improve automations (#57)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

Author: wagoodman

.binny.yaml

@@ -0,0 +1,66 @@
+# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases)
+cooldown: 7d
+tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
+  - name: binny
+    version:
+      want: v0.13.0
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.3
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
+  # used for linting
+  - name: golangci-lint
+    version:
+      want: v2.11.4
+    method: github-release
+    with:
+      repo: golangci/golangci-lint
+
+  # used for organizing imports during static analysis
+  - name: gosimports
+    version:
+      want: v0.3.8
+    method: github-release
+    with:
+      repo: rinchsan/gosimports
+
+  # used during static analysis for license compliance
+  - name: bouncer
+    version:
+      want: v0.4.0
+    method: github-release
+    with:
+      repo: wagoodman/go-bouncer
+
+  # used for showing the changelog at release
+  - name: glow
+    version:
+      want: v2.1.1
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  # used for running all local and CI tasks
+  - name: task
+    version:
+      want: v3.49.1
+    method: github-release
+    with:
+      repo: go-task/task
+
+  # used for creating GitHub releases in CI
+  - name: gh
+    version:
+      want: v2.89.0
+    method: github-release
+    with:
+      repo: cli/cli

.github/dependabot.yml

@@ -1,22 +1,43 @@
 version: 2
 
 updates:
+
   - package-ecosystem: gomod
     directory: "/"
-    schedule:
-      interval: "daily"
     cooldown:
       default-days: 7
+    schedule:
+      interval: "weekly"
+      day: "friday"
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    groups:
+      go-minor-patch:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
   - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
+    directories:
+      - "/"
+      - "/.github/actions/*"
     cooldown:
       default-days: 7
+    schedule:
+      interval: "weekly"
+      day: "friday"
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    groups:
+      actions-minor-patch:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"

.github/scripts/go-mod-tidy-check.sh

@@ -0,0 +1,57 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '38 11 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+
+          - language: go
+            build-mode: manual
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Build (Go)
+        if: matrix.build-mode == 'manual'
+        shell: bash
+        run: go build ./...
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/codeql.yaml

@@ -0,0 +1,45 @@
+name: "Release"
+
+permissions:
+  contents: read
+  checks: read
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: tag the latest commit on main with the given version (prefixed with v)
+        required: true
+
+jobs:
+
+  version-available:
+    uses: anchore/workflows/.github/workflows/check-version-available.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
+    with:
+      version: ${{ github.event.inputs.version }}
+
+  check-gate:
+    uses: anchore/workflows/.github/workflows/check-gate.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
+    with:
+      checks: '["Static analysis", "Unit tests"]'
+
+  release:
+    needs: [check-gate, version-available]
+    environment: release
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      # setup checkout, go, go-make, binny, and cache go modules
+      - uses: anchore/go-make/.github/actions/setup@1747ccaf5ab9a24fc6beaff2c4665007fe656462 # dev branch!
+
+      - name: Create release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+          RELEASE_VERSION: ${{ github.event.inputs.version }}
+        run: make ci-release

.github/workflows/release.yaml

@@ -28,6 +28,5 @@ jobs:
       - name: "Run zizmor"
         uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
         with:
-          # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
           advanced-security: true
           inputs: .github

.github/workflows/validate-github-actions.yaml

@@ -9,82 +9,26 @@ on:
 permissions:
   contents: read
 
-env:
-  GO_VERSION: "1.24.x"
-  GO_CACHE_KEY: efa04b89c1b1
-
 jobs:
 
   Static-Analysis:
+    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Static analysis"
     runs-on: ubuntu-24.04
-    permissions:
-      contents: read
     steps:
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Restore tool cache
-        id: tool-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
-        with:
-          path: ${{ github.workspace }}/.tmp
-          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
-
-      - name: Restore go cache
-        id: go-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
-        with:
-          path: ~/go/pkg/mod
-          key:  ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-             ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-
-
-      - name: (cache-miss) Bootstrap all project dependencies
-        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
-        run: make bootstrap
+      # setup checkout, go, go-make, binny, and cache go modules
+      - uses: anchore/go-make/.github/actions/setup@1747ccaf5ab9a24fc6beaff2c4665007fe656462 # dev branch!
 
       - name: Run static analysis
         run: make static-analysis
 
   Unit-Test:
+    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Unit tests"
     runs-on: ubuntu-24.04
-    permissions:
-      contents: read
     steps:
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Restore tool cache
-        id: tool-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
-        with:
-          path: ${{ github.workspace }}/.tmp
-          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
-
-      - name: Restore go cache
-        id: go-cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
-        with:
-          path: ~/go/pkg/mod
-          key:  ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-             ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-
-
-      - name: (cache-miss) Bootstrap all project dependencies
-        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
-        run: make bootstrap
+      # setup checkout, go, go-make, binny, and cache go modules
+      - uses: anchore/go-make/.github/actions/setup@1747ccaf5ab9a24fc6beaff2c4665007fe656462 # dev branch!
 
       - name: Run unit tests
         run: make unit

.github/workflows/validations.yaml

@@ -1,14 +1,23 @@
+# IDE
+.server/
+.vscode/
+.history/
+.idea/
+
+# local development
 go.work
 go.work.sum
+/specs
+mise.toml
 
-/example
+# releases
 CHANGELOG.md
+VERSION
 /test/results
 /dist
 /snapshot
-.server/
-.vscode/
-.history/
+
+# assets
 *.fingerprint
 *.tar
 *.jar
@@ -17,10 +26,10 @@ CHANGELOG.md
 *.jpi
 *.hpi
 *.zip
-.idea/
 *.log
 .images
 .tmp/
+.tool/
 coverage.txt
 bin/
 
@@ -40,4 +49,5 @@ bin/
 # macOS Finder metadata
 .DS_STORE
 
-*.profile
+*.profile
+