python-graphblas · eriknw · Feb 17, 2025 · Jul 1, 2024 · Jul 1, 2024 · Aug 29, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: 'github-actions'
-    directory: '/'
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
-      interval: 'weekly'
+      interval: "weekly"
diff --git a/.github/workflows/debug.yml b/.github/workflows/debug.yml
@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       debug_enabled:
-        description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
+        description: "Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)"
         required: false
         default: false
 
@@ -29,6 +29,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup conda env
         run: |
           source "$CONDA/etc/profile.d/conda.sh"

diff --git a/.github/workflows/imports.yml b/.github/workflows/imports.yml
@@ -14,7 +14,7 @@ jobs:
       pyver: ${{ steps.pyver.outputs.selected }}
     steps:
       - name: RNG for os
-        uses: ddradar/choose-random-action@v2.0.2
+        uses: ddradar/choose-random-action@v3.0.0
         id: os
         with:
           contents: |
@@ -26,27 +26,32 @@ jobs:
             1
             1
       - name: RNG for Python version
-        uses: ddradar/choose-random-action@v2.0.2
+        uses: ddradar/choose-random-action@v3.0.0
         id: pyver
         with:
           contents: |
             3.10
             3.11
             3.12
+            3.13
           weights: |
             1
             1
             1
+            1
   test_imports:
     needs: rngs
     runs-on: ${{ needs.rngs.outputs.os }}
     # runs-on: ${{ matrix.os }}
     # strategy:
     #   matrix:
-    #     python-version: ["3.10", "3.11", "3.12"]
+    #     python-version: ["3.10", "3.11", "3.12", "3.13"]
     #     os: ["ubuntu-latest", "macos-latest", "windows-latest"]
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ needs.rngs.outputs.pyver }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -17,6 +17,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.10"

diff --git a/.github/workflows/publish_pypi.yml b/.github/workflows/publish_pypi.yml
@@ -3,7 +3,7 @@ name: Publish to PyPI
 on:
   push:
     tags:
-      - '20*'
+      - "20*"
 
