ci(deps): bump cycjimmy/semantic-release-action from 4 to 6 #18
Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 4 to 6.
- [Release notes](https://github.com/cycjimmy/semantic-release-action/releases)
- [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md)
- [Commits](cycjimmy/semantic-release-action@v4...v6)

---
updated-dependencies:
- dependency-name: cycjimmy/semantic-release-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
ff39d26 to 586b73d
* feat: add GitOps Update workflow and comprehensive documentation - Add GitOps Update reusable workflow with multi-environment support (dev/stg/prd/sandbox) - Add self-release workflow for automated semantic versioning - Create comprehensive documentation for all workflows: - GitOps Update workflow guide - API Dog E2E Tests workflow guide - PR Security Scan workflow guide - Release workflow guide - Documentation index with examples and best practices - Add semantic release configuration (.releaserc.yml) - Update CONTRIBUTING.md with conventional commits guidelines and release process - Update README.md with versioning section and documentation links - Simplify release workflow to use .releaserc.yml configuration Key Features: - Multi-environment GitOps updates with automatic tag detection - Static and dynamic YAML key mapping support - Optional ArgoCD sync integration - Docker Hub login to avoid rate limits - Comprehensive documentation with examples and troubleshooting - Automated semantic versioning with conventional commits * chore: change dependabot target branch to develop * chore: add PR template * feat(gitops): add convention-based configuration with auto-generated paths and names - Add convention-based configuration that auto-generates values from repository name - Auto-generate app name, artifact pattern, commit prefix, and ArgoCD app name - Auto-generate GitOps file paths based on server and environment - Make Docker Hub login enabled by default to avoid rate limits - Simplify ArgoCD sync steps using the action module - Remove sandbox tag detection (sandbox only updates with production releases) - Update production releases to sync both prd and sandbox environments - Reduce required inputs from 11 to just 1 (yaml_key_mappings) - Update documentation with simplified examples and convention details * docs: replace real repository names and IDs with fictional examples - Replace real repository names (plugin-auth, plugin-crm, midaz) with generic examples - 
Replace real Apidog environment IDs with fictional values - Replace organization-specific secret names with generic examples - Move environment_id from input to secret in api-dog-e2e-tests workflow for better security - Update all documentation examples to use fictional data * chore: remove rc rule from .releaserc.yml * chore: pass dockerfile path as parameter * chore: pass npm secrets as parameter * chore: pass npm secrets as parameter * refactor: simplify GitOps workflow environment detection and file handling * fix: simplify ArgoCD app name handling in sync workflow * feat: enhanced Go workflows with monorepo support and Slack notifications (#23) * feat: add Go workflows and PR validation with GitHub token support Add comprehensive Go project workflows: - go-ci.yml: Multi-version CI with linting and cross-platform builds - go-security.yml: Security scanning with 8 tools (gosec, trivy, etc.) - go-release.yml: Automated releases with GoReleaser - go-unit-tests.yml: Fast unit testing with matrix support - go-coverage-check.yml: Coverage validation with PR comments - pr-validation.yml: PR validation with semantic titles and auto-labeling All workflows support GitHub token as optional secret parameter for API operations. Token defaults to GITHUB_TOKEN if not provided. Add release-candidate branch to semantic-release configuration. Update documentation: - Add workflow usage guides for all new workflows - Remove emojis from README - Update branch order to: develop, release-candidate, main * fix: rename github_token to manage_token to avoid reserved name collision GitHub Actions reserves the name 'github_token' as a system name, causing workflow_call to fail with collision error. 
