
Import YAML helpers for repository governance#47

Merged

OstinUA merged 1 commit into main from upload-repo-governance-1775850400150 on Apr 10, 2026

Conversation

@CommitAxis (Member) commented Apr 10, 2026

This pull request introduces necessary configuration files for repository management.

  • Chores
    • Configured automated dependency monitoring with weekly checks and auto-merge for minor/patch updates.
    • Added security scanning workflows using CodeQL and OpenSSF Scorecard for continuous code analysis.
    • Enabled automated code quality and linting checks on pull requests.
    • Introduced standardized templates for bug reports and feature requests to improve contribution workflow.
    • Added GitHub funding links and configured label synchronization for improved repository management.

Summary by CodeRabbit

  • Chores
    • Updated dependency check scheduling from weekly to monthly
    • Optimized CI/CD workflow execution times
    • Enhanced build process efficiency with dependency caching
    • Streamlined workflow trigger configurations

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@github-actions (Contributor)

AI Analysis Summary

The recent updates to the repository's configuration files have introduced changes to the dependency monitoring and security scanning workflows. The changes appear to be intentional updates, but it is recommended to review them to ensure they align with the project's requirements and security policies. No action is required at this time.

Severity: MEDIUM | Role: deps

Full details: #48

@coderabbitai Bot commented Apr 10, 2026

📝 Walkthrough

Updates to GitHub Actions workflows and Dependabot configuration include: changing Dependabot schedule from weekly to monthly, reducing workflow timeouts, enabling pip/npm dependency caching, updating concurrency settings, and removing scheduled triggers from security workflows.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependabot Configuration: .github/dependabot.yml | Changed schedule interval from "weekly" to "monthly" for both pip and github-actions ecosystems. |
| Workflow Concurrency & Timeouts: .github/workflows/ai-issue.yml, .github/workflows/lint.yml | Enabled cancel-in-progress for concurrent runs, reduced job timeouts (15→10 minutes), and added dependency caching (pip and npm). |
| Workflow Trigger Updates: .github/workflows/sast.yml, .github/workflows/scorecard.yml | Removed weekly scheduled cron triggers, retaining only manual and event-based execution paths. |
| Checkout Configuration: .github/workflows/ai-issue.yml | Removed fetch-depth: 0 parameter from checkout step. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • Configuration changes align with CI/CD optimization objectives across multiple related repositories, including Dependabot scheduling adjustments and workflow timeout/caching enhancements.

Poem

🐰 A rabbit hops through workflows neat,
With monthly checks and caches fleet,
No more shall scheduled runs align,
The pipelines flow, concise and fine! 🚀

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The title claims to import YAML helpers, but the changeset only updates existing GitHub configuration files (Dependabot, workflows) with no YAML helper imports or additions. | Update the title to accurately reflect the changes, such as 'Optimize GitHub workflows and Dependabot scheduling' or 'Update workflow configurations and dependency scheduling'. |
| Description check | ⚠️ Warning | The PR description discusses adding new configuration files for repository management, but the changeset only modifies existing workflow and Dependabot configurations with no new files created. | Revise the description to accurately reflect that this updates existing configurations (reducing timeouts, changing schedules, enabling caching) rather than introducing new configuration files. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.



@coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/ai-issue.yml (1)

33-37: Pip cache is enabled but currently bypassed.

Line 33 enables pip caching with cache: 'pip', but line 37 uses --no-cache-dir in the pip install command, which prevents pip from using/updating its cache. This contradicts the intended optimization.

♻️ Proposed fix
       - name: Install dependencies
         run: |
-          pip install --no-cache-dir PyGithub==2.5.0 requests==2.32.3
+          pip install PyGithub==2.5.0 requests==2.32.3
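Review bot: dropping `--no-cache-dir` is the right fix for the cache, but the resulting `pip install PyGithub==2.5.0 requests==2.32.3` still pins versions only, so the install step verifies nothing about the artifact beyond its version string; moving these two pins into a requirements file with `--hash=sha256:...` entries and installing with `pip install --require-hashes -r requirements.txt` would make the step integrity-checked, and a requirements file is also what setup-python's `cache: 'pip'` setting on line 33 hashes to derive its cache key, so the two changes reinforce each other.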
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ai-issue.yml around lines 33 - 37, The workflow declares
pip caching but the "Install dependencies" step uses "--no-cache-dir", which
prevents cache use; to fix, remove the "--no-cache-dir" option from the pip
install command in the "Install dependencies" step so pip can read/update the
cache when installing PyGithub==2.5.0 and requests==2.32.3, keeping the existing
cache: 'pip' setting intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8167e8cf-530b-4531-bd71-6214272e8b7c

📥 Commits

Reviewing files that changed from the base of the PR and between b04e449 and 5bd64cb.

📒 Files selected for processing (5)
  • .github/dependabot.yml
  • .github/workflows/ai-issue.yml
  • .github/workflows/lint.yml
  • .github/workflows/sast.yml
  • .github/workflows/scorecard.yml
💤 Files with no reviewable changes (2)
  • .github/workflows/sast.yml
  • .github/workflows/scorecard.yml

Comment thread .github/dependabot.yml
directory: "/"
schedule:
interval: "weekly"
interval: "monthly"
⚠️ Potential issue | 🟠 Major

Set Dependabot back to weekly cadence to match the PR objective.

Line 6 and Line 14 set updates to monthly, which conflicts with the stated goal of weekly dependency monitoring and increases security/update lag.

Suggested change
     schedule:
-      interval: "monthly"
+      interval: "weekly"
@@
     schedule:
-      interval: "monthly"
+      interval: "weekly"
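Review bot: the two `@@` regions revert the same `interval` key for both update blocks (pip and github-actions), so the suggestion fully restores the weekly cadence the PR description promises; it is worth stating in the resolution that `schedule.interval` governs Dependabot version updates only, while security updates for alerted vulnerabilities are opened independently of it, so what the interval actually controls here is how quickly the pinned PyGithub/requests versions and the action tags used by these workflows move to new releases.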

Also applies to: 14-14

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml at line 6, The Dependabot configuration currently
sets interval: "monthly" (seen in the .github/dependabot.yml diff) which
contradicts the intended weekly cadence; update both occurrences of interval:
"monthly" to interval: "weekly" so Dependabot runs on a weekly schedule (ensure
you change every instance shown in the diff).
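As an added example (not code from this PR or the repository's own tooling), here is a Python policy check that turns the findings discussed in this review into automated assertions over the parsed form of .github/dependabot.yml and a workflow file: the Dependabot interval must be weekly or daily, a job that enables cache: 'pip' must not install with --no-cache-dir, every pip install spec must be version-pinned, and jobs must set cancel-in-progress concurrency and a timeout-minutes of at most 10. The dict shape is what yaml.safe_load returns, so no YAML library is needed; the sample configurations are constructed to mirror the page's description, and every function name is this example's own.

```python
"""Governance policy checks for the files reviewed in this PR.

Constructed example, not the repository's own tooling. It works on the parsed
(dict) form of .github/dependabot.yml and of a workflow file, i.e. what
yaml.safe_load would return, so it runs without a YAML library. The sample
configs below are constructed to mirror the page's findings: a "monthly"
Dependabot interval, and a job that enables cache: 'pip' yet installs with
--no-cache-dir. All function names are this example's own.
"""
import copy
import shlex

ALLOWED_INTERVALS = {"daily", "weekly"}   # policy: never slower than weekly
MAX_TIMEOUT_MINUTES = 10                  # policy: the 15 -> 10 reduction on this page


def check_dependabot(config):
    """Return one finding per update block whose interval is slower than weekly."""
    findings = []
    for i, update in enumerate(config.get("updates") or []):
        ecosystem = update.get("package-ecosystem", f"updates[{i}]")
        interval = (update.get("schedule") or {}).get("interval")
        if interval not in ALLOWED_INTERVALS:
            findings.append(
                f"dependabot: {ecosystem}: schedule.interval is {interval!r}, "
                f"expected one of {sorted(ALLOWED_INTERVALS)}")
    return findings


def _pip_installs(run_script):
    """Yield argv lists for every 'pip install' / 'python -m pip install' line."""
    for line in run_script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: not a command we can judge
            continue
        if len(argv) >= 3 and argv[0].startswith("python") and argv[1:3] == ["-m", "pip"]:
            argv = argv[2:]         # normalise 'python -m pip ...' to 'pip ...'
        if len(argv) >= 2 and argv[0] in ("pip", "pip3") and argv[1] == "install":
            yield argv


def check_workflow(name, workflow):
    """Return findings for concurrency, timeouts, pip caching and version pinning."""
    findings = []
    concurrency = workflow.get("concurrency")
    if not isinstance(concurrency, dict) or not concurrency.get("cancel-in-progress"):
        findings.append(f"{name}: concurrency.cancel-in-progress is not enabled")
    for job_name, job in (workflow.get("jobs") or {}).items():
        timeout = job.get("timeout-minutes")
        if not isinstance(timeout, int) or timeout > MAX_TIMEOUT_MINUTES:
            findings.append(f"{name}: job {job_name}: timeout-minutes missing or above "
                            f"{MAX_TIMEOUT_MINUTES} (got {timeout!r})")
        steps = job.get("steps") or []
        # setup-python with cache: 'pip' is what makes --no-cache-dir contradictory
        pip_cache_enabled = any(
            "setup-python" in str(step.get("uses", ""))
            and (step.get("with") or {}).get("cache") == "pip"
            for step in steps)
        for step in steps:
            for argv in _pip_installs(step.get("run") or ""):
                label = f"{name}: job {job_name}: step {step.get('name', '?')!r}"
                if pip_cache_enabled and "--no-cache-dir" in argv:
                    findings.append(f"{label}: cache: 'pip' is enabled but pip install "
                                    f"uses --no-cache-dir, so the cache is bypassed")
                for spec in argv[2:]:
                    if not spec.startswith("-") and "==" not in spec:
                        findings.append(f"{label}: package {spec!r} is not version-pinned")
    return findings


def with_install_command(workflow, job_name, step_name, command):
    """Copy of `workflow` with one step's run script replaced (used to show the fix)."""
    fixed = copy.deepcopy(workflow)
    for step in fixed["jobs"][job_name]["steps"]:
        if step.get("name") == step_name:
            step["run"] = command
    return fixed


# Constructed inputs mirroring the page: not the repository's actual files.
DEPENDABOT = {"version": 2, "updates": [
    {"package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "monthly"}},
    {"package-ecosystem": "github-actions", "directory": "/", "schedule": {"interval": "weekly"}},
]}
AI_ISSUE = {
    "name": "ai-issue",
    "concurrency": {"group": "ai-issue-${{ github.ref }}", "cancel-in-progress": True},
    "jobs": {"analyze": {"runs-on": "ubuntu-latest", "timeout-minutes": 10, "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "actions/setup-python@v5", "with": {"python-version": "3.12", "cache": "pip"}},
        {"name": "Install dependencies",
         "run": "pip install --no-cache-dir PyGithub==2.5.0 requests==2.32.3\n"},
    ]}},
}

if __name__ == "__main__":
    for finding in check_dependabot(DEPENDABOT) + check_workflow("ai-issue.yml", AI_ISSUE):
        print("FAIL", finding)
    fixed = with_install_command(AI_ISSUE, "analyze", "Install dependencies",
                                 "pip install PyGithub==2.5.0 requests==2.32.3")
    print("after fix:", check_workflow("ai-issue.yml", fixed) or "no findings")
```

Running it against the constructed inputs reports the monthly pip interval and the bypassed pip cache, and reports nothing once the install command is replaced with the one proposed in the review; wiring check_dependabot and check_workflow into a required status check is how a governance repository keeps the next schedule or cache change from silently regressing.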

@OstinUA OstinUA merged commit 840afad into main Apr 10, 2026
3 of 4 checks passed