
   docs:
     needs: [core]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       default_python: '3.13'
       submodules: false
@@ -87,7 +91,7 @@ jobs:
         github.event_name == 'pull_request' &&
         contains(github.event.pull_request.labels.*.name, 'Run cron CI')
       )
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v1
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       default_python: '3.13'
       submodules: false
@@ -98,7 +102,7 @@ jobs:
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-  publish:
+  build_dists:
     # Build wheels on PRs only when labelled. Releases will only be published if tagged ^v.*
     # see https://github-actions-workflows.openastronomy.org/en/latest/publish.html#upload-to-pypi
     if: |
@@ -108,24 +112,50 @@ jobs:
         contains(github.event.pull_request.labels.*.name, 'Run publish')
       )
     needs: [test, docs]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish_pure_python.yml@v2  # zizmor: ignore[unpinned-uses]
     with:
       python-version: '3.13'
       test_extras: 'all,tests'
       test_command: 'pytest -p no:warnings --doctest-rst --pyargs ndcube'
       submodules: false
-    secrets:
-      pypi_token: ${{ secrets.pypi_token }}
+      save_artifacts: true
+      upload_to_pypi: false
+
+  publish:
+    if: startsWith(github.ref, 'refs/tags/v')
+    name: Upload to PyPI
+    runs-on: ubuntu-latest
+    needs: [build_dists]
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v8  # zizmor: ignore[unpinned-uses]
+        with:
+          merge-multiple: true
+          pattern: dist-*
+          path: dist
+
+      - run: ls -lha dist/
+
+      - name: Run upload
+        uses: pypa/[email protected]  # zizmor: ignore[unpinned-uses]
 
   notify:
-    if: always() && github.event_name == 'workflow_dispatch'
-    needs: [publish, cron]
+    if: ${{ !cancelled() && (github.event_name == 'workflow_dispatch' || github.event_name == 'schedule') }}
+    needs: [build_dists, cron]
     runs-on: ubuntu-latest
+    environment:
+      name: matrix
     steps:
-      - uses: Cadair/matrix-notify-action@main
+      - uses: Cadair/matrix-notify-action@main  # zizmor: ignore[unpinned-uses]
         with:
-          matrix_token: ${{ secrets.matrix_access_token }}
+          workflow_description: "CI Workflow"
+          matrix_token: ${{ secrets.MATRIX_ACCESS_TOKEN }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          homeserver: ${{ secrets.matrix_homeserver }}
+          homeserver: ${{ secrets.MATRIX_HOMESERVER }}
           roomid: '!TWSJXVpyflnZOzmSQz:matrix.org'
-          ignore_pattern: '.*Load tox.*'
+          ignore_pattern: '.*(Load|report overall).*'
+          summarise_success: true

.github/workflows/scheduled_builds.yml

@@ -1,4 +1,4 @@
-name: Scheduled builds
+name: Scheduled build triggerer
 
 on:
   # Allow manual runs through the web UI
@@ -9,13 +9,31 @@ on:
     #        │ │ ┌───────── day of the month (1 - 31)
     #        │ │ │ ┌───────── month (1 - 12 or JAN-DEC)
     #        │ │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
-    - cron: '0 7 * * 1'  # Every day at 07:00 UTC
+    - cron: '0 7 * * 3'  # Every Wed at 07:00 UTC
+
+permissions: {}
 
 jobs:
-  dispatch_workflows:
+  dispatch_release_branches:
+    if: github.repository == 'sunpy/ndcube'
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - branch: "main"
+          - branch: "2.3"
     steps:
-      - run: gh workflow run ci.yml --repo sunpy/ndcube --ref main
-      - run: gh workflow run ci.yml --repo sunpy/ndcube --ref 2.3
-    env:
-      GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Trigger workflow dispatch for CI workflow
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: CI
+          ref: "${{ matrix.branch }}"
+
+      - name: Trigger workflow dispatch for Cron workflow
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: Cron
+          ref: "${{ matrix.branch }}"

.github/workflows/stale_bot.yml

@@ -9,11 +9,16 @@ on:
 #            │ │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
     - cron: '0 5 * * *' # Every day at 05:00 UTC
 
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         operations-per-run: 50

.github/workflows/sub_package_update.yml

@@ -13,18 +13,20 @@ on:
     #        │ │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
     - cron: '0 7 * * 1'  # Every Monday at 7am UTC
 
+permissions: {}
+
 jobs:
   update:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
-    strategy:
-      fail-fast: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6  # zizmor: ignore[unpinned-uses]
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@v6  # zizmor: ignore[unpinned-uses]
         with:
           python-version: "3.14"
 
@@ -50,8 +52,8 @@ jobs:
         id: cruft_update
         if: steps.check.outputs.has_changes == '1'
         run: |
-          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
-          git config --global user.name "${{ github.actor }}"
+          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+          git config --global user.name "${GITHUB_ACTOR}"
 
           cruft_output=$(cruft update --skip-apply-ask --refresh-private-variables)
           echo $cruft_output
@@ -77,7 +79,7 @@ jobs:
 
