From 91a3d0cc81a9161078caa92f9083eb3b3f785975 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 01:40:54 +0000
Subject: [PATCH 1/7] Build(deps): Bump
 https://github.com/zizmorcore/zizmor-pre-commit

Bumps [https://github.com/zizmorcore/zizmor-pre-commit](https://github.com/zizmorcore/zizmor-pre-commit) from v1.19.0 to 1.23.1.
- [Release notes](https://github.com/zizmorcore/zizmor-pre-commit/releases)
- [Commits](https://github.com/zizmorcore/zizmor-pre-commit/compare/v1.19.0...v1.23.1)

---
updated-dependencies:
- dependency-name: https://github.com/zizmorcore/zizmor-pre-commit
  dependency-version: 1.23.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 46f8b949f93..4cedd9b47b8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,6 +16,6 @@ repos:
       - id: chmod
         args: ["644"]
   - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.19.0
+    rev: v1.23.1
     hooks:
       - id: zizmor

From 7e162133f449b5096535bb488e7b6ee3b6469fd7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Apr 2026 01:54:41 +0000
Subject: [PATCH 2/7] Fix zizmor style check failures: pin actions to SHA
 hashes and add dependabot cooldown

Agent-Logs-Url: https://github.com/GenericMappingTools/pygmt/sessions/fd56fdc3-5154-45b2-8aee-0b9578b4b668

Co-authored-by: seisman <3974108+seisman@users.noreply.github.com>
---
 .github/dependabot.yml                        |  2 ++
 .github/workflows/benchmarks.yml              |  2 +-
 .github/workflows/cache_data.yaml             |  4 ++--
 .github/workflows/cache_dvc.yaml              |  4 ++--
 .github/workflows/check-links.yml             |  4 ++--
 .github/workflows/ci_docs.yml                 |  6 +++---
 .github/workflows/ci_doctests.yaml            |  2 +-
 .github/workflows/ci_tests.yaml               |  4 ++--
 .github/workflows/ci_tests_dev.yaml           |  6 +++---
 .github/workflows/ci_tests_legacy.yaml        |  2 +-
 .github/workflows/dvc-diff.yml                |  2 +-
 .github/workflows/format-command.yml          |  6 +++---
 .github/workflows/publish-to-pypi.yml         | 10 +++++-----
 .github/workflows/release-baseline-images.yml |  2 +-
 .github/workflows/style_checks.yaml           |  4 ++--
 .github/workflows/type_checks.yml             |  4 ++--
 .github/workflows/welcome.yml                 |  2 +-
 17 files changed, 34 insertions(+), 32 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 40084a4c37c..37c2e43bba5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -24,3 +24,5 @@ updates:
     labels:
       - "maintenance"
       - "skip-changelog"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 0d9906fede7..f5eb6068fe3 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -36,7 +36,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
diff --git a/.github/workflows/cache_data.yaml b/.github/workflows/cache_data.yaml
index 57d82f4ab49..c058d5e38d9 100644
--- a/.github/workflows/cache_data.yaml
+++ b/.github/workflows/cache_data.yaml
@@ -38,7 +38,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
@@ -74,7 +74,7 @@ jobs:
 
       # Upload the downloaded files as artifacts to GitHub
       - name: Upload artifacts to GitHub
-        uses: actions/upload-artifact@v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: gmt-cache
           include-hidden-files: true
diff --git a/.github/workflows/cache_dvc.yaml b/.github/workflows/cache_dvc.yaml
index 7ece3438156..70906278a30 100644
--- a/.github/workflows/cache_dvc.yaml
+++ b/.github/workflows/cache_dvc.yaml
@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
@@ -52,7 +52,7 @@ jobs:
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
 
       - name: Upload DVC cache as artifacts to GitHub
-        uses: actions/upload-artifact@v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: dvc-cache
           include-hidden-files: true
diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
index f8a4cdbd469..39ac65780f1 100644
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@@ -26,13 +26,13 @@ jobs:
 
     steps:
     - name: Checkout the repository
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         path: repository
         persist-credentials: false
 
     - name: Checkout the documentation
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         ref: gh-pages
         path: documentation
diff --git a/.github/workflows/ci_docs.yml b/.github/workflows/ci_docs.yml
index fc331552294..a561db1e151 100644
--- a/.github/workflows/ci_docs.yml
+++ b/.github/workflows/ci_docs.yml
@@ -72,7 +72,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
@@ -150,7 +150,7 @@ jobs:
           cd ../..
 
