From c54f02d85f30ec55d1c37e1e2f7e8799a5fdd255 Mon Sep 17 00:00:00 2001 From: "Luke W. Johnston" Date: Thu, 21 May 2026 20:28:58 +0200 Subject: [PATCH 1/6] =?UTF-8?q?refactor:=20=F0=9F=91=B7=20replace=20reusab?= =?UTF-8?q?le=20workflows=20with=20normal=20workflow=20steps?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/.github/workflows/add-to-project.yml | 59 +++++++ .../workflows/add-to-project.yml.jinja | 28 ---- .../.github/workflows/build-website.yml.jinja | 68 +++++++- template/.github/workflows/check-package.yml | 19 --- template/.github/workflows/checks.yml | 152 ++++++++++++++++++ .../.github/workflows/dependency-review.yml | 17 -- template/.github/workflows/scorecards.yml | 42 ++++- 7 files changed, 312 insertions(+), 73 deletions(-) create mode 100644 template/.github/workflows/add-to-project.yml delete mode 100644 template/.github/workflows/add-to-project.yml.jinja delete mode 100644 template/.github/workflows/check-package.yml create mode 100644 template/.github/workflows/checks.yml delete mode 100644 template/.github/workflows/dependency-review.yml diff --git a/template/.github/workflows/add-to-project.yml b/template/.github/workflows/add-to-project.yml new file mode 100644 index 0000000..d0a0578 --- /dev/null +++ b/template/.github/workflows/add-to-project.yml 
@@ -0,0 +1,59 @@ +name: Add to project board + +on: + issues: + types: + - opened + - reopened + - transferred + pull_request: + types: + - reopened + - opened + +# Limit token permissions for security +permissions: read-all + +env: + # TODO: Fill in with the correct board number for this repo. + BOARD_NUMBER: "" + +jobs: + add-to-project: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + # This is a useful security step to check for unexpected outbound calls from the runner, + # which could indicate a compromised token or runner. + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + # Using this security pattern for GitHub Apps is recommended by GitHub and ensures that + # the token is only available for a short time and has limited permissions. Check out + # for more details. + - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 + id: app-token + with: + # TODO: Make sure that the repo has this variable set up. + client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}" + # TODO: Confirm that this secret is set up for this repo. + private-key: "${{ secrets.ADD_TO_BOARD }}" + + - name: Add issue or PR to project board + uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 + with: + project-url: "https://github.com/orgs/${{ github.repository_owner }}/projects/${{ env.BOARD_NUMBER }}" + github-token: "${{ steps.app-token.outputs.token }}" + + - name: Assign PR to creator + if: ${{ github.event_name == 'pull_request' }} + run: | + gh pr edit $PR --add-assignee $AUTHOR --repo $REPO + env: + REPO: ${{ github.repository }} + AUTHOR: ${{ github.event.pull_request.user.login }} + PR: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
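Review bot: `BOARD_NUMBER` is declared as the empty string, so until the TODO is resolved the `project-url` of the "Add issue or PR to project board" step expands to `https://github.com/orgs/<owner>/projects/` and the action fails with an error that does not point at the missing value; a guard step placed before the app-token step, `- run: test -n "$BOARD_NUMBER" || { echo "BOARD_NUMBER is not set"; exit 1; }`, fails fast with a clear message and before any token is minted. The comment above the create-github-app-token step ends with "Check out for more details." and the link it refers to is missing; either restore the URL or drop that sentence. In the "Assign PR to creator" step the three expansions are unquoted; `gh pr edit "$PR" --add-assignee "$AUTHOR" --repo "$REPO"` is the usual form, even though these values come from the event payload rather than from free text.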
diff --git a/template/.github/workflows/add-to-project.yml.jinja b/template/.github/workflows/add-to-project.yml.jinja deleted file mode 100644 index 54ec674..0000000 --- a/template/.github/workflows/add-to-project.yml.jinja +++ /dev/null @@ -1,28 +0,0 @@ -name: Add to project board - -on: - issues: - types: - - opened - - reopened - - transferred - pull_request: - types: - - reopened - - opened - -# Limit token permissions for security -permissions: read-all - -jobs: - add-to-project: - uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main - permissions: - pull-requests: write - with: - # TODO: Fill in the board number. - board-number: "" - app-id: {{ '${{ vars.ADD_TO_BOARD_APP_ID }}' }} - secrets: - add-to-board-token: {{ '${{ secrets.ADD_TO_BOARD }}' }} - gh-token: {{ '${{ secrets.GITHUB_TOKEN }}' }} diff --git a/template/.github/workflows/build-website.yml.jinja b/template/.github/workflows/build-website.yml.jinja index 4b5543e..aa3dc24 100644 --- a/template/.github/workflows/build-website.yml.jinja +++ b/template/.github/workflows/build-website.yml.jinja @@ -10,7 +10,7 @@ permissions: read-all jobs: build-website: - uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main + runs-on: ubuntu-latest {%- if hosting_provider == 'gh-pages' %} with: hosting-provider: gh-pages 
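Review bot: The context lines `with:` / `hosting-provider: gh-pages` inside the `{%- if hosting_provider == 'gh-pages' %}` branch are left under a job that, with `runs-on: ubuntu-latest` replacing `uses:`, is no longer a reusable-workflow call; `with:` is only valid on a job that calls a reusable workflow, so the rendered gh-pages variant will be rejected at workflow parse time with an unexpected-value error. Remove the `with:` block and its `hosting-provider` entry and keep only the `permissions:` entries that the following hunk shows for that branch. The `build-website` job continues past the end of this hunk.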
@@ -18,9 +18,65 @@ jobs: contents: write pages: write {%- endif %} - secrets: - {% if hosting_provider == 'gh-pages' -%} - github-token: {{ '${{ secrets.GITHUB_TOKEN }}' }} - {%- elif hosting_provider == 'netlify' -%} - netlify-token: {{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }} + concurrency: + group: build-website-python-group + cancel-in-progress: true + env: + QUARTO_PYTHON: ".venv/bin/python3" + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: Check out repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Install uv + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + # Install a specific version of uv. + # uv recommends to set the version for best practice. + version: "0.11.15" + # To have a faster CI time, enable cache between runs. + enable-cache: true + # Reset the cache if the lock file changes. 
+ cache-dependency-glob: "uv.lock" + + - name: "Set up Python" + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version-file: "pyproject.toml" + + - name: Install the project and it's dependencies + run: | + uv sync --all-extras --dev + echo "$PWD/.venv/bin" >> "$GITHUB_PATH" + + - name: Set up Quarto + uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 + + - name: Spell check repo + uses: crate-ci/typos@aca895bf05aec0cb7dffa6f94495e923224d9f17 # v1.46.2 + + - name: Build function reference docs + run: uv run quartodoc build + + {% if hosting_provider == 'netlify' -%} + - name: Publish to Netlify (and render) + if: ${{ inputs.hosting-provider == 'netlify' }} + uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 + with: + target: netlify + NETLIFY_AUTH_TOKEN: ${{ secrets.netlify-token }} + + {%- elif hosting_provider == 'gh-pages' -%} + # NOTE: If Publishing to GitHub Pages, set the permissions correctly (see above). + - name: Publish to GitHub Pages (and render) + if: ${{ inputs.hosting-provider == 'gh-pages' }} + uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 + with: + target: gh-pages + env: + GITHUB_TOKEN: ${{ secrets.github-token }} {%- endif %} diff --git a/template/.github/workflows/check-package.yml b/template/.github/workflows/check-package.yml deleted file mode 100644 index 3a536ba..0000000 --- a/template/.github/workflows/check-package.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Check package - -on: - pull_request: - branches: - - main - push: - branches: - - main - -# Limit token permissions for security -permissions: read-all - -jobs: - build: - uses: seedcase-project/.github/.github/workflows/reusable-check-python.yml@main - # Permissions needed for pushing to the coverage branch. - permissions: - contents: write 
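Review bot: The publish steps read `secrets.netlify-token` and `secrets.github-token`, which were the secret names of the removed reusable workflow rather than secrets the repository has; the deleted `.jinja` version passed `secrets.NETLIFY_AUTH_TOKEN` and `secrets.GITHUB_TOKEN`, so the steps should be `NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}` and `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (Jinja-escaped like the rest of the template). The `if: ${{ inputs.hosting-provider == 'netlify' }}` and `if: ${{ inputs.hosting-provider == 'gh-pages' }}` conditions have the same origin: this workflow has no `workflow_call` or `workflow_dispatch` inputs, so `inputs` is either rejected at validation or empty, and in the latter case the condition is always false and the publish step never runs; since the Jinja branch already selects the provider, both `if:` lines can simply be dropped. Patch 6/6 later wraps these same expressions in Jinja escapes but keeps the wrong secret names and the `inputs` conditions. The `build-website` job starts before this hunk.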
diff --git a/template/.github/workflows/checks.yml b/template/.github/workflows/checks.yml
new file mode 100644
index 0000000..cc1224e
--- /dev/null
+++ b/template/.github/workflows/checks.yml
@@ -0,0 +1,152 @@ +name: Checks + +on: + pull_request: + branches: + - main + push: + branches: + - main + +# Limit token permissions for security +permissions: read-all + +jobs: + check-python: + # Permissions needed for pushing to the coverage branch. + permissions: + contents: write + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Install uv + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + enable-cache: true + + - name: Install justfile + run: sudo apt-get install -y just + + - name: Install Python + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version-file: "pyproject.toml" + + - name: Install the project and it's dependencies + run: just install-deps + + - name: Check Python style + run: just check-python + + - name: Run tests and coverage + run: just test-python + + - name: Prepare repo for coverage report + run: | + # So that folder can be committed + rm htmlcov/.gitignore + + - name: Push coverage report and badge to branch + uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0 + with: + branch: coverage + folder: htmlcov + # Keep a simple Git history + single-commit: true + + - name: Run security checks + run: just check-security + + - name: Run unused code checker + run: just check-unused + + check-typos: + runs-on: ubuntu-latest + steps: + # This is a useful security step to check for unexpected outbound calls from the runner, + # which could indicate a compromised token or runner. 
+ - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Spell check repo + uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1 + + check-website-build: + runs-on: ubuntu-latest + env: + QUARTO_PYTHON: ".venv/bin/python3" + steps: + # This is a useful security step to check for unexpected outbound calls from the runner, + # which could indicate a compromised token or runner. + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: Check out repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Install uv + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + # To have a faster CI time, enable cache between runs. + enable-cache: true + # Reset the cache if the lock file changes. 
+ cache-dependency-glob: "uv.lock" + + - name: "Set up Python" + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version-file: "pyproject.toml" + + - name: Install the project and it's dependencies + run: | + uv sync --all-extras --dev + echo "$PWD/.venv/bin" >> "$GITHUB_PATH" + + - name: Set up Quarto + uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 + + - name: Build function reference docs + run: uv run quartodoc build + + - name: Build function reference docs + run: uvx quartodoc build + + # Check that the website builds, but don't publish it + - name: Render Quarto Project + uses: quarto-dev/quarto-actions/render@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 + + # Dependency Review Action + # + # This Action will scan dependency manifest files that change as part of a Pull Request, + # surfacing known-vulnerable versions of the packages declared or updated in the PR. + # Once installed, if the workflow run is marked as required, + # PRs introducing known-vulnerable packages will be blocked from merging. + # + # Source repository: https://github.com/actions/dependency-review-action + check-dependencies: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - name: "Checkout Repository" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: "Dependency Review" + uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/template/.github/workflows/dependency-review.yml b/template/.github/workflows/dependency-review.yml deleted file mode 100644 index 8b29785..0000000 --- a/template/.github/workflows/dependency-review.yml +++ /dev/null 
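Review bot: `check-website-build` carries the "Build function reference docs" step twice, first as `uv run quartodoc build` and then as `uvx quartodoc build`; the second form runs quartodoc from an ephemeral uvx environment instead of the project `.venv` that `QUARTO_PYTHON` points at, so keep only the `uv run` step. `check-dependencies` now runs on `push` to `main` as well as on `pull_request`, whereas the deleted `dependency-review.yml` was `on: pull_request` only; dependency-review-action needs a base and head to compare and, as far as I can tell, fails on push events unless `base-ref`/`head-ref` are supplied, so add `if: ${{ github.event_name == 'pull_request' }}` to that job. Conversely, `check-python`'s "Push coverage report and badge to branch" step runs on pull requests with `contents: write`, which overwrites the `coverage` branch from unmerged PRs and fails for fork PRs whose token is read-only; gating that step on `github.event_name == 'push'` keeps the branch tied to `main`. `crate-ci/typos` is pinned to v1.45.1 here but to v1.46.2 in build-website.yml.jinja in the same commit.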
@@ -1,17 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: "Security: Dependency Review" -on: pull_request - -# Limit token permissions for security -permissions: read-all - -jobs: - dependency-review: - uses: seedcase-project/.github/.github/workflows/reusable-dependency-review.yml@main diff --git a/template/.github/workflows/scorecards.yml b/template/.github/workflows/scorecards.yml index 68827d2..230338b 100644 --- a/template/.github/workflows/scorecards.yml +++ b/template/.github/workflows/scorecards.yml @@ -9,7 +9,7 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: '20 7 * * 2' + - cron: "20 7 * * 2" push: branches: - main 
@@ -19,10 +19,46 @@ permissions: read-all jobs: analysis: - name: Analysis - uses: seedcase-project/.github/.github/workflows/reusable-scorecards.yml@main + name: Scorecard analysis + runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 + with: + results_file: results.sarif + results_format: sarif + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v3.29.5 + with: + sarif_file: results.sarif From a612f744f79e1c44c9d7e5075131e65f6dff2b83 Mon Sep 17 00:00:00 2001 
From: "Luke W. Johnston" Date: Fri, 22 May 2026 12:43:11 +0200 Subject: [PATCH 2/6] refactor: :pencil2: edits from review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Signe Kirk Brødbæk <40836345+signekb@users.noreply.github.com> --- template/.github/workflows/add-to-project.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/template/.github/workflows/add-to-project.yml b/template/.github/workflows/add-to-project.yml index d0a0578..1495cdb 100644 --- a/template/.github/workflows/add-to-project.yml +++ b/template/.github/workflows/add-to-project.yml @@ -37,9 +37,9 @@ jobs: - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: app-token with: - # TODO: Make sure that the repo has this variable set up. - client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}" - # TODO: Confirm that this secret is set up for this repo. + # TODO: Confirm that this variable is set up for this repo. + client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}" + # TODO: Confirm that this secret is set up for this repo. private-key: "${{ secrets.ADD_TO_BOARD }}" - name: Add issue or PR to project board From 7de697c4ae90317aa2f63b9b60a3c7b750a51042 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 22 May 2026 10:43:44 +0000 Subject: [PATCH 3/6] =?UTF-8?q?chore:=20=E2=9C=8F=EF=B8=8F=20automatic=20p?= =?UTF-8?q?re-commit=20hook=20fixes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/.github/workflows/add-to-project.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/template/.github/workflows/add-to-project.yml b/template/.github/workflows/add-to-project.yml index 1495cdb..441c59a 100644 --- a/template/.github/workflows/add-to-project.yml +++ b/template/.github/workflows/add-to-project.yml 
@@ -37,9 +37,9 @@ jobs: - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: app-token with: - # TODO: Confirm that this variable is set up for this repo. - client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}" - # TODO: Confirm that this secret is set up for this repo. + # TODO: Confirm that this variable is set up for this repo. + client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}" + # TODO: Confirm that this secret is set up for this repo. private-key: "${{ secrets.ADD_TO_BOARD }}" - name: Add issue or PR to project board From 5fa8284811344cac0b15f6b7de1375fa41c5bac5 Mon Sep 17 00:00:00 2001 From: "Luke W. Johnston" Date: Fri, 22 May 2026 12:52:08 +0200 Subject: [PATCH 4/6] =?UTF-8?q?refactor:=20=E2=9C=8F=EF=B8=8F=20explain=20?= =?UTF-8?q?about=20cron=20meaning?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/.github/workflows/scorecards.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/template/.github/workflows/scorecards.yml b/template/.github/workflows/scorecards.yml index 230338b..dda0924 100644 --- a/template/.github/workflows/scorecards.yml +++ b/template/.github/workflows/scorecards.yml @@ -9,6 +9,8 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: + # Default used by the scorecard action. + # Runs every Tuesday at 7:20am UTC. See https://crontab.guru/#20_7_*_*_2 - cron: "20 7 * * 2" push: branches: From 8c444acac81ccbdf2870ff39d5fa16ad02205ac0 Mon Sep 17 00:00:00 2001 
From: "Luke W. Johnston" Date: Fri, 22 May 2026 12:52:25 +0200 Subject: [PATCH 5/6] =?UTF-8?q?refactor:=20=F0=9F=93=8C=20update=20harden?= =?UTF-8?q?=20runner=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/add-to-project.yml | 2 +- .github/workflows/build-website.yml | 2 +- .github/workflows/checks.yml | 8 ++++---- .github/workflows/release.yml | 2 +- template/.github/workflows/add-to-project.yml | 2 +- template/.github/workflows/checks.yml | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 092bd37..84bb311 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -26,7 +26,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit diff --git a/.github/workflows/build-website.yml b/.github/workflows/build-website.yml index 9414f0b..aa52582 100644 --- a/.github/workflows/build-website.yml +++ b/.github/workflows/build-website.yml @@ -21,7 +21,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 1bc9177..c422ff4 100644 --- a/.github/workflows/checks.yml 
+++ b/.github/workflows/checks.yml @@ -11,7 +11,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit @@ -41,7 +41,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit @@ -57,7 +57,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit @@ -83,7 +83,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9eebcdf..92ee1a5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -24,7 +24,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit diff --git a/template/.github/workflows/add-to-project.yml b/template/.github/workflows/add-to-project.yml index 441c59a..36e37f8 100644 --- a/template/.github/workflows/add-to-project.yml +++ b/template/.github/workflows/add-to-project.yml @@ -27,7 +27,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit diff --git a/template/.github/workflows/checks.yml b/template/.github/workflows/checks.yml index cc1224e..7bd8009 100644 --- a/template/.github/workflows/checks.yml +++ b/template/.github/workflows/checks.yml @@ -73,7 +73,7 @@ jobs: # This is a useful security step to check for unexpected outbound calls from the runner, # which could indicate a compromised token or runner. - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit 
@@ -141,7 +141,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: egress-policy: audit From bac189e13547720a47370cf54023deb2f8fb61fa Mon Sep 17 00:00:00 2001 From: "Luke W. Johnston" Date: Fri, 22 May 2026 12:57:29 +0200 Subject: [PATCH 6/6] =?UTF-8?q?fix:=20=F0=9F=90=9B=20forgot=20to=20escape?= =?UTF-8?q?=20the=20workflow=20variables=20in=20Jinja?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/.github/workflows/build-website.yml.jinja | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/template/.github/workflows/build-website.yml.jinja b/template/.github/workflows/build-website.yml.jinja index aa3dc24..b4c6c51 100644 --- a/template/.github/workflows/build-website.yml.jinja +++ b/template/.github/workflows/build-website.yml.jinja @@ -64,19 +64,19 @@ jobs: {% if hosting_provider == 'netlify' -%} - name: Publish to Netlify (and render) - if: ${{ inputs.hosting-provider == 'netlify' }} + if: {{ "${{ inputs.hosting-provider == 'netlify' }}" }} uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 with: target: netlify - NETLIFY_AUTH_TOKEN: ${{ secrets.netlify-token }} + NETLIFY_AUTH_TOKEN: {{ '${{ secrets.netlify-token }}' }} {%- elif hosting_provider == 'gh-pages' -%} # NOTE: If Publishing to GitHub Pages, set the permissions correctly (see above). - name: Publish to GitHub Pages (and render) - if: ${{ inputs.hosting-provider == 'gh-pages' }} + if: {{ "${{ inputs.hosting-provider == 'gh-pages' }}" }} uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0 with: target: gh-pages env: - GITHUB_TOKEN: ${{ secrets.github-token }} + GITHUB_TOKEN: {{ '${{ secrets.github-token }}' }} {%- endif %}