ci: add tooling

.github/workflows/codeql.yml

@@ -0,0 +1,43 @@
+# Copyright AGNTCY Contributors (https://github.com/agntcy)
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "33 10 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/container-security.yml

@@ -0,0 +1,66 @@
+# Copyright AGNTCY Contributors (https://github.com/agntcy)
+# SPDX-License-Identifier: Apache-2.0
+
+name: Container Security Scan
+
+on:
+  schedule:
+    - cron: "0 3 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+  packages: read
+
+jobs:
+  trivy-scan:
+    name: Trivy Image Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Log in to GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull image
+        run: |
+          set -euo pipefail
+          docker pull ghcr.io/agntcy/oasf-sdk:latest
+          docker image inspect ghcr.io/agntcy/oasf-sdk:latest >/dev/null 2>&1
+
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          image-ref: ghcr.io/agntcy/oasf-sdk:latest
+          format: sarif
+          output: trivy-results.sarif
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          ignore-unfixed: true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy
+
+      - name: Upload raw report artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: trivy-report
+          path: trivy-results.sarif
+          retention-days: 7
+
+      - name: Fail on critical vulnerabilities
+        run: |
+          critical_count=$(grep -c '"level": "error"' trivy-results.sarif || true)
+          if [ "${critical_count}" != "0" ]; then
+            echo "::warning::Critical vulnerabilities detected in container image."
+          fi

.github/workflows/pr.yaml

@@ -0,0 +1,77 @@
+# Copyright AGNTCY Contributors (https://github.com/agntcy)
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  validate_pr_title:
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        id: lint_pr_title
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          ignoreLabels: |
+            ignore-semantic-pr
+          subjectPattern: "^(?![A-Z]).+$"
+          types: |
+            build
+            chore
+            ci
+            deps
+            docs
+            feat
+            fix
+            perf
+            refactor
+            revert
+            style
+            test
+            release
+          scopes: |
+            server
+            pkg
+            proto
+            helm
+            e2e
+            ci
+            deps
+            .*
+          requireScope: false
+
+      - uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
+        if: always() && (steps.lint_pr_title.outputs.error_message != null)
+        with:
+          header: pr-title-lint-error
+          message: |
+            Hey there and thank you for opening this pull request! 👋
+
+            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/),
+            and it looks like your proposed title needs to be adjusted.
+
+            Details:
+
+            ```
+            ${{ steps.lint_pr_title.outputs.error_message }}
+            ```
+
+      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
+        with:
+          header: pr-title-lint-error
+          delete: true

.github/workflows/test.yaml

@@ -4,24 +4,65 @@
 name: Unit Tests
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   unit-tests:
     name: Go Unit Tests
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: server/go.mod
+          check-latest: true
+          cache-dependency-path: |
+            server/go.sum
+            pkg/go.sum
+
       - name: Setup Taskfile
         shell: bash
         run: sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d -b ~/.local/bin
 
-      - name: Run unit tests
+      - name: Run unit tests with coverage
         run: |
-          task test:unit
+          for dir in $(find . -name go.mod -not -path "./e2e/*" -exec dirname {} \;); do
+            echo "Running tests in ${dir}"
+            (cd "${dir}" && go test -race -coverprofile=coverage.out ./...)
+          done
+
+      - name: Merge coverage files
+        run: |
+          : > combined-coverage.out
+          first=true
+          for dir in $(find . -name go.mod -not -path "./e2e/*" -exec dirname {} \;); do
+            if [ -f "${dir}/coverage.out" ]; then
+              if [ "$first" = true ]; then
+                cat "${dir}/coverage.out" >> combined-coverage.out
+                first=false
+              else
+                tail -n +2 "${dir}/coverage.out" >> combined-coverage.out
+              fi
+            fi
+          done
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        with:
+          files: combined-coverage.out
+          flags: unit
+          codecov_yml_path: codecov.yml
+          use_oidc: true

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+  - repo: local
+    hooks:
+      - id: golangci-lint
+        name: golangci-lint
+        description: Run golangci-lint with auto-fix on staged Go files.
+        entry: task lint:golangci-lint FIX=true
+        language: system
+        pass_filenames: false
+        types: [go]
+        require_serial: true

README.md

@@ -1,5 +1,10 @@
 # OASF SDK
 
+![GitHub Release (latest by date)](https://img.shields.io/github/v/release/agntcy/oasf-sdk)
+[![CI](https://github.com/agntcy/oasf-sdk/actions/workflows/lint.yaml/badge.svg?branch=main)](https://github.com/agntcy/oasf-sdk/actions/workflows/lint.yaml)
+[![Coverage](https://codecov.io/gh/agntcy/oasf-sdk/branch/main/graph/badge.svg)](https://codecov.io/gh/agntcy/oasf-sdk)
+[![License](https://img.shields.io/github/license/agntcy/oasf-sdk)](./LICENSE.md)
+
 The OASF SDK contains SDKs related to the [OASF](https://github.com/agntcy/oasf) project.
 
 ## Usage

codecov.yml

@@ -0,0 +1,35 @@
+codecov:
+  require_ci_to_pass: false
+  notify:
+    after_n_builds: 1
+
+comment:
+  layout: "files,diff,flags,tree"
+  hide_project_coverage: false
+  require_changes: false
+  require_base: false
+  require_head: true
+  behavior: default
+
+coverage:
+  precision: 1
+  round: nearest
+  range: 40..90
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 2%
+        informational: true
+    patch:
+      default:
+        target: auto
+        threshold: 1%
+        informational: true
+    changes: false
+
+ignore:
+  - "**/*.pb.go"
+  - "**/mock_*.go"
+  - "**/testdata/**"
+  - "e2e/**"

renovate.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "enabledManagers": ["dockerfile", "github-actions", "gomod"],
+  "packageRules": [
+    {
+      "matchManagers": ["gomod"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "matchManagers": ["dockerfile"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "matchCategories": ["vulnerability"],
+      "enabled": true,
+      "automerge": true,
+      "addLabels": ["security"]
+    }
+  ],
+  "semanticCommits": "enabled",
+  "labels": ["dependencies"]
+}