Changes: - Rename secret 'github_token' to 'manage_token' in go-coverage-check.yml - Rename secret 'github_token' to 'manage_token' in pr-validation.yml - Update all references (9 total) across both workflows This aligns with the pattern used in gitops-update.yml and prevents the "secret name collides with system reserved name" error. * Upgrade CodeQL Action from v3 to v4 Updated the CodeQL action used for SARIF upload from the deprecated v3 to the current v4 version. Changes: - Update github/codeql-action/upload-sarif from v3 to v4 This addresses the deprecation warning: "CodeQL Action v3 will be deprecated in December 2026" Benefits of v4: - Improved performance and stability - Better permission handling with reusable workflows - Enhanced compatibility with GitHub's security features - Long-term support and active maintenance Reference: https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/ This should also resolve the "Resource not accessible by integration" errors when uploading SARIF files to GitHub Code Scanning. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: rename github_token to manage_token to avoid reserved name conflict (#21) * fix: update go-coverage-report version and remove all-checks-pass job - Update fgrosse/go-coverage-report from @v1 to @v1.2.0 (v1 doesn't exist) - Remove all-checks-pass job to prevent cascading failures - Individual checks are sufficient for PR validation Fixes issues in lerian-cli PR #1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix(go-coverage-check): aggregate coverage by package instead of listing individual files ## Problem The "Coverage by Package" section in PR comments was empty or showing individual file entries instead of aggregated package-level coverage. The AWK script had two issues: 1. Used reserved keyword `func` as variable name (syntax error) 2. 
Listed individual files with coverage, not package aggregates ## Solution - Generate markdown table format for better readability - Extract package path by removing filename from file path - Accumulate coverage data across all functions in each package - Calculate average coverage percentage per package - Sort packages alphabetically for consistent output ## Changes - Replace bullet list with markdown table (| Package | Coverage |) - Fix AWK syntax by using `pkg` instead of reserved `func` - Add aggregation logic to sum coverage across package functions - Add debug output to show generated coverage report ## Output Example ### Before (Broken) \`\`\` ## Coverage by Package - **path/to/file.go**: 85.5% - **path/to/file.go**: 90.2% ... \`\`\` ### After (Fixed) \`\`\` ## Coverage by Package | Package | Coverage | |---------|----------| | \`github.com/org/project/internal/client\` | 95.6% | | \`github.com/org/project/internal/config\` | 88.7% | | \`github.com/org/project/internal/output\` | 98.8% | \`\`\` ## Testing Tested with Go 1.24 coverage files, verified correct aggregation across multiple packages with varying coverage levels. * feat(changed-paths): add reusable workflow for detecting changed paths Adds a new reusable workflow for monorepo CI/CD optimization that detects changed paths between commits with support for path filtering, path level trimming, and app name generation for matrix strategies. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat: add Go PR analysis reusable workflow New workflow for Go monorepo PR analysis that handles: - Change detection for specified paths - Matrix-based execution per changed app - GolangCI-Lint with configurable version - Security scanning (gosec, govulncheck) - Unit tests with coverage - Coverage threshold check with PR comments - Build verification All logic is centralized in this workflow for easy maintenance. 
Includes documentation at docs/go-pr-analysis-workflow.md * feat: upgrade golangci-lint-action to v7 for golangci-lint v2 support - golangci-lint v2.x requires golangci-lint-action v7 - v6 only supports golangci-lint v1.x Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat: add detailed coverage report with package breakdown - Generate coverage by package table in PR comments - Generate HTML coverage report as artifact - Add coverage summary to GitHub Actions summary - Update existing PR comments instead of creating duplicates Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: add debug logging for coverage comment posting Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat: add monorepo support with filter_paths for release workflow - Add filter_paths input to detect changes in monorepo apps - Add prepare_matrix job to build dynamic matrix from changed paths - If filter_paths provided: detects changes and releases only changed apps - If filter_paths empty: single app mode, releases from root - Support per-app working directories via matrix - Install @semantic-release/changelog for per-app changelogs Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat: add unified build workflow for Docker images - Support both DockerHub and GHCR registries - Optional change detection with filter_paths for monorepo - Platform strategy: beta/rc = amd64 only, release = amd64+arm64 - Semantic versioning tags - Optional app name prefix for monorepo apps - Build caching with GitHub Actions cache - Default runner: firmino-lxc-runners Also updated release.yml default runner to firmino-lxc-runners. 
