security update: gunicorn, magpie, docker base

.github/ISSUE_TEMPLATE/bug-report.md

@@ -1,30 +1,35 @@
 ---
 name: Bug Report
 about: Create a report to help us improve
-title: \[BUG\]
+title: \[BUG]
 labels: bug
 assignees: fmigneault
-
 ---
 
-**Describe the bug**
+## Describe the bug
+
+<!--
 A clear and concise description of what the bug is.
+-->
+
+## To Reproduce
 
-**To Reproduce**
 Steps to reproduce the behavior:
+
 1. Deploy process with payload '...'
 2. Execute using payload '....'
 3. Result '....'
 4. Error message '...'
 
-**Expected behavior**
+## Expected behavior
+
+<!--
 A clear and concise description of what you expected to happen.
+-->
 
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
+## Environment
 
-**Desktop (please complete the following information):**
- - OS: \[e.g. Linux|Windows\] (if running locally)
- - Browser \[e.g. chrome, safari\] (if running as a service)
- - Instance: URL
- - Version \["1.2.3", see `/version` endpoint\]
+- OS: \[e.g. Linux|Windows] (if running locally)
+- Browser \[e.g. chrome, safari] (if running as a service)
+- Instance: URL
+- Version \["1.2.3", see `/version` endpoint]

.github/ISSUE_TEMPLATE/feature-request.md

@@ -1,21 +1,31 @@
 ---
 name: Feature Request
 about: Suggest an idea for this project
-title: \[Feature\]
+title: \[Feature]
 labels: feature
 assignees: fmigneault
-
 ---
 
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. 
-Ex. I would like to be able to authenticate using \[...\]
+## Describe the request
+
+<!--
+A clear and concise description of what the problem is.
+-->
+
+## Expected behavior
 
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
+<!--
+A clear and concise description of what you expected to happen.
+-->
 
-**Describe alternatives you've considered**
+## Alternatives considered
+
+<!--
 A clear and concise description of any alternative solutions or features you've considered.
+-->
+
+## Additional context
 
-**Additional context**
+<!--
 Add any other context or screenshots about the feature request here.
+-->

.github/workflows/tests.yml

@@ -29,7 +29,6 @@ jobs:
     env:
       # override make command to install directly in active python
       CONDA_COMMAND: ""
-      CHECKS_EXCLUDE: types
     strategy:
       matrix:
         os: [ubuntu-latest]
@@ -43,10 +42,6 @@ jobs:
             python-version: "3.10"
             allow-failure: false
             test-case: check-only
-          - os: ubuntu-latest
-            python-version: "3.10"
-            allow-failure: true
-            test-case: check-types-only
           # docker smoke tests
           - os: ubuntu-latest
             python-version: "3.10"
@@ -89,7 +84,7 @@ jobs:
         run: make install-pkg install-dev
       - if: ${{ matrix.test-case == 'check-only' }}
         name: Install Extra Test Dependencies
-        run: make install-npm
+        run: make install-dev
       - name: Display Packages
         run: pip freeze
       - name: Display Version
@@ -106,9 +101,10 @@ jobs:
         run: make stop ${{ matrix.test-case }}
         continue-on-error: false
       - name: Upload coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v2
         if: ${{ success() && matrix.test-case == 'coverage' }}
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           files: ./reports/coverage.xml
           fail_ci_if_error: true
           verbose: true

.gitignore

@@ -12,7 +12,7 @@ share
 
 ## Node
 node_modules
-package.json
+!package.json
 package-lock.json
 
 ## Makefile

.remarkignore

@@ -0,0 +1,13 @@
+# To save time scanning
+.idea/
+.vscode/
+*.egg-info/
+downloads/
+env/
+
+# actual items to ignore
+.pytest_cache/
+node_modules/
+docs/_build/
+docs/build/
+reports/

CHANGES.rst

@@ -7,18 +7,26 @@ Changes
 `Unreleased <https://github.com/Ouranosinc/cowbird/tree/master>`_ (latest)
 ------------------------------------------------------------------------------------
 
-* Nothing yet.
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
+* Pin ``gunicorn>=22`` to address CVE-2024-1135.
+* Pin Docker base to ``python:3.11-alpine3.19`` for various security fixes.
+* Update ``magpie==4.0.0`` for corresponding fixes
+  (see `Changes: magpie @ 4.0.0 <https://github.com/Ouranosinc/Magpie/blob/master/CHANGES.rst#400-2024-04-26>`_).
+* Pin ``watchdog>=4`` for latest typing additions.
 
 `2.3.0 <https://github.com/Ouranosinc/cowbird/tree/2.3.0>`_ (2023-11-30)
 ------------------------------------------------------------------------------------
 
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
 * Add optional key ``field`` and ``regex`` to be used in the ``sync_permissions`` section found in the config.
   This allows to sync permissions using a field other than ``resource_full_name`` when creating the ``name:type``
   from the segment ``ex.: /field1::type1/field2::type2``. Adds support to use ``resource_display_name``.
 * The ``regex`` is used to extract the desired information from the ``nametype_path``. It should be used to do an
   exact match. This new search overrides the default way of matching each segment with the ``nametype_path``.
   In the case where a ``regex`` is found in the target segment, the data will be formed using the same ``resource_type``
-  for every match in the same segment. Similary, as using ``- name: "**"`` in the config to match multiple segment,
+  for every match in the same segment. Similarly, as using ``- name: "**"`` in the config to match multiple segment,
   it is possible to use a ``regex`` to match multiple resources in the same segment with ``regex: '(?<=:).*\/?(?=\/)'``
 
 `2.2.0 <https://github.com/Ouranosinc/cowbird/tree/2.2.0>`_ (2023-11-16)