seedcase-project
diff --git a/‎.github/workflows/add-to-project.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/add-to-project.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/build-website.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build-website.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/checks.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/checks.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎template/.github/workflows/add-to-project.yml‎
Lines changed: 59 additions & 0 deletions b/‎template/.github/workflows/add-to-project.yml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎template/.github/workflows/add-to-project.yml.jinja‎
Lines changed: 0 additions & 28 deletions b/‎template/.github/workflows/add-to-project.yml.jinja‎
Lines changed: 0 additions & 28 deletions
diff --git a/‎template/.github/workflows/build-website.yml.jinja‎
Lines changed: 62 additions & 6 deletions b/‎template/.github/workflows/build-website.yml.jinja‎
Lines changed: 62 additions & 6 deletions
diff --git a/‎template/.github/workflows/check-package.yml‎
Lines changed: 0 additions & 19 deletions b/‎template/.github/workflows/check-package.yml‎
Lines changed: 0 additions & 19 deletions
@@ -26,7 +26,7 @@ jobs:
       # This is a useful security step to check for unexpected outbound calls from the runner,
       # which could indicate a compromised token or runner.
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
 
@@ -21,7 +21,7 @@ jobs:
       # This is a useful security step to check for unexpected outbound calls from the runner,
       # which could indicate a compromised token or runner.
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
 
@@ -11,7 +11,7 @@ jobs:
       # This is a useful security step to check for unexpected outbound calls from the runner,
       # which could indicate a compromised token or runner.
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
@@ -41,7 +41,7 @@ jobs:
       # This is a useful security step to check for unexpected outbound calls from the runner,
       # which could indicate a compromised token or runner.
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
@@ -57,7 +57,7 @@ jobs:
       # This is a useful security step to check for unexpected outbound calls from the runner,
       # which could indicate a compromised token or runner.
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
@@ -83,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
 
@@ -24,7 +24,7 @@ jobs:
       # This is a useful security step to check for unexpected outbound calls from the runner,
       # which could indicate a compromised token or runner.
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
 
@@ -0,0 +1,59 @@
+name: Add to project board
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+  pull_request:
+    types:
+      - reopened
+      - opened
+
+# Limit token permissions for security
+permissions: read-all
+
+env:
+  # TODO: Add the correct board number for this repo.
+  BOARD_NUMBER: ""
+
+jobs:
+  add-to-project:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      # Using this security pattern for GitHub Apps is recommended by GitHub and ensures that
+      # the token is only available for a short time and has limited permissions. Check out
+      # <https://guidebook.seedcase-project.org/operations/security> for more details.
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        id: app-token
+        with:
+          # TODO: Confirm that this variable is set up for this repo.
+          client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}"
+          # TODO: Confirm that this secret is set up for this repo.
+          private-key: "${{ secrets.ADD_TO_BOARD }}"
+
+      - name: Add issue or PR to project board
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: "https://github.com/orgs/${{ github.repository_owner }}/projects/${{ env.BOARD_NUMBER }}"
+          github-token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Assign PR to creator
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          gh pr edit $PR --add-assignee $AUTHOR --repo $REPO
+        env:
+          REPO: ${{ github.repository }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -10,17 +10,73 @@ permissions: read-all
 
 jobs:
   build-website:
-    uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main
+    runs-on: ubuntu-latest
     {%- if hosting_provider == 'gh-pages' %}
     with:
       hosting-provider: gh-pages
     permissions:
       contents: write
       pages: write
     {%- endif %}
-    secrets:
-      {% if hosting_provider == 'gh-pages' -%}
-      github-token: {{ '${{ secrets.GITHUB_TOKEN }}' }}
-      {%- elif hosting_provider == 'netlify' -%}
-      netlify-token: {{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }}
+    concurrency:
+      group: build-website-python-group
+      cancel-in-progress: true
+    env:
+        QUARTO_PYTHON: ".venv/bin/python3"
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          # Install a specific version of uv.
+          # uv recommends to set the version for best practice.
+          version: "0.11.15"
+          # To have a faster CI time, enable cache between runs.
+          enable-cache: true
+          # Reset the cache if the lock file changes.
+          cache-dependency-glob: "uv.lock"
+
+      - name: "Set up Python"
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install the project and it's dependencies
+        run: |
+            uv sync --all-extras --dev
+            echo "$PWD/.venv/bin" >> "$GITHUB_PATH"
+
+      - name: Set up Quarto
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+      - name: Spell check repo
+        uses: crate-ci/typos@aca895bf05aec0cb7dffa6f94495e923224d9f17 # v1.46.2
+
+      - name: Build function reference docs
+        run: uv run quartodoc build
+
+      {% if hosting_provider == 'netlify' -%}
+      - name: Publish to Netlify (and render)
+        if: {{ "${{ inputs.hosting-provider == 'netlify' }}" }}
+        uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+        with:
+          target: netlify
+          NETLIFY_AUTH_TOKEN: {{ '${{ secrets.netlify-token }}' }}
+
+      {%- elif hosting_provider == 'gh-pages' -%}
+      # NOTE: If Publishing to GitHub Pages, set the permissions correctly (see above).
+      - name: Publish to GitHub Pages (and render)
+        if: {{ "${{ inputs.hosting-provider == 'gh-pages' }}" }}
+        uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+        with:
+          target: gh-pages
+        env:
+          GITHUB_TOKEN: {{ '${{ secrets.github-token }}' }}
       {%- endif %}