More fixes

Author: Cadair

.cruft.json

@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/sunpy/package-template",
-  "commit": "44ff5c06778e86b845dab595ebf338ba876d495e",
+  "commit": "82eeab1ff6d8412193f03432404f97f13d81ce4d",
   "checkout": null,
   "context": {
     "cookiecutter": {
@@ -32,7 +32,7 @@
         ".github/workflows/sub_package_update.yml"
       ],
       "_template": "https://github.com/sunpy/package-template",
-      "_commit": "44ff5c06778e86b845dab595ebf338ba876d495e"
+      "_commit": "82eeab1ff6d8412193f03432404f97f13d81ce4d"
     }
   },
   "directory": null

.github/workflows/asv-regular.yml

@@ -11,46 +11,54 @@ on:
     #        │  │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
     - cron: "37 3 * * *" # Every day at 3:37am UTC
 
+permissions: {}
+
 jobs:
   asv-run:
     if: ${{ github.repository == 'sunpy/sunpy' }}
     runs-on: ubuntu-latest
+    environment:
+      name: asv-upload
     steps:
       - name: Checkout sunpy repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: "0"
+          persist-credentials: false
+
       - name: Checkout sunpy-benchmarks repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: sunpy/sunpy-benchmarks
           ref: main
           path: asv_results
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v6
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: "3.11"
+          python-version: "3.14"
           architecture: "x64"
+
       - name: Install dependencies
         run: |
           sudo apt-get install -y libopencv-dev
           python -m pip install --upgrade pip
           pip install asv virtualenv
+
       - name: Add machine info for ASV
         run: asv machine --machine GH-Actions --os ubuntu-latest --arch x64 --cpu "2-core unknown" --ram 7GB
-      - name: Run benchmarks for commits since v2.1
-        run: taskset -c 0 asv run --skip-existing-successful --steps 50 v3.0.dev..
-      - name: Install SSH Client 🔑
-        uses: webfactory/ssh-agent@v0.9.1
-        with:
-          ssh-private-key: ${{ secrets.ASV_CI_KEY }}
+
+      - name: Run benchmarks for commits since v5.0
+        run: taskset -c 0 asv run --skip-existing-successful --steps 50 v4.1.dev..
+
       - name: Push results
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
         with:
           branch: main
           folder: asv_results
+          token: ${{ secrets.GH_PAT_TOKEN }}
           repository-name: sunpy/sunpy-benchmarks
-          ssh-key: true
           commit-message: |
             Push new results from GitHub Actions
             repository: ${{ github.repository }}

.github/workflows/ci.yml

@@ -15,9 +15,6 @@ on:
   pull_request:
   # Allow manual runs through the web UI
   workflow_dispatch:
-  # Trigger on completion of the scheduled_builds.yml file (only on main)
-  workflow_run:  # zizmor: ignore[dangerous-triggers]  # TODO: Fix our cron job hell
-    workflows: [Scheduled build triggerer]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -144,7 +141,7 @@ jobs:
       submodules: false
       save_artifacts: true
       upload_to_pypi: false
-      upload_to_anaconda: ${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
+      upload_to_anaconda: ${{ github.event_name == 'workflow_dispatch' }}
       anaconda_user: scientific-python-nightly-wheels
       anaconda_package: sunpy
       anaconda_keep_n_latest: 1
@@ -168,7 +165,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     name: Upload to PyPI
     runs-on: ubuntu-latest
-    needs: [build_dists]
+    needs: [build_dists, publish_pure]
     permissions:
       id-token: write
     environment:
@@ -187,7 +184,7 @@ jobs:
         uses: pypa/gh-action-pypi-publish@v1  # zizmor: ignore[unpinned-uses]
 
   notify:
-    if: always() && (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_run')
+    if: ${{ !cancelled() && github.event_name == 'workflow_dispatch' }}
     needs: [publish_pure, online]
     environment:
       name: matrix
@@ -199,5 +196,5 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           homeserver: ${{ secrets.matrix_homeserver }}
           roomid: '!JYqfIVJjWANcHnfktY:cadair.com'
-          ignore_pattern: '.*Load.*'
+          ignore_pattern: '.*(Load|report overall).*'
           summarise_success: true

.github/workflows/ci_benchmarks.yml

@@ -8,6 +8,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   benchmarks:
     if: |
@@ -16,21 +18,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sunpy repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
+
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.14"
+
       - name: Install dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y libopencv-dev
           python -m pip install --upgrade pip
           pip install asv virtualenv
+
       - name: Add machine info for ASV
         run: asv machine --yes
+
       - name: Run benchmarks
         id: asv
         shell: bash -e {0}
@@ -48,7 +55,10 @@ jobs:
           status=${PIPESTATUS[0]}
           echo "EOF" >> $GITHUB_OUTPUT
           exit $status
+
       - name: Post the summary
         if: always()
         run: |
-          echo "${{ steps.asv.outputs.TEXT }}" | egrep "\| *Change *\| *Before *\[|BENCHMARKS NOT SIGNIFICANTLY CHANGED." -A 1000 | tee -a $GITHUB_STEP_SUMMARY
+          echo "$ASV_TEXT" | egrep "\| *Change *\| *Before *\[|BENCHMARKS NOT SIGNIFICANTLY CHANGED." -A 1000 | tee -a $GITHUB_STEP_SUMMARY
+        env:
+          ASV_TEXT: "${{ steps.asv.outputs.TEXT }}"

