feat: add gha defaults (#1)

* feat: add gha defaults

* fix: fix README.md and add proper name to pr-slack

Author: ruzickap

.checkov.yml

@@ -0,0 +1,3 @@
+skip-check:
+  # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
+  - CKV_GHA_7

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Users referenced in this file will automatically be requested as reviewers for
+# PRs that modify the given paths
+# See https://help.github.com/articles/about-code-owners/, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# All code
+* @ruzickap

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,22 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "Bug: This is a sample issue title"
+labels: bug
+assignees: ruzickap
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behaviour.
+
+**Expected behaviour**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: GitHub Actions Community Forum
+    url: https://github.com/orgs/community/discussions/
+    about: Please ask questions about GitHub Actions here.
+  - name: GitHub Pages help
+    url: https://help.github.com/en/github/working-with-github-pages
+    about: GitHub Pages documentation here.

.github/ISSUE_TEMPLATE/proposal.md

@@ -0,0 +1,20 @@
+---
+name: Proposal
+about: Suggest an idea for this project
+title: "Proposal: This is a sample title"
+labels: proposal
+assignees: ruzickap
+---
+
+**Is your feature request related to a problem? Please describe**
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/renovate.json5

@@ -0,0 +1,60 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // # keep-sorted start block=yes
+  "git-submodules": {
+    enabled: true,
+  },
+  // Keep the extends started with ":" at the end of the list to allow overriding
+  extends: [
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "security:openssf-scorecard",
+    ":disableDependencyDashboard",
+    ":disableRateLimiting",
+    ":docker",
+    ":enableVulnerabilityAlertsWithLabel(security)",
+    ":pinSkipCi",
+  ],
+  labels: [
+    "renovate",
+    "renovate/{{replace '.*/' '' depName}}",
+    "renovate/{{updateType}}",
+  ],
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["before 6am on Sunday"],
+  },
+  packageRules: [
+    {
+      matchUpdateTypes: ["major"],
+      automerge: false,
+    },
+    {
+      description: "Ignore frequent renovate updates",
+      enabled: false,
+      matchPackageNames: ["renovatebot/github-action"],
+      matchUpdateTypes: ["patch"],
+    },
+    {
+      description: "Update renovatebot/github-action minor updates on Sundays",
+      matchPackageNames: ["renovatebot/github-action"],
+      matchUpdateTypes: ["minor"],
+      schedule: ["* * * * 0"],
+    },
+  ],
+  prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}",
+  rebaseWhen: "behind-base-branch",
+  regexManagers: [
+    {
+      extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}",
+      fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"],
+      matchStrings: [
+        '# renovate: datasource=(?<datasource>.+?) depName=(?<depName>.+?)( versioning=(?<versioning>.+?))?( extractVersion=(?<extractVersion>.+?))?( registryUrl=(?<registryUrl>.+?))?\\s.*[=:]\\s*"?(?<currentValue>.+?)"?\\s',
+      ],
+      versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
+    },
+  ],
+  separateMinorPatch: true,
+  // # keep-sorted end
+}

.github/workflows/codeql-actions.yml

@@ -0,0 +1,40 @@
+name: "CodeQL GitHub Actions"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request:
+    paths:
+      - .github/workflows/*.yml
+  schedule:
+    - cron: 17 10 * * 2
+
+permissions: read-all
+
+jobs:
+  analyze-actions:
+    name: Analyze GitHub Actions
+    runs-on: "ubuntu-latest"
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          languages: actions
+          build-mode: none
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: security-extended
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          category: "/language:actions"

.github/workflows/mega-linter.yml

@@ -0,0 +1,38 @@
+---
+name: mega-linter
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - main
+
+permissions: read-all
+
+jobs:
+  mega-linter:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Extract commands from markdown files
+        run: |
+          set -euxo pipefail
+          echo '#!/usr/bin/env bash' > README.sh
+          find . -name '*.md' -print0 | while IFS= read -r -d '' FILE; do
+            # Extract: ```bash ... ```
+            sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh
+            # Extract:   ```bash ... ```
+            sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
+          done
+          chmod a+x README.sh
+
+      - name: 💡 MegaLinter
+        uses: oxsecurity/megalinter@ec124f7998718d79379a3c5b39f5359952baf21d # v8.4.2
+        env:
+          GITHUB_COMMENT_REPORTER: false
+          # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403
+          GITHUB_STATUS_REPORTER: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-slack-notification.yml

