ci(workflows): add CI, security, release, and supply-chain pipeline

.github/codecov.yml

@@ -0,0 +1,51 @@
+# Codecov configuration. Validated with `curl --data-binary @.github/codecov.yml https://codecov.io/validate`.
+codecov:
+  require_ci_to_pass: true
+  notify:
+    wait_for_ci: true
+
+coverage:
+  precision: 2
+  round: down
+  range: "70...95"
+  status:
+    project:
+      default: false
+      core:
+        # The library is the part of the project we care about. Aim for >80%
+        # statement coverage; PRs that drop coverage by more than 1pp fail.
+        target: 80%
+        threshold: 1%
+        flags:
+          - core
+        paths:
+          - core/
+        if_ci_failed: error
+    patch:
+      default: false
+      core:
+        target: 80%
+        flags:
+          - core
+        paths:
+          - core/
+        if_ci_failed: error
+
+flags:
+  core:
+    paths:
+      - core/
+    carryforward: false
+
+comment:
+  layout: "reach,diff,flags,files,footer"
+  behavior: default
+  require_changes: false
+
+ignore:
+  - "cmd/**"
+  - "examples/**"
+  - "docs/**"
+  - "**/testdata/**"
+  - "**/*_test.go"
+  - "**/mocks/**"

.github/workflows/ci.yml

@@ -0,0 +1,191 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+env:
+  GO_VERSION: "1.26"
+
+jobs:
+  detect:
+    name: detect go source
+    runs-on: ubuntu-latest
+    outputs:
+      has-source: ${{ steps.detect.outputs.has-source }}
+    steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Detect Go source
+        id: detect
+        shell: bash
+        run: |
+          if find . -name '*.go' \
+              -not -path './.*' \
+              -not -path './vendor/*' \
+              -not -path '*/testdata/*' \
+              -print -quit | grep -q .; then
+            echo "has-source=true" >> "$GITHUB_OUTPUT"
+            echo "Go source detected — full CI will run."
+          else
+            echo "has-source=false" >> "$GITHUB_OUTPUT"
+            echo "No Go source yet — lint/test/build steps will be skipped."
+          fi
+
+  lint:
+    name: lint
+    needs: detect
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: go mod verify
+        run: go mod verify
+
+      - name: go mod tidy -diff
+        run: |
+          diff=$(go mod tidy -diff)
+          if [ -n "$diff" ]; then
+            echo "go.mod / go.sum drift detected; run 'go mod tidy' and commit."
+            echo "$diff"
+            exit 1
+          fi
+
+      - name: gofmt
+        if: needs.detect.outputs.has-source == 'true'
+        run: |
+          unformatted=$(gofmt -l .)
+          if [ -n "$unformatted" ]; then
+            echo "Unformatted files:"
+            echo "$unformatted"
+            echo "Run 'go tool goimports -w -local github.com/plexara/plexara-agents .' and commit."
+            exit 1
+          fi
+
+      - name: go vet
+        if: needs.detect.outputs.has-source == 'true'
+        run: go vet ./...
+
+      - name: golangci-lint config verify
+        run: go tool golangci-lint config verify
+
+      - name: golangci-lint
+        if: needs.detect.outputs.has-source == 'true'
+        run: go tool golangci-lint run ./...
+
+  test:
+    name: test (${{ matrix.os }})
+    needs: detect
+    if: needs.detect.outputs.has-source == 'true'
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Test (race + shuffle + coverage)
+        run: |
+          go test -race -shuffle=on -count=1 \
+            -covermode=atomic \
+            -coverprofile=coverage.out \
+            ./...
+
+      - name: Upload coverage to Codecov
+        if: matrix.os == 'ubuntu-latest'
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage.out
+          flags: core
+          fail_ci_if_error: true
+
+  build:
+    name: build (${{ matrix.goos }}/${{ matrix.goarch }})
+    needs: detect
+    if: needs.detect.outputs.has-source == 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+          - goos: linux
+            goarch: arm64
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          - goos: windows
+            goarch: amd64
+    env:
+      CGO_ENABLED: "0"
+      GOOS: ${{ matrix.goos }}
+      GOARCH: ${{ matrix.goarch }}
+    steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Build
+        run: go build -trimpath ./...
+
+  ci-pass:
+    name: ci pass
+    needs: [lint, test, build]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Aggregate
+        run: |
+          if [ "${{ needs.lint.result }}" != "success" ]; then
+            echo "lint failed"; exit 1
+          fi
+          if [ "${{ needs.test.result }}" != "success" ] && [ "${{ needs.test.result }}" != "skipped" ]; then
+            echo "test failed"; exit 1
+          fi
+          if [ "${{ needs.build.result }}" != "success" ] && [ "${{ needs.build.result }}" != "skipped" ]; then
+            echo "build failed"; exit 1
+          fi
+          echo "ci passed"

.github/workflows/codeql.yml

@@ -0,0 +1,63 @@
+name: codeql
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 7 * * 1"  # weekly Monday 07:00 UTC
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  analyze:
+    name: analyze go
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: "1.26"
+          cache: true
+
+      - name: Detect Go source
+        id: detect
+        shell: bash
+        run: |
+          if find . -name '*.go' -not -path './.*' -not -path './vendor/*' -not -path '*/testdata/*' -print -quit | grep -q .; then
+            echo "has-source=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has-source=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Initialize CodeQL
+        if: steps.detect.outputs.has-source == 'true'
+        uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
+        with:
+          languages: go
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        if: steps.detect.outputs.has-source == 'true'
+        uses: github/codeql-action/autobuild@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
+
+      - name: Analyze
+        if: steps.detect.outputs.has-source == 'true'
+        uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
+        with:
+          category: "/language:go"

.github/workflows/dependency-review.yml

@@ -0,0 +1,37 @@
+name: dependency-review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    name: review
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: on-failure
+          # License allowlist mirrors §14.7 of the bootstrap spec.
+          allow-licenses: >-
+            Apache-2.0,
+            BSD-2-Clause,
+            BSD-3-Clause,
+            ISC,
+            MIT,
+            MPL-2.0,
+            Unlicense,
+            CC0-1.0,
+            Zlib,
+            BSD-2-Clause-Patent