chore(deps): update from template

helmut-hoffer-von-ankershoffen · helmut-hoffer-von-ankershoffen · commit 512252eb2195 · 2025-03-18T21:08:21.000+01:00
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,4 +1,4 @@
-_commit: v0.6.15
+_commit: v0.6.20
 _src_path: gh:helmut-hoffer-von-ankershoffen/oe-python-template
 author_email: helmuthva@gmail.com
 author_github_username: helmut-hoffer-von-ankershoffen
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -76,7 +76,7 @@ jobs:
           # Prefix the list here with "+" to use these queries and those in the config file.
 
           # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          # queries: security-extended,security-and-quality
+          queries: security-extended,security-and-quality
 
       # If the analyze step fails for one of the languages you are analyzing with
       # "We were unable to automatically build your code", modify the matrix above
diff --git a/.github/workflows/docker-image-build-publish.yml b/.github/workflows/docker-image-build-publish.yml
@@ -21,18 +21,18 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
 
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
 
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -41,7 +41,7 @@ jobs:
 
 
       - name: Log in to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
 
@@ -51,7 +51,7 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
 
 
@@ -73,7 +73,7 @@ jobs:
 
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: .
           file: ./Dockerfile
@@ -86,7 +86,7 @@ jobs:
 
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/.github/workflows/package-build-publish-release.yml b/.github/workflows/package-build-publish-release.yml
@@ -15,12 +15,12 @@ jobs:
       packages: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Generate release notes
-        uses: orhun/git-cliff-action@v4
+        uses: orhun/git-cliff-action@4a4a951bc43fafe41cd2348d181853f52356bee7 # v4.4.2
         id: git-cliff
         with:
           config: pyproject.toml
@@ -34,9 +34,9 @@ jobs:
 
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1
         with:
-          version: "0.5.9"
+          version: "0.6.7"
           cache-dependency-glob: uv.lock
           enable-cache: true
 
diff --git a/.github/workflows/test-and-report.yml b/.github/workflows/test-and-report.yml
@@ -17,7 +17,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
@@ -30,7 +30,7 @@ jobs:
           sudo apt-get install -y curl jq xsltproc gnupg2 libcairo2
 
       - name: Install uv (python package manager)
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1
         with:
           version: "0.5.9"
           enable-cache: true
@@ -58,7 +58,7 @@ jobs:
           echo "Development build - Current version in pyproject.toml: $TOML_VERSION"
 
       - name: Create .env file
-        uses: SpicyPizza/create-envfile@v2.0
+        uses: SpicyPizza/create-envfile@ace6d4f5d7802b600276c23ca417e669f1a06f6f # v2.0.3
         with:
           envkey_ENV_KEY: "ENV_VALUE"
           fail_on_empty: true
@@ -80,7 +80,7 @@ jobs:
           uv run nox
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         if: ${{ always() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
         with:
           name: test-results
@@ -94,20 +94,20 @@ jobs:
           retention-days: 30
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
         if: ${{ !cancelled() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: helmut-hoffer-von-ankershoffen/oe-python-template-example
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
-        uses: codecov/test-results-action@v1
+        uses: codecov/test-results-action@f2dba722c67b86c6caa034178c6e4d35335f6706 # v1.1.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
       - name: SonarQube Scan
         if: ${{ !cancelled() && (env.GITHUB_WORKFLOW_RUNTIME != 'ACT') }}
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@0303d6b62e310685c0e34d0b9cde218036885c4d # v5.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -20,6 +20,7 @@ fi
 which jq &> /dev/null || brew install jq
 which xmllint &> /dev/null || brew install xmllint
 which act &> /dev/null || brew install act
+which pinact &> /dev/null || brew install pinact
 uv run pre-commit install             # install pre-commit hooks, see https://pre-commit.com/
 ```
 
@@ -88,9 +89,10 @@ uv run nox -s test      # run tests
 uv run nox -s lint      # run formatting and linting
 uv run nox -s audit     # run security and license audit, inc. sbom generation
 uv run nox -s docs      # build documentation, output in docs/build/html
+uv run nox -s docs_pdf  # locally build pdf manual to docs/build/latex/oe-python-template-example.pdf
 ```
 
-As a shortcut, you can run build steps using `./n`:
+As a shortcut, you can run build steps using `./n`, e.g.
 
 ```shell
 ./n test
@@ -129,22 +131,20 @@ docker build -t oe-python-template-example .
 docker run --env THE_VAR=THE_VALUE oe-python-template-example --help
 ```
 
-### Copier
-
-Update from template
+### Pinning github actions
 
 ```shell
-uv run nox -s update_from_template
+pinact run  # See https://dev.to/suzukishunsuke/pin-github-actions-to-a-full-length-commit-sha-for-security-2n7p
 ```
 
-### Generate PDF manual
+### Copier
+
+Update from template
 
 ```shell
-brew install mactex # install MacTeX, will take a while and requires sudo
-./n docs_pdf        # build latex, then generate pdf from it. Output in docs/build/latex/oe-python-template-example.pdf
+uv run nox -s update_from_template
 ```
 
