
fix(ci): align workflows with shared workflows 1.30.0 boilerplate#16

Merged: bedatty merged 2 commits into develop from ci/refresh-shared-workflows-1.30.0 on May 26, 2026

Conversation


@bedatty bedatty commented May 26, 2026

Lerian

Lib SystemPlane


Description

Aligns the repository .github/ with the LerianStudio shared-workflows convention (pinned @v1.30.0), using lib-commons as the reference. Replaces the bespoke release.yml (inline GPG/app-token/semantic-release/backmerge) and the hand-rolled go-combined-analysis.yml with the shared reusable workflows, and adds the missing standardized pieces (PR validation, PR security scan, routines, labeler/labels mirror).

Repo-specific decisions preserved:

  • Integration tests stay enabled via the shared go-pr-analysis (enable_integration_tests: true, make test-integration LOW_RESOURCE=1) — this repo has real testcontainers (mongo/postgres) coverage that lib-commons does not.
  • AC15 perf gate kept as a custom job (go test -tags=unit -run=^TestPerf_ ./...), same pattern lib-commons uses.
  • enable_docker_scan: false (no Dockerfile); no ignore_file (no .trivyignore).
  • Scopes (pr_title_scopes, labeler, labels) derived from the repo structure: admin, client, debounce, mongodb, postgres, store, systemplanetest, core, plus the standard transversal scopes.

Type of Change

  • ci: CI pipeline or workflow changes

Breaking Changes

None.

Testing

  • Validated by the workflows triggered on this PR (PR Validation, Go Combined Analysis, PR Security Scan).

Test evidence / Actions run: see the Checks tab on this PR.

Architectural Checklist

  • CI pinned to shared workflows @v1.30.0 (backmerge @v1)
  • .github/** excluded from code-analysis paths-ignore, but kept in security scan triggers (supply-chain)
  • PRs enforced to target develop (enforce_source_branches)

Related Issues

Closes #
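A check for the pinning item in the checklist above (shared workflows at @v1.30.0, backmerge allowed on @v1), added here as an example; it is not code from lib-systemplane or from LerianStudio's shared-workflows repository. The repository path `LerianStudio/shared-workflows/.github/workflows` is an assumption, and the workflow texts in `SAMPLE_WORKFLOWS` are constructed for the demo: one file that follows the policy, two that drift.

```python
"""Audit 'uses:' references in GitHub workflow files against a pinning policy.

Added example, not code from lib-systemplane or LerianStudio's shared
workflows. The shared-workflows repository path used below is assumed, and
the workflow texts in SAMPLE_WORKFLOWS are constructed for this demo.
"""
import re
from dataclasses import dataclass

# 'uses: owner/repo/path@ref' at any indentation, with or without a leading
# '- ' list marker; the ref stops at whitespace or an inline '#' comment.
USES_RE = re.compile(r'^[ \t]*(?:-[ \t]*)?uses:[ \t]*["\']?([^"\'#\s]+)', re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_TAG_RE = re.compile(r"^v\d+$")
SEMVER_TAG_RE = re.compile(r"^v\d+(?:\.\d+)+$")


@dataclass(frozen=True)
class Finding:
    file: str
    ref: str
    severity: str  # "error" should block the merge, "warn" is advisory
    reason: str


def check_pins(workflows, shared_owner, expected_tag, allow_major=frozenset()):
    """Return one Finding per 'uses:' reference that violates the policy.

    workflows: mapping of file name -> workflow YAML text.
    shared_owner: GitHub owner whose reusable workflows must sit on expected_tag.
    allow_major: repo paths (without '@ref') allowed to track a major tag such as v1.
    """
    findings = []
    for fname, text in workflows.items():
        for match in USES_RE.finditer(text):
            ref = match.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local workflow or container image: no git ref to pin
            if "@" not in ref:
                findings.append(Finding(fname, ref, "error",
                                        "no ref at all; resolves to the action's default branch"))
                continue
            path, version = ref.rsplit("@", 1)
            if SHA_RE.fullmatch(version):
                continue  # full commit SHA: immutable, acceptable anywhere
            owner = path.split("/", 1)[0]
            if owner == shared_owner:
                if version == expected_tag:
                    continue
                if path in allow_major and MAJOR_TAG_RE.fullmatch(version):
                    continue  # deliberately tracks a major tag (the PR keeps backmerge on @v1)
                findings.append(Finding(fname, ref, "error",
                                        f"shared workflow must be pinned to {expected_tag} or a SHA, found '{version}'"))
            elif SEMVER_TAG_RE.fullmatch(version) or MAJOR_TAG_RE.fullmatch(version):
                findings.append(Finding(fname, ref, "warn",
                                        "third-party action on a mutable tag; prefer a commit SHA"))
            else:
                findings.append(Finding(fname, ref, "error",
                                        f"third-party action on floating ref '{version}'"))
    return findings


SHARED = "LerianStudio/shared-workflows/.github/workflows"  # assumed path

# Constructed sample: one file that matches the PR's stated policy, two that drift.
SAMPLE_WORKFLOWS = {
    "go-combined-analysis.yml": f"""
name: Go Combined Analysis
permissions:
  contents: read
jobs:
  go-analysis:
    uses: {SHARED}/go-pr-analysis.yml@v1.30.0
    with:
      enable_integration_tests: true
    secrets: inherit
  perf-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: actions/setup-go@v5
      - run: go test -tags=unit -run=^TestPerf_ ./...
""",
    "release.yml": f"""
jobs:
  release:
    uses: {SHARED}/release.yml@develop
  backmerge:
    uses: {SHARED}/backmerge.yml@v1
  notify:
    steps:
      - uses: some-org/notify-action
""",
    "routine.yml": f"""
jobs:
  routine:
    uses: {SHARED}/routine.yml@v1.29.0
""",
}


def audit_sample():
    """Run the policy the PR describes (@v1.30.0 everywhere, backmerge on @v1)."""
    return check_pins(SAMPLE_WORKFLOWS, "LerianStudio", "v1.30.0",
                      allow_major=frozenset({f"{SHARED}/backmerge.yml"}))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.severity.upper():5} {f.file}: {f.ref} -> {f.reason}")
```

A tag like `v1.30.0` is a mutable ref in the upstream repository; only a 40-character commit SHA is immutable, which is why the check accepts a SHA anywhere and only reports third-party actions on tags as advisory. Point it at the real files under `.github/workflows/` (read each into the mapping) if the pin check should gate merges alongside the PR security scan.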


coderabbitai Bot commented May 26, 2026

Review Change Stack

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR consolidates GitHub Actions workflows and CI/CD configuration by migrating to shared reusable workflows, expanding Dependabot automation rules with scheduling and grouping, introducing comprehensive PR label management and governance (template, validation, labeling rules), and adding new security and routine automation workflows.

Changes

GitHub Actions and CI/CD Consolidation

| Layer | File(s) | Summary |
| --- | --- | --- |
| Dependency and Label Configuration | .github/dependabot.yml, .github/labels.yml, .github/labeler.yml | Dependabot configuration expanded with schedule specificity (day, time, timezone), open-PR limits, and update grouping for gomod and github-actions. Complete label ecosystem added covering scopes, change types, PR sizing, triage/stale controls, and automation labels. PR labeler maps file path changes to labels across admin, client, storage, scripts, CI, docs, tests, and dependency areas. |
| Pull Request Template and Validation | .github/pull_request_template.md, .github/workflows/pr-validation.yml | PR template restructured with sections for description, change type, breaking changes, testing evidence, and architectural checklist. Validation workflow enforces allowed source branches (develop, hotfix/*) and restricts PR title scopes to a fixed allowlist (admin, ci, docs, deps, mongodb, postgres, tests, etc.). |
| Go Analysis Workflow Migration | .github/workflows/go-combined-analysis.yml | Prior standalone jobs (golangci-lint, unit/build, integration, GoSec) consolidated into a single go-analysis job calling the shared workflow at v1.30.0. Trigger simplified with paths-ignore for docs/license, permissions reduced to read-only, and perf-gate job maintained with minimal steps. |
| Pull Request Security Scanning Workflow | .github/workflows/pr-security-scan.yml | New workflow scanning PRs targeting develop and main, ignoring doc/license changes, with Docker and CodeQL explicitly disabled while inheriting secrets from the shared security workflow. |
| Release and Backmerge Workflow Migration | .github/workflows/release.yml | Prior in-repo release validation, semantic versioning, GPG configuration, and backmerge logic replaced with a release job (conditional changelog on main) and a backmerge job (label/rule inputs), both delegating to shared workflows at v1.30.0. |
| Repository Routine Automation Workflow | .github/workflows/routine.yml | New workflow handling repository maintenance tasks via the shared workflow, triggered on schedule (weekly cron), push to main when labels.yml changes, PR close, and manual dispatch with routine selection and dry-run toggle. |

Comment @coderabbitai help to get the list of available commands and usage tips.

@lerian-studio added the labels size/L (PR changes 500–999 lines), ci (Continuous integration pipelines) and docs (Documentation and markdown content) on May 26, 2026

lerian-studio commented May 26, 2026

🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

| Check | Status | Blocking |
| --- | --- | --- |
| Source Branch | ✅ success | yes |
| PR Title | ✅ success | yes |
| PR Description | ✅ success | yes |
| PR Size | ✅ success | no |
| Auto Labels | ✅ success | no |
| PR Metadata | ✅ success | no |

🔍 View workflow run


lerian-studio commented May 26, 2026

📊 Unit Test Coverage Report: app

| Metric | Value |
| --- | --- |
| Overall Coverage | 38.1% ⚠️ BELOW THRESHOLD |
| Threshold | 80% |

Coverage by Package

| Package | Coverage |
| --- | --- |
| github.com/LerianStudio/lib-systemplane/admin | 80.3% |
| github.com/LerianStudio/lib-systemplane/examples/manager | 0.0% |
| github.com/LerianStudio/lib-systemplane/internal/client | 46.2% |
| github.com/LerianStudio/lib-systemplane/internal/debounce | 73.1% |
| github.com/LerianStudio/lib-systemplane/internal/manager | 74.4% |
| github.com/LerianStudio/lib-systemplane/internal/mongodb | 15.7% |
| github.com/LerianStudio/lib-systemplane/internal/postgres | 7.2% |
| github.com/LerianStudio/lib-systemplane/systemplanetest | 0.0% |
| github.com/LerianStudio/lib-systemplane | 0.0% |

Generated by Go PR Analysis workflow

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.


lerian-studio commented May 26, 2026

🔒 Security Scan Results — lib-systemplane

✅ PR Mergeable — no blocking findings

| Stage | Status | Blocking? |
| --- | --- | --- |
| Filesystem Scan | ✅ Clean | |
| Docker Image Scan | ➖ Skipped | |
| Docker Hub Health Score | ➖ Skipped | |
| Pre-release Version Check | ✅ Clean | |

Trivy

Filesystem Scan

✅ No vulnerabilities or secrets found.


Pre-release Version Check

✅ No unstable version pins found.


🔍 View full scan logs

@lerian-studio added the label scripts (Build and tooling scripts) on May 26, 2026
@bedatty bedatty merged commit 781d3d1 into develop May 26, 2026
19 of 22 checks passed
@github-actions github-actions Bot deleted the ci/refresh-shared-workflows-1.30.0 branch May 26, 2026 19:59