ci: update pipelines #190

Merged
james-d-elliott merged 2 commits into master from ci-updates on Aug 23, 2025

james-d-elliott (Member) commented Aug 23, 2025

Summary by CodeRabbit

  • Chores
    • Updated security and dependency workflows for improved reliability and consistency.
    • Enabled automatic merging of trusted Dependabot updates.
    • Streamlined CI build and test steps with clearer separation and naming.
    • Introduced coverage reporting via Codecov in CI.
    • Minor Go version directive normalization (no functional impact).

@james-d-elliott james-d-elliott requested a review from a team as a code owner August 23, 2025 01:48
coderabbitai bot commented Aug 23, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Updates multiple GitHub Actions workflows (CodeQL, Dependency Review, Go CI, Scorecards), adds a new Dependabot automerge workflow, introduces a coverage job to Go CI, standardizes quoting/naming, and tweaks the Go version directive in go.mod from 1.23 to 1.23.0. No source code or public API changes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CodeQL workflow update: `.github/workflows/codeql.yml` | Bumps github/codeql-action (init/autobuild/analyze) to commit 3c3833e… (v3.29.5), renames Autobuild to Build, and standardizes step names/quoting and matrix formatting. |
| Dependabot automerge workflow (new): `.github/workflows/dependabot.yml` | Adds workflow to auto-merge PRs from dependabot[bot] in go-crypt/crypt using gh CLI; includes harden-runner and fetch-metadata steps with write permissions. |
| Dependency Review normalization: `.github/workflows/dependency-review.yml` | Switches trigger to mapping form, quotes permissions/run-on, adds explicit job name, and quotes step names/values; behavior unchanged. |
| Go CI restructure + coverage: `.github/workflows/go.yml` | Adds Cover job (Go 1.25) with tests and Codecov upload; refactors Build job to explicit Build/Test steps, removes legacy dep bootstrap, and standardizes quoting/naming. |
| Scorecards workflow normalization: `.github/workflows/scorecards.yml` | Renames workflow/job, switches to quoted values, adds explicit branch_protection_rule mapping, updates step names/params, and quotes SARIF config. |
| Go module metadata: `go.mod` | Changes go directive from 1.23 to 1.23.0; toolchain remains go1.25.0. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  participant GH as GitHub
  participant WF as Dependabot Workflow
  participant HR as step-security/harden-runner
  participant FM as dependabot/fetch-metadata
  participant GHCLI as gh CLI
  Note over GH,WF: Dependabot PR opened/updated
  GH->>WF: trigger on pull_request (author: dependabot[bot])
  WF->>HR: Harden Runner (egress-policy='audit')
  WF->>FM: Fetch PR metadata
  WF->>GHCLI: gh pr merge --auto --squash $PR_URL
  GHCLI-->>GH: Enable auto-merge
  Note right of GHCLI: Requires GITHUB_TOKEN
```
```mermaid
sequenceDiagram
  autonumber
  participant GH as GitHub
  participant CI as Go CI Workflow
  participant HR as Harden Runner
  participant GO as Setup Go
  participant T as go test
  participant B as go build
  participant CC as Codecov

  Note over GH,CI: Push/PR to master triggers CI
  GH->>CI: start jobs
  rect rgba(200,230,255,0.25)
    note over CI: Build and Test job
    CI->>HR: Harden Runner
    CI->>GO: Setup matrix Go version
    CI->>B: go build -v ./...
    CI->>T: go test -v ./...
  end
  rect rgba(220,255,220,0.25)
    note over CI: Coverage job (new)
    CI->>HR: Harden Runner
    CI->>GO: Setup Go 1.25
    CI->>T: go test -coverprofile=coverage.out
    CI->>CC: Upload coverage (CODECOV_TOKEN)
  end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I thump my paws on YAML trails,
New jobs hop in with tidy details.
CodeQL sniffs, Scorecards sing,
Dependabot gets merging bling.
Coverage grows—carrots of green—
Go 1.23.0, crisp and clean.
Hippity dev, the pipelines preen! 🥕🚀

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.2.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/product/migration-guide for migration instructions

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 494aaed and b5725a1.

📒 Files selected for processing (6)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/dependabot.yml (1 hunks)
  • .github/workflows/dependency-review.yml (1 hunks)
  • .github/workflows/go.yml (2 hunks)
  • .github/workflows/scorecards.yml (1 hunks)
  • go.mod (1 hunks)

codecov bot commented Aug 23, 2025

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@james-d-elliott james-d-elliott merged commit d348998 into master Aug 23, 2025
11 checks passed
@james-d-elliott james-d-elliott deleted the ci-updates branch August 23, 2025 01:51
@coderabbitai coderabbitai bot mentioned this pull request Feb 14, 2026