
Add GHA pipeline: build, package, release, and stale workflows#2

Merged
ppomes merged 4 commits into main from copilot/add-gha-pipeline
Mar 16, 2026

Contributor

Copilot AI commented Mar 16, 2026

This repo had no CI/CD automation. Adds four GitHub Actions workflows modeled after coraza-nginx, adapted for Apache HTTPD.

Workflows

  • build.yml — Triggers on push/PR. Matrix over event and prefork MPMs: Docker build → Apache readiness wait → full test.sh integration suite (including audit/debug log tests via --container) → uploads mod_coraza.so artifact from the event build.

  • package.yml — Triggers on release publish. For amd64 and arm64 (native ARM runners): builds libcoraza from source (cached), compiles mod_coraza.so via apxs, creates .deb (/usr/lib/apache2/modules/) and .rpm (/usr/lib64/httpd/modules/) packages with fpm, signs with cosign (keyless OIDC), uploads to the release. Install smoke tests follow: deb on Ubuntu, rpm in a Rocky Linux 9 container.

  • release.yml — release-please on main for automated changelogs and version bumps.

  • stale.yml — Daily stale sweep: marks after 30 days, closes after 5 more.

Security

All actions are pinned to SHAs (matching coraza-nginx). Explicit permissions: blocks on all workflows; id-token: write scoped only to package.yml for cosign OIDC.

Original prompt

This section details on the original issue you should resolve

<issue_title>Add GHA pipeline</issue_title>
<issue_description>Create GHA actions in this repository. Take a look at the following as base for creating steps for build, package, and release:

Comments on the Issue (you are @copilot in this section)
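
One way the Security claims in the PR description (SHA-pinned actions, explicit permissions: blocks, id-token: write only in package.yml) could be checked automatically. This is an added example, not part of the PR or the project; the workflow snippets and the 40-hex ref are constructed placeholders, and it uses line-based regex matching rather than a YAML parser.

```python
import re
# Matches "uses: owner/repo[/path]@ref"; local (./) and docker:// refs are skipped below.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(name, text, oidc_allowed=("package.yml",)):
    """Return a list of findings for one workflow file's text."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"{name}: {action} pinned to '{version}', not a commit SHA")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append(f"{name}: no explicit permissions: block")
    if re.search(r"^\s*id-token:\s*write\b", text, re.M) and name not in oidc_allowed:
        findings.append(f"{name}: id-token: write outside {list(oidc_allowed)}")
    return findings

# Constructed samples; the 40-hex ref is a placeholder, not a real commit.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLES = {
    "build.yml": f"""
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@{FAKE_SHA} # v4
""",
    "stale.yml": """
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  id-token: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
""",
}

def audit_all(samples=SAMPLES):
    """Audit every sample workflow; returns {filename: [findings]}."""
    return {n: audit_workflow(n, t) for n, t in samples.items()}
```

Here the constructed build.yml passes, while the constructed stale.yml is flagged twice: once for the tag-pinned action and once for requesting id-token: write outside package.yml.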



Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [issue] Add GHA actions for build, package, and release" to "Add GHA pipeline: build, package, release, and stale workflows" Mar 16, 2026
Copilot AI requested a review from fzipi March 16, 2026 11:41
…ment

Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
Member

fzipi commented Mar 16, 2026

@copilot How can the "release-please" action trigger the "Package and Release" action? Or are they colliding somehow?

jobs:
  build:
    name: Build and test (${{ matrix.mpm }} MPM)
    runs-on: ubuntu-22.04
Member


@copilot Update the ubuntu version to be 24.04 on all files.

Contributor Author


Done in 3c7b08a. Updated ubuntu-22.04 → ubuntu-24.04 and ubuntu-22.04-arm → ubuntu-24.04-arm in both build.yml and package.yml (all four occurrences). stale.yml and release.yml already use ubuntu-latest so no changes were needed there.

Contributor Author

Copilot AI commented Mar 16, 2026

> @copilot How can the "release-please" action trigger the "Package and Release" action? Or are they colliding somehow?

They form a pipeline rather than colliding:

  1. release.yml runs on every push to main and manages a long-lived "release PR". When that PR is merged, release-please creates and publishes a GitHub Release via the API.
  2. package.yml listens to on: release: types: [published] — the exact event release-please fires when it publishes that release.

So the flow is: merge to main → release-please merges its PR → GitHub Release published → package.yml kicks off automatically. They never run at the same time; release-please's output (a published release) is package.yml's trigger.

Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
ppomes marked this pull request as ready for review March 16, 2026 17:55
ppomes merged commit edcb627 into main Mar 16, 2026
4 checks passed
fzipi deleted the copilot/add-gha-pipeline branch March 16, 2026 18:31