CSHS-CWRA · Zeitsperre · Feb 10, 2026 · Feb 9, 2026 · Dec 22, 2025 · Dec 22, 2025
diff --git a/.cruft.json b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/Ouranosinc/cookiecutter-pypackage",
-  "commit": "273d570f627b0ac0fb07c2457f0072e492bff6d7",
+  "commit": "14cbc49f79a6bba2502c8b3a593ff0babaf661ed",
   "context": {
     "cookiecutter": {
       "full_name": "David Huard",
@@ -22,7 +22,7 @@
       "generated_with_cruft": "y",
       "__gh_slug": "https://github.com/CSHS-CWRA/RavenPy",
       "_template": "https://github.com/Ouranosinc/cookiecutter-pypackage",
-      "_commit": "273d570f627b0ac0fb07c2457f0072e492bff6d7"
+      "_commit": "14cbc49f79a6bba2502c8b3a593ff0babaf661ed"
     }
   },
   "directory": null,

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,19 +13,23 @@ updates:
       actions:
         patterns:
           - "*"
+        update-types:
+          - patch
+          - minor
+          - major
     cooldown:
       default-days: 7
 
   - package-ecosystem: pip
-    directory: /
+    directory: /CI
     schedule:
       interval: "quarterly"
-    groups:
-      ci:
-        patterns:
-          - "CI/*"
       python:
         patterns:
-          - "pyproject.toml"
+          - "requirements_ci.*"
+        update-types:
+          - patch
+          - minor
+          - major
     cooldown:
       default-days: 7
diff --git a/.github/workflows/auto-accept-ci-changes.yml b/.github/workflows/auto-accept-ci-changes.yml
@@ -0,0 +1,72 @@
+name: Dependabot CI Updates
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  dependabot-auto-approve:
+    name: Auto-approve and auto-merge safe Dependabot updates
+    runs-on: ubuntu-latest
+    if: >
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      contains(github.event.pull_request.labels.*.name, 'dependencies')
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - name: Fetch Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Stop workflow if not minor update or patch update
+        id: skip-condition
+        if: >
+          steps.dependabot-metadata.outputs.update-type != 'version-update:semver-minor' &&
+          steps.dependabot-metadata.outputs.update-type != 'version-update:semver-patch'
+        run: |
+          echo "Not a minor or patch update; skipping auto-approval."
+          echo "skip=true" >> $GITHUB_OUTPUT
+
+      - name: Checkout Repository
+        if: steps.skip-condition.outputs.skip != 'true'
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
+
+      - name: Approve Changes
+        if: steps.skip-condition.outputs.skip != 'true'
+        run: |
+          decision="$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)"
+          if [ "$decision" != "APPROVED" ]; then
+            gh pr review --approve "$PR_URL"
+          else
+            echo "PR already approved: skipping approval."
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+
+      - name: Enable auto-merge on Pull Request
+        if: steps.skip-condition.outputs.skip != 'true'
+        run: |
+          gh pr merge --auto --merge "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -29,6 +29,8 @@ Internal changes
 * Pinned `pydantic` below v2.12 due to breaking changes in their API. (PR #548)
   * Unpinned `pydantic` as newer 2.12 patch releases appear to have addressed regressions. (PR #559).
 * Pinned `pydap` >=3.5.6 and `h5netcdf` >=1.5.0 to ensure modern versions with better `xarray` support are installed by default. (PR #559).
+* Updated the cookiecutter template to the latest version (#569):
+  * Added a workflow for automatically accepting and merging periodic updates from Dependabot affecting CI dependencies.
 
 .. _changes_0.19.1:
 

diff --git a/CI/requirements_ci.in b/CI/requirements_ci.in
@@ -1,9 +1,10 @@
-bump-my-version==1.2.3
-deptry==0.23.1
-exceptiongroup==1.3.0
+bump-my-version==1.2.6
+deptry==0.24.0
+exceptiongroup==1.3.1
 flit==3.12.0
 pip==25.3
-pylint==3.3.9
+pydantic==2.12.5
+pylint==4.0.4
 tomli==2.3.0
+tox==4.33.0
 tox-gh==1.5.0
-tox==4.30.3