2 changes: 1 addition & 1 deletion .github/workflows/add-to-project.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

2 changes: 1 addition & 1 deletion .github/workflows/build-website.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

8 changes: 4 additions & 4 deletions .github/workflows/checks.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

Expand Down Expand Up @@ -41,7 +41,7 @@ jobs:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

Expand All @@ -57,7 +57,7 @@ jobs:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

Expand All @@ -83,7 +83,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

59 changes: 59 additions & 0 deletions template/.github/workflows/add-to-project.yml
@@ -0,0 +1,59 @@
name: Add to project board

on:
issues:
types:
- opened
- reopened
- transferred
pull_request:
types:
- reopened
- opened

# Limit token permissions for security
permissions: read-all

env:
# TODO: Fill in with the correct board number for this repo.
BOARD_NUMBER: ""

jobs:
add-to-project:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
# This is a useful security step to check for unexpected outbound calls from the runner,
# which could indicate a compromised token or runner.
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

# Using this security pattern for GitHub Apps is recommended by GitHub and ensures that
# the token is only available for a short time and has limited permissions. Check out
# <https://guidebook.seedcase-project.org/operations/security> for more details.
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
id: app-token
with:
# TODO: Confirm that this variable is set up for this repo.
client-id: "${{ vars.ADD_TO_BOARD_APP_ID }}"
# TODO: Confirm that this secret is set up for this repo.
private-key: "${{ secrets.ADD_TO_BOARD }}"

- name: Add issue or PR to project board
uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: "https://github.com/orgs/${{ github.repository_owner }}/projects/${{ env.BOARD_NUMBER }}"
github-token: "${{ steps.app-token.outputs.token }}"

- name: Assign PR to creator
if: ${{ github.event_name == 'pull_request' }}
run: |
gh pr edit $PR --add-assignee $AUTHOR --repo $REPO
env:
REPO: ${{ github.repository }}
AUTHOR: ${{ github.event.pull_request.user.login }}
PR: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
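Review bot: The app-token step (`actions/create-github-app-token`, `id: app-token`) passes no `permission-*` inputs, so despite the comment above it saying the token "has limited permissions" it is minted with every permission the installed app holds; requesting only what the next step needs, e.g. `permission-organization-projects: write` plus `permission-issues: read` and `permission-pull-requests: read`, would make that comment true — confirm the exact set against the action's documentation and the app's installation. Separately, on `pull_request` runs from forks repository secrets are not exposed and `GITHUB_TOKEN` is read-only, so `secrets.ADD_TO_BOARD` and the `gh pr edit` assignee step will presumably fail there; a job-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`, or a comment stating the template assumes same-repo PRs, would avoid noisy failed runs. Minor: quote the shell expansions, `gh pr edit "$PR" --add-assignee "$AUTHOR" --repo "$REPO"`, and note that the empty `BOARD_NUMBER: ""` yields a `project-url` ending in `/projects/` until the TODO is filled in, which the action will presumably reject rather than skip.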
28 changes: 0 additions & 28 deletions template/.github/workflows/add-to-project.yml.jinja

This file was deleted.

68 changes: 62 additions & 6 deletions template/.github/workflows/build-website.yml.jinja
Expand Up @@ -10,17 +10,73 @@ permissions: read-all

jobs:
build-website:
uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main
runs-on: ubuntu-latest
{%- if hosting_provider == 'gh-pages' %}
with:
hosting-provider: gh-pages
permissions:
contents: write
pages: write
{%- endif %}
secrets:
{% if hosting_provider == 'gh-pages' -%}
github-token: {{ '${{ secrets.GITHUB_TOKEN }}' }}
{%- elif hosting_provider == 'netlify' -%}
netlify-token: {{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }}
concurrency:
group: build-website-python-group
cancel-in-progress: true
env:
QUARTO_PYTHON: ".venv/bin/python3"
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
# Install a specific version of uv.
# uv recommends to set the version for best practice.
version: "0.11.15"
# To have a faster CI time, enable cache between runs.
enable-cache: true
# Reset the cache if the lock file changes.
cache-dependency-glob: "uv.lock"

- name: "Set up Python"
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version-file: "pyproject.toml"

- name: Install the project and it's dependencies
run: |
uv sync --all-extras --dev
echo "$PWD/.venv/bin" >> "$GITHUB_PATH"

- name: Set up Quarto
uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0

- name: Spell check repo
uses: crate-ci/typos@aca895bf05aec0cb7dffa6f94495e923224d9f17 # v1.46.2

- name: Build function reference docs
run: uv run quartodoc build

{% if hosting_provider == 'netlify' -%}
- name: Publish to Netlify (and render)
if: {{ "${{ inputs.hosting-provider == 'netlify' }}" }}
uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
with:
target: netlify
NETLIFY_AUTH_TOKEN: {{ '${{ secrets.netlify-token }}' }}

{%- elif hosting_provider == 'gh-pages' -%}
# NOTE: If Publishing to GitHub Pages, set the permissions correctly (see above).
- name: Publish to GitHub Pages (and render)
if: {{ "${{ inputs.hosting-provider == 'gh-pages' }}" }}
uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b # v2.2.0
with:
target: gh-pages
env:
GITHUB_TOKEN: {{ '${{ secrets.github-token }}' }}
{%- endif %}
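Review bot: The two publish steps still read the secrets under the reusable workflow's input names — `NETLIFY_AUTH_TOKEN: {{ '${{ secrets.netlify-token }}' }}` and `GITHUB_TOKEN: {{ '${{ secrets.github-token }}' }}` — but now that the job runs inline these resolve against repository secrets, and the deleted `secrets:` mapping shows the real names were `NETLIFY_AUTH_TOKEN` and `GITHUB_TOKEN`; hyphenated secret names cannot be defined on a repository, so both presumably expand to empty and publishing fails. They should read `{{ '${{ secrets.NETLIFY_AUTH_TOKEN }}' }}` and `{{ '${{ secrets.GITHUB_TOKEN }}' }}`. The `if: {{ "${{ inputs.hosting-provider == '...' }}" }}` guards likewise refer to a `workflow_call` input this job no longer receives (the `on:` block is above the hunk, so this is inferred); since the Jinja `{% if hosting_provider %}` already picks the branch at render time, the `if:` lines should be dropped, otherwise the condition is false and the publish step is skipped. Since the gh-pages branch now grants `contents: write` to this job, consider `persist-credentials: false` on the checkout step unless the Quarto publish action relies on the stored credential — worth confirming before applying.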
19 changes: 0 additions & 19 deletions template/.github/workflows/check-package.yml

This file was deleted.
