chore: devops configs and workflows

Signed-off-by: Sam Gammon <[email protected]>

Author: sgammon

.github/CODEOWNERS

@@ -0,0 +1 @@
+*.* @sgammon

.github/dependabot.yml

@@ -0,0 +1,37 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "main"
+    schedule:
+      interval: "daily"
+    assignees:
+      - "sgammon"
+
+  # Maintain dependencies for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    target-branch: "main"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "sgammon"
+
+  # Maintain dependencies for Gradle
+  - package-ecosystem: "gradle"
+    directory: "/"
+    target-branch: "main"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "sgammon"
+
+  # Maintain dependencies for Docker
+  - package-ecosystem: "docker"
+    directory: "/"
+    target-branch: "main"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "sgammon"

.github/dependency-review-config.yml

@@ -0,0 +1,5 @@
+license-check: true
+vulnerability-check: true
+fail-on-severity: "high"
+
+allow-ghsas: []

.github/workflows/module.build.yml

@@ -0,0 +1,199 @@
+---
+name: "Build"
+
+"on":
+  workflow_dispatch:
+    inputs:
+      ## Runner to use
+      runner:
+        description: "Runner"
+        type: string
+        default: "ubuntu-latest"
+
+      ## Whether to build native targets
+      native:
+        description: "Native"
+        type: boolean
+        default: true
+
+      ## Whether to build iOS targets
+      ios:
+        description: "iOS"
+        type: boolean
+        default: true
+
+  workflow_call:
+    inputs:
+      runner:
+        description: "Runner"
+        type: string
+        default: "ubuntu-latest"
+      label:
+        description: "Label"
+        type: string
+        default: "Ubuntu"
+      native:
+        description: "Native"
+        type: boolean
+        default: true
+      ios:
+        description: "iOS"
+        type: boolean
+        default: true
+
+    secrets:
+      ## Secrets: Buildless API key
+      BUILDLESS_APIKEY:
+        required: false
+
+env:
+  BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+  PNPM_VERSION: ${{ vars.PNPM_VERSION || '8.7.5' }}
+  NODE_VERSION: ${{ vars.NODE_VERSION || '20.2.0' }}
+
+jobs:
+  build:
+    name: "Build"
+    runs-on: ${{ inputs.runner || 'ubuntu-latest' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+            fetch-depth: 0
+      - name: "Setup: PNPM"
+        uses: pnpm/action-setup@v2
+        with:
+          version: ${{ env.PNPM_VERSION }}
+      - name: "Setup: Node"
+        uses: buildjet/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - name: "Setup: Install Packages (Frozen)"
+        run: pnpm install --frozen-lockfile
+        if: |
+          (
+            github.event_name != 'pull_request' || (
+            !contains(github.ref, 'deps/') &&
+            !contains(github.ref, 'dependabot/') &&
+            !contains(github.ref, 'renovate/') &&
+            !contains(github.event.pull_request.labels.*.name, 'dependencies') &&
+            !contains(github.event.head_commit.message, 'ci:unlock-deps')
+          ))
+      - name: "Setup: Install Packages (Update)"
+        run: pnpm install --no-frozen-lockfile
+        if: |
+          (
+            github.event_name == 'pull_request' && contains(github.ref, 'deps/') ||
+            github.event_name == 'pull_request' && contains(github.ref, 'dependabot/') ||
+            github.event_name == 'pull_request' && contains(github.ref, 'renovate/') ||
+            github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies') ||
+            contains(github.event.head_commit.message, 'ci:unlock-deps')
+          )
+      - name: "Build: Web"
+        shell: bash
+        env:
+          CI: true
+        run: pnpm run build
+
+  build-ios:
+    name: "Build: iOS"
+    if: inputs.ios && inputs.native
+    runs-on: ${{ inputs.runner || 'ubuntu-latest' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+            fetch-depth: 0
+      - name: "Setup: PNPM"
+        uses: pnpm/action-setup@v2
+        with:
+          version: ${{ env.PNPM_VERSION }}
+      - name: "Setup: Node"
+        uses: buildjet/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - name: "Setup: Install Packages (Frozen)"
+        run: pnpm install --frozen-lockfile
+        if: |
+          (
+            github.event_name != 'pull_request' || (
+            !contains(github.ref, 'deps/') &&
+            !contains(github.ref, 'dependabot/') &&
+            !contains(github.ref, 'renovate/') &&
+            !contains(github.event.pull_request.labels.*.name, 'dependencies') &&
+            !contains(github.event.head_commit.message, 'ci:unlock-deps')
+          ))
+      - name: "Setup: Install Packages (Update)"
+        run: pnpm install --no-frozen-lockfile
+        if: |
+          (
+            github.event_name == 'pull_request' && contains(github.ref, 'deps/') ||
+            github.event_name == 'pull_request' && contains(github.ref, 'dependabot/') ||
+            github.event_name == 'pull_request' && contains(github.ref, 'renovate/') ||
+            github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies') ||
+            contains(github.event.head_commit.message, 'ci:unlock-deps')
+          )
+      - name: "Build: iOS"
+        shell: bash
+        env:
+          CI: true
+        run: pnpm run build:ios
+
+  build-android:
+    name: "Build: Android"
+    if: inputs.native
+    runs-on: ${{ inputs.runner || 'ubuntu-latest' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+            fetch-depth: 0
+      - name: "Setup: PNPM"
+        uses: pnpm/action-setup@v2
+        with:
+          version: ${{ env.PNPM_VERSION }}
+      - name: "Setup: Node"
+        uses: buildjet/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - name: "Setup: Install Packages (Frozen)"
+        run: pnpm install --frozen-lockfile
+        if: |
+          (
+            github.event_name != 'pull_request' || (
+            !contains(github.ref, 'deps/') &&
+            !contains(github.ref, 'dependabot/') &&
+            !contains(github.ref, 'renovate/') &&
+            !contains(github.event.pull_request.labels.*.name, 'dependencies') &&
+            !contains(github.event.head_commit.message, 'ci:unlock-deps')
+          ))
+      - name: "Setup: Install Packages (Update)"
+        run: pnpm install --no-frozen-lockfile
+        if: |
+          (
+            github.event_name == 'pull_request' && contains(github.ref, 'deps/') ||
+            github.event_name == 'pull_request' && contains(github.ref, 'dependabot/') ||
+            github.event_name == 'pull_request' && contains(github.ref, 'renovate/') ||
+            github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'dependencies') ||
+            contains(github.event.head_commit.message, 'ci:unlock-deps')
+          )
+      - name: "Build: Android"
+        shell: bash
+        env:
+          CI: true
+        run: pnpm run build:android

