feat: add security-insights.yml for OSPS baseline scanning #75

	on:
	pull_request:
	branches:
	- main

	jobs:
	CI:
	runs-on: ubuntu-latest

	permissions:
	contents: read
	pull-requests: write

	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
	with:
	go-version: stable

	- name: Setup Cue
	run: go install cuelang.org/go/cmd/cue@v0.17.0-0.dev.0.20260320151706-d267795de4d3

	- name: Regenerate types from Gemara spec
	run: \|
	make generate

	- name: Check for uncommitted changes
	run: \|
	if [ -n "$(git status --porcelain)" ]; then
	echo "Error: Generated types are out of sync with the Gemara specification"
	echo "The following files have uncommitted changes:"
	git status --porcelain
	echo ""
	echo "Please run 'make generate' locally and commit the changes."
	exit 1
	else
	echo "Generated types are in sync with the Gemara specification"
	fi

	- name: Vet
	run: \|
	go vet ./...

	- name: Unit tests
	run: \|
	make testcov

	- name: Quality Gate - Test coverage shall be above threshold
	env:
	TESTCOVERAGE_THRESHOLD: 71
	run: \|
	echo "Quality Gate: checking test coverage is above threshold ..."
	echo "Threshold : $TESTCOVERAGE_THRESHOLD %"
	totalCoverage=`go tool cover -func=coverage.out \| grep total \| grep -Eo '[0-9]+\.[0-9]+'`
	echo "Current test coverage : $totalCoverage %"
	if (( $(echo "$totalCoverage $TESTCOVERAGE_THRESHOLD" \| awk '{print ($1 > $2)}') )); then
	echo "OK"
	else
	echo "Current test coverage is below threshold. Please add more unit tests or adjust threshold to a lower value."
	echo "Failed"
	exit 1
	fi

Provide feedback