-
 ## Pull Request Guidelines
 
 - Before starting to write code read the [code style guide](CODE_STYLE.md) document for mandatory coding style
diff --git a/docs/source/_static/openapi_v1.yaml b/docs/source/_static/openapi_v1.yaml
@@ -1,14 +1,14 @@
 Traceback (most recent call last):
   File "/Users/helmut/Code/oe-python-template-example/.nox/docs-3-13/bin/oe-python-template-example", line 4, in <module>
     from oe_python_template_example.cli import cli
-  File "/Users/helmut/Code/oe-python-template-example/src/oe_python_template_example/cli.py", line 9, in <module>
-    import yaml
-  File "/Users/helmut/Code/oe-python-template-example/.nox/docs-3-13/lib/python3.13/site-packages/yaml/__init__.py", line 8, in <module>
-    from .loader import *
-  File "/Users/helmut/Code/oe-python-template-example/.nox/docs-3-13/lib/python3.13/site-packages/yaml/loader.py", line 8, in <module>
-    from .constructor import *
-  File "/Users/helmut/Code/oe-python-template-example/.nox/docs-3-13/lib/python3.13/site-packages/yaml/constructor.py", line 19, in <module>
-    class BaseConstructor:
-    ...<149 lines>...
-            cls.yaml_multi_constructors[tag_prefix] = multi_constructor
+  File "/Users/helmut/Code/oe-python-template-example/src/oe_python_template_example/cli.py", line 7, in <module>
+    import typer
+  File "/Users/helmut/Code/oe-python-template-example/.nox/docs-3-13/lib/python3.13/site-packages/typer/__init__.py", line 29, in <module>
+    from .main import Typer as Typer
+  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
+  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
+  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
+  File "<frozen importlib._bootstrap_external>", line 1022, in exec_module
+  File "<frozen importlib._bootstrap_external>", line 1118, in get_code
+  File "<frozen importlib._bootstrap_external>", line 1218, in get_data
 KeyboardInterrupt
diff --git a/docs/source/api_v1.rst b/docs/source/api_v1.rst
@@ -3,13 +3,7 @@ API V1
 
 .. only:: html
 
-   .. swagger-plugin:: _static/openapi_v1.yaml
-      :full-page:
+    .. swagger-plugin:: _static/openapi_v1.yaml
+        :full-page:
 
-.. only:: singlehtml
-
-   Visit the `Interactive API Documentation <https://oe-python-template-example.readthedocs.io/en/latest/api_v1.html>`_
-
-.. only:: latex
-
-   Visit the `Interactive API Documentation <https://oe-python-template-example.readthedocs.io/en/latest/api_v1.html>`_
+Visit the `Interactive API Documentation <https: //oe-python-template-example.readthedocs.io/en/latest/api_v1.html>`_
diff --git a/docs/source/api_v2.rst b/docs/source/api_v2.rst
@@ -6,10 +6,4 @@ API V2
    .. swagger-plugin:: _static/openapi_v2.yaml
       :full-page:
 
-.. only:: singlehtml
-
-   Visit the `Interactive API Documentation <https://oe-python-template-example.readthedocs.io/en/latest/api_v2.html>`_
-
-.. only:: latex
-
-   Visit the `Interactive API Documentation <https://oe-python-template-example.readthedocs.io/en/latest/api_v2.html>`_
+Visit the `Interactive API Documentation <https://oe-python-template-example.readthedocs.io/en/latest/api_v2.html>`_
diff --git a/examples/notebook.py b/examples/notebook.py
@@ -10,7 +10,7 @@ def _():
 
     service = Service()
     message = service.get_hello_world()
-    message # type: ignore
+    print(message)
     return Service, message, service
 
 
diff --git a/noxfile.py b/noxfile.py
@@ -7,11 +7,13 @@
 
 import nox
 import tomli
+from nox.command import CommandFailed
 
 nox.options.reuse_existing_virtualenvs = True
 nox.options.default_venv_backend = "uv"
 
 NOT_SKIP_WITH_ACT = "not skip_with_act"
+LATEXMK_VERSION_MIN = 4.86
 
 
 def _setup_venv(session: nox.Session, all_extras: bool = True) -> None:
@@ -84,9 +86,33 @@ def docs(session: nox.Session) -> None:
 
 @nox.session(python=["3.13"], default=False)
 def docs_pdf(session: nox.Session) -> None:
-    """Setup dev environment post project creation."""
+    """Setup dev environment post project creation."""  # noqa: DOC501
     _setup_venv(session)
-    session.run("make", "-C", "docs", "latexpdf", external=True)
+    try:
+        out = session.run("latexmk", "--version", external=True, silent=True)
+
+        version_match = re.search(r"Version (\d+\.\d+\w*)", str(out))
+        if not version_match:
+            session.error("Could not determine latexmk version")
+
+        version_str = version_match.group(1)
+
+        # Parse version (handle cases like "4.86a")
+        match = re.match(r"(\d+\.\d+)", version_str)
+        if not match:
+            session.error(f"Could not parse version number from '{version_str}'")
+        base_version = match.group(1)
+
+        if float(base_version) < LATEXMK_VERSION_MIN:
+            message = f"latexmk version {version_str} is outdated. Please run 'brew upgrade mactex' to upgrade."
+            raise ValueError(message)  # noqa: TRY301
+        session.log(f"latexmk version {version_str} is sufficient")
+        session.run("make", "-C", "docs", "latexpdf", external=True)
+
+    except CommandFailed as e:
+        session.error(f"latexmk is not installed or not in PATH: {e}. Please run 'brew install mactex' to install")
+    except (ValueError, AttributeError) as e:
+        session.error(f"Failed to parse latexmk version information: {e}")
 
 
 @nox.session(python=["3.13"])

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-_commit: v0.6.15`
	`1`	`+_commit: v0.6.20`
`2`	`2`	`_src_path: gh:helmut-hoffer-von-ankershoffen/oe-python-template`
`3`	`3`	`author_email: helmuthva@gmail.com`
`4`	`4`	`author_github_username: helmut-hoffer-von-ankershoffen`