seedcase-project
diff --git a/‎template/.github/workflows/add-to-project.yml‎
Lines changed: 59 additions & 0 deletions b/‎template/.github/workflows/add-to-project.yml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎template/.github/workflows/add-to-project.yml.jinja‎
Lines changed: 0 additions & 28 deletions b/‎template/.github/workflows/add-to-project.yml.jinja‎
Lines changed: 0 additions & 28 deletions
diff --git a/‎template/.github/workflows/build-website.yml.jinja‎
Lines changed: 62 additions & 6 deletions b/‎template/.github/workflows/build-website.yml.jinja‎
Lines changed: 62 additions & 6 deletions
diff --git a/‎template/.github/workflows/check-package.yml‎
Lines changed: 0 additions & 19 deletions b/‎template/.github/workflows/check-package.yml‎
Lines changed: 0 additions & 19 deletions
diff --git a/‎template/.github/workflows/checks.yml‎
Lines changed: 152 additions & 0 deletions b/‎template/.github/workflows/checks.yml‎
Lines changed: 152 additions & 0 deletions
diff --git a/‎template/.github/workflows/dependency-review.yml‎
Lines changed: 0 additions & 17 deletions b/‎template/.github/workflows/dependency-review.yml‎
Lines changed: 0 additions & 17 deletions
@@ -0,0 +1,59 @@
+name: Add to project board
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+  pull_request:
+    types:
+      - reopened
+      - opened
+
+# Limit token permissions for security
+permissions: read-all
+
+env:
+  # TODO: Fill in with the correct board number for this repo.
+  BOARD_NUMBER: ""
+
+jobs:
+  add-to-project:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      # Using this security pattern for GitHub Apps is recommended by GitHub and ensures that
+      # the token is only available for a short time and has limited permissions. Check out
+      # <https://guidebook.seedcase-project.org/operations/security> for more details.
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        id: app-token
+        with:
+          # TODO: Make sure that the repo has this variable set up.
+          client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}"
+          # TODO: Confirm that this secret is set up for this repo.
+          private-key: "${{ secrets.ADD_TO_BOARD }}"
+
+      - name: Add issue or PR to project board
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: "https://github.com/orgs/${{ github.repository_owner }}/projects/${{ env.BOARD_NUMBER }}"
+          github-token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Assign PR to creator
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          gh pr edit $PR --add-assignee $AUTHOR --repo $REPO
+        env:
+          REPO: ${{ github.repository }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -10,17 +10,73 @@ permissions: read-all
 
 jobs:
   build-website:
-    uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main
+    runs-on: ubuntu-latest
     {%- if hosting_provider == 'gh-pages' %}
     with:
       hosting-provider: gh-pages
     permissions:
       contents: write
       pages: write
     {%- endif %}
-    secrets:
-      {% if hosting_provider == 'gh-pages' -%}
-      github-token: {{ '${{ secrets.GITHUB_TOKEN }}' }}
-      {%- elif hosting_provider == 'netlify' -%}
-      netlify-token: {{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }}
+    concurrency:
+      group: build-website-python-group
+      cancel-in-progress: true
+    env:
+        QUARTO_PYTHON: ".venv/bin/python3"
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          # Install a specific version of uv.
+          # uv recommends to set the version for best practice.
+          version: "0.11.15"
+          # To have a faster CI time, enable cache between runs.
+          enable-cache: true
+          # Reset the cache if the lock file changes.
+          cache-dependency-glob: "uv.lock"
+
+      - name: "Set up Python"
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install the project and it's dependencies
+        run: |
+            uv sync --all-extras --dev
+            echo "$PWD/.venv/bin" >> "$GITHUB_PATH"
+
+      - name: Set up Quarto
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+      - name: Spell check repo
+        uses: crate-ci/typos@aca895bf05aec0cb7dffa6f94495e923224d9f17 # v1.46.2
+
+      - name: Build function reference docs
+        run: uv run quartodoc build
+
+      {% if hosting_provider == 'netlify' -%}
+      - name: Publish to Netlify (and render)
+        if: ${{ inputs.hosting-provider == 'netlify' }}
+        uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+        with:
+          target: netlify
+          NETLIFY_AUTH_TOKEN: ${{ secrets.netlify-token }}
+
+      {%- elif hosting_provider == 'gh-pages' -%}
+      # NOTE: If Publishing to GitHub Pages, set the permissions correctly (see above).
+      - name: Publish to GitHub Pages (and render)
+        if: ${{ inputs.hosting-provider == 'gh-pages' }}
+        uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+        with:
+          target: gh-pages
+        env:
+          GITHUB_TOKEN: ${{ secrets.github-token }}
       {%- endif %}
@@ -0,0 +1,152 @@
+name: Checks
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  check-python:
+    # Permissions needed for pushing to the coverage branch.
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+
+      - name: Install justfile
+        run: sudo apt-get install -y just
+
+      - name: Install Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install the project and it's dependencies
+        run: just install-deps
+
+      - name: Check Python style
+        run: just check-python
+
+      - name: Run tests and coverage
+        run: just test-python
+
+      - name: Prepare repo for coverage report
+        run: |
+          # So that folder can be committed
+          rm htmlcov/.gitignore
+
+      - name: Push coverage report and badge to branch
+        uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
+        with:
+          branch: coverage
+          folder: htmlcov
+          # Keep a simple Git history
+          single-commit: true
+
+      - name: Run security checks
+        run: just check-security
+
+      - name: Run unused code checker
+        run: just check-unused
+
+  check-typos:
+    runs-on: ubuntu-latest
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Spell check repo
+        uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
+
+  check-website-build:
+    runs-on: ubuntu-latest
+    env:
+      QUARTO_PYTHON: ".venv/bin/python3"
+    steps:
+      # This is a useful security step to check for unexpected outbound calls from the runner,
+      # which could indicate a compromised token or runner.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - name: Check out repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          # To have a faster CI time, enable cache between runs.
+          enable-cache: true
+          # Reset the cache if the lock file changes.
+          cache-dependency-glob: "uv.lock"
+
+      - name: "Set up Python"
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install the project and it's dependencies
+        run: |
+          uv sync --all-extras --dev
+          echo "$PWD/.venv/bin" >> "$GITHUB_PATH"
+
+      - name: Set up Quarto
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+      - name: Build function reference docs
+        run: uv run quartodoc build
+
+      - name: Build function reference docs
+        run: uvx quartodoc build
+
+      # Check that the website builds, but don't publish it
+      - name: Render Quarto Project
+        uses: quarto-dev/quarto-actions/render@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
+
+  # Dependency Review Action
+  #
+  # This Action will scan dependency manifest files that change as part of a Pull Request,
+  # surfacing known-vulnerable versions of the packages declared or updated in the PR.
+  # Once installed, if the workflow run is marked as required,
+  # PRs introducing known-vulnerable packages will be blocked from merging.
+  #
+  # Source repository: https://github.com/actions/dependency-review-action
+  check-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: "Checkout Repository"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2