       - name: Upload PDF as artifact for previewing on pull requests
-        uses: actions/upload-artifact@v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: github.event_name == 'pull_request' && matrix.os == 'ubuntu-latest'
         with:
           name: artifact-pygmt-docs-pdf
@@ -168,7 +168,7 @@ jobs:
           REF_NAME: ${{ github.ref_name }}
 
       - name: Checkout the gh-pages branch
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: gh-pages
           # Checkout to this folder instead of the current one
diff --git a/.github/workflows/ci_doctests.yaml b/.github/workflows/ci_doctests.yaml
index 43b0fa28eb1..40efc0ec396 100644
--- a/.github/workflows/ci_doctests.yaml
+++ b/.github/workflows/ci_doctests.yaml
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml
index 948a05c0cc1..c7bb21bd415 100644
--- a/.github/workflows/ci_tests.yaml
+++ b/.github/workflows/ci_tests.yaml
@@ -107,7 +107,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
@@ -193,7 +193,7 @@ jobs:
 
       # Upload diff images on test failure
       - name: Upload diff images if any test fails
-        uses: actions/upload-artifact@v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: failure()
         with:
           name: artifact-${{ matrix.os }}-${{ matrix.python-version }}
diff --git a/.github/workflows/ci_tests_dev.yaml b/.github/workflows/ci_tests_dev.yaml
index e311b43d9cb..65b88ddb39c 100644
--- a/.github/workflows/ci_tests_dev.yaml
+++ b/.github/workflows/ci_tests_dev.yaml
@@ -48,7 +48,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
@@ -94,7 +94,7 @@ jobs:
 
       # Checkout current GMT repository
       - name: Checkout the GMT source from ${{ matrix.gmt_git_ref }} branch
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: 'GenericMappingTools/gmt'
           ref: ${{ matrix.gmt_git_ref }}
@@ -187,7 +187,7 @@ jobs:
 
       # Upload diff images on test failure
       - name: Upload diff images if any test fails
-        uses: actions/upload-artifact@v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ failure() }}
         with:
           name: artifact-${{ matrix.os }}-GMT-${{ matrix.gmt_git_ref }}
diff --git a/.github/workflows/ci_tests_legacy.yaml b/.github/workflows/ci_tests_legacy.yaml
index 7ef03db1bec..ae3b9ebecb9 100644
--- a/.github/workflows/ci_tests_legacy.yaml
+++ b/.github/workflows/ci_tests_legacy.yaml
@@ -46,7 +46,7 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
diff --git a/.github/workflows/dvc-diff.yml b/.github/workflows/dvc-diff.yml
index e496352ac4c..669b157d5d1 100644
--- a/.github/workflows/dvc-diff.yml
+++ b/.github/workflows/dvc-diff.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         # fetch all history so that dvc diff works
         fetch-depth: 0
diff --git a/.github/workflows/format-command.yml b/.github/workflows/format-command.yml
index 13f84716b9a..347e443b44f 100644
--- a/.github/workflows/format-command.yml
+++ b/.github/workflows/format-command.yml
@@ -17,14 +17,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Generate token from GenericMappingTools bot
-      - uses: actions/create-github-app-token@v3.0.0
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
       # Checkout the pull request branch
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
@@ -33,7 +33,7 @@ jobs:
 
