chore: sync files with stordco/common-config-elixir

.credo.exs

@@ -81,7 +81,7 @@
         # You can customize the priority of any check
         # Priority values are: `low, normal, high, higher`
         #
-        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 2, if_called_more_often_than: 2]},
+        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 4, if_called_more_often_than: 2]},
         {Credo.Check.Design.DuplicatedCode, false},
         # You can also customize the exit_status of each check.
         # If you don't want TODO comments to cause `mix credo` to fail, just

.github/pull_request_template.md

@@ -1,3 +1,9 @@
+## Related Ticket(s)
+
+<!--
+Enter the Jira issue below in the following format: PROJECT-##
+-->
+
 ## Checklist
 
 <!--

.github/release-please-config.json → .github/release-please-config-stable.json

@@ -7,6 +7,11 @@
       "section": "Features",
       "hidden": false
     },
+    {
+      "type": "hotfix",
+      "section": "Hotfixes",
+      "hidden": true
+    },
     {
       "type": "fix",
       "section": "Bug Fixes",
@@ -22,9 +27,7 @@
   "draft-pull-request": false,
   "packages": {
     ".": {
-      "extra-files": [
-        "README.md"
-      ],
+      "extra-files": ["README.md"],
       "release-type": "elixir"
     }
   },

.github/workflows/ci.yaml

@@ -46,7 +46,7 @@ jobs:
 
       - id: changed
         name: Get Changed Files
-        uses: tj-actions/changed-files@v43
+        uses: tj-actions/changed-files@v44
         with:
           files_yaml: |
             database:
@@ -55,8 +55,14 @@ jobs:
             docker:
               - '.github/workflows/ci.yaml'
               - 'Dockerfile'
+            documentation:
+              - 'docs/**'
+              - 'priv/documentation/**'
+              - '**.ex'
+              - '**.md'
             elixir:
               - '.github/workflows/ci.yaml'
+              - '.tool-versions'
               - 'priv/**'
               - '**.ex'
               - '**.exs'
@@ -92,6 +98,9 @@ jobs:
     needs: [Changed]
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -128,7 +137,7 @@ jobs:
         run: mix dialyzer --format github
 
   Documentation:
-    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.documentation == 'true' }}
     needs: [Changed]
     runs-on: ubuntu-latest
 
@@ -209,3 +218,34 @@ jobs:
           - elixir: 1.15
             otp: 26
 
+  Trivy_Filesystem:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') }}
+    name: Trivy Filesystem Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Elixir
+        uses: stordco/actions-elixir/setup@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
+
+      - name: Trivy Scan
+        uses: stordco/actions-trivy@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          scan-type: fs
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_SECURITY_ALERTS }}
+          update-db: false
+

.github/workflows/pr.yaml

@@ -30,7 +30,7 @@ jobs:
               return;
             }
 
-            const REGEX = /^(feat!|fix!|fix|feat|chore|(fix|feat|chore)\(\w.*\)):\s(\[\w{1,8}-\d{1,8}\]|.*).*/;
+            const REGEX = /^(feat!|fix!|hotfix!|fix|feat|chore|hotfix|(fix|feat|chore|hotfix)\(\w.*\)):\s(\[\w{1,8}-\d{1,8}\]|.*).*/;
 
             if (!REGEX.test(title)) {
               core.setFailed("Pull request title does not follow conventional commits");
@@ -43,7 +43,10 @@ jobs:
                 fix: [JIRA-1234] fix an existing feature
                 feat: [JIRA-1234] a new feature to release
                 feat!: a breaking change
+                hotfix: needed in production immediately
 
-            Note: Adding ! (i.e. \`feat!:\`) represents a breaking change and will result in a SemVer major release.
+            Adding ! (i.e. \`feat!:\`) represents a breaking change and will result in a SemVer major release.
+
+            Starting a commit with \`hotfix\` will result in a seperate hotfix release PR.
                 `.trim());
             }

.github/workflows/release.yaml

@@ -12,15 +12,15 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  Please:
+  Stable:
     runs-on: ubuntu-latest
 
     steps:
       - id: release
         name: Release
-        uses: google-github-actions/release-please-action@v4
+        uses: googleapis/release-please-action@v4
         with:
-          config-file: .github/release-please-config.json
+          config-file: .github/release-please-config-stable.json
           manifest-file: .github/release-please-manifest.json
           target-branch: main
           token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/staging.yaml

@@ -26,6 +26,9 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -38,7 +41,7 @@ jobs:
           oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
           oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
-      - name: Build
+      - name: Docs
         run: mix docs
 
       - name: Set CNAME

.github/workflows/trivy.yaml

@@ -0,0 +1,32 @@
+# This file is synced with stordco/common-config-elixir. Any changes will be overwritten.
+
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # Run daily at midnight UTC
+  workflow_dispatch: # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}

.trivy/fs-config.yaml

@@ -0,0 +1,18 @@
+# This file is synced with stordco/common-config-elixir. Any changes will be overwritten.
+
+exit-code: '1'
+format: 'json'
+output: 'trivy-fs-results.json'
+scanners:
+  - vuln
+severity:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+  - UNKNOWN
+timeout: '3m'
+vulnerability:
+  type:
+    - os
+    - library