.github/workflows/on.pr.yml

@@ -0,0 +1,61 @@
+---
+name: "PR"
+
+"on":
+    ## Run on PR filings
+    pull_request:
+        paths:
+            - apps/**/*.*
+            - packages/**/*.*
+            - pnpm-lock.yaml
+            - package.json
+            - .github/workflows/*.yml
+
+    ## Run on PR queue check requests
+    merge_group: {}
+
+concurrency:
+    # Cancel previous actions from the same PR: https://stackoverflow.com/a/72408109
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+
+jobs:
+  dependency-review:
+    name: "Dependency Review"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        with:
+          egress-policy: audit
+      - name: "Checkout Repository"
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7 # v3.0.8
+        with:
+          config-file: "./.github/dependency-review-config.yml"
+
+  test:
+    name: "Tests: ${{ matrix.label }}"
+    uses: ./.github/workflows/module.build.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [ubuntu-latest]
+        label: ["Ubuntu"]
+        include:
+          # Bazel 7
+          - runner: ubuntu-latest
+            label: Ubuntu
+          - runner: macos-latest
+            label: macOS
+          - runner: windows-2022
+            label: Windows
+
+    secrets: inherit
+    with:
+      runner: ${{ matrix.runner }}
+      label: ${{ matrix.label }}

.github/workflows/on.push.yml

@@ -0,0 +1,42 @@
+---
+name: "CI"
+
+"on":
+    ## Run on push
+    push:
+        paths:
+            - apps/**/*.*
+            - packages/**/*.*
+            - pnpm-lock.yaml
+            - package.json
+            - .github/workflows/*.yml
+
+concurrency:
+    # Cancel previous actions from the same PR: https://stackoverflow.com/a/72408109
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+
+jobs:
+  build:
+    name: "Build: ${{ matrix.label }}"
+    uses: ./.github/workflows/module.build.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [ubuntu-latest]
+        label: ["Ubuntu"]
+        include:
+          - runner: ubuntu-latest
+            label: Ubuntu
+          - runner: macos-latest
+            label: macOS
+          - runner: windows-2022
+            label: Windows
+
+    secrets: inherit
+    with:
+      runner: ${{ matrix.runner }}
+      label: ${{ matrix.label }}