       # Setup Python environment
       - name: Set up Python and install dependencies
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
           pip-install: ruff prek
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
index 90050ad5096..6d1614566fd 100644
--- a/.github/workflows/publish-to-pypi.yml
+++ b/.github/workflows/publish-to-pypi.yml
@@ -43,14 +43,14 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         # fetch all history so that setuptools-scm works
         fetch-depth: 0
         persist-credentials: false
 
     - name: Set up Python and install dependencies
-      uses: actions/setup-python@v6.2.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.14'
         pip-install: build
@@ -72,7 +72,7 @@ jobs:
         ls -lh dist/
 
     - name: Store the distribution packages
-      uses: actions/upload-artifact@v7.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: python-package-distributions
         path: dist/
@@ -91,7 +91,7 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v8.0.1
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: python-package-distributions
         path: dist/
@@ -115,7 +115,7 @@ jobs:
 
     steps:
     - name: Download all the dists
-      uses: actions/download-artifact@v8.0.1
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: python-package-distributions
         path: dist/
diff --git a/.github/workflows/release-baseline-images.yml b/.github/workflows/release-baseline-images.yml
index b0fb833ef81..cae7dd6d405 100644
--- a/.github/workflows/release-baseline-images.yml
+++ b/.github/workflows/release-baseline-images.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v6.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         persist-credentials: false
 
diff --git a/.github/workflows/style_checks.yaml b/.github/workflows/style_checks.yaml
index 547a174e63e..a5600536f41 100644
--- a/.github/workflows/style_checks.yaml
+++ b/.github/workflows/style_checks.yaml
@@ -26,12 +26,12 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: Set up Python and install dependencies
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
           pip-install: ruff prek
diff --git a/.github/workflows/type_checks.yml b/.github/workflows/type_checks.yml
index 537f114ddb8..baac2f80b6a 100644
--- a/.github/workflows/type_checks.yml
+++ b/.github/workflows/type_checks.yml
@@ -35,13 +35,13 @@ jobs:
     steps:
       # Checkout current git repository
       - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       # Setup Python
       - name: Set up Python
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
           # Need to install following packages:
diff --git a/.github/workflows/welcome.yml b/.github/workflows/welcome.yml
index ae9724d953d..0de51247096 100644
--- a/.github/workflows/welcome.yml
+++ b/.github/workflows/welcome.yml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/first-interaction@v3.1.0
+      - uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3.1.0
         with:
           issue_message: |
             👋 Thanks for opening your first issue here!

From 67d035726f8c7c63ccb59f313e225860e458f87c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Apr 2026 02:09:46 +0000
Subject: [PATCH 3/7] Fix remaining zizmor warnings: secrets-outside-env and
 misfeature

Agent-Logs-Url: https://github.com/GenericMappingTools/pygmt/sessions/d14e997e-2c29-4834-ac69-db5afcbad0ff

Co-authored-by: seisman <3974108+seisman@users.noreply.github.com>
---
 .github/workflows/cache_dvc.yaml              |  2 +-
 .github/workflows/ci_tests_dev.yaml           |  2 +-
 .github/workflows/dvc-diff.yml                |  2 +-
 .github/workflows/format-command.yml          | 10 ++++++----
 .github/workflows/publish-to-pypi.yml         |  6 ++++--
 .github/workflows/release-baseline-images.yml |  2 +-
 .github/workflows/style_checks.yaml           |  6 ++++--
 .github/workflows/type_checks.yml             |  7 ++++---
 8 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/cache_dvc.yaml b/.github/workflows/cache_dvc.yaml
index 70906278a30..e6a47386612 100644
--- a/.github/workflows/cache_dvc.yaml
+++ b/.github/workflows/cache_dvc.yaml
@@ -46,7 +46,7 @@ jobs:
 
       - name: Pull baseline image data from dvc remote
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
         run: |
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
diff --git a/.github/workflows/ci_tests_dev.yaml b/.github/workflows/ci_tests_dev.yaml
index 65b88ddb39c..3b26094e658 100644
--- a/.github/workflows/ci_tests_dev.yaml
+++ b/.github/workflows/ci_tests_dev.yaml
@@ -153,7 +153,7 @@ jobs:
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
 
