feat(gh): add default github repo files (#549)

Author: ruzickap

.github/renovate.json5

@@ -1,5 +1,9 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // # keep-sorted start block=yes
+  "git-submodules": {
+    enabled: true,
+  },
   // Keep the extends started with ":" at the end of the list to allow overriding
   extends: [
     "config:recommended",
@@ -12,9 +16,6 @@
     ":enableVulnerabilityAlertsWithLabel(security)",
     ":pinSkipCi",
   ],
-  "git-submodules": {
-    enabled: true,
-  },
   labels: [
     "renovate",
     "renovate/{{replace '.*/' '' depName}}",
@@ -55,4 +56,5 @@
     },
   ],
   separateMinorPatch: true,
+  // # keep-sorted end
 }

.github/workflows/mega-linter.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout Code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Restore lychee cache
         uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
@@ -37,7 +37,7 @@ jobs:
           chmod a+x README.sh
 
       - name: 💡 MegaLinter
-        uses: oxsecurity/megalinter@b38cdf1f0cbe056fad4112cb7cd99c2b574c9617 # v8.1.0
+        uses: oxsecurity/megalinter@d8c95fc6f2237031fb9e9322b0f97100168afa6e # v8.2.0
         env:
           GITHUB_COMMENT_REPORTER: false
           # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403

.github/workflows/renovate.yml

@@ -23,20 +23,22 @@ on:
     - cron: 0 0-3 * * 0
 
 env:
+  # keep-sorted start
   # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
   LOG_LEVEL: ${{ inputs.logLevel || 'debug' }}
+  RENOVATE_AUTOMERGE: "true"
+  # Renovate Automerge
+  RENOVATE_AUTOMERGE_TYPE: branch
+  # https://docs.renovatebot.com/self-hosted-configuration/#dryrun
+  # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated
+  RENOVATE_DRY_RUN: ${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}
+  # https://docs.renovatebot.com/configuration-options/#platformcommit
+  RENOVATE_PLATFORM_COMMIT: "true"
   # https://docs.renovatebot.com/self-hosted-configuration/#repositories
   RENOVATE_REPOSITORIES: ${{ github.repository }}
   # https://docs.renovatebot.com/self-hosted-configuration/#username
   RENOVATE_USERNAME: ${{ github.repository_owner }}
-  # https://docs.renovatebot.com/configuration-options/#platformcommit
-  RENOVATE_PLATFORM_COMMIT: "true"
-  # https://docs.renovatebot.com/self-hosted-configuration/#dryrun
-  # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated
-  RENOVATE_DRY_RUN: ${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}
-  # Renovate Automerge
-  RENOVATE_AUTOMERGE_TYPE: branch
-  RENOVATE_AUTOMERGE: "true"
+  # keep-sorted end
 
 permissions: read-all
 
@@ -48,7 +50,7 @@ jobs:
     permissions: write-all
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
         id: app-token

.github/workflows/stale.yml

@@ -16,6 +16,7 @@ jobs:
     steps:
       - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
+          # keep-sorted start
           close-issue-message: |
             This issue has not seen any activity since it was marked stale.
             Closing.
@@ -32,3 +33,4 @@ jobs:
           stale-pr-message: |
             This PR is stale because it has been open 60 days with no activity.
             Remove stale label or comment or this will be closed in 7 days.
+          # keep-sorted end

.mega-linter.yml

@@ -1,10 +1,12 @@
 # Configuration file for MegaLinter
 # See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation
 
+# keep-sorted start newline_separated=yes
+ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: ansible/.ansible-lint
+
 ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS:
   - command: ansible-galaxy install -r ansible/requirements.yml
     cwd: "workspace"
-ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: ansible/.ansible-lint
 
 BASH_SHFMT_ARGUMENTS: --case-indent --indent 2 --space-redirects
 
@@ -23,6 +25,7 @@ FILTER_REGEX_EXCLUDE: CHANGELOG.md
 FORMATTERS_DISABLE_ERRORS: false
 
 MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml
+
 MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: CHANGELOG.md
 
 # Remove initial MegaLinter graphic
@@ -38,11 +41,12 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16
 
 REPOSITORY_KICS_ARGUMENTS: --fail-on high
 
-REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed
+REPOSITORY_TRIVY_ARGUMENTS: --severity HIGH,CRITICAL --ignore-unfixed
 
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN
 
 TYPESCRIPT_PRETTIER_ARGUMENTS: --html-whitespace-sensitivity=ignore
 
 VALIDATE_ALL_CODEBASE: true
+# keep-sorted end