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat: use changed-paths.yml internally for monorepo detection Updated build.yml, release.yml, and pr-security-scan.yml to use the local changed-paths.yml workflow instead of external action. - Removed dependency on LerianStudio/github-actions-changed-paths - All workflows now use 3-job pattern: detect_changes -> prepare -> main job - Changed filter_paths to JSON array format for consistency - Default runner: firmino-lxc-runners Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: improve GHCR authentication and image naming - Use github.actor for GHCR username (matches existing pipeline) - Require ghcr_token secret (no fallback) - Normalize repository owner to lowercase (GHCR requirement) Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: use github-actions-changed-paths action in all workflows Switched from workflow call (./.github/workflows/changed-paths.yml) to using the action (LerianStudio/github-actions-changed-paths@main) as a step within jobs. This approach works because actions can be used from any repository, while workflow calls with relative paths fail when called from external repositories. - build.yml: use action in prepare job - release.yml: use action in prepare job - pr-security-scan.yml: already using action (no change) Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: remove block scalar from filter_paths to fix action input The YAML block scalar (|-) was causing issues when passing filter_paths to the github-actions-changed-paths action. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: move working_directory to action input for semantic-release step working-directory is only valid for 'run' steps, not 'uses' steps. 
The cycjimmy/semantic-release-action accepts working_directory as an input. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: add Node.js setup step for release workflow Self-hosted runners may not have Node.js installed. Add actions/setup-node@v4 to ensure npm is available. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: extract version from prefixed tag for Docker metadata Monorepo tags like 'agent-v1.0.0-beta.1' need the prefix stripped to get a valid semver 'v1.0.0-beta.1' for docker/metadata-action. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: handle multi-hyphen app names in version extraction Use sed pattern that finds '-v' followed by digit to properly extract version from tags like 'control-plane-v1.0.0-beta.1'. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat(go-pr-analysis): add single-app mode when filter_paths is empty When filter_paths is not provided or empty, the workflow now treats the repository as a single-app repo and runs against the root directory instead of trying to detect changed directories. 
This simplifies usage for non-monorepo Go projects: - Monorepo: filter_paths: '["apps/api", "apps/worker"]' - Single-app: filter_paths not set (or empty) Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat(build): add GitOps artifacts upload support - Add enable_gitops_artifacts input (default: false) - Upload tag artifacts for downstream gitops-update workflow - Artifacts follow pattern: gitops-tags-<app-name>/<app-name>.tag * feat(workflows): add Slack notifications to all reusable workflows - Created slack-notify.yml reusable workflow for centralized notifications - All workflows now notify on both success and failure - Messages include: repo name, author, failed jobs (on failure), commit, branch - Graceful degradation when SLACK_WEBHOOK_URL secret not configured - Uses secrets: inherit pattern for app repos (no per-repo configuration needed) Updated workflows: - build.yml - go-pr-analysis.yml - pr-validation.yml - pr-security-scan.yml - release.yml - gitops-update.yml - api-dog-e2e-tests.yml - go-release.yml Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat(workflows): migrate to secrets inherit pattern - Remove secrets declarations from workflow_call (workflows now use org secrets directly) - Update secret references to use uppercase org secret names: - DOCKER_USERNAME, DOCKER_PASSWORD - MANAGE_TOKEN - LERIAN_STUDIO_MIDAZ_PUSH_BOT_APP_ID, LERIAN_STUDIO_MIDAZ_PUSH_BOT_PRIVATE_KEY - LERIAN_CI_CD_USER_GPG_KEY, LERIAN_CI_CD_USER_GPG_KEY_PASSWORD - LERIAN_CI_CD_USER_NAME, LERIAN_CI_CD_USER_EMAIL - ARGOCD_GHUSER_TOKEN, ARGOCD_URL - TAP_GITHUB_TOKEN, GORELEASER_KEY, NPMRC_TOKEN - Keep slack-notify.yml with secret input (nested workflow requirement) - Keep api-dog-e2e-tests.yml unchanged (app-specific secrets, notifications commented out) App repos now use 'secrets: inherit' for simpler configuration. 