       - name: Download DVC cache as artifacts from GitHub
         if: steps.dvc-pull.outcome == 'failure'
diff --git a/.github/workflows/dvc-diff.yml b/.github/workflows/dvc-diff.yml
index 669b157d5d1..aa4b4cce2da 100644
--- a/.github/workflows/dvc-diff.yml
+++ b/.github/workflows/dvc-diff.yml
@@ -59,7 +59,7 @@ jobs:
       env:
         REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
       run: |
         echo -e "## Summary of changed images\n" > report.md
         echo -e "This is an auto-generated report of images that have changed on the DVC remote\n" >> report.md
diff --git a/.github/workflows/format-command.yml b/.github/workflows/format-command.yml
index 347e443b44f..174f6355809 100644
--- a/.github/workflows/format-command.yml
+++ b/.github/workflows/format-command.yml
@@ -20,8 +20,8 @@ jobs:
       - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.APP_ID }} # zizmor: ignore[secrets-outside-env]
+          private-key: ${{ secrets.APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env]
 
       # Checkout the pull request branch
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -32,11 +32,13 @@ jobs:
           persist-credentials: true
 
       # Setup Python environment
-      - name: Set up Python and install dependencies
+      - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-          pip-install: ruff prek
+
+      - name: Install dependencies
+        run: pip install ruff prek
 
       - name: List installed packages
         run: python -m pip list
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
index 6d1614566fd..fdb6080b556 100644
--- a/.github/workflows/publish-to-pypi.yml
+++ b/.github/workflows/publish-to-pypi.yml
@@ -49,11 +49,13 @@ jobs:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Set up Python and install dependencies
+    - name: Set up Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.14'
-        pip-install: build
+
+    - name: Install dependencies
+      run: pip install build
 
     # This step is only necessary for testing purposes and for TestPyPI
     - name: Fix up version string for TestPyPI
diff --git a/.github/workflows/release-baseline-images.yml b/.github/workflows/release-baseline-images.yml
index cae7dd6d405..e7839f77c24 100644
--- a/.github/workflows/release-baseline-images.yml
+++ b/.github/workflows/release-baseline-images.yml
@@ -35,7 +35,7 @@ jobs:
         dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
         dvc pull && ls -lhR pygmt/tests/baseline/
       env:
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
 
     - name: Create the baseline image asset in zip format
       run: |
diff --git a/.github/workflows/style_checks.yaml b/.github/workflows/style_checks.yaml
index a5600536f41..874431f9771 100644
--- a/.github/workflows/style_checks.yaml
+++ b/.github/workflows/style_checks.yaml
@@ -30,11 +30,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up Python and install dependencies
+      - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-          pip-install: ruff prek
+
+      - name: Install dependencies
+        run: pip install ruff prek
 
       - name: List installed packages
         run: python -m pip list
diff --git a/.github/workflows/type_checks.yml b/.github/workflows/type_checks.yml
index baac2f80b6a..13c02fb6cae 100644
--- a/.github/workflows/type_checks.yml
+++ b/.github/workflows/type_checks.yml
@@ -44,13 +44,14 @@ jobs:
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
+
+      - name: Install dependencies
+        run: |
           # Need to install following packages:
           # 1. required packages
           # 2. type checker and stub packages
           # 3. other packages that are used somewhere in PyGMT
-          pip-install: |
-            numpy pandas xarray packaging
-            mypy pandas-stubs pyarrow-stubs
+          pip install numpy pandas xarray packaging mypy pandas-stubs pyarrow-stubs
 
       - name: List install packages
         run: python -m pip list

From 640c348e094917ece107fd5dbdac08c0e5d76b20 Mon Sep 17 00:00:00 2001
From: Dongdong Tian <seisman.info@gmail.com>
Date: Thu, 2 Apr 2026 10:11:16 +0800
Subject: [PATCH 4/7] Revert "Fix remaining zizmor warnings:
 secrets-outside-env and misfeature"

