Merge remote-tracking branch 'upstream/main' into cola5

* upstream/main: (57 commits)
  Allow lasso selection sensors in a plot_evoked_topo (mne-tools#12071)
  MAINT: Fix doc build (mne-tools#13076)
  BUG: Improve sklearn compliance (mne-tools#13065)
  [pre-commit.ci] pre-commit autoupdate (mne-tools#13073)
  MAINT: Add Numba to 3.13 test (mne-tools#13075)
  Bump autofix-ci/action from ff86a557419858bb967097bfc916833f5647fa8c to 551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef in the actions group (mne-tools#13071)
  [BUG] Correct annotation onset for exportation to EDF and EEGLAB (mne-tools#12656)
  New feature for removing heart artifacts from EEG or ESG data using a Principal Component Analysis - Optimal Basis Sets (PCA-OBS) algorithm (mne-tools#13037)
  [BUG] Fix taper weighting in computation of TFR multitaper power (mne-tools#13067)
  [FIX] Reading an EDF with preload=False and mixed frequency (mne-tools#13069)
  Fix evoked topomap colorbars, closes mne-tools#13050 (mne-tools#13063)
  [pre-commit.ci] pre-commit autoupdate (mne-tools#13060)
  BUG: Fix bug with interval calculation (mne-tools#13062)
  [DOC] extend documentation for add_channels (mne-tools#13051)
  Add `combine_tfr` to API (mne-tools#13054)
  Add `combine_spectrum()` function and allow `grand_average()` to support `Spectrum` data (mne-tools#13058)
  BUG: Fix bug with helium anon (mne-tools#13056)
  [ENH] Add option to store and return TFR taper weights (mne-tools#12910)
  BUG: viz plot window's 'title' argument showed no effect. (mne-tools#12828)
  MAINT: Ensure limited set of tests are skipped (mne-tools#13053)
  ...

.circleci/config.yml

@@ -218,6 +218,9 @@ jobs:
       - restore_cache:
           keys:
             - data-cache-phantom-kit
+      - restore_cache:
+          keys:
+            - data-cache-ds004388
       - run:
           name: Get data
           # This limit could be increased, but this is helpful for finding slow ones
@@ -252,7 +255,7 @@ jobs:
           name: Check sphinx log for warnings (which are treated as errors)
           when: always
           command: |
-            ! grep "^.* WARNING: .*$" sphinx_log.txt
+            ! grep "^.*\(WARNING\|ERROR\): " sphinx_log.txt
       - run:
           name: Show profiling output
           when: always
@@ -393,6 +396,10 @@ jobs:
           key: data-cache-phantom-kit
           paths:
             - ~/mne_data/MNE-phantom-KIT-data  # (1 G)
+      - save_cache:
+          key: data-cache-ds004388
+          paths:
+            - ~/mne_data/ds004388  # (1.8 G)
 
 
   linkcheck:

.github/workflows/autofix.yml

@@ -13,10 +13,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'
       - run: pip install --upgrade towncrier pygithub gitpython numpy
       - run: python ./.github/actions/rename_towncrier/rename_towncrier.py
       - run: python ./tools/dev/ensure_headers.py
-      - uses: autofix-ci/action@ff86a557419858bb967097bfc916833f5647fa8c
+      - uses: autofix-ci/action@551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef

.github/workflows/automerge.yml

@@ -0,0 +1,17 @@
+name: Bot auto-merge
+on: pull_request  # yamllint disable-line rule:truthy
+
+jobs:
+  autobot:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    # Names can be found with gh api /repos/mne-tools/mne-python/pulls/12998 -q .user.login for example
+    if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.user.login == 'github-actions[bot]') && github.repository == 'mne-tools/mne-python'
+    steps:
+      - name: Enable auto-merge for bot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/check_changelog.yml

@@ -5,6 +5,9 @@ on:  # yamllint disable-line rule:truthy
     types: [opened, synchronize, labeled, unlabeled]
     branches: ["main"]
 
