Merge branch 'main' into issue-366

.github/release.yml

@@ -1,19 +1,40 @@
 ---
-
 # https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
 
 changelog:
   exclude:
     labels:
-      - ignore-for-release
+      - duplicate
+      - invalid
+      - modulesync
+      - question
       - skip-changelog
+      - wont-fix
+      - wontfix
+      - github_actions
+
   categories:
     - title: Breaking Changes 🛠
       labels:
-        - breaking-change
+        - backwards-incompatible
+
     - title: New Features 🎉
       labels:
         - enhancement
+
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+
+    - title: Documentation Updates 📚
+      labels:
+        - documentation
+        - docs
+
+    - title: Dependency Updates ⬆️
+      labels:
+        - dependencies
+
     - title: Other Changes
       labels:
         - "*"

.github/workflows/build_docker.yml

@@ -6,6 +6,7 @@ on:
       - 'main'
     tags:
       - '*'
+  workflow_dispatch:
 
 env:
   TAG: ${{ github.ref_name == 'main' && 'development' || github.ref_name }}

.github/workflows/ci.yaml

@@ -58,7 +58,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Build Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           tags: 'ci/hdm:${{ github.sha }}'
@@ -74,3 +74,24 @@ jobs:
     name: Test suite
     steps:
       - run: echo Test suite completed
+
+  dependabot:
+    permissions:
+      contents: write
+    name: 'Dependabot auto-merge'
+    needs:
+      - tests
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/[email protected]
+        with:
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
+
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/release.yml

@@ -15,40 +15,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      # - name: Set up Ruby
-      #   uses: ruby/setup-ruby@v1
-      #   with:
-      #     bundler-cache: true
-
-      # - name: Prep Environment
-      #   run: |
-      #     bundle config set --local with 'release'
-      #     bundle install
-      #     mkdir -p build
-
-      # - name: Get previous Tag
-      #   id: get-previous-tag
-      #   run: |
-      #     EXCLUDES=$(git describe --abbrev=0 --tags)
-      #     PTAG=$(git describe --abbrev=0 --tags --exclude="${EXCLUDES}")
-      #     echo "previous_tag=${PTAG}" >> "$GITHUB_OUTPUT"
-
-      # - name: Generate Changelog
-      #   env:
-      #     CHANGELOG_GITHUB_TOKEN: ${{ github.token }}
-      #   run: |
-      #     bundle exec github_changelog_generator \
-      #     --user ${{ github.repository_owner }} \
-      #     --project "hdm" \
-      #     --since-tag ${{ steps.get-previous-tag.outputs.previous_tag }} \
-      #     --future-release ${{ github.ref_name }} \
-      #     --output build/changelog.md
-
-      # - name: Create Release
-      #   env:
-      #     GH_TOKEN: ${{ github.token }}
-      #   run: gh release create ${{ github.ref_name }} --notes-file build/changelog.md --title "Release ${{ github.ref_name }}"
-
       - name: Create Release
         env:
           GH_TOKEN: ${{ github.token }}

.github/workflows/security_scanning.yml

@@ -0,0 +1,44 @@
+---
+name: Security Scanning 🕵️
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  scan_ci_container:
+    name: 'Scan CI container'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build CI container
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          tags: 'ci/hdm:${{ github.sha }}'
+          push: false
+
+      - name: Scan image with Anchore Grype
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: 'ci/hdm:${{ github.sha }}'
+          fail-build: false
+
+      - name: Inspect action SARIF report
+        run: jq . ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

.gitignore

@@ -8,6 +8,7 @@
 /.bundle
 /.vendor
 /vendor/bundle
+/vendor/ruby
 
 # Ignore the default SQLite database.
 /db/*.sqlite3

.ruby-version

@@ -1 +1 @@
-ruby-3.3.1
+ruby-3.3.5

.tool-versions

@@ -1 +1 @@
-ruby 3.3.1
+ruby 3.3.5