stordco
diff --git a/‎.credo.exs‎
Lines changed: 15 additions & 4 deletions b/‎.credo.exs‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 25 additions & 0 deletions b/‎.github/pull_request_template.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.release-please-config.json‎ renamed to ‎.github/release-please-config-stable.json‎
Lines changed: 6 additions & 3 deletions b/‎.release-please-config.json‎ renamed to ‎.github/release-please-config-stable.json‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎.release-please-manifest.json‎ renamed to ‎.github/release-please-manifest.json‎ b/‎.release-please-manifest.json‎ renamed to ‎.github/release-please-manifest.json‎
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 153 additions & 12 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 153 additions & 12 deletions
diff --git a/‎.github/workflows/common-config-elixir.yaml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/common-config-elixir.yaml‎
Lines changed: 6 additions & 4 deletions
@@ -23,7 +23,7 @@
         # You can give explicit globs or simply directories.
         # In the latter case `**/*.{ex,exs}` will be used.
         #
-        included: ["lib/", "priv/", "test/"],
+        included: ["config/", "lib/", "priv/", "test/"],
         excluded: [~r"/_build/", ~r"/deps/", ~r"/node_modules/"]
       },
       #
@@ -81,7 +81,7 @@
         # You can customize the priority of any check
         # Priority values are: `low, normal, high, higher`
         #
-        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 2, if_called_more_often_than: 2]},
+        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 4, if_called_more_often_than: 2]},
         {Credo.Check.Design.DuplicatedCode, false},
         # You can also customize the exit_status of each check.
         # If you don't want TODO comments to cause `mix credo` to fail, just
@@ -119,7 +119,8 @@
          [
            order:
              ~w(moduledoc behaviour use import require alias module_attribute defstruct callback macrocallback optional_callback)a,
-           ignore: [:type]
+           ignore: [:type],
+           ignore_module_attributes: [:contract, :decorate, :operation, :trace]
          ]},
         {Credo.Check.Readability.StringSigils, []},
         {Credo.Check.Readability.TrailingBlankLine, []},
@@ -177,7 +178,17 @@
         {Credo.Check.Warning.UnusedPathOperation, []},
         {Credo.Check.Warning.UnusedRegexOperation, []},
         {Credo.Check.Warning.UnusedStringOperation, []},
-        {Credo.Check.Warning.UnusedTupleOperation, []}
+        {Credo.Check.Warning.UnusedTupleOperation, []},
+
+        #
+        ## Custom
+        #
+        {Credo.Check.Warning.ForbiddenModule,
+         [
+           modules: [
+             {Oban.Worker, "use Oban.Pro.Worker instead"}
+           ]
+         ]}
       ]
     }
   ]
 
@@ -0,0 +1,25 @@
+## Related Ticket(s)
+
+<!--
+Enter the Jira issue below in the following format: PROJECT-##
+-->
+
+## Checklist
+
+<!--
+For each bullet, ensure your pr meets the criteria and write a note explaining how this PR relates. Mark them as complete as they are done. All top-level checkboxes should be checked regardless of their relevance to the pr with a note explaining whether they are relevant or not.
+-->
+
+- [ ] Code conforms to the [Elixir Styleguide](https://github.com/christopheradams/elixir_style_guide)
+
+## Problem
+
+<!--
+What is the problem you're solving or feature you're implementing? Link to any Jira tickets or previous discussions of the issue.
+-->
+
+## Details
+
+<!--
+Include a brief overview of the technical process you took (or are going to take!) to get from the problem to the solution.
+-->
@@ -7,6 +7,11 @@
       "section": "Features",
       "hidden": false
     },
+    {
+      "type": "hotfix",
+      "section": "Hotfixes",
+      "hidden": true
+    },
     {
       "type": "fix",
       "section": "Bug Fixes",
@@ -22,9 +27,7 @@
   "draft-pull-request": false,
   "packages": {
     ".": {
-      "extra-files": [
-        "README.md"
-      ],
+      "extra-files": ["README.md"],
       "release-type": "elixir"
     }
   },
 
