Merge PR #370 (Add "Lint" GitHub action and fixed security issues)

This merge brings PR #370 (Add "Lint" GitHub actions and fixed
security issues in other actions, by @yantosca) into the GCPy
development stream.

In PR #370 we have done the following:

1. Added the "lint-ci-workflows` GitHub action
2. Fixed various security issues in GitHub actions
3. Updated badges in README.md and docs/source/index.rst to
   show the results of GitHub actions.

Signed-off-by: Bob Yantosca <[email protected]>

Author: yantosca

.github/workflows/build-gcpy-environment-py312.yml

@@ -18,10 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Checkout the GCPy repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Create "gcpy_env" environment
         uses: mamba-org/setup-micromamba@v1
         with:
@@ -31,9 +35,11 @@ jobs:
           cache-environment: false
           generate-run-shell: true
           post-cleanup: 'all'
+
       - name: Test if "import gcpy" works
         run: python -c "import gcpy"
         shell: micromamba-shell {0}
+
       - name: Test if we can create a plot
         run: python -m gcpy.examples.plotting.create_test_plot
         shell: micromamba-shell {0}

.github/workflows/build-gcpy-environment-py313.yml

@@ -1,7 +1,7 @@
 ---
 #
 # GitHub action to build the GCPy production environment
-# (for Python 3.12) with micromamba
+# (for Python 3.13) with micromamba
 # See: https://github.com/marketplace/actions/setup-micromamba
 #
 name: build-gcpy-environment-py313
@@ -18,10 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Checkout the GCPy repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Create "gcpy_env" environment
         uses: mamba-org/setup-micromamba@v1
         with:
@@ -31,9 +35,11 @@ jobs:
           cache-environment: false
           generate-run-shell: true
           post-cleanup: 'all'
+
       - name: Test if "import gcpy" works
         run: python -c "import gcpy"
         shell: micromamba-shell {0}
+
       - name: Test if we can create a plot
         run: python -m gcpy.examples.plotting.create_test_plot
         shell: micromamba-shell {0}

.github/workflows/build-rtd-environment.yml

@@ -17,10 +17,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Checkout the GCPy repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Create "rtd_env" environment
         uses: mamba-org/setup-micromamba@v1
         with:
@@ -30,6 +34,7 @@ jobs:
           cache-environment: false
           generate-run-shell: true
           post-cleanup: 'all'
+
       - name: Get version numbers of packages
         run: |
           python --version

.github/workflows/codeql.yml

@@ -47,6 +47,9 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/lint-ci-workflows.yml

@@ -0,0 +1,77 @@
+# Workflow to run linting checks on source
+name: Lint
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on pushes to the "main", "dev", or "dev/** branches,
+  # i.e., PR merges
+  push:
+    branches: [ "main", "dev", "dev/**" ]
+
+  # Triggers the workflow on pushes to open pull requests with code changes
+  pull_request:
+    paths:
+      - '.github/workflows/*.yml'
+
+  # Allows you to run this workflow manually from the Actions tab
+  # (usually leave it blank)
+  workflow_dispatch:
+
+# Allow the jobs to read the secret GitHub token
+permissions:
+  contents: read
+
+# Cancel jobs running if new commits are pushed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+# Workflow run - one or more jobs that can run sequentially or in parallel
+jobs:
+
+  # This workflow contains a single job called "lint"
+  lint:
+
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Don't quit the Action at the first 
+    strategy:
+      fail-fast: false
+
+    # GitHub secret token
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    # Steps represent a sequence of tasks that will be
+    # executed as part of the job
+    steps:
+
+      # Checks-out your repository under $GITHUB_WORKSPACE,
+      # so your job can access it
+      - name: Checkout code
+        with:
+          persist-credentials: false
+        uses: actions/checkout@v4
+
+      # Installs Python 3.x
+      - name: Install Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      # Installs Python packages
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m venv ci_venv
+          . ci_venv/bin/activate
+          pip install zizmor==0.9.2
+
+      # Apply GitHub Actions linter, zizmor
+      - name: zizmor
+        if: always()
+        run: |
+          cd ${{ github.workspace }}
+          . ci_venv/bin/activate
+          zizmor .github/workflows/*.yml

.github/workflows/publish-python.yml

@@ -1,39 +1,51 @@
-# This workflow will upload a Python Package using Twine when a release is created
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
+# This workflow will upload a Python Package using Twine when a
+# release is created.  For more information see:
+# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
 # documentation.
 