This reverts commit 67d035726f8c7c63ccb59f313e225860e458f87c.
---
 .github/workflows/cache_dvc.yaml              |  2 +-
 .github/workflows/ci_tests_dev.yaml           |  2 +-
 .github/workflows/dvc-diff.yml                |  2 +-
 .github/workflows/format-command.yml          | 10 ++++------
 .github/workflows/publish-to-pypi.yml         |  6 ++----
 .github/workflows/release-baseline-images.yml |  2 +-
 .github/workflows/style_checks.yaml           |  6 ++----
 .github/workflows/type_checks.yml             |  7 +++----
 8 files changed, 15 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/cache_dvc.yaml b/.github/workflows/cache_dvc.yaml
index e6a47386612..70906278a30 100644
--- a/.github/workflows/cache_dvc.yaml
+++ b/.github/workflows/cache_dvc.yaml
@@ -46,7 +46,7 @@ jobs:
 
       - name: Pull baseline image data from dvc remote
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
         run: |
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
diff --git a/.github/workflows/ci_tests_dev.yaml b/.github/workflows/ci_tests_dev.yaml
index 3b26094e658..65b88ddb39c 100644
--- a/.github/workflows/ci_tests_dev.yaml
+++ b/.github/workflows/ci_tests_dev.yaml
@@ -153,7 +153,7 @@ jobs:
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
 
       - name: Download DVC cache as artifacts from GitHub
         if: steps.dvc-pull.outcome == 'failure'
diff --git a/.github/workflows/dvc-diff.yml b/.github/workflows/dvc-diff.yml
index aa4b4cce2da..669b157d5d1 100644
--- a/.github/workflows/dvc-diff.yml
+++ b/.github/workflows/dvc-diff.yml
@@ -59,7 +59,7 @@ jobs:
       env:
         REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
       run: |
         echo -e "## Summary of changed images\n" > report.md
         echo -e "This is an auto-generated report of images that have changed on the DVC remote\n" >> report.md
diff --git a/.github/workflows/format-command.yml b/.github/workflows/format-command.yml
index 174f6355809..347e443b44f 100644
--- a/.github/workflows/format-command.yml
+++ b/.github/workflows/format-command.yml
@@ -20,8 +20,8 @@ jobs:
       - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
-          app-id: ${{ secrets.APP_ID }} # zizmor: ignore[secrets-outside-env]
-          private-key: ${{ secrets.APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env]
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
       # Checkout the pull request branch
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -32,13 +32,11 @@ jobs:
           persist-credentials: true
 
       # Setup Python environment
-      - name: Set up Python
+      - name: Set up Python and install dependencies
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-
-      - name: Install dependencies
-        run: pip install ruff prek
+          pip-install: ruff prek
 
       - name: List installed packages
         run: python -m pip list
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
index fdb6080b556..6d1614566fd 100644
--- a/.github/workflows/publish-to-pypi.yml
+++ b/.github/workflows/publish-to-pypi.yml
@@ -49,13 +49,11 @@ jobs:
         fetch-depth: 0
         persist-credentials: false
 
-    - name: Set up Python
+    - name: Set up Python and install dependencies
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.14'
-
-    - name: Install dependencies
-      run: pip install build
+        pip-install: build
 
     # This step is only necessary for testing purposes and for TestPyPI
     - name: Fix up version string for TestPyPI
diff --git a/.github/workflows/release-baseline-images.yml b/.github/workflows/release-baseline-images.yml
index e7839f77c24..cae7dd6d405 100644
--- a/.github/workflows/release-baseline-images.yml
+++ b/.github/workflows/release-baseline-images.yml
@@ -35,7 +35,7 @@ jobs:
         dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
         dvc pull && ls -lhR pygmt/tests/baseline/
       env:
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
 
