dadrus · dadrus · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,37 +5,56 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
-  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.25.0"
+  GOLANGCI_LINT_VERSION: "v2.9.0"
+
+permissions: {}
 
 jobs:
   lint-code:
     name: Run Linters
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
+    timeout-minutes: 10
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          fetch-depth: 0
+          persist-credentials: false
       - name: Review code
         uses: reviewdog/action-golangci-lint@c76cceaaab89abe74e649d2e34c6c9adc26662d2 # v2.10.0
         with:
-          go_version: 1.25.0
-          golangci_lint_version: v2.4.0
+          go_version: "${{ env.GO_VERSION }}"
+          golangci_lint_version: "${{ env.GOLANGCI_LINT_VERSION }}"
           reporter: github-pr-review
-          fail_on_error: true
+          fail_level: error
 
   check-licenses:
     name: Check Licenses
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: 1.25.0
+          go-version: "${{ env.GO_VERSION }}"
       - name: Get google/go-licenses package
         run: go install github.com/google/go-licenses@v1.6.0
       - name: Check the licenses
@@ -45,22 +64,41 @@ jobs:
   test:
     name: Run Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          ref: ${{ github.head_ref }}
+          persist-credentials: false
           fetch-depth: 0
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: 1.25.0
+          go-version: "${{ env.GO_VERSION }}"
+      - name: Install go-junit-report
+        run: go install github.com/jstemmer/go-junit-report/v2@v2.1.0
       - name: Execute tests
         run: |
-          go test -v -gcflags=all=-l -cover ./... -coverprofile coverage.out -coverpkg ./...
-      - name: Upload code coverage report
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+          set -o pipefail
+          go test -v -coverprofile=coverage.cov -coverpkg=./... ./... 2>&1 | \
+          tee >(go-junit-report -set-exit-code > junit-report.xml)
+      - name: Upload test results to Codecov
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        if: always() && !cancelled()
+        with:
+          report_type: test_results
+          files: junit-report.xml
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload code coverage report to Codecov
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
-          files: coverage.out
+          report_type: coverage
+          files: coverage.cov
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/please-release.yaml b/.github/workflows/please-release.yaml
@@ -0,0 +1,34 @@
+name: please-release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  create-release:
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+      contents: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+      - name: Please Release
+        id: create_release
+        uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1
+        with:
+          target-branch: ${{ github.ref_name }}
+          token: ${{ secrets.RELEASE_TOKEN }}
+          skip-github-pull-request: true
+      - name: Please Release PR
+        if: steps.create_release.outputs.release_created == false
+        uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1
+        with:
+          target-branch: ${{ github.ref_name }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          skip-github-release: true
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -1,5 +1,8 @@
 name: "Security Scan"
 
+env:
+  GO_VERSION: "1.25.0"
+
 on:
   push:
     branches: [main]
@@ -8,17 +11,24 @@ on:
   schedule:
     - cron: '34 0 * * 6'
 
-permissions: read-all
+permissions: {}
 
 jobs:
   trivy-scan:
     name: Trivy Scan
     runs-on: ubuntu-24.04
     permissions:
+      contents: read
       security-events: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master
         with:
@@ -37,14 +47,21 @@ jobs:
     name: CodeQL Scan
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: 1.25.0
+          go-version: "${{ env.GO_VERSION }}"
       - name: Initialize CodeQL
         uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+  ".": "0.9.0"
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/release-please-config.json b/release-please-config.json
@@ -0,0 +1,17 @@
+{
+  "bump-minor-pre-major": true,
+  "draft": false,
+  "release-type": "go",
+  "changelog-sections": [
+    { "type": "feat", "section": "Features", "hidden": false },
+    { "type": "refactor", "section": "Code Refactorings", "hidden": true },
+    { "type": "perf", "section": "Performance Improvements", "hidden": false },
+    { "type": "fix", "section": "Bug Fixes", "hidden": false },
+    { "type": "docs", "section": "Documentation", "hidden": false },
+    { "type": "deps", "section": "Dependencies", "hidden": false }
+  ],
+  "packages": {
+    ".": {}
+  },
+  "bootstrap-sha": "1bbd17383c654ec6c3885299826543f37f6aac9a"
+}
diff --git a/renovate.json b/renovate.json
@@ -4,6 +4,7 @@
     "config:recommended",
     ":semanticCommitScopeDisabled",
     ":semanticCommitTypeAll(chore)",
+    "docker:pinDigests",
     "helpers:pinGitHubActionDigests",
     ":pinDevDependencies"
   ],
@@ -13,12 +14,21 @@
         "golang"
       ],
       "semanticCommitType": "deps"
+    },
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchFileNames": [
+        ".github/workflows/release.yaml"
+      ],
+      "matchPackageNames": [
+        "slsa-framework/slsa-github-generator"
+      ],
+      "pinDigests": false
     }
   ],
   "configMigration": true,
-  "baseBranchPatterns": [
-    "main"
-  ],
   "assigneesFromCodeOwners": true,
   "addLabels": [
     "dependency"