Pin dependencies in workflows (#1744)

### What kind of change does this PR introduce?

* Pins the dependencies of pip-related packages in GitHub Workflows
* Synchronizes more dependencies between configs
* Adds the latest coveralls (supports Python3.12)

### Does this PR introduce a breaking change?

No.

### Other information:

Pinning dependencies in GitHub Workflows is a suggestion from the
Security Hardening linter. (see:
https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies)

.github/workflows/bump-version.yml

@@ -60,7 +60,7 @@ jobs:
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
       - name: Install bump-my-version
         run: |
-          python -m pip install bump-my-version
+          python -m pip install bump-my-version==0.21.0
       - name: Conditional Bump
         id: bump
         run: |

.github/workflows/main.yml

@@ -59,7 +59,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install pip, pylint, and tox
         run: |
-          python -m pip install flit pip~=24.0 pylint tox~=4.0
+          python -m pip install flit==3.9 pip==24.0 pylint==3.1 tox==4.15
       - name: Run pylint
         run: |
           python -m pylint --rcfile=.pylintrc.toml --disable=import-error --exit-zero xclim
@@ -98,7 +98,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
         run: |
-          python -m pip install flit pip~=24.0 tox~=4.0
+          python -m pip install flit==3.9 pip==24.0 tox==4.15
       - name: Test with tox
         run: |
           python -m tox -e ${{ matrix.tox-env }}
@@ -181,7 +181,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
         run: |
-          python -m pip install flit pip~=24.0 tox~=4.0 tox-gh
+          python -m pip install flit==3.9 pip==24.0 tox==4.15 tox-gh==1.3.1
       - name: Test with tox
         run: |
           python -m tox -e ${{ matrix.tox-env }} -- ${{ matrix.markers }}
@@ -279,7 +279,7 @@ jobs:
     steps:
       - name: Coveralls Finished
         run: |
-          python -m pip install --upgrade coveralls
+          python -m pip install --upgrade coveralls==4.0
           python -m coveralls --finish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-pypi.yml

@@ -34,7 +34,7 @@ jobs:
           python-version: "3.x"
       - name: Install packaging libraries
         run: |
-          python -m pip install flit
+          python -m pip install flit==3.9.0
       - name: Build a binary wheel and a source tarball
         run: |
           python -m flit build

.github/workflows/tag-testpypi.yml

@@ -34,7 +34,7 @@ jobs:
           python-version: "3.x"
       - name: Install packaging libraries
         run: |
-          python -m pip install flit
+          python -m pip install flit==3.9.0
       - name: Build a binary wheel and a source tarball
         run: |
           python -m flit build

CHANGES.rst

@@ -2,6 +2,14 @@
 Changelog
 =========
 
+v0.50.0 (unreleased)
+--------------------
+Contributors to this version: Trevor James Smith (:user:`Zeitsperre`).
+
+Internal changes
+^^^^^^^^^^^^^^^^
+* Synchronized tooling versions across ``pyproject.toml`` and ``tox.ini`` and pinned them to the latest stable releases in GitHub Workflows. (:pull:`1744`).
+
 v0.49.0 (2024-05-02)
 --------------------
 Contributors to this version: Trevor James Smith (:user:`Zeitsperre`), Pascal Bourgault (:user:`aulemahal`), Juliette Lavoie (:user:`juliettelavoie`), David Huard (:user:`huard`), Gabriel Rondeau-Genesse (:user:`RondeauG`), Javier Diez-Sierra (:user:`JavierDiezSierra`), Sarah Gammon (:user:`SarahG-579462`), Éric Dupuis (:user:`coxipi`).

environment.yml

@@ -35,11 +35,12 @@ dependencies:
   - cairosvg
   - codespell
   - coverage
+  - coveralls >=4.0.0
   - distributed >=2.0
   - filelock
   - flake8
   - flake8-rst-docstrings
-  - flit
+  - flit >=3.9.0
   - furo >=2023.9.10
   - h5netcdf
   - ipykernel
@@ -57,9 +58,9 @@ dependencies:
   - pandas-stubs
   - platformdirs
   - pooch
-  - pre-commit
+  - pre-commit >=3.7
   - pybtex
-  - pylint
+  - pylint >=3.1
   - pytest <8.0  # Pinned due to breakage with xdoctest. See: https://github.com/Erotemic/xdoctest/issues/151
   - pytest-cov
   - pytest-socket
@@ -73,7 +74,7 @@ dependencies:
   - sphinx-mdinclude
   - sphinxcontrib-bibtex
   - tokenize-rt
-  - tox >=4.0
+  - tox >=4.15.0
 #  - tox-conda  # Will be added when a tox@v4.0+ compatible plugin is released.
   - vulture # ==2.11  # The conda-forge version is out of date.
   - xdoctest

pyproject.toml

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["flit_core >=3.8,<4"]
+requires = ["flit_core >=3.9,<4"]
 build-backend = "flit_core.buildapi"
 
 [project]
@@ -60,7 +60,8 @@ dev = [
   "bump-my-version >=0.17.1",
   "codespell",
   "coverage[toml]",
-  "flake8",
+  "coveralls >=4.0.0",
+  "flake8 >=7.0.0",
   "flake8-alphabetize",
   "flake8-rst-docstrings",
   "h5netcdf",
@@ -71,11 +72,11 @@ dev = [
   "nbqa",
   "nbval",
   "netCDF4 >=1.4",
-  "pandas-stubs>=2.2",
+  "pandas-stubs >=2.2",
   "platformdirs >=3.2",
-  "pre-commit >=2.9",
+  "pre-commit >=3.7",
   "pybtex",
-  "pylint",
+  "pylint >=3.1",
   "pytest <8.0", # Pinned due to breakage with xdoctest. See: https://github.com/Erotemic/xdoctest/issues/151
   "pytest-cov",
   "pytest-socket",

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-min_version = 4.5
+min_version = 4.15
 env_list =
     lint
     docs
@@ -13,7 +13,7 @@ labels =
     test = py39, py310-upstream-doctest, py311, notebooks_doctests, offline-prefetch
 requires =
     pip >= 24.0
-    flit
+    flit >=3.9
 opts = -vv
 
 [gh]
@@ -29,10 +29,10 @@ skip_install = True
 extras =
 deps =
     codespell
-    flake8
+    flake8 >=7.0.0
     flake8-alphabetize
     flake8-rst-docstrings
-    black[jupyter]==24.4.1
+    black[jupyter]==24.4.2
     blackdoc==0.3.9
     isort==5.13.2
     nbqa