Merge branch 'OSGeo:main' into r.random.surface_tests

.dockerignore

@@ -3,8 +3,6 @@ docker
 !docker/alpine/grass_tests.sh
 .gitignore
 .github
-.travis
-.travis.yml
 # Do not copy files from previous compilations
 dist.*
 

.github/labeler.yml

@@ -84,9 +84,7 @@ CI:
   - changed-files:
       - any-glob-to-any-file:
           - .github/**
-          - .travis/**
           - binder/**
-          - .travis.yml
           - renovate.json
           - .pre-commit-config.yaml
 Windows:

.github/workflows/docker.yml

@@ -16,9 +16,16 @@ on:
     branches:
       - main
       - releasebranch_*
-      - '!releasebranch_7_*'
+      - "!releasebranch_7_*"
     # tags: ['*.*.*']
     paths-ignore: [doc/**]
+  pull_request:
+    paths:
+      - .github/workflows/docker.yml
+      - Dockerfile
+      - docker/**
+      - "!docker/**.md"
+  workflow_dispatch:
   release:
     types: [published]
 
@@ -35,10 +42,17 @@ jobs:
   # For a release, e.g. 8.3.0, created tags are:
   #     8.3.0-alpine, 8.3.0-debian, 8.3.0-ubuntu and latest (with ubuntu)
   docker-os-matrix:
-    name: build and push ${{ matrix.os }} for ${{ github.ref }}
-    if: github.repository_owner == 'OSGeo'
+    name: ${{ matrix.os }} for ${{ github.ref }}
     runs-on: ubuntu-latest
-
+    concurrency:
+      group: >-
+        ${{ github.workflow }}-${{ matrix.os }}-${{ github.event_name }}-
+        ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
+      # Cancel in progress in pull requests.
+      # Otherwise, limit to one in progress and one queued for each type.
+      # Only the latest queued job per event type will be kept, older will be cancelled.
+      # The already running job will be completed.
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     strategy:
       matrix:
         os:
@@ -49,32 +63,78 @@ jobs:
       fail-fast: false
 
     permissions:
+      attestations: write
       contents: read
+      id-token: write
       packages: write
 
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Get the latest tag and release branches
+        id: tag-branch
+        run: |
+          # Make sure tags are fetched
+          git fetch --tags
+          # Get sorted list of tags, keep the first that has a semver pattern (not RCs)
+          latest_tag="$(git tag --sort=-v:refname \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | head -n 1)"
+          latest_rel_branch="$(git branch --all --list 'origin/*' \
+            --contains "${latest_tag}" --format "%(refname:lstrip=3)")"
+          echo "latest_tag=${latest_tag}" >> "${GITHUB_OUTPUT}"
+          echo "latest_tag is: ${latest_tag}"
+          echo "latest_rel_branch=${latest_rel_branch}" >> "${GITHUB_OUTPUT}"
+          echo "latest_rel_branch is: ${latest_rel_branch}"
+      - name: Get enable values for meta step
+        id: enable
+        run: |
+          latest="${{
+            (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
+              == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
+            && matrix.os == 'ubuntu' }}"
+          current="${{
+            ( contains(fromJSON('["tag", "release"]'), github.event_name)
+              && (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
+                  == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
+            )
+            || github.ref == format('refs/heads/{0}', steps.tag-branch.outputs.latest_rel_branch)
+          }}"
+          echo "latest=${latest}" >> "${GITHUB_OUTPUT}"
+          echo "latest is $latest"
+          echo "current=${current}" >> "${GITHUB_OUTPUT}"
+          echo "current is $current"
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
-          images: osgeo/grass-gis
+          images: |
+            name=docker.io/osgeo/grass-gis,enable=${{ github.repository_owner == 'OSGeo'
+              && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository }}
           tags: |
             type=ref,event=tag
             type=ref,event=branch
-            type=raw,value=current,enable=${{ github.ref == format('refs/heads/{0}', 'releasebranch_8_3') }}
-            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/8.3') && matrix.os == 'ubuntu' }},suffix=
+            type=ref,event=pr
+            type=raw,value=current,enable=${{ steps.enable.outputs.current }}
+            type=raw,value=latest,enable=${{ steps.enable.outputs.latest }},suffix=
           flavor: |
             latest=false
             suffix=-${{ matrix.os }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
-      - name: Login to DockerHub
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        if: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -83,10 +143,39 @@ jobs:
         id: docker_build
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
-          push: true
-          pull: true
+          push: ${{ github.event_name != 'pull_request' }}
           context: .
           tags: ${{ steps.meta.outputs.tags }}
           file: docker/${{ matrix.os }}/Dockerfile
+          annotations: ${{ steps.meta.outputs.annotations }}
+          provenance: mode=max
+          sbom: true
+          # Don't use cache for releases.
+          no-cache: ${{ contains(fromJSON('["tag", "release"]'), github.event_name) && true }}
+          # Don't use gha cache for releases. Cache is not used if `cache-from:` is empty
+          cache-from: >-
+            ${{ !contains(fromJSON('["tag", "release"]'), github.event_name)
+                && format('type=gha,scope={0}', matrix.os) || '' }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.os }}
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+      - name: Attest docker.io image
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        # If there isn't a digest, an annotation cannot be added
+        if: >-
+          ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request'
+            && steps.docker_build.outputs.digest }}
+        id: attest
+        with:
+          subject-name: docker.io/osgeo/grass-gis
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
+      - name: Attest ghcr.io image
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        # If there isn't a digest, an annotation cannot be added
+        if: ${{ steps.docker_build.outputs.digest }}
+        id: attest-ghcr
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: ${{ github.event_name != 'pull_request' }}