-name: Upload GCPy to PyPI
+name: Publish GCPy to PyPI as geoschem-gcpy
 
 on:
   release:
     types: [published]
 
-permissions:
-  contents: read
-
 jobs:
+
   deploy:
 
+    permissions:
+      id-token: write
+      contents: read
+
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install build
-    - name: Build package
-      run: python -m build
-    - name: Publish package
-      uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_KEY }}
+
+      - name: Checkout GCPy code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build
+
+      - name: Build GCPy
+        run: python -m build
+
+      # NOTE: We have defined https://github.com/geoschem/gcpy
+      # as a Trusted Publisher for geoschem-gcpy at PyPI.org
+      - name: Publish geoschem-gcpy
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true

CHANGELOG.md

@@ -8,13 +8,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - Added `gcpy/profile/vtune_plot_hotspots.py` to plot a bargraph of hotspots from Intel VTune reports
 - Added ReadTheDocs documentation for plotting hotspots from Intel VTune reports
+- Added "Lint" GitHub Action to check other actions for security issues
+- Added `gcpy_environment_py314.ym1` to specify the GCPy environment packages with Python 3.14 
+- Added GitHub action `build-gcpy-environment-py314.yml` to test building the GCPy environment with Python 3.14
 
 ### Changed
 - Modified criteria for terminating read of log files in `benchmark_scrape_gcclassic_timers.py` to avoid being spoofed by  output that is attached by Intel VTune
 - Moved `gprofng_text_to_data_units` to function `text_to_data_units` in `gcpy/plot/core.py` so that it can be used by `gprofng_functions` and `vtune_plot_hotspots`
+- Updated GitHub badges in `README.md` and `docs/source/index.rst`
 
 ### Fixed
 - Fix grid area calculation scripts of `grid_area` in `gcpy/gcpy/cstools.py`
+- Fixed various security issues in GitHub Actions workflows
 
 ## [1.6.2] - 2025-06-12
 ### Added

README.md

@@ -1,18 +1,20 @@
 # GCPy: Python toolkit for GEOS-Chem
 
 <p>
-   <a href="https://github.com/geoschem/gcpy/releases"><img src="https://img.shields.io/github/v/release/geoschem/gcpy?label=Latest%20Stable%20Release"></a>
-   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/version.svg" /> </a>
-   <a href="https://img.shields.io/pypi/v/geoschem-gcpy"><img alt="PyPI - Version" src="https://img.shields.io/pypi/v/geoschem-gcpy"></a>
-   <a href="https://github.com/geoschem/gcpy/releases/"><img src="https://img.shields.io/github/release-date/geoschem/gcpy"></a>
+   <a href="https://github.com/geoschem/gcpy/releases"><img src="https://img.shields.io/github/v/release/geoschem/gcpy?label=Latest%20Stable%20Release" alt="Latest release" /></a>
+   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/version.svg" alt="Anaconda version" /> </a>
+   <a href="https://img.shields.io/pypi/v/geoschem-gcpy"><img src="https://img.shields.io/pypi/v/geoschem-gcpy" alt="PyPI version" /></a>
+   <a href="https://github.com/geoschem/gcpy/releases/"><img src="https://img.shields.io/github/release-date/geoschem/gcpy" alt="Release date" /></a>
+   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/platforms.svg" alt="Platforms" /> </a> 
    <br />
-   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/platforms.svg" /> </a>
-   <a href="https://doi.org/10.5281/zenodo.3689589"><img src="https://zenodo.org/badge/DOI/10.5281/zenodo.3689589.svg" alt="DOI"></a>
-   <a href="https://github.com/geoschem/gcpy/blob/main/LICENSE.txt"><img src="https://img.shields.io/badge/License-MIT-blue.svg"></a>
+   <a href="https://doi.org/10.5281/zenodo.3689589"><img src="https://zenodo.org/badge/DOI/10.5281/zenodo.3689589.svg" alt="DOI" /></a>
+   <a href="https://github.com/geoschem/gcpy/blob/main/LICENSE.txt"><img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License" /></a>
+   <a href="https://gcpy.readthedocs.io/en/latest/"><img src="https://img.shields.io/readthedocs/gcpy?label=ReadTheDocs" alt="ReadTheDocs" /></a>
+   <a href="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py312.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py312.yml/badge.svg" alt="build-gcpy-environment-py312" /></a>
    <br />
-   <a href="https://gcpy.readthedocs.io/en/latest/"><img src="https://img.shields.io/readthedocs/gcpy?label=ReadTheDocs"></a>
-   <a href="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment.yml/badge.svg"></a>
-   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/downloads.svg" /> </a>  
+   <a href="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py313.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py313.yml/badge.svg" alt="build-gcpy-environment-py313" /></a>
+   <a href="https://github.com/geoschem/gcpy/actions/workflows/build-rtd-environment.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-rtd-environment.yml/badge.svg" alt="build-rtd-environment /></a>
+   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"><img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/downloads.svg" alt="Downloads" /> </a>  
 </p>
 
