Merge branch 'main' into docs-styling-icon

OSGeo · Feb 18, 2025 · c28785a · c28785a
2 parents 50f79fc + 7bfe274
commit c28785a
Show file tree

Hide file tree

Showing 20 changed files with 289 additions and 82 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -16,9 +16,16 @@ on:
     branches:
       - main
       - releasebranch_*
-      - '!releasebranch_7_*'
+      - "!releasebranch_7_*"
     # tags: ['*.*.*']
     paths-ignore: [doc/**]
+  pull_request:
+    paths:
+      - .github/workflows/docker.yml
+      - Dockerfile
+      - docker/**
+      - "!docker/**.md"
+  workflow_dispatch:
   release:
     types: [published]
 
@@ -35,10 +42,17 @@ jobs:
   # For a release, e.g. 8.3.0, created tags are:
   #     8.3.0-alpine, 8.3.0-debian, 8.3.0-ubuntu and latest (with ubuntu)
   docker-os-matrix:
-    name: build and push ${{ matrix.os }} for ${{ github.ref }}
-    if: github.repository_owner == 'OSGeo'
+    name: ${{ matrix.os }} for ${{ github.ref }}
     runs-on: ubuntu-latest
-
+    concurrency:
+      group: >-
+        ${{ github.workflow }}-${{ matrix.os }}-${{ github.event_name }}-
+        ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
+      # Cancel in progress in pull requests.
+      # Otherwise, limit to one in progress and one queued for each type.
+      # Only the latest queued job per event type will be kept, older will be cancelled.
+      # The already running job will be completed.
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     strategy:
       matrix:
         os:
@@ -49,32 +63,78 @@ jobs:
       fail-fast: false
 
     permissions:
+      attestations: write
       contents: read
+      id-token: write
       packages: write
 
