feat: implement repository hygiene and automation infrastructure

[Copilot]

📋 Descrição

O que mudou?

Contribution Framework

• CONTRIBUTING.md (PT-BR): Conventional Commits, branch strategy (main/develop/feature/*/bugfix/*/hotfix/*), review flow
• .github/pull_request_template.md: Structured PR template with impact assessment and testing guidelines

CI/CD Pipeline (.github/workflows/)

• ci.yml: Auto-detects package managers (npm/pip/Go), conditionally runs linters/tests/builds, validates YAML
• markdown-lint.yml: markdownlint-cli2 + link validation (triggers only on *.md changes)
• codeql.yml: Security scanning for JS/Python (PRs + weekly schedule)
• auto-label.yml: Keyword-based PR categorization + size labeling (XS/S/M/L/XL) via GitHub Actions script

Dependency Management

• .github/dependabot.yml: Weekly updates for GitHub Actions, npm, pip, Docker, Go modules
• Conventional Commits format, ignores major versions by default

Documentation

• docs/AUTOMATION.md: Complete workflow reference
• docs/IMPLEMENTATION_SUMMARY.md: Quick-start guide
• Updated README.md with Contributing section

Configuration

• .markdownlint.json, .github/yamllint-config.yml, .github/markdown-link-check-config.json

Por quê?

Enables standardized contribution process, automated quality gates, and dependency security monitoring without manual intervention.

✅ Checklist

• O código segue os padrões do projeto
• Testes foram executados e estão passando
• Documentação foi atualizada (se aplicável)
• Commits seguem o padrão Conventional Commits
• Não há conflitos com a branch base
• Revisão própria do código foi realizada
• Comentários foram adicionados em áreas complexas (se necessário)

🔗 Issue Relacionada

N/A - Infrastructure implementation

🎯 Impacto Esperado

Áreas Afetadas

• Documentação
• Automação/Scripts
• Templates
• CI/CD
• Configuração do Projeto

Impacto de Risco

• Baixo - Mudanças isoladas, sem impacto em funcionalidades existentes

📸 Capturas de Tela (se aplicável)

N/A - Infrastructure and workflow configuration

🧪 Como Testar

1. Open test PR → verify auto-labeling applies (enhancement/bugfix/documentation/refactor + size label)
2. Modify *.md file → confirm markdown-lint workflow triggers
3. Check Security tab → verify CodeQL analysis completes
4. Wait for Dependabot → review weekly dependency PRs (Mondays 09:00 UTC)

Workflow Validation

# YAML syntax validation
python3 -c "import yaml; yaml.safe_load(open('.github/workflows/ci.yml'))"

# Verify permissions are least-privilege
grep -A 3 "permissions:" .github/workflows/*.yml

📝 Notas Adicionais

Least-Privilege Permissions

• CI/Markdown: contents:read, pull-requests:read
• CodeQL: actions:read, contents:read, security-events:write
• Auto-label: contents:read, pull-requests:write, issues:write

Auto-Label Keywords

• enhancement: feat, feature, add, implement, enhance
• bugfix: fix, bug, resolve, correct
• documentation: docs, documentation, readme
• refactor: refactor, cleanup, restructure
• dependencies: dependency, dependabot, upgrade
• ci: ci, workflow, github actions
• security: security, vulnerability, cve

Post-Merge Actions Required

1. Create repository labels matching auto-label workflow expectations
2. Enable Dependabot alerts in repository settings (if not already enabled)

🔍 Revisores Sugeridos

Repository maintainers

Original prompt

Implement repository hygiene and automation features for danielnovais-tech/digital-transform-kit:

1. Contribution Guidelines

• Add a CONTRIBUTING.md (Portuguese is OK) describing:
  • How to open a Pull Request (PR)
  • Commit standards (e.g., Conventional Commits)
  • Review and approval flow
  • Branching rules (e.g., main, develop, feature/*)

2. PR Templates

• Create .github/pull_request_template.md including fields:
  • Description (what changed)
  • Checklist (tests run, documentation updated)
  • Related issue (link)
  • Expected impact (what areas affected)

3. Automated Checks (CI)

• Configure GitHub Actions to run automatically on PRs:
  • Unit tests (if applicable)
  • Linters (e.g., ESLint/Prettier where applicable)
  • Markdown validation/linting for README and docs consistency
  • Build pipeline (if scripts exist)
• Ensure workflows are resilient: if project lacks JS tooling, prefer lightweight checks that still add value (e.g., markdownlint, links, formatting), and conditionally run language-specific steps only when config exists.

