Updates from making new evanharmon.com website (#28)

* Updates from making new evanharmon.com website

* more updates

* update workflows to new github version due to deprecation

* disable package.json scanning for harmon-stack

* updates

.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Fetch all history for versioning
 

.github/workflows/security.yml

@@ -1,12 +1,12 @@
-name: Security
+name: Security Test
 run-name: ${{ github.actor }} is running Security Actions
 on: [pull_request]
 jobs:
-  security:
+  secrets:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Triggered by a ${{ github.event_name }} event."
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       # E.g., to check for my `~/Local/.secret` file
       - name: Custom check for secret files
         run: ./check_for_pattern.sh . "*secret*"
@@ -22,8 +22,68 @@ jobs:
         run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json
       # Upload Artifacts
       - name: Upload the scan output
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: scan_results
           path: /tmp/scan_output.json
           retention-days: 7
+  sast-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # Node.js dependencies scan
+      # Disabled since harmon-stack doesn not build a package.json file
+      # - name: Setup Node.js
+      #   uses: actions/setup-node@v4
+      #   with:
+      #     node-version: "22"
+      #     cache: "npm"
+      # - name: Install Node dependencies
+      #   run: npm ci
+      # - name: Run Snyk for Node.js
+      #   uses: snyk/actions/node@master
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #   with:
+      #     command: test
+      #     args: >
+      #       --severity-threshold=high
+      #       --show-vulnerable-paths=all
+      # Python dependencies scan
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+      - name: Install Python dependencies
+        run: pip install -r requirements.txt
+      - name: Run Snyk for Python
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: >
+            --file=requirements.txt
+            --severity-threshold=high
+            --show-vulnerable-paths=all
+            # Disabled since harmon-stack doesn not build a package.json file
+  # sast-code:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - name: Setup Node.js
+  #       uses: actions/setup-node@v4
+  #       with:
+  #         node-version: "22"
+  #         cache: "npm"
+  #     - name: Install dependencies
+  #       run: npm ci
+  #     - name: Run Snyk to check for vulnerabilities
+  #       uses: snyk/actions/node@master
+  #       env:
+  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+  #       with:
+  #         command: code test
+  #         args: >
+  #           --severity-threshold=high
+  #           --json-file-output=snyk-code-test.json

.github/workflows/validate.yml

@@ -6,7 +6,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Triggered by a ${{ github.event_name }} event."
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
         with:
           python-version: 3.9

README.md

@@ -5,6 +5,7 @@ Author: Evan Harmon
 
 [![Validate](https://github.com/evanharmon1/harmon-stack/actions/workflows/validate.yml/badge.svg)](https://github.com/evanharmon1/harmon-stack/actions/workflows/validate.yml)
 [![Security](https://github.com/evanharmon1/harmon-stack/actions/workflows/security.yml/badge.svg)](https://github.com/evanharmon1/harmon-stack/actions/workflows/security.yml)
+[![Copier](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-orange.json)](https://github.com/copier-org/copier)
 
 ## Usage
 Create a new project with: `copier copy harmon-stack new-project --trust`

template/.editorconfig

@@ -1,3 +1,5 @@
+# https://EditorConfig.org
+
 # Root EditorConfig file
 root = true
 

template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/build.yaml

@@ -0,0 +1,27 @@
+name: Build Test
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version:
+          - 22
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js v${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+      - run: npm ci
+      - run: npm run build
+      # - run: npm test

template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml

@@ -11,7 +11,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Fetch all history for versioning
 

