anchore
diff --git a/‎.binny.yaml‎
Lines changed: 7 additions & 0 deletions b/‎.binny.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.chronicle.yaml‎
Lines changed: 5 additions & 0 deletions b/‎.chronicle.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/actions/bootstrap/action.yaml‎
Lines changed: 0 additions & 35 deletions b/‎.github/actions/bootstrap/action.yaml‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 41 additions & 16 deletions b/‎.github/dependabot.yml‎
Lines changed: 41 additions & 16 deletions
diff --git a/‎.github/workflows/codeql.yaml‎
Lines changed: 82 additions & 0 deletions b/‎.github/workflows/codeql.yaml‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 55 additions & 0 deletions b/‎.github/workflows/release.yaml‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎.github/workflows/validations.yaml‎
Lines changed: 7 additions & 19 deletions b/‎.github/workflows/validations.yaml‎
Lines changed: 7 additions & 19 deletions
diff --git a/‎.github/zizmor.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/zizmor.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.gitignore‎
Lines changed: 18 additions & 6 deletions b/‎.gitignore‎
Lines changed: 18 additions & 6 deletions
@@ -0,0 +1,7 @@
+# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
+cooldown: 7d
+
+# other binary versions inherited from .binny.yaml file in the anchore/go-make repo (version pinned in .make).
+# If you need to override a tool version, please do so by adding an entry here and go-make will
+# account for the local definition over the go-make shared definitions.
+tools: []
@@ -0,0 +1,5 @@
+# no matter the change, stay v0 for now
+enforce-v0: true
+
+# since github release pages already have titles that are the tag, we don't need to repeat that in the changelog
+title: ""
@@ -1,31 +1,56 @@
+# Dependabot configuration
+#
+# Grouping behavior (see inline comments for details):
+#   - Minor + patch updates: grouped into a single PR per ecosystem
+#   - Major version bumps: individual PR per dependency
+#   - Security updates: individual PR per dependency
+#
+# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
+# Security updates are identified separately via GitHub's Advisory Database and
+# can be any version bump (patch, minor, or major) that fixes a known CVE.
+
 version: 2
+
 updates:
+
   - package-ecosystem: gomod
-    directory: "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
-    labels:
-      - "dependencies"
+    directories:
+      - "/"
+      - "/.make"
     cooldown:
       default-days: 7
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "friday"
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
-    cooldown:
-      default-days: 7
+    groups:
+      go-minor-patch:
+        applies-to: version-updates  # security updates get individual PRs
+        patterns:
+          - "*"
+        update-types:  # major omitted, gets individual PRs
+          - "minor"
+          - "patch"
 
   - package-ecosystem: "github-actions"
-    directory: "/.github/actions/bootstrap"
+    directories:
+      - "/"
+      - "/.github/actions/*"
+    cooldown:
+      default-days: 7
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "friday"
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
-    cooldown:
-      default-days: 7
+    groups:
+      actions-minor-patch:
+        applies-to: version-updates  # security updates get individual PRs
+        patterns:
+          - "*"
+        update-types:  # major omitted, gets individual PRs
+          - "minor"
+          - "patch"
@@ -0,0 +1,82 @@
+# CodeQL scans for security vulnerabilities and coding errors across all
+# languages in this repo. Results appear in the "Security" tab under
+# "Code scanning alerts" and are enforced by branch protection rules.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  # Weekly scheduled scan catches newly disclosed vulnerabilities in
+  # existing code, not just changes introduced by PRs.
+  schedule:
+    - cron: '38 11 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      # Required to upload SARIF results to the "Security" tab.
+      security-events: write
+      # Required to fetch internal or private CodeQL packs.
+      packages: read
+      # Only required for workflows in private repositories.
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # GitHub Actions workflow linting — no build needed.
+          - language: actions
+            build-mode: none
+
+          # Go uses "manual" build mode so we control exactly what gets
+          # compiled. The default "autobuild" finds the Makefile and runs
+          # the full CI pipeline (lint, test, snapshot release, etc.),
+          # which is far more work than CodeQL needs. All it requires is
+          # compiled Go source so it can build a type-resolved code graph
+          # for analysis.
+          - language: go
+            build-mode: manual
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+        with:
+          persist-credentials: false
+
+      # Pin the Go toolchain to whatever go.mod declares so CodeQL
+      # analyzes with the same version the project actually uses.
+      # Only runs for the Go matrix entry.
+      - name: Setup Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      # Minimal build for Go.
+      # This replaces autobuild, which would have run the entire Makefile
+      # (installing tools, linting, testing, goreleaser snapshot, etc.).
+      - name: Build (Go)
+        if: matrix.build-mode == 'manual'
+        shell: bash
+        run: go build ./...
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          # The category tag lets GitHub associate SARIF results with the
+          # correct language when branch protection checks for required
+          # code scanning results.
+          category: "/language:${{matrix.language}}"
@@ -0,0 +1,55 @@
+name: "Release"
+
+permissions:
+  contents: read
+
+# there should never be two releases in progress at the same time
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: tag the latest commit on main with the given version (prefixed with v)
+        required: true
+
+jobs:
+
+  version-available:
+    uses: anchore/workflows/.github/workflows/check-version-available.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
+    with:
+      version: ${{ github.event.inputs.version }}
+
+  check-gate:
+    permissions:
+      checks: read   # required for getting the status of specific check names
+    uses: anchore/workflows/.github/workflows/check-gate.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
+    with:
+      # these are checks that should be run on pull-request and merges to main.
+      # we do NOT want to kick off a release if these have not been verified on main.
+      # Please see the validations.yaml workflow for the names that should be used here.
+      checks: '["Static analysis", "Unit tests"]'
+
+  release:
+    needs: [check-gate, version-available]
+    environment: release  # contains secrets needed for release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write   # needed for creating github release objects
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          fetch-depth: 0  # we need the full history to reason about changelogs and tags
+          persist-credentials: true  # needed for pushing a tag
+
+      # setup checkout, go, go-make, binny, and cache go modules
+      - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0
+
+      - name: Create release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
+        run: make ci-release
@@ -1,46 +1,34 @@
 name: "Validations"
-
 on:
   workflow_dispatch:
-  pull_request:
   push:
     branches:
       - main
+  pull_request:
 
 permissions:
   contents: read
 
 jobs:
 
   Static-Analysis:
+    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Static analysis"
     runs-on: ubuntu-24.04
-    permissions:
-      contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Bootstrap environment
-        uses: ./.github/actions/bootstrap
+      # setup checkout, go, go-make, binny, and cache go modules
+      - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0
 
       - name: Run static analysis
         run: make static-analysis
 
-
   Unit-Test:
+    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Unit tests"
     runs-on: ubuntu-24.04
-    permissions:
-      contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Bootstrap environment
-        uses: ./.github/actions/bootstrap
+      # setup checkout, go, go-make, binny, and cache go modules
+      - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0
 
       - name: Run unit tests
         run: make unit
@@ -1,6 +1,6 @@
 rules:
   unpinned-uses:
-    config:
-      policies:
-        # anchore/workflows is an internal repository; using @main is acceptable
-        anchore/*: any
+    ignore:
+      # Allow unpinned uses of trusted internal anchore/workflows actions
+      - oss-project-board-add.yaml
+      - remove-awaiting-response-label.yaml
@@ -1,14 +1,28 @@
+# local development
 go.work
 go.work.sum
+mise.toml
+/specs/
 
-CHANGELOG.md
-VERSION
+# IDEs
+.idea/
+.vscode/
+.history/
+
+# tools and aux data
+.tool
+.tmp
+.task
+
+# release info
+/CHANGELOG.md
+/VERSION
+
+# archives and fixtures
 /test/results
 /dist
 /snapshot
 .server/
-.vscode/
-.history/
 *.fingerprint
 *.tar
 *.jar
@@ -17,7 +31,6 @@ VERSION
 *.jpi
 *.hpi
 *.zip
-.idea/
 *.log
 .images
 .tmp/
@@ -41,4 +54,3 @@ bin/
 .DS_STORE
 
 *.profile
-