     - name: Create the baseline image asset in zip format
       run: |
diff --git a/.github/workflows/style_checks.yaml b/.github/workflows/style_checks.yaml
index 874431f9771..a5600536f41 100644
--- a/.github/workflows/style_checks.yaml
+++ b/.github/workflows/style_checks.yaml
@@ -30,13 +30,11 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up Python
+      - name: Set up Python and install dependencies
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-
-      - name: Install dependencies
-        run: pip install ruff prek
+          pip-install: ruff prek
 
       - name: List installed packages
         run: python -m pip list
diff --git a/.github/workflows/type_checks.yml b/.github/workflows/type_checks.yml
index 13c02fb6cae..baac2f80b6a 100644
--- a/.github/workflows/type_checks.yml
+++ b/.github/workflows/type_checks.yml
@@ -44,14 +44,13 @@ jobs:
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-
-      - name: Install dependencies
-        run: |
           # Need to install following packages:
           # 1. required packages
           # 2. type checker and stub packages
           # 3. other packages that are used somewhere in PyGMT
-          pip install numpy pandas xarray packaging mypy pandas-stubs pyarrow-stubs
+          pip-install: |
+            numpy pandas xarray packaging
+            mypy pandas-stubs pyarrow-stubs
 
       - name: List install packages
         run: python -m pip list

From aeeadfbebd00f2771b56e34e28034ad7db5056a7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Apr 2026 02:43:33 +0000
Subject: [PATCH 5/7] Fix zizmor warnings with inline ignore comments instead
 of restructuring

Agent-Logs-Url: https://github.com/GenericMappingTools/pygmt/sessions/4d06361c-0f56-4718-8b9d-651a83a18d5f

Co-authored-by: seisman <3974108+seisman@users.noreply.github.com>
---
 .github/workflows/cache_dvc.yaml              | 2 +-
 .github/workflows/ci_tests_dev.yaml           | 2 +-
 .github/workflows/dvc-diff.yml                | 2 +-
 .github/workflows/format-command.yml          | 6 +++---
 .github/workflows/publish-to-pypi.yml         | 2 +-
 .github/workflows/release-baseline-images.yml | 2 +-
 .github/workflows/style_checks.yaml           | 2 +-
 .github/workflows/type_checks.yml             | 2 +-
 8 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/cache_dvc.yaml b/.github/workflows/cache_dvc.yaml
index 70906278a30..e6a47386612 100644
--- a/.github/workflows/cache_dvc.yaml
+++ b/.github/workflows/cache_dvc.yaml
@@ -46,7 +46,7 @@ jobs:
 
       - name: Pull baseline image data from dvc remote
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
         run: |
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
diff --git a/.github/workflows/ci_tests_dev.yaml b/.github/workflows/ci_tests_dev.yaml
index 65b88ddb39c..3b26094e658 100644
--- a/.github/workflows/ci_tests_dev.yaml
+++ b/.github/workflows/ci_tests_dev.yaml
@@ -153,7 +153,7 @@ jobs:
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
 
       - name: Download DVC cache as artifacts from GitHub
         if: steps.dvc-pull.outcome == 'failure'
diff --git a/.github/workflows/dvc-diff.yml b/.github/workflows/dvc-diff.yml
index 669b157d5d1..aa4b4cce2da 100644
--- a/.github/workflows/dvc-diff.yml
+++ b/.github/workflows/dvc-diff.yml
@@ -59,7 +59,7 @@ jobs:
       env:
         REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
       run: |
         echo -e "## Summary of changed images\n" > report.md
         echo -e "This is an auto-generated report of images that have changed on the DVC remote\n" >> report.md
diff --git a/.github/workflows/format-command.yml b/.github/workflows/format-command.yml
index 347e443b44f..d8e57ce9592 100644
--- a/.github/workflows/format-command.yml
+++ b/.github/workflows/format-command.yml
@@ -20,8 +20,8 @@ jobs:
       - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.APP_ID }} # zizmor: ignore[secrets-outside-env]
+          private-key: ${{ secrets.APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env]
 
