ci: Add required workflows and dependabot configuration

.github/.trivyignore.yaml

@@ -0,0 +1,2 @@
+# Trivy Ignore File
+# Add patterns here to exclude from security scanning

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/trivy.yaml

@@ -0,0 +1,29 @@
+# Trivy Security Scanner Configuration
+# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/
+
+scan:
+  scanners:
+    - vuln
+    - secret
+
+  skip-dirs:
+    - node_modules
+    - .git
+    - coverage
+    - ci
+
+severity:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+
+pkg:
+  types:
+    - os
+    - library
+  include-dev-deps: true
+
+format: "sarif"
+ignorefile: ".github/.trivyignore.yaml"
+exit-code: 0

.github/workflows/project-automation.yml

@@ -0,0 +1,11 @@
+name: Project automations
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  add_to_product_board:
+    uses: flowfuse/.github/.github/workflows/project-automation.yml@main
+    secrets:
+      token: ${{ secrets.PROJECT_ACCESS_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,75 @@
+name: Release Container
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Calculate release version
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.semantic.outputs.new_release_version }}
+      new-release-published: ${{ steps.semantic.outputs.new_release_published }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '24'
+
+      - name: Create release
+        id: semantic
+        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  publish:
+    name: Build and Push Image
+    runs-on: ubuntu-latest
+    needs: release
+    if: needs.release.outputs.new-release-published == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Prepare container metadata
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        with:
+          tags: |
+            type=raw,enable=true,priority=200,prefix=,suffix=,value=${{ needs.release.outputs.version }}
+          flavor: |
+            latest=true
+          images: |
+            flowfuse/ingress-migration-tool
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          push: true

.github/workflows/sast-scan.yaml

@@ -0,0 +1,19 @@
+name: SAST Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    name: SAST Scan
+    uses : flowfuse/github-actions-workflows/.github/workflows/sast_scan.yaml@v0.52.0

.releaserc

@@ -0,0 +1,27 @@
+{
+  "branches": ["main"],
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "angular",
+        "parserOpts": {
+          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES", "BREAKING"]
+        }
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "angular",
+        "parserOpts": {
+          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES", "BREAKING"]
+        },
+        "writerOpts": {
+          "commitsSort": ["subject", "scope"]
+        }
+      }
+    ],
+    "@semantic-release/github"
+  ]
+}

README.md

@@ -37,3 +37,119 @@ make build-docker
 
 - The tool attempts in-cluster config first, then falls back to `KUBECONFIG` or `~/.kube/config`.
 - It skips ingresses that already use the target class or already have the configured suffix.
+
+## Development
+
+### Prerequisites
+
+- Go 1.25 or later ([Install Go](https://go.dev/doc/install))
+- Make (optional, for using Makefile commands)
+
+### Development Setup
+
+```bash
+# Install dependencies
+go mod download
+
+# Run locally
+go run main.go --help
+```
+
+### Building
+
+```bash
+# Build binary
+make build
+```
+
+Binary will be created in the `./build` directory.
+
+### Code Quality
+
+```bash
+# Run all quality checks
+make check-quality
+
+# Individual commands
+make lint    # Run linter
+make fmt     # Format code
+make vet     # Run go vet
+```
+
+### Cleaning Up
+
+To clean up build artifacts and temporary files, run:
+
+```bash
+make clean
+```
+
+## Contributing
+
+### Commit Message Format
+
+This project uses [Conventional Commits](https://www.conventionalcommits.org/) 
+with Angular preset for automated versioning and releases. 
+
+#### Commit Message Structure
+
+```
+<type>: <description>
+
+[optional body]
+
+[optional footer(s)]
+```
+
+#### Supported Types and Release Impact
+
+| Type | Description | Release Impact |
+|------|-------------|----------------|
+| `feat` | New feature | Minor version bump |
+| `fix` | Bug fix | Patch version bump |
+| `perf` | Performance improvement | Patch version bump |
+| `refactor` | Code refactoring | Patch version bump |
+| `chore` | Maintenance tasks | Patch version bump |
+| `docs` | Documentation changes | Patch version bump |
+| `style` | Code style changes | Patch version bump |
+| `test` | Test changes | Patch version bump |
+
+#### Breaking Changes
+
+For breaking changes, add `BREAKING CHANGE:` in the commit footer or use `!` after the type/scope:
+
+```
+feat! : drop support for running on Kubernetes v1.16
+
+BREAKING CHANGE: The minimum supported Kubernetes version is now v1.17
+```
+
+This will trigger a major version bump.
+
+#### Examples
+
+```bash
+# Feature addition (minor release)
+feat: add support for custom installation directory
+
+# Bug fix (patch release)
+fix: resolve service startup issue on OpenShift
+
+# Breaking change (major release)
+feat! : remove support for local binary execution
+
+BREAKING CHANGE: The tool will no longer support local binary execution. Users must use the tool as Kubernetes Job.
+```
+
+## Release Process
+
+> [!IMPORTANT]
+> A release of the Ingress Migration Tool is not coupled with the main FlowFuse release process. 
+
+To release a new version of the Ingress Migration Tool, follow these steps:
+1. Ensure all changes are committed and follow the commit message format outlined above.
+2. Manually trigger the [Installer Release](https://github.com/FlowFuse/ingress-migration-tool/actions/workflows/release.yaml) workflow 
+3. The worflow will:
+    * Calculate the new version based on commit messages since the last release
+    * Build and push the Docker image to the Docker Hub with the new version tag
+    * Create a new release on GitHub with the changelog