.github/workflows/macos_distribute_app.yml

@@ -0,0 +1,130 @@
+---
+name: macOS distribute app
+
+# Build and bundle macOS app
+
+on:
+  workflow_dispatch:
+  schedule:
+    # At 07:30 on Thursdays.
+    # See https://crontab.guru/#30_7_*_*_THU
+    - cron: "30 7 * * THU"
+  push:
+    tags:
+      - '**'
+
+permissions: {}
+
+env:
+  KEYCHAIN_PROFILE: notarytool-profile
+
+jobs:
+  macos_build:
+    name: macOS distribute
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}-${{
+        matrix.name }}-${{ matrix.os }}
+      cancel-in-progress: true
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        name:
+          - "x86_64"
+          - "arm64"
+        include:
+          - name: "x86_64"
+            os: macos-13
+            deployment_target: 10.13
+          - name: "arm64"
+            os: macos-14
+            deployment_target: 11
+      fail-fast: false
+
+    steps:
+      - name: Info
+        run: |
+          echo "macOS version $(sw_vers -productVersion)"
+          echo "architecture $(uname -a)"
+      - name: Disabling Spotlight
+        run: sudo mdutil -a -i off
+      - name: Uninstalling Homebrew
+        run: |
+          echo "Moving directories..."
+          sudo mkdir /opt/local-off /opt/homebrew-off
+          test ! -d /usr/local || /usr/bin/sudo /usr/bin/find /usr/local \
+            -mindepth 1 -maxdepth 1 -type d -print -exec /bin/mv {} \
+            /opt/local-off/ \;
+          test ! -d /opt/homebrew || /usr/bin/sudo /usr/bin/find /opt/homebrew \
+            -mindepth 1 -maxdepth 1 -type d -print -exec /bin/mv {} \
+            /opt/homebrew-off/ \;
+          echo "Removing files..."
+          test ! -d /usr/local || /usr/bin/sudo /usr/bin/find /usr/local \
+            -mindepth 1 -maxdepth 1 -type f -print -delete
+          test ! -d /opt/homebrew || /usr/bin/sudo /usr/bin/find /opt/homebrew \
+            -mindepth 1 -maxdepth 1 -type f -print -delete
+          # Rehash to forget about the deleted files
+          hash -r
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Environment info
+        shell: bash -el {0}
+        run: |
+          printenv | sort
+
+      - name: Install the Apple certificate and provisioning profile
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_PROVISION_PROFILE: ${{ secrets.MACOS_PROVISION_PROFILE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
+          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+          MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+        run: |
+          CERT="$RUNNER_TEMP/certificate.p12"
+          INTERMEDIATE_CERT="$RUNNER_TEMP/DeveloperIDG2CA.cer"
+
+          curl -o "$INTERMEDIATE_CERT" https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
+
+          echo -n "$MACOS_CERTIFICATE" | base64 --decode -o "$CERT"
+          echo -n "$MACOS_PROVISION_PROFILE" | base64 --decode -o "$RUNNER_TEMP/embedded.provisionprofile"
+
+          security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          security set-keychain-settings -t 15000
+          security import "$INTERMEDIATE_CERT" -k build.keychain -T /usr/bin/codesign
+          security import "$CERT" -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" \
+            build.keychain 1> /dev/null
+
+          echo "Create keychain profile"
+          xcrun notarytool store-credentials "$KEYCHAIN_PROFILE" --apple-id "$MACOS_NOTARIZATION_APPLE_ID"\
+            --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+      - name: Create config file
+        shell: bash -el {0}
+        env:
+          Config: ${HOME}/.config/grass/configure-build-${{ matrix.name }}.sh
+          MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+        run: |
+          mkdir -p "${HOME}/.config/grass"
+          echo sdk=\"$(xcrun --show-sdk-path)\" >> ${{ env.Config }}
+          echo deployment_target=\"${{ matrix.deployment_target }}\" >> ${{ env.Config }}
+          echo cs_ident=\"${MACOS_CERTIFICATE_NAME}\" >> ${{ env.Config }}
+          echo cs_keychain_profile=\"${KEYCHAIN_PROFILE}\" >> ${{ env.Config }}
+          echo cs_provisionprofile=\"${RUNNER_TEMP}/embedded.provisionprofile\" >> ${{ env.Config }}
+
+      - name: Build GRASS GIS app
+        run: |
+          ./macos/build_grass_app.bash --with-liblas --notarize -o "${{ runner.temp }}"
+
+      - name: Upload DMG file as artifact
+        if: ${{ success() && !cancelled() }}
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: ${{ env.DMG_NAME }}
+          path: ${{ env.DMG_FILE }}
+          retention-days: 3