4. Code Review Tools

• Integrate one or more:
  • CodeQL for security analysis
  • Dependabot for dependency updates (where package managers are detected)
  • Codecov (optional, only if test coverage tooling exists)
  • SonarCloud optional (requires external setup; include documentation placeholders if not configured)

5. Labels & Workflow

• Define labels for PR categorization: enhancement, bugfix, documentation, refactor.
• Automate label application based on keywords in PR title/body (GitHub Action). Ensure it works without external services.

Acceptance criteria:

• New files added as above.
• GitHub Actions workflows exist under .github/workflows/ and run on pull_request.
• Repository includes Dependabot config under .github/dependabot.yml with sensible defaults.
• Label automation workflow present and documented.
• All configs use correct YAML syntax and least-privilege permissions.

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

This pull request implements a comprehensive repository hygiene and automation infrastructure for the Digital Transform Kit project, establishing standardized contribution processes, automated quality gates, and dependency management without manual intervention.

Changes:

• Added contribution framework with Portuguese guidelines (CONTRIBUTING.md) and structured PR template
• Implemented 4 GitHub Actions workflows for CI/CD, markdown linting, security scanning (CodeQL), and automated PR labeling
• Configured Dependabot for weekly dependency updates across GitHub Actions, npm, pip, Docker, and Go modules
• Created comprehensive documentation (AUTOMATION.md, IMPLEMENTATION_SUMMARY.md) and updated README with contribution guidelines

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
CONTRIBUTING.md	Portuguese contribution guide with Conventional Commits, branch strategy, and review workflow
.github/pull_request_template.md	Structured PR template with checklist, impact assessment, and testing guidelines
.github/workflows/ci.yml	Conditional CI pipeline that auto-detects package managers and runs appropriate linters/tests
.github/workflows/markdown-lint.yml	Markdown quality checks with link validation, triggered only on .md file changes
.github/workflows/codeql.yml	Security scanning for JavaScript and Python with weekly schedule
.github/workflows/auto-label.yml	Keyword-based PR categorization and size labeling using GitHub Actions script
.github/dependabot.yml	Weekly dependency updates for multiple ecosystems with Conventional Commits format
.markdownlint.json	Markdown linting rules configuration with 120-character line limit
.github/yamllint-config.yml	YAML linting rules for workflow validation
.github/markdown-link-check-config.json	Link checking configuration with retry logic for rate limiting
docs/AUTOMATION.md	Complete workflow reference documentation
docs/IMPLEMENTATION_SUMMARY.md	Quick-start guide summarizing implementation
README.md	Updated with Contributing section linking to guidelines and automated checks

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The CodeQL workflow is configured with a hardcoded matrix specifying JavaScript and Python languages, but these languages are described in the documentation as "automatically detected." This is misleading. Additionally, since the repository currently contains no JavaScript or Python files, this workflow will either fail or be skipped on every run, creating noise in the CI results.

Consider either:

1. Removing the language matrix and letting CodeQL auto-detect languages (this will work better as the repository evolves), or
2. Removing the CodeQL workflow until JavaScript or Python code is actually added to the repository, or
3. Adding a conditional check to skip the workflow when no files of these languages exist

[Copilot]

The documentation states that CodeQL "automatically detected" languages for JavaScript and Python, but this is inaccurate. The languages are hardcoded in the workflow matrix configuration, not automatically detected. This should be corrected to accurately reflect that the workflow is explicitly configured to analyze JavaScript and Python code.

