Merge branch 'main' into dmr-adapter

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,67 @@
+name: 🐞 Bug
+description: >
+  A bug is an issue that differs from documentation or has unexpected behavior.
+title: "[BUG] {{ title }}"
+labels:
+  - Bug
+  - Needs Triage
+body:
+  - type: checkboxes
+    attributes:
+      label: Is this issue already tracked somewhere, or is this a new report?
+      description: Check if a similar issue has already been reported before submitting a new one.
+      options:
+        - label: I've reviewed existing issues and couldn't find a duplicate for this problem.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: Current Behavior
+      description: A concise description of what you're experiencing.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: A concise description of what you expected to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: |
+        Steps to Reproduce
+        1. In this environment...
+        2. With this config...
+        3. Run '...'
+        4. See error...
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Environment
+      description: |
+        Examples:
+        - **OS**: Ubuntu 20.04
+        - **Python**: 3.11.2
+      value: |
+        - OS:
+        - Python:
+      render: markdown
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Additional Context
+      description: |
+        Any additional information that might be helpful in resolving this issue, such as:
+        - Error messages or stack traces
+        - Relevant configuration files or code snippets
+
+        Tip: You can attach files or images by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: 🌟 Community support
+    url: https://github.com/nsidc/earthaccess/discussions/categories/q-a
+    about: Explore this section to ask questions, share insights, and connect with others about Earthdata access and usage.
+  - name: 💡 Suggest a new feature
+    url: https://github.com/nsidc/earthaccess/discussions/new?category=ideas
+    about: Got a brilliant idea? Share your innovative suggestions to help us make amazing improvements!

.github/pull_request_template.md

@@ -24,9 +24,9 @@ created the PR as a non-draft, don't worry, you can still change it to a draft u
 - [ ] Please review our
       [contributing documentation](https://earthaccess.readthedocs.io/en/latest/contributing/)
       before getting started.
-- [ ] Ensure an issue exists representing the problem being solved in this PR.
 - [ ] Populate a descriptive title. For example, instead of "Updated README.md", use a
       title such as "Add testing details to the contributor section of the README".
+      Example PRs: [#763](https://github.com/nsidc/earthaccess/pull/763)
 - [ ] Populate the body of the pull request with:
     - A clear description of the change you are proposing.
     - Links to any issues resolved by this PR with text in the PR description, for
@@ -35,6 +35,7 @@ created the PR as a non-draft, don't worry, you can still change it to a draft u
 - [ ] Update `CHANGELOG.md` with details about your change in a section titled
       `## Unreleased`. If such a section does not exist, please create one. Follow
       [Common Changelog](https://common-changelog.org/) for your additions.
+      Example PRs: [#763](https://github.com/nsidc/earthaccess/pull/763)
 - [ ] Update the documentation and/or the `README.md` with details of changes to the
       earthaccess interface, if any. Consider new environment variables, function names,
       decorators, etc.

.github/workflows/binder-badge.yml

@@ -0,0 +1,11 @@
+name: AddBinderBadge
+on:
+  pull_request_target:
+
+jobs:
+  badge:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: manics/action-binderbadge@v3.0.0
+        with:
+          githubToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/integration-test-review.yml

@@ -0,0 +1,52 @@
+name: Integration Tests PR Comment
+
+on:
+  workflow_run:
+    workflows: [Integration Tests]
+    types: [completed]
+
+jobs:
+  integration-tests-pr-comment:
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request_target' &&
+      github.event.workflow_run.conclusion == 'failure'
+    steps:
+      - name: Fetch user permission
+        id: permission
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+
+      - name: Add PR comment when user does not have write permission
+        # The name of the output require-result is a bit confusing, but when its value
+        # is 'false', it means that the triggering actor does NOT have the required
+        # permission.
+        if: steps.permission.outputs.require-result == 'false'
+
+        # If the triggering actor does not have write permission, then we want to add
+        # a PR comment indicating a security review is required because we know that
+        # the integration tests "failed" due to lack of permission (i.e., they were
+        # actually "aborted" without running any tests).
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { number, html_url } = (await github.rest.repos.listPullRequestsAssociatedWithCommit({
+              commit_sha: context.sha,
+              owner: "${{ github.event.workflow_run.head_repository.owner.login }}",
+              repo: "${{ github.event.workflow_run.head_repository.name }}",
+            })).data[0] ?? {};
+
+            if (number) {
+              github.rest.issues.createComment({
+                issue_number: number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: "User [${{ github.triggering_actor }}](${{ github.event.workflow_run.head_repository.owner.html_url }})"
+                  + " does not have permission to run integration tests. A maintainer must perform a security review of the"
+                  + ` [code changes in this pull request](${html_url}/files) and re-run the`
+                  + " [failed integration tests jobs](${{ github.event.workflow_run.html_url }}),"
+                  + " if the code is deemed safe.",
+              });
+            }