+permissions:
+  contents: read
+
 jobs:
   changelog_checker:
     name: Check towncrier entry in doc/changes/devel/

.github/workflows/circle_artifacts.yml

@@ -1,4 +1,7 @@
 on: [status]  # yamllint disable-line rule:truthy
+permissions:
+  contents: read
+  statuses: write
 jobs:
   circleci_artifacts_redirector_job:
     if: "${{ startsWith(github.event.context, 'ci/circleci: build_docs') }}"

.github/workflows/codeql-analysis.yml

@@ -39,6 +39,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
@@ -48,11 +50,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -61,7 +63,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

.github/workflows/credit.yml

@@ -6,19 +6,20 @@ on:  # yamllint disable-line rule:truthy
     - cron: '0 0 1 * *'  # At 00:00 on day-of-month 1
   workflow_dispatch:
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   update_credit:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Update
     runs-on: ubuntu-latest
     env:
       GH_TOKEN: ${{ github.token }}
       GITHUB_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: true
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'
@@ -37,8 +38,8 @@ jobs:
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
           git checkout -b credit
-          git commit -am "MAINT: Update code credit [ci skip]"
+          git commit -am "MAINT: Update code credit"
           git push origin credit
-          PR_NUM=$(gh pr create --base main --head credit --title "MAINT: Update code credit" --body "Created by \"${{ github.workflow }}\" GitHub action." --label "no-changelog-entry-needed")
+          PR_NUM=$(gh pr create --base main --head credit --title "MAINT: Update code credit" --body "Created by credit [GitHub action](https://github.com/mne-tools/mne-python/actions/runs/${{ github.run_id }})." --label "no-changelog-entry-needed")
           echo "Opened https://github.com/mne-tools/mne-python/pull/${PR_NUM}" >> $GITHUB_STEP_SUMMARY
         if: steps.status.outputs.dirty == 'true'

.github/workflows/release.yml

@@ -17,6 +17,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.10'

.github/workflows/tests.yml

@@ -18,6 +18,8 @@ jobs:
     timeout-minutes: 3
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'
@@ -56,6 +58,9 @@ jobs:
       fail-fast: false
       matrix:
         include:
+          - os: ubuntu-latest
+            python: '3.13'
+            kind: pip
           - os: ubuntu-latest
             python: '3.12'
             kind: pip-pre
@@ -81,44 +86,44 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - run: ./tools/github_actions_env_vars.sh
       # Xvfb/OpenGL
       - uses: pyvista/setup-headless-display-action@v3
         with:
           qt: true
           pyvista: false
+          wm: false
       # Python (if pip)
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python }}
         if: startswith(matrix.kind, 'pip')
       # Python (if conda)
-      - name: Remove numba and dipy
-        run: |  # TODO: Remove when numba 0.59 and dipy 1.8 land on conda-forge
-          sed -i '/numba/d' environment.yml
-          sed -i '/dipy/d' environment.yml
-          sed -i 's/- mne$/- mne-base/' environment.yml
-        if: matrix.os == 'ubuntu-latest' && startswith(matrix.kind, 'conda') && matrix.python == '3.12'
+      - name: Fixes for conda
+        run: |
+          # For some reason on Linux we get crashes
+          if [[ "$RUNNER_OS" == "Linux" ]]; then
+            sed -i "/numba/d" environment.yml
+          elif [[ "$RUNNER_OS" == "macOS" ]]; then
+            sed -i "" "s/  - PySide6 .*/  - PySide6 <6.8/g" environment.yml
+          fi
+        if: matrix.kind == 'conda' || matrix.kind == 'mamba'
       - uses: mamba-org/setup-micromamba@v2
         with:
           environment-file: ${{ env.CONDA_ENV }}
           environment-name: mne
           create-args: >-
             python=${{ env.PYTHON_VERSION }}
-            mamba
-            nomkl
         if: ${{ !startswith(matrix.kind, 'pip') }}
-      # Make sure we have the right Python
-      - run: python -c "import platform; assert platform.machine() == 'arm64', platform.machine()"
-        if: matrix.os == 'macos-14'
-      - run: ./tools/github_actions_dependencies.sh
+      - run: bash ./tools/github_actions_dependencies.sh
       # Minimal commands on Linux (macOS stalls)
-      - run: ./tools/get_minimal_commands.sh
-        if: ${{ startswith(matrix.os, 'ubuntu') }}
-      - run: ./tools/github_actions_infos.sh
+      - run: bash ./tools/get_minimal_commands.sh
+        if: startswith(matrix.os, 'ubuntu') && matrix.kind != 'minimal' && matrix.kind != 'old'
+      - run: bash ./tools/github_actions_infos.sh
       # Check Qt
-      - run: ./tools/check_qt_import.sh $MNE_QT_BACKEND
-        if: ${{ env.MNE_QT_BACKEND != '' }}
+      - run: bash ./tools/check_qt_import.sh $MNE_QT_BACKEND
+        if: env.MNE_QT_BACKEND != ''
       - name: Run tests with no testing data
         run: MNE_SKIP_TESTING_DATASET_TESTS=true pytest -m "not (ultraslowtest or pgtest)" --tb=short --cov=mne --cov-report xml -vv -rfE mne/
         if: matrix.kind == 'minimal'
@@ -127,8 +132,8 @@ jobs:
         with:
           key: ${{ env.TESTING_VERSION }}
           path: ~/mne_data
-      - run: ./tools/github_actions_download.sh
-      - run: ./tools/github_actions_test.sh
+      - run: bash ./tools/github_actions_download.sh
+      - run: bash ./tools/github_actions_test.sh  # for some reason on macOS we need to run "bash X" in order for a failed test run to show up
       - uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.mailmap

