feat(gha): unify GHA - renovate, megalinter, markdown, and others

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Users referenced in this file will automatically be requested as reviewers for
+# PRs that modify the given paths
+# See https://help.github.com/articles/about-code-owners/, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# All code
+* @ruzickap

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,23 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: 'Bug: This is a sample issue title'
+labels: bug
+assignees: ruzickap
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behaviour.
+
+**Expected behaviour**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: GitHub Actions Community Forum
+    url: https://github.com/orgs/community/discussions/
+    about: Please ask questions about GitHub Actions here.
+  - name: GitHub Pages help
+    url: https://help.github.com/en/github/working-with-github-pages
+    about: GitHub Pages documentation here.

.github/ISSUE_TEMPLATE/proposal.md

@@ -0,0 +1,21 @@
+---
+name: Proposal
+about: Suggest an idea for this project
+title: 'Proposal: This is a sample title'
+labels: proposal
+assignees: ruzickap
+
+---
+
+**Is your feature request related to a problem? Please describe**
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/renovate.json5

@@ -1,59 +1,56 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "branchPrefix": "renovate/",
-  "labels": ["renovate", "renovate/{{replace '.*/' '' depName}}", "renovate/{{updateType}}"],
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["patch"],
-      "automergeType": "branch",
-      // Do not wait for tests - this will speed up the whole process - updating many branches + running many tests
-      "ignoreTests": true,
-      "automerge": true,
-    },
-    {
-      "description": "Ignore frequent renovate updates",
-      "matchPackageNames": ["renovatebot/github-action"],
-      "matchUpdateTypes": ["patch"],
-      "enabled": false
-    },
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    ":disableDependencyDashboard",
+    ":docker",
+    ":disableRateLimiting",
+    ":enableVulnerabilityAlertsWithLabel(security)",
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "security:openssf-scorecard",
+  ],
+  "git-submodules": {
+    enabled: true,
+  },
+  labels: [
+    "renovate",
+    "renovate/{{replace '.*/' '' depName}}",
+    "renovate/{{updateType}}",
+  ],
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["before 6am on Sunday"],
+  },
+  packageRules: [
     {
-      "matchPackageNames": ["renovatebot/github-action"],
-      "matchUpdateTypes": ["minor"],
-      "automergeType": "branch",
-      "automerge": true,
-      "ignoreTests": true,
-      "schedule": ["* 0,2,4 1-7 * 0"],
+      matchUpdateTypes: ["major"],
+      automerge: false,
     },
     {
-      "description": "Update all github-actions by default",
-      "matchManagers": ["github-actions"],
-      "automergeType": "branch",
-      "automerge": true,
+      description: "Ignore frequent renovate updates",
+      enabled: false,
+      matchPackageNames: ["renovatebot/github-action"],
+      matchUpdateTypes: ["patch"],
     },
     {
-      "matchManagers": ["git-submodules"],
-      "matchUpdateTypes": ["digest"],
-      "automerge": true,
-      "automergeType": "branch",
+      description: "Update renovatebot/github-action minor updates on Sundays",
+      matchPackageNames: ["renovatebot/github-action"],
+      matchUpdateTypes: ["minor"],
+      schedule: ["* * * * 0"],
     },
   ],
-  "prBodyTemplate": "{{{table}}}{{{notes}}}{{{changelogs}}}",
-  "rebaseWhen": "behind-base-branch",
-  "regexManagers": [
+  prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}",
+  rebaseWhen: "behind-base-branch",
+  regexManagers: [
     {
-      "fileMatch": [
-        "^\\.github/workflows/.*\\.ya?ml$",
-        "^ansible/win-simple\\.yml$",
+      extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}",
+      fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"],
+      matchStrings: [
+        '# renovate: datasource=(?<datasource>.+?) depName=(?<depName>.+?)( versioning=(?<versioning>.+?))?( extractVersion=(?<extractVersion>.+?))?( registryUrl=(?<registryUrl>.+?))?\\s.*[=:]\\s*"?(?<currentValue>.+?)"?\\s',
       ],
-      "matchStrings": [
-        "# renovate: datasource=(?<datasource>.+?) depName=(?<depName>.+?)( versioning=(?<versioning>.+?))?( extractVersion=(?<extractVersion>.+?))?( registryUrl=(?<registryUrl>.+?))?\\s.*[=:]\\s*\"?(?<currentValue>.+?)\"?\\s",
-      ],
-      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
-      "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}",
+      versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
     },
   ],
-  "git-submodules": {
-    "enabled": true
-  },
-  "separateMinorPatch": true,
+  separateMinorPatch: true,
 }

.github/workflows/mega-linter.yml

@@ -1,3 +1,4 @@
+---
 name: MegaLinter
 
 on:
@@ -12,40 +13,32 @@ jobs:
   build:
     name: MegaLinter
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      statuses: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Restore lychee cache
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          path: .lycheecache
+          key: cache-lychee-${{ github.sha }}
+          restore-keys: cache-lychee-
 
       - name: Extract commands from markdown files
         run: |
           set -euxo pipefail
           echo '#!/usr/bin/env bash' > README.sh
           find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do
-            sed -n "/^\`\`\`\(bash\|shell\).*/,/^\`\`\`$/p" "${FILE}" \
-            | \
-            sed \
-              -e 's/^```\(bash\|shell\).*//' \
-              -e '/^```$/d' \
-            >> README.sh
+            # Extract: ```bash ... ```
+            sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh
+            # Extract:   ```bash ... ```
+            sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
           done
           chmod a+x README.sh
 
-      - name: MegaLinter
-        uses: megalinter/megalinter@v7.1.0
+      - name: 💡 MegaLinter
+        uses: oxsecurity/megalinter@688bc7466d7ab4faa83d614c2e6f9acf42b674dc # v7.8.0
         env:
-          ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS: >-
-            [{"command": "ansible-galaxy collection install -v -r ansible/requirements.yml"}]
-          BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects
-          DISABLE_LINTERS: COPYPASTE_JSCPD,JSON_PRETTIER,MARKDOWN_MARKDOWN_LINK_CHECK,REPOSITORY_DEVSKIM,REPOSITORY_SEMGREP,SPELL_CSPELL,SPELL_PROSELINT,YAML_V8R
-          FILTER_REGEX_EXCLUDE: '(.*\.ps1|CHANGELOG.md)'
-          FORMATTERS_DISABLE_ERRORS: false
           GITHUB_COMMENT_REPORTER: false
           GITHUB_STATUS_REPORTER: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PRINT_ALPACA: false
-          REPOSITORY_KICS_ARGUMENTS: --exclude-paths .github/workflows/renovate.yml
-          # Needed for scanning generated README.sh file
-          VALIDATE_ALL_CODEBASE: true

.github/workflows/packer-templates.yml

@@ -1,12 +1,13 @@
 name: packer-templates
 
 on:
-  push:
-    branches-ignore:
-      - main
-    paths:
-      - "*.json"
-      - .github/workflows/packer-templates.yml
+  workflow_dispatch:
+  # push:
+  #   branches-ignore:
+  #     - main
+  #   paths:
+  #     - "*.json"
+  #     - .github/workflows/packer-templates.yml
 
 permissions: read-all
 
@@ -20,9 +21,13 @@ jobs:
 
       - name: Download Packer
         run: |
+          set -euxo pipefail
+
           PACKER_LATEST_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packer | jq -r -M '.current_version')
           curl -s "https://releases.hashicorp.com/packer/${PACKER_LATEST_VERSION}/packer_${PACKER_LATEST_VERSION}_linux_amd64.zip" --output /tmp/packer_linux_amd64.zip
           sudo unzip -o /tmp/packer_linux_amd64.zip -d /usr/local/bin/
+          packer plugins install github.com/hashicorp/qemu
+          packer plugins install github.com/hashicorp/ansible
 
       - name: Validate Packer templates
         run: |