chore: add Dependabot configuration and enhance CI workflows

- Introduced a new Dependabot configuration file to automate dependency updates for GitHub Actions, Python packages, Docker images, and Docusaurus site dependencies.
- Updated CI workflows to include additional timeout settings for various jobs, ensuring better resource management during execution.
- Enhanced the Docker publish workflow with image scanning and SBOM generation steps for improved security and compliance.
- Refined the CI workflow to utilize matrix strategies for Python testing across multiple versions, enhancing compatibility checks.

Author: caviri

.github/dependabot.yml

@@ -0,0 +1,107 @@
+version: 2
+
+updates:
+  # GitHub Actions used by workflows in .github/workflows.
+  # Dependabot will update the SHA pin and the trailing `# vX.Y.Z` comment together.
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/Zurich
+    open-pull-requests-limit: 10
+    groups:
+      actions-minor-patch:
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: ci
+      include: scope
+    labels:
+      - dependencies
+      - github-actions
+
+  # Python dependencies declared in pyproject.toml (project + dependency-groups).
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/Zurich
+    open-pull-requests-limit: 10
+    groups:
+      python-minor-patch:
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: deps
+      include: scope
+    labels:
+      - dependencies
+      - python
+
+  # Docker base images used by built artefacts and the devcontainer.
+  # Compose service images (infra/services/**) use docker-compose, handled below.
+  - package-ecosystem: docker
+    directories:
+      - "/tools/images"
+      - "/.devcontainer"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/Zurich
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: deps(docker)
+      include: scope
+    labels:
+      - dependencies
+      - docker
+
+  # Compose-managed images for the local services stack.
+  - package-ecosystem: docker-compose
+    directories:
+      - "/infra/compose"
+      - "/infra/services/oxigraph"
+      - "/infra/services/grimoirelab"
+      - "/infra/services/sparql-proxy"
+      - "/infra/services/neo4j"
+      - "/infra/services/portainer"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/Zurich
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: deps(compose)
+      include: scope
+    labels:
+      - dependencies
+      - docker
+
+  # Docusaurus site dependencies.
+  - package-ecosystem: npm
+    directory: "/docs-site"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: Europe/Zurich
+    open-pull-requests-limit: 5
+    groups:
+      npm-minor-patch:
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: deps(docs)
+      include: scope
+    labels:
+      - dependencies
+      - docs

.github/workflows/ci.yml

@@ -13,6 +13,9 @@ on:
       - "**/*.yml"
       - "**/*.yaml"
       - "**/*.sh"
+      - ".pre-commit-config.yaml"
+      - ".yamllint"
+      - ".markdownlint.jsonc"
   push:
     branches:
       - main
@@ -28,26 +31,34 @@ on:
       - "**/*.yml"
       - "**/*.yaml"
       - "**/*.sh"
+      - ".pre-commit-config.yaml"
+      - ".yamllint"
+      - ".markdownlint.jsonc"
 
 permissions:
   contents: read
   pull-requests: read
 
 concurrency:
-  group: ci-baseline-${{ github.workflow }}-${{ github.ref }}
+  group: ci-baseline-${{ github.ref }}
   cancel-in-progress: true
 
 env:
   # Force JS actions onto Node 24 ahead of the June 2026 GHA default flip.
+  # Several third-party actions still target Node 20; remove this once the
+  # ecosystem fully catches up.
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+  # Pin pre-commit so CI matches what devs run locally. Bump alongside
+  # repo conventions.
+  PRE_COMMIT_VERSION: "4.5.1"
 
 jobs:
   changes:
     name: Detect changed scopes
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     outputs:
       src: ${{ steps.filter.outputs.src }}
-      yaml: ${{ steps.filter.outputs.yaml }}
       markdown: ${{ steps.filter.outputs.markdown }}
       markdown_files: ${{ steps.filter.outputs.markdown_files }}
       shell: ${{ steps.filter.outputs.shell }}
@@ -59,7 +70,7 @@ jobs:
 
       - name: Evaluate changed paths
         id: filter
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@6852f92c20ea7fd3b0c25de3b5112db3a98da050  # v3
         with:
           token: ""
           list-files: csv
@@ -70,10 +81,6 @@ jobs:
               - "pyproject.toml"
               - "uv.lock"
               - ".github/workflows/ci.yml"
-            yaml:
-              - "**/*.yml"
-              - "**/*.yaml"
-              - ".github/workflows/ci.yml"
             markdown:
               - "**/*.md"
             shell:
@@ -83,6 +90,7 @@ jobs:
   pre-commit-quality-gates:
     name: Pre-commit quality gates
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
@@ -91,57 +99,77 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: "3.11"
+          cache: pip
+
+      - name: Cache pre-commit environments
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            pre-commit-${{ runner.os }}-
 
       - name: Install pre-commit
-        run: python -m pip install pre-commit
+        run: python -m pip install "pre-commit==${{ env.PRE_COMMIT_VERSION }}"
 
       - name: Run pre-commit hooks
-        run: pre-commit run --all-files
+        run: pre-commit run --all-files --show-diff-on-failure
 
-  python-lint-and-test:
-    name: Python lint and tests (src)
+  python-tests:
+    name: Python tests (${{ matrix.python-version }})
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     needs: changes
     if: needs.changes.outputs.src == 'true'
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
 
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
-          python-version: "3.11"
+          python-version: ${{ matrix.python-version }}
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
+        with:
+          enable-cache: true
+          cache-dependency-glob: "**/uv.lock"
 
       - name: Install dependencies
-        run: uv sync --group dev --group test
+        run: |
+          uv sync --group dev --group test
+          uv pip install pytest-cov
 
-      - name: Run Ruff
-        run: uv run ruff check src/
+      - name: Run pytest with coverage
+        run: |
+          uv run pytest -q \
+            --cov=src --cov-report=term-missing --cov-report=xml
 
-      - name: Run pytest
-        run: uv run pytest -q
+      - name: Upload coverage XML
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.python-version }}
+          path: coverage.xml
+          if-no-files-found: warn
 
-  yaml-and-markdown-validation:
-    name: YAML and Markdown validation
+  markdown-validation:
+    name: Markdown validation
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     needs: changes
-    if: needs.changes.outputs.yaml == 'true' || needs.changes.outputs.markdown == 'true'
+    if: needs.changes.outputs.markdown == 'true'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
 
-      - name: Lint YAML
-        if: needs.changes.outputs.yaml == 'true'
-        uses: ibiqlik/action-yamllint@v3
-        with:
-          config_file: .yamllint
-
       - name: Lint Markdown
-        if: needs.changes.outputs.markdown == 'true'
-        uses: DavidAnson/markdownlint-cli2-action@v20
+        uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e  # v20
         with:
           config: .markdownlint.jsonc
           globs: ${{ needs.changes.outputs.markdown_files }}
@@ -150,6 +178,7 @@ jobs:
   shell-script-sanity:
     name: Shell script sanity
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     needs: changes
     if: needs.changes.outputs.shell == 'true'
     steps:

.github/workflows/codeql.yml

@@ -0,0 +1,56 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+      - develop
+  schedule:
+    # Weekly scan to catch newly published rules even when the branch is quiet.
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  # Force JS actions onto Node 24 ahead of the June 2026 GHA default flip.
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+          - javascript-typescript
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"