template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml

@@ -6,7 +6,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Triggered by a ${{ github.event_name }} event."
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       # E.g., to check for my `~/Local/.secret` file
       - name: Custom check for secret files
         run: ./check_for_pattern.sh . "*secret*"
@@ -22,8 +22,66 @@ jobs:
         run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json
       # Upload Artifacts
       - name: Upload the scan output
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: scan_results
           path: /tmp/scan_output.json
           retention-days: 7
+  sast-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # Node.js dependencies scan
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: "npm"
+      - name: Install Node dependencies
+        run: npm ci
+      - name: Run Snyk for Node.js
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: >
+            --severity-threshold=high
+            --show-vulnerable-paths=all
+      # Python dependencies scan
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+      - name: Install Python dependencies
+        run: pip install -r requirements.txt
+      - name: Run Snyk for Python
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: >
+            --file=requirements.txt
+            --severity-threshold=high
+            --show-vulnerable-paths=all
+  sast-code:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: code test
+          args: >
+            --severity-threshold=high
+            --json-file-output=snyk-code-test.json

template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml

@@ -1,8 +1,8 @@
-name: Validate
+name: Validate Code
 run-name: ${{ github.actor }} is running Validate Actions
 on: [pull_request]
 jobs:
-  validate:
+  preCommit:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Triggered by a ${{ github.event_name }} event."
@@ -12,3 +12,14 @@ jobs:
           python-version: 3.9
       - uses: pre-commit/[email protected]
       - uses: pre-commit-ci/[email protected]
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npm run check

template/.gitignore

@@ -55,6 +55,7 @@ Thumbs.db
 .meta
 todo.md
 *.code-workspace
+.dccache
 
 #             .env
 #------------------------------------------------------------------------------

template/README.md.jinja

@@ -5,7 +5,12 @@
 Author: {{ author_full_name }}
 
 [![Validate](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/validate.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/validate.yml)
+[![Build](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/build.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/build.yml)
 [![Security](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/security.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/security.yml)
+[![Copier](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-orange.json)](https://github.com/copier-org/copier)
+[![Maintained](https://img.shields.io/badge/maintained%3F-yes-brightgreen.svg?style=flat-square)](https://github.com/onwidget)
+[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/onwidget/astrowind#contributing)
+[![Known Vulnerabilities](https://snyk.io/test/github/onwidget/astrowind/badge.svg?style=flat-square)](https://snyk.io/test/github/onwidget/astrowind)
 
 ## Setup & Installation
 

template/Taskfile.yml.jinja

@@ -1,5 +1,5 @@
 # Taskfile for {{ project_name }}
-version: "3"
+version: '3'
 tasks:
   boostrap:
     cmds:
@@ -13,25 +13,50 @@ tasks:
     silent: true
   validate:
     cmds:
-      - pre-commit run --all-files
-      # - shellcheck osConfig/mac/updateMac.sh
-      # - shellcheck osConfig/mac/setupMac.sh
-      # - shellcheck osConfig/mac/configureMacSettings.sh
+      - task: preCommit
+      - task: check
     silent: true
-  pre-commit:
+  preCommit:
     cmds:
       - pre-commit run --all-files
     silent: true
+  check:
+    cmds:
+      - npm run check:astro
+      - npm run check:eslint
+      - cmd: npm run check:prettier
+        # - shellcheck osConfig/mac/updateMac.sh
+        # - shellcheck osConfig/mac/setupMac.sh
+        # - shellcheck osConfig/mac/configureMacSettings.sh
+        ignore_error: true
+    silent: true
+  fix:
+    cmds:
+      - npm run fix
+    silent: true
   security:
+    cmds:
+      - task: secrets
+      - task: sast
+    ignore_error: true
+    silent: true
+  secrets:
     cmds:
       - ./check_for_pattern.sh . "*secret*"
       - whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL .
-      - task: snyk
     silent: true
-  snyk:
+  sast:
+    cmds:
+      - task: sast-dependencies
+      - task: sast-code
+    silent: true
+  sast-dependencies:
+    cmds:
+      - snyk test --all-projects
+    silent: true
+  sast-code:
     cmds:
-      - snyk test --file=requirements.txt
-      - snyk test --file=package.json
+      - snyk code test
     silent: true
   ghReleaseInit:
     cmds:

template/test/whisperConfig.yml

@@ -1,6 +1,6 @@
 include:
   files:
-    - "**/*"
+    - '**/*'
 
 exclude:
   files: