feat: massive upgrade to workflows

Author: mrz1836

.github/.env.shared

@@ -0,0 +1,138 @@
+# ------------------------------------------------------------------------------------
+#  Shared Environment Variables for CI/CD Workflows
+#
+#  Purpose: Centralized configuration for all GitHub Actions workflows.
+#  This file contains static environment variables used across multiple workflows.
+#
+#  Maintainer: @mrz1836
+#
+# ------------------------------------------------------------------------------------
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Custom Project Variables
+# ───────────────────────────────────────────────────────────────────────────────
+CUSTOM_VAR=false             # Add your own custom variables here for use in workflows
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: GitHub Token Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+# Use 'GH_PAT_TOKEN' for private repos or higher API rate limits (5000/hour).
+# The default fallback is 'GITHUB_TOKEN' (rate-limited to 1000/hour).
+PREFERRED_GITHUB_TOKEN=GH_PAT_TOKEN    # Change this per project as needed
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Go Version Matrix
+# ───────────────────────────────────────────────────────────────────────────────
+# If you set both primary and secondary versions to the same value, the workflow will only run once for that version.
+GO_PRIMARY_VERSION=1.24.x              # Main Go version used by primary jobs and runners
+GO_SECONDARY_VERSION=1.24.x            # Additional version for compatibility testing (or if the go.mod version != GO_PRIMARY_VERSION)
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: OS and Runner Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+# This can only be Linux or Mac (there is no support for Windows at this time).
+# Careful using Mac, it's expensive! See: https://docs.github.com/en/billing/managing-billing-for-your-products/about-billing-for-github-actions#minute-multipliers
+PRIMARY_RUNNER=ubuntu-24.04            # This is the primary runner and also used for jobs that require Linux (options are: ubuntu-24.04, ubuntu-22.04, macos-15)
+SECONDARY_RUNNER=ubuntu-24.04          # Set identical to PRIMARY_RUNNER if you want a single test runner (options are: ubuntu-24.04, ubuntu-22.04, macos-15)
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Feature Flags
+# ───────────────────────────────────────────────────────────────────────────────
+ENABLE_CODE_COVERAGE=true              # Enable code coverage reporting (upload to Codecov)
+ENABLE_FUZZ_TESTING=true               # Enable fuzz running tests (requires Go 1.18+)
+ENABLE_LINT=true                       # Enable linting steps (golangci-lint)
+ENABLE_RACE_DETECTION=true             # Enable Go's race detector in tests (-race flag)
+ENABLE_SECURITY_SCANS=true             # Enable tools like gitleaks, govulncheck, nancy
+ENABLE_STATIC_ANALYSIS=true            # Enable static analysis jobs (go vet)
+ENABLE_VERBOSE_TEST_OUTPUT=true        # Enable verbose output for test runs (can slow down CI)
+MAKEFILE_REQUIRED=true                 # Enforce the presence of Makefile for builds (future feature)
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Tool Versions & Config
+# ───────────────────────────────────────────────────────────────────────────────
+GITLEAKS_NOTIFY_USER_LIST=@mrz1836                # User(s) to notify when gitleaks secrets are found (user,user2)
+GITLEAKS_VERSION=8.27.2                           # Version of gitleaks to install and use (X.Y.Z)
+GORELEASER_VERSION=v2.10.2                        # Version of goreleaser to install and use (vX.Y.Z)
+GOVULNCHECK_VERSION=v1.1.4                        # Version of govulncheck to use for Go vuln scanning (vX.Y.Z)
+NANCY_EXCLUDES=CVE-2024-38513,CVE-2022-21698,CVE-2023-45142  # Known acceptable CVEs (cve,cve2,...)
+NANCY_VERSION=v1.0.51                             # Version of nancy to install and use (vX.Y.Z)
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Stale Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+STALE_DAYS_BEFORE_STALE=60                        # Days of inactivity before marking as stale
+STALE_DAYS_BEFORE_CLOSE=14                        # Additional days before closing stale items
+STALE_LABEL=stale                                 # Label to apply to stale items
+STALE_EXEMPT_ISSUE_LABELS=work-in-progress,security,requires-manual-review    # Issues with these labels won't go stale
+STALE_EXEMPT_PR_LABELS=work-in-progress,security,requires-manual-review       # PRs with these labels won't go stale
+STALE_OPERATIONS_PER_RUN=300                      # Maximum API operations per workflow run
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Sync Labels Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+SYNC_LABELS_FILE=.github/labels.yml    # Path to the labels manifest file
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Python Dependencies Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+UPDATE_PYTHON_DEPENDENCIES_BRANCH=chore/update-python-dependencies   # Branch name for python dependency update PRs
+PIP_DIRECTORY=.github/pip                                            # Directory containing all pip requirement files
+UPDATE_PYTHON_DEPENDENCIES_SCHEDULE_UPDATE_MAIN=true                 # Default: Update main requirements on scheduled runs
+UPDATE_PYTHON_DEPENDENCIES_SCHEDULE_UPDATE_PIP_TOOLS=true            # Default: Update pip-tools requirements on scheduled runs
+UPDATE_PYTHON_DEPENDENCIES_SCHEDULE_CREATE_PR=true                   # Default: Create PR on scheduled runs
+UPDATE_PYTHON_DEPENDENCIES_PR_LABELS=dependencies,chore,automated,python  # Labels to apply to PRs (comma-separated)
+UPDATE_PYTHON_DEPENDENCIES_PR_ASSIGNEE=mrz1836                       # Default assignee for PRs
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Pre-commit Hooks Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+UPDATE_PRE_COMMIT_HOOKS_BRANCH=chore/update-pre-commit-hooks      # Branch name for pre-commit update PRs
+PRE_COMMIT_CONFIG_FILE=.pre-commit-config.yaml                    # Path to the pre-commit config file
+UPDATE_PRE_COMMIT_HOOKS_SCHEDULE_CREATE_PR=true                   # Default: Create PR on scheduled runs
+UPDATE_PRE_COMMIT_HOOKS_PR_LABELS=dependencies,chore,automated,pre-commit  # Labels to apply to PRs (comma-separated)
+UPDATE_PRE_COMMIT_HOOKS_PR_ASSIGNEE=mrz1836                       # Default assignee for PRs
+UPDATE_PRE_COMMIT_HOOKS_TEST_ON_UPDATE=true                       # Default: Test hooks after update
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Dependabot Auto-merge Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+DEPENDABOT_MAINTAINER_USERNAME=mrz1836                           # Username to notify for manual reviews
+DEPENDABOT_AUTO_MERGE_PATCH=true                                 # Auto-merge patch updates
+DEPENDABOT_AUTO_MERGE_MINOR_DEV=true                             # Auto-merge minor updates for dev dependencies
+DEPENDABOT_AUTO_MERGE_MINOR_PROD=false                           # Auto-merge minor updates for prod dependencies
+DEPENDABOT_AUTO_MERGE_SECURITY_NON_MAJOR=true                    # Auto-merge security updates (except major)
+DEPENDABOT_ALERT_ON_MAJOR=true                                   # Alert maintainer on major updates
+DEPENDABOT_ALERT_ON_MINOR_PROD=true                              # Alert maintainer on minor prod updates
+DEPENDABOT_MANUAL_REVIEW_LABEL=requires-manual-review            # Label for PRs requiring manual review
+DEPENDABOT_AUTO_MERGE_LABELS=automerge,dependabot                # Labels for auto-merged PRs (comma-separated)
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Auto-merge on Approval Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+AUTO_MERGE_MIN_APPROVALS=1                                       # Minimum approvals required for auto-merge
+AUTO_MERGE_REQUIRE_ALL_REQUESTED_REVIEWS=true                    # Require all requested reviews to be completed
+AUTO_MERGE_ALLOWED_MERGE_TYPES=squash                            # Allowed merge types (squash,merge,rebase) comma-separated
+AUTO_MERGE_DELETE_BRANCH=true                                    # Delete branch after merge
+AUTO_MERGE_SKIP_DRAFT=true                                       # Skip draft PRs
+AUTO_MERGE_SKIP_WIP=true                                         # Skip WIP PRs (title or label)
+AUTO_MERGE_WIP_LABELS=work-in-progress,wip,do-not-merge          # Labels that indicate WIP (comma-separated)
+AUTO_MERGE_COMMENT_ON_ENABLE=true                                # Comment when auto-merge is enabled
+AUTO_MERGE_COMMENT_ON_DISABLE=true                               # Comment when auto-merge is disabled
+AUTO_MERGE_LABELS_TO_ADD=auto-merge-enabled                      # Labels to add when auto-merge is enabled
+AUTO_MERGE_SKIP_BOT_PRS=true                                     # Skip bot PRs (they have separate workflows)
+
+# ───────────────────────────────────────────────────────────────────────────────
+# ENV: Pull Request Management Workflow Configuration
+# ───────────────────────────────────────────────────────────────────────────────
+PR_MANAGEMENT_DEFAULT_ASSIGNEE=mrz1836                           # Default assignee for PRs without one
+PR_MANAGEMENT_SKIP_BOT_USERS=dependabot[bot],mergify[bot],copilot[bot]  # Bot users to skip (comma-separated)
+PR_MANAGEMENT_WELCOME_FIRST_TIME=true                            # Welcome first-time contributors
+PR_MANAGEMENT_APPLY_SIZE_LABELS=true                             # Apply size labels (XS, S, M, L, XL)
+PR_MANAGEMENT_APPLY_TYPE_LABELS=true                             # Apply type labels based on branch/title
+PR_MANAGEMENT_CLEAN_CACHE_ON_CLOSE=true                          # Clean runner cache when PR closes
+PR_MANAGEMENT_DELETE_BRANCH_ON_MERGE=true                        # Delete source branch after merge
+PR_MANAGEMENT_PROTECTED_BRANCHES=master,main,development         # Branches that should never be deleted
+PR_MANAGEMENT_SIZE_XS_THRESHOLD=10                               # Max changes for XS size label
+PR_MANAGEMENT_SIZE_S_THRESHOLD=50                                # Max changes for S size label
+PR_MANAGEMENT_SIZE_M_THRESHOLD=200                               # Max changes for M size label
+PR_MANAGEMENT_SIZE_L_THRESHOLD=500                               # Max changes for L size label

