chore: sync repository standards (#84)

marcusburghardt · web-flow · commit b5505c3524ee · 2026-05-08T11:40:25.000-04:00
* chore: sync repository standards

Updated files:
- .github/workflows/ci_checks.yml
- .github/workflows/ci_dependencies.yml
- .github/workflows/ci_scheduled.yml
- .github/workflows/ci_security.yml
- .github/workflows/ci_crapload.yml
- .mega-linter.yml
- .yamllint.yml
- commitlint.config.js
- .golangci.yml
- .github/pull_request_template.md
- .github/ISSUE_TEMPLATE/bug_report.md
- .github/ISSUE_TEMPLATE/feature_request.md

* chore: sync repository standards

Updated files:
- .github/workflows/ci_security.yml
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,15 @@
+## Summary
+_Please include a summary of the changes and the context of this PR._
+
+## Related Issues
+_Inform any issues relevant to this PR. For example:_
+
+- _Closes #ISSUE_NUMBER_
+
+## Review Hints
+
+- _Review hints here. Replace this text. Don't use the italics format!_
+
+- _Use this optional section to give any relevant information that could help the reviewer to more quickly and assertively understand and test the changes._
+
+- _Good examples are useful commands, if it is better to review all commits together or in a suggested sequence, any relevant discussion in other PRs or issues, etc._
diff --git a/.github/workflows/ci_checks.yml b/.github/workflows/ci_checks.yml
@@ -0,0 +1,22 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  issues: none
+  pull-requests: none
+
+jobs:
+  call_reusable_ci:
+    name: Standardized CI
+    uses: complytime/org-infra/.github/workflows/reusable_ci.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
+    permissions:
+      contents: read
+      issues: read
diff --git a/.github/workflows/ci_crapload.yml b/.github/workflows/ci_crapload.yml
@@ -0,0 +1,102 @@
+# CRAP Load Check
+# ===============
+# Runs CRAP load analysis on pull requests targeting main.
+# Consumes the reusable workflow from org-infra.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: CRAP Load Check
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  crapload:
+    name: CRAP Load Analysis
+    uses: complytime/org-infra/.github/workflows/reusable_crapload_analysis.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
+    permissions:
+      contents: read
+
+  post-comment:
+    name: Post PR Comment
+    needs: crapload
+    if: ${{ !cancelled() }}
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Download comment body
+        id: download
+        continue-on-error: true
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: crapload-analysis
+          path: artifact
+
+      - name: Post or update PR comment
+        continue-on-error: true
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const fs = require('fs');
+            const marker = '<!-- crapload-analysis-marker -->';
+            const bodyPath = 'artifact/crapload-comment-body.md';
+            const runUrl = [
+              context.serverUrl,
+              context.repo.owner,
+              context.repo.repo,
+              'actions/runs',
+              context.runId,
+            ].join('/');
+            const MAX_COMMENT_LENGTH = 60000;
+
+            let body;
+            if (fs.existsSync(bodyPath)) {
+              body = fs.readFileSync(bodyPath, 'utf8');
+              if (body.length > MAX_COMMENT_LENGTH) {
+                const lastNewline = body.lastIndexOf('\n', MAX_COMMENT_LENGTH);
+                body = body.substring(0, lastNewline > 0 ? lastNewline : MAX_COMMENT_LENGTH);
+                body += '\n\n---\n';
+                body += '> **Note:** This report was truncated due to size.';
+                body += ` [View the full analysis in the Job Summary](${runUrl}).`;
+              }
+            } else {
+              body = [
+                marker,
+                '## &#x274C; CRAP Load Analysis',
+                '',
+                'The CRAP Load analysis could not generate a detailed report.',
+                '',
+                `[View the full analysis in the Job Summary](${runUrl}).`,
+              ].join('\n');
+            }
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+
+            const existing = comments.find(c => c.body.includes(marker));
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              });
+            }
diff --git a/.github/workflows/ci_dependencies.yml b/.github/workflows/ci_dependencies.yml
@@ -0,0 +1,106 @@
+name: Dependencies
+
+# --------------------------------------------------------------------------
+# Orchestrates dependency review for all PRs and dependabot-specific
+# processing: structured PR comments with review data and auto-approval
+# for safe dependency updates (non-major, 24h+ release age, no vulnerabilities).
+# --------------------------------------------------------------------------
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  issues: none
+  pull-requests: none
+
+env:
+  MIN_RELEASE_AGE_HOURS: 24
+
+jobs:
+  call_deps_reviewer:
+    name: General
+    uses: complytime/org-infra/.github/workflows/reusable_deps_reviewer.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
+
+  call_dependabot_reviewer:
+    name: Dependabot
+    uses: complytime/org-infra/.github/workflows/reusable_dependabot_reviewer.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
+
+  comment_on_dependabot_prs:
+    name: Dependabot Comment
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    needs: [call_deps_reviewer, call_dependabot_reviewer]
+    permissions:
+      issues: read
+      pull-requests: write  # Necessary to write a comment
+    steps:
+      - name: Comment from Dependabot Reviewer
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        env:
+          REVIEW_CONCLUSION: ${{ needs.call_deps_reviewer.outputs.review_conclusion }}
+          RISK_LEVEL: ${{ needs.call_dependabot_reviewer.outputs.risk_level }}
+          UPDATES_COUNT: ${{ needs.call_dependabot_reviewer.outputs.updates_count }}
