feat: add default github repo files

.github/CODEOWNERS

@@ -1,6 +1,14 @@
-# Users referenced in this file will automatically be requested as reviewers for
-# PRs that modify the given paths
-# See https://help.github.com/articles/about-code-owners/, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+# GitHub CODEOWNERS file
+# Documentation:
+# - https://help.github.com/articles/about-code-owners/
+# - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
-# All code
+# Syntax:
+# pattern    @user-or-team
+# The last matching pattern takes precedence.
+
+###############################
+# Repository Default Owners
+###############################
+# These owners will be the default owners for everything in the repo
 * @ruzickap

.github/renovate.json5

@@ -25,8 +25,10 @@
     enabled: true,
     schedule: ["before 6am on Sunday"],
   },
+  // Package update rules
   packageRules: [
     {
+      description: "Disable auto-merge for major updates",
       matchUpdateTypes: ["major"],
       automerge: false,
     },
@@ -45,6 +47,7 @@
   ],
   prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}",
   rebaseWhen: "behind-base-branch",
+  // Custom version extraction
   regexManagers: [
     {
       extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}",

.github/workflows/codeql-actions.yml

@@ -0,0 +1,40 @@
+name: "CodeQL GitHub Actions"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request:
+    paths:
+      - .github/workflows/*.yml
+  schedule:
+    - cron: 17 10 * * 2
+
+permissions: read-all
+
+jobs:
+  analyze-actions:
+    name: Analyze GitHub Actions
+    runs-on: "ubuntu-latest"
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        with:
+          languages: actions
+          build-mode: none
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: security-extended
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        with:
+          category: "/language:actions"

.github/workflows/mega-linter.yml

@@ -10,34 +10,35 @@ on:
 permissions: read-all
 
 jobs:
+  github-context:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Debug
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+        run: |
+          echo "${GITHUB_CONTEXT}"
+
   mega-linter:
     runs-on: ubuntu-latest
+    if: ${{ (!startsWith(github.ref_name, 'renovate/') && !startsWith(github.ref_name, 'release-please--')) || github.event_name == 'workflow_dispatch' }}
     timeout-minutes: 30
     steps:
       - name: Checkout Code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Restore lychee cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: .lycheecache
-          key: cache-lychee-${{ github.sha }}
-          restore-keys: cache-lychee-
-
       - name: Extract commands from markdown files
         run: |
           set -euxo pipefail
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          brew install mdq
           echo '#!/usr/bin/env bash' > README.sh
-          find . -name '*.md' -print0 | while IFS= read -r -d '' FILE; do
-            # Extract: ```bash ... ```
-            sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh
-            # Extract:   ```bash ... ```
-            sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
-          done
+          readarray -d '' MD_FILES < <(find . -type f -name "*.md" -print0)
+          mdq '```/^bash$|^shell$|^sh$/' --br -o plain "${MD_FILES[@]}" >> README.sh || true
           chmod a+x README.sh
 
       - name: 💡 MegaLinter
-        uses: oxsecurity/megalinter@146333030da68e2e58c6ff826633824fabe01eaf # v8.5.0
+        uses: oxsecurity/megalinter@04cf22b980c2e9c2121553417ed651c944afc8e1 # v8.6.0
         env:
           GITHUB_COMMENT_REPORTER: false
           # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403

