Merge branch 'refs/heads/master' into sbom

StanFromIreland · StanFromIreland · commit 1ac219e6f576 · 2026-04-25T19:07:45.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,4 +7,9 @@ updates:
     groups:
       actions:
         patterns:
-          - "*"
+          - "*"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
@@ -14,27 +14,33 @@ jobs:
       contents: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: true  # Needed to push the tag
 
       - name: Get current version
         id: version
         run: |
           VERSION=$(cat VERSION)
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Check if tag already exists
         id: checktag
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          if git rev-parse "v${{ steps.version.outputs.version }}" >/dev/null 2>&1; then
-            echo "skip=true" >> $GITHUB_OUTPUT
+          if git rev-parse "${VERSION}" >/dev/null 2>&1; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
           else
-            echo "skip=false" >> $GITHUB_OUTPUT
+            echo "skip=false" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Push tag
         if: steps.checktag.outputs.skip == 'false'
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git tag "${{ steps.version.outputs.version }}"
-          git push origin "${{ steps.version.outputs.version }}"
+          git tag "${VERSION}"
+          git push origin "${VERSION}"
diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml
@@ -5,9 +5,13 @@ on:
     - cron: '0 9 * * *'  # Runs daily at 9AM UTC
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check-pr-exists:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     outputs:
       pr_exists: ${{ steps.check_pr_exists.outputs.pr_exists }}
     steps:
@@ -16,15 +20,15 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PR_EXISTS=$(gh pr --repo $GITHUB_REPOSITORY \
+          PR_EXISTS=$(gh pr --repo "$GITHUB_REPOSITORY" \
                       list --search "Update tzdata to version" \
                       --json number --jq '.[] | .number')
           if [ -n "$PR_EXISTS" ]; then
             echo "A PR updating the tzdata version already exists: https://github.com/python/tzdata/pulls/${PR_EXISTS}"
-            echo "pr_exists=true" >> $GITHUB_OUTPUT
+            echo "pr_exists=true" >> "$GITHUB_OUTPUT"
             exit 0
           else
-            echo "pr_exists=false" >> $GITHUB_OUTPUT
+            echo "pr_exists=false" >> "$GITHUB_OUTPUT"
           fi
 
   check-for-updates:
@@ -36,12 +40,13 @@ jobs:
     if: needs.check-pr-exists.outputs.pr_exists == 'false'  # Run only if no PR exists
     steps:
       - name: Check out repository (shallow)
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1  # Shallow clone to save time
+          persist-credentials: true  # Needed to push the update
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
@@ -62,7 +67,7 @@ jobs:
           # Check for changes
           if git diff --quiet; then
             echo "No changes detected."
-            echo "CHANGES_DETECTED=false" >> $GITHUB_ENV
+            echo "CHANGES_DETECTED=false" >> "$GITHUB_ENV"
             exit 0
           fi
 
@@ -75,19 +80,19 @@ jobs:
             exit 1
           fi
 
-          if [ $(echo "$news_files" | wc -l) -ne 1 ]; then
+          if [ "$(echo "$news_files" | wc -l)" -ne 1 ]; then
             echo "More than one new file added in news.d, failing the job."
             exit 1
           fi
-          echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
+          echo "CHANGES_DETECTED=true" >> "$GITHUB_ENV"
 
           # Extract TZDATA_VERSION from filename
           TZDATA_VERSION=$(basename "$news_files" .md)
 
           # Extract TZDATA_NEWS from file content
           TZDATA_NEWS=$(cat "$news_files")
 
-          echo "TZDATA_VERSION=$TZDATA_VERSION" >> $GITHUB_ENV
+          echo "TZDATA_VERSION=$TZDATA_VERSION" >> "$GITHUB_ENV"
           {
             echo "TZDATA_NEWS<<EOF"
             echo "$TZDATA_NEWS"
@@ -111,5 +116,5 @@ jobs:
           gh pr create --title "Update tzdata to version $TZDATA_VERSION" \
             --body "$TZDATA_NEWS" \
             --base master \
-            --head $(git rev-parse --abbrev-ref HEAD) \
+            --head "$(git rev-parse --abbrev-ref HEAD)" \
             --label "automatic-updates"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -24,9 +24,11 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.x'
     - name: Install dependencies
@@ -44,12 +46,12 @@ jobs:
         tox -e build
     - name: Publish package (TestPyPI)
       if: github.event_name == 'push'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
       with:
         repository-url: https://test.pypi.org/legacy/
         verbose: true
     - name: Publish package
       if: github.event_name == 'release'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
       with:
         verbose: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -7,6 +7,8 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   tests:
 