       - name: Create pull request
         if: steps.cruft_json.outputs.has_changes == '1'
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@v8  # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           add-paths: "."
@@ -103,7 +105,7 @@ jobs:
       issues: write
     steps:
       - name: Open an issue if workflow fails
-        uses: actions/github-script@v7
+        uses: actions/github-script@v7  # zizmor: ignore[unpinned-uses]
         with:
           github-token: ${{ github.token }}
           # This script is adapted from https://github.com/scientific-python/issue-from-pytest-log-action
@@ -151,7 +153,7 @@ jobs:
                 repo: variables.name,
                 body: issue_body,
                 title: variables.title,
-                labels: [variables.label],
+                labels: [variables.label, "pre-commit.ci autofix"],
               });
             } else {
               await github.rest.issues.update({

.pre-commit-config.yaml

@@ -1,35 +1,56 @@
 repos:
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
     # This should be before any formatting hooks like isort
   - repo: https://github.com/astral-sh/ruff-pre-commit
     rev: "v0.15.4"
     hooks:
       - id: ruff
         args: ["--fix"]
+        types: [python]
+        # Define here once and then reference using YAML anchor
+        exclude: &exclude_dirs ^ndcube/(data|extern)/
   - repo: https://github.com/PyCQA/isort
     rev: 8.0.1
     hooks:
       - id: isort
-        exclude: ".*(.fits|.fts|.fit|.header|.txt|tca.*|extern.*|ndcube/extern)$"
+        types: [python]
+        exclude: *exclude_dirs
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
       - id: check-ast
+        types: [python]
+        exclude: *exclude_dirs
       - id: check-case-conflict
+        types: [python]
+        exclude: *exclude_dirs
       - id: trailing-whitespace
-        exclude: ".*(.fits|.fts|.fit|.header|.txt)$"
+        types_or: [python, rst]
       - id: check-yaml
+        types: [yaml]
+        exclude: *exclude_dirs
+      - id: check-toml
+        types: [toml]
+        exclude: *exclude_dirs
       - id: debug-statements
+        types: [python]
+        exclude: *exclude_dirs
       - id: check-added-large-files
         args: ["--enforce-all", "--maxkb=1054"]
       - id: end-of-file-fixer
-        exclude: ".*(.fits|.fts|.fit|.header|.txt|tca.*|.json)$|^CITATION.rst$"
+        types_or: [python, rst]
       - id: mixed-line-ending
-        exclude: ".*(.fits|.fts|.fit|.header|.txt|tca.*)$"
+        types_or: [python, rst]
   - repo: https://github.com/codespell-project/codespell
     rev: v2.4.1
     hooks:
       - id: codespell
         args: [ "--write-changes" ]
+        types_or: [python, rst]
+        exclude: *exclude_dirs
 ci:
   autofix_prs: false
   autoupdate_schedule: "quarterly"

README.rst

@@ -61,20 +61,22 @@ For more information or to ask questions about ndcube, check out:
 .. _ndcube Documentation: https://docs.sunpy.org/projects/ndcube/
 .. _ndcube Chat Channel: https://app.element.io/#/room/#ndcube:openastronomy.org
 
+
 Contributing
 ------------
 
-If you would like to get involved, check out the `Newcomers Guide`_ section of the sunpy docs.
-This shows how to get setup with a "sunpy" workflow but the same applies for ndcube, you will just need to replace sunpy with ndcube.
+We love contributions! ndcube is open source,
+built on open source, and we'd love to have you hang out in our community.
 
+If you would like to get involved, check out the `Developers Guide`_ section of the SunPy docs.
+Stop by our chat room `#ndcube:openastronomy.org`_ if you have any questions.
 Help is always welcome so let us know what you like to work on, or check out the `issues page`_ for the list of known outstanding items.
 
-.. _Newcomers Guide: https://docs.sunpy.org/en/latest/dev_guide/contents/newcomers.html
-.. _issues page: https://github.com/sunpy/ndcube/issues
-
-Code of Conduct
----------------
+For more information on contributing to SunPy, please read our `Newcomers' guide`_.
 
-When you are interacting with the SunPy community you are asked to follow our `Code of Conduct`_.
+.. _Developers Guide: https://docs.sunpy.org/en/latest/dev_guide/index.html
+.. _`#ndcube:openastronomy.org`: https://app.element.io/#/room/#ndcube:openastronomy.org
+.. _issues page: https://github.com/sunpy/ndcube/issues
+.. _Newcomers' guide: https://docs.sunpy.org/en/latest/dev_guide/contents/newcomers.html
 
-.. _Code of Conduct: https://sunpy.org/coc
+When you are interacting with the SunPy community you are asked at to follow our `code of conduct <https://sunpy.org/coc>`__.