.github/workflows/pr-slack-notification.yml

@@ -0,0 +1,163 @@
+name: pr-slack-notification
+
+# Based on: https://github.com/slackapi/slack-github-action/issues/269
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+      - review_requested
+      - closed
+  issue_comment:
+    types:
+      - created
+  pull_request_review:
+    types:
+      - submitted
+
+permissions: read-all
+
+defaults:
+  run:
+    shell: bash -euxo pipefail {0}
+
+jobs:
+  github-context:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Debug
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+        run: |
+          echo "${GITHUB_CONTEXT}"
+
+  pr-slack-notification:
+    runs-on: ubuntu-latest
+    name: Sends a message to Slack when a PR is opened
+    if: (github.event.action == 'opened' && github.event.pull_request.draft == false) || github.event.action == 'ready_for_review'
+    steps:
+      - name: Post PR summary message to slack
+        id: message
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            text: "💡 *${{ github.event.pull_request.user.login }}*: <${{ github.event.repository.html_url }}|${{ github.repository }}> - <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}> (+${{ github.event.pull_request.additions }}, -${{ github.event.pull_request.deletions }})"
+
+      - name: Create file with slack message timestamp
+        env:
+          TS: ${{ steps.message.outputs.ts }}
+        run: |
+          echo "${TS}" > slack-message-timestamp.txt
+
+      - name: Cache slack message timestamp
+        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: slack-message-timestamp.txt
+          key: slack-message-timestamp-${{ github.event.pull_request.html_url }}-${{ steps.message.outputs.ts }}
+
+  slack-emoji-react:
+    runs-on: ubuntu-latest
+    name: Adds emoji reaction to slack message when a PR is closed or reviewed
+    if: ${{ startsWith(github.event.pull_request.html_url, 'https') || startsWith(github.event.issue.pull_request.html_url, 'https') }}
+    steps:
+      # gh commands needs to be executed in the repository
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # https://stackoverflow.com/questions/74640750/github-actions-not-finding-cache
+      # I can not use the cache action in this job because the cache is not shared between runs
+      - name: Save slack timestamp as an environment variable
+        id: slack-timestamp
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url || github.event.issue.pull_request.html_url }}
+        run: |
+          SLACK_TIMESTAMP=$(gh cache list --json key --jq "[.[].key|capture(\"${GITHUB_PULL_REQUEST_HTML_URL}-(?<x>.+)\").x][0]")
+          echo "SLACK_TIMESTAMP=${SLACK_TIMESTAMP}" | tee -a "${GITHUB_ENV}"
+          if [[ "${SLACK_TIMESTAMP}" != '' ]]; then
+            echo "github_event_pull_request_html_url=true" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Decide which emoji to add
+        if: ${{ steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' }}
+        env:
+          GITHUB_EVENT_ACTION: ${{ github.event.action }}
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+          GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }}
+        run: |
+          case "${GITHUB_EVENT_ACTION}" in
+            created)
+              if [[ "${GITHUB_EVENT_NAME}" == 'issue_comment' ]]; then
+                echo "EMOJI=speech_balloon" >> "${GITHUB_ENV}" # 💬
+              fi
+              ;;
+            submitted)
+              case "${GITHUB_EVENT_REVIEW_STATE}" in
+                changes_requested)
+                  echo "EMOJI=repeat" >> "${GITHUB_ENV}" # 🔁
+                  ;;
+                approved)
+                  echo "EMOJI=ok" >> "${GITHUB_ENV}" # 🆗
+                  ;;
+                commented)
+                  echo "EMOJI=speech_balloon" >> "${GITHUB_ENV}" # 💬
+                  ;;
+              esac
+              ;;
+            review_requested)
+              echo "EMOJI=eyes" >> "${GITHUB_ENV}" # 👀
+              ;;
+            *)
+              echo "EMOJI=false" >> "${GITHUB_ENV}"
+              ;;
+          esac
+
+      - name: React to PR summary message in slack with emoji
+        if: ${{ steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' && env.EMOJI != 'false' }}
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: reactions.add
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            timestamp: "${{ env.SLACK_TIMESTAMP }}"
+            name: ${{ env.EMOJI }}
+
+      - name: Update the original message with status Merged ✅
+        if: ${{ github.event.pull_request.merged && steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' }}
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: chat.update
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            ts: "${{ env.SLACK_TIMESTAMP }}"
+            text: "✅ *${{ github.event.pull_request.user.login }}*: <${{ github.event.repository.html_url }}|${{ github.repository }}> - <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}> (+${{ github.event.pull_request.additions }}, -${{ github.event.pull_request.deletions }})"
+            attachments:
+              - color: "28a745"
+                fields:
+                  - title: "Status"
+                    short: true
+                    value: "Merged ✅"
+
+      - name: Update the original message with status Closed ❎
+        if: ${{ github.event.action == 'closed' && github.event.pull_request.merged == false && steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' }}
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: chat.update
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            ts: "${{ env.SLACK_TIMESTAMP }}"
+            text: "❎ *${{ github.event.pull_request.user.login }}*: <${{ github.event.repository.html_url }}|${{ github.repository }}> - <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}> (+${{ github.event.pull_request.additions }}, -${{ github.event.pull_request.deletions }})"
+            attachments:
+              - color: "fa7015"
+                fields:
+                  - title: "Status"
+                    short: true
+                    value: "Closed ❎"

.github/workflows/release-please.yml

@@ -7,15 +7,16 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: read-all
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         id: app-token
         with:
           app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}

.github/workflows/renovate.yml

@@ -43,6 +43,15 @@ env:
 permissions: read-all
 
 jobs:
+  github-context:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Debug
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+        run: |
+          echo "${GITHUB_CONTEXT}"
+
   renovate:
     runs-on: ubuntu-latest
     concurrency:
@@ -52,13 +61,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         id: app-token
         with:
           app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
           private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}
 
       - name: 💡 Self-hosted Renovate
-        uses: renovatebot/github-action@67a664fc9b4481b33a3eff6ee9edfb7a7b9dfa1e # v41.0.2
+        uses: renovatebot/github-action@19ba43e1bc58ed95c0ba205dee8b1bc0f27b630d # v42.0.0
         with:
           token: ${{ steps.app-token.outputs.token }}