 jobs:
   build_and_deploy:
@@ -17,6 +17,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -35,7 +36,7 @@ jobs:
       - name: Check with twine
         run: python -m twine check --strict dist/*
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.8.11
+        uses: pypa/gh-action-pypi-publish@v1.9.0
         with:
           user: __token__
           password: ${{ secrets.PYPI_TOKEN }}
diff --git a/.github/workflows/test_and_build.yml b/.github/workflows/test_and_build.yml
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,16 @@
+rules:
+  use-trusted-publishing:
+    # TODO: we should update to use trusted publishing
+    ignore:
+      - publish_pypi.yml
+  excessive-permissions:
+    # It is probably good practice to use narrow permissions
+    ignore:
+      - debug.yml
+      - imports.yml
+      - publish_pypi.yml
+      - test_and_build.yml
+  template-injection:
+    # We use templates pretty heavily
+    ignore:
+      - test_and_build.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -11,12 +11,12 @@ ci:
   autoupdate_commit_msg: "chore: update pre-commit hooks"
   autofix_commit_msg: "style: pre-commit fixes"
   skip: [pylint, no-commit-to-branch]
-fail_fast: true
+fail_fast: false
 default_language_version:
-    python: python3
+  python: python3
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v5.0.0
     hooks:
       - id: check-added-large-files
       - id: check-case-conflict
@@ -25,6 +25,10 @@ repos:
       - id: check-ast
       - id: check-toml
       - id: check-yaml
+      - id: check-executables-have-shebangs
+      - id: check-vcs-permalinks
+      - id: destroyed-symlinks
+      - id: detect-private-key
       - id: debug-statements
       - id: end-of-file-fixer
         exclude_types: [svg]
@@ -33,72 +37,68 @@ repos:
       - id: name-tests-test
         args: ["--pytest-test-first"]
   - repo: https://github.com/abravalheri/validate-pyproject
-    rev: v0.16
+    rev: v0.23
     hooks:
       - id: validate-pyproject
         name: Validate pyproject.toml
   # I don't yet trust ruff to do what autoflake does
   - repo: https://github.com/PyCQA/autoflake
-    rev: v2.2.1
+    rev: v2.3.1
     hooks:
       - id: autoflake
         args: [--in-place]
   # We can probably remove `isort` if we come to trust `ruff --fix`,
   # but we'll need to figure out the configuration to do this in `ruff`
   - repo: https://github.com/pycqa/isort
-    rev: 5.13.2
+    rev: 6.0.0
     hooks:
       - id: isort
   # Let's keep `pyupgrade` even though `ruff --fix` probably does most of it
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.0
+    rev: v3.19.1
     hooks:
       - id: pyupgrade
         args: [--py310-plus]
   - repo: https://github.com/MarcoGorelli/auto-walrus
-    rev: v0.2.2
+    rev: 0.3.4
     hooks:
       - id: auto-walrus
         args: [--line-length, "100"]
   - repo: https://github.com/psf/black
-    rev: 24.1.1
+    rev: 25.1.0
     hooks:
       - id: black
       - id: black-jupyter
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.2.1
+    rev: v0.9.6
     hooks:
       - id: ruff
         args: [--fix-only, --show-fixes]
   # Let's keep `flake8` even though `ruff` does much of the same.
   # `flake8-bugbear` and `flake8-simplify` have caught things missed by `ruff`.
   - repo: https://github.com/PyCQA/flake8
-    rev: 7.0.0
+    rev: 7.1.2
     hooks:
       - id: flake8
-        additional_dependencies: &flake8_dependencies
-        # These versions need updated manually
-        - flake8==7.0.0
-        - flake8-bugbear==24.1.17
-        - flake8-simplify==0.21.0
-  - repo: https://github.com/asottile/yesqa
-    rev: v1.5.0
-    hooks:
-      - id: yesqa
-        additional_dependencies: *flake8_dependencies
+        args: ["--config=.flake8"]
+        additional_dependencies:
+          &flake8_dependencies # These versions need updated manually
+          - flake8==7.1.2
+          - flake8-bugbear==24.12.12
+          - flake8-simplify==0.21.0
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.2.6
+    rev: v2.4.1
     hooks:
       - id: codespell
         types_or: [python, rst, markdown]
         additional_dependencies: [tomli]
         files: ^(graphblas|docs)/
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.2.1
+    rev: v0.9.6
     hooks:
       - id: ruff
   - repo: https://github.com/sphinx-contrib/sphinx-lint
-    rev: v0.9.1
+    rev: v1.0.0
     hooks:
       - id: sphinx-lint
         args: [--enable, all, "--disable=line-too-long,leaked-markup"]
@@ -110,9 +110,39 @@ repos:
       - id: pyroma
         args: [-n, "10", .]
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: "v0.9.0.6"
+    rev: "v0.10.0.1"
     hooks:
-    - id: shellcheck
+      - id: shellcheck
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: v3.5.1
+    hooks:
+      - id: prettier
+  - repo: https://github.com/ComPWA/taplo-pre-commit
+    rev: v0.9.3
+    hooks:
+      - id: taplo-format
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+      - id: actionlint
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.31.1
+    hooks:
+      - id: check-dependabot
+      - id: check-github-workflows
+      - id: check-readthedocs
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.3.1
+    hooks:
+      - id: zizmor
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
   - repo: local
     hooks:
       # Add `--hook-stage manual` to pre-commit command to run (very slow)
@@ -126,9 +156,9 @@ repos:
         args: [graphblas/]
         pass_filenames: false
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v5.0.0
     hooks:
-      - id: no-commit-to-branch  # no commit directly to main
+      - id: no-commit-to-branch # no commit directly to main
 #
 # Maybe:
 #
@@ -145,8 +175,10 @@ repos:
 #        additional_dependencies: [tomli]
 #
 #  - repo: https://github.com/PyCQA/bandit
-#    rev: 1.7.4
+#    rev: 1.8.2
 #    hooks:
 #      - id: bandit
+#        args: ["-c", "pyproject.toml"]
+#        additional_dependencies: ["bandit[toml]"]
 #
-# blacken-docs, blackdoc prettier, mypy, pydocstringformatter, velin, flynt, yamllint
+# blacken-docs, blackdoc, mypy, pydocstringformatter, velin, flynt
diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -0,0 +1,6 @@
+---
+extends: default
+rules:
+  document-start: disable
+  line-length: disable
+  truthy: disable
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -13,13 +13,13 @@ educational level, family status, culture, or political belief.
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic
+- The use of sexualized language or imagery
+- Personal attacks
+- Trolling or insulting/derogatory comments
+- Public or private harassment
+- Publishing other's private information, such as physical or electronic
   addresses, without explicit permission
-* Other unethical or unprofessional conduct
+- Other unethical or unprofessional conduct
 
 Project maintainers have the right and responsibility to remove, edit, or
 reject comments, commits, code, wiki edits, issues, and other contributions
@@ -52,7 +52,7 @@ that is deemed necessary and appropriate to the circumstances. Maintainers are
 obligated to maintain confidentiality with regard to the reporter of an
 incident.
 
-This Code of Conduct is adapted from the [Numba Code of Conduct][numba],  which is based on the [Contributor Covenant][homepage],
+This Code of Conduct is adapted from the [Numba Code of Conduct][numba], which is based on the [Contributor Covenant][homepage],
 version 1.3.0, available at
 [https://contributor-covenant.org/version/1/3/0/][version],
 and the [Swift Code of Conduct][swift].