complete rework

Signed-off-by: Frédéric BIDON <fredbi@yahoo.com>

Author: fredbi

.cliff.toml

@@ -0,0 +1,181 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+[changelog]
+header = """
+"""
+
+footer = """
+
+-----
+
+**[{{ remote.github.repo }}]({{ self::remote_url() }}) license terms**
+
+[![License][license-badge]][license-url]
+
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: {{ self::remote_url() }}/?tab=Apache-2.0-1-ov-file#readme
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+
+body = """
+{%- if version %}
+## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }}
+{%- else %}
+## [unreleased]
+{%- endif %}
+{%- if message %}
+  {%- raw %}\n{% endraw %}
+{{ message }}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+{%- if version %}
+  {%- if previous.version %}
+
+**Full Changelog**: <{{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}>
+  {%- endif %}
+{%- else %}
+  {%- raw %}\n{% endraw %}
+{%- endif %}
+
+{%- if statistics %}{% if statistics.commit_count %}
+  {%- raw %}\n{% endraw %}
+{{ statistics.commit_count }} commits in this release.
+  {%- raw %}\n{% endraw %}
+{%- endif %}{% endif %}
+-----
+
+{%- for group, commits in commits | group_by(attribute="group") %}
+  {%- raw %}\n{% endraw %}
+### {{ group | upper_first }}
+    {%- raw %}\n{% endraw %}
+    {%- for commit in commits %}
+      {%- if commit.remote.pr_title %}
+        {%- set commit_message = commit.remote.pr_title %}
+      {%- else %}
+        {%- set commit_message = commit.message %}
+      {%- endif %}
+* {{ commit_message | split(pat="\n") | first | trim }}
+      {%- if commit.remote.username %}
+{%- raw %} {% endraw %}by [@{{ commit.remote.username }}](https://github.com/{{ commit.remote.username }})
+      {%- endif %}
+      {%- if commit.remote.pr_number %}
+{%- raw %} {% endraw %}in [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }})
+      {%- endif %}
+{%- raw %} {% endraw %}[...]({{ self::remote_url() }}/commit/{{ commit.id }})
+  {%- endfor %}
+{%- endfor %}
+
+{%- if github %}
+{%- raw %}\n{% endraw -%}
+  {%- set all_contributors = github.contributors | length %}
+  {%- if github.contributors | filter(attribute="username", value="dependabot[bot]") | length < all_contributors %}
+-----
+
+### People who contributed to this release
+  {% endif %}
+  {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* [@{{ contributor.username }}](https://github.com/{{ contributor.username }})
+    {%- endif %}
+  {%- endfor %}
+
+  {% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+-----
+    {%- raw %}\n{% endraw %}
+
+### New Contributors
+  {%- endif %}
+
+  {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+    {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %}
+* @{{ contributor.username }} made their first contribution
+      {%- if contributor.pr_number %}
+  in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \
+      {%- endif %}
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+
+{%- raw %}\n{% endraw %}
+
+{%- macro remote_url() -%}
+  https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}
+{%- endmacro -%}
+"""
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+# output file path
+# output = "test.md"
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = false
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = false
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+    # Check spelling of the commit message using https://github.com/crate-ci/typos.
+    # If the spelling is incorrect, it will be fixed automatically.
+    #{ pattern = '.*', replace_command = 'typos --write-changes -' }
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = false
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true },
+    { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true },
+    { field = "author.name", pattern = "dependabot*", group = "<!-- 0A -->Updates" },
+    { message = "([Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "<!-- 08 -->Security" },
+    { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "<!-- 05 -->Code quality" },
+    { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "<!-- 03 -->Documentation" },
+    { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "<!-- 00 -->Implemented enhancements" },
+    { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^test", group = "<!-- 06 -->Testing" },
+    { message = "(^fix)|(panic)", group = "<!-- 01 -->Fixed bugs" },
+    { message = "(^refact)|(rework)", group = "<!-- 02 -->Refactor" },
+    { message = "(^[Pp]erf)|(performance)", group = "<!-- 04 -->Performance" },
+    { message = "(^[Cc]hore)", group = "<!-- 07 -->Miscellaneous tasks" },
+    { message = "^[Rr]evert", group = "<!-- 09 -->Reverted changes" },
+    { message = "(upgrade.*?go)|(go\\s+version)", group = "<!-- 0A -->Updates" },
+    { message = ".*", group = "<!-- 0B -->Other" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Include only the tags that belong to the current branch.
+use_branch_tags = false
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order releases topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "newest"
+# Process submodules commits
+recurse_submodules = false
+
+#[remote.github]
+#owner = "go-openapi"

