ci: improve workflows and release process

Author: tboerger

.github/renovate.json

@@ -1,40 +1,68 @@
 {
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
     "extends": [
-        "config:recommended",
+        "config:best-practices",
+        ":disableRateLimiting",
+        ":prImmediately",
         ":semanticCommits",
         ":semanticCommitType(deps)"
     ],
+    "dockerfile": {
+        "pinDigests": true
+    },
+    "gomod": {
+        "postUpdateOptions": [
+            "gomodUpdateImportPaths",
+            "gomodTidy"
+        ]
+    },
     "packageRules": [
         {
             "description": "Semantic commits for major updates",
             "matchUpdateTypes": [
                 "major"
             ],
-            "semanticCommitType": "major",
-            "semanticCommitScope": "deps",
+            "semanticCommitType": "deps",
+            "semanticCommitScope": "major",
             "automerge": true
         },
         {
             "description": "Semantic commits for minor updates",
             "matchUpdateTypes": [
                 "minor"
             ],
-            "semanticCommitType": "minor",
-            "semanticCommitScope": "deps",
+            "semanticCommitType": "deps",
+            "semanticCommitScope": "minor",
             "automerge": true
         },
         {
             "description": "Semantic commits for patch updates",
             "matchUpdateTypes": [
                 "patch"
             ],
+            "semanticCommitType": "deps",
+            "semanticCommitScope": "patch",
+            "automerge": true
+        },
+        {
+            "description": "Automerge docker digest updates",
+            "groupName": "docker digests",
+            "matchDatasources": [
+                "docker"
+            ],
+            "matchUpdateTypes": [
+                "pin",
+                "pinDigest",
+                "digest"
+            ],
             "semanticCommitType": "patch",
             "semanticCommitScope": "deps",
+            "pinDigests": true,
             "automerge": true
         },
         {
             "description": "Build tool version upgrades",
+            "groupName": "build tools",
             "matchManagers": [
                 "github-actions"
             ],

.github/semantic.yml

@@ -0,0 +1,24 @@
+---
+commitsOnly: true
+anyCommit: true
+allowMergeCommits: true
+allowRevertCommits: true
+
+types:
+  - feat
+  - fix
+  - docs
+  - style
+  - refactor
+  - perf
+  - test
+  - build
+  - ci
+  - chore
+  - revert
+  - major
+  - minor
+  - patch
+  - deps
+
+...

.github/settings.yml

@@ -6,65 +6,148 @@ repository:
 
   private: false
   has_issues: true
-  has_projects: false
   has_wiki: false
   has_downloads: false
 
   default_branch: master
 
-  allow_squash_merge: false
   allow_merge_commit: false
+  allow_squash_merge: true
   allow_rebase_merge: true
 
