Merge branch 'main' into update-release-howto-after-8.4.2

Author: echoix

.github/workflows/codeql-analysis.yml

@@ -61,7 +61,7 @@ jobs:
         if: ${{ matrix.language == 'c-cpp' }}
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/codeql-config.yml
@@ -86,6 +86,6 @@ jobs:
         run: .github/workflows/build_ubuntu-24.04.sh "${HOME}/install"
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/docker.yml

@@ -41,26 +41,41 @@ jobs:
   #     releasebranch_8_3-alpine, releasebranch_8_3-debian, releasebranch_8_3-ubuntu
   # For a release, e.g. 8.3.0, created tags are:
   #     8.3.0-alpine, 8.3.0-debian, 8.3.0-ubuntu and latest (with ubuntu)
-  docker-os-matrix:
-    name: ${{ matrix.os }}
+  build:
     runs-on: ubuntu-latest
     concurrency:
       group: >-
-        ${{ github.workflow }}-${{ matrix.os }}-${{ github.event_name }}-
+        ${{ github.workflow }}-${{ matrix.name }}-${{ github.event_name }}-
         ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
       # Cancel in progress in pull requests.
       # Otherwise, limit to one in progress and one queued for each type.
       # Only the latest queued job per event type will be kept, older will be cancelled.
       # The already running job will be completed.
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     strategy:
-      matrix:
-        os:
-          - alpine
-          - debian
-          - ubuntu
-          - ubuntu_wxgui
       fail-fast: false
+      matrix:
+        include:
+          - name: alpine
+            os: alpine
+            dockerfile: docker/alpine/Dockerfile
+            build_args: |-
+              GUI=without
+          - name: debian
+            os: debian
+            dockerfile: docker/debian/Dockerfile
+            build_args: |-
+              GUI=without
+          - name: ubuntu
+            os: ubuntu
+            dockerfile: docker/ubuntu/Dockerfile
+            build_args: |-
+              GUI=without
+          - name: ubuntu_wxgui
+            os: ubuntu
+            dockerfile: docker/ubuntu/Dockerfile
+            build_args: |-
+              GUI=with
 
     permissions:
       attestations: write
@@ -108,7 +123,7 @@ jobs:
           latest="${{
             (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
               == format('refs/tags/{0}', steps.tag-branch.outputs.latest_tag)
-            && matrix.os == 'ubuntu' && steps.tag-branch.outputs.error_latest == 'no' }}"
+            && matrix.name == 'ubuntu' && steps.tag-branch.outputs.error_latest == 'no' }}"
           current="${{
             ( contains(fromJSON('["tag", "release"]'), github.event_name)
               && (github.ref || format('{0}{1}', 'refs/tags/', github.event.release.tag_name))
@@ -139,11 +154,11 @@ jobs:
             type=raw,value=latest,enable=${{ steps.enable.outputs.latest }},suffix=
           flavor: |
             latest=false
-            suffix=-${{ matrix.os }}
+            suffix=-${{ matrix.name }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       - name: Login to GitHub Container Registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
@@ -162,8 +177,9 @@ jobs:
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .
+          build-args: ${{ matrix.build_args }}
           tags: ${{ steps.meta.outputs.tags }}
-          file: docker/${{ matrix.os }}/Dockerfile
+          file: ${{ matrix.dockerfile }}
           annotations: ${{ steps.meta.outputs.annotations }}
           provenance: mode=max
           sbom: true
@@ -179,7 +195,7 @@ jobs:
         env:
           STEPS_DOCKER_BUILD_OUTPUTS_DIGEST: ${{ steps.docker_build.outputs.digest }}
       - name: Attest docker.io image
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         # If there isn't a digest, an annotation cannot be added
         if: >-
           ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request'
@@ -190,7 +206,7 @@ jobs:
           subject-digest: ${{ steps.docker_build.outputs.digest }}
           push-to-registry: ${{ github.repository_owner == 'OSGeo' && github.event_name != 'pull_request' }}
       - name: Attest ghcr.io image
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         # If there isn't a digest, an annotation cannot be added
         if: ${{ steps.docker_build.outputs.digest }}
         id: attest-ghcr

