chore(deps): upgrade ci to use new build and linting

.github/commitlint.config.mjs

@@ -0,0 +1,22 @@
+import { RuleConfigSeverity } from '@commitlint/types';
+
+export default {
+  extends: ['@commitlint/config-conventional'],
+  parserPreset: 'conventional-changelog-conventionalcommits',
+  rules: {
+    'scope-enum': [RuleConfigSeverity.Error, 'always', [
+        '',
+        'deps',
+        'egress-api-container',
+        'egress-ui-container',
+        'main-api-container',
+        'main-ui-container',
+        'tre-api-container',
+        'tre-ui-container',
+        'tre-hasura-container',
+        'tre-sql-pg-container',
+        'tre-sql-trino-container'
+    ]],
+    'subject-case': [RuleConfigSeverity.Error, 'never', []],
+  }
+};

.github/labeler.yaml

@@ -0,0 +1,56 @@
+# Release branches where trunk branches are merge-committed to trigger releases
+
+release:
+- base-branch:
+  - 'main'
+  - 'maintenance/.+/[0-9]+\.([0-9]+|x)\.x'
+
+# Label any maintenance branch, trunk and release
+
+maintenance:
+- base-branch:
+  - 'maintenance/.+/[0-9]+\.([0-9]+|x)\.x'
+
+# Label PRs into the main branch
+
+main:
+- base-branch:
+  - 'main'
+
+# Labels for PRs on asset specific branches
+
+egress-api-container:
+- base-branch:
+  - '.+/egress-api-container(/.+)?'
+
+egress-ui-container:
+- base-branch:
+  - '.+/egress-ui-container(/.+)?'
+
+main-api-container:
+- base-branch:
+  - '.+/main-api-container(/.+)?'
+
+main-ui-container:
+- base-branch:
+  - '.+/main-ui-container(/.+)?'
+
+tre-api-container:
+- base-branch:
+  - '.+/tre-api-container(/.+)?'
+
+tre-ui-container:
+- base-branch:
+  - '.+/tre-ui-container(/.+)?'
+
+tre-hasura-container:
+- base-branch:
+  - '.+/tre-hasura-container(/.+)?'
+
+tre-sql-pg-container:
+- base-branch:
+  - '.+/tre-sql-pg-container(/.+)?'
+
+tre-sql-trino-container:
+- base-branch:
+  - '.+/tre-sql-trino-container(/.+)?'

.github/pull_request_template.md

@@ -0,0 +1,14 @@
+## :construction: Suggest a change
+
+A clear and concise description of what you are changing.
+
+## :memo: Pre-merge checklist
+
+Ready to merge? Do not merge until all checks are satisfied.
+- [ ] :chart: Have all `required` CI checks passed on the most recent commit?
+- [ ] :black_nib: Is the PR title a valid and meaningful conventional-commit message? ie. `type(scope): summary`
+- [ ] :boom: Are `breaking changes` declared in the PR title in conventional-commit style? ie. `type!(scope): summary`
+- [ ] :art: Does new code follow the code style of this project? 
+- [ ] :mag: Has new code been spellchecked and linted?
+- [ ] :book: Have docs been updated where necessary?
+- [ ] :poop: Have commits been checked for accidental file inclusions?

.github/workflows/egress-api-container.yaml

@@ -2,13 +2,34 @@ name: Egress API Container
 
 on:
   pull_request:
+    # Ignore PRs on branches specifically intended for other assets
+    branches-ignore:
+      - '*/egress-ui-container*'
+      - '*/main-api-container*'
+      - '*/main-ui-container*'
+      - '*/tre-api-container*'
+      - '*/tre-ui-container*'
+      - '*/tre-hasura-container*'
+      - '*/tre-sql-pg-container*'
+      - '*/tre-sql-trino-container*'
+    # Only consider PRs that change files for this asset, including ci scripts
     paths:
+      - '.github/workflows/egress-api-container.yaml'
       - 'src/Data-Egress-API/**'
       - 'src/BL/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
   push:
+    # Only release off of release and maintenance branches for this asset
     branches:
-      - main
+      - 'maintenance/egress-api-container/[0-9]+.x.x'
+      - 'maintenance/egress-api-container/[0-9]+.[0-9]+.x'
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
     paths:
+      - '.github/workflows/egress-api-container.yaml'
       - 'src/Data-Egress-API/**'
       - 'src/BL/**'
 