+  allow_update_branch: true
+  allow_auto_merge: true
+  delete_branch_on_merge: true
+  enable_automated_security_fixes: true
+  enable_vulnerability_alerts: true
+
+rulesets:
+  - name: prevent destruction
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_linear_history
+      - type: deletion
+      - type: non_fast_forward
+
+  - name: check verification
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_status_checks
+        parameters:
+          strict_required_status_checks_policy: true
+          required_status_checks:
+            - context: general
+              integration_id: 15368
+    bypass_actors:
+      - actor_id: 1
+        actor_type: RepositoryRole
+        bypass_mode: always
+      - actor_id: 2
+        actor_type: RepositoryRole
+        bypass_mode: always
+
+  - name: require reviewing
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: pull_request
+        parameters:
+          allowed_merge_methods:
+            - squash
+            - rebase
+          dismiss_stale_reviews_on_push: false
+          require_code_owner_review: false
+          require_last_push_approval: false
+          required_approving_review_count: 0
+          required_review_thread_resolution: false
+    bypass_actors:
+      - actor_id: 1
+        actor_type: RepositoryRole
+        bypass_mode: always
+      - actor_id: 2
+        actor_type: RepositoryRole
+        bypass_mode: always
+
 labels:
   - name: bug
-    color: d73a4a
+    color: fc2929
     description: Something isn't working
-  - name: documentation
-    color: 0075ca
-    description: Improvements or additions to documentation
   - name: duplicate
-    color: cfd3d7
+    color: cccccc
     description: This issue or pull request already exists
   - name: enhancement
-    color: a2eeef
+    color: 84b6eb
     description: New feature or request
   - name: good first issue
     color: 7057ff
     description: Good for newcomers
   - name: help wanted
-    color: 008672
+    color: 159818
     description: Extra attention is needed
   - name: invalid
-    color: e4e669
+    color: e6e6e6
     description: This doesn't seem right
   - name: question
-    color: d876e3
+    color: cc317c
     description: Further information is requested
   - name: renovate
     color: 1d76db
     description: Automated action from Renovate
   - name: wontfix
-    color: ffffff
+    color: 5319e7
     description: This will not be worked on
   - name: hacktoberfest
     color: d4c5f9
     description: Contribution at Hacktoberfest appreciated
-
-branches:
-  - name: master
-    protection:
-      required_pull_request_reviews: null
-      required_status_checks:
-        strict: true
-        contexts:
-          - check
-      enforce_admins: false
-      restrictions:
-        apps:
-          - renovate
-        users:
-          - tboerger
-        teams: []
+  - name: ready
+    color: ededed
+    description: This is ready to be worked on
+  - name: in progress
+    color: ededed
+    description: This is currently worked on
+  - name: infra
+    color: 006b75
+    description: Related to the infrastructure
+  - name: lint
+    color: fbca04
+    description: Related to linting tools
+  - name: poc
+    color: c2e0c6
+    description: Proof of concept for new feature
+  - name: rebase
+    color: ffa8a5
+    description: Branch requires a rebase
+  - name: third-party
+    color: e99695
+    description: Depends on third-party tool or library
+  - name: translation
+    color: b60205
+    description: Change or issue related to translations
+  - name: ci
+    color: b60105
+    description: Related to Continous Integration
+  - name: docs
+    color: b60305
+    description: Related to documentation
+  - name: outdated
+    color: cccccc
+    description: This is out of scope and outdated
 
 ...

.github/workflows/automerge.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: automerge
 
 "on":
@@ -18,19 +19,16 @@ jobs:
 
     steps:
       - name: Fetch metadata
-        id: metadata
         uses: dependabot/fetch-metadata@v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Approve request
-        id: approve
         run: gh pr review --approve "${{github.event.pull_request.html_url}}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable automerge
-        id: automerge
         run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
         env:
           GH_TOKEN: ${{ secrets.PERSONAL_TOKEN }}

.github/workflows/flake.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: flake
 
 "on":
@@ -15,21 +16,17 @@ jobs:
 
     steps:
       - name: Checkout source
-        id: source
         uses: actions/checkout@v6
         with:
           token: ${{ secrets.PERSONAL_TOKEN }}
 
       - name: Install nix
-        id: nix
         uses: cachix/install-nix-action@v31
 
       - name: Update flake
-        id: flake
         run: nix flake update
 
       - name: Source rebase
-        id: rebase
         run: git pull --autostash --rebase
 
       - name: Commit changes

.github/workflows/general.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: general
 
 "on":
@@ -7,8 +8,11 @@ name: general
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
-  check:
+  general:
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/release.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: release
 
 "on":
@@ -15,6 +16,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Setup nodejs
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+        with:
+          node-version: lts/*
+
       - name: Checkout source
         uses: actions/checkout@v6
         with:
@@ -28,10 +34,11 @@ jobs:
       - name: Install releaser
         run: |
           npm install -g \
-            conventional-changelog-conventionalcommits@6.1.0 \
-            semantic-release@23.1.1 \
+            semantic-release@25.0.2 \
             @semantic-release/changelog \
-            @semantic-release/git
+            @semantic-release/git \
+            @semantic-release/github \
+            conventional-changelog-conventionalcommits
 
       - name: Run releaser
         env: