ci: add scans

.editorconfig

@@ -1,18 +1,25 @@
 root = true
 
 [*]
-charset = utf-8
-end_of_line = lf
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
+charset=utf-8
+end_of_line=lf
+indent_size=2
+indent_style=space
+insert_final_newline=true
+tab_width=2
+trim_trailing_whitespace=true
 
-[*.{json, yaml, yml}]
-indent_size = 2
+[*.{bat,cmd,ps1}]
+end_of_line=crlf
 
-[*.md]
-trim_trailing_whitespace = false
+[*.{md,mdx}]
+trim_trailing_whitespace=false
 
-[Makefile]
-indent_style = tab
+[*.{py,rs}]
+indent_size=4
+tab_width=4
+
+[{*.{go,lua,tsv},go.{mod,sum},Makefile}]
+indent_size=4
+indent_style=tab
+tab_width=4

.github/workflows/ci.yml

@@ -11,26 +11,28 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
+
 jobs:
   python:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
         python: [3.12]
 
-    name: python
     runs-on: ${{ matrix.os }}
     env:
       ENVIRONMENT: ci
     steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - name: Set up UV
-        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5
+      - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5
 
-      - name: Set up Python
-        id: setup-python
+      - id: setup-python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: ${{ matrix.python }}
@@ -39,39 +41,35 @@ jobs:
         if: ${{ runner.os != 'Windows' }}
         run: |
           mkdir -p .venv
-          echo "$(realpath .venv)/bin" >> ${GITHUB_PATH}
+          echo "$(realpath .venv)/bin" >> "${GITHUB_PATH}"
 
       - name: Set up environment (Windows)
         if: ${{ runner.os == 'Windows' }}
         run: |
           New-Item -Type Directory -Force .venv
-          "$(Resolve-Path .venv)/Scripts" | Out-File -FilePath ${env:GITHUB_PATH} -Append
+          "$(Resolve-Path .venv)/Scripts" | Out-File -FilePath "${env:GITHUB_PATH}" -Append
 
-      - name: Install dependencies
-        run: uv sync
+      - run: uv sync
 
-      - name: Lint and test
-        run: make lint test
+      - run: make lint test
 
   docker:
-    name: docker
     permissions:
       contents: read
       packages: write
+
     runs-on: ubuntu-latest
     env:
       GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           sparse-checkout: |
             Dockerfile
             uv.lock
 
-      - name: Cache buildkit mounts
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
         with:
           path: |
             var-cache-apt
@@ -82,8 +80,7 @@ jobs:
             buildkit-mounts-${{ runner.os }}
             buildkit-mounts-${{ runner.os }}
 
-      - name: Inject cache into docker
-        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3
+      - uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3
         with:
           cache-map: |
             {
@@ -93,11 +90,9 @@ jobs:
               "root-cache-uv": "/root/.cache/uv"
             }
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+      - uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
 
-      - name: Build CI image
-        id: build-ci
+      - id: build-ci
         env:
           ENVIRONMENT: ci
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
@@ -108,25 +103,21 @@ jobs:
             ${{ env.GHCR_IMAGE_NAME }}:cache
           load: true
 
-      - name: Run CI image
-        run: docker run --rm ${{ steps.build-ci.outputs.imageid }}
+      - run: docker run --rm ${{ steps.build-ci.outputs.imageid }}
 
-      - name: Docker metadata
-        id: docker_metadata
+      - id: docker_metadata
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
         with:
           images: ${{ env.GHCR_IMAGE_NAME }}
 
-      - name: Login to GHCR
-        if: ${{ github.event_name != 'pull_request' }}
+      - if: ${{ github.event_name != 'pull_request' }}
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push dev image
-        if: ${{ github.event_name != 'pull_request' }}
+      - if: ${{ github.event_name != 'pull_request' }}
         env:
           ENVIRONMENT: dev
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
@@ -139,10 +130,7 @@ jobs:
           tags: ${{ env.GHCR_IMAGE_NAME }}:dev
           push: ${{ github.event_name != 'pull_request' }}
 
-      - name: Build and push prod image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          ENVIRONMENT: prod
+      - if: ${{ github.event_name != 'pull_request' }}
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
         with:
           cache-from: |
@@ -153,3 +141,5 @@ jobs:
           labels: ${{ steps.docker_metadata.outputs.labels }}
           annotations: ${{ steps.docker_metadata.outputs.annotations }}
           push: ${{ github.event_name != 'pull_request' }}
+        env:
+          ENVIRONMENT: prod

.github/workflows/dependabot.yml

@@ -0,0 +1,35 @@
+name: dependabot
+on:
+  pull_request:
+    branches: [main]
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
+
+jobs:
+  dependabot:
+    permissions:
+      contents: write
+      pull-requests: write
+
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - id: metadata
+        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2
+
+      - name: log metadata
+        run: echo "${DEPENDABOT_METADATA}"
+        env:
+          DEPENDABOT_METADATA: ${{ toJson(steps.metadata.outputs) }}
+
+      - name: automerge
+        if: ${{ !contains(steps.metadata.outputs.update-type, 'major' ) }}
+        run: gh pr merge --auto --squash "${PR_NUMBER}"
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}

.github/workflows/ossf.yml

@@ -0,0 +1,46 @@
+name: ossf
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
+
+jobs:
+  ossf:
+    permissions:
+      contents: read
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+      # Needed for Code scanning upload
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
+          publish_results: true
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+        with:
+          sarif_file: results.sarif

.github/workflows/pr.yml

@@ -1,66 +1,46 @@
 name: pr
-
 on:
   pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
+    types: [opened, synchronize, reopened, edited]
+    branches: [main]
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
 
 jobs:
   lint-title:
     permissions:
       pull-requests: read
+
     runs-on: ubuntu-latest
     steps:
-      - name: semantic-pull-request
-        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
 
   label:
     permissions:
       contents: read
       pull-requests: write
+
     runs-on: ubuntu-latest
     steps:
-      - name: labeler
-        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
 
   label-size:
     permissions:
       contents: read
       pull-requests: write
+
     runs-on: ubuntu-latest
     steps:
-      - name: size-label
-        uses: pascalgn/size-label-action@f8edde36b3be04b4f65dcfead05dc8691b374348 # v0.5.5
+      - uses: pascalgn/size-label-action@f8edde36b3be04b4f65dcfead05dc8691b374348 # v0.5.5
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           IGNORED: |
             package-lock.json
             *.lock
             docs/**
-
-  dependabot:
-    if: github.actor == 'dependabot[bot]'
-    permissions:
-      contents: write
-      pull-requests: write
-    runs-on: ubuntu-latest
-    steps:
-      - id: metadata
-        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2
-
-      - name: log metadata
-        env:
-          DEPENDABOT_METADATA: ${{ toJson(steps.metadata.outputs) }}
-        run: echo ${DEPENDABOT_METADATA}
-
-      - name: automerge
-        if: ${{ !contains(steps.metadata.outputs.update-type, 'major' ) }}
-        run: gh pr merge --auto --squash ${PR_NUMBER}
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-          GH_TOKEN: ${{ github.token }}