.github/AGENTS.md

@@ -1049,7 +1049,7 @@ CI automatically runs on every PR to verify:
 * Linting (`make lint`)
 * Tests (`make test`)
 * Fuzz tests (if applicable) (`make run-fuzz-tests`)
-* This codebase uses GitHub Actions; test workflows reside in `.github/workflows/run-tests.yml`
+* This codebase uses GitHub Actions; test workflows reside in `.github/workflows/fortress.yml`
 * Pin each external GitHub Action to a **full commit SHA** (e.g., `actions/checkout@2f3b4a2e0e471e13e2ea2bc2a350e888c9cf9b75`) as recommended by GitHub's [security hardening guidance](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-pinned-actions). Dependabot will track and update these pinned versions automatically.
 
 Failing PRs will be blocked. AI agents should iterate until CI passes.

.github/SECURITY.md

@@ -45,7 +45,7 @@ All official security responses are signed with it.
 We regularly scan for known vulnerabilities using:
 
 * [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck): Checks Go code and dependencies for known vulnerabilities using the Go vulnerability database.
-* [`ask nancy`](https://github.com/sonatype-nexus-community/nancy): As part of our CI (see `run-tests.yml`), we run [nancy](https://github.com/sonatype-nexus-community/nancy) to check Go dependencies for vulnerabilities against the OSS Index. This helps us catch issues in third-party packages early.
+* [`ask nancy`](https://github.com/sonatype-nexus-community/nancy): As part of our CI (see `fortress.yml`), we run [nancy](https://github.com/sonatype-nexus-community/nancy) to check Go dependencies for vulnerabilities against the OSS Index. This helps us catch issues in third-party packages early.
 
 Want to run these yourself?
 

.github/actions/load-env/action.yml

@@ -0,0 +1,72 @@
+# ------------------------------------------------------------------------------------
+#  Load Environment Variables Composite Action
+#
+#  Purpose: Loads and parses the .github/.env.shared file into JSON format
+#           for use across all GitHub Actions workflows
+#
+#  Outputs:
+#    env-json: JSON object containing all environment variables from .env.shared
+#
+#  Usage:
+#    - uses: ./.github/actions/load-env
+#      id: load-env
+#
+#  Maintainer: @mrz1836
+#
+# ------------------------------------------------------------------------------------
+
+name: 'Load Environment Variables'
+description: 'Loads environment variables from .github/.env.shared and outputs as JSON'
+
+outputs:
+  env-json:
+    description: 'JSON object containing all environment variables'
+    value: ${{ steps.load-env.outputs.env-json }}
+  primary-runner:
+    description: 'Primary runner OS extracted from environment variables'
+    value: ${{ steps.load-env.outputs.primary-runner }}
+
+runs:
+  using: "composite"
+  steps:
+    # ————————————————————————————————————————————————————————————————
+    # Load and parse environment file
+    # ————————————————————————————————————————————————————————————————
+    - name: 🔧 Load environment variables
+      id: load-env
+      shell: bash
+      run: |
+        echo "📋 Loading environment variables from .github/.env.shared..."
+
+        # Convert .env file to JSON for easy passing between jobs
+        # Strip inline comments and process the file
+        ENV_JSON=$(cat .github/.env.shared | \
+          grep -v '^#' | \
+          grep -v '^$' | \
+          sed 's/#.*$//' | \
+          sed 's/[[:space:]]*$//' | \
+          jq -Rs 'split("\n") | map(select(length > 0) | split("=") | select(length == 2) | {(.[0]): .[1]}) | add')
+
+        # Check to make sure we have an ENV and it is not empty
+        if [[ -z "$ENV_JSON" ]]; then
+            echo "❌ ERROR: Environment variables are empty or not set." >&2
+            exit 1
+        fi
+
+        # Properly escape the JSON for GitHub Actions output
+        echo "env-json<<EOF" >> $GITHUB_OUTPUT
+        echo "$ENV_JSON" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+        echo "✅ Environment variables loaded successfully"
+
+        # Log count of variables loaded (for debugging)
+        VAR_COUNT=$(echo "$ENV_JSON" | jq 'keys | length')
+        echo "📊 Loaded $VAR_COUNT environment variables"
+
+        # Parse env for the primary_runner
+        PRIMARY_RUNNER=$(echo "$ENV_JSON" | jq -r '.PRIMARY_RUNNER')
+        if [[ -z "$PRIMARY_RUNNER" ]]; then
+            echo "❌ PRIMARY_RUNNER is not set in the environment file." >&2
+            exit 1
+        fi
+        echo "primary-runner=$PRIMARY_RUNNER" >> $GITHUB_OUTPUT