Suggested change

	**Languages**: JavaScript, Python (automatically detected)
	**Languages**: JavaScript, Python (configured in the workflow matrix)

[Copilot]

The PR template includes an incomplete placeholder for suggested reviewers on line 71. The line contains only "@" which could cause confusion for contributors filling out the template. This should either be removed, replaced with a more complete example like "@reviewer-username", or include a comment explaining that this line should be deleted if no specific reviewer is needed.

Suggested change

	@
	@reviewer-username

[Copilot]

The Go version is hardcoded to '1.21' which may become outdated over time. Consider using a more flexible version specification like '1.21.x' or '^1.21' to automatically pick up patch updates, or use a matrix strategy to test against multiple Go versions if compatibility across versions is important.

Suggested change

	go-version: '1.21'
	go-version: '1.21.x'

[Copilot]

The commit message configuration for the Docker ecosystem is missing the "prefix-development" field, which is present in the GitHub Actions, npm, and pip configurations. This inconsistency could lead to different commit message formats for Docker dependency updates. For consistency, consider adding "prefix-development: 'chore'" to match the other ecosystem configurations.

[Copilot]

The commit message configuration for the Go modules ecosystem is missing the "prefix-development" field, which is present in the GitHub Actions, npm, and pip configurations. This inconsistency could lead to different commit message formats for Go dependency updates. For consistency, consider adding "prefix-development: 'chore'" to match the other ecosystem configurations.

[Copilot]

There is a discrepancy between the auto-label workflow configuration and its documentation. The workflow includes "update package" as a keyword for the dependencies label, but the documentation in AUTOMATION.md line 119 does not list this keyword. Either the documentation should be updated to include "update package" or the workflow should be updated to match the documented keywords.

Suggested change

	- `dependencies`: dependency, dependencies, dependabot, upgrade
	- `dependencies`: dependency, dependencies, dependabot, upgrade, update package

[Copilot]

The documentation table is incomplete and does not list all keywords used by the auto-label workflow. Missing keywords include:

• enhancement: missing "enhance", "new"
• bugfix: missing "patch", "repair"
• documentation: missing "guide", "comment"
• refactor: missing "optimize", "improve"

The table should be updated to include all keywords that are actually used in the workflow for accurate documentation.

[Copilot]

The keyword list in CONTRIBUTING.md is incomplete compared to the actual auto-label workflow implementation. Missing keywords include:

• enhancement: missing "new"
• bugfix: missing "patch", "repair"
• documentation: missing "guide", "comment"
• refactor: missing "optimize", "improve"

Additionally, the documentation does not mention the special labels that are also automatically applied: dependencies, ci, security, and breaking-change. Contributors should be aware of all available automatic labels and their keywords.

Suggested change

	### Palavras-chave para Labels Automáticos
	- **enhancement**: feat, feature, add, implement, enhance
	- **bugfix**: fix, bug, resolve, correct
	- **documentation**: docs, documentation, readme
	- **refactor**: refactor, cleanup, restructure
	- **`dependencies`**: Atualizações de dependências
	- **`ci`**: Alterações em pipelines, workflows ou automações de CI
	- **`security`**: Correções ou melhorias relacionadas à segurança
	- **`breaking-change`**: Mudanças que quebram compatibilidade com versões anteriores
	### Palavras-chave para Labels Automáticos
	- **enhancement**: feat, feature, add, implement, enhance, new
	- **bugfix**: fix, bug, resolve, correct, patch, repair
	- **documentation**: docs, documentation, readme, guide, comment
	- **refactor**: refactor, cleanup, restructure, optimize, improve
	- **dependencies**: dep, deps, dependency, dependencies, bump
	- **ci**: ci, workflow, pipeline
	- **security**: security, vuln, vulnerability
	- **breaking-change**: breaking change, breaking-change, breaking
	> Observação: a lista acima resume as principais palavras-chave usadas pelo workflow de auto-label. Verifique o arquivo de configuração de workflow para o mapeamento completo e atualizado.