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * feat(pr-validation): add source branch validation - Add enforce_source_branches input to enable branch source checking - Add allowed_source_branches input for configuring allowed patterns - Add target_branches_for_source_check input for specifying protected branches - Add pr-source-branch job that validates and adds REQUEST_CHANGES review if invalid - Supports exact match (develop) and prefix match (hotfix/*) patterns * fix(pr-security-scan): scan only changed component folder instead of entire repo - Change scan-ref from '.' to matrix.working_dir - Only scans the component folder that has changes - Prevents scanning unrelated folders in monorepos * feat(go-pr-analysis): add support for private Go modules - Add go_private_modules input to specify GOPRIVATE pattern - Configure git authentication using MANAGE_TOKEN for private repos - Apply to all jobs: lint, security, tests, coverage, build * fix(go-pr-analysis): clarify coverage report title as Unit Test Coverage * chore: standardize runner_type parameter with firmino-lxc-runners default - Renamed runner to runner_type in build.yml and release.yml - Updated default from ubuntu-* to firmino-lxc-runners in all workflows: - build.yml - release.yml - go-pr-analysis.yml - pr-validation.yml - pr-security-scan.yml - slack-notify.yml - go-ci.yml - go-coverage-check.yml - go-release.yml - go-security.yml - go-unit-tests.yml - changed-paths.yml * fix: enable CGO for race detector in tests -race flag requires cgo to be enabled * fix: remove -race flag from tests (requires gcc not available on custom runners) * fix: restore -race flag with CGO_ENABLED=1 (gcc now available on runners) * docs: update documentation and remove duplicate workflows - Remove go-coverage-check.yml and go-unit-tests.yml (now in go-pr-analysis) - Add build-workflow.md documentation - Add slack-notify-workflow.md documentation - Update go-pr-analysis-workflow.md 
with private modules, CGO_ENABLED, secrets inherit - Update pr-validation-workflow.md with source branch validation feature - Update pr-security-scan-workflow.md with component-scoped scanning - Update release-workflow.md to use runner_type parameter - Update README.md with new workflows and remove duplicate entries Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> * fix: update self-release.yml to use runner_type and secrets inherit - Changed runner to runner_type parameter - Changed explicit secrets to secrets: inherit pattern * fix: use ubuntu-latest runner for self-release * ci(deps): bump cycjimmy/semantic-release-action from 4 to 6 (#18) Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 4 to 6. - [Release notes](https://github.com/cycjimmy/semantic-release-action/releases) - [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md) - [Commits](cycjimmy/semantic-release-action@v4...v6) --- updated-dependencies: - dependency-name: cycjimmy/semantic-release-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/checkout from 4 to 6 (#22) Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump securego/gosec in the github-actions group (#25) Bumps the github-actions group with 1 update: [securego/gosec](https://github.com/securego/gosec). Updates `securego/gosec` from 2.21.4 to 2.22.10 - [Release notes](https://github.com/securego/gosec/releases) - [Commits](securego/gosec@v2.21.4...v2.22.10) --- updated-dependencies: - dependency-name: securego/gosec dependency-version: 2.22.10 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump amannn/action-semantic-pull-request from 5 to 6 (#26) Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5 to 6. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](amannn/action-semantic-pull-request@v5...v6) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump golangci/golangci-lint-action from 4 to 9 (#27) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 9. 
- [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v4...v9) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/github-script from 7 to 8 (#28) Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v7...v8) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/download-artifact from 4 to 6 (#29) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 6. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4...v6) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Guilherme Moreira Rodrigues <gui.rodrigues@lerian.studio> Co-authored-by: Guilherme Moreira Rodrigues <30627541+guimoreirar@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps cycjimmy/semantic-release-action from 4 to 6.
Release notes
Sourced from cycjimmy/semantic-release-action's releases.
... (truncated)
Changelog
Sourced from cycjimmy/semantic-release-action's changelog.
... (truncated)
Commits
- b12c8f6 chore(release): 6.0.0 [skip ci]
- f80bc73 Merge pull request #273 from cycjimmy/feat-update-semantic-release-to-version-25
- 0891297 docs(readme): update semantic-release-action to v6
- 9246c0b feat(deps): update semantic-release to version 25
- e878abf Merge pull request #272 from cycjimmy/dependabot/npm_and_yarn/js-yaml-4.1.1
- acd6d5d build(deps): bump js-yaml from 4.1.0 to 4.1.1
- 100d1fb Merge pull request #270 from cycjimmy/dependabot/npm_and_yarn/actions/io-2.0.0
- ea00aee build(deps): bump @actions/io from 1.1.3 to 2.0.0
- e03fa18 Merge pull request #266 from cycjimmy/dependabot/github_actions/actions/setup...
- 36bdefb build(deps): bump actions/setup-node from 5 to 6

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)