@@ -25,12 +27,14 @@ jobs:
     env:
       TOXENV: py
     container:
-      image: ${{ matrix.use-container && format('python:{0}', matrix.python-version) || '' }}
+      image: ${{ matrix.use-container && format('python:{0}', matrix.python-version) || '' }}  # zizmor: ignore[unpinned-images]
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     - if: ${{ !matrix.use-container }}
       name: Set up Python ${{ matrix.python-version }} on ${{ matrix.os }} (non-containers)
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
         allow-prereleases: true
@@ -51,9 +55,11 @@ jobs:
       TOXENV: ${{ matrix.toxenv }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: ${{ matrix.toxenv }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
       - name: Install tox
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,12 +1,12 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 25.9.0
+    rev: 26.3.1
     hooks:
       - id: black
         language_version: "python3.12"
 
   - repo: https://github.com/pycqa/isort
-    rev: 7.0.0
+    rev: 8.0.1
     hooks:
       - id: isort
         additional_dependencies: [ toml ]
@@ -18,7 +18,28 @@ repos:
       - id: trailing-whitespace
       - id: debug-statements
 
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.37.1
+    hooks:
+      - id: check-dependabot
+      - id: check-github-workflows
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.12
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.24.1
+    hooks:
+      - id: zizmor
+
   - repo: https://github.com/asottile/setup-cfg-fmt
-    rev: v3.1.0
+    rev: v3.2.0
     hooks:
     -   id: setup-cfg-fmt
+
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,22 @@
+# Version 2026.2
+Upstream version 2026b released 2026-04-23T06:06:43+00:00
+
+## Briefly:
+
+British Columbia moved to permanent -07 on 2026-03-09. Some more overflow bugs
+have been fixed in zic.
+
+## Changes to future timestamps
+
+British Columbia’s 2026-03-08 spring forward was its last foreseeable clock
+change, as it moved to permanent -07 thereafter. (Thanks to Arthur David Olson.)
+Although the change to permanent -07 legally took place on 2026-03-09,
+temporarily model the change to occur on 2026-11-01 at 02:00 instead.  This
+works around a limitation in CLDR v48.2 (2026-03-17).  This temporary hack is
+planned to be removed after CLDR is fixed.
+
+---
+
 # Version 2026.1
 Upstream version 2026a released 2026-03-02T06:59:49+00:00
 
diff --git a/README.rst b/README.rst
@@ -4,7 +4,7 @@ tzdata: Python package providing IANA time zone data
 This is a Python package containing ``zic``-compiled binaries for the IANA time
 zone database. It is intended to be a fallback for systems that do not have
 system time zone data installed (or don't have it installed in a standard
-location), as a part of `PEP 615 <https://www.python.org/dev/peps/pep-0615/>`_
+location), as a part of `PEP 615 <https://www.python.org/dev/peps/pep-0615/>`_.
 
 This repository generates a ``pip``-installable package, published on PyPI as
 `tzdata <https://pypi.org/project/tzdata>`_.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2026.1
+2026.2
diff --git a/docs/index.rst b/docs/index.rst
@@ -4,9 +4,10 @@ tzdata: Python package providing IANA time zone data
 This is a Python package containing ``zic``-compiled binaries for the IANA time
 zone database. It is intended to be a fallback for systems that do not have
 system time zone data installed (or don't have it installed in a standard
-location), as a part of `PEP 615 <https://www.python.org/dev/peps/pep-0615/>`_
+location), as a part of `PEP 615 <https://www.python.org/dev/peps/pep-0615/>`_.
 
-This repository generates a ``pip``-installable package, published on PyPI as
+The `python/tzdata <https://github.com/python/tzdata>`_ repository generates a
+``pip``-installable package, published on PyPI as
 `tzdata <https://pypi.org/project/tzdata>`_.
 
 Overview
diff --git a/src/tzdata/__init__.py b/src/tzdata/__init__.py
@@ -1,6 +1,6 @@
 # IANA versions like 2020a are not valid PEP 440 identifiers; the recommended
 # way to translate the version is to use YYYY.n where `n` is a 0-based index.
-__version__ = "2026.1"
+__version__ = "2026.2"
 
