Add CodeQL scanning for Actions, Dependabot updates for go.mod (#26)

Also, this removes `go.work` files because:

1. Dependabot does not support updating this.
2. This file is not recommended to be checked into version control.

Author: bioball

.github/PklProject

@@ -18,9 +18,9 @@ amends "pkl:Project"
 
 dependencies {
   ["pkl.impl.ghactions"] {
-    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0"
+    uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.1"
   }
   ["com.github.actions"] {
-    uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.0"
+    uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.6.0"
   }
 }

.github/PklProject.deps.json

@@ -3,16 +3,16 @@
   "resolvedDependencies": {
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.1",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.6.0",
       "checksums": {
-        "sha256": "fd515da685ea126678c3ec684e84a4f992d43481cc1d75cb866cd55775f675f9"
+        "sha256": "10e27d63df4a4520d8a9375962406ca5ffe74f396bd3cb1c19b1f8358505010a"
       }
     },
     "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.5.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.7.1",
       "checksums": {
-        "sha256": "2c1e0d9efcd65b3c3207bf535c325ebc0ec2ab169187b324c4bb70821cac0e51"
+        "sha256": "93cdf1bdd3e7f6c1c83f49791b8c02fbee9ac2e721d299cad6c15d142fd5d762"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.experimental.deepToTyped@1": {
@@ -24,16 +24,16 @@
     },
     "package://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.0.3",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/pkl.github.dependabotManagedActions@1.1.3",
       "checksums": {
-        "sha256": "d368900942efb88ed51a98f9614748b06c74ba43423f045fcd6dedb5dbdc0bea"
+        "sha256": "521feb6f5ff12075ebad0758799fe7ec2675d231a0e0f5456694c8d4822a8171"
       }
     },
     "package://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1": {
       "type": "remote",
-      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.0",
+      "uri": "projectpackage://pkg.pkl-lang.org/pkl-pantry/com.github.dependabot@1.0.4",
       "checksums": {
-        "sha256": "02ef6f25bfca5b1d095db73ea15de79d2d2c6832ebcab61e6aba90554382abcb"
+        "sha256": "c7391119f946d7761d0ca0cc358ed8fe2bdfc691411087ccac89637bd96fec4a"
       }
     }
   }

.github/dependabot.yml

@@ -1,6 +1,18 @@
 version: 2
 updates:
+- package-ecosystem: gomod
+  cooldown:
+    default-days: 7
+    exclude:
+    - github.com/apple/pkl-go
+  directories:
+  - /buildtimeeval
+  - /simple
+  schedule:
+    interval: weekly
 - package-ecosystem: github-actions
+  cooldown:
+    default-days: 7
   directory: /
   ignore:
   - dependency-name: '*'

.github/index.pkl

@@ -31,22 +31,23 @@ local test: Workflow = new {
           with {
             `go-version` = "1.26"
             `check-latest` = true
-            `cache-dependency-path` = "go.work.sum"
           }
         }
         new SetupPkl { version = "0.31.0" }.step
         new {
           name = "go generate"
           run =
+            // language=bash
             """
-            go list -f '{{.Dir}}/...' -m | xargs go generate
+            find . -name 'go.mod' -execdir go generate ./... \\;
             """
         }
         new {
           name = "go test"
           run =
+            // language=bash
             """
-            go list -f '{{.Dir}}/...' -m | xargs go test
+            find . -name 'go.mod' -execdir go test ./... \\;
             """
         }
         new {
@@ -67,3 +68,24 @@ prb = test
 build = test
 
 main = test
+
+dependabot {
+  updates {
+    new {
+      `package-ecosystem` = "gomod"
+      directories {
+        "/buildtimeeval"
+        "/simple"
+      }
+      cooldown {
+        `default-days` = 7
+        exclude {
+          "github.com/apple/pkl-go"
+        }
+      }
+      schedule {
+        interval = "weekly"
+      }
+    }
+  }
+}

.github/workflows/__lockfile__.yml

@@ -22,3 +22,7 @@ jobs:
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
     - name: actions/upload-artifact@v5
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+    - name: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+    - name: github/codeql-action/init@v4
+      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4

.github/workflows/build.yml

@@ -24,7 +24,6 @@ jobs:
       with:
         go-version: '1.26'
         check-latest: true
-        cache-dependency-path: go.work.sum
     - name: Setup Pkl
       id: setup-pkl
       env:
@@ -40,9 +39,9 @@ jobs:
         echo "$DIR" >> "$GITHUB_PATH"
         echo "pkl_exec=$PKL_EXEC" >> "$GITHUB_OUTPUT"
     - name: go generate
-      run: go list -f '{{.Dir}}/...' -m | xargs go generate
+      run: find . -name 'go.mod' -execdir go generate ./... \;
     - name: go test
-      run: go list -f '{{.Dir}}/...' -m | xargs go test
+      run: find . -name 'go.mod' -execdir go test ./... \;
     - name: pkl format
       run: pkl format --diff-name-only .
   hawkeye-check:

.github/workflows/codeql.yml

@@ -0,0 +1,28 @@
+# Generated from Workflow.pkl. DO NOT EDIT.
+'on':
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+  schedule:
+  - cron: 29 17 * * 4
+jobs:
+  analyze-actions:
+    name: Analyze (actions)
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
+    - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+      with:
+        languages: actions
+        build-mode: none
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+      with:
+        category: /language:actions

.github/workflows/main.yml

@@ -22,7 +22,6 @@ jobs:
       with:
         go-version: '1.26'
         check-latest: true
-        cache-dependency-path: go.work.sum
     - name: Setup Pkl
       id: setup-pkl
       env:
@@ -38,9 +37,9 @@ jobs:
         echo "$DIR" >> "$GITHUB_PATH"
         echo "pkl_exec=$PKL_EXEC" >> "$GITHUB_OUTPUT"
     - name: go generate
-      run: go list -f '{{.Dir}}/...' -m | xargs go generate
+      run: find . -name 'go.mod' -execdir go generate ./... \;
     - name: go test
-      run: go list -f '{{.Dir}}/...' -m | xargs go test
+      run: find . -name 'go.mod' -execdir go test ./... \;
     - name: pkl format
       run: pkl format --diff-name-only .
   hawkeye-check:

.github/workflows/prb.yml

@@ -18,7 +18,6 @@ jobs:
       with:
         go-version: '1.26'
         check-latest: true
-        cache-dependency-path: go.work.sum
     - name: Setup Pkl
       id: setup-pkl
       env:
@@ -34,9 +33,9 @@ jobs:
         echo "$DIR" >> "$GITHUB_PATH"
         echo "pkl_exec=$PKL_EXEC" >> "$GITHUB_OUTPUT"
     - name: go generate
-      run: go list -f '{{.Dir}}/...' -m | xargs go generate
+      run: find . -name 'go.mod' -execdir go generate ./... \;
     - name: go test
-      run: go list -f '{{.Dir}}/...' -m | xargs go test
+      run: find . -name 'go.mod' -execdir go test ./... \;
     - name: pkl format
       run: pkl format --diff-name-only .
   hawkeye-check:

.gitignore

@@ -2,4 +2,8 @@
 .DS_Store
 .pkl-lsp/
 
-*.msgpack
+*.msgpack
+
+# go.work files aren't meant to be checked into version control.
+go.work
+go.work.sum