chore: improve open source release workflow and best practices (#767)

* feat: add structured issue templates and security workflow

- Add bug report template with platform, version, and reproduction steps
- Add feature request template with priority and context fields
- Add CodeQL security analysis workflow
- Add dependency review for pull requests

* fix(ci): update GitHub Actions and Xcode versions

- Update actions/cache from v3 to v4 for better performance
- Fix Xcode version consistency to 16.3 across workflows
- Improve caching reliability and build performance

* feat(deps): enhance Dependabot configuration

- Add npm and github-actions ecosystem monitoring
- Configure consistent commit message prefixes
- Add reviewer assignment for dependency updates
- Improve dependency management automation

* fix(release): improve version update script robustness

- Add semantic version format validation
- Add file existence checks before modification
- Implement error recovery with backup restoration
- Add comprehensive error handling and logging
- Prevent invalid version formats from being applied

* feat(release): enhance semantic-release configuration

- Add release-notes-generator for proper GitHub release notes
- Configure conventional commits preset with detailed release rules
- Add structured changelog generation with categorized sections
- Enable success comments and release labeling on issues/PRs
- Add missing semantic-release dependencies for enhanced functionality

Fixes release automation not generating proper release notes and changelog entries.

* fix(release): add attestations permission for GitHub workflow

- Add attestations: write permission for enhanced security
- Prepare for future SLSA provenance generation
- Align with GitHub security best practices

* docs(changelog): add missing release entries for v2.31.x

- Add v2.31.2 with dependency updates
- Add v2.31.1 with storage and realtime bug fixes
- Add v2.31.0 with new features and improvements
- Organize entries by type: Features, Bug Fixes, Dependencies, Tests
- Maintain consistency with existing changelog format

* chore(deps): update package-lock.json

- Update lockfile for new semantic-release dependencies
- Ensure dependency integrity and version consistency

* fix(deps): remove reviewer assignment from Dependabot config

- Remove hardcoded reviewer assignments
- Allow team flexibility in handling dependency updates
- Rely on CODEOWNERS for review assignments instead

* fix(security): run CodeQL analysis on macOS runner

- Change from ubuntu-latest to macos-latest for Swift CodeQL analysis
- Swift analysis requires macOS environment to function properly
- Resolves IncompatibleOs error in CodeQL autobuild process

* chore: remove release-please manifest file

- Remove .release-please-manifest.json as project migrated to semantic-release
- Clean up obsolete release-please configuration
- Semantic-release handles version management automatically

* fix(security): use manual build for CodeQL analysis

- Replace autobuild with manual xcodebuild command targeting Supabase library
- Use macOS destination and Debug configuration as per Makefile settings
- Skip macro validation for compatibility
- Prevents CodeQL from building Examples target instead of main library

* refactor(security): use Makefile for CodeQL build step

- Replace inline xcodebuild with standardized Makefile target
- Use PLATFORM=MACOS and XCODEBUILD_ARGUMENT=build parameters
- Ensures consistency with project build conventions
- Leverages existing build configuration and flags

* chore: remove disabled workflows and improve release dependency

- Remove .github/workflows_disabled directory with obsolete workflow files
- Add CI dependency check to release workflow to ensure all tests pass
- Wait for CI workflow completion before allowing releases
- Clean up repository from unused workflow configurations

Author: grdsdev

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,81 @@
+name: Bug Report
+description: File a bug report to help us improve
+title: "[Bug]: "
+labels: ["bug", "triage"]
+assignees: []
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: What version of supabase-swift are you running?
+      placeholder: ex. 2.31.2
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Platform
+      description: What platform are you using?
+      options:
+        - iOS
+        - macOS
+        - tvOS
+        - watchOS
+        - visionOS
+        - Linux
+        - Other
+    validations:
+      required: true
+
+  - type: input
+    id: swift-version
+    attributes:
+      label: Swift Version
+      description: What version of Swift are you using?
+      placeholder: ex. 5.10
+    validations:
+      required: true
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: Please provide clear steps to reproduce the issue
+      placeholder: |
+        1. Import Supabase
+        2. Create client with '...'
+        3. Call method '...'
+        4. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: code-sample
+    attributes:
+      label: Code Sample
+      description: Please provide a minimal code sample that reproduces the issue
+      render: swift
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,62 @@
+name: Feature Request
+description: Suggest an idea for supabase-swift
+title: "[Feature]: "
+labels: ["enhancement", "triage"]
+assignees: []
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a new feature! Please fill out the sections below.
+
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Searched existing issues?
+      description: Please search existing issues to avoid duplicates
+      options:
+        - label: I have searched the existing issues
+          required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem Description
+      description: Is your feature request related to a problem? Please describe.
+      placeholder: I'm always frustrated when...
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: Describe the solution you'd like
+      placeholder: I would like to see...
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternative Solutions
+      description: Describe any alternative solutions or features you've considered
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority
+      description: How important is this feature to you?
+      options:
+        - Low - Nice to have
+        - Medium - Would significantly improve my workflow
+        - High - Blocking my use case
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional Context
+      description: Add any other context, screenshots, or examples about the feature request

.github/dependabot.yml

@@ -5,7 +5,24 @@
 
 version: 2
 updates:
-  - package-ecosystem: "swift" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "swift"
+    directory: "/"
     schedule:
       interval: "weekly"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"

.github/workflows/ci.yml

@@ -72,7 +72,7 @@ jobs:
       - name: List available devices
         run: xcrun simctl list devices available
       - name: Cache derived data
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/.derivedData
@@ -134,15 +134,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Cache derived data
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.derivedData
           key: |
             deriveddata-examples-${{ hashFiles('**/Sources/**/*.swift', '**/Tests/**/*.swift', '**/Examples/**/*.swift') }}
           restore-keys: |
             deriveddata-examples-
-      - name: Select Xcode 16
-        run: sudo xcode-select -s /Applications/Xcode_16.0.app
+      - name: Select Xcode 16.3
+        run: sudo xcode-select -s /Applications/Xcode_16.3.app
       - name: Set IgnoreFileSystemDeviceInodeChanges flag
         run: defaults write com.apple.dt.XCBuild IgnoreFileSystemDeviceInodeChanges -bool YES
       - name: Update mtime for incremental builds

.github/workflows/release.yml

@@ -11,14 +11,27 @@ permissions:
   contents: read
 
 jobs:
+  check-ci-status:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Wait for CI workflow
+        uses: lewagon/[email protected]
+        with:
+          ref: ${{ github.ref }}
+          check-name: 'CI'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 30
+
   release:
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, 'skip ci')"
+    needs: [check-ci-status]
     permissions:
       contents: write
       issues: write
       pull-requests: write
       id-token: write
+      attestations: write
 
     steps:
       - name: Generate token

.github/workflows/security.yml

@@ -0,0 +1,54 @@
+name: Security
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 1'  # Weekly on Mondays
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: macos-latest
+    timeout-minutes: 360
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ swift ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Build Supabase library
+        run: make XCODEBUILD_ARGUMENT=build PLATFORM=MACOS xcodebuild
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: moderate