├── docs ├── DCO.md ├── LICENSE.md ├── ROADMAP.md ├── index.md ├── ADOPTERS.md ├── CHANGELOG.md ├── SECURITY.md ├── template │ ├── index.md │ ├── README.md │ ├── about │ │ ├── index.md │ │ ├── .nav.yml │ │ ├── README.md │ │ ├── tips-and-tricks.md │ │ └── philosophy.md │ ├── details │ │ ├── index.md │ │ ├── github-actions.md │ │ ├── .nav.yml │ │ ├── README.md │ │ ├── python.md │ │ ├── prose.md │ │ ├── other-languages.md │ │ ├── tests.md │ │ ├── legal.md │ │ └── scheduled-jobs.md │ ├── quickstart │ │ ├── index.md │ │ └── README.md │ ├── configuration │ │ ├── index.md │ │ ├── .nav.yml │ │ ├── README.md │ │ └── basic.md │ ├── release-your-project │ │ ├── index.md │ │ ├── README.md │ │ └── checklist.md │ └── .nav.yml ├── CONTRIBUTING.md ├── GOVERNANCE.md ├── ANNOUNCEMENTS.md ├── CODE_OF_CONDUCT.md ├── SECURITY-DEPENDENCY.md ├── SECURITY-SELF-ASSESSMENT.md ├── scripts │ ├── __init__.py │ ├── README.md │ └── gen_ref_pages.py ├── tutorials │ └── README.md ├── explanations │ └── README.md ├── how-to │ └── README.md ├── .nav.yml └── README.md ├── src ├── opentemplate │ ├── py.typed │ ├── py.typed.license │ └── __init__.py └── README.md ├── LICENSE.md ├── template-setup ├── overwrite │ ├── src │ │ ├── opentemplate │ │ │ ├── py.typed │ │ │ ├── py.typed.license │ │ │ └── __init__.py │ │ └── README.md │ ├── CITATION.cff.license │ ├── ROADMAP.md │ ├── ANNOUNCEMENTS.md │ ├── CODEOWNERS │ ├── tests │ │ ├── README.md │ │ └── test_smoke.py │ ├── CITATION.cff │ ├── ADOPTERS.md │ └── GOVERNANCE.md ├── create-cookiecutter-json.sh └── rename.sh ├── pdm.lock.license ├── CITATION.cff.license ├── .github ├── renovate.json.license ├── rulesets │ ├── branch-all-human.json.license │ ├── branch-bot-human.json.license │ ├── tags-all-everyone.json.license │ ├── branch-all-everyone.json.license │ ├── branch-default-human.json.license │ ├── branch-default-everyone.json.license │ ├── branch-all-everyone.json │ ├── branch-default-everyone.json │ ├── branch-all-human.json │ ├── branch-bot-human.json │ 
├── tags-all-everyone.json │ └── branch-default-human.json ├── label-title.yml ├── tools │ ├── find-cog-files.sh │ └── update-actions-names.sh ├── actions │ ├── git-setup │ │ └── action.yml │ ├── pull-request │ │ └── action.yml │ ├── pdm-compatibility │ │ └── action.yml │ ├── sarif-upload │ │ └── action.yml │ └── release-sbom-setup │ │ └── action.yml ├── workflows │ ├── pyproject-reusable.yml │ ├── legal-reusable.yml │ ├── release-check-reusable.yml │ ├── json-reusable.yml │ ├── toml-reusable.yml │ ├── python-reusable.yml │ ├── template-update-reusable.yml │ ├── pytest-reusable.yml │ ├── citation-reusable.yml │ ├── typing-reusable.yml │ ├── yaml-reusable.yml │ ├── github-reusable.yml │ ├── commit-reusable.yml │ ├── generation-reusable.yml │ ├── ini-reusable.yml │ ├── shell-reusable.yml │ ├── github-renovate-reusable.yml │ ├── legal.yml │ ├── commit.yml │ ├── github.yml │ ├── generation.yml │ ├── github-workflows.yml │ ├── release-check.yml │ ├── template-update.yml │ ├── github-actions-reusable.yml │ ├── cache.yml │ ├── github-workflows-reusable.yml │ ├── github-actions.yml │ ├── security-semgrep-update.yml │ ├── text-reusable.yml │ ├── generation-update.yml │ ├── pre-commit-update.yml │ ├── security-osv-scanner-update.yml │ ├── pre-commit.yml │ ├── cache-test.yml │ ├── docs-reusable.yml │ ├── text.yml │ ├── ini-renovate.yml │ ├── docs-renovate.yml │ ├── github-renovate.yml │ ├── yaml-renovate.yml │ ├── json-renovate.yml │ ├── security-scorecard-update.yml │ ├── toml-renovate.yml │ ├── legal-renovate.yml │ ├── shell-renovate.yml │ ├── commit-renovate.yml │ ├── pytest-renovate.yml │ ├── python-renovate.yml │ ├── typing-renovate.yml │ ├── citation-renovate.yml │ ├── markdown-renovate.yml │ ├── pyproject-renovate.yml │ ├── security-semgrep.yml │ ├── generation-renovate.yml │ ├── json.yml │ ├── toml.yml │ ├── shell.yml │ ├── release-check-renovate.yml │ ├── pytest.yml │ ├── python.yml │ ├── security-osv-scanner.yml │ ├── typing.yml │ ├── ini.yml │ ├── 
tests-renovate.yml │ ├── yaml.yml │ ├── citation.yml │ ├── pyproject.yml │ ├── text-renovate.yml │ ├── markdown.yml │ ├── docs.yml │ ├── tests.yml │ ├── security-scorecard-test.yml │ ├── pre-commit-hooks.yml │ ├── release-sboms-test.yml │ ├── generation-update-test.yml │ ├── pre-commit-config.yml │ ├── security-semgrep-renovate.yml │ ├── release-slsa-provenance-test.yml │ ├── markdown-reusable.yml │ ├── prose.yml │ ├── release-sarifs-reusable.yml │ ├── security-secrets.yml │ ├── renovate.yml │ ├── stale.yml │ ├── github-actionlint.yml │ ├── pull-request.yml │ ├── policy.yml │ ├── github-all-renovate.yml │ ├── labeler.yml │ ├── run-check-reusable.yml │ ├── release-sbom-attest-reusable.yml │ └── security-osv-scanner-reusable.yml ├── ISSUE_TEMPLATE │ └── config.yml ├── PULL_REQUEST_TEMPLATE.md ├── DISCUSSION_TEMPLATE │ ├── show-and-tell.yml │ ├── general.yml │ ├── ideas.yml │ └── announcements.yml ├── reusability │ ├── localize.sh │ └── globalize.sh └── label-path.yml ├── pdm.toml ├── scorecard.yml ├── .conform.yaml ├── ROADMAP.md ├── CHANGELOG.md ├── tests ├── README.md └── test_smoke.py ├── CODEOWNERS ├── .gitattributes ├── ANNOUNCEMENTS.md ├── __pypackages__ └── README.md ├── .editorconfig ├── .vale.ini ├── CITATION.cff ├── ADOPTERS.md ├── GOVERNANCE.md ├── SUPPORT.md ├── DCO.md ├── .yamllint.yml └── SECURITY.md /docs/DCO.md: -------------------------------------------------------------------------------- 1 | ../DCO.md -------------------------------------------------------------------------------- /docs/LICENSE.md: -------------------------------------------------------------------------------- 1 | ../LICENSE.md -------------------------------------------------------------------------------- /docs/ROADMAP.md: -------------------------------------------------------------------------------- 1 | ../ROADMAP.md -------------------------------------------------------------------------------- /docs/index.md: 
-------------------------------------------------------------------------------- 1 | ../README.md -------------------------------------------------------------------------------- /src/opentemplate/py.typed: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | LICENSES/Apache-2.0.txt -------------------------------------------------------------------------------- /docs/ADOPTERS.md: -------------------------------------------------------------------------------- 1 | ../ADOPTERS.md -------------------------------------------------------------------------------- /docs/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ../CHANGELOG.md -------------------------------------------------------------------------------- /docs/SECURITY.md: -------------------------------------------------------------------------------- 1 | ../SECURITY.md -------------------------------------------------------------------------------- /docs/template/index.md: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /docs/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ../CONTRIBUTING.md -------------------------------------------------------------------------------- /docs/GOVERNANCE.md: -------------------------------------------------------------------------------- 1 | ../GOVERNANCE.md -------------------------------------------------------------------------------- /docs/template/README.md: -------------------------------------------------------------------------------- 1 | ../../README.md -------------------------------------------------------------------------------- 
/docs/template/about/index.md: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /docs/ANNOUNCEMENTS.md: -------------------------------------------------------------------------------- 1 | ../ANNOUNCEMENTS.md -------------------------------------------------------------------------------- /docs/template/details/index.md: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /docs/template/quickstart/index.md: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /docs/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ../CODE_OF_CONDUCT.md -------------------------------------------------------------------------------- /docs/template/configuration/index.md: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /docs/SECURITY-DEPENDENCY.md: -------------------------------------------------------------------------------- 1 | ../SECURITY-DEPENDENCY.md -------------------------------------------------------------------------------- /docs/template/release-your-project/index.md: -------------------------------------------------------------------------------- 1 | README.md -------------------------------------------------------------------------------- /template-setup/overwrite/src/opentemplate/py.typed: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /docs/SECURITY-SELF-ASSESSMENT.md: 
-------------------------------------------------------------------------------- 1 | ../SECURITY-SELF-ASSESSMENT.md -------------------------------------------------------------------------------- /docs/template/details/github-actions.md: -------------------------------------------------------------------------------- 1 | ../../../.github/workflows/README.md -------------------------------------------------------------------------------- /pdm.lock.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: NONE 2 | 3 | SPDX-License-Identifier: CC0-1.0 4 | -------------------------------------------------------------------------------- /CITATION.cff.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /.github/renovate.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /src/opentemplate/py.typed.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /.github/rulesets/branch-all-human.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | 
-------------------------------------------------------------------------------- /.github/rulesets/branch-bot-human.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /.github/rulesets/tags-all-everyone.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /template-setup/overwrite/CITATION.cff.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /.github/rulesets/branch-all-everyone.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /.github/rulesets/branch-default-human.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /.github/rulesets/branch-default-everyone.json.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | 
SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /template-setup/overwrite/src/opentemplate/py.typed.license: -------------------------------------------------------------------------------- 1 | SPDX-FileCopyrightText: © 2025 open-nudge 2 | SPDX-FileContributor: szymonmaszke 3 | 4 | SPDX-License-Identifier: Apache-2.0 5 | -------------------------------------------------------------------------------- /pdm.toml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | [python] 7 | use_pyenv = false 8 | use_venv = false 9 | -------------------------------------------------------------------------------- /template-setup/overwrite/ROADMAP.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Roadmap 9 | 10 | 11 | -------------------------------------------------------------------------------- /docs/template/configuration/.nav.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | 8 | nav: 9 | - "index.md" 10 | - "basic.md" 11 | - "advanced.md" 12 | ... 
13 | -------------------------------------------------------------------------------- /template-setup/overwrite/ANNOUNCEMENTS.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Announcements 9 | 10 | 11 | -------------------------------------------------------------------------------- /docs/scripts/__init__.py: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | """Mini-module with docstrings preprocessing scripts. 7 | 8 | Consult `/mkdocs.yml` for more information. 9 | """ 10 | -------------------------------------------------------------------------------- /.github/label-title.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | feat: 8 | - "(feat)" 9 | fix: 10 | - "(fix)" 11 | "fix!": 12 | - "(fix!)" 13 | "feat!": 14 | - "(feat!)" 15 | ... 16 | -------------------------------------------------------------------------------- /docs/template/about/.nav.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | 8 | nav: 9 | - "index.md" 10 | - "philosophy.md" 11 | - "comparison.md" 12 | - "tips-and-tricks.md" 13 | - "faq.md" 14 | ... 
15 | -------------------------------------------------------------------------------- /scorecard.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | annotations: 8 | - checks: 9 | - "fuzzing" 10 | reasons: 11 | - "not-supported" # See: https://github.com/ossf/scorecard/issues/4549 12 | ... 13 | -------------------------------------------------------------------------------- /docs/template/.nav.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | 8 | nav: 9 | - "index.md" 10 | - "quickstart" 11 | - "release-your-project" 12 | - "configuration" 13 | - "details" 14 | - "about" 15 | ... 16 | -------------------------------------------------------------------------------- /.conform.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | policies: 8 | - type: "commit" 9 | spec: 10 | dco: true 11 | gpg: 12 | required: true 13 | spellcheck: 14 | locale: "US" 15 | ... 16 | -------------------------------------------------------------------------------- /ROADMAP.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Roadmap 9 | 10 | - Add support for [ty](https://github.com/astral-sh/ty) for type checking 11 | instead of `basepyright` once it becomes a little bit more mature. 
12 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Changelog 9 | 10 | 11 | 12 | See [releases](https://github.com/open-nudge/opentemplate/releases) 13 | for detailed changelog. 14 | -------------------------------------------------------------------------------- /.github/rulesets/branch-all-everyone.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "branch-all-everyone", 3 | "target": "branch", 4 | "enforcement": "active", 5 | "conditions": { 6 | "ref_name": { 7 | "exclude": [], 8 | "include": [ 9 | "~ALL" 10 | ] 11 | } 12 | }, 13 | "rules": [ 14 | { 15 | "type": "non_fast_forward" 16 | } 17 | ], 18 | "bypass_actors": [] 19 | } 20 | -------------------------------------------------------------------------------- /.github/rulesets/branch-default-everyone.json: -------------------------------------------------------------------------------- 1 | { 2 | "enforcement": "active", 3 | "name": "branch-default-everyone", 4 | "rules": [ 5 | { 6 | "type": "deletion" 7 | } 8 | ], 9 | "conditions": { 10 | "ref_name": { 11 | "include": [ 12 | "~DEFAULT_BRANCH", 13 | "refs/heads/gh-pages" 14 | ], 15 | "exclude": [] 16 | } 17 | }, 18 | "target": "branch" 19 | } 20 | -------------------------------------------------------------------------------- /template-setup/overwrite/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | # Define the code owners for the repository manually 7 | # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners 8 | # for more information 9 | 
-------------------------------------------------------------------------------- /tests/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Tests of opentemplate 9 | 10 | - `test_smoke.py` - generic 11 | [smoke tests](https://grafana.com/blog/2024/01/30/smoke-testing/) 12 | to check if the package is importable 13 | 14 | 15 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | # Define the code owners for the repository manually 7 | # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners 8 | # for more information 9 | # 10 | * @szymonmaszke 11 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | # Auto-detect and normalize text files 7 | * text=auto eol=lf 8 | 9 | # Declare binary files 10 | *.png binary 11 | *.jpg binary 12 | *.gif binary 13 | *.pdf binary 14 | *.zip binary 15 | *.egg binary 16 | *.whl binary 17 | *.pyd binary 18 | *.so binary 19 | -------------------------------------------------------------------------------- /template-setup/overwrite/tests/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Tests of opentemplate 9 | 10 | - `test_smoke.py` - generic 11 | [smoke tests](https://grafana.com/blog/2024/01/30/smoke-testing/) 12 | to check if the package is importable 13 | 14 | 15 | 
-------------------------------------------------------------------------------- /tests/test_smoke.py: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | """Smoke tests of the package.""" 7 | 8 | from __future__ import annotations 9 | 10 | import opentemplate 11 | 12 | 13 | def test_version() -> None: 14 | """Smoke test package version.""" 15 | # nosemgrep 16 | assert opentemplate.__version__ != "" 17 | -------------------------------------------------------------------------------- /docs/template/details/.nav.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | 8 | nav: 9 | - "index.md" 10 | - "security.md" 11 | - "tests.md" 12 | - "python.md" 13 | - "documentation.md" 14 | - "github-actions.md" 15 | - "scheduled-jobs.md" 16 | - "legal.md" 17 | - "prose.md" 18 | - "other-languages.md" 19 | ... 
20 | -------------------------------------------------------------------------------- /template-setup/overwrite/tests/test_smoke.py: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | """Smoke tests of the package.""" 7 | 8 | from __future__ import annotations 9 | 10 | import opentemplate 11 | 12 | 13 | def test_version() -> None: 14 | """Smoke test package version.""" 15 | # nosemgrep 16 | assert opentemplate.__version__ != "" 17 | -------------------------------------------------------------------------------- /.github/tools/find-cog-files.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | # SPDX-FileCopyrightText: © 2025 open-nudge 4 | # SPDX-FileContributor: szymonmaszke 5 | # 6 | # SPDX-License-Identifier: Apache-2.0 7 | 8 | # Find all files with cog tags in a directory 9 | # This list is later used to provide a list of files to update 10 | # in pyproject.toml fix-generation and check-generation 11 | DIRECTORY="${1:-.}" 12 | 13 | find "${DIRECTORY}" -type f -exec grep -l '\[\[\[cog' {} + 14 | -------------------------------------------------------------------------------- /docs/template/quickstart/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Quick start 9 | 10 | `opentemplate` works like a typical Python project but adds automation 11 | and best practices behind the scenes. 
12 | 13 | To get started: 14 | 15 | - [Installation](installation.md) – one-click setup 16 | - [Usage](usage.md) – daily workflow with `opennudge` 17 | -------------------------------------------------------------------------------- /src/opentemplate/__init__.py: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | """Official documentation.""" 7 | 8 | from __future__ import annotations 9 | 10 | from importlib.metadata import version 11 | 12 | __version__ = version("opentemplate") 13 | """Latest opentemplate version.""" 14 | 15 | del version 16 | 17 | __all__: list[str] = [ 18 | "__version__", 19 | ] 20 | -------------------------------------------------------------------------------- /docs/scripts/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Documentation scripts 9 | 10 | Place any `markdown` preprocessing scripts run by `mkdocs` here. 11 | 12 | > [!TIP] 13 | > See `mkdocs.yml` section `plugins.gen-files.scripts` for more details 14 | > and [`mkdocs-gen-files`](https://github.com/oprypin/mkdocs-gen-files) 15 | > for the script running plugin. 
16 | -------------------------------------------------------------------------------- /ANNOUNCEMENTS.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Announcements 9 | 10 | ## Initial release 11 | 12 | - __Reddit `r/Python`__: https://www.reddit.com/r/Python/comments/1lim6fb/i_made_a_foss_feature_rich_python_template_with/ 13 | - __Reddit `r/cybersecurity`__: https://www.reddit.com/r/cybersecurity/comments/1lim3k5/i_made_a_foss_python_template_with_cicd_security/ 14 | -------------------------------------------------------------------------------- /template-setup/overwrite/src/opentemplate/__init__.py: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | """Official documentation.""" 7 | 8 | from __future__ import annotations 9 | 10 | from importlib.metadata import version 11 | 12 | __version__ = version("opentemplate") 13 | """Current opentemplate version.""" 14 | 15 | del version 16 | 17 | __all__: list[str] = [ 18 | "__version__", 19 | ] 20 | -------------------------------------------------------------------------------- /src/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Developer documentation 9 | 10 | ## General 11 | 12 | For the public-facing documentation, see the 13 | [project's documentation](https://open-nudge.github.io/opentemplate). 14 | 15 | Read on for developer-specific documentation. 
16 | 17 | ## Internal documentation 18 | 19 | TBD 20 | 21 | 22 | -------------------------------------------------------------------------------- /.github/rulesets/branch-all-human.json: -------------------------------------------------------------------------------- 1 | { 2 | "enforcement": "active", 3 | "name": "branch-all-human", 4 | "rules": [ 5 | { 6 | "type": "required_signatures" 7 | } 8 | ], 9 | "bypass_actors": [ 10 | { 11 | "actor_id": 2740, 12 | "actor_type": "Integration", 13 | "bypass_mode": "pull_request" 14 | } 15 | ], 16 | "conditions": { 17 | "ref_name": { 18 | "include": [ 19 | "~ALL" 20 | ], 21 | "exclude": [ 22 | "refs/heads/gh-pages" 23 | ] 24 | } 25 | }, 26 | "target": "branch" 27 | } 28 | -------------------------------------------------------------------------------- /.github/rulesets/branch-bot-human.json: -------------------------------------------------------------------------------- 1 | { 2 | "enforcement": "active", 3 | "name": "branch-bot-human", 4 | "rules": [ 5 | { 6 | "type": "creation" 7 | }, 8 | { 9 | "type": "update" 10 | } 11 | ], 12 | "bypass_actors": [ 13 | { 14 | "actor_id": 2740, 15 | "actor_type": "Integration", 16 | "bypass_mode": "pull_request" 17 | } 18 | ], 19 | "conditions": { 20 | "ref_name": { 21 | "include": [ 22 | "refs/heads/bot*" 23 | ], 24 | "exclude": [] 25 | } 26 | }, 27 | "target": "branch" 28 | } 29 | -------------------------------------------------------------------------------- /template-setup/overwrite/src/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Developer documentation 9 | 10 | ## General 11 | 12 | For the public-facing documentation, see the 13 | [project's documentation](https://open-nudge.github.io/opentemplate). 14 | 15 | Read on for developer-specific documentation. 
16 | 17 | ## Internal documentation 18 | 19 | TBD 20 | 21 | 22 | -------------------------------------------------------------------------------- /.github/rulesets/tags-all-everyone.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "tags-all-everyone", 3 | "target": "tag", 4 | "enforcement": "active", 5 | "conditions": { 6 | "ref_name": { 7 | "exclude": [], 8 | "include": [ 9 | "~ALL" 10 | ] 11 | } 12 | }, 13 | "rules": [ 14 | { 15 | "type": "deletion" 16 | }, 17 | { 18 | "type": "non_fast_forward" 19 | }, 20 | { 21 | "type": "required_linear_history" 22 | }, 23 | { 24 | "type": "required_signatures" 25 | }, 26 | { 27 | "type": "update" 28 | } 29 | ], 30 | "bypass_actors": [] 31 | } 32 | -------------------------------------------------------------------------------- /template-setup/overwrite/CITATION.cff: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2024 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | cff-version: "1.2.0" 8 | abstract: >- 9 | All-in-one Python template. One click. Everything included. 10 | message: "If you use this software, please cite it as below." 11 | authors: 12 | - family-names: "open-nudge" 13 | url: "https://github.com/open-nudge/opentemplate" 14 | repository-code: "https://github.com/open-nudge/opentemplate" 15 | title: "opentemplate" 16 | license: "Apache-2.0" 17 | keywords: 18 | - "python" 19 | -------------------------------------------------------------------------------- /docs/template/configuration/README.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | # Configuration 9 | 10 | Most settings for `opentemplate` are managed in `pyproject.toml`, 11 | with full flexibility for customization if needed. 

Start here:

- [Basic](basic.md) – common settings for most use cases
- [Advanced](advanced.md) – for adding tool groups or complex changes

> [!TIP]
> For deeper insight and easier adjustments,
> see the [Details documentation](../details/index.md).

--------------------------------------------------------------------------------
/docs/tutorials/README.md:
--------------------------------------------------------------------------------

# Tutorials

> [!NOTE]
> __A tutorial is a lesson__, that takes a student by the hand through a
> learning experience.

Place your tutorials in this directory, each in a separate file.
You can use `markdown` or jupyter notebooks (suggested for tutorials),
which will be automatically converted to markdown.

> [!TIP]
> Read more in
> [diataxis documentation](https://diataxis.fr/start-here/#tutorials)

--------------------------------------------------------------------------------
/.github/actions/git-setup/action.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Git Setup"
description: "Setup git credentials for pushing etc."

runs:
  using: "composite"
  steps:
    - name: "Setup git"
      shell: "bash"
      # yamllint disable rule:line-length
      run: |
        git config --global user.email github-actions[bot]@users.noreply.github.com
        git config --global user.name github-actions[bot]
      # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/__pypackages__/README.md:
--------------------------------------------------------------------------------

# Development dependencies (PEP582)

This folder contains project dependencies
as defined by (rejected) [PEP582 specification](https://peps.python.org/pep-0582/).

This approach allows us to:

- Manage dependencies in a well-defined manner
- Install/update dependencies for all Python versions
- Keep dependencies separated (within `.git` folder instead of `venv`)
- Test without using third party tools such as `tox` or `nox`

--------------------------------------------------------------------------------
/docs/explanations/README.md:
--------------------------------------------------------------------------------

# Explanations

> [!NOTE]
> __Explanatory guides provide context and background.__
> They serve the need to understand and put things in a bigger picture.

Place your explanations in this directory, each in a separate file.
You can use `markdown` (suggested for guides) or jupyter notebooks,
which will be automatically converted to markdown.

> [!TIP]
> Read more in
> [diataxis documentation](https://diataxis.fr/start-here/#explanation)

--------------------------------------------------------------------------------
/docs/how-to/README.md:
--------------------------------------------------------------------------------

# How-to guides

> [!NOTE]
> __A how-to guide addresses a real-world goal or problem__,
> by providing practical directions to help the user who is in that situation.

Place your how-to guides in this directory, each in a separate file.
You can use `markdown` or jupyter notebooks (suggested for how-to guides),
that will be automatically converted to markdown.

> [!TIP]
> Read more in
> [diataxis documentation](https://diataxis.fr/start-here/#how-to-guides)

--------------------------------------------------------------------------------
/.github/workflows/pyproject-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pyproject Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  pyproject-reusable:
    name: "pyproject Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "pyproject"
...

--------------------------------------------------------------------------------
/.github/workflows/legal-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Legal Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  legal-reusable:
    name: "Legal Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "legal"
      full-checkout: true
...

--------------------------------------------------------------------------------
/.github/workflows/release-check-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release Check Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  release-check-reusable:
    name: "Release Check Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "release"
...

--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

[DEFAULT]
root = true

[*]
charset = utf-8
end_of_line = lf
indent_size = 2
indent_style = space
insert_final_newline = true
trim_trailing_whitespace = true

[*.py]
indent_style = space
indent_size = 4

[*.{md,txt}]
indent_style = space
indent_size = unset

[{DCO.md,docs/DCO.md,LICENSE.md,docs/LICENSE.md}]
charset = unset
end_of_line = unset
indent_size = unset
indent_style = unset
insert_final_newline = unset
trim_trailing_whitespace = unset

--------------------------------------------------------------------------------
/docs/template/about/README.md:
--------------------------------------------------------------------------------

# About

In this section you can
learn more about `opentemplate` itself:
its motivation, how it compares, and useful tips.

> [!CAUTION]
> You don’t need to read this to use `opentemplate`, but a quick skim can be helpful.

Explore:

- [Philosophy](philosophy.md) – core ideas and goals
- [Comparison](comparison.md) – how it stacks up against other tools
- [Tips and Tricks](tips-and-tricks.md) – get more out of `opentemplate`
- [FAQ](faq.md) – common questions answered

--------------------------------------------------------------------------------
/docs/template/release-your-project/README.md:
--------------------------------------------------------------------------------

# Release your project

This section explains how to release a project based on `opentemplate`.

Release when:

- You are ready to share the project (publicly or privately).
- Pipelines and `pre-commit` checks have passed (tests, security, etc.).

> [!CAUTION]
> Create a GitHub tag on a release page; everything else is automated.

Start here:

- [Checklist](checklist.md) – steps to complete before release
- [Process](process.md) – how the release works

--------------------------------------------------------------------------------
/.github/workflows/json-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "JSON Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  json-reusable:
    name: "JSON Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "json"
      sparse-checkout: |
        **.json
...

--------------------------------------------------------------------------------
/.github/workflows/toml-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "TOML Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  json-reusable:
    name: "TOML Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "toml"
      sparse-checkout: |
        **.toml
...

--------------------------------------------------------------------------------
/.github/workflows/python-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Python Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  python-reusable:
    name: "Python Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "python"
      sparse-checkout: |
        **.py
...

--------------------------------------------------------------------------------
/.github/workflows/template-update-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Template Update Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  template-update-reusable:
    name: "Template Update Reusable"
    permissions:
      contents: "write"  # Needed to update repository contents
    timeout-minutes: 10
    runs-on: "ubuntu-latest"
    steps:
      - name: "Placeholder operation"
        run: >
          echo "Placeholder operation, template update not implemented :("
...

--------------------------------------------------------------------------------
/.github/workflows/pytest-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pytest Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  pytest-reusable:
    name: "pytest Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "pytest"
      sparse-checkout: |
        tests/**.py
...

--------------------------------------------------------------------------------
/.github/workflows/citation-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Citation Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  citation-reusable:
    name: "Citation Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "citation"
      sparse-checkout: |
        CITATION.cff
...

--------------------------------------------------------------------------------
/.github/workflows/typing-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Typing Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  typing-reusable:
    name: "Typing Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "typing"
      core: true
      sparse-checkout: |
        **.py
...

--------------------------------------------------------------------------------
/template-setup/overwrite/ADOPTERS.md:
--------------------------------------------------------------------------------

# Adopters of opentemplate

This page lists organizations, companies and projects using opentemplate.

> [!IMPORTANT]
> If you are using opentemplate and want to be featured here,
> __[open a new issue using adopters template](https://github.com/open-nudge/opentemplate/issues/new/choose).__

## Organizations



## Companies



## Projects


--------------------------------------------------------------------------------
/.github/workflows/yaml-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "YAML Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  yaml-reusable:
    name: "YAML Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "yaml"
      sparse-checkout: |
        .gitignore
        **.yml
        **.yaml
...

--------------------------------------------------------------------------------
/.github/workflows/github-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-reusable:
    name: "GitHub Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "github"
      sparse-checkout: |
        .github/workflows/*
        .github/actions/*/action.yml
...

--------------------------------------------------------------------------------
/.github/workflows/commit-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Commit Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  commit-reusable:
    name: "Commit Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "commit"
      arguments: >-
        <(git log -1 --format=%s)
      ref: "${{ github.event.pull_request.head.sha }}"
...

--------------------------------------------------------------------------------
/.github/workflows/generation-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Generation Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  generation-reusable:
    name: "Generation Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "generation"
      full-checkout: true
      additional-allowed-endpoints: >
        endoflife.date:443
...

--------------------------------------------------------------------------------
/.github/workflows/ini-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Ini Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  ini-reusable:
    name: "Ini Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "ini"
      arguments: ".editorconfig $(find -path '*.ini')"
      sparse-checkout: |
        .editorconfig
        **.ini
...

--------------------------------------------------------------------------------
/.github/workflows/shell-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Shell Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  shell-reusable:
    name: "Shell Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "shell"
      sparse-checkout: |
        **.sh
      arguments: >
        $(find . -name '*.sh' ! -path './.venv/*')
...

--------------------------------------------------------------------------------
/.github/workflows/github-renovate-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Renovate Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-renovate-reusable:
    name: "GitHub Renovate Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "renovate"
      group: "github"
      cone: true
      sparse-checkout: |
        .github
...

--------------------------------------------------------------------------------
/.github/workflows/legal.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Legal"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  legal:
    name: "Legal"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/legal-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/commit.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Commit"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  commit:
    name: "Commit"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/commit-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/github.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/workflows/*.yml"
      - ".github/actions/*/action.yml"
      - ".github/actions/pdm-*.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github:
    name: "GitHub"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/generation.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Generation"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  generation:
    name: "Generation"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/generation-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/github-workflows.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Workflows"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/workflows/*.yml"
      - ".github/actions/*.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-workflows:
    name: "GitHub Workflows"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-workflows-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/release-check.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release Check"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  citation:
    name: "Release Check"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/release-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/template-update.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Template Update"

on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  template-update:
    name: "Template Update"
    permissions:
      contents: "write"  # Needed to update repository contents
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/template-update-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.vale.ini:
--------------------------------------------------------------------------------
; SPDX-FileCopyrightText: © 2025 open-nudge
; SPDX-FileContributor: szymonmaszke
;
; SPDX-License-Identifier: Apache-2.0

[DEFAULT]
MinAlertLevel = suggestion

Packages = Google, RedHat, Microsoft, alex, proselint, write-good, Readability

[*.{md,html,py,sh}]
BasedOnStyles = Vale, RedHat, alex, proselint, write-good, Readability

RedHat.ReadabilityGrade = NO
RedHat.GitLinks = NO
Vale.Spelling = NO
write-good.Passive = NO

[*.md]
proselint.Annotations = NO

[*.sh]
RedHat.TermsErrors = NO

[*.py]
RedHat.Spacing = NO
RedHat.PassiveVoice = NO
RedHat.Definitions = NO
write-good.E-Prime = NO

[{DCO.md,docs/DCO.md,LICENSE.md,docs/LICENSE.md}]
BasedOnStyles = Vale

[formats]
mdx = md
cff = yaml

--------------------------------------------------------------------------------
/CITATION.cff:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2024 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
cff-version: "1.2.0"
abstract: >-
  All-in-one Python template. One click. Everything included.
message: "If you use this software, please cite it as below."
authors:
  - family-names: "open-nudge"
url: "https://github.com/open-nudge/opentemplate"
repository-code: "https://github.com/open-nudge/opentemplate"
title: "opentemplate"
license: "Apache-2.0"
keywords:
  - "python"
  - "template"
  - "open source"
  - "security"
  - "automation"
  - "developer experience"
  - "devsec"
  - "devsecops"
  - "best practices"
  - "hardening"
  - "nudge"
  - "github actions"
  - "sbom"
  - "attestation"

--------------------------------------------------------------------------------
/.github/workflows/github-actions-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Actions Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-actions-reusable:
    name: "GitHub Actions Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "github-actions"
      arguments: ".github/actions/*/action.yml"
      group: "github"
      sparse-checkout: |
        .github/actions/*/action.yml
...

--------------------------------------------------------------------------------
/.github/workflows/cache.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Cache"

on:
  push:
    branches:
      - "main"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  cache:
    name: "Cache"
    # Skip initial commit
    if: >
      github.event.head_commit.message != 'Initial commit'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/cache-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/github-workflows-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Workflows Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-workflows-reusable:
    name: "GitHub Workflows Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "github-workflows"
      arguments: ".github/workflows/*.yml"
      group: "github"
      sparse-checkout: |
        .github/workflows
      cone: true
...

--------------------------------------------------------------------------------
/docs/template/about/tips-and-tricks.md:
--------------------------------------------------------------------------------
# Tips and tricks

This guide provides useful tips for working with `opentemplate`-based projects.

## Committing

> [!IMPORTANT]
> You can use `git commit` normally; `pre-commit` will not allow you to commit
> without passing all the checks.

`opentemplate` offers the following commit options:

- `pdm run commit` – Runs `git commit` with `--signoff --gpg-sign`.

- `pdm run commit-type` – Prompts for a commit message and type
  (`feat`, `fix`, `feat!`, `fix!`).

- `pdm run commit-guided` – Opens an editor with commit type options.

> [!IMPORTANT]
> This feature will likely be moved to a separate tool in the future.

--------------------------------------------------------------------------------
/.github/workflows/github-actions.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Actions"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/actions/*/action.yml"
      - ".github/workflows/github-actions*.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-actions:
    name: "GitHub Actions"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-actions-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/security-semgrep-update.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security Semgrep Update"

on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  security-semgrep-update:
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      contents: "read"
    name: "Security Semgrep Update"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-semgrep-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      sarif: true
...

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
blank_issues_enabled: false
contact_links:
  - name: "Security Issues"
    about: "Check the security policy."
  - name: "Question, Problem"
    about: "Ask a general question in GitHub Discussions."
    url: >
      https://github.com/open-nudge/opentemplate/discussions/categories/q-a
  - name: "Projects"
    about: "Share projects built with opentemplate."
    url: >
      https://github.com/open-nudge/opentemplate/discussions/categories/show-and-tell
  - name: "Tips and Tricks"
    about: >
      Share useful code snippets, tips, or resources related to opentemplate.
    url: >
      https://github.com/open-nudge/opentemplate/discussions/categories/show-and-tell
...

--------------------------------------------------------------------------------
/.github/workflows/text-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Text Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  text-reusable:
    name: "Text Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      # Workaround for __pypackages__/README.md
      # It is collected automatically by pre-commit-hooks
      command: >
        rm -rf .git &&
        git init --initial-branch main &&
        pdm run check-text
      group: "text"
      full-checkout: true
...

--------------------------------------------------------------------------------
/.github/workflows/generation-update.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Generation Update"

on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  generation-update:
    name: "Generation Update"
    permissions:
      contents: "read"
      pull-requests: "write"  # Needed to create pull requests
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/generation-update-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      pull-request: true
...

--------------------------------------------------------------------------------
/.github/workflows/pre-commit-update.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pre-commit Update"

on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pre-commit-update:
    name: "pre-commit Update"
    permissions:
      contents: "read"
      pull-requests: "write"  # Needed to create pull request with update
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/pre-commit-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      pull-request: true
...

--------------------------------------------------------------------------------
/.github/workflows/security-osv-scanner-update.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security OSV-Scanner Update"

on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  security-osv-scanner-update:
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      contents: "read"
    name: "Security OSV-Scanner Update"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-osv-scanner-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      sarif: true
...

--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
## Checklist

- [ ] I agree to follow this project's [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
- [ ] I have read this project's [Contributing Guide](https://github.com/open-nudge/opentemplate/blob/main/CONTRIBUTING.md)
- [ ] I have created relevant issue(s) and linked them in the PR description

> Closes #

--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pre-commit"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >-
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pre-commit:
    name: "pre-commit"
    permissions:
      contents: "read"
      pull-requests: "write"  # Needed to create pull request with update
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/pre-commit-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/cache-test.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Cache Test"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/cache-test.yml"
      - ".github/workflows/cache-reusable.yml"
      - ".github/workflows/cache-reusable-item.yml"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  cache-test:
    name: "Cache Test"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/cache-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/ADOPTERS.md:
--------------------------------------------------------------------------------
# Adopters of opentemplate

This page lists organizations, companies and projects using opentemplate.

> [!IMPORTANT]
> If you are using opentemplate and want to be featured here,
> __[open a new issue using adopters template](https://github.com/open-nudge/opentemplate/issues/new/choose).__

## Organizations

- [opennudge](https://github.com/open-nudge) - The organization behind opentemplate

## Companies

## Projects

- [cogeol](https://github.com/open-nudge/cogeol) - Align
  with supported Python versions - automated with endoflife.date

--------------------------------------------------------------------------------
/.github/workflows/docs-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Docs Reusable"

on:
  workflow_call:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  docs-reusable:
    name: "Docs Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      command: |
        pdm run check-docs
      group: "docs"
      core: true
      fetch-depth: 0
      sparse-checkout: |
        **.md
        **.py
        mkdocs.yml
      additional-allowed-endpoints: >
        fonts.google.com:443
        fonts.gstatic.com:443
...

--------------------------------------------------------------------------------
/.github/rulesets/branch-default-human.json:
--------------------------------------------------------------------------------
{
  "enforcement": "active",
  "name": "branch-default-human",
  "rules": [
    {
      "parameters": {
        "required_approving_review_count": "PLACEHOLDER_REVIEWERS",
        "require_last_push_approval": "PLACEHOLDER_LAST_PUSH_APPROVAL",
        "require_code_owner_review": true,
        "dismiss_stale_reviews_on_push": true,
        "required_review_thread_resolution": true,
        "automatic_copilot_code_review_enabled": true,
        "allowed_merge_methods": [
          "squash"
        ]
      },
      "type": "pull_request"
    }
  ],
  "bypass_actors": [
    {
      "actor_id": 2740,
      "actor_type": "Integration",
      "bypass_mode": "pull_request"
    }
  ],
  "conditions": {
    "ref_name": {
      "include": [
        "~DEFAULT_BRANCH"
      ],
      "exclude": []
    }
  },
  "target": "branch"
}

--------------------------------------------------------------------------------
/.github/workflows/text.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Text"

on:
  pull_request:
    branches:
      - "main"
    paths-ignore:
      - "DCO.md"
      - "docs/DCO.md"
      - "LICENSE.md"
      - "docs/LICENSE.md"
      - "LICENSES/*"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  text:
    name: "Text"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/text-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/ini-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Ini Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  ini-renovate:
    name: "Ini Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-ini'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/ini-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/docs-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Docs Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  docs-renovate:
    name: "Docs Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-docs'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/docs-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/github-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Renovate"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/renovate.json"
      - ".github/workflows/renovate.yml"
      - ".github/workflows/github-renovate-reusable.yml"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github-renovate:
    name: "GitHub Renovate"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-renovate-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/yaml-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "YAML Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  yaml-renovate:
    name: "YAML Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-yaml'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/yaml-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/json-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "JSON Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  json-renovate:
    name: "JSON Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-multiple'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/json-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/security-scorecard-update.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security Scorecard Update"

on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  security-scorecard-update:
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      id-token: "write"  # Needed for GitHub OIDC token if publish_results
      contents: "read"
    name: "Security Scorecard Update"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-scorecard-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      sarif: true
...

--------------------------------------------------------------------------------
/.github/workflows/toml-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "TOML Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  toml-renovate:
    name: "TOML Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-multiple'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/toml-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/legal-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Legal Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  legal-renovate:
    name: "Legal Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-legal'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/legal-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/shell-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Shell Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  shell-renovate:
    name: "Shell Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-shell'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/shell-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/commit-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Commit Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  commit-renovate:
    name: "Commit Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-commit'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/commit-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/pytest-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pytest Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pytest-renovate:
    name: "pytest Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-multiple'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/pytest-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/python-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Python Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  python-renovate:
    name: "Python Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-python'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/python-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/typing-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Typing Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  typing-renovate:
    name: "Typing Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-typing'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/typing-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...
36 | -------------------------------------------------------------------------------- /docs/.nav.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: © 2025 open-nudge 2 | # SPDX-FileContributor: szymonmaszke 3 | # 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | --- 7 | 8 | ignore: "*README.md" 9 | 10 | nav: 11 | - Overview: "index.md" 12 | - Reference: "reference/" 13 | - glob: "*/" 14 | ignore_no_matches: true 15 | flatten_single_child_sections: false 16 | - For contributors: 17 | - Contributing guide: "CONTRIBUTING.md" 18 | - Roadmap: "ROADMAP.md" 19 | - Changelog: "CHANGELOG.md" 20 | - Governance: "GOVERNANCE.md" 21 | - Security: 22 | - General: "SECURITY.md" 23 | - Dependency policy: "SECURITY-DEPENDENCY.md" 24 | - Self assessment: "SECURITY-SELF-ASSESSMENT.md" 25 | - Legal: 26 | - Code of conduct: "CODE_OF_CONDUCT.md" 27 | - License: "LICENSE.md" 28 | - Developer certificate of origin: "DCO.md" 29 | - Hall of fame: 30 | - Adopters: "ADOPTERS.md" 31 | - Announcements: "ANNOUNCEMENTS.md" 32 | - Template: "template" 33 | ... 

--------------------------------------------------------------------------------
/.github/workflows/citation-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Citation Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  citation-renovate:
    name: "Citation Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-citation'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/citation-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...
--------------------------------------------------------------------------------
/.github/workflows/markdown-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Markdown Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  markdown-renovate:
    name: "Markdown Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-markdown'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/markdown-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/pyproject-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pyproject Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pyproject-renovate:
    name: "pyproject Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-pyproject'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/pyproject-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/security-semgrep.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security Semgrep"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-semgrep:
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      contents: "read"
    name: "Security Semgrep"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-semgrep-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/generation-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Generation Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  generation-renovate:
    name: "Generation Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-generation'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/generation-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/json.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "JSON"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.json"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/json.yml"
      - ".github/workflows/json-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  json:
    name: "JSON"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/json-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/toml.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "TOML"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.toml"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/toml.yml"
      - ".github/workflows/toml-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  toml:
    name: "TOML"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/toml-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/shell.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Shell"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.sh"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/shell.yml"
      - ".github/workflows/shell-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  shell:
    name: "Shell"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/shell-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/release-check-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release Check Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  release-check-renovate:
    name: "Release Check Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-release'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/release-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/pytest.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pytest"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "tests/**.py"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/pytest.yml"
      - ".github/workflows/pytest-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  json:
    name: "pytest"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/pytest-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/python.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Python"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.py"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/python.yml"
      - ".github/workflows/python-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  python:
    name: "Python"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/python-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/security-osv-scanner.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security OSV-Scanner"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-osv-scanner:
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      contents: "read"
    name: "Security OSV-Scanner"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-osv-scanner-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/typing.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Typing"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.py"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/typing.yml"
      - ".github/workflows/typing-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  typing:
    name: "Typing"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/typing-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/ini.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Ini"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.ini"
      - ".editorconfig"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/ini.yml"
      - ".github/workflows/ini-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ini:
    name: "Ini"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/ini-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/tests-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Tests Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  # Special case, as changes to normal dependencies should also trigger tests
  tests-renovate:
    name: "Tests Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      &&
      (
        github.ref == 'refs/heads/bot/dependencies'
        || github.ref == 'refs/heads/bot/dependencies-dev-test'
      )
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/tests-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/yaml.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "YAML"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.yml"
      - "**.yaml"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/yaml.yml"
      - ".github/workflows/yaml-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  yaml:
    name: "YAML"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/yaml-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/template-setup/create-cookiecutter-json.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

# shellcheck disable=SC3040,SC2312
set -eu

#######################################
#
# Create cookiecutter.json file.
#
# This code will create a proper file,
# which is (usually) created
# in GH Actions.
#
# See .github/actions/template-setup/action.yml
#
# Args:
#   Pairs of key and value.
#   Should provide an even number of arguments.
#   WARNING: Arguments count is not verified
#
#######################################

cat << _EOT_ > "${1}"
{
$(
  shift
  for _ in $(seq 1 2 $#); do
    echo "  \"${1}\": ${2},"
    shift 2
  done)
  "_copy_without_render": [
    ".github/actions",
    ".github/workflows",
    ".git",
    "template",
    "cliff.toml"
  ]
}
_EOT_

--------------------------------------------------------------------------------
/.github/workflows/citation.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Citation"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "CITATION.cff"
      - ".github/workflows/citation.yml"
      - ".github/workflows/citation-reusable.yml"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  citation:
    name: "Citation"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/citation-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/pyproject.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pyproject"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "pyproject.toml"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/pyproject.yml"
      - ".github/workflows/pyproject-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pyproject:
    name: "pyproject"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/pyproject-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/text-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Text Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  text-renovate:
    name: "Text Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && (
        github.ref == 'refs/heads/bot/dependencies-dev-text'
        || github.ref == 'refs/heads/bot/dependencies-dev-multiple'
      )
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/text-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/docs/template/details/README.md:
--------------------------------------------------------------------------------
# Details

This section covers specific parts of `opentemplate` in-depth;
how they work and how to adjust them if needed.

> [!CAUTION]
> You don’t need to read this to use `opentemplate`, but a quick skim can be helpful.

Explore the topics:

- [Security](security.md) – security measures and policies provided by `opentemplate`
- [Tests](tests.md) – how Python testing is managed
- [Python](python.md) – linters and quality checks
- [Documentation](documentation.md) – building and validating docs
- [GitHub Actions](github-actions.md) – CI setup and workflows
- [Scheduled jobs](scheduled-jobs.md) – automated updates and security checks
- [Legal](legal.md) – licensing and copyright via [REUSE](https://reuse.software/)
- [Prose](prose.md) – checks for docstrings, markdown etc.
- [Other languages](other-languages.md) – QA for bash, JSON, etc.

--------------------------------------------------------------------------------
/.github/workflows/markdown.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Markdown"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.md"
      - "!LICENSE.md"
      - "!docs/LICENSE.md"
      - "!LICENSES/*"
      - ".github/workflows/markdown.yml"
      - ".github/workflows/markdown-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  markdown:
    name: "Markdown"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/markdown-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/docs.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Docs"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.md"
      - "mkdocs.yml"
      - "docs/**"
      - "src/**.py"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/docs.yml"
      - ".github/workflows/docs-reusable.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  cancel-in-progress: true
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}

jobs:
  docs:
    name: "Docs"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/docs-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/tools/update-actions-names.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

# Change the name of all actions in a directory from X to Y
# Usage:
#   ./tools/update-actions-names.sh <X> <Y> [directory]
# Ensure at least two arguments are provided
if [ "$#" -lt 2 ]; then
  echo "Usage: $0 <X> <Y> [directory]"
  exit 1
fi

X="$1"
Y="$2"
DIRECTORY="${3:-./workflows}"

for file in "${DIRECTORY}"/*.yml; do
  [ -f "${file}" ] || continue # Skip if no files match

  # "\\." in an awk string yields the regex "\.", which matches a literal dot
  awk -v x="${X}" -v y="${Y}" '
  {
    gsub("uses: \\./\\.github/actions/" x, "uses: ./.github/actions/" y);
    print;
  }' "${file}" > "${file}.tmp"

  # Compare original and modified file, only replace if different
  if ! cmp -s "${file}" "${file}.tmp"; then
    mv "${file}.tmp" "${file}"
    printf 'Updated: %s\n' "${file}"
  else
    rm "${file}.tmp"
  fi

done

--------------------------------------------------------------------------------
/.github/workflows/tests.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Tests"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "src/**"
      - "tests/**"
      - "pyproject.toml"
      - "pdm.lock"
      - ".github/actions/pdm-*.yml"
      - ".github/workflows/tests.yml"
      - ".github/workflows/tests-reusable.yml"
      - ".github/workflows/run-reusable.yml"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  python-tests:
    name: "Tests"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/tests-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/security-scorecard-test.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security Scorecard Test"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/workflows/security-scorecard-test.yml"
      - ".github/workflows/security-scorecard-reusable.yml"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  security-scorecard-test:
    name: "Security Scorecard Test"
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      id-token: "write"  # Needed for GitHub OIDC token if publish_results
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-scorecard-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/pre-commit-hooks.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pre-commit Hooks"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/actions/pdm-*.yml"
      - ".pre-commit-hooks.yaml"
      - ".github/workflows/pre-commit-hooks.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pre-commit:
    name: "pre-commit"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "pre-commit-hooks"
      group: "pre-commit"
      sparse-checkout: |
        .pre-commit-hooks.yaml
...

--------------------------------------------------------------------------------
/.github/workflows/release-sboms-test.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release SBOMs Test"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/actions/pdm-*/action.yml"
      - ".github/actions/git-setup/action.yml"
      - ".github/actions/release-sbom-setup/action.yml"
      - ".github/workflows/release-sboms-test.yml"
      - ".github/workflows/release-sboms-reusable.yml"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  release-sboms-test:
    name: "Release SBOMs Test"
    permissions:
      id-token: "write"  # Needed to get GH Token to attest
      attestations: "write"  # Needed to upload attestation
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/release-sboms-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/generation-update-test.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Generation Update Test"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/actions/pdm-*.yml"
      - ".github/actions/git-setup/action.yml"
      - ".github/actions/pull-request/action.yml"
      - ".github/workflows/generation-update*.yml"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >-
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  generation-update-test:
    name: "Generation Update Test"
    permissions:
      contents: "read"
      pull-requests: "write"  # Needed to create pull requests
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/generation-update-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/pre-commit-config.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "pre-commit Config"

on:
  pull_request:
    branches:
      - "main"
    paths:
      # `*` does not match `/`, so target action.yml inside each pdm-* directory
      - ".github/actions/pdm-*/action.yml"
      - ".pre-commit-config.yaml"
      - ".github/workflows/pre-commit-config.yml"
      - ".github/workflows/run-*reusable.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {} # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pre-commit:
    name: "pre-commit"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-check-reusable.yml@main" # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      check: "pre-commit-config"
      group: "pre-commit"
      sparse-checkout: |
        .pre-commit-config.yaml
...

--------------------------------------------------------------------------------
/.github/workflows/security-semgrep-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security Semgrep Renovate"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {} # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-semgrep-renovate:
    permissions:
      actions: "read" # https://github.com/github/codeql-action/issues/2117
      security-events: "write" # Needed to upload SARIF file to tab
      contents: "read"
    # On pull_request events github.ref is refs/pull/<number>/merge,
    # so the source branch has to be compared through github.head_ref
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.head_ref == 'bot/dependencies-dev-security'
    name: "Security Semgrep Renovate"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-semgrep-reusable.yml@main" # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...

--------------------------------------------------------------------------------
/.github/workflows/release-slsa-provenance-test.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release SLSA Provenance Test"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/workflows/release-slsa-provenance-test.yml"
      - ".github/workflows/release-slsa-provenance-reusable.yml"
  merge_group:
    types:
      - "checks_requested"
  workflow_dispatch:

permissions: {} # yamllint disable-line rule:braces

jobs:
  release-slsa-provenance-test:
    name: "Release SLSA Provenance Test"
    if: >
      github.event.repository.visibility == 'public'
    permissions:
      # IMPORTANT: this permission is mandatory for trusted publishing
      actions: "read" # To read the workflow path.
      contents: "write" # To add assets to a release.
      id-token: "write" # To sign the provenance.
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/release-slsa-provenance-reusable.yml@main" # zizmor: ignore[unpinned-uses]
    with:
      test: true
...

--------------------------------------------------------------------------------
/.github/actions/pull-request/action.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Pull Request"
description: >
  Make a pull request from the current branch
inputs:
  branch-name:
    description: "Branch name to create a PR from"
    required: true
  commit-message:
    description: "Commit message"
    required: true
  token:
    description: "GitHub token"
    default: "${{ github.token }}"

runs:
  using: "composite"
  steps:
    - name: "Push changes"
      shell: "bash"
      env:
        BRANCH_NAME: "${{ inputs.branch-name }}"
        COMMIT_MESSAGE: "${{ inputs.commit-message }}"
      run: |
        git add --all
        git commit -s -m "fix: ${COMMIT_MESSAGE} [template]"
        git push -u origin "${BRANCH_NAME}"
    - name: "Create pull request"
      shell: "bash"
      env:
        GITHUB_TOKEN: "${{ inputs.token }}"
        # env is scoped to a single step, so pass the inputs again here
        BRANCH_NAME: "${{ inputs.branch-name }}"
        COMMIT_MESSAGE: "${{ inputs.commit-message }}"
      run: >
        gh pr create
        --title "fix: ${COMMIT_MESSAGE} [template]"
        --base main
        --head "${BRANCH_NAME}"
...

--------------------------------------------------------------------------------
/.github/actions/pdm-compatibility/action.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "PDM Compatibility"
description: >
  Compatibility bridge between local PDM and GitHub Actions.

inputs:
  restore:
    description: >
      Whether to restore the __pypackages__ and pdm.toml files.
      If unspecified, they will be moved to the temporary directory.
    required: false
    default: "false"

runs:
  using: "composite"
  steps:
    - name: "Remove __pypackages__ and pdm.toml"
      if: >
        inputs.restore == 'false'
      shell: "bash"
      env:
        TEMPORARY: "${{ runner.temp }}"
      run: |
        mv __pypackages__ "${TEMPORARY}/" 2>/dev/null || true
        mv pdm.toml "${TEMPORARY}/" 2>/dev/null || true
    - name: "Restore __pypackages__ and pdm.toml"
      if: >
        inputs.restore == 'true'
      shell: "bash"
      env:
        TEMPORARY: "${{ runner.temp }}"
      run: |
        mv "${TEMPORARY}/__pypackages__" ./ 2>/dev/null || true
        mv "${TEMPORARY}/pdm.toml" ./ 2>/dev/null || true
...

--------------------------------------------------------------------------------
/.github/workflows/markdown-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Markdown Reusable"

on:
  workflow_call:

permissions: {} # yamllint disable-line rule:braces

jobs:
  markdown-reusable:
    name: "Markdown Reusable"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-reusable.yml@main" # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      # Workaround for __pypackages__/README.md
      # It is collected automatically by md-dead-link-check
      command: >
        rm -rf .git &&
        git init --initial-branch main &&
        pdm run check-markdown
        $(find . -name '*.md'
        ! -name 'DCO.md'
        ! -name 'LICENSE.md'
        ! -path './LICENSES/*'
        ! -path './.venv/*'
        ! -path './__pypackages__/*'
        ! -path './template-setup/settings-issue/*'
        ! -path './template-setup/overwrite/*')
      group: "markdown"
      sparse-checkout: |
        **.md
...

--------------------------------------------------------------------------------
/GOVERNANCE.md:
--------------------------------------------------------------------------------
# Governance

This document describes the roles and responsibilities of the maintainers.

## Decision process

- We welcome all contributors and maintainers,
  see [CONTRIBUTING.md](CONTRIBUTING.md) on __any project-related topics__.
- _open-nudge_ reserves the right to make final
  decisions on the project (the roadmap, features, releases,
  general project direction and so on)

## Roles

- __External contributors__ - anyone who is not a maintainer (can submit PRs,
  issues, and so on)
- __Maintainers__ - people who have write access to the repository (can merge
  PRs, open/close issues and so on)
- __Specific roles__ (e.g. release manager, security leader) are under
  the discretion of _open-nudge_

## Questions

In case of specific questions, open a new discussion or contact one of the
maintainers directly.

--------------------------------------------------------------------------------
/template-setup/overwrite/GOVERNANCE.md:
--------------------------------------------------------------------------------
# Governance

This document describes the roles and responsibilities of the maintainers.

## Decision process

- We welcome all contributors and maintainers,
  see [CONTRIBUTING.md](CONTRIBUTING.md) on __any project-related topics__.
- _open-nudge_ reserves the right to make final
  decisions on the project (the roadmap, features, releases,
  general project direction and so on)

## Roles

- __External contributors__ - anyone who is not a maintainer (can submit PRs,
  issues, and so on)
- __Maintainers__ - people who have write access to the repository (can merge
  PRs, open/close issues and so on)
- __Specific roles__ (e.g. release manager, security leader) are under
  the discretion of _open-nudge_

## Questions

In case of specific questions, open a new discussion or contact one of the
maintainers directly.

--------------------------------------------------------------------------------
/docs/template/about/philosophy.md:
--------------------------------------------------------------------------------
# `opentemplate` Philosophy

## Open

Transparent and community-driven; everyone can contribute, suggest changes,
and voice opinions.

## Ethical nudging

Encourages best practices by:

- Simplifying setup
- Reducing cognitive load (e.g., commit scope automation)
- Providing sensible defaults
- Making skipping best practices harder than following them
- Keeping explanations concise
- Automating reliably

> [!NOTE]
> Inspired by [nudge theory](https://en.wikipedia.org/wiki/Nudge_theory).

## Adjustable

No one-size-fits-all is possible.
`opentemplate`
enables intuitive customization by:

- Centralized config (`pyproject.toml`)
- Documented examples of adjustments provided
- Forkable for full control

## Secure

Integrates `devsecops` best practices (inspired by Python, Go) if:

- No added developer burden
- Benefits greatly outweigh daily usage costs

## State-of-the-Art practices

Follows modern best practices under the following conditions:

- Derived from reliable sources
- Not overly experimental
- Aligned with core principles

> [!CAUTION]
> Some practices may be opinionated and should be adjusted.

--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
# Support

## Code Of Conduct violations

If you notice anyone violating the [Code of Conduct](./CODE_OF_CONDUCT.md)
in this repository, report it directly to the project maintainers:

- __Publicly:__ Mention them via `@` (e.g. `@maintainer-user-name`) under the issue
  or pull request where the violation occurred.
- __Anonymously:__ Send an email to the address of the repository owner
  as provided on their GitHub profile.

> [!NOTE]
> Additionally, especially for severe violations, report it
> directly to the GitHub team by following the instructions
> [here](https://docs.github.com/en/github/building-a-strong-community/reporting-abuse-or-spam)

## Project information

To find project-related support, check the following resources:

- To learn more about using this project, see the
  [__documentation__](https://open-nudge.github.io/opentemplate).
- To discuss the project, you can join the
  [__discussions__](https://github.com/open-nudge/opentemplate/discussions)
  and follow the provided template.
- To report a bug or request a feature, you can
  [__open an issue__](https://github.com/open-nudge/opentemplate/issues)
  and follow the provided template.

--------------------------------------------------------------------------------
/DCO.md:
--------------------------------------------------------------------------------
# Developer Certificate of Origin

Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

--------------------------------------------------------------------------------
/.github/DISCUSSION_TEMPLATE/show-and-tell.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
labels:
  - "announcement"
body:
  - type: "markdown"
    attributes:
      value: "Thanks for your interest in opentemplate!"
  - type: "checkboxes"
    id: "terms"
    attributes:
      label: "Terms"
      # yamllint disable rule:line-length
      description: >
        By submitting this announcement, you agree to follow this project's
        [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
      options:
        - label: >
            I agree to follow this project's
            [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
          required: true
      # yamllint enable rule:line-length
  - type: "input"
    id: "version"
    attributes:
      label: "Software Version"
      description: "What version of this software is your project using?"
      placeholder: "vX.Y.Z"
    validations:
      required: true
  - type: "textarea"
    id: "announcements"
    attributes:
      label: "Announcement"
      description: "Add your project announcement here."
    validations:
      required: true
  - type: "markdown"
    attributes:
      value: "Thank you for completing the form!"
...

--------------------------------------------------------------------------------
/docs/template/details/python.md:
--------------------------------------------------------------------------------
# Python

> [!IMPORTANT]
> For testing details, see the [tests](tests.md) documentation.

As the project's core language, `Python` undergoes the most extensive linting.

## Checks and fixes

The following tools are used, in order:

- __Code formatting and linting:__ [`ruff`](https://github.com/astral-sh/ruff)
  (all checks enabled by default)
- __Type checking:__ [`basedpyright`](https://github.com/DetachHead/basedpyright)
  (run as a separate `typing` step)
- __Docstring coverage:__ [`interrogate`](https://github.com/econchick/interrogate)
  (checks all functions, classes, and modules, including private ones)
- __Static dependency analysis:__ [`FawltyDeps`](https://github.com/tweag/FawltyDeps)
  (may produce false positives; see [Adjustments](#adjustments))

## Adjustments

You can configure most of the settings in `pyproject.toml`
(see [Configuration](../configuration/index.md)), for example:

- __Lower docstring coverage threshold:__ Adjust `fail-under`
  in `[tool.interrogate]`.
- __Handle false positives in `FawltyDeps`:__ Add dependencies to
  `ignore_undeclared`, `ignore_undefined` or `ignore_unused` under
  `[tool.fawltydeps]` (__ensure correctness before ignoring__).

## Code sources

- `pyproject.toml`
- `.github/workflows/python*.yml`

--------------------------------------------------------------------------------
/.yamllint.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
locale: "en_US.UTF-8"
extends: "default"

ignore-from-file: ".gitignore"

rules:
  anchors:
    forbid-undeclared-aliases: true
    forbid-duplicated-anchors: true
    forbid-unused-anchors: true
  braces:
    forbid: true
    level: "error"
  brackets:
    forbid: true
    level: "error"
  comments:
    require-starting-space: true
    ignore-shebangs: true
    min-spaces-from-content: 1
    level: "error"
  comments-indentation:
    level: "error"
  document-end:
    present: true
    level: "error"
  document-start:
    present: true
    level: "error"
  empty-lines: "enable"
  empty-values:
    forbid-in-block-mappings: false
    forbid-in-flow-mappings: true
    forbid-in-block-sequences: true
  indentation:
    spaces: 2
    indent-sequences: true
    check-multi-line-strings: true
  key-duplicates: "enable"
  key-ordering: "disable"
  line-length:
    max: 80
    allow-non-breakable-words: true
    allow-non-breakable-inline-mappings: false
  new-line-at-end-of-file: "enable"
  new-lines: "enable"
  octal-values: "disable"
  quoted-strings:
    quote-type: "double"
    required: true
    allow-quoted-quotes: false
  trailing-spaces: "enable"
  truthy:
    check-keys: false
...

--------------------------------------------------------------------------------
/.github/actions/sarif-upload/action.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "SBOM Upload"
description: >
  Predefined SBOM upload including GitHub SHAs and proper identifiers

inputs:
  # `file` feeds `path:` / `sarif_file:` and `name` feeds the artifact `name:`
  file:
    description: >
      A path to the file to upload (and artifact name)
    default: ""
  name:
    description: >
      Name of the artifact in the GitHub Actions UI
    default: ""
  sarif:
    description: >
      Whether the artifact is a SARIF file
    default: "false"

runs:
  using: "composite"
  steps:
    - name: "Upload artifact"
      # yamllint disable rule:line-length
      uses: "actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02" # v4.6.2
      # yamllint enable rule:line-length
      if: >
        inputs.name != ''
      with:
        name: "${{ inputs.name }}"
        path: "${{ inputs.file }}"
        retention-days: 7
        overwrite: true
    - name: "Upload SARIF file to GitHub Advanced Security Dashboard"
      if: >
        inputs.sarif == 'true'
      # SARIF upload may fail if there is no integration enabled
      continue-on-error: true
      # yamllint disable rule:line-length
      uses: "github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e" # v3.28.19
      # yamllint enable rule:line-length
      with:
        sarif_file: "${{ inputs.file }}"
...

--------------------------------------------------------------------------------
/.github/workflows/prose.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Prose"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - "**.md"
      - "**.py"
      - "**.sh"
      - "!LICENSE.md"
      - "!docs/LICENSE.md"
      - "!LICENSES/*"
      - ".github/workflows/prose.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {} # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  prose:
    name: "Prose"
    permissions:
      contents: "read"
    timeout-minutes: 10
    runs-on: "ubuntu-latest"
    container:
      # yamllint disable rule:line-length
      image: "docker.io/jdkato/vale@sha256:a744bc4f8164bceab6bda0fad6253dcd9cdab2365b437aa5e08fe4f07d6e3357" # v3.8.0
      # yamllint enable rule:line-length
    steps:
      - name: "Checkout repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4.2.2
        # yamllint enable rule:line-length
        # Exclude license files from the checkout
        # Sparse checkout does not work within the Vale container
        with:
          persist-credentials: false
      - name: "Sync Vale Packages"
        run: >
          /bin/vale sync
      - name: "Prose Linter"
        run: >
          /bin/vale .
...

--------------------------------------------------------------------------------
/.github/workflows/release-sarifs-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release SARIFs Reusable"

on:
  workflow_call:

permissions: {} # yamllint disable-line rule:braces

jobs:
  ###############################################################################
  #
  # SECURITY JOBS
  #
  ###############################################################################
  sarif-osv-scanner:
    permissions:
      actions: "read" # https://github.com/github/codeql-action/issues/2117
      security-events: "write" # Needed to upload SARIF file to tab
      contents: "read"
    name: "Sarif OSV-Scanner"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-osv-scanner-reusable.yml@main" # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      name: "osv-scanner-${{ github.sha }}"
      file: "osv-scanner-${{ github.sha }}.sarif"

  sarif-semgrep:
    permissions:
      actions: "read" # https://github.com/github/codeql-action/issues/2117
      security-events: "write" # Needed to upload SARIF to security tab
      contents: "read"
    name: "Sarif Semgrep"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/security-semgrep-reusable.yml@main" # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      name: "semgrep-${{ github.sha }}"
      file: "semgrep-${{ github.sha }}.sarif"
...

--------------------------------------------------------------------------------
/.github/DISCUSSION_TEMPLATE/general.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
body:
  - type: "markdown"
    attributes:
      value: "Thanks for your interest in opentemplate!"
  - type: "markdown"
    attributes:
      value: >
        Please consider other categories before submitting a general question.
  - type: "checkboxes"
    id: "terms"
    attributes:
      label: "Terms"
      # yamllint disable rule:line-length
      description: >
        By submitting this discussion, you agree to follow this project's
        [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
      options:
        - label: >
            I agree to follow this project's
            [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
          required: true
      # yamllint enable rule:line-length
  - type: "checkboxes"
    id: "verification"
    attributes:
      label: "Verification"
      description: >
        Did you check that no other category fits your question better?
      options:
        - label: >
            I verified that the question is not related to any other category.
          required: true
  - type: "textarea"
    id: "general"
    attributes:
      label: "General"
      description: >
        Add discussions that do not fit into any other category below.
    validations:
      required: true
  - type: "markdown"
    attributes:
      value: "Thank you for completing the form!"
...

--------------------------------------------------------------------------------
/docs/scripts/gen_ref_pages.py:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

"""Generate the code reference pages and navigation.

Adjusted from:
https://mkdocstrings.github.io/recipes/#bind-pages-to-sections-themselves

Adjusted in order to:

- disregard files starting with `_` as these are considered private

__Please note:__

- This file might need to be edited to fit your needs.
- This file might need refactoring.
"""

from __future__ import annotations

import pathlib

import mkdocs_gen_files


def main() -> None:
    """Generate the code reference pages and navigation."""
    nav = mkdocs_gen_files.Nav()

    for path in sorted(pathlib.Path("src").rglob("*.py")):
        module_path = path.relative_to("src").with_suffix("")
        doc_path = path.relative_to("src").with_suffix(".md")
        full_doc_path = pathlib.Path("reference", doc_path)

        parts = tuple(module_path.parts)

        if parts[-1] == "__init__":
            parts = parts[:-1]
            doc_path = doc_path.with_name("index.md")
            full_doc_path = full_doc_path.with_name("index.md")
        elif parts[-1].startswith("_"):
            continue

        nav[parts] = doc_path.as_posix()

        with mkdocs_gen_files.open(full_doc_path, "w") as fd:
            ident = ".".join(parts)
            fd.write(f"::: {ident}")

        mkdocs_gen_files.set_edit_path(full_doc_path, path)

    with mkdocs_gen_files.open("reference/SUMMARY.md", "w") as nav_file:
        nav_file.writelines(nav.build_literate_nav())


main()

--------------------------------------------------------------------------------
/.github/workflows/security-secrets.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security Secrets"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {} # yamllint disable-line rule:braces

jobs:
  security-secrets:
    timeout-minutes: 10
    permissions:
      # Only need to read contents
      contents: "read"
    name: "Security Secrets"
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner" # zizmor: ignore[known-vulnerable-actions]
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0" # v2.12.0
        # yamllint enable rule:line-length
        with:
          # Uses docker container,
          # disable-sudo-and-containers impossible
          disable-sudo: true
          egress-policy: "block"
          allowed-endpoints: >
            ghcr.io:443
            github.com:443
            pkg-containers.githubusercontent.com:443
      - name: "Checkout repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4.2.2
        # yamllint enable rule:line-length
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: "TruffleHog OSS"
        # yamllint disable rule:line-length
        uses: "trufflesecurity/trufflehog@90694bf9af66e7536abc5824e7a87246dbf933cb" # v3.88.35
        # yamllint enable rule:line-length
        with:
          extra_args: "--debug --only-verified"
...

--------------------------------------------------------------------------------
/template-setup/rename.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

# Check for required arguments
# (placeholder names mirror the positional variables assigned below)
if [ "${#}" -lt 8 ]; then
  echo "Usage: $0 \
    <TEMPLATE_REPOSITORY> <REPOSITORY> \
    <TEMPLATE_OWNER> <OWNER> \
    <TEMPLATE_DESCRIPTION> <DESCRIPTION> \
    <SKIP_N_LINES> <EXCLUDE_LIST>"
  exit 1
fi

TEMPLATE_REPOSITORY="${1}"
REPOSITORY="${2}"
TEMPLATE_OWNER="${3}"
OWNER="${4}"
TEMPLATE_DESCRIPTION="${5}"
DESCRIPTION="${6}"
SKIP_N_LINES="${7}"
EXCLUDE_LIST="${8}"

# Build find exclude options
EXCLUDE_ARGS=""
if [ -n "${EXCLUDE_LIST}" ]; then
  for item in ${EXCLUDE_LIST}; do
    EXCLUDE_ARGS="${EXCLUDE_ARGS} -path ${item} -prune -o"
  done
fi

# shellcheck disable=SC2086
find . ${EXCLUDE_ARGS} -type f \
  -exec sh -c '
    process_file() {
      file="${1}"
      temp_file="${file}.tmp"
      echo "Processing: ${file}"

      awk -v skip="${2}" \
        -v old_repo="${3}" -v new_repo="${4}" \
        -v old_owner="${5}" -v new_owner="${6}" \
        -v old_desc="${7}" -v new_desc="${8}" "
        NR <= skip {print; next}
        /templateskip|SPDX-FileCopyrightText/ {
          print; next
        }
        {
          gsub(old_repo, new_repo);
          gsub(old_owner, new_owner);
          gsub(old_desc, new_desc);
          print;
        }" "${file}" > "${temp_file}" && mv "${temp_file}" "${file}"
    }; process_file "$@"' _ {} "${SKIP_N_LINES}" \
  "${TEMPLATE_REPOSITORY}" "${REPOSITORY}" \
  "${TEMPLATE_OWNER}" "${OWNER}" \
  "${TEMPLATE_DESCRIPTION}" "${DESCRIPTION}" \;

echo "String replacements completed."


--------------------------------------------------------------------------------
/.github/DISCUSSION_TEMPLATE/ideas.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
labels:
  - "feat"
body:
  - type: "markdown"
    attributes:
      value: "Thanks for your interest in opentemplate!"
  - type: "markdown"
    attributes:
      value: >
        If your feature request relates to a problem, bug,
        or general implementation plan,
        consider submitting an issue instead.
  - type: "markdown"
    attributes:
      value: >
        Link to the issue tracker:
        [issues](https://github.com/open-nudge/opentemplate/issues/new/choose)
  - type: "checkboxes"
    id: "terms"
    attributes:
      label: "Terms"
      # yamllint disable rule:line-length
      description: >
        By submitting this idea, you agree to follow this project's
        [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
      options:
        - label: >
            I agree to follow this project's
            [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
          required: true
      # yamllint enable rule:line-length
  - type: "input"
    id: "version"
    attributes:
      label: "Software Version"
      description: "What version of this software does your idea relate to?"
      placeholder: "vX.Y.Z"
    validations:
      required: true
  - type: "textarea"
    id: "idea"
    attributes:
      label: "Idea"
      description: "Describe your idea in detail."
    validations:
      required: true
  - type: "markdown"
    attributes:
      value: "Thank you for completing the form!"
...

--------------------------------------------------------------------------------
/.github/workflows/renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Renovate"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/renovate.json"
      - ".github/workflows/renovate.yml"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  renovate:
    name: "Renovate"
    permissions:
      contents: "read"
    timeout-minutes: 10
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          disable-sudo-and-containers: true
          egress-policy: "block"
          allowed-endpoints: >
            github.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: "Checkout Repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"  # v4.2.2
        # yamllint enable rule:line-length
        with:
          sparse-checkout: ".github/renovate.json"
          sparse-checkout-cone-mode: false
          persist-credentials: false
      - name: "Validate Renovate Configuration"
        # yamllint disable rule:line-length
        uses: "suzuki-shunsuke/github-action-renovate-config-validator@c22827f47f4f4a5364bdba19e1fe36907ef1318e"  # v1.1.1
        # yamllint enable rule:line-length
        with:
          config_file_path: ".github/renovate.json"
...

--------------------------------------------------------------------------------
/docs/template/details/prose.md:
--------------------------------------------------------------------------------

# Prose

This document covers non-code aspects of `opentemplate`,
including prose checks, documentation, and related files.

## Checks and Fixes

### Markdown

Markdown is the primary format for project documentation.
The following tools ensure consistency and quality:

- __Formatting:__ [`mdformat`](https://github.com/hukkin/mdformat)
- __Linting:__ [`pymarkdownlnt`](https://github.com/jackdewinter/pymarkdown)
  (similar to [`markdownlint`](https://github.com/DavidAnson/markdownlint))
- __Dead link checking:__ [`md-dead-link-check`](https://github.com/AlexanderDokuchaev/md-dead-link-check)

### `vale`

[`vale`](https://github.com/errata-ai/vale) checks writing style and grammar.
`pre-commit` and GitHub Actions run it on any text files
(__internet access is required__).

> [!TIP]
> To exclude specific checks, update `.vale.ini` instead of `pyproject.toml`.
> See [Vale's documentation](https://vale.sh/docs/vale-ini) for details.

> [!CAUTION]
> Many of the findings of type `suggestion` and `warning`
> __will be false positives__. Use your judgment when addressing them.

## Documentation Files

- __`ROADMAP.md`__ – Planned features and changes.
  __Update before each release or remove.__
- __`ADOPTERS.md`__ – List of project adopters, categorized.
- __`ANNOUNCEMENTS.md`__ – Updates on releases, discussions, and other project news.
- __`CONTRIBUTING.md`__ – Guidelines for contributing.
- __`SUPPORT.md`__ – Support channels and Code of Conduct information.

## Code Sources

- `pyproject.toml`
- `.pre-commit-config.yaml`
- `.github/workflows/prose.yml`

--------------------------------------------------------------------------------
/.github/reusability/localize.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

# Change global references to local references in GitHub Actions workflows
# skip_files should be a comma-separated list of files to skip
# Usage: ./reusability/localize.sh [directory] [skip_files] [repo]

directory="${1:-./workflows}"
skip_files="${2:-}" # Comma-separated list of files to skip
repo="${3:-open-nudge/opentemplate}" # Customizable repository reference

# shellcheck disable=SC3045,SC3011
IFS=',' read -r -a skip_array <<< "${skip_files}"

# shellcheck disable=SC3045
find "${directory}" -type f -name '*.yml' -print0 | while IFS= read -r -d '' file; do
  [ -f "${file}" ] || continue # Skip if no files match

  # Check if file should be skipped
  # shellcheck disable=SC3054
  for skip in "${skip_array[@]}"; do
    if [ "$(basename "${file}")" = "${skip}" ]; then
      printf 'Skipped: %s\n' "${file}"
      continue 2
    fi
  done

  awk -v repo="${repo}" '
    {
      if ($0 ~ "uses: \"" repo "/.github/") {
        # Replace repo with local path
        gsub("uses: \"" repo "/.github/", "uses: \"./.github/");

        # Remove @ref from quoted uses (e.g., @main)
        gsub(/@[^"]+/, "");

        # Remove comment after the closing quote (optional)
        sub(/"[[:space:]]+#.*/, "\"");
      }
      print;
    }' "${file}" > "${file}.tmp"

  # Compare original and modified file, only replace if different
  if ! cmp -s "${file}" "${file}.tmp"; then
    mv "${file}.tmp" "${file}"
    printf 'Updated: %s\n' "${file}"
  else
    rm "${file}.tmp"
  fi

done

--------------------------------------------------------------------------------
/.github/DISCUSSION_TEMPLATE/announcements.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
labels:
  - "announcement"
body:
  - type: "checkboxes"
    id: "terms"
    attributes:
      label: "Terms"
      # yamllint disable rule:line-length
      description: >
        By submitting this announcement, you agree to follow our
        [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
      # yamllint enable rule:line-length
      options:
        # yamllint disable rule:line-length
        - label: >
            I agree to follow this project's
            [Code of Conduct](https://github.com/open-nudge/opentemplate/blob/main/CODE_OF_CONDUCT.md)
          required: true
        # yamllint enable rule:line-length
  - type: "checkboxes"
    id: "authorization"
    attributes:
      label: "Authorization"
      description: >
        By submitting this issue, you confirm that you have the authority
        to make an announcement on behalf of the project.
      options:
        - label: >
            I have the authority to make an announcement
            on behalf of the project.
          required: true
  - type: "input"
    id: "version"
    attributes:
      label: "Software Version"
      description: "What version of this software is this announcement for?"
      placeholder: "vX.Y.Z"
    validations:
      required: true
  - type: "textarea"
    id: "announcements"
    attributes:
      label: "Announcement"
      description: "Add your announcement below."
    validations:
      required: true
  - type: "markdown"
    attributes:
      value: "Thank you for completing the form!"
...

--------------------------------------------------------------------------------
/.github/workflows/stale.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Stale"
on:
  schedule:
    - cron: "0 3 * * 6"
  workflow_call:
  workflow_dispatch:

permissions: {}  # yamllint disable-line rule:braces

jobs:
  stale:
    timeout-minutes: 10
    name: "Stale"
    permissions:
      issues: "write"  # Needed to close stale issues
      pull-requests: "write"  # Needed to close stale pull requests
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          disable-sudo-and-containers: true
          egress-policy: "block"
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - name: "Mark stale PRs"
        # yamllint disable rule:line-length
        uses: "actions/stale@5bef64f19d7facfb25b37b414482c7164d639639"  # v9.1.0
        # yamllint enable rule:line-length
        with:
          stale-pr-message: >
            This pull request did not receive any commits in the last 7 days.
            Marking pull request as stale (push additional commits or
            merge to unstale it).
          close-pr-message: >
            This PR was stale for the last 7 days.
            Closing the PR (one can reopen it at any time
            by committing and/or merging).
          days-before-pr-stale: 14
          days-before-pr-close: 28
          stale-pr-label: "stale"
          close-pr-label: "expired"
          remove-pr-stale-when-updated: true
          labels-to-remove-when-unstale: "stale"
...

--------------------------------------------------------------------------------
/.github/reusability/globalize.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

# Change local references to global references in GitHub Actions workflows
# skip_files should be a comma-separated list of files to skip
# Usage: ./reusability/globalize.sh [directory] [skip_files] [repo] [ref] [comment]

directory="${1:-./workflows}"
skip_files="${2:-}" # Comma-separated list of files to skip
repo="${3:-open-nudge/opentemplate}" # Customizable repository reference
ref="${4:-main}"
comment="${5:-"# zizmor: ignore[unpinned-uses]"}" # Optional comment

# shellcheck disable=SC3045,SC3011
IFS=',' read -r -a skip_array <<< "${skip_files}"

# shellcheck disable=SC3045
find "${directory}" -type f -name '*.yml' -print0 | while IFS= read -r -d '' file; do
  [ -f "${file}" ] || continue # Skip if no files match

  # Check if file should be skipped
  # shellcheck disable=SC3054
  for skip in "${skip_array[@]}"; do
    if [ "$(basename "${file}")" = "${skip}" ]; then
      printf 'Skipped: %s\n' "${file}"
      continue 2
    fi
  done

  awk -v repo="${repo}" -v ref="${ref}" -v comment="${comment}" '
    {
      if ($0 ~ /uses: "\.\/\.github\//) {
        gsub(/uses: "\.\/\.github\//, "uses: \"" repo "/.github/");
        sub(/"$/, "@" ref "\""); # Add @ref before the closing quote
        if (comment != "") {
          $0 = $0 " " comment;
        }
      }
      print;
    }' "${file}" > "${file}.tmp"

  # Compare original and modified file, only replace if different
  if ! cmp -s "${file}" "${file}.tmp"; then
    mv "${file}.tmp" "${file}"
    printf 'Updated: %s\n' "${file}"
  else
    rm "${file}.tmp"
  fi

done

--------------------------------------------------------------------------------
/.github/workflows/github-actionlint.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub actionlint"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/workflows/*"
      - ".github/actions/*"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  github-actionlint:
    name: "GitHub actionlint"
    timeout-minutes: 30
    permissions:
      contents: "read"
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"  # zizmor: ignore[known-vulnerable-actions]
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          # Uses docker container,
          # disable-sudo-and-containers impossible
          disable-sudo: true
          egress-policy: "block"
          allowed-endpoints: |
            github.com:443
      - name: "Checkout repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"  # v4.2.2
        # yamllint enable rule:line-length
        with:
          sparse-checkout: |
            .github/workflows
            .github/actions
          persist-credentials: false
      - name: "Check workflow files"
        # yamllint disable rule:line-length
        uses: "docker://rhysd/actionlint:1.7.1@sha256:435ecdb63b1169e80ca3e136290072548c07fc4d76a044cf5541021712f8f344"  # v1.7.1
        # yamllint enable rule:line-length
        with:
          args: "-color"
...

--------------------------------------------------------------------------------
/.github/label-path.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
actions:
  - changed-files:
      - any-glob-to-any-file:
          - ".github/**"

deps:
  - changed-files:
      - any-glob-to-any-file:
          - ".github/renovate.json"
          - "pyproject.toml"
          - "pdm.lock"
          - ".pre-commit-config.yaml"
          - ".github/workflows/renovate-*.yml"

config:
  - changed-files:
      - any-glob-to-any-file:
          - ".conform.yaml"
          - ".editorconfig"
          - ".yamllint.yml"
          - ".gitignore"
          - "pyproject.toml"
          - "commitlint.config.js"
          - ".pre-commit-config.yaml"
          - ".github/renovate.json"
          - "mkdocs.yml"

docs:
  - changed-files:
      - any-glob-to-any-file:
          - "/**.md"
          - "mkdocs.yml"
          - "docs/**"
          - ".github/**/*docs*.yml"
          - ".github/actions/ISSUE_TEMPLATE/**"
          - ".github/actions/PULL_REQUEST_TEMPLATE.md"
          - ".github/actions/DISCUSSION_TEMPLATE/**"
legal:
  - changed-files:
      - any-glob-to-any-file:
          - "LICENSE.md"
          - "CODEOWNERS"
          - "CODE_OF_CONDUCT.md"
          - "COPYRIGHT.txt"
          - "DCO.md"

security:
  - changed-files:
      - any-glob-to-any-file:
          - "SECURITY-*.md"
          - ".github/**/*security*.yml"

tests:
  - changed-files:
      - any-glob-to-any-file:
          - "tests/**"
          - ".github/**/*test*.yml"

src:
  - changed-files:
      - any-glob-to-any-file:
          - "src/**"

python:
  - changed-files:
      - any-glob-to-any-file:
          - "src/**.py"
          - "tests/**.py"
          - ".github/**/*python*.yml"
...

--------------------------------------------------------------------------------
/.github/workflows/pull-request.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Pull Request"

on:
  pull_request_target:  # zizmor: ignore[dangerous-triggers]
    types:
      - "opened"
      - "edited"
      - "synchronize"
      - "reopened"
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pull-request:
    timeout-minutes: 10
    name: "Pull Request"
    permissions:
      pull-requests: "read"  # Needed to process pull request data
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          disable-sudo-and-containers: true
          egress-policy: "block"
          allowed-endpoints: |
            api.github.com:443
      - name: "Lint Pull Request"
        # yamllint disable rule:line-length
        uses: "amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017"  # v5.5.3
        # yamllint enable rule:line-length
        with:
          types: |
            fix
            feat
          requireScope: false
          disallowScopes: |
            .+
          subjectPattern: "^(?![A-Z]).+$"
          subjectPatternError: |
            The subject "{subject}" found in the pull request title "{title}"
            didn't match the configured pattern. Please ensure that the subject
            doesn't start with an uppercase character.
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
...

--------------------------------------------------------------------------------
/docs/template/details/other-languages.md:
--------------------------------------------------------------------------------

# Other languages

> [!IMPORTANT]
> Although these checks are about other languages, the tooling
> is largely Python-based, and the configuration is in the `pyproject.toml`.

Besides Python, a few other "complementary" languages (mostly markup)
are verified by both `pre-commit` and CI pipelines, namely:

- Generic text checks - [`codespell`](https://github.com/codespell-project/codespell)
  verifies spelling and compliance with [`editorconfig`](https://editorconfig.org/)
  is checked by
  [`editorconfig-checker`](https://github.com/editorconfig-checker/editorconfig-checker).
  Additionally `opentemplate` looks for merge conflict strings and whether
  scripts with a `shebang` (`#!`) are executable
- `yaml` - responsible for GitHub Actions workflows, `mkdocs.yml`,
  `.pre-commit-config.yaml`, performed by
  [adrienverge/yamllint](https://github.com/adrienverge/yamllint)
- `pyproject.toml` - responsible for Python project configuration,
  validated by [abravalheri/validate-pyproject](https://github.com/abravalheri/validate-pyproject)
- `json` - responsible mainly for `renovate.json`, performed by
  [pre-commit/pre-commit-hooks](https://github.com/pre-commit/pre-commit-hooks)
- `toml` - basic syntax correctness checks
- `ini` - responsible for `.editorconfig` and `.vale.ini`,
  performed by [danieljrmay/pyinilint](https://gitlab.com/danieljrmay/pyinilint)
- `markdown` - any `markdown` files (see [prose](prose.md) for more information)
- `CITATION.cff` - checked by
  [citation-file-format/cffconvert](https://github.com/citation-file-format/cffconvert)

As with other commands, they have `check-` and
(if available) `fix-` variants and follow the standard
procedure as outlined in the [configuration section](../configuration/index.md).

## Code Sources

- `pyproject.toml`
- `.pre-commit-config.yaml`
- `.github/workflows/*.yml`

--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------

# Documentation

Perform adaptations in the `mkdocs.yml` if you want to change
the properties of the documentation (e.g. theme, title, and so on).

## Sections

### Provided

The following sections are provided:

- Reference - code reference, public API documentation, etc.,
  __automatically generated from the codebase__
- For contributors - how to contribute to the project, guidelines,
  governance and similar
- Security - security-related information of the project
- Legal - legal information, licenses and similar
- Hall of fame - list of adopters and announcements

> [!TIP]
> See `mkdocs.yml` for more details

### Predefined

Predefined sections (each in a separate folder)
which you can fill up with your content:

- [`tutorials`](./tutorials/README.md)
- [`how-tos`](./how-to/README.md)
- [`explanations`](./explanations/README.md)

> [!TIP]
> See the README.md in each folder for more details

> [!NOTE]
> If you do not need one of the above sections, you do not have to delete it.
> These will not be included automatically if there is no content.

### Advised

Sections below are not predefined, nor mandatory, but you may consider adding
them:

- About - general information about the project which may include:
    - History - history of the project (naming, milestones, fun facts)
    - Alternatives - similar software and comparisons
    - Benchmarks - performance, possibly compared to alternatives
    - FAQ - frequently asked questions
- Hall of fame additions, which may include:
    - Testimonials - quotes from adopters
    - Case studies - detailed stories of adopters
    - Sponsorship - information about sponsors
    - Acknowledgements - thank you notes
    - Contributors - list of contributors

## Resources

- [Diátaxis](https://diataxis.fr/) - a conceptual framework for documentation

--------------------------------------------------------------------------------
/docs/template/details/tests.md:
--------------------------------------------------------------------------------

# Tests

This document outlines the testing process of `opentemplate`-based projects.

## Features

- Uses [`pytest`](https://github.com/pytest-dev/pytest) for testing.
- Measures test coverage with [`pytest-cov`](https://github.com/pytest-dev/pytest-cov)
  (default threshold: `100%`).
- __Local testing:__ Runs on the latest three Python versions,
  following [SPEC 0](https://scientific-python.org/specs/spec-0000/).
- __CI testing:__ Runs across multiple Python versions and
  OSs (Linux, macOS, Windows) via GitHub Actions.
- __Randomized test execution__ ensures independence.
- Includes [`Hypothesis`](https://github.com/HypothesisWorks/hypothesis)
  for property-based testing.

> [!NOTE]
> `tox` is not used; instead, tests are run with different interpreters
> locally and across CI runners.

## Writing tests

- All tests are in the `tests` directory, named `test_.py`.
- Tests should follow `pytest` style.
- __Recommended:__ Use [`Hypothesis`](https://github.com/HypothesisWorks/hypothesis)
  for property-based testing, as required
  by [OSSF Scorecard](https://github.com/ossf/scorecard).

> [!TIP]
> `opentemplate` does not enforce a specific testing style,
> but methodologies like Test/Behavior Driven Development may be beneficial.

## Checks and fixes

Tests should be documented, formatted, and typed as they will be checked like
regular source code.

> [!TIP]
> See the [Python section](python.md) for more information.

## Adjustments

> [!NOTE]
> All changes apply to the CI as well.

- To change coverage requirements, update the `fail_under`
  flag in the `[tool.coverage.report]` section in `pyproject.toml`.
- To change the test runner, update the `tests` script in
  the `pyproject.toml` file.

## Code sources

- `pyproject.toml`
- `.github/workflows/tests*.yml`
- `.github/workflows/typing*.yml`

--------------------------------------------------------------------------------
/.github/workflows/policy.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Policy"

on:
  pull_request:
    branches:
      - "main"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

concurrency:
  group: >
    ${{ github.workflow_ref }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pr-policy-enforcer:
    timeout-minutes: 10
    name: "Policy"
    # Renovate bot disabled as it is not signing the commit
    if: >
      github.event.pull_request.user.login != 'renovate[bot]'
    permissions:
      contents: "read"
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"  # zizmor: ignore[known-vulnerable-actions]
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          # Uses docker container,
          # disable-sudo-and-containers impossible
          disable-sudo: true
          egress-policy: "block"
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - name: "Checkout Repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"  # v4.2.2
        # yamllint enable rule:line-length
        with:
          sparse-checkout: |
            .conform.yaml
          sparse-checkout-cone-mode: false
          persist-credentials: false
          # Necessary for the conform action to work (commit ranges)
          # See here: https://github.com/siderolabs/conform/issues/231
          fetch-depth: 2
      - name: "Check policy compliance"
        # yamllint disable rule:line-length
        uses: "siderolabs/conform@43d9fb6d85d5f01b391245805eefd258db160197"  # v0.1.0-alpha.30
        # yamllint enable rule:line-length
        with:
          token: "${{ secrets.GITHUB_TOKEN }}"
...

--------------------------------------------------------------------------------
/docs/template/configuration/basic.md:
--------------------------------------------------------------------------------

# Basic

This guide covers essential adjustments to the template.

> [!CAUTION]
> Keep changes minimal to simplify updates.
> If your changes relate to a specific section, you may want to
> consult [details documentation](../details/index.md).

## `pyproject.toml`

Most adjustments are made in `pyproject.toml`, which controls:

- __Developer Dependencies__ – Managed in `[dependency-groups]`
  (each dependency prefixed by `dev`).
- __Tool Settings__ – Configures tools like
  [`ruff`](https://docs.astral.sh/ruff/configuration/)
  section `[tool.]`.
- __Developer Commands__ – Defined under `[tool.pdm.scripts]`
  (usually `check-` or `fix-`).

> [!NOTE]
> Sections are ordered by importance and assumed frequency of change.

## `pre-commit`

Some tools not integrated with `pyproject.toml` can be configured
by editing `.pre-commit-config.yaml`.

> [!TIP]
> Non-`pyproject.toml` configurations are at the beginning of the file.

More details: [pre-commit documentation](https://pre-commit.com/#usage)

## GitHub Actions

`opentemplate` minimizes manual GitHub Actions configuration, allowing
modifications through `pyproject.toml`.

To add or edit actions, edit files in `.github/workflows/` folder.

> [!TIP]
> See [GitHub Actions Guide](../details/github-actions.md) for more information.

## Other adjustments

For other modifications, check:

- Relevant documentation sections (mostly [details documentation](../details/index.md)).
- [FAQ](../about/faq.md) for general questions.
- [Tips and Tricks](../about/tips-and-tricks.md)

> [!IMPORTANT]
> __Need Help?__ Search the docs for specific files or directories.
> If you can’t find what you need, please
> [open an issue](https://github.com/open-nudge/opentemplate/issues).

## Code sources

- `pyproject.toml`
- `.pre-commit-config.yaml`
- `.github/workflows/`

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------

# Security

Report any security vulnerabilities you find according to these
guidelines.

## General

- Please adhere to [Code of Conduct](./CODE_OF_CONDUCT.md) at all times.

## Reporting a vulnerability

- If you discover a vulnerability, report it directly to the code
  maintainers, __preferably using GitHub's
  [Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability)__.
- If you cannot find a way to report it, or have received no
  response after repeated attempts,
  __[contact the creators directly](https://github.com/open-nudge).__

Thank you.

## Security measures

This project strives to implement
[Open Source Security Foundation](https://openssf.org/)
(OSSF) [Best Practices](https://www.bestpractices.dev/en).

Some of the security measures undertaken in this project include:

- [OSSF Scorecard](https://github.com/ossf/scorecard)
- [Security file](./SECURITY.md)
- [Security Insights Specification](https://github.com/open-nudge/opentemplate/blob/main/SECURITY-INSIGHTS.yml)
  as defined [here](https://github.com/ossf/security-insights-spec)
- [Security Self Assessment](SECURITY-SELF-ASSESSMENT.md)
- [Security Dependencies Policy](SECURITY-DEPENDENCY.md)
- [Renovate Bot](https://github.com/open-nudge/opentemplate/blob/main/.github/renovate.json)
  for automated dependency updates
- [Software Bills Of Material (SBOMs)](https://github.com/open-nudge/opentemplate/releases)
- [Sigstore signing](https://github.com/open-nudge/opentemplate/releases)
  as seen [here](https://github.com/sigstore/sigstore-python)
- GitHub Actions CI/CD pipelines with minimal permissions
- GitHub Actions CI/CD pipelines hardened via [Harden Runner](https://github.com/step-security/harden-runner)
- [Pre-commit hooks](https://pre-commit.com/) for local code quality
  and security verification

--------------------------------------------------------------------------------
/.github/workflows/github-all-renovate.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "GitHub Renovate"

on:
  pull_request:
    branches:
      - "main"
    paths:
      - ".github/actions/*/action.yml"
      - ".github/workflows/*.yml"
      - ".github/renovate.json"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  github:
    name: "GitHub"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-github'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length

  github-actions:
    name: "GitHub Actions"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-github'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-actions-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length

  github-workflows:
    name: "GitHub Workflows"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-github'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-workflows-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length

  github-renovate:
    name: "GitHub Renovate"
    if: |
      github.event.pull_request.user.login == 'renovate[bot]'
      && github.ref == 'refs/heads/bot/dependencies-dev-github'
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/github-renovate-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
...
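
The workflow above sets a top-level `permissions: {}` and marks each `@main` reference to the project's own reusable workflows with a `zizmor: ignore[unpinned-uses]` waiver, while third-party actions in this repository are pinned to a full commit SHA with the version in a trailing comment. The following Python check for those conventions is an added example, not part of opentemplate: the function names and the `SAMPLE` workflow are constructed for illustration, and it scans the file line by line instead of parsing YAML.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Only a full-length commit SHA is treated as an immutable reference.
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
# `uses:` as a step key ("- uses:") or a job key, with optional quotes and comment.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#\s*(.*))?$""")
VERSION_COMMENT = re.compile(r"\bv\d+(?:\.\d+)*")
WAIVER = "zizmor: ignore[unpinned-uses]"
# Workflow-level deny-all; jobs then opt in to the scopes they need.
TOP_LEVEL_DENY = re.compile(r"^permissions:[ \t]*\{\}[ \t]*(?:#.*)?$", re.MULTILINE)
# Any indented key whose value is the literal `write` (permission scopes in practice).
WRITE_SCOPE = re.compile(
    r"""^[ \t]+([\w-]+):[ \t]*["']?write["']?[ \t]*(?:#.*)?$""", re.MULTILINE
)


class Finding(NamedTuple):
    line: int    # 1-based line number of the `uses:` entry
    target: str  # action or reusable workflow reference, including the ref
    status: str  # "pinned", "pinned-no-version", "waived" or "unpinned"


def audit_uses(workflow: str) -> list[Finding]:
    """Classify every non-local `uses:` reference in a workflow file."""
    findings = []
    for number, line in enumerate(workflow.splitlines(), start=1):
        match = USES.match(line)
        if not match:
            continue
        target, comment = match.group(1), match.group(2) or ""
        if target.startswith("./"):
            continue  # local action, versioned together with the repository
        ref = target.partition("@")[2]
        if SHA_PIN.match(ref):
            # A SHA alone is hard to review, so expect "# vX.Y.Z" next to it.
            status = "pinned" if VERSION_COMMENT.search(comment) else "pinned-no-version"
        elif WAIVER in comment:
            status = "waived"  # explicitly accepted, e.g. first-party `@main`
        else:
            status = "unpinned"
        findings.append(Finding(number, target, status))
    return findings


def denies_by_default(workflow: str) -> bool:
    """True when the workflow declares `permissions: {}` at the top level."""
    return bool(TOP_LEVEL_DENY.search(workflow))


def write_scopes(workflow: str) -> list[str]:
    """List scopes granted `write`, so each one can be justified in review."""
    return WRITE_SCOPE.findall(workflow)


# Constructed sample; the two SHAs are the pins shown in this repository.
SAMPLE = '''\
name: "Example"
on:
  pull_request:
permissions: {}  # yamllint disable-line rule:braces
jobs:
  lint:
    permissions:
      contents: "read"
      pull-requests: "write"
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
      - uses: "actions/checkout@v4"
      - uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
  reuse:
    uses: "open-nudge/opentemplate/.github/workflows/run-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
'''

if __name__ == "__main__":
    for finding in audit_uses(SAMPLE):
        print(f"line {finding.line}: {finding.status:<18} {finding.target}")
    print("deny by default:", denies_by_default(SAMPLE))
    print("write scopes:", write_scopes(SAMPLE))
```
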

--------------------------------------------------------------------------------
/.github/workflows/labeler.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Labeler"

on:
  pull_request_target:  # zizmor: ignore[dangerous-triggers]
    types:
      - "opened"
      - "edited"
      - "synchronize"
      - "reopened"
  merge_group:
    types:
      - "checks_requested"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  labeler:
    timeout-minutes: 10
    name: "Labeler"
    permissions:
      pull-requests: "write"  # Needed to create label
    runs-on: "ubuntu-latest"
    steps:
      - name: "Harden Runner"
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          disable-sudo-and-containers: true
          egress-policy: "block"
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - name: "Checkout repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"  # v4.2.2
        # yamllint enable rule:line-length
        with:
          sparse-checkout: |
            .github
          sparse-checkout-cone-mode: true
          persist-credentials: false
      - name: "Label PR"
        # yamllint disable rule:line-length
        uses: "actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9"  # v5.0.0
        # yamllint enable rule:line-length
        with:
          configuration-path: "./.github/label-path.yml"
          repo-token: "${{ secrets.GITHUB_TOKEN }}"
          sync-labels: true
      - name: "PR Labeler"
        # yamllint disable rule:line-length
        uses: "github/issue-labeler@c1b0f9f52a63158c4adc09425e858e87b32e9685"  # v3.4
        # yamllint enable rule:line-length
        with:
          configuration-path: ".github/label-title.yml"
          enable-versioned-regex: 0
          sync-labels: 1
          include-title: 1
          include-body: 0
...

--------------------------------------------------------------------------------
/docs/template/release-your-project/checklist.md:
--------------------------------------------------------------------------------

# Release checklist

> [!NOTE]
> While automation handles most of the release process,
> some project-specific details require manual updates.

## [README](../../index.md)

1. Update __`Features`__ section with ~5 key points.

1. Keep __`Usage`__ clear and concise.

1. Add __`Examples`__:

    1. Basic usage

    1. Common task

    1. Advanced/expert-level usage

> [!CAUTION]
> Review [README](../../index.md) after changes to ensure coherence.

## pyproject.toml

> [!CAUTION]
> Do not edit sections starting with `DO NOT EDIT UNTIL end marker`
> and ending with `[[[end]]]`.

- `[project.classifiers]` – Add relevant
  [PyPI classifiers](https://pypi.org/classifiers/).
- `[project.dependencies]` and `[project.optional-dependencies]` – Double-check
  correctness.

> [!TIP]
> For public projects after the first release, remove `exclude_links`
> in `[tool.md_dead_link_check]` to validate all links.

## Documentation

> [!CAUTION]
> Adjust `/docs` structure and content as needed.

You should consult the [documentation guide](../details/documentation.md)
for more details.

> [!NOTE]
> Content in folders like `/docs/tutorials` is auto-included via
> [`mkdocs-awesome-pages`](https://github.com/lukasgeiter/mkdocs-awesome-pages-plugin)
> if any content is present there.

> [!CAUTION]
> Manually validate `mkdocs.yml` and generated docs.

## Security

- Verify and update `CODEOWNERS`
  ([docs](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)).
- Complete `TBD` sections in `SECURITY-SELF-ASSESSMENT.md`
  ([CNCF guide](https://tag-security.cncf.io/community/assessments/guide/self-assessment/#non-goals)).
- __Optional:__ Add more contact details to [`SECURITY.md`](../../SECURITY.md).

## Documents

- Ensure `ROADMAP.md` outlines plans for the next release (if applicable).
- __Optional:__ Add more governance details to [`GOVERNANCE.md`](../../GOVERNANCE.md).

--------------------------------------------------------------------------------
/.github/actions/release-sbom-setup/action.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Setup SBOMs"
description: "Setup for SBOMs creation to be later attested."

inputs:
  identifier:
    description: "Identifier of the artifact to save later."
    required: true
  files:
    description: "Files to hash. Can also be a command"
    required: true
  extension:
    description: "Extension of the SBOM file."
    default: ".json"

outputs:
  artifact:
    description: "Name of the artifact to download."
    value: "${{ steps.setup.outputs.artifact }}"
  sbom:
    description: "Path to the SBOM."
    value: "${{ steps.setup.outputs.sbom }}"
  sbom-directory:
    description: "Directory to store SBOMs."
    value: "${{ steps.setup.outputs.sbom-directory }}"

runs:
  using: "composite"
  steps:
    - name: "Perform setup"
      id: "setup"
      shell: "bash"
      env:
        IDENTIFIER: "${{ inputs.identifier }}"
        SBOM_DIRECTORY: "sbom-${{ github.sha }}"
        SBOM: "${{ inputs.identifier }}${{ inputs.extension }}"
      run: |
        mkdir "${SBOM_DIRECTORY}"
        echo "artifact=${IDENTIFIER}" >> "${GITHUB_OUTPUT}"
        echo "sbom-directory=${SBOM_DIRECTORY}" >> "${GITHUB_OUTPUT}"
        echo "sbom=${SBOM_DIRECTORY}/${SBOM}" >> "${GITHUB_OUTPUT}"
    # See here for more information about the sum:
    # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-artifacts-built-across-multiple-operating-systems
    - name: "Hash Files (Linux/MacOS)"  # zizmor: ignore[template-injection]
      if: >
        runner.os != 'Windows'
      shell: "bash"
      env:
        OUTPUT_FILE: "sbom-${{ github.sha }}/checksums.txt"
      run: >
        shasum -a 256 ${{ inputs.files }} > "${OUTPUT_FILE}"
    - name: "Hash Files (Windows)"  # zizmor: ignore[template-injection]
      if: >
        runner.os == 'Windows'
      shell: "bash"
      env:
        OUTPUT_FILE: "sbom-${{ github.sha }}/checksums.txt"
      run: >
        sha256sum -t ${{ inputs.files }} > "${OUTPUT_FILE}"
    - name: "Check checksums"
      shell: "bash"
      env:
        OUTPUT_FILE: "sbom-${{ github.sha }}/checksums.txt"
      run: |
        cat "${OUTPUT_FILE}"
...

--------------------------------------------------------------------------------
/.github/workflows/run-check-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Check"

on:
  workflow_call:
    inputs:
      # COMMAND
      check:
        description: "Prefix for the concurrency group"
        required: true
        type: "string"
      arguments:
        description: "Additional arguments to pass to the run command"
        type: "string"
        default: ""
      # CHECKOUT
      full-checkout:
        description: "Whether to clone the full repository"
        required: false
        type: "boolean"
        default: false
      sparse-checkout:
        description: "Additional files to sparse checkout."
        type: "string"
        default: ""
      cone:
        description: "Whether to use cone mode for sparse checkout"
        type: "boolean"
        default: false
      ref:
        description: "The ref to checkout"
        required: false
        type: "string"
      # PDM INSTALLATION
      group:
        description: >
          The group of the dependency to install.
          Same as `check` if unspecified.
        required: false
        type: "string"
        default: ""
      core:
        description: "Whether to install core (+ optional) dependencies"
        type: "boolean"
        default: false
      # ADDITIONAL
      timeout-minutes:
        description: "Timeout in minutes"
        required: false
        type: "number"
        default: 30
      additional-allowed-endpoints:
        description: "Additional endpoints to allow"
        required: false
        type: "string"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  run-check-reusable:
    name: "Check"
    permissions:
      contents: "read"
    # yamllint disable rule:line-length
    uses: "open-nudge/opentemplate/.github/workflows/run-reusable.yml@main"  # zizmor: ignore[unpinned-uses]
    # yamllint enable rule:line-length
    with:
      command: |
        pdm run check-${{ inputs.check }} ${{ inputs.arguments }}
      group: "${{ inputs.group || inputs.check }}"
      core: "${{ inputs.core }}"
      full-checkout: "${{ inputs.full-checkout }}"
      sparse-checkout: "${{ inputs.sparse-checkout }}"
      cone: "${{ inputs.cone }}"
      ref: "${{ inputs.ref }}"
      timeout-minutes: "${{ inputs.timeout-minutes }}"
      additional-allowed-endpoints: "${{ inputs.additional-allowed-endpoints }}"
...

--------------------------------------------------------------------------------
/.github/workflows/release-sbom-attest-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Release SBOM Attest Reusable"

on:
  workflow_call:
    inputs:
      # SBOM
      artifact:
        description: >
          Name of the artifact to download.
          NOTE: SBOM should be in JSON format and be named as the artifact.
        type: "string"
        required: true
      # Other
      continue-on-error:
        description: "Whether to continue on error"
        type: "boolean"
        default: true

permissions: {}  # yamllint disable-line rule:braces

jobs:
  release-sbom-attest-reusable:
    name: "Release SBOM Attest Reusable"
    permissions:
      id-token: "write"  # Needed to get GH Token to attest
      attestations: "write"  # Needed to upload attestation
    timeout-minutes: 30
    runs-on: "ubuntu-latest"
    continue-on-error: "${{ inputs.continue-on-error }}"
    env:
      ATTESTATION_NAME: "attestation-${{ inputs.artifact }}.intoto.jsonl"
    steps:
      - name: "Harden Runner"
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          disable-sudo-and-containers: true
          egress-policy: "block"
          allowed-endpoints: >
            api.github.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
      - name: "Download artifacts"
        # yamllint disable rule:line-length
        uses: "actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093"  # v4.3.0
        # yamllint enable rule:line-length
        with:
          name: "${{ inputs.artifact }}"
      - name: "Attest SBOM"
        # yamllint disable rule:line-length
        uses: "actions/attest-sbom@115c3be05ff3974bcbd596578934b3f9ce39bf68"  # v2.2.0
        # yamllint enable rule:line-length
        id: "attestation"
        with:
          sbom-path: "${{ inputs.artifact }}.json"
          subject-checksums: "checksums.txt"
      - name: "Rename attestation"
        env:
          BUNDLE_PATH: "${{ steps.attestation.outputs.bundle-path }}"
        run: >
          mv "${BUNDLE_PATH}" "${ATTESTATION_NAME}"
      - name: "Upload SBOM attestation"
        # yamllint disable rule:line-length
        uses: "actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02"  # v4.6.2
        # yamllint enable rule:line-length
        with:
          name: "attestation-${{ inputs.artifact }}"
          path: "attestation-${{ inputs.artifact }}.intoto.jsonl"
...

--------------------------------------------------------------------------------
/.github/workflows/security-osv-scanner-reusable.yml:
--------------------------------------------------------------------------------
# SPDX-FileCopyrightText: © 2025 open-nudge
# SPDX-FileContributor: szymonmaszke
#
# SPDX-License-Identifier: Apache-2.0

---
name: "Security OSV-Scanner Reusable"

on:
  workflow_call:
    inputs:
      name:
        description: "Name of the artifact (default: '' - no artifact upload)"
        type: "string"
        default: ""
      sarif:
        description: "Upload SARIF file to CodeQL"
        type: "boolean"
        default: false
      continue-on-error:
        description: "Whether to continue on error"
        type: "boolean"
        default: false
      file:
        description: "Name/path of the created SARIF file"
        type: "string"
        default: "osv-scanner.sarif"

permissions: {}  # yamllint disable-line rule:braces

jobs:
  security-osv-scanner-reusable:
    name: "Security OSV-Scanner Reusable"
    runs-on: "ubuntu-latest"
    timeout-minutes: 30
    permissions:
      actions: "read"  # https://github.com/github/codeql-action/issues/2117
      security-events: "write"  # Needed to upload SARIF file to tab
      contents: "read"
    steps:

      - name: "Harden Runner"  # zizmor: ignore[known-vulnerable-actions]
        # yamllint disable rule:line-length
        uses: "step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0"  # v2.12.0
        # yamllint enable rule:line-length
        with:
          # Uses docker container,
          # disable-sudo-and-containers impossible
          disable-sudo: true
          egress-policy: "block"
          allowed-endpoints: >
            api.deps.dev:443
            api.github.com:443
            api.osv.dev:443
            github.com:443
      - name: "Checkout repository"
        # yamllint disable rule:line-length
        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"  # v4.2.2
        # yamllint enable rule:line-length
        with:
          persist-credentials: false
      - name: "Run scanner"
        # yamllint disable rule:line-length
        uses: "google/osv-scanner/actions/scanner@a2a23858b9650035f019219937f91ae615474b4d"  # v2.0.2
        # yamllint enable rule:line-length
        continue-on-error: "${{ inputs.continue-on-error }}"
        with:
          scan-args: |-
            --format=sarif
            --output=${{ inputs.file }}
            --recursive
            --licenses=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,Unlicense,Zlib,OFL-1.1,0BSD,PSF-2.0
            ./
      - name: "Upload files"
        # yamllint disable rule:line-length
        uses: "open-nudge/opentemplate/.github/actions/sarif-upload@main"  # zizmor: ignore[unpinned-uses]
        # yamllint enable rule:line-length
        with:
          name: "${{ inputs.name }}"
          file: "${{ inputs.file }}"
          sarif: "${{ inputs.sarif }}"
...

--------------------------------------------------------------------------------
/docs/template/details/legal.md:
--------------------------------------------------------------------------------

# Legal

> [!CAUTION]
> This document is not legal advice. Consult a professional for legal questions.

This document outlines the legal aspects of `opentemplate`.

## Compliance and fixes

### REUSE compliance

Repositories created from this template follow the [REUSE](https://reuse.software/) framework,
meaning:

- Every file includes an [SPDX](https://spdx.dev/use/specifications/)
  header with `license` and copyright details.
- Headers are either language-specific comments or `.license`
  files when comments aren't supported.

> [!IMPORTANT]
> Each contributor will be added to the SPDX headers.
> See [`SPDX-FileContributor`](https://spdx.github.io/spdx-spec/v2.2.2/file-information/#8.14)
> for more details.

- The `pre-commit` hook automatically adds missing headers (`fix-legal` in `pyproject.toml`).
- `check-legal` in `pyproject.toml` ensures compliance and runs after `fix-legal`.

### License compliance

[`google/osv-scanner`](https://github.com/google/osv-scanner) checks dependency licenses.
Allowed licenses (subject to change):

> MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, Unlicense, Zlib, OFL-1.1, 0BSD, PSF-2.0

## Adjustments

### Changing license

- Run `pdm run reuse download `
  __and link the [`/LICENSE.md`](../../LICENSE.md) file__
  to the appropriate file in `licenses/`.
- Change `license` in `pyproject.toml` to the new SPDX identifier.

### Modifying license compliance

> [!IMPORTANT]
> Adjust project licensing as needed.

To update allowed licenses for `osv-scanner`:

- Modify `.pre-commit-config.yaml` (`id: osv-scanner`) for local changes.
- Update `.github/workflows/reusable-security-osv-scanner.yml` for CI.

## Documents

- __[`/LICENSE.md`](../../LICENSE.md)__ (Apache-2.0 by default)
  should be a symbolic link to the actual license file in `licenses/`.
- __`LICENSES/`__ folder contains all project licenses
  (e.g., `pdm.lock` is [`CC0-1.0`](https://creativecommons.org/publicdomain/zero/1.0/deed.en)).
- __[`CODE_OF_CONDUCT.md`](../../CODE_OF_CONDUCT.md)__ follows the
  [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).
- __[`DCO.md`](../../DCO.md)__ (Developer Certificate of Origin) must remain unchanged;
  all commits must be signed off ([details](https://wiki.linuxfoundation.org/dco)).
- __[`GOVERNANCE.md`](../../GOVERNANCE.md)__ outlines project governance.
- __`CITATION.cff`__ provides citation details.

> [!TIP]
> See [GitHub guide](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-citation-files)
> for more information.

## Code Sources

- `pyproject.toml`
- `.github/workflows/legal*.yml`

--------------------------------------------------------------------------------
/docs/template/details/scheduled-jobs.md:
--------------------------------------------------------------------------------

# Scheduled jobs

`opentemplate` runs scheduled jobs weekly, typically on weekends.

> [!TIP]
> All cron-like jobs are in `/.github/workflows` and use the
> `on: schedule` trigger.

## Jobs

Most scheduled jobs focus on security (`security-_` workflows)
and are run periodically as vulnerabilities evolve, namely:

- __Security posture analysis:__ [`ossf/scorecard`](https://github.com/ossf/scorecard)
- __Vulnerability scanning:__ [`google/osv-scanner`](https://github.com/google/osv-scanner)
- __Bug detection and code quality:__ [`semgrep/semgrep`](https://github.com/semgrep/semgrep)

## Dependency automation

Automating dependency updates ensures security and stability.

### Renovate

> [!IMPORTANT]
> Only relevant workflows run when `renovate` opens a PR
> (e.g., `markdown` checks for `dev-markdown` updates).

- Updates run on weekends.
- Dependencies are grouped by `dev-`.
- Updates are handled by `github-actions[bot]`.

#### Adjustments

> [!CAUTION]
> If adding a `dev` dependency in `pyproject.toml`,
> update `.github/renovate.json` accordingly.

New `dev-` groups require:

- A corresponding entry in `renovate.json`.
- (Probably) a new `.github/workflows/renovate-.yml` workflow.

> [!NOTE]
> `.github/workflows/-renovate.yml` should run only when the
> branch name matches `dependencies-dev-`.

> [!TIP]
> See the [GitHub Actions section](github-actions.md) for more details.

### pre-commit

Independent `pre-commit` hooks update weekly. All hooks run against the
latest `main` branch state to ensure updates are correct.

> [!NOTE]
> `renovate` does not update `pre-commit` hooks due to maintainers'
> policy ([details](https://docs.renovatebot.com/modules/manager/pre-commit/#additional-information)).

## Content generation

[`cog`](https://github.com/nedbat/cog) automates content generation based on
source code comments (`DO NOT EDIT UNTIL end marker` in `pyproject.toml`).

Additionally, [`opennudge/cogeol`](https://github.com/nedbat/cog)
integrates [Python's end-of-life](https://endoflife.date/) data to simplify management.

Together with GitHub Actions, these ensure:

- Support for the latest three Python versions.
- CI/CD always runs appropriate versions.
- PRs are opened for new releases and scheduled deprecations.

## Template updates

> [!NOTE]
> Template updates are not __currently__ automated; the workflow is a
> placeholder for future use.

## Code sources

- `.github/renovate.json`
- `.github/workflows/pre-commit-update*.yml`
- `.github/workflows/security-osv-scanner-update*.yml`
- `.github/workflows/security-semgrep*.yml`
- `.github/workflows/*-renovate.yml`
- `.github/workflows/generation*.yml`

--------------------------------------------------------------------------------