feat(gh): add default github repo files

.dockerignore

@@ -1,7 +1,9 @@
+# keep-sorted start
+*.yml
+.*.yaml
 .git
 .github
 demo
 images
 tests
-.*.yaml
-*.yml
+# keep-sorted end

.github/renovate.json5

@@ -1,5 +1,9 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // # keep-sorted start block=yes
+  "git-submodules": {
+    enabled: true,
+  },
   // Keep the extends started with ":" at the end of the list to allow overriding
   extends: [
     "config:recommended",
@@ -12,9 +16,6 @@
     ":enableVulnerabilityAlertsWithLabel(security)",
     ":pinSkipCi",
   ],
-  "git-submodules": {
-    enabled: true,
-  },
   labels: [
     "renovate",
     "renovate/{{replace '.*/' '' depName}}",
@@ -55,4 +56,5 @@
     },
   ],
   separateMinorPatch: true,
+  // # keep-sorted end
 }

.github/workflows/docker-image.yml

@@ -6,18 +6,18 @@ on:
   pull_request:
     types: [opened, synchronize]
     paths:
-      - Dockerfile
       - .dockerignore
-      - entrypoint.sh
       - .github/workflows/docker-image.yml
+      - Dockerfile
+      - entrypoint.sh
   push:
     branches:
       - main
     paths:
-      - Dockerfile
       - .dockerignore
-      - entrypoint.sh
       - .github/workflows/docker-image.yml
+      - Dockerfile
+      - entrypoint.sh
 
 permissions: read-all
 

.github/workflows/mega-linter.yml

@@ -37,7 +37,7 @@ jobs:
           chmod a+x README.sh
 
       - name: 💡 MegaLinter
-        uses: oxsecurity/megalinter@b38cdf1f0cbe056fad4112cb7cd99c2b574c9617 # v8.1.0
+        uses: oxsecurity/megalinter@d8c95fc6f2237031fb9e9322b0f97100168afa6e # v8.2.0
         env:
           GITHUB_COMMENT_REPORTER: false
           # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403

.github/workflows/release-please.yml

@@ -15,15 +15,15 @@ jobs:
   release-please-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
         with:
           release-type: simple
           skip-github-release: true
 
   release-please-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
         id: release
         with:
           release-type: simple
@@ -36,7 +36,7 @@ jobs:
         run: |
           git config user.name github-actions[bot]
           git config user.email 41898282+github-actions[bot]@users.noreply.github.com
-          git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/google-github-actions/release-please-action.git"
+          git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/googleapis/release-please-action.git"
           git tag -d v${{ steps.release.outputs.major }} || true
           git tag -d v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true
           git push origin :v${{ steps.release.outputs.major }} || true

.github/workflows/renovate.yml

@@ -6,10 +6,10 @@ on:
     inputs:
       dryRun:
         type: boolean
-        description: "Dry-Run"
+        description: Dry-Run
       logLevel:
         type: choice
-        description: "Log-Level"
+        description: Log-Level
         default: debug
         options:
           - info
@@ -20,23 +20,25 @@ on:
       - main
       - "!renovate/*"
   schedule:
-    - cron: "0 0-3 * * 0"
+    - cron: 0 0-3 * * 0
 
 env:
+  # keep-sorted start
   # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
-  LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}"
+  LOG_LEVEL: ${{ inputs.logLevel || 'debug' }}
+  RENOVATE_AUTOMERGE: "true"
+  # Renovate Automerge
+  RENOVATE_AUTOMERGE_TYPE: branch
+  # https://docs.renovatebot.com/self-hosted-configuration/#dryrun
+  # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated
+  RENOVATE_DRY_RUN: ${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}
+  # https://docs.renovatebot.com/configuration-options/#platformcommit
+  RENOVATE_PLATFORM_COMMIT: "true"
   # https://docs.renovatebot.com/self-hosted-configuration/#repositories
   RENOVATE_REPOSITORIES: ${{ github.repository }}
   # https://docs.renovatebot.com/self-hosted-configuration/#username
   RENOVATE_USERNAME: ${{ github.repository_owner }}
-  # https://docs.renovatebot.com/configuration-options/#platformcommit
-  RENOVATE_PLATFORM_COMMIT: "true"
-  # https://docs.renovatebot.com/self-hosted-configuration/#dryrun
-  # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated
-  RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}"
-  # Renovate Automerge
-  RENOVATE_AUTOMERGE_TYPE: "branch"
-  RENOVATE_AUTOMERGE: "true"
+  # keep-sorted end
 
 permissions: read-all
 

.github/workflows/stale.yml

@@ -4,7 +4,7 @@ name: stale
 on:
   workflow_dispatch:
   schedule:
-    - cron: "9 9 * * *"
+    - cron: 9 9 * * *
 
 permissions:
   issues: write
@@ -16,6 +16,7 @@ jobs:
     steps:
       - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
+          # keep-sorted start
           close-issue-message: |
             This issue has not seen any activity since it was marked stale.
             Closing.
@@ -32,3 +33,4 @@ jobs:
           stale-pr-message: |
             This PR is stale because it has been open 60 days with no activity.
             Remove stale label or comment or this will be closed in 7 days.
+          # keep-sorted end

.gitignore

@@ -1,5 +1,7 @@
-# pre-commit configuration file
-.pre-commit-config.yaml
-
+# keep-sorted start newline_separated=yes
 # Lychee cache
 .lycheecache
+
+# pre-commit configuration file
+.pre-commit-config.yaml
+# keep-sorted end

.mega-linter.yml

@@ -1,6 +1,7 @@
 # Configuration file for MegaLinter
 # See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation
 
+# keep-sorted start newline_separated=yes
 BASH_SHFMT_ARGUMENTS: --case-indent --indent 2 --space-redirects
 
 DISABLE_LINTERS:
@@ -18,6 +19,7 @@ FILTER_REGEX_EXCLUDE: CHANGELOG.md
 FORMATTERS_DISABLE_ERRORS: false
 
 MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml
+
 MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: CHANGELOG.md
 
 # Remove initial MegaLinter graphic
@@ -33,11 +35,12 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16
 
 REPOSITORY_KICS_ARGUMENTS: --fail-on high
 
-REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed
+REPOSITORY_TRIVY_ARGUMENTS: --severity HIGH,CRITICAL --ignore-unfixed
 
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN
 
 TYPESCRIPT_PRETTIER_ARGUMENTS: --html-whitespace-sensitivity=ignore
 
 VALIDATE_ALL_CODEBASE: true
+# keep-sorted end

.trivyignore

@@ -0,0 +1,3 @@
+# See: https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/
+# We allow root access in our container
+DS002