chore(ci-deps): Update files based on repository configuration

.github/workflows/codeql-analysis.managed.yaml

@@ -0,0 +1,131 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+#   - centralized-templates
+# FILE STEWARD: @pleo-io/team-security
+
+name: CodeQL Analysis
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - develop
+  pull_request:
+    branches:
+      - main
+      - master
+      - develop
+  merge_group:
+    types: [checks_requested]
+
+env:
+  CONFIG_FILE: ""
+  RUN_ON_DEFAULT_BRANCH: true
+
+jobs:
+  preflight:
+    if: ${{ !contains(github.event.pull_request.title, '(deps)') }}
+    name: Determine if CodeQL should run
+    runs-on: ubuntu-latest
+    outputs:
+      should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
+    steps:
+      - uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2
+        id: split
+        with:
+          msg: ${{ github.repository }}
+          separator: "/"
+      - id: get_default_branch
+        name: Determine our default branch
+        uses: octokit/[email protected]
+        with:
+          route: GET /repos/{owner}/{repo}
+          owner: ${{ github.repository_owner }}
+          repo: ${{ steps.split.outputs._1 }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - id: set_default_branch
+        name: Set our default branch
+        run: echo "DEFAULT_BRANCH=${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}" >> "$GITHUB_ENV"
+      - id: maybe_skip_analyze
+        name: Check if analyze should run
+        shell: bash
+        run: |
+          if [[ "${{ env.RUN_ON_DEFAULT_BRANCH }}" == "false" && "${{ github.ref }}" == "refs/heads/${{ env.DEFAULT_BRANCH }}" && "${{ github.event_name }}" == "push" ]]; then
+            echo "Skipping CodeQL analysis on main branch due to configuration"
+            echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event_name }}" == "merge_group" ]]; then
+            echo "Skipping CodeQL analysis on merge queue due to a GitHub's known issue, see: https://github.com/github/codeql-action/issues/1537"
+            echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "Running CodeQL analysis"
+            echo "should_run_analyze=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  wiz-cli-scanning:
+    if: ${{ (github.ref != 'refs/heads/main' || github.event_name != 'push') && (!contains(github.event.pull_request.title, 'deps')) }}
+    name: Scan Dependency, Container or IaC with Wiz-CLI
+    uses: pleo-io/reusable-workflows/.github/workflows/security-analysis-with-wiz.reusable-external.yaml@main
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    secrets: inherit
+    with:
+      # Dependency Scanning
+      wiz_scan_deps: false
+      wiz_scan_deps_path: "."
+      wiz_scan_deps_policy: "Pleo-Default-vulnerabilities-policy"
+      # Container Scanning
+      wiz_scan_container: false
+      wiz_scan_container_policy: "Pleo-Default-container-policy"
+      wiz_scan_container_dockerfile_path: "."
+      jdk_version: "17"
+      node_version: 20
+
+  languages:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.languages }}
+    steps:
+      - name: Get languages from repo
+        id: set-matrix
+        uses: pleo-io/set-codeql-language-matrix@fix_output
+        with:
+          access-token: ${{ secrets.GITHUB_TOKEN }}
+          endpoint: ${{ github.event.repository.languages_url }}
+
+  analyze-code:
+    name: Analyze code with CodeQL
+    if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && (!contains(github.event.pull_request.title, 'deps')) && (needs.languages.outputs.matrix != '[]') }}
+    needs:
+      - preflight
+      - languages
+    runs-on:
+      group: codeql-runner-group
+    timeout-minutes: 30
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    env:
+      CODEQL_ACTION_EXTRA_OPTIONS: '{"database": {"run-queries": ["--off-heap-ram=3072"]}}'
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJSON(needs.languages.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      # Set up a JDK environment for building, testing and releasing.
+      - name: CodeQL Analysis
+        uses: pleo-io/reusable-actions/codeql@main
+        with:
+          language: ${{ matrix.language }}
+          github_token: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          gradle_read_key: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          job_runr_repo_password: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
+          config_file: ${{ env.CONFIG_FILE }}
+          nodeVersion: 20
+          jdkVersion: 17

.github/workflows/pr-help.yaml → .github/workflows/pr-help.managed.yaml

@@ -40,7 +40,7 @@ jobs:
     if: ${{ github.event.label.name == 'automerge' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
       - id: enable-automerge
         name: Enable Pull Request Automerge

.github/workflows/renovate_dependency_management.yaml → .github/workflows/renovate_dependency_management.managed.yaml

@@ -15,13 +15,13 @@ on:
         type: string
 
   schedule:
-    - cron: 40 7 * * 1-5
+    - cron: "40 11 * * 1-5"
 
 concurrency: renovate
 
 jobs:
   call-workflow:
-    uses: pleo-io/renovate-config/.github/workflows/[custom]_reusable_run-renovate.yaml@main
+    uses: pleo-io/renovate-config/.github/workflows/run-renovate.reusable-external.yaml@main
     with:
       logLevel: ${{ inputs.logLevel || 'info' }}
     secrets: inherit