 **GCPy** is a Python-based toolkit containing useful functions for working specifically with the GEOS-Chem model of atmospheric chemistry and composition.

docs/environment_files/gcpy_environment_py313.yml

@@ -6,14 +6,6 @@
 # for GCPy, use this command:
 #
 # $ mamba env create -n gcpy_env --file=/path/to/gcpy/environment.yml
-#
-# NOTE: This combination of packages may produce a warning
-#
-#   VersionWarning: ESMF installation version 8.8.0, ESMPy version 8.8.0b0
-#
-# that you can disable by adding this to your ~/.bashrc
-#
-#   export PYTHONWARNINGS="ignore"
 # =====================================================================
 name: gcpy_env
 channels:

docs/source/index.rst

@@ -5,18 +5,20 @@ GCPy: The GEOS-Chem Python toolkit
 .. raw:: html
 
    <p>
-   <a href="https://github.com/geoschem/gcpy/releases"><img src="https://img.shields.io/github/v/release/geoschem/gcpy?label=Latest%20Stable%20Release"></a>
-   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/version.svg" /> </a>
-   <a href="https://img.shields.io/pypi/v/geoschem-gcpy"><img alt="PyPI - Version" src="https://img.shields.io/pypi/v/geoschem-gcpy"></a>
-   <a href="https://github.com/geoschem/gcpy/releases/"><img src="https://img.shields.io/github/release-date/geoschem/gcpy"></a>
-   <br />
-   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/platforms.svg" /> </a>
-   <a href="https://doi.org/10.5281/zenodo.3689589"><img src="https://zenodo.org/badge/DOI/10.5281/zenodo.3689589.svg" alt="DOI"></a>
-   <a href="https://github.com/geoschem/gcpy/blob/main/LICENSE.txt"><img src="https://img.shields.io/badge/License-MIT-blue.svg"></a>
-   <br />
-   <a href="https://gcpy.readthedocs.io/en/latest/"><img src="https://img.shields.io/readthedocs/gcpy?label=ReadTheDocs"></a>
-   <a href="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment.yml/badge.svg"></a>
-   <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/downloads.svg" /> </a>  
+      <a href="https://github.com/geoschem/gcpy/releases"><img src="https://img.shields.io/github/v/release/geoschem/gcpy?label=Latest%20Stable%20Release" alt="Latest release" /></a>
+      <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/version.svg" alt="Anaconda version" /> </a>
+      <a href="https://img.shields.io/pypi/v/geoschem-gcpy"><img src="https://img.shields.io/pypi/v/geoschem-gcpy" alt="PyPI version" /></a>
+      <a href="https://github.com/geoschem/gcpy/releases/"><img src="https://img.shields.io/github/release-date/geoschem/gcpy" alt="Release date" /></a>
+      <a href="https://anaconda.org/conda-forge/geoschem-gcpy"> <img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/platforms.svg" alt="Platforms" /> </a> 
+      <br />
+      <a href="https://doi.org/10.5281/zenodo.3689589"><img src="https://zenodo.org/badge/DOI/10.5281/zenodo.3689589.svg" alt="DOI" /></a>
+      <a href="https://github.com/geoschem/gcpy/blob/main/LICENSE.txt"><img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License" /></a>
+      <a href="https://gcpy.readthedocs.io/en/latest/"><img src="https://img.shields.io/readthedocs/gcpy?label=ReadTheDocs" alt="ReadTheDocs" /></a>
+      <a href="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py312.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py312.yml/badge.svg" alt="build-gcpy-environment-py312" /></a>
+      <br />
+      <a href="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py313.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-gcpy-environment-py313.yml/badge.svg" alt="build-gcpy-environment-py313" /></a>
+      <a href="https://github.com/geoschem/gcpy/actions/workflows/build-rtd-environment.yml"><img src="https://github.com/geoschem/gcpy/actions/workflows/build-rtd-environment.yml/badge.svg" alt="build-rtd-environment /></a>
+      <a href="https://anaconda.org/conda-forge/geoschem-gcpy"><img src="https://anaconda.org/conda-forge/geoschem-gcpy/badges/downloads.svg" alt="Downloads" /> </a>  
    </p>
 
 Welcome to the GCPy ReadTheDocs documentation! This site provides documentation