 # This exposes the original IANA version number.
-IANA_VERSION = "2026a"
+IANA_VERSION = "2026b"
diff --git a/src/tzdata/zoneinfo/America/Vancouver b/src/tzdata/zoneinfo/America/Vancouver
diff --git a/src/tzdata/zoneinfo/Asia/Ho_Chi_Minh b/src/tzdata/zoneinfo/Asia/Ho_Chi_Minh
diff --git a/src/tzdata/zoneinfo/Asia/Saigon b/src/tzdata/zoneinfo/Asia/Saigon
diff --git a/src/tzdata/zoneinfo/Canada/Pacific b/src/tzdata/zoneinfo/Canada/Pacific
diff --git a/src/tzdata/zoneinfo/tzdata.zi b/src/tzdata/zoneinfo/tzdata.zi
@@ -1,4 +1,4 @@
-# version 2026a
+# version 2026b-dirty
 # redo posix_only
 # This zic input file is in the public domain.
 R d 1916 o - Jun 14 23s 1 S
@@ -2966,7 +2966,9 @@ Z America/Toronto -5:17:32 - LMT 1895
 -5 C E%sT
 Z America/Vancouver -8:12:28 - LMT 1884
 -8 Va P%sT 1987
--8 C P%sT
+-8 C P%sT 2026 Mar 9
+-8 1 PDT 2026 N 1 2
+-7 - MST
 Z America/Whitehorse -9:0:12 - LMT 1900 Au 20
 -9 Y Y%sT 1965
 -9 Yu Y%sT 1966 F 27
diff --git a/src/tzdata/zoneinfo/zone.tab b/src/tzdata/zoneinfo/zone.tab
@@ -124,12 +124,12 @@ CA	+5017-10750	America/Swift_Current	CST - SK (midwest)
 CA	+5333-11328	America/Edmonton	Mountain - AB, BC(E), NT(E), SK(W)
 CA	+690650-1050310	America/Cambridge_Bay	Mountain - NU (west)
 CA	+682059-1334300	America/Inuvik	Mountain - NT (west)
+CA	+4916-12307	America/Vancouver	MST - BC (most areas)
 CA	+4906-11631	America/Creston	MST - BC (Creston)
 CA	+5546-12014	America/Dawson_Creek	MST - BC (Dawson Cr, Ft St John)
 CA	+5848-12242	America/Fort_Nelson	MST - BC (Ft Nelson)
 CA	+6043-13503	America/Whitehorse	MST - Yukon (east)
 CA	+6404-13925	America/Dawson	MST - Yukon (west)
-CA	+4916-12307	America/Vancouver	Pacific - BC (most areas)
 CC	-1210+09655	Indian/Cocos
 CD	-0418+01518	Africa/Kinshasa	Dem. Rep. of Congo (west)
 CD	-1140+02728	Africa/Lubumbashi	Dem. Rep. of Congo (east)
diff --git a/src/tzdata/zoneinfo/zone1970.tab b/src/tzdata/zoneinfo/zone1970.tab
@@ -115,11 +115,11 @@ CA	+5017-10750	America/Swift_Current	CST - SK (midwest)
 CA	+5333-11328	America/Edmonton	Mountain - AB, BC(E), NT(E), SK(W)
 CA	+690650-1050310	America/Cambridge_Bay	Mountain - NU (west)
 CA	+682059-1334300	America/Inuvik	Mountain - NT (west)
+CA	+4916-12307	America/Vancouver	MST - BC (most areas)
 CA	+5546-12014	America/Dawson_Creek	MST - BC (Dawson Cr, Ft St John)
 CA	+5848-12242	America/Fort_Nelson	MST - BC (Ft Nelson)
 CA	+6043-13503	America/Whitehorse	MST - Yukon (east)
 CA	+6404-13925	America/Dawson	MST - Yukon (west)
-CA	+4916-12307	America/Vancouver	Pacific - BC (most areas)
 CH,DE,LI	+4723+00832	Europe/Zurich	Büsingen
 CI,BF,GH,GM,GN,IS,ML,MR,SH,SL,SN,TG	+0519-00402	Africa/Abidjan
 CK	-2114-15946	Pacific/Rarotonga
diff --git a/src/tzdata/zoneinfo/zonenow.tab b/src/tzdata/zoneinfo/zonenow.tab
@@ -58,6 +58,9 @@ XX	-2504-13005	Pacific/Pitcairn	Pitcairn
 # -08/-07 - PST/PDT (North America DST)
 XX	+340308-1181434	America/Los_Angeles	Pacific (PST/PDT) - US & Canada; Mexico near US border
 #
+# -08/-07 - PST/PDT (North America DST) until 2026-11-01 02:00; then MST
+XX	+4916-12307	America/Vancouver	MST - BC (most areas)
+#
 # -07 - MST
 XX	+332654-1120424	America/Phoenix	Mountain Standard (MST) - Arizona; western Mexico; Yukon
 #
diff --git a/update.py b/update.py
@@ -409,11 +409,11 @@ def read_news(tzdb_loc: pathlib.Path, version: str | None = None) -> NewsEntry:
                 break
         else:
             if version is None:
-                message = "No releases found!"
+                message = "No releases found in NEWS file!"
             else:
-                message = f"No release found with version {version}"
+                message = f"No release found with version {version} in NEWS file!"
+            raise ValueError(message)
 
-        assert m is not None
         version_date = datetime.strptime(m.group("date"), "%Y-%m-%d %H:%M:%S %z")
         release_version = m.group("version")
         release_contents, _ = read_block(f_lines)