.github/workflows/cron.yml

@@ -1,9 +1,6 @@
 name: Cron
 
 on:
-  # Trigger on completion of the scheduled_builds.yml file (only on main)
-  workflow_run:
-    workflows: [Scheduled build triggerer]
   # Manual runs through the web UI and also non-main cron job triggering
   workflow_dispatch:
   # We also want this workflow triggered if the 'Run cron CI' label is added
@@ -37,7 +34,7 @@ jobs:
   cron:
     # Run on all triggers other than pull_request unless there's a label
     if: (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'Run cron CI'))
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@main
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@a138926f6e4f9667d1306c24f24f5bdcaa01fbab # v2.5.0
     with:
       default_python: '3.12'
       submodules: false
@@ -62,14 +59,14 @@ jobs:
     permissions:
       issues: write
     steps:
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131  # v7.0.0
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: py314-devdeps-reportlog-(ubuntu-latest)
           path: pytest-log
 
       - run: ls -lha pytest-log/
 
-      - uses: scientific-python/issue-from-pytest-log-action@558a3dfdd251069b328d3fded994824ddbefc47b  # v1.4.0
+      - uses: scientific-python/issue-from-pytest-log-action@8e905db353437cda1d6a773de245343fbfc940dd # v1.5.0
         with:
           log-path: pytest-log/pytest-log.jsonl
           issue-title: "Cron devdeps build failure"
@@ -78,7 +75,7 @@ jobs:
   cron-online:
     # Run on all triggers other than pull_request unless there's a label
     if: (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'Run cron CI'))
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@main
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@a138926f6e4f9667d1306c24f24f5bdcaa01fbab # v2.5.0
     with:
       default_python: '3.12'
       submodules: false
@@ -102,37 +99,43 @@ jobs:
     if: (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'Run cron CI'))
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           lfs: true
-      - uses: conda-incubator/setup-miniconda@v3
+          persist-credentials: false
+
+      - uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0
         with:
           activate-environment: sunpy-test
           environment-file: sunpy-dev-env.yml
           python-version: "3.13"
           conda-remove-defaults: "true"
+
       - name: Install sunpy
         shell: bash -el {0}
         run: |
           pip install --no-deps --no-build-isolation .
+
       - name: Run test
         shell: bash -el {0}
         run: |
           conda list
           cd /tmp
           pytest -vvv -r a --pyargs sunpy --cov-report=xml --cov=sunpy --cov-config=$GITHUB_WORKSPACE/pyproject.toml $GITHUB_WORKSPACE/docs -n auto --color=yes
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }}  # zizmor: ignore[secrets-outside-env]
           files: ./coverage.xml
 
   notify:
-    if: always() && (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_run')
+    if: ${{ !cancelled() && github.event_name == 'workflow_dispatch' }}
     needs: [cron, cron-online, conda]
     runs-on: ubuntu-latest
+    environment:
+      name: matrix
     steps:
-      - uses: Cadair/matrix-notify-action@main
+      - uses: Cadair/matrix-notify-action@31c7cc36051ee7dc4157a22c1f13dbc7d68e5120 # v2
         with:
           matrix_token: ${{ secrets.matrix_access_token }}
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scheduled_builds.yml

@@ -17,21 +17,30 @@ on:
     #        │ │ │ │ ┌───────── day of the week (0 - 6 or SUN-SAT)
     - cron: '0 7 * * 1,3,5'  # Every Mon,Wed,Fri at 07:00 UTC
 
+permissions: {}
+
 jobs:
   dispatch_release_branches:
     if: github.repository == 'sunpy/sunpy'
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         include:
-          # We do not include main here as the workflows on main are
-          # triggered by the workflow_run trigger, therefore we only
-          # need to list any non-main branches here.
+          - branch: "main"
           - branch: "7.0"
           - branch: "7.1"
     steps:
-      - run: gh workflow run ci.yml --repo sunpy/sunpy --ref ${{ matrix.branch }}
-      - run: gh workflow run cron.yml --repo sunpy/sunpy --ref ${{ matrix.branch }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Trigger workflow dispatch for CI workflow
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: CI
+          ref: "${{ matrix.branch }}"
+
+      - name: Trigger workflow dispatch for Cron workflow
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        with:
+          workflow: Cron
+          ref: "${{ matrix.branch }}"

.github/workflows/stale_bot.yml

@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v10
+    - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         operations-per-run: 50

.pre-commit-config.yaml

@@ -40,7 +40,6 @@ repos:
         exclude: *exclude_dirs
       - id: check-added-large-files
         args: ["--enforce-all", "--maxkb=1054"]
-        exclude: ""
       - id: end-of-file-fixer
         types_or: [python, rst]
       - id: mixed-line-ending
@@ -51,11 +50,6 @@ repos:
       - id: typos
         types_or: [python, rst]
         exclude: *exclude_dirs
-  - repo: meta
-    hooks:
-      - id: check-hooks-apply
-      # This may fail if you do not have matching files in the data/ or extern/ directories
-      - id: check-useless-excludes
   - repo: local
     hooks:
       - id: generate-sunpy-net-hek-attrs