@@ -0,0 +1,139 @@
+name: pr-slack-notification
+
+# Based on: https://github.com/slackapi/slack-github-action/issues/269
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+      - review_requested
+      - closed
+  issue_comment:
+    types:
+      - created
+  pull_request_review:
+    types:
+      - submitted
+
+permissions: read-all
+
+defaults:
+  run:
+    shell: bash -euxo pipefail {0}
+
+jobs:
+  github-context:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Debug
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+        run: |
+          echo "${GITHUB_CONTEXT}"
+
+  pr-slack-notification:
+    runs-on: ubuntu-latest
+    name: Sends a message to Slack when a PR is opened
+    if: (github.event.action == 'opened' && github.event.pull_request.draft == false) || github.event.action == 'ready_for_review'
+    steps:
+      - name: Post PR summary message to slack
+        id: message
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            text: "💡 *${{ github.event.pull_request.user.login }}*: <${{ github.event.repository.html_url }}|${{ github.repository }}> - <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}> (+${{ github.event.pull_request.additions }}, -${{ github.event.pull_request.deletions }})"
+
+      - name: Create file with slack message timestamp
+        run: |
+          echo "${{ steps.message.outputs.ts }}" > slack-message-timestamp.txt
+
+      - name: Cache slack message timestamp
+        uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: slack-message-timestamp.txt
+          key: slack-message-timestamp-${{ github.event.pull_request.html_url }}-${{ steps.message.outputs.ts }}
+
+  slack-emoji-react:
+    runs-on: ubuntu-latest
+    name: Adds emoji reaction to slack message when a PR is closed or reviewed
+    if: ${{ startsWith(github.event.pull_request.html_url, 'https') || startsWith(github.event.issue.pull_request.html_url, 'https') }}
+    steps:
+      # gh commands needs to be executed in the repository
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # https://stackoverflow.com/questions/74640750/github-actions-not-finding-cache
+      # I can not use the cache action in this job because the cache is not shared between runs
+      - name: Save slack timestamp as an environment variable
+        id: slack-timestamp
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          SLACK_TIMESTAMP=$(gh cache list --json key --jq '.[].key|capture("${{ github.event.pull_request.html_url || github.event.issue.pull_request.html_url }}-(?<x>.+)").x')
+          echo "SLACK_TIMESTAMP=${SLACK_TIMESTAMP}" | tee -a "${GITHUB_ENV}"
+          if [[ "${SLACK_TIMESTAMP}" != '' ]]; then
+            echo "github_event_pull_request_html_url=true" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Decide which emoji to add
+        if: ${{ steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' }}
+        run: |
+          case "${{ github.event.action }}" in
+            created)
+              if [[ "${{ github.event_name }}" == 'issue_comment' ]]; then
+                echo "EMOJI=speech_balloon" >> "${GITHUB_ENV}" # 💬
+              fi
+              ;;
+            submitted)
+              case "${{ github.event.review.state }}" in
+                changes_requested)
+                  echo "EMOJI=repeat" >> "${GITHUB_ENV}" # 🔁
+                  ;;
+                approved)
+                  echo "EMOJI=ok" >> "${GITHUB_ENV}" # 🆗
+                  ;;
+                commented)
+                  echo "EMOJI=speech_balloon" >> "${GITHUB_ENV}" # 💬
+                  ;;
+              esac
+              ;;
+            review_requested)
+              echo "EMOJI=eyes" >> "${GITHUB_ENV}" # 👀
+              ;;
+            *)
+              echo "EMOJI=false" >> "${GITHUB_ENV}"
+              ;;
+          esac
+
+      - name: React to PR summary message in slack with emoji
+        if: ${{ steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' && env.EMOJI != 'false' }}
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: reactions.add
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            timestamp: "${{ env.SLACK_TIMESTAMP }}"
+            name: ${{ env.EMOJI }}
+
+      - name: Update the original message with success
+        if: ${{ github.event.pull_request.merged && steps.slack-timestamp.outputs.github_event_pull_request_html_url == 'true' }}
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        with:
+          method: chat.update
+          token: ${{ secrets.MY_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.MY_SLACK_CHANNEL_ID }}
+            ts: "${{ env.SLACK_TIMESTAMP }}"
+            text: "✅ *${{ github.event.pull_request.user.login }}*: <${{ github.event.repository.html_url }}|${{ github.repository }}> - <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} - ${{ github.event.pull_request.title }}> (+${{ github.event.pull_request.additions }}, -${{ github.event.pull_request.deletions }})"
+            attachments:
+              - color: "28a745"
+                fields:
+                  - title: "Status"
+                    short: true
+                    value: "Merged ✅"

.github/workflows/release-please.yml

@@ -0,0 +1,28 @@
+---
+name: release-please
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        id: app-token
+        with:
+          app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
+          private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+        with:
+          release-type: simple
+          token: ${{ steps.app-token.outputs.token }}