.github/workflows/README.md

@@ -0,0 +1,58 @@
+# CI workflows
+
+## Shared workflows
+
+### Dependencies automation
+
+* auto-merge.yml:
+  * auto-merge dependabot updates,  with dependency group rules
+  * auto-merge go-openapi bot updates
+
+### Test automation
+
+* go-test.yml: go unit tests
+* monorepo-go-test.yml: go unit tests for monorepos
+
+* collect-coverage.yml: (common) collect & publish test coverage (to codecov)
+* collect-reports.yml: (common) collect & publish test reports (to codecov and github)
+
+### Security 
+
+* codeql.yml: CodeQL workflow for go and github actions
+* scanner.yml: trivy & govulncheck scans
+
+### Release automation
+
+* bump-release.yml: manually triggered workflow to cut a release
+* tag-release.yml: cut a release on push tag
+* release.yml: (common) release & release notes build
+
+### Code quality
+
+* collect-coverage.yml: common collect & publish test coverage (to codecov)
+* collect-reports.yml: common collect & publish test reports (to codecov and github)
+
+### Documentation quality
+
+* contributors.yml: updates CONTRIBUTORS.md
+* doc-update.yml: lint & spellcheck on markdown updates
+* pr-comment.yml: common PR commment workflow
+
+## Test workflows
+
+* local-auto-merge.yml
+* local-bump-release.yml
+* local-codeql.yml
+* local-contributors.yml
+* local-doc-update.yml
+* local-go-test.yml
+* local-monorepo-go-test.yml
+* local-release.yml
+* local-scanner.yml
+* local-tag-release.yml
+
+## Configuration files
+
+* .cliff
+
+scripts

.github/workflows/auto-merge.yml

@@ -6,6 +6,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   dependabot:
     permissions:
@@ -31,46 +35,24 @@ jobs:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
         run: gh pr merge --auto --rebase "$PR_URL"
+
+  actions-bot:
+    # description: |
+    #   Auto merge for go-openapi bot.
+    #   The regular actions-bot user cannot approve and merge its own pull requests,
+    #   We use another bot user to update content to be approved/auto-merged by actions-bot.
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'bot-go-openapi[bot]' }}
+    env:
+      PR_URL: ${{github.event.pull_request.html_url}}
+      GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+    steps:
       -
-        name: Auto-merge dependabot PRs for go-openapi patches
-        if: >-
-          ${{
-            contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') &&
-            (
-              steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
-              steps.metadata.outputs.update-type == 'version-update:semver-patch'
-            )
-          }}
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-        run: gh pr merge --auto --rebase "$PR_URL"
+        name: Auto-approve all bot-go-openapi PRs
+        run: gh pr review --approve "$PR_URL"
       -
-        name: Auto-merge dependabot PRs for golang.org updates
-        if: ${{ contains(steps.metadata.outputs.dependency-group, 'golang-org-dependencies') }}
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        name: Auto-merge bot-go-openapi PRs
         run: gh pr merge --auto --rebase "$PR_URL"
-
-  # Auto merge is current disabled: we need automatic PRs to swap identity (e.g. using a Github App),
-  # so the pull_request event is properly captured and the PR can validate.
-  #actions-bot:
-  #  permissions:
-  #    contents: write
-  #    pull-requests: write
-  #  runs-on: ubuntu-latest
-  #  if: ${{ github.event.pull_request.user.login == 'github-actions[bot]' }}
-  #  steps:
-  #    -
-  #      name: Auto-approve all github-actions bot PRs
-  #      env:
-  #        PR_URL: ${{github.event.pull_request.html_url}}
-  #        GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-  #      run: gh pr review --approve "$PR_URL"
-  #    -
-  #      name: Auto-merge github-actions bot PRs
-  #      env:
-  #        PR_URL: ${{github.event.pull_request.html_url}}
-  #        GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-  #      run: gh pr merge --auto --rebase "$PR_URL"