+          DEP_NAME: ${{ needs.call_dependabot_reviewer.outputs.dep_name }}
+          DEP_VERSION: ${{ needs.call_dependabot_reviewer.outputs.dep_version }}
+          RELEASE_AGE_HOURS: ${{ needs.call_dependabot_reviewer.outputs.release_age_hours }}
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            🤖 **Standardized Dependabot Review Summary** 🤖
+
+            This PR was processed by the organization's reusable CI pipeline.
+
+            | Criterion | Status | Detail |
+            |-----------|--------|--------|
+            | **Dependencies Review** | **${{ env.REVIEW_CONCLUSION }}** | [View logs](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) |
+            | **Calculated Risk** | **${{ env.RISK_LEVEL }}** | `${{ env.DEP_NAME }}` v${{ env.DEP_VERSION }} |
+            | **Release Age** | **${{ (env.RELEASE_AGE_HOURS == '-1' || env.RELEASE_AGE_HOURS == '') && 'unknown' || format('{0}h', env.RELEASE_AGE_HOURS) }}** | ${{ (env.RELEASE_AGE_HOURS == '-1' || env.RELEASE_AGE_HOURS == '') && 'Release date unavailable — manual review required' || format('Released {0} hours ago', env.RELEASE_AGE_HOURS) }} |
+            | **Dependency Usage** | ${{ env.UPDATES_COUNT == '0' && 'unavailable' || format('{0} repos', env.UPDATES_COUNT) }} | Informational only — does not affect approval |
+
+            **Auto-approval:** ${{ env.RISK_LEVEL != 'high' && env.REVIEW_CONCLUSION == 'success' && env.RELEASE_AGE_HOURS != '-1' && fromJSON(env.RELEASE_AGE_HOURS) >= fromJSON(env.MIN_RELEASE_AGE_HOURS) && '✅ Approved' || '⏳ Manual review required' }}
+
+            ---
+
+            Maintainer check list:
+            1. Ensure the PR passed all CI tests (required status checks).
+            2. Investigate failures for Major updates or any manual review requirement.
+            3. Don't overlook breaking changes and changelog information.
+            4. If the scorecard value is low, consider to contribute to make it higher. Everybody wins!
+            5. Be diligent. When in doubt, ask another maintainer for additional review.
+
+  approve_dependabot_prs:
+    name: Dependabot Auto-approve
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    needs: [call_deps_reviewer, call_dependabot_reviewer]
+    permissions:
+      pull-requests: write  # Necessary to approve a PR
+    steps:
+      - name: Auto-approve if Confident
+        if: >-
+          needs.call_dependabot_reviewer.outputs.risk_level != 'high' &&
+          needs.call_deps_reviewer.outputs.review_conclusion == 'success' &&
+          needs.call_dependabot_reviewer.outputs.release_age_hours != '-1' &&
+          fromJSON(needs.call_dependabot_reviewer.outputs.release_age_hours) >= fromJSON(env.MIN_RELEASE_AGE_HOURS)
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const risk = '${{ needs.call_dependabot_reviewer.outputs.risk_level }}';
+            const review = '${{ needs.call_deps_reviewer.outputs.review_conclusion }}';
+            const releaseAge = '${{ needs.call_dependabot_reviewer.outputs.release_age_hours }}';
+
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              event: 'APPROVE',
+              body: `Automatically approved: risk=${risk}, review=${review}, release_age=${releaseAge}h.`
+            });
+            console.log(`Dependabot PR approved: risk=${risk}, review=${review}, release_age=${releaseAge}h`);
diff --git a/.github/workflows/ci_scheduled.yml b/.github/workflows/ci_scheduled.yml
@@ -0,0 +1,21 @@
+name: Scheduled Jobs
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+  actions: none
+  id-token: none
+  security-events: none
+
+jobs:
+  call_reusable_scheduled:
+    name: OSV-Scanner and Scorecards
+    permissions:
+      contents: read
+      actions: read           # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117
+      security-events: write  # Require writing security events to upload SARIF file to security tab
+      id-token: write         # Needed to access GitHub's OIDC token which verifies the authenticity of the result when publishing it.
+    uses: complytime/org-infra/.github/workflows/reusable_scheduled.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml
@@ -0,0 +1,36 @@
+name: Security Checks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  actions: none
+  id-token: none
+  security-events: none
+  packages: none
+
+jobs:
+  call_reusable_vuln_scan:
+    name: OSV-Scanner
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    uses: complytime/org-infra/.github/workflows/reusable_vuln_scan.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
+    with:
+      # OSV focuses on known CVEs in dependencies; Trivy adds broader coverage
+      enable_trivy_source: false
+
+  call_reusable_security:
+    name: OpenSSF Scorecards
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    uses: complytime/org-infra/.github/workflows/reusable_security.yml@baf5b2e21e61581b4a3a129795286e8592e6afbb # v0.1.0
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,20 @@
+version: "2"
+run:
+  skip-dirs:
+    - vendor
+linters:
+  default: standard   # https://golangci-lint.run/usage/linters/#enabled-by-default
+  enable:
+    - gosec           # Security checks for Go code
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+formatters:
+  enable:
+    - goimports       # Checks import statements are formatted
+  exclusions:
+    generated: lax
diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -0,0 +1,16 @@
+# https://megalinter.io/latest/supported-linters/
+ADDITIONAL_EXCLUDED_DIRECTORIES:
+  - vendor
+ENABLE_LINTERS:
+  - ACTION_ACTIONLINT
+  - ANSIBLE_ANSIBLE_LINT
+  - BASH_SHELLCHECK
+  - DOCKERFILE_HADOLINT
+  - GO_GOLANGCI_LINT
+  - MARKDOWN_MARKDOWNLINT
+  - PYTHON_RUFF
+  - PROTOBUF_PROTOLINT
+  - REPOSITORY_GITLEAKS
+  - REPOSITORY_KICS
+  - YAML_YAMLLINT
+REPOSITORY_KICS_ARGUMENTS: "--fail-on high"
diff --git a/.yamllint.yml b/.yamllint.yml
diff --git a/commitlint.config.js b/commitlint.config.js