@@ -1,120 +1,261 @@
+# This file is synced with stordco/common-config-elixir. Any changes will be overwritten.
+
 name: CI
 
 on:
+  merge_group:
   pull_request:
     types:
       - opened
       - reopened
       - synchronize
-  merge_group:
+  push:
+    branches:
+      - main
+      - code-freeze/**
   workflow_call:
     secrets:
+      CI_SERVICE_KEY:
+        required: true
       GH_PERSONAL_ACCESS_TOKEN:
         required: true
       HEX_API_KEY:
         required: true
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
+  Changed:
+    name: Changed Files
+    runs-on: ubuntu-latest
+
+    outputs:
+      database: ${{ steps.changed.outputs.database }}
+      docker: ${{ steps.changed.outputs.docker }}
+      # Note: temporarily disabling documentation/OpenAPI validation in CI until a long term solution is found
+      # documentation: ${{ steps.changed.outputs.documentation }}
+      elixir: ${{ steps.changed.outputs.elixir }}
+      helm: ${{ steps.changed.outputs.helm }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - id: changed
+        name: Get Changed Files
+        run: |
+          # Using fetch-depth 2 above, we should always be able to get the full list of changes files:
+          # - In a pull-request, GHA merges the PR branch into main
+          # - When pushed to main, we always squash merge, so there is only one new commit
+
+          CHANGED_FILES=$(git diff --name-only HEAD^1 HEAD)
+
+          declare -A patterns
+          patterns["database"]=".github/workflows/ci.yaml priv/.*repo/.*"
+          patterns["docker"]=".github/workflows/ci.yaml Dockerfile"
+          patterns["documentation"]="docs/.* priv/documentation/.* .*.ex .*.md"
+          patterns["elixir"]=".github/workflows/ci.yaml .tool-versions priv/.* .*.ex .*.exs .*.heex"
+          patterns["helm"]=".github/workflows/ci.yaml .github/workflows/staging.yaml .github/workflows/production.yaml helm/.*"
+
+          for filetype in ${!patterns[@]}; do
+            found="false"
+            echo "==> Checking: $filetype"
+            for pattern in ${patterns[$filetype]}; do
+              for changed_file in $CHANGED_FILES; do
+                if [[ "$changed_file" =~ $pattern ]]; then
+                  echo "====> Found change: $changed_file"
+                  found="true"
+                  break
+                fi
+              done
+              if [[ "$found" == "true" ]]; then
+                break
+              fi
+            done
+            echo "$filetype=$found" >> $GITHUB_OUTPUT
+          done
+
   Credo:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
+    needs: [Changed]
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
       - name: Credo
-        run: mix credo
+        run: mix credo --strict
 
-  Deps:
+  Dependencies:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
+    needs: [Changed]
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
       - name: Unused
         run: mix deps.unlock --check-unused
 
   Dialyzer:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
+    needs: [Changed]
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
       - name: Dialyzer
         run: mix dialyzer --format github
 
-  Docs:
+  Documentation:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.documentation == 'true' }}
+    needs: [Changed]
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
       - name: Docs
         run: mix docs
 
   Format:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
+    needs: [Changed]
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
       - name: Format
         run: mix format --check-formatted
 
   Test:
+    name: Test (Elixir ${{ matrix.versions.elixir }} OTP ${{ matrix.versions.otp }})
+
     runs-on: ubuntu-latest
 
     env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       MIX_ENV: test
 
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
+          elixir-version: ${{ matrix.versions.elixir }}
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
+          otp-version: ${{ matrix.versions.otp }}
 
       - name: Compile
         run: mix compile --warnings-as-errors
 
       - name: Test
-        run: mix test
+        run: mix coveralls.github --warnings-as-errors
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        versions:
+          - elixir: 1.13
+            otp: 25
+          - elixir: 1.14
+            otp: 25
+          - elixir: 1.15
+            otp: 26
+
+  Trivy_Filesystem:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') }}
+    name: Trivy Filesystem Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Elixir
+        uses: stordco/actions-elixir/setup@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
+
+      - name: Trivy Scan
+        uses: stordco/actions-trivy@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          scan-type: fs
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_SECURITY_ALERTS }}
+          update-db: false
+
@@ -21,22 +21,24 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           persist-credentials: true
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 18
 
       - name: Setup Elixir
         uses: stordco/actions-elixir/setup@v1
         with:
+          elixir-version: "1.15"
           github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
           hex-token: ${{ secrets.HEX_API_KEY }}
-          elixir-version: "1.15"
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
           otp-version: "26.0"
 
       - name: Sync