.github/workflows/python-code-quality.yml

@@ -30,13 +30,13 @@ jobs:
       PYTHON_VERSION: "3.13"
       MIN_PYTHON_VERSION: "3.9"
       # renovate: datasource=pypi depName=flake8
-      FLAKE8_VERSION: "7.1.1"
+      FLAKE8_VERSION: "7.1.2"
       # renovate: datasource=pypi depName=pylint
       PYLINT_VERSION: "3.3.4"
       # renovate: datasource=pypi depName=bandit
       BANDIT_VERSION: "1.8.2"
       # renovate: datasource=pypi depName=ruff
-      RUFF_VERSION: "0.9.5"
+      RUFF_VERSION: "0.9.6"
 
     runs-on: ${{ matrix.os }}
     permissions:

.gitignore

@@ -44,6 +44,15 @@ daag*.s
 # notebook helper files
 .ipynb_checkpoints
 
+# python environment
+venv/
+env/
+.venv/
+.env/
+
+# VSCode Settings
+.vscode/
+
 # ignore gunittest helper and result files
 testreport/*
 testsuite/examples/testreports/

.markdownlint.yml

@@ -8,13 +8,7 @@ fix: true
 MD041: false # first-line-h1
 
 # Errors from .html to .md rename (first step in HTML to Markdown conversion)
-no-duplicate-heading: false
-heading-increment: false
 no-inline-html: false
 no-alt-text: false
 line-length: false
 # The block above this is to be eventually removed.
-
-no-emphasis-as-heading: false
-link-fragments: false
-no-space-in-links: false

.pre-commit-config.yaml

@@ -38,7 +38,7 @@ repos:
           )
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.9.5
+    rev: v0.9.6
     hooks:
       # Run the linter.
       - id: ruff
@@ -50,7 +50,7 @@ repos:
     hooks:
       - id: markdownlint-fix
   - repo: https://github.com/pycqa/flake8
-    rev: 7.1.1
+    rev: 7.1.2
     hooks:
       - id: flake8
         exclude: |