.github/workflows/integration-test.yml

@@ -2,74 +2,115 @@ name: Integration Tests
 
 on:
   pull_request:
-  push:
     branches:
       - main
     paths:
+      - .github/workflows/integration-test*.yml
       - earthaccess/**
+      - scripts/integration-test.sh
       - tests/**
-      - docs/**
-      - binder/**
+      - uv.lock
+  pull_request_target:
+    branches:
+      - main
+    paths:
+      - .github/workflows/integration-test*.yml
+      - earthaccess/**
+      - scripts/integration-test.sh
+      - tests/**
+      - uv.lock
 
 # When this workflow is queued, automatically cancel any previous running
 # or pending jobs from the same branch
 concurrency:
   group: integration-tests-${{ github.ref }}
   cancel-in-progress: true
 
-defaults:
-  run:
-    shell: bash -l {0}
-
 jobs:
   integration-tests:
+    #
+    # This condition prevents DUPLICATE attempts to run integration tests for
+    # PRs coming from FORKS.
+    #
+    # When a PR originates from a fork, both a pull_request and a
+    # pull_request_target event are triggered.  This means that without a
+    # condition, GitHub will attempt to run integration tests TWICE, once for
+    # each event.
+    #
+    # To prevent this, this condition ensures that integration tests are run
+    # in only ONE of the following cases:
+    #
+    #   1. The event is NOT a pull_request (it's a pull_request_target) and the base
+    #      repo is NOT the head repo (i.e., the PR is from a fork).
+    #   2. The event IS a pull_request AND the base repo IS the head repo
+    #      (i.e., the PR is not from a fork).
+    #
+    if: (github.event_name != 'pull_request') == github.event.pull_request.head.repo.fork
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
       fail-fast: false
 
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Fetch user permission
+        if: github.event_name == 'pull_request_target'
+        id: permission
+        uses: actions-cool/check-user-permission@v2
         with:
-          python-version: ${{ matrix.python-version }}
-      - name: Get full python version
-        id: full-python-version
-        run: echo ::set-output name=version::$(python -c "import sys; print('-'.join(str(v) for v in sys.version_info))")
-      - name: Install poetry
-        uses: abatilo/actions-poetry@v3
-      - name: Configure poetry
+          require: write
+          username: ${{ github.triggering_actor }}
+
+      - name: Check user permission
+        # The name of the output require-result is a bit confusing, but when its value
+        # is 'false', it means that the triggering actor does NOT have the required
+        # permission.
+        if: github.event_name == 'pull_request_target' && steps.permission.outputs.require-result == 'false'
+
+        # If the triggering actor does not have write permission (i.e., this is a
+        # PR from a fork), then we exit, otherwise most of the integration tests will
+        # fail because they require access to secrets.  In this case, a maintainer
+        # will need to make sure the PR looks safe, and if so, manually re-run the
+        # failed pull_request_target jobs.
         run: |
-          poetry config virtualenvs.create true --local
-          poetry config virtualenvs.in-project true --local
-          poetry self add setuptools
-      - name: Set up cache
-        uses: actions/cache@v4
-        id: cache
+          echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY
+          echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY
+          echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY
+          exit 1
+
+      - name: Checkout source
+        uses: actions/checkout@v4
         with:
-          path: .venv
-          key: venv-${{ runner.os }}-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('poetry.lock') }}
-      - name: Ensure cache is healthy
-        if: steps.cache.outputs.cache-hit == 'true'
-        run: poetry run pip --version >/dev/null 2>&1 || rm -rf .venv
-      - name: Install Dependencies
-        if: ${{ !env.ACT }}
-        run: poetry install
-      - name: Install Dependencies
-        if: ${{ env.ACT }}
-        # When using `act` to run the workflow locally, the `poetry install` command
-        # may fail due to network issues when running multiple Docker containers.
-        run: poetry install || poetry install || poetry install
-      - name: Test
+          # Getting the correct commit for a pull_request_target event appears to be
+          # a known, problematic issue: https://github.com/actions/checkout/issues/518
+          # It seems that ideally, we want github.event.pull_request.merge_commit_sha,
+          # but that it is not reliable, and can sometimes be a null values.  It
+          # appears that the most reasonable way to ensure that we are pulling the same
+          # code that triggered things is shown in this issue comment:
+          # https://github.com/actions/checkout/issues/518#issuecomment-1661941548
+          # However, attempts to get that working resulted in getting an empty
+          # github.event.number, so we're resorting to this simpler approach, which
+          # is apparently less than ideal, but seems to be the best we can muster at
+          # this point.
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3.2.2
+        with:
+          enable-cache: true
+
+      - name: Setup nox
+        uses: wntrblm/nox@2024.10.09
+        with:
+          python-versions: ${{ matrix.python-version }}
+
+      - name: Run integration tests
         env:
           EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }}
           EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }}
-          EARTHACCESS_TEST_USERNAME: ${{ secrets.EDL_USERNAME }}
-          EARTHACCESS_TEST_PASSWORD: ${{ secrets.EDL_PASSWORD }}
-        run: poetry run bash scripts/integration-test.sh
-      - name: Upload coverage
+        run: nox -s integration-tests -- --cov=earthaccess --cov-report=term-missing --capture=no --tb=native --log-cli-level=INFO
+
+      - name: Upload coverage report
         # Don't upload coverage when using the `act` tool to run the workflow locally
         if: ${{ !env.ACT }}
         uses: codecov/codecov-action@v4

.github/workflows/issue-manager.yml

@@ -17,7 +17,7 @@ jobs:
   issue-manager:
     runs-on: "ubuntu-latest"
     steps:
-      - uses: "tiangolo/issue-manager@0.5.0"
+      - uses: "tiangolo/issue-manager@0.5.1"
         with:
           token: "${{ secrets.GITHUB_TOKEN }}"
           config: >

.github/workflows/issue-metrics.yml

@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: read
+  issues: write
 
 jobs:
   build:
@@ -35,8 +36,18 @@ jobs:
           SEARCH_QUERY: 'repo:${{ github.repository }} is:issue created:${{ env.last_month }} -reason:"not planned"'
 
       - name: Create issue
+        id: create_issue
         uses: peter-evans/create-issue-from-file@v5
         with:
-          title: Monthly issue metrics report
+          title: "Monthly issue metrics report: ${{ env.last_month }}"
+          labels: metrics
           token: ${{ secrets.GITHUB_TOKEN }}
           content-filepath: ./issue_metrics.md
+
+      - name: Close Issue
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh issue close "${{steps.create_issue.outputs.issue-number}}" \
+            --reason "not planned" \
+            --repo ${{ github.repository }}

.github/workflows/publish.yml

@@ -5,13 +5,32 @@ on:
 
 jobs:
   build:
+    name: Build package
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+
       - name: verify version matches git tag
         run: scripts/verify_tag.sh
-      - name: Build and publish to pypi
-        uses: JRubics/poetry-publish@v2.0
+
+      - uses: hynek/build-and-inspect-python-package@v2
+
+  publish:
+    name: Publish to PyPI
+    needs: ["build"]
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: Packages
+          path: dist
+
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        # NOTE: This is not the current best practice. Instead, we should use
+        # "trusted publishing":
+        # https://github.com/pypa/gh-action-pypi-publish?tab=readme-ov-file#trusted-publishing
         with:
-          python_version: "3.9"
-          pypi_token: ${{ secrets.PYPI_TOKEN }}
+          password: ${{ secrets.PYPI_TOKEN }}