ci: added workflows

* added codeql scan workflow (on pull request, on push, on weekly
  schedule)
* added vuln scan workflow: trivy  (on push, on weekly schedule)
* added release workflow (on tag). Generates a github release with
  release notes

* added badges to report workflows, releases etc

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>

Author: fredbi

.cliff.toml

@@ -0,0 +1,181 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+header = """
+"""
+
+footer = """
+
+-----
+
+**[{{ remote.github.repo }}]({{ self::remote_url() }}) license terms**
+
+[![License][license-badge]][license-url]
+
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: {{ self::remote_url() }}/?tab=Apache-2.0-1-ov-file#readme
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+
+body = """
+{%- if version %}
+## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+{%- else %}
+## [unreleased]
+{%- endif %}
+{%- if message %}
+  {%- raw %}\n{% endraw %}
+{{ message }}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+{%- if version %}
+  {%- if previous.version %}
+
+**Full Changelog**: <{{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}>
+  {%- endif %}
+{%- else %}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+
+{%- if statistics %}{% if statistics.commit_count %}
+  {%- raw %}\n{% endraw %}
+{{ statistics.commit_count }} commits in this release.
+  {%- raw %}\n{% endraw %}
+{%- endif %}{% endif %}
+-----
+
+{%- for group, commits in commits | group_by(attribute="group") %}
+  {%- raw %}\n{% endraw %}
+### {{ group | upper_first }}
+    {%- raw %}\n{% endraw %}
+    {%- for commit in commits %}
+      {%- if commit.remote.pr_title %}
+        {%- set commit_message = commit.remote.pr_title %}
+      {%- else %}
+        {%- set commit_message = commit.message %}
+      {%- endif %}
+* {{ commit_message | split(pat="\n") | first | trim }}
+      {%- if commit.remote.username %}
+{%- raw %} {% endraw %}by [@{{ commit.remote.username }}](https://github.com/{{ commit.remote.username }})
+      {%- endif %}
+      {%- if commit.remote.pr_number %}
+{%- raw %} {% endraw %}in [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }})
+      {%- endif %}
+{%- raw %} {% endraw %}[...]({{ self::remote_url() }}/commit/{{ commit.id }})
+  {%- endfor %}
+{%- endfor %}
+
+{%- if github %}
+{%- raw %}\n{% endraw -%}
+  {%- set all_contributors = github.contributors | length %}
+  {%- if github.contributors | filter(attribute="username", value="dependabot[bot]") | length < all_contributors %}
+-----
+
+### People who contributed to this release
+  {% endif %}
+  {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %}
+    {%- if contributor.username != "dependabot[bot]" %}
+* [@{{ contributor.username }}](https://github.com/{{ contributor.username }})
+    {%- endif %}
+  {%- endfor %}
+
+  {% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+-----
+    {%- raw %}\n{% endraw %}
+
+### New Contributors
+  {%- endif %}
+
+  {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+    {%- if contributor.username != "dependabot[bot]" %}
+* @{{ contributor.username }} made their first contribution
+      {%- if contributor.pr_number %}
+  in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \
+      {%- endif %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+
+{%- raw %}\n{% endraw %}
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+# output file path
+# output = "test.md"
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = false
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = false
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+    # Check spelling of the commit message using https://github.com/crate-ci/typos.
+    # If the spelling is incorrect, it will be fixed automatically.
+    #{ pattern = '.*', replace_command = 'typos --write-changes -' }
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = false
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true },
+    { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true },
+    { field = "author.name", pattern = "dependabot*", group = "<!-- 0A -->Updates" },
+    { message = "([Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "<!-- 05 -->Code quality" },
+    { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "<!-- 03 -->Documentation" },
+    { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "<!-- 00 -->Implemented enhancements" },
+    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^test", group = "<!-- 06 -->Testing" },
+    { message = "(^fix)|(panic)", group = "<!-- 01 -->Fixed bugs" },
+    { message = "(^refact)|(rework)", group = "<!-- 02 -->Refactor" },
+    { message = "(^[Pp]erf)|(performance)", group = "<!-- 04 -->Performance" },
+    { message = "(^[Cc]hore)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^[Rr]evert", group = "<!-- 09 -->Reverted changes" },
+    { message = "(upgrade.*?go)|(go\\s+version)", group = "<!-- 0A -->Updates" },
+    { message = ".*", group = "<!-- 0B -->Other" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Include only the tags that belong to the current branch.
+use_branch_tags = false
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order releases topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "newest"
+# Process submodules commits
+recurse_submodules = false
+
+#[remote.github]
+#owner = "go-openapi"

.github/release.yml

@@ -0,0 +1 @@
+# github release notes configuration

.github/workflows/auto-merge.yml

@@ -2,42 +2,52 @@ name: Dependabot auto-merge
 on: pull_request
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
-      - name: Dependabot metadata
+      -
+        name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
-
-      - name: Auto-approve all dependabot PRs
-        run: gh pr review --approve "$PR_URL"
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
+      -
+        name: Auto-approve all dependabot PRs
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Auto-merge dependabot PRs for development dependencies
-        if: contains(steps.metadata.outputs.dependency-group, 'development-dependencies')
-        run: gh pr merge --auto --rebase "$PR_URL"
+        run: gh pr review --approve "$PR_URL"
+      -
+        name: Auto-merge dependabot PRs for development dependencies
+        if: ${{ contains(steps.metadata.outputs.dependency-group, 'development-dependencies') }}
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Auto-merge dependabot PRs for go-openapi patches
-        if: contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') && (steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch')
         run: gh pr merge --auto --rebase "$PR_URL"
+      -
+        name: Auto-merge dependabot PRs for go-openapi patches
+        if: >-
+          ${{
+            contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') &&
+            (
+              steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+              steps.metadata.outputs.update-type == 'version-update:semver-patch'
+            )
+          }}
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-      - name: Auto-merge dependabot PRs for golang.org updates
-        if: contains(steps.metadata.outputs.dependency-group, 'golang-org-dependencies')
         run: gh pr merge --auto --rebase "$PR_URL"
+      -
+        name: Auto-merge dependabot PRs for golang.org updates
+        if: ${{ contains(steps.metadata.outputs.dependency-group, 'golang-org-dependencies') }}
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run: gh pr merge --auto --rebase "$PR_URL"
 

.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: "CodeQL"
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+    path-ignore:
+      - '**/*.md'
+  schedule:
+    - cron: '39 19 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze.
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      contents: read
+      security-events: write
+      # actions: read # <- is needed only for private repositories
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['go','actions']
+    steps:
+    -
+      name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    -
+      # Initializes the CodeQL tools for scanning.
+      name: Initialize CodeQL
+      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+      with:
+        languages: ${{ matrix.language }}
+    -
+      name: Analyze ${{ matrix.language }}
+      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9