feat: ✨ copy over static files to template folder (#117)

# Description

This PR creates the `template` folder and copies over files that don't
have copier variables. Files copied from `template-data-package` and
Sprout.

This PR needs an in-depth review.

## Checklist

- [x] Added or updated tests
- [x] Updated documentation
- [x] Ran `just run-all` -- will fail

---------

Co-authored-by: Luke W. Johnston <[email protected]>

Author: martonvago

template/.cz.toml

@@ -0,0 +1,6 @@
+[tool.commitizen]
+bump_message = "build(version): :bookmark: update version from $current_version to $new_version"
+update_changelog_on_bump = true
+version_provider = "uv"
+# Don't regenerate the changelog on every update
+changelog_incremental = true

template/.editorconfig

@@ -0,0 +1,23 @@
+# EditorConfig settings. Some editors will read these automatically;
+# for those that don't, see here: http://editorconfig.org/
+
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+max_line_length = 88
+
+# Have a bit shorter line length for text docs
+[*.{txt,md,qmd}]
+max_line_length = 72
+indent_size = 4
+
+# Python always uses 4 spaces for tabs
+[*.py]
+indent_style = space
+indent_size = 4

template/.github/pull_request_template.md

@@ -0,0 +1,13 @@
+# Description
+
+This PR DESCRIBE CHANGES.
+
+Closes #
+
+This PR needs a quick/an in-depth review.
+
+## Checklist
+
+- [ ] Added or updated tests
+- [ ] Updated documentation
+- [ ] Ran `just run-all`

template/.github/workflows/build-package.yml

@@ -0,0 +1,19 @@
+name: Build package
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  build:
+    uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@main
+    # Permissions needed for pushing to the coverage branch.
+    permissions:
+      contents: write

template/.github/workflows/build-website.yml

@@ -0,0 +1,17 @@
+name: Build website
+
+on:
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  build-website:
+    uses: seedcase-project/.github/.github/workflows/reusable-build-docs-with-python.yml@main
+    secrets:
+      netlify-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+      # This is to allow using `gh` CLI
+      github-token: ${{ secrets.GITHUB_TOKEN }}

template/.github/workflows/dependency-review.yml

@@ -0,0 +1,17 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: "Security: Dependency Review"
+on: pull_request
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  dependency-review:
+    uses: seedcase-project/.github/.github/workflows/reusable-dependency-review.yml@main

template/.github/workflows/release-package.yml

@@ -0,0 +1,61 @@
+name: Release package
+
+on:
+  push:
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  release:
+    # This job outputs env variables `previous_version` and `current_version`.
+    # Only give permissions for this job.
+    permissions:
+      contents: write
+    uses: seedcase-project/.github/.github/workflows/reusable-release-project.yml@main
+    with:
+      app-id: ${{ vars.UPDATE_VERSION_APP_ID }}
+    secrets:
+      update-version-gh-token: ${{ secrets.UPDATE_VERSION_TOKEN }}
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    # Only give permissions for this job.
+    permissions:
+      # IMPORTANT: mandatory for trusted publishing.
+      id-token: write
+    environment:
+      name: pypi
+    needs:
+      - release
+    if: ${{ needs.release.outputs.previous_version != needs.release.outputs.current_version }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # Need to explicitly get the current version, otherwise it defaults to current commit
+          # (which is not the same as the release/version commit).
+          ref: ${{ needs.release.outputs.current_version }}
+
+      # This workflow and the publish workflows are based on:
+      # - https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
+      # - https://www.andrlik.org/dispatches/til-use-uv-for-build-and-publish-github-actions/
+      # - https://github.com/astral-sh/trusted-publishing-examples
+      - name: Set up uv
+        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+
+      - name: Build distributions
+        # Builds dists from source and stores them in the dist/ directory.
+        run: uv build
+
+      - name: Publish 📦 to PyPI
+        # Only publish if the option is explicitly set in the calling workflow.
+        run: uv publish --trusted-publishing always

template/.github/workflows/scorecards.yml

@@ -0,0 +1,28 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+name: "Security: Scorecard"
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches:
+      - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Analysis
+    uses: seedcase-project/.github/.github/workflows/reusable-scorecards.yml@main
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write

template/.gitignore

@@ -0,0 +1,86 @@
+# Development files and folders
+_ignore
+bin/
+dev/
+
+# Temporary files
+*.tmp
+
+# Any IDE specific folders
+.idea
+
+# Any .env files
+.env
+.env.*
+**/.env.*
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Python specific content
+venv
+__pycache__/
+*.py[cod]
+
+# Python packaging and distribution
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Python testing and code coverage
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+coverage.*
+.cache
+nosetests.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# MacOS
+.DS_Store
+
+# Quarto
+/.quarto/
+docs/.quarto/
+*.ipynb
+*.quarto_ipynb
+*.storage
+
+# Quartodoc
+/docs/reference/
+objects.json
+
+# Website generation
+_site
+_book
+public
+site
+
+
+# Misc files
+*.log

template/.pre-commit-config.yaml

@@ -0,0 +1,30 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+ci:
+  autofix_commit_msg: "chore(pre-commit): :pencil2: automatic fixes"
+  autoupdate_commit_msg: "ci(pre-commit): :construction_worker: update pre-commit CI version"
+
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.28.0
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v4.8.3
+    hooks:
+      - id: commitizen
+
+  # Use the mirror since the main `typos` repo has tags for different
+  # sub-packages, which confuses pre-commit when it tries to find the latest
+  # version
+  - repo: https://github.com/adhtruong/mirrors-typos
+    rev: v1.34.0
+    hooks:
+      - id: typos