@@ -2,6 +2,7 @@ Adam Li <[email protected]> Adam Li <[email protected]>
 Adam Li <[email protected]> Adam Li <[email protected]>
 Alan Leggitt <[email protected]> leggitta <[email protected]>
 Alessandro Tonin <[email protected]> Lychfindel <[email protected]>
+Alex Lepauvre <[email protected]> Alex lepauvre <[email protected]>
 Alex Rockhill <[email protected]> Alex <[email protected]>
 Alex Rockhill <[email protected]> Alex <[email protected]>
 Alex Rockhill <[email protected]> Alex Rockhill <[email protected]>
@@ -356,4 +357,4 @@ Yousra Bekhti <[email protected]> Yousra BEKHTI <[email protected]>
 Yousra Bekhti <[email protected]> yousrabk <[email protected]>
 Zhi Zhang <[email protected]> ZHANG Zhi <[email protected]>
 Zhi Zhang <[email protected]> ZHANG Zhi <[email protected]>
-Ziyi ZENG <[email protected]>
+Ziyi ZENG <[email protected]> ZIYI ZENG <[email protected]>

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 repos:
   # Ruff mne
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.8.0
+    rev: v0.9.2
     hooks:
       - id: ruff
         name: ruff lint mne
@@ -70,16 +70,21 @@ repos:
         name: Copy dependency changes from pyproject.toml to environment.yml
         language: python
         entry: ./tools/hooks/update_environment_file.py
-        files: pyproject.toml
+        files: '^(pyproject.toml|tools/hooks/update_environment_file.py)$'
   - repo: local
     hooks:
       - id: dependency-sync
         name: Copy core dependencies from pyproject.toml to README.rst
         language: python
         entry: ./tools/hooks/sync_dependencies.py
-        files: pyproject.toml
-        additional_dependencies: ["mne"]
+        files: '^(pyproject.toml|tools/hooks/sync_dependencies.py)$'
+        additional_dependencies: ["mne==1.9.0"]
 
+  # zizmor
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.2.2
+    hooks:
+      - id: zizmor
 
 # these should *not* be run on CIs:
 ci: