chore: add release-please automation and replace coana with socket (#89)

* add release-please automation and PR title linting

* add pre-major version bump settings for 0.x semver

* chore: formatting:

* chore: replace coana with socket tier 1 reachability analysis

* chore: formatting:

* fix: add secrets inherit and fix publish job ID

* chore: pin actions to SHA and add renovate config

* chore: formatting:

Author: nicknisi

.github/workflows/ci.yml

@@ -11,8 +11,8 @@ jobs:
     name: Pre-merge Checks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
 

.github/workflows/coana-analysis.yml

@@ -0,0 +1,16 @@
+name: Lint PR Title
+
+on:
+  pull_request_target:
+    types: [opened, edited, synchronize]
+
+permissions:
+  pull-requests: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/coana-guardrail.yml

@@ -0,0 +1,36 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+        with:
+          app-id: ${{ vars.SDK_BOT_APP_ID }}
+          private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        id: release
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+
+  publish:
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    uses: ./.github/workflows/release.yml
+    secrets: inherit

.github/workflows/lint-pr-title.yml

@@ -1,11 +1,8 @@
 name: Release
 
 on:
-  # Support manually pushing a new release
-  workflow_dispatch: {}
-  # Trigger when a release is published
-  release:
-    types: [published]
+  workflow_dispatch:
+  workflow_call:
 
 defaults:
   run:
@@ -19,26 +16,17 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
           registry-url: "https://registry.npmjs.org"
 
       - name: Install Dependencies
-        run: |
-          npm install
+        run: npm install
 
       - name: Build project
-        run: |
-          npm run build
+        run: npm run build
 
-      - name: Push Release
-        if: ${{ !github.event.release.prerelease }}
-        run: |
-          npm publish --tag latest --access=public --provenance
-
-      - name: Push Pre-Release
-        if: ${{ github.event.release.prerelease }}
-        run: |
-          npm publish --tag next --access=public --provenance
+      - name: Publish
+        run: npm publish --tag latest --access=public --provenance --no-git-checks

.github/workflows/release-please.yml

@@ -0,0 +1,40 @@
+name: Socket Tier 1 Reachability Analysis
+
+on:
+  schedule:
+    # every day at 12 AM
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+    inputs:
+      tags:
+        description: "Manually run vulnerability analysis"
+      distinct_id:
+        description: "Required by the return-dispatch action"
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  socket-vulnerability-analysis:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Check distinct_id
+        run: |
+          echo "distinct_id: ${{ github.event.inputs.distinct_id }}"
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Install Socket CLI
+        run: npm install -g socket
+      - name: Run Tier 1 reachability scan
+        env:
+          SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_API_KEY }}
+        run: |
+          # Full application reachability (Tier 1)
+          socket scan create . \
+            --reach \
+            --org "workos" \
+            --no-interactive

.github/workflows/release.yml

@@ -0,0 +1,3 @@
+{
+  ".": "0.16.0"
+}

.github/workflows/socket-tier1-analysis.yml

@@ -0,0 +1,13 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "include-component-in-tag": false,
+  "packages": {
+    ".": {
+      "release-type": "node",
+      "changelog-path": "CHANGELOG.md",
+      "versioning": "default",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true
+    }
+  }
+}

.release-please-manifest.json

@@ -0,0 +1,26 @@
+{
+  "extends": ["config:recommended"],
+  "schedule": ["on the 15th day of the month before 12pm"],
+  "timezone": "UTC",
+  "rebaseWhen": "conflicted",
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$",
+      "groupName": "github-actions"
+    },
+    {
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "groupName": "minor and patch updates"
+    },
+    {
+      "matchUpdateTypes": ["major"],
+      "automerge": false
+    },
+    {
+      "matchUpdateTypes": ["digest"],
+      "automerge": false
+    }
+  ]
+}