attune-io · SebTardif · May 27, 2026 · May 27, 2026
@@ -36,6 +36,16 @@ updates:
         patterns:
           - "*"
 
+  - package-ecosystem: pip
+    directory: /docs
+    schedule:
+      interval: monthly
+    labels:
+      - dependencies
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "chore(deps)"
+
   - package-ecosystem: docker
     directory: /
     schedule:

@@ -0,0 +1,23 @@
+name: Release Please
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    name: Release Please
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+      - uses: googleapis/release-please-action@8b8fd2cc23b2e18957157a9d923d75aa0c6f6ad5 # v4
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
@@ -100,6 +100,13 @@ jobs:
           cosign sign --yes \
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
 
+      - name: Attest container image
+        uses: actions/attest-build-provenance@96b4a1ef7235a096b17240c259729fdd70c83d45 # v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
+
       - name: Generate SBOM
         uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
         with:

@@ -0,0 +1,3 @@
+{
+  ".": "0.1.0"
+}
@@ -240,6 +240,38 @@ and open a backport PR targeting that release branch.
 If the cherry-pick has conflicts, the backport PR is created with conflict
 markers for manual resolution.
 
+## Go Module Layout and Dependabot
+
+The project uses a **single-module layout** with one `go.mod` at the repo
+root. All packages (`api/`, `cmd/`, `internal/`, `pkg/`, `test/`) are part
+of the same module.
+
+Dependabot is configured for four ecosystems:
+
+| Ecosystem | Directory | Interval | Notes |
+|-----------|-----------|----------|-------|
+| `gomod` | `/` | weekly | K8s deps grouped separately |
+| `github-actions` | `/` | weekly | All actions grouped |
+| `pip` | `/docs` | monthly | MkDocs site dependencies |
+| `docker` | `/` | weekly | Base image updates |
+
+**If you add a new `go.mod`** (e.g., `tools/go.mod` for build tooling):
+
+1. Add a corresponding entry in `.github/dependabot.yml`
+2. Create a `go.work` file at the repo root:
+   ```
+   go 1.26
+   use (
+       .
+       ./tools
+   )
+   ```
+3. Add `go.work` and `go.work.sum` to version control
+4. Update `make verify` to run `go mod tidy` in the new module directory
+
+Currently there is no `go.work` file because the single-module layout does
+not require one.
+
 ## Code of Conduct
 
 This project follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
@@ -0,0 +1,11 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "release-type": "go",
+      "changelog-path": "CHANGELOG.md",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true
+    }
+  }
+}