.github/workflows/macos.yml

@@ -129,7 +129,7 @@ jobs:
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
         with:
           exclude: gui
           flags: macos-pytest-python

.github/workflows/osgeo4w.yml

@@ -156,7 +156,7 @@ jobs:
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
         with:
           exclude: gui
           flags: ${{ matrix.os }}-pytest-python

.github/workflows/pytest.yml

@@ -152,7 +152,7 @@ jobs:
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1.1.1
+        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
         with:
           exclude: gui
           flags: pytest-python-${{ matrix.python-version }}

.github/workflows/python-code-quality.yml

@@ -36,7 +36,7 @@ jobs:
       # renovate: datasource=pypi depName=bandit
       BANDIT_VERSION: "1.9.2"
       # renovate: datasource=pypi depName=ruff
-      RUFF_VERSION: "0.14.9"
+      RUFF_VERSION: "0.14.10"
 
     runs-on: ${{ matrix.os }}
     permissions:
@@ -133,7 +133,7 @@ jobs:
           path: bandit.sarif
 
       - name: Upload SARIF File into Security Tab
-        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: bandit.sarif
 

.markdownlint.yml

@@ -1,4 +1,6 @@
 ---
+# yamllint disable-line rule:line-length
+# yaml-language-server: $schema=https://raw.githubusercontent.com/DavidAnson/markdownlint/refs/heads/main/schema/markdownlint-config-schema.json
 default: true
 
 # Fix any fixable errors (depending on the markdownlint wrapper tool used)
@@ -9,5 +11,11 @@ MD041: false # first-line-h1
 # Errors from .html to .md rename (first step in HTML to Markdown conversion)
 MD013:
   code_blocks: false
+  headings: false
   tables: false
 # The block above this is to be eventually removed.
+
+# MD060/table-column-style : Table column style
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md060.md
+MD060:
+  style: any

.pre-commit-config.yaml

@@ -49,15 +49,15 @@ repos:
       - id: detect-private-key
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.14.9
+    rev: v0.14.10
     hooks:
       # Run the linter.
       - id: ruff-check
         args: [--fix, --preview]
       # Run the formatter.
       - id: ruff-format
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.45.0
+    rev: v0.47.0
     hooks:
       - id: markdownlint-fix
   - repo: https://github.com/pycqa/flake8
@@ -89,7 +89,7 @@ repos:
     hooks:
       - id: actionlint
   - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.18.0
+    rev: v1.19.0
     hooks:
       - id: zizmor
   - repo: https://github.com/editorconfig-checker/editorconfig-checker

CONTRIBUTING.md

@@ -25,8 +25,8 @@ linters (automated code quality checks).
 
 There is a series of automated checks which will run on your pull request
 after you create one. You don't need to run all these
-checks locally and, indeed, some of them may fail for your code. This is a part of
-the standard iterative process of integrating changes into the main code,
+checks locally and, indeed, some of them may fail for your code. This is a part
+of the standard iterative process of integrating changes into the main code,
 so if that happens, just see the error messages, go back to your code
 and try again. If you are not sure what to do, let others know in a pull
 request comment.

Dockerfile

@@ -13,7 +13,7 @@ ARG GEOS_VERSION=3.14.1
 # renovate: datasource=github-tags depName=OSGeo/PROJ
 ARG PROJ_VERSION=9.7.1
 # renovate: datasource=github-tags depName=OSGeo/gdal
-ARG GDAL_VERSION=3.12.0
+ARG GDAL_VERSION=3.12.1
 # renovate: datasource=github-tags depName=PDAL/PDAL
 ARG PDAL_VERSION=2.9.2
 # renovate: datasource=github-tags depName=OSGeo/gdal-grass