ci: 👷 update workflows from t-squared, improve releasing (#267)

# Description

Improves/resolves issues with the release workflow. Comes from t-squared
template.

Closes #209, closes #261

No review needed.

Author: lwjohnst86

.config/cliff.toml

@@ -0,0 +1,130 @@
+[remote]
+# Strictly don't connect to the internet to generate the changelog.
+offline = false
+
+[remote.github]
+owner = "seedcase-project"
+repo = "template-python-package"
+
+[changelog]
+# A Tera template to be rendered for each release in the changelog.
+header = """
+# Changelog
+
+Since we follow
+[Conventional Commits](https://decisions.seedcase-project.org/why-conventional-commits/)
+when writing commit messages, we're able to automatically create formal
+"releases" of the template based on the commit messages. Releases in the
+context of template are when changes occur to the `template/` files or
+to the `copier.yaml` files. The releases are also published to Zenodo
+for easier discovery, archival, and citation purposes. We use
+[Cocogitto](https://decisions.seedcase-project.org/why-semantic-release-with-cocogitto/)
+to be able to automatically create these releases, which uses
+[SemVar](https://semverdoc.org) as the version numbering scheme,
+and [Git Cliff](https://decisions.seedcase-project.org/why-changelog-with-git-cliff/)
+to generate the changelog based on the commit messages.
+
+Because releases are created based on commit messages, a new release is
+created quite often---sometimes several times in a day. This also means
+that any individual release will not have many changes within it. Below
+is a list of the releases we've made so far, along with what was changed
+within each release.
+
+Commits from bots, like `dependabot` or `pre-commit-ci`, are not included in
+the changelog.
+"""
+
+body = """
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+
+{% macro print_commit(commit) -%}
+    - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+        {% if commit.breaking %}**breaking**  {% endif %}\
+        {{ commit.message | upper_first }} \
+        {% if commit.remote.username %} by \
+          {% if commit.remote.username is containing("[bot]") %}
+            `@{{ commit.remote.username }}`\
+          {% else %}\
+            [`@{{ commit.remote.username }}`](https://github.com/{{ commit.remote.username }})\
+          {% endif %}\
+        {% endif %} \
+        ([{{ commit.id | truncate(length=7, end="") }}]({{ self::remote_url() }}/commit/{{ commit.id }}))\
+{% endmacro -%}
+
+{% if version %}\
+    {% if previous.version %}\
+        ## [{{ version | trim_start_matches(pat="v") }}]\
+          ({{ self::remote_url() }}/compare/{{ previous.version }}..{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+    {% else %}\
+        ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+    {% endif %}\
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits
+    | filter(attribute="scope")
+    | sort(attribute="scope") %}
+        {{ self::print_commit(commit=commit) }}
+    {%- endfor %}
+    {% for commit in commits %}
+        {%- if not commit.scope -%}
+            {{ self::print_commit(commit=commit) }}
+        {% endif -%}
+    {% endfor -%}
+{% endfor -%}
+
+{%- if github -%}
+{% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+  ### ❤️ New contributors
+{% endif %}\
+{% for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+  {% if contributor.username is containing("[bot]") %}
+  - `@{{ contributor.username }}` started making automated contributions\
+  {% else %}\
+  - [`@{{ contributor.username }}`](https://github.com/{{ contributor.username }}) made their first contribution
+    {%- if contributor.pr_number %} in \
+      [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }})\
+    {%- endif %}
+  {%- endif %}\
+{%- endfor -%}
+{%- endif %}
+
+"""
+
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+output = "CHANGELOG.md"
+
+[git]
+commit_preprocessors = [
+  # Replace pull request numbers with links to GitHub.
+  { pattern = '\((\w+\s)?#([0-9]+)\)', replace = "[#${2}](https://github.com/seedcase-project/template-python-package/pull/${2})" },
+  # Check spelling of the commit message using https://github.com/crate-ci/typos.
+  # If the spelling is incorrect, it will be fixed automatically.
+  { pattern = '.*', replace_command = 'uvx typos --write-changes -' },
+  # Remove gitmoji, both actual UTF emoji and :emoji:
+  { pattern = ' *(:\w+:|[\p{Emoji_Presentation}\p{Extended_Pictographic}](?:\u{FE0F})?\u{200D}?) *', replace = "" },
+]
+
+commit_parsers = [
+  # Don't include commits from bots.
+  { field = "author.name", pattern = ".*(dependabot|github-actions|pre-commit-ci).*", skip = true },
+  # Don't include the version update commits.
+  { message = ".*update version", skip = true },
+  { message = "^feat", group = "<!-- 0 -->✨ Features" },
+  { message = "^fix", group = "<!-- 1 -->🐛 Fixes" },
+  { message = "^refactor", group = "<!-- 2 -->♻️ Refactor" },
+  { message = "^docs", group = "<!-- 3 -->📝 Documentation" },
+  { message = "^perf", group = "<!-- 4 -->⚡ Performance" },
+  { message = "^style", group = "<!-- 5 -->💄 Styling" },
+  { message = "^test", group = "<!-- 6 -->🧪 Tests" },
+  { message = "^ci", group = "<!-- 7 -->👷 CI/CD" },
+  { message = "^chore|^build", group = "<!-- 8 -->👩‍💻 Miscellaneous" },
+  { message = "^revert", group = "<!-- 9 -->⏪ Revert" },
+  { message = ".*", skip = true },
+]

.copier-answers.yml

@@ -0,0 +1,7 @@
+# Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
+_commit: 0.7.0
+_src_path: gh:seedcase-project/t-squared
+for_seedcase: true
+github_repo: template-python-package
+github_user: seedcase-project
+hosting_provider: netlify

.cz.toml

@@ -14,14 +14,43 @@ on:
 # Limit token permissions for security
 permissions: read-all
 
+env:
+  BOARD_NUMBER: "24"
+
 jobs:
   add-to-project:
-    uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+    runs-on: ubuntu-latest
     permissions:
       pull-requests: write
-    with:
-      board-number: 18
-      app-id: ${{ vars.ADD_TO_BOARD_APP_ID }}
-    secrets:
-      add-to-board-token: ${{ secrets.ADD_TO_BOARD }}
-      gh-token: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      # Using this security pattern for GitHub Apps is recommended by GitHub and ensures that
+      # the token is only available for a short time and has limited permissions. Check out
+      # <https://guidebook.seedcase-project.org/operations/security> for more details.
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        id: app-token
+        with:
+          client-id: ${{ vars.ADD_TO_BOARD_APP_ID }}
+          private-key: ${{ secrets.ADD_TO_BOARD }}
+
+      - name: Add issue or PR to project board
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: "https://github.com/orgs/${{ github.repository_owner }}/projects/${{ env.BOARD_NUMBER }}"
+          github-token: ${{ steps.app-token.outputs.token }}
+
+      - name: Assign PR to creator
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          gh pr edit $PR --add-assignee $AUTHOR --repo $REPO
+        env:
+          REPO: ${{ github.repository }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/add-to-project.yml

@@ -9,7 +9,30 @@ on:
 permissions: read-all
 
 jobs:
-  build-website:
-    uses: seedcase-project/.github/.github/workflows/reusable-build-docs.yml@main
-    secrets:
-      netlify-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+  build-deploy:
+    runs-on: ubuntu-latest
+    # Stop builds from running more than one at a time, to save resources and also
+    # to limit conflicts when uploading to the hosting provider.
+    concurrency:
+      group: build-website-group
+      cancel-in-progress: true
+
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Quarto
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+      - name: Render and publish to Netlify
+        uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+        with:
+          target: netlify
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}

.github/workflows/build-website.yml

@@ -0,0 +1,94 @@
+name: Checks
+
+on: pull_request
+
+permissions: read-all
+
+jobs:
+  check-template:
+    runs-on: ubuntu-latest
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+
+      - name: Install justfile
+        run: uv tool install rust-just
+
+      # Set this user so that the checks create Git commits.
+      - name: Set bot user
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Check template creation
+        run: just test-all
+
+  check-typos:
+    runs-on: ubuntu-latest
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Spell check repo
+        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
+
+  check-website-build:
+    runs-on: ubuntu-latest
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Quarto
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+      # Check that the website builds, but don't publish it
+      - name: Render Quarto Project
+        uses: quarto-dev/quarto-actions/render@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+  # Dependency Review Action
+  #
+  # This Action will scan dependency manifest files that change as part of a Pull Request,
+  # surfacing known-vulnerable versions of the packages declared or updated in the PR.
+  # Once installed, if the workflow run is marked as required,
+  # PRs introducing known-vulnerable packages will be blocked from merging.
+  #
+  # Source repository: https://github.com/actions/dependency-review-action
+  check-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: "Checkout Repository"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2