       # Checkout the pull request branch
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -36,7 +36,7 @@ jobs:
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-          pip-install: ruff prek
+          pip-install: ruff prek # zizmor: ignore[misfeature]
 
       - name: List installed packages
         run: python -m pip list
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
index 6d1614566fd..8dea00aa0d9 100644
--- a/.github/workflows/publish-to-pypi.yml
+++ b/.github/workflows/publish-to-pypi.yml
@@ -53,7 +53,7 @@ jobs:
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.14'
-        pip-install: build
+        pip-install: build # zizmor: ignore[misfeature]
 
     # This step is only necessary for testing purposes and for TestPyPI
     - name: Fix up version string for TestPyPI
diff --git a/.github/workflows/release-baseline-images.yml b/.github/workflows/release-baseline-images.yml
index cae7dd6d405..e7839f77c24 100644
--- a/.github/workflows/release-baseline-images.yml
+++ b/.github/workflows/release-baseline-images.yml
@@ -35,7 +35,7 @@ jobs:
         dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
         dvc pull && ls -lhR pygmt/tests/baseline/
       env:
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
 
     - name: Create the baseline image asset in zip format
       run: |
diff --git a/.github/workflows/style_checks.yaml b/.github/workflows/style_checks.yaml
index a5600536f41..e8b41d18cb3 100644
--- a/.github/workflows/style_checks.yaml
+++ b/.github/workflows/style_checks.yaml
@@ -34,7 +34,7 @@ jobs:
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.14'
-          pip-install: ruff prek
+          pip-install: ruff prek # zizmor: ignore[misfeature]
 
       - name: List installed packages
         run: python -m pip list
diff --git a/.github/workflows/type_checks.yml b/.github/workflows/type_checks.yml
index baac2f80b6a..c166c72b19c 100644
--- a/.github/workflows/type_checks.yml
+++ b/.github/workflows/type_checks.yml
@@ -48,7 +48,7 @@ jobs:
           # 1. required packages
           # 2. type checker and stub packages
           # 3. other packages that are used somewhere in PyGMT
-          pip-install: |
+          pip-install: | # zizmor: ignore[misfeature]
             numpy pandas xarray packaging
             mypy pandas-stubs pyarrow-stubs
 

From 57cd39ef70f11f27d12da0cc005a736a57aa4b1a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Apr 2026 02:19:23 +0000
Subject: [PATCH 6/7] Fix secrets-outside-env by adding environment: pr-tests
 instead of ignore comments

Agent-Logs-Url: https://github.com/GenericMappingTools/pygmt/sessions/34c68390-57cf-4c45-b6a2-75a9571e867a

Co-authored-by: seisman <3974108+seisman@users.noreply.github.com>
---
 .github/workflows/cache_dvc.yaml              | 3 ++-
 .github/workflows/ci_tests_dev.yaml           | 3 ++-
 .github/workflows/dvc-diff.yml                | 3 ++-
 .github/workflows/format-command.yml          | 5 +++--
 .github/workflows/release-baseline-images.yml | 3 ++-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/cache_dvc.yaml b/.github/workflows/cache_dvc.yaml
index e6a47386612..d9eac614e1e 100644
--- a/.github/workflows/cache_dvc.yaml
+++ b/.github/workflows/cache_dvc.yaml
@@ -29,6 +29,7 @@ jobs:
   dvc_cache:
     name: Cache DVC baseline images
     runs-on: ubuntu-latest
+    environment: pr-tests
     defaults:
       run:
         shell: bash -l {0}
@@ -46,7 +47,7 @@ jobs:
 
       - name: Pull baseline image data from dvc remote
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
         run: |
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
diff --git a/.github/workflows/ci_tests_dev.yaml b/.github/workflows/ci_tests_dev.yaml
index 3b26094e658..87ea333ce03 100644
--- a/.github/workflows/ci_tests_dev.yaml
+++ b/.github/workflows/ci_tests_dev.yaml
@@ -34,6 +34,7 @@ jobs:
   test_gmt_dev:
     name: ${{ matrix.os }} - GMT ${{ matrix.gmt_git_ref }}
     runs-on: ${{ matrix.os }}
+    environment: pr-tests
     if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run/test-gmt-dev')
     strategy:
       fail-fast: false
@@ -153,7 +154,7 @@ jobs:
           dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
           dvc pull --no-run-cache --verbose && ls -lhR pygmt/tests/baseline/
         env:
-          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+          DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
 
       - name: Download DVC cache as artifacts from GitHub
         if: steps.dvc-pull.outcome == 'failure'
diff --git a/.github/workflows/dvc-diff.yml b/.github/workflows/dvc-diff.yml
index aa4b4cce2da..d7d932a71e4 100644
--- a/.github/workflows/dvc-diff.yml
+++ b/.github/workflows/dvc-diff.yml
@@ -22,6 +22,7 @@ jobs:
   dvc-diff:
     name: DVC image diff
     runs-on: ubuntu-latest
+    environment: pr-tests
 
     steps:
     - name: Checkout
@@ -59,7 +60,7 @@ jobs:
       env:
         REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
       run: |
         echo -e "## Summary of changed images\n" > report.md
         echo -e "This is an auto-generated report of images that have changed on the DVC remote\n" >> report.md
diff --git a/.github/workflows/format-command.yml b/.github/workflows/format-command.yml
index d8e57ce9592..5ddffd796dd 100644
--- a/.github/workflows/format-command.yml
+++ b/.github/workflows/format-command.yml
@@ -12,6 +12,7 @@ permissions: {}
 
 jobs:
   format:
+    environment: pr-tests
     permissions:
       contents: write # for Git to git push
     runs-on: ubuntu-latest
@@ -20,8 +21,8 @@ jobs:
       - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
-          app-id: ${{ secrets.APP_ID }} # zizmor: ignore[secrets-outside-env]
-          private-key: ${{ secrets.APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env]
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
       # Checkout the pull request branch
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/release-baseline-images.yml b/.github/workflows/release-baseline-images.yml
index e7839f77c24..085340c6b8b 100644
--- a/.github/workflows/release-baseline-images.yml
+++ b/.github/workflows/release-baseline-images.yml
@@ -15,6 +15,7 @@ jobs:
   upload-baseline:
     name: Upload baseline images
     runs-on: ubuntu-latest
+    environment: pr-tests
     if: github.repository == 'GenericMappingTools/pygmt'
 
     permissions:
@@ -35,7 +36,7 @@ jobs:
         dvc remote modify upstream url https://${DAGSHUB_TOKEN}@dagshub.com/GenericMappingTools/pygmt.dvc --local
         dvc pull && ls -lhR pygmt/tests/baseline/
       env:
-        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        DAGSHUB_TOKEN: ${{ secrets.DAGSHUB_TOKEN }}
 
     - name: Create the baseline image asset in zip format
       run: |

From 3f51f7a8cb21ec61298c162dfad24ea4770ffc88 Mon Sep 17 00:00:00 2001
From: actions-bot <58130806+actions-bot@users.noreply.github.com>
Date: Fri, 3 Apr 2026 02:34:12 +0000
Subject: [PATCH 7/7] [format-command] fixes

---
 pygmt/tests/test_clib_to_numpy.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pygmt/tests/test_clib_to_numpy.py b/pygmt/tests/test_clib_to_numpy.py
index 6dc716bc309..af2c0ec8733 100644
--- a/pygmt/tests/test_clib_to_numpy.py
+++ b/pygmt/tests/test_clib_to_numpy.py
@@ -54,7 +54,7 @@ def _check_result(result, expected_dtype):
         pytest.param([1, 2, 3], np.int64, id="int"),
         pytest.param([1.0, 2.0, 3.0], np.float64, id="float"),
         pytest.param(
-            [complex(+1), complex(-2j), complex("-Infinity+NaNj")],
+            [complex(+1), (-2j), complex("-Infinity+NaNj")],
             np.complex128,
             id="complex",
         ),