Update documentation

.copier-answers.yml

@@ -1,6 +1,6 @@
 # WARNING: Do not edit this file manually.
 # Any changes will be overwritten by Copier.
-_commit: v0.5.0-11-g88c9a0e
+_commit: v0.7.0
 _src_path: gh:easyscience/templates
 lib_docs_url: https://easyscience.github.io/utils
 lib_doi: 10.5281/zenodo.18163581

.github/workflows/docs.yml

@@ -14,16 +14,16 @@
 name: Docs build and deployment
 
 on:
-  # Trigger the workflow on pull request
-  pull_request:
-    # Selected branches
-    branches: [master, main, develop]
   # Trigger the workflow on push
   push:
     # Selected branches
-    branches: [master, main, develop]
+    branches: [develop] # master and main are already verified in PR
     # Runs on creating a new tag starting with 'v', e.g. 'v1.0.3'
     tags: ['v*']
+  # Trigger the workflow on pull request
+  pull_request:
+    # Selected branches
+    branches: [master, main, develop]
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 

.github/workflows/quality.yml

@@ -10,8 +10,7 @@ name: Code quality checks
 on:
   # Trigger the workflow on push
   push:
-    # Every branch
-    branches: ['**']
+    branches-ignore: [master, main] # Already verified in PR
     # Do not run this workflow on creating a new tag starting with
     # 'v', e.g. 'v1.0.3' (see publish-pypi.yml)
     tags-ignore: ['v*']

.github/workflows/security.yml

@@ -1,40 +1,93 @@
-# Integrates a collection of open source static analysis tools with
-# GitHub code scanning.
-# https://github.com/github/ossar-action
+# Code scanning (CodeQL) for vulnerabilities and insecure coding patterns.
+#
+# What this workflow does
+# - Runs GitHub CodeQL analysis and uploads results to your repository's Security tab.
+# - Triggers on PRs (so findings appear as PR checks) and on pushes to `develop`.
+# - Runs on a weekly schedule.
+#
+# Where to find results on GitHub
+# - Repository → Security → Code scanning alerts
+#   (You can filter by tool = CodeQL and by branch.)
+#
+# Where to configure on GitHub
+# - Repository → Settings → Advanced Security
+#   Enable "GitHub Advanced Security" (if available) and configure CodeQL there.
+# - Repository → Security → Code scanning alerts
+#   This page shows findings produced by this workflow.
+#
+# Notes about the scheduled run
+# - Scheduled workflows are triggered from the repository's *default branch*.
+#   If your default branch is `master` but you want the scheduled scan to analyze
+#   `develop`, this workflow checks out `develop` explicitly for scheduled runs.
+#
+# References
+# - CodeQL Action: https://github.com/github/codeql-action
+# - Advanced setup docs: https://docs.github.com/en/code-security/code-scanning
 
-name: Security scans
+name: Security scans with CodeQL
 
 on:
-  # Trigger the workflow on pull request
+  # Run on pull requests so results show up as PR checks and code
+  # scanning alerts.
   pull_request:
+    branches: [master, main, develop]
 
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
+  # Run on pushes (e.g., after merging PRs).
+  push:
+    branches: [master, main, develop]
+
+  # Run weekly. (Cron is in UTC.)
+  schedule:
+    - cron: '0 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
 
 jobs:
-  scan-security-ossar:
-    # OSSAR runs on windows-latest.
-    # ubuntu-latest and macos-latest support coming soon
-    runs-on: windows-latest
+  codeql:
+    name: Code scanning
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Keep this list tight to avoid noise and speed up runs.
+        language: [python, actions]
 
     steps:
+      # Scheduled workflows run from the default branch.
+      # We explicitly analyze `develop` on the schedule to keep the scan
+      # focused on the active dev branch.
+      - name: Checkout repository (scheduled → develop)
+        if: ${{ github.event_name == 'schedule' }}
+        uses: actions/checkout@v5
+        with:
+          ref: develop
+
       - name: Checkout repository
+        if: ${{ github.event_name != 'schedule' }}
         uses: actions/checkout@v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
         with:
-          # We must fetch at least the immediate parents so that if this is
-          # a pull request then we can checkout the head.
-          fetch-depth: 2
+          languages: ${{ matrix.language }}
 
-      # If this run was triggered by a pull request event, then checkout
-      # the head of the pull request instead of the merge commit.
-      - run: git checkout HEAD^2
-        if: ${{ github.event_name == 'pull_request' }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
 
-      - name: Run open source static analysis tools
-        uses: github/ossar-action@main
-        id: ossar
+  print-link:
+    name: Print results link
+    runs-on: ubuntu-latest
 
-      - name: Upload results to Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ steps.ossar.outputs.sarifFile }}
+    needs: codeql
+    permissions: {} # no special perms needed just to print links
+
+    steps:
+      - name: Add Code Scanning link to job summary
+        run: |
+          echo "## 🔎 CodeQL Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "View Code Scanning alerts here:" >> $GITHUB_STEP_SUMMARY
+          echo "${{ github.server_url }}/${{ github.repository }}/security/code-scanning" >> $GITHUB_STEP_SUMMARY

.github/workflows/test.yml

@@ -20,8 +20,7 @@ name: Code and package tests
 on:
   # Trigger the workflow on push
   push:
-    # Every branch
-    branches: ['**']
+    branches-ignore: [master, main] # Already verified in PR
     # But do not run this workflow on creating a new tag starting with
     # 'v', e.g. 'v1.0.3' (see publish-pypi.yml)
     tags-ignore: ['v*']

.github/workflows/tutorial-tests.yml

@@ -4,7 +4,7 @@ on:
   # Trigger the workflow on push
   push:
     # Selected branches
-    branches: [master, main, develop]
+    branches: [develop] # master and main are already verified in PR
   # Trigger the workflow on pull request
   pull_request:
     branches: ['**']