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Get the latest tag and release branches
+        id: tag-branch
+        run: |
+          # Make sure tags are fetched
+          git fetch --tags
+          # Get sorted list of tags, keep the first that has a semver pattern (not RCs)
+          latest_tag="$(git tag --sort=-v:refname \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | head -n 1)"
+          latest_rel_branch="$(git branch --all --list 'origin/*' \
+            --contains "${latest_tag}" --format "%(refname:lstrip=3)")"
+          echo "latest_tag=${latest_tag}" >> "${GITHUB_OUTPUT}"
+          echo "latest_tag is: ${latest_tag}"
+          echo "latest_rel_branch=${latest_rel_branch}" >> "${GITHUB_OUTPUT}"
+          echo "latest_rel_branch is: ${latest_rel_branch}"
+      - name: Get enable values for meta step
+        id: enable
+        run: |
+          latest="${{
+            (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
+              == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
+            && matrix.os == 'ubuntu' }}"
+          current="${{
+            ( contains(fromJSON('["tag", "release"]'), github.event_name)
+              && (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
+                  == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
+            )
+            || github.ref == format('refs/heads/{0}', steps.tag-branch.outputs.latest_rel_branch)
+          }}"
+          echo "latest=${latest}" >> "${GITHUB_OUTPUT}"
+          echo "latest is $latest"
+          echo "current=${current}" >> "${GITHUB_OUTPUT}"
+          echo "current is $current"
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
-          images: osgeo/grass-gis
+          images: |
+            name=docker.io/osgeo/grass-gis,enable=${{ github.repository_owner == 'OSGeo'
+              && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository }}
           tags: |
             type=ref,event=tag
             type=ref,event=branch
-            type=raw,value=current,enable=${{ github.ref == format('refs/heads/{0}', 'releasebranch_8_3') }}
-            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/8.3') && matrix.os == 'ubuntu' }},suffix=
+            type=ref,event=pr
+            type=raw,value=current,enable=${{ steps.enable.outputs.current }}
+            type=raw,value=latest,enable=${{ steps.enable.outputs.latest }},suffix=
           flavor: |
             latest=false
             suffix=-${{ matrix.os }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
-      - name: Login to DockerHub
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        if: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -83,10 +143,39 @@ jobs:
         id: docker_build
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
-          push: true
-          pull: true
+          push: ${{ github.event_name != 'pull_request' }}
           context: .
           tags: ${{ steps.meta.outputs.tags }}
           file: docker/${{ matrix.os }}/Dockerfile
+          annotations: ${{ steps.meta.outputs.annotations }}
+          provenance: mode=max
+          sbom: true
+          # Don't use cache for releases.
+          no-cache: ${{ contains(fromJSON('["tag", "release"]'), github.event_name) && true }}
+          # Don't use gha cache for releases. Cache is not used if `cache-from:` is empty
+          cache-from: >-
+            ${{ !contains(fromJSON('["tag", "release"]'), github.event_name)
+                && format('type=gha,scope={0}', matrix.os) || '' }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.os }}
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+      - name: Attest docker.io image
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        # If there isn't a digest, an annotation cannot be added
+        if: >-
+          ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request'
+            && steps.docker_build.outputs.digest }}
+        id: attest
+        with:
+          subject-name: docker.io/osgeo/grass-gis
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
+      - name: Attest ghcr.io image
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        # If there isn't a digest, an annotation cannot be added
+        if: ${{ steps.docker_build.outputs.digest }}
+        id: attest-ghcr
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/macos_distribute_app.yml b/.github/workflows/macos_distribute_app.yml
@@ -0,0 +1,130 @@
+---
+name: macOS distribute app
+
+# Build and bundle macOS app
+
+on:
+  workflow_dispatch:
+  schedule:
+    # At 07:30 on Thursdays.
+    # See https://crontab.guru/#30_7_*_*_THU
+    - cron: "30 7 * * THU"
+  push:
+    tags:
+      - '**'
+
+permissions: {}
+
+env:
+  KEYCHAIN_PROFILE: notarytool-profile
+
+jobs:
+  macos_build:
+    name: macOS distribute
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}-${{
+        matrix.name }}-${{ matrix.os }}
+      cancel-in-progress: true
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        name:
+          - "x86_64"
+          - "arm64"
+        include:
+          - name: "x86_64"
+            os: macos-13
+            deployment_target: 10.13
+          - name: "arm64"
+            os: macos-14
+            deployment_target: 11
+      fail-fast: false
+
+    steps:
+      - name: Info
+        run: |
+          echo "macOS version $(sw_vers -productVersion)"
+          echo "architecture $(uname -a)"
+      - name: Disabling Spotlight
+        run: sudo mdutil -a -i off
+      - name: Uninstalling Homebrew
+        run: |
+          echo "Moving directories..."
+          sudo mkdir /opt/local-off /opt/homebrew-off
+          test ! -d /usr/local || /usr/bin/sudo /usr/bin/find /usr/local \
+            -mindepth 1 -maxdepth 1 -type d -print -exec /bin/mv {} \
+            /opt/local-off/ \;
+          test ! -d /opt/homebrew || /usr/bin/sudo /usr/bin/find /opt/homebrew \
+            -mindepth 1 -maxdepth 1 -type d -print -exec /bin/mv {} \
+            /opt/homebrew-off/ \;
+          echo "Removing files..."
+          test ! -d /usr/local || /usr/bin/sudo /usr/bin/find /usr/local \
+            -mindepth 1 -maxdepth 1 -type f -print -delete
+          test ! -d /opt/homebrew || /usr/bin/sudo /usr/bin/find /opt/homebrew \
+            -mindepth 1 -maxdepth 1 -type f -print -delete
+          # Rehash to forget about the deleted files
+          hash -r
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Environment info
+        shell: bash -el {0}
+        run: |
+          printenv | sort
+
+      - name: Install the Apple certificate and provisioning profile
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_PROVISION_PROFILE: ${{ secrets.MACOS_PROVISION_PROFILE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
+          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+          MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+        run: |
+          CERT="$RUNNER_TEMP/certificate.p12"
+          INTERMEDIATE_CERT="$RUNNER_TEMP/DeveloperIDG2CA.cer"
+
+          curl -o "$INTERMEDIATE_CERT" https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
+
+          echo -n "$MACOS_CERTIFICATE" | base64 --decode -o "$CERT"
+          echo -n "$MACOS_PROVISION_PROFILE" | base64 --decode -o "$RUNNER_TEMP/embedded.provisionprofile"
+
+          security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          security set-keychain-settings -t 15000
+          security import "$INTERMEDIATE_CERT" -k build.keychain -T /usr/bin/codesign
+          security import "$CERT" -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" \
+            build.keychain 1> /dev/null
+
+          echo "Create keychain profile"
+          xcrun notarytool store-credentials "$KEYCHAIN_PROFILE" --apple-id "$MACOS_NOTARIZATION_APPLE_ID"\
+            --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+      - name: Create config file
+        shell: bash -el {0}
+        env:
+          Config: ${HOME}/.config/grass/configure-build-${{ matrix.name }}.sh
+          MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+        run: |
+          mkdir -p "${HOME}/.config/grass"
+          echo sdk=\"$(xcrun --show-sdk-path)\" >> ${{ env.Config }}
+          echo deployment_target=\"${{ matrix.deployment_target }}\" >> ${{ env.Config }}
+          echo cs_ident=\"${MACOS_CERTIFICATE_NAME}\" >> ${{ env.Config }}
+          echo cs_keychain_profile=\"${KEYCHAIN_PROFILE}\" >> ${{ env.Config }}
+          echo cs_provisionprofile=\"${RUNNER_TEMP}/embedded.provisionprofile\" >> ${{ env.Config }}
+
+      - name: Build GRASS GIS app
+        run: |
+          ./macos/build_grass_app.bash --with-liblas --notarize -o "${{ runner.temp }}"
+
+      - name: Upload DMG file as artifact
+        if: ${{ success() && !cancelled() }}
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: ${{ env.DMG_NAME }}
+          path: ${{ env.DMG_FILE }}
+          retention-days: 3
diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml
@@ -30,13 +30,13 @@ jobs:
       PYTHON_VERSION: "3.13"
       MIN_PYTHON_VERSION: "3.9"
       # renovate: datasource=pypi depName=flake8
-      FLAKE8_VERSION: "7.1.1"
+      FLAKE8_VERSION: "7.1.2"
       # renovate: datasource=pypi depName=pylint
       PYLINT_VERSION: "3.3.4"
       # renovate: datasource=pypi depName=bandit
       BANDIT_VERSION: "1.8.2"
       # renovate: datasource=pypi depName=ruff
-      RUFF_VERSION: "0.9.5"
+      RUFF_VERSION: "0.9.6"
 
     runs-on: ${{ matrix.os }}
     permissions:

diff --git a/.markdownlint.yml b/.markdownlint.yml
@@ -8,8 +8,6 @@ fix: true
 MD041: false # first-line-h1
 
 # Errors from .html to .md rename (first step in HTML to Markdown conversion)
-no-duplicate-heading: false
-heading-increment: false
 no-inline-html: false
 no-alt-text: false
 line-length: false

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -38,7 +38,7 @@ repos:
           )
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.9.5
+    rev: v0.9.6
     hooks:
       # Run the linter.
       - id: ruff
@@ -50,7 +50,7 @@ repos:
     hooks:
       - id: markdownlint-fix
   - repo: https://github.com/pycqa/flake8
-    rev: 7.1.1
+    rev: 7.1.2
     hooks:
       - id: flake8
         exclude: |

diff --git a/display/d.mon/d.mon.md b/display/d.mon/d.mon.md
@@ -22,7 +22,7 @@ The desired monitor should be started once and need not be restarted
 unless it is stopped for some reason. A monitor may continue to run for
 any length of time, even when no GRASS session is being run.
 
-### Stopping a monitor
+### Listing currently running monitors
 
 A graphics monitor has two different types of status: monitor program
 *not running*, and monitor *running*. A monitor that has been started

diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 as common
+FROM alpine:3.21@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c as common
 
 # Based on:
 # https://github.com/mundialis/docker-grass-gis/blob/master/Dockerfile
@@ -177,7 +177,7 @@ RUN cmake -B build -DAUTOLOAD_DIR=/usr/lib/gdalplugins -DBUILD_TESTING=OFF && \
     cmake --install build
 
 # Get rid of version number here, restore in next stage via symbolic link
-RUN mv $(grass --config path) /usr/local/grass
+RUN mv /usr/local/grass85 /usr/local/grass
 
 # Reduce the image size - Remove unnecessary grass files
 RUN cp /usr/local/grass/gui/wxpython/xml/module_items.xml module_items.xml; \
@@ -206,14 +206,15 @@ COPY --from=build /usr/local/grass* /usr/local/grass/
 COPY --from=build /usr/lib/gdalplugins/*_GRASS.so /usr/lib/gdalplugins/
 # Set GISBASE
 ENV GISBASE /usr/local/grass
+ENV GRASS_GISBASE /usr/local/grass
 
 # run simple LAZ test
 COPY docker/testdata/simple.laz /tmp/
 COPY docker/testdata/test_grass_python.py docker/testdata/test_grass_session.py docker/alpine/grass_tests.sh /scripts/
 
 # run GRASS GIS python session and scan the test LAZ file; some cleanup
 # also show installed version
-RUN ln -sf /usr/local/grass $(grass --config path); \
+RUN ln -sf /usr/local/grass /usr/local/grass85; \
     rm -rf /tmp/grasstest_epsg_25832; \
     $SHELL /scripts/grass_tests.sh; \
     python /scripts/test_grass_session.py && rm -rf /tmp/grasstest_epsg_25832; \

diff --git a/docker/alpine/grass_tests.sh b/docker/alpine/grass_tests.sh
@@ -6,8 +6,8 @@
 apk add --no-cache py3-scikit-learn
 
 echo "Testing the GDAL-GRASS plugins:"
-gdalinfo --formats | grep -p "GRASS Rasters" && \
-ogrinfo --formats | grep -p "GRASS Vectors" || echo "...failed"
+gdalinfo --formats | grep "GRASS Rasters" && \
+ogrinfo --formats | grep "GRASS Vectors" || echo "...failed"
 
 # Test grass-session
 /usr/bin/python3 /scripts/test_grass_session.py

diff --git a/imagery/i.ortho.photo/i.ortho.rectify/i.ortho.rectify.md b/imagery/i.ortho.photo/i.ortho.rectify/i.ortho.rectify.md
@@ -47,7 +47,7 @@ line or the GUI, or it can be invoked as OPTION 8 through
 [i.ortho.photo](i.ortho.photo.md), an interactive terminal is used to
 determine the options.
 
-#### Interactive mode
+### Interactive mode
 
 You are first asked if all images within the imagery group should be
 rectified. If this option is not chosen, you are asked to specify for