59 changes: 59 additions & 0 deletions template/.github/workflows/add-to-project.yml
@@ -0,0 +1,59 @@
name: Add to project board

on:
issues:
types:
- opened
- reopened
- transferred
pull_request:
types:
- reopened
- opened

# Limit token permissions for security
permissions: read-all

env:
# TODO: Fill in with the correct board number for this repo.
BOARD_NUMBER: ""

jobs:
add-to-project:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit

# Using this security pattern for GitHub Apps is recommended by GitHub and ensures that
# the token is only available for a short time and has limited permissions. Check out
# <https://guidebook.seedcase-project.org/operations/security> for more details.
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
id: app-token
with:
# TODO: Make sure that the repo has this variable set up.
client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}"
# TODO: Confirm that this secret is set up for this repo.
private-key: "${{ secrets.ADD_TO_BOARD }}"

- name: Add issue or PR to project board
uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: "https://github.com/orgs/${{ github.repository_owner }}/projects/${{ env.BOARD_NUMBER }}"
github-token: "${{ steps.app-token.outputs.token }}"

- name: Assign PR to creator
if: ${{ github.event_name == 'pull_request' }}
run: |
gh pr edit $PR --add-assignee $AUTHOR --repo $REPO
env:
REPO: ${{ github.repository }}
AUTHOR: ${{ github.event.pull_request.user.login }}
PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
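Review bot: The `Assign PR to creator` step runs on `pull_request` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, but for pull requests opened from forks that token is read-only regardless of the job's `pull-requests: write` grant, so the `gh pr edit` call fails there; either reuse the app token minted in the previous step (`GH_TOKEN: ${{ steps.app-token.outputs.token }}`, provided the app installation has pull-request write) or gate the step on same-repository PRs. The shell expansions in `gh pr edit $PR --add-assignee $AUTHOR --repo $REPO` should be double-quoted (`gh pr edit "$PR" --add-assignee "$AUTHOR" --repo "$REPO"`), even though routing the event fields through `env:` already avoids expression injection into the script. The `step-security/harden-runner` pin here (v2.14.0) differs from the v2.19.3 pinned in build-website.yml.jinja and in the `check-python`/`check-website-build` jobs of checks.yml; the template should pin one version so automated bumps move all copies together. Note also that `egress-policy: audit` only records outbound calls, so the "check for unexpected outbound calls" comment holds only if someone actually reviews the audit output.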
28 changes: 0 additions & 28 deletions template/.github/workflows/add-to-project.yml.jinja

This file was deleted.

68 changes: 62 additions & 6 deletions template/.github/workflows/build-website.yml.jinja
Expand Up @@ -10,17 +10,73 @@ permissions: read-all

jobs:
build-website:
uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main
runs-on: ubuntu-latest
{%- if hosting_provider == 'gh-pages' %}
with:
hosting-provider: gh-pages
permissions:
contents: write
pages: write
{%- endif %}
secrets:
{% if hosting_provider == 'gh-pages' -%}
github-token: {{ '${{ secrets.GITHUB_TOKEN }}' }}
{%- elif hosting_provider == 'netlify' -%}
netlify-token: {{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }}
concurrency:
group: build-website-python-group
cancel-in-progress: true
env:
QUARTO_PYTHON: ".venv/bin/python3"
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
# Install a specific version of uv.
# uv recommends to set the version for best practice.
version: "0.11.15"
# To have a faster CI time, enable cache between runs.
enable-cache: true
# Reset the cache if the lock file changes.
cache-dependency-glob: "uv.lock"

- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: "pyproject.toml"

- name: Install the project and it's dependencies
run: |
uv sync --all-extras --dev
echo "$PWD/.venv/bin" >> "$GITHUB_PATH"

- name: Set up Quarto
uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0

- name: Spell check repo
uses: crate-ci/typos@aca895bf05aec0cb7dffa6f94495e923224d9f17 # v1.46.2

- name: Build function reference docs
run: uv run quartodoc build

{% if hosting_provider == 'netlify' -%}
- name: Publish to Netlify (and render)
if: ${{ inputs.hosting-provider == 'netlify' }}
uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
with:
target: netlify
NETLIFY_AUTH_TOKEN: ${{ secrets.netlify-token }}

{%- elif hosting_provider == 'gh-pages' -%}
# NOTE: If Publishing to GitHub Pages, set the permissions correctly (see above).
- name: Publish to GitHub Pages (and render)
if: ${{ inputs.hosting-provider == 'gh-pages' }}
uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
with:
target: gh-pages
env:
GITHUB_TOKEN: ${{ secrets.github-token }}
{%- endif %}
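Review bot: The `${{ ... }}` expressions in the new publish steps (`if: ${{ inputs.hosting-provider == 'netlify' }}`, `NETLIFY_AUTH_TOKEN: ${{ secrets.netlify-token }}`, `GITHUB_TOKEN: ${{ secrets.github-token }}`) are not wrapped in the `{{ '...' }}` string escape that the removed `secrets:` lines used, so in a `.jinja` template the inner `{{ secrets.github-token }}` is evaluated by Jinja rather than passed through to GitHub Actions — unless the template engine is configured with non-default delimiters, these render empty or fail. The names `secrets.netlify-token` and `secrets.github-token` were the reusable workflow's secret inputs; a standalone job must reference repository secrets directly, e.g. `GITHUB_TOKEN: {{ '${{ secrets.GITHUB_TOKEN }}' }}` and `NETLIFY_AUTH_TOKEN: {{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }}`, with the Netlify token moved from `with:` to `env:` to match the gh-pages branch and the publish action's documented usage. Likewise `inputs.hosting-provider` has no source once the job no longer runs as a reusable workflow, and the surrounding `{% if hosting_provider == ... %}` already selects the step, so the two `if:` lines can be dropped. The workflow's `on:` block and the start of the `jobs:` mapping are outside the hunk, so whether any `inputs` are declared cannot be confirmed from here.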
19 changes: 0 additions & 19 deletions template/.github/workflows/check-package.yml

This file was deleted.

152 changes: 152 additions & 0 deletions template/.github/workflows/checks.yml
@@ -0,0 +1,152 @@
name: Checks

on:
pull_request:
branches:
- main
push:
branches:
- main

# Limit token permissions for security
permissions: read-all

jobs:
check-python:
# Permissions needed for pushing to the coverage branch.
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
enable-cache: true

- name: Install justfile
run: sudo apt-get install -y just

- name: Install Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: "pyproject.toml"

- name: Install the project and it's dependencies
run: just install-deps

- name: Check Python style
run: just check-python

- name: Run tests and coverage
run: just test-python

- name: Prepare repo for coverage report
run: |
# So that folder can be committed
rm htmlcov/.gitignore

- name: Push coverage report and badge to branch
uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
with:
branch: coverage
folder: htmlcov
# Keep a simple Git history
single-commit: true

- name: Run security checks
run: just check-security

- name: Run unused code checker
run: just check-unused

check-typos:
runs-on: ubuntu-latest
steps:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Spell check repo
uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1

check-website-build:
runs-on: ubuntu-latest
env:
QUARTO_PYTHON: ".venv/bin/python3"
steps:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
# To have a faster CI time, enable cache between runs.
enable-cache: true
# Reset the cache if the lock file changes.
cache-dependency-glob: "uv.lock"

- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: "pyproject.toml"

- name: Install the project and it's dependencies
run: |
uv sync --all-extras --dev
echo "$PWD/.venv/bin" >> "$GITHUB_PATH"

- name: Set up Quarto
uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0

- name: Build function reference docs
run: uv run quartodoc build

- name: Build function reference docs
run: uvx quartodoc build

# Check that the website builds, but don't publish it
- name: Render Quarto Project
uses: quarto-dev/quarto-actions/render@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0

# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
check-dependencies:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit

- name: "Checkout Repository"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: "Dependency Review"
uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
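Review bot: The `check-website-build` job builds the function reference twice: `run: uv run quartodoc build` is immediately followed by a second `Build function reference docs` step with `run: uvx quartodoc build`, and the `uvx` form resolves quartodoc outside the locked `.venv`, so it can pull a version other than the one in `uv.lock`; drop the second step. In `check-python`, the `Push coverage report and badge to branch` step runs on `pull_request` as well as `push`, so any PR targeting `main` rewrites the published `coverage` branch with its own results while the job holds `contents: write`, and for fork PRs the token is read-only and the step fails; gate it with `if: github.event_name == 'push'`. That `contents: write` grant is needed only by the deploy step, yet the whole job (style, tests, security and unused-code checks via PR-controlled `just` recipes) runs with it in scope, which is a further reason to publish coverage only from `push` events. Action pins are also inconsistent within this file and across the PR: `harden-runner` is v2.19.3 in `check-python`/`check-website-build` but v2.14.0 in `check-typos`/`check-dependencies`, and `crate-ci/typos` is v1.45.1 here versus v1.46.2 in build-website.yml.jinja.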
17 changes: 0 additions & 17 deletions template/.github/workflows/dependency-review.yml

This file was deleted.
