feat: ✨ copy over static files to template folder

Author: martonvago

.gitignore

@@ -2,6 +2,7 @@
 _ignore
 bin/
 dev/
+_temp/
 
 # Temporary files
 *.tmp

README.md

@@ -1,6 +1,9 @@
 # Template for Seedcase Python packages
 
-This repository contains a template for setting up new Python package projects in Seedcase. The first step is to create a new repository using this template. This can easily be done by clicking the "Use this template" button on the repository page or by using the GitHub CLI:
+This repository contains a template for setting up new Python package
+projects in Seedcase. The first step is to create a new repository using
+this template. This can easily be done by clicking the "Use this
+template" button on the repository page or by using the GitHub CLI:
 
 ``` bash
 # NAME is the name to give the new repository
@@ -9,15 +12,18 @@ gh repo create NAME --template seedcase-project/template-python-project
 
 ## Setting things up after cloning
 
-Search for `NAME` and `REPO` and replace them with the name of your project and the repository name. Then look for any `TODO` items.
+Search for `NAME` and `REPO` and replace them with the name of your
+project and the repository name. Then look for any `TODO` items.
 
 ## Setting things up
 
-Use the commands found in [`spaid`](https://github.com/seedcase-project/spaid) repo to run the next setup steps.
+Use the commands found in
+[`spaid`](https://github.com/seedcase-project/spaid) repo to run the
+next setup steps.
 
 Need to install these packages after:
 
 ``` bash
 uv add --dev pre-commit ruff typos pytest bandit commitizen \
-    genbadge jupyter pytest-cov quartodoc
+    genbadge jupyter pytest-cov quartodoc types-tabulate mypy vulture
 ```

template/.cz.toml

@@ -0,0 +1,6 @@
+[tool.commitizen]
+bump_message = "build(version): :bookmark: update version from $current_version to $new_version"
+update_changelog_on_bump = true
+version_provider = "uv"
+# Don't regenerate the changelog on every update
+changelog_incremental = true

template/.editorconfig

@@ -0,0 +1,23 @@
+# EditorConfig settings. Some editors will read these automatically;
+# for those that don't, see here: http://editorconfig.org/
+
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+max_line_length = 88
+
+# Have a bit shorter line length for text docs
+[*.{txt,md,qmd}]
+max_line_length = 72
+indent_size = 4
+
+# Python always uses 4 spaces for tabs
+[*.py]
+indent_style = space
+indent_size = 4

template/.github/pull_request_template.md

@@ -0,0 +1,13 @@
+# Description
+
+This PR DESCRIBE CHANGES.
+
+Closes #
+
+This PR needs a quick/an in-depth review.
+
+## Checklist
+
+- [ ] Added or updated tests
+- [ ] Updated documentation
+- [ ] Ran `just run-all`

template/.github/workflows/build-package.yml

@@ -0,0 +1,19 @@
+name: Build package
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  build:
+    uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@main
+    # Permissions needed for pushing to the coverage branch.
+    permissions:
+      contents: write

template/.github/workflows/build-website.yml

@@ -0,0 +1,17 @@
+name: Build website
+
+on:
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  build-website:
+    uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main
+    secrets:
+      netlify-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+      # This is to allow using `gh` CLI
+      github-token: ${{ secrets.GITHUB_TOKEN }}

template/.github/workflows/dependency-review.yml

@@ -0,0 +1,17 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: "Security: Dependency Review"
+on: pull_request
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  dependency-review:
+    uses: seedcase-project/.github/.github/workflows/reusable-dependency-review.yml@main

template/.github/workflows/release-package.yml

@@ -0,0 +1,61 @@
+name: Release package
+
+on:
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  release:
+    # This job outputs env variables `previous_version` and `current_version`.
+    # Only give permissions for this job.
+    permissions:
+      contents: write
+    uses: seedcase-project/.github/.github/workflows/reusable-release-project.yml@main
+    with:
+      app-id: ${{ vars.UPDATE_VERSION_APP_ID }}
+    secrets:
+      update-version-gh-token: ${{ secrets.UPDATE_VERSION_TOKEN }}
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    # Only give permissions for this job.
+    permissions:
+      # IMPORTANT: mandatory for trusted publishing.
+      id-token: write
+    environment:
+      name: pypi
+    needs:
+      - release
+    if: ${{ needs.release.outputs.previous_version != needs.release.outputs.current_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # Need to explicitly get the current version, otherwise it defaults to current commit
+          # (which is not the same as the release/version commit).
+          ref: ${{ needs.release.outputs.current_version }}
+
+      # This workflow and the publish workflows are based on:
+      # - https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
+      # - https://www.andrlik.org/dispatches/til-use-uv-for-build-and-publish-github-actions/
+      # - https://github.com/astral-sh/trusted-publishing-examples
+      - name: Set up uv
+        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+
+      - name: Build distributions
+        # Builds dists from source and stores them in the dist/ directory.
+        run: uv build
+
+      - name: Publish 📦 to PyPI
+        # Only publish if the option is explicitly set in the calling workflow.
+        run: uv publish --trusted-publishing always

template/.github/workflows/scorecards.yml

@@ -0,0 +1,28 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+name: "Security: Scorecard"
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches:
+      - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Analysis
+    uses: seedcase-project/.github/.github/workflows/reusable-scorecards.yml@main
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write