governance+ci: hardening (templates, CoC, release workflow, stronger CodeQL) (#3)

* governance+ci: add issue/PR templates, Code of Conduct; add release workflow with attestation; expand CodeQL queries

* ci: add Dependabot for GitHub Actions (weekly)

Author: nickotmazgin

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,37 @@
+name: Bug report
+description: Report a problem with the extension
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill this out!
+  - type: input
+    id: gnome
+    attributes:
+      label: GNOME Shell version
+      placeholder: 44, 45, etc
+    validations:
+      required: true
+  - type: dropdown
+    id: session
+    attributes:
+      label: Session
+      options:
+        - Wayland
+        - Xorg
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      placeholder: What happened?
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant logs
+      description: Output of `journalctl --user -b 0 -o cat | grep -i comfort-control`
+      render: shell

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,19 @@
+name: Feature request
+description: Suggest an idea or improvement
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem to solve
+      placeholder: What’s the user need?
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      placeholder: Describe the solution you’d like
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      placeholder: Mockups, examples, references

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,10 @@
+## Summary
+
+Describe the change and motivation.
+
+## Checklist
+- [ ] Tested on supported GNOME versions
+- [ ] No new warnings in journalctl
+- [ ] Updated docs if needed
+
+Fixes #

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5

.github/workflows/codeql.yml

@@ -27,6 +27,9 @@ jobs:
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@4248455a6f2335bc3b7a8a62932f000050ec8f13
+        with:
+          queries: security-and-quality
+          languages: ${{ matrix.language }}
         with:
           languages: ${{ matrix.language }}
 

.github/workflows/release.yml

@@ -0,0 +1,42 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  attestations: write
+  id-token: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Install build deps
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y zip libglib2.0-bin
+
+      - name: Prepare build
+        run: |
+          set -e
+          if [ -d schemas ]; then glib-compile-schemas schemas; fi
+          ZIP="comfort-control-github-${GITHUB_REF_NAME}.zip"
+          echo "ZIP_NAME=$ZIP" >> $GITHUB_ENV
+          zip -r "$ZIP" . \
+            -x '.git/*' '.github/*' 'screenshots/*'
+
+      - name: Attach provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ${{ env.ZIP_NAME }}
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@de2c0eb2d6b4e54f5a75a42c46b67f7b9a6c0c4b
+        with:
+          files: ${{ env.ZIP_NAME }}

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+# Code of Conduct
+
+We follow the Contributor Covenant. Be respectful, helpful, and constructive.
+
+For issues, contact: nickotmazgin.dev@gmail.com