Merge branch 'main' into pyrefact-gui-contextmanager

.flake8

@@ -20,7 +20,7 @@ per-file-ignores =
     # E741 ambiguous variable name 'l'
     man/build_html.py: E501
     man/build_md.py: E501
-    doc/python/m.distance.py: E501
+    doc/examples/python/m.distance.py: E501
     gui/scripts/d.wms.py: E501
     gui/wxpython/image2target/g.gui.image2target.py: E501
     gui/wxpython/photo2image/g.gui.photo2image.py: E501
@@ -29,7 +29,6 @@ per-file-ignores =
     gui/wxpython/animation/g.gui.animation.py: E501
     gui/wxpython/tplot/g.gui.tplot.py: E501
     gui/wxpython/iclass/g.gui.iclass.py: E501
-    gui/wxpython/iclass/statistics.py: F841, F405, F403
     gui/wxpython/location_wizard/wizard.py: E722
     gui/wxpython/mapdisp/main.py: E722
     gui/wxpython/mapdisp/test_mapdisp.py: E501
@@ -41,11 +40,8 @@ per-file-ignores =
     gui/wxpython/menustrings.py: E501
     # C wrappers call libgis.G_gisinit before importing other modules.
     # TODO: Is this really needed?
+    python/grass/jupyter/__init__.py: E501
     python/grass/pygrass/vector/__init__.py: E402
-    python/grass/temporal/datetime_math.py: E722
-    python/grass/temporal/spatial_topology_dataset_connector.py: E722
-    python/grass/temporal/temporal_algebra.py: E722
-    python/grass/temporal/temporal_granularity.py: E722
     # Current benchmarks/tests are changing sys.path before import.
     # Possibly, a different approach should be taken there anyway.
     python/grass/pygrass/tests/benchmark.py: F821

.github/actions/create-upload-suggestions/action.yml

@@ -177,7 +177,7 @@ runs:
         echo "diff-file-name=${INPUT_DIFF_FILE_NAME}" >> "${GITHUB_OUTPUT}"
       env:
         INPUT_DIFF_FILE_NAME: ${{ steps.tool-name-safe.outputs.diff-file-name }}
-    - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       id: upload-diff
       if: >-
         ${{ (steps.files_changed.outputs.files_changed == 'true') &&
@@ -200,7 +200,7 @@ runs:
           echo 'Suggestions can only be added near to lines changed in this PR.'
           echo 'If any fixes can be added as code suggestions, they will be added shortly from another workflow.'
         } >> "${GITHUB_STEP_SUMMARY}"
-    - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       id: upload-changes
       if: >-
         ${{ always() &&

.github/labeler.yml

@@ -145,7 +145,7 @@ notebook:
   - changed-files:
       - any-glob-to-any-file:
           - '**/*.ipynb'
-          - doc/notebooks/**
+          - doc/examples/notebooks/**
           - python/grass/jupyter/**
 C:
   - changed-files:

.github/workflows/additional_checks.yml

@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   additional-checks:
     name: Additional checks

.github/workflows/codeql-analysis.yml

@@ -31,6 +31,7 @@ jobs:
         language:
           - c-cpp
           - python
+          - actions
 
     concurrency:
       group: ${{ github.workflow }}-${{
@@ -56,7 +57,7 @@ jobs:
         if: ${{ matrix.language == 'c-cpp' }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/codeql-config.yml
@@ -81,6 +82,6 @@ jobs:
         run: .github/workflows/build_ubuntu-22.04.sh "${HOME}/install"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/create_release_draft.yml

@@ -74,7 +74,7 @@ jobs:
           sha256sum ${{ env.GRASS }}.tar.xz > ${{ env.GRASS }}.tar.xz.sha256
       - name: Publish draft distribution to GitHub (for tags only)
         if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           name: GRASS GIS ${{ github.ref_name }}
           body: |

.github/workflows/docker.yml

@@ -22,8 +22,9 @@ on:
   release:
     types: [published]
 
-jobs:
+permissions: {}
 
+jobs:
   # Run for push to configured branches and all published releases.
   # Take care of different os.
   # For main branch, created tags are:
@@ -47,6 +48,10 @@ jobs:
           - ubuntu_wxgui
       fail-fast: false
 
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -66,7 +71,7 @@ jobs:
             latest=false
             suffix=-${{ matrix.os }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - name: Login to DockerHub
@@ -76,7 +81,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN  }}
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
           push: true
           pull: true

.github/workflows/gcc.yml

@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     name: ${{ matrix.c }} & ${{ matrix.cpp }}

.github/workflows/macos.yml

@@ -14,6 +14,9 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   macos_build:
     name: macOS build
@@ -50,7 +53,7 @@ jobs:
         # Year and week of year so cache key changes weekly
         run: echo "date=$(date +%Y-%U)" >> "${GITHUB_OUTPUT}"
       - name: Setup Mamba
-        uses: mamba-org/setup-micromamba@068f1ab4b37ed9b3d9f73da7db90a0cda0a48d29 # v2.0.3
+        uses: mamba-org/setup-micromamba@0dea6379afdaffa5d528b3d1dabc45da37f443fc # v2.0.4
         with:
           init-shell: bash
           environment-file: .github/workflows/macos_dependencies.txt
@@ -107,7 +110,7 @@ jobs:
             nc_spm_full_v2alpha2.tar.gz"
       - name: Make HTML test report available
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: testreport-macOS
           path: testreport

.github/workflows/milestones.yml

@@ -5,12 +5,17 @@ on:
   pull_request_target:
     types: [closed]
 
+permissions: {}
+
 jobs:
   assign-milestone:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      # Retreiving the current milestoone from API instead of github context,
+      # Retrieving the current milestone from API instead of github context,
       # so up-to-date information is used when running after being queued or for reruns
       # Otherwise, the information should be available using
       # ${{ github.event.pull_request.milestone.title }}

.github/workflows/osgeo4w.yml

@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     name: ${{ matrix.os }} build and tests
@@ -138,7 +140,7 @@ jobs:
 
       - name: Make HTML test report available
         if: ${{ always() }}
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: testreport-${{ matrix.os }}
           path: testreport

.github/workflows/periodic_update.yml

@@ -10,12 +10,18 @@ on:
     # See https://crontab.guru/#32_10_*/100,1-7_*_WED
     - cron: "32 10 */100,1-7 * WED"
 
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   update-configure:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      pull-requests: write
+
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Create URL to the run output

.github/workflows/pytest.yml

@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   pytest:
     concurrency:
@@ -123,7 +125,7 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
       - name: Make python-only code coverage test report available
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: python-codecoverage-report-${{ matrix.os }}-${{ matrix.python-version }}
           path: coverage_html_report

.github/workflows/python-code-quality.yml

@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   python-checks:
     name: Python Code Quality Checks
@@ -34,9 +36,9 @@ jobs:
       # renovate: datasource=pypi depName=pylint
       PYLINT_VERSION: "3.3.3"
       # renovate: datasource=pypi depName=bandit
-      BANDIT_VERSION: "1.8.0"
+      BANDIT_VERSION: "1.8.2"
       # renovate: datasource=pypi depName=ruff
-      RUFF_VERSION: "0.8.6"
+      RUFF_VERSION: "0.9.1"
 
     runs-on: ${{ matrix.os }}
     permissions:
@@ -129,13 +131,13 @@ jobs:
           bandit -c pyproject.toml -iii -r . -f sarif -o bandit.sarif --exit-zero
 
       - name: Upload Bandit Scan Results
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: bandit.sarif
           path: bandit.sarif
 
       - name: Upload SARIF File into Security Tab
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: bandit.sarif
 
@@ -192,8 +194,8 @@ jobs:
 
       - name: Test compiling example modules
         run: |
-          ( cd doc/raster/r.example/ && make )
-          ( cd doc/vector/v.example/ && make )
+          ( cd doc/examples/raster/r.example/ && make )
+          ( cd doc/examples/vector/v.example/ && make )
 
       - name: Run Sphinx to check API documentation build
         run: |
@@ -203,7 +205,7 @@ jobs:
           cp -rp dist.$ARCH/docs/html/libpython sphinx-grass
 
       - name: Make Sphinx documentation available
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: sphinx-grass
           path: sphinx-grass

.github/workflows/super-linter.yml

@@ -12,6 +12,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   super-linter:
     name: GitHub Super Linter

.github/workflows/ubuntu.yml

@@ -10,6 +10,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   ubuntu:
     concurrency:
@@ -149,7 +151,7 @@ jobs:
 
       - name: Make HTML test report available
         if: ${{ always() }}
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: testreport-${{ matrix.os }}-${{ matrix.config }}-${{ matrix.extra-include }}
           path: testreport

.github/workflows/verify-success.yml

@@ -45,34 +45,36 @@ on:
         type: string
         required: true
         # Can't escape the handlebars in the description
-        description:
+        description: >-
           In the calling job that defines all the needed jobs,
           send `toJson(needs)` inside `$` followed by `{{ }}`
       fail_if_failure:
         type: boolean
         default: true
-        description:
+        description: >-
           If true, this workflow will fail if any job from 'needs_context was
           failed
       fail_if_cancelled:
         type: boolean
         default: true
-        description:
+        description: >-
           If true, this workflow will fail if any job from 'needs_context' was
           cancelled
       fail_if_skipped:
         type: boolean
         default: false
-        description:
+        description: >-
           If true, this workflow will fail if any job from 'needs_context' was
           skipped
       require_success:
         type: boolean
         default: true
-        description:
+        description: >-
           If true, this workflow will fail if no job from 'needs_context' was
           successful
 
+permissions: {}
+
 jobs:
   verify-success:
     name: Success

.pre-commit-config.yaml

@@ -37,7 +37,7 @@ repos:
           )
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.8.6
+    rev: v0.9.1
     hooks:
       # Run the linter.
       - id: ruff