@@ -19,9 +40,12 @@ permissions:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
+  # Needed to generate releases safely
   cancel-in-progress: false
 
 jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
   egress-api-container:
     uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@v1.8.1-containers
     with:
@@ -30,7 +54,11 @@ jobs:
       registry-user: ${{ vars.HARBOR_USER }}
       registry-repo: ${{ vars.HARBOR_PROJECT }}/${{ vars.HARBOR_REPO }}-egress-api
       release-tag-format: 'DARE-Egress-API-Container-${version}'
-      cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+      release-branches: |
+        [
+          'maintenance/egress-api-container/[0-9]+\.([0-9]+|x)\.x',
+          'main'
+        ]cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
       slack-channel: ${{ vars.SLACK_CHANNEL }}
       build-file: src/Data-Egress-API/Dockerfile
       build-context: src

.github/workflows/egress-ui-container.yaml

@@ -2,13 +2,34 @@ name: Egress UI Container
 
 on:
   pull_request:
+    # Ignore PRs on branches specifically intended for other assets
+    branches-ignore:
+      - '*/egress-api-container*'
+      - '*/main-api-container*'
+      - '*/main-ui-container*'
+      - '*/tre-api-container*'
+      - '*/tre-ui-container*'
+      - '*/tre-hasura-container*'
+      - '*/tre-sql-pg-container*'
+      - '*/tre-sql-trino-container*'
+    # Only consider PRs that change files for this asset, including ci scripts
     paths:
+      - '.github/workflows/egress-ui-container.yaml'
       - 'src/Data-Egress-UI/**'
       - 'src/BL/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
   push:
+    # Only release off of release and maintenance branches for this asset
     branches:
-      - main
+      - 'maintenance/egress-ui-container/[0-9]+.x.x'
+      - 'maintenance/egress-ui-container/[0-9]+.[0-9]+.x'
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
     paths:
+      - '.github/workflows/egress-ui-container.yaml'
       - 'src/Data-Egress-UI/**'
       - 'src/BL/**'
 
@@ -19,9 +40,12 @@ permissions:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
+  # Needed to generate releases safely
   cancel-in-progress: false
 
 jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
   egress-ui-container:
     uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@v1.8.1-containers
     with:
@@ -30,6 +54,11 @@ jobs:
       registry-user: ${{ vars.HARBOR_USER }}
       registry-repo: ${{ vars.HARBOR_PROJECT }}/${{ vars.HARBOR_REPO }}-egress-ui
       release-tag-format: 'DARE-Egress-UI-Container-${version}'
+      release-branches: |
+        [
+          'maintenance/egress-ui-container/[0-9]+\.([0-9]+|x)\.x',
+          'main'
+        ]
       cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
       slack-channel: ${{ vars.SLACK_CHANNEL }}
       build-file: src/Data-Egress-UI/Dockerfile

.github/workflows/main-api-container.yaml

@@ -0,0 +1,70 @@
+name: Main API Container
+
+on:
+  pull_request:
+    # Ignore PRs on branches specifically intended for other assets
+    branches-ignore:
+      - '*/egress-api-container*'
+      - '*/egress-ui-container*'
+      - '*/main-ui-container*'
+      - '*/tre-api-container*'
+      - '*/tre-ui-container*'
+      - '*/tre-hasura-container*'
+      - '*/tre-sql-pg-container*'
+      - '*/tre-sql-trino-container*'
+    # Only consider PRs that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/main-api-container.yaml'
+      - 'src/DARE-API/**'
+      - 'src/BL/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
+  push:
+    # Only release off of release and maintenance branches for this asset
+    branches:
+      - 'maintenance/main-api-container/[0-9]+.x.x'
+      - 'maintenance/main-api-container/[0-9]+.[0-9]+.x'
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/main-api-container.yaml'
+      - 'src/DARE-API/**'
+      - 'src/BL/**'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # Needed to generate releases safely
+  cancel-in-progress: false
+
+jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
+  main-api-container:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@v1.8.1-containers
+    with:
+      job-name: main-api-container
+      registry: ${{ vars.HARBOR_REGISTRY }}
+      registry-user: ${{ vars.HARBOR_USER }}
+      registry-repo: ${{ vars.HARBOR_PROJECT }}/${{ vars.HARBOR_REPO }}-main-api
+      release-tag-format: 'DARE-Control-API-Container-${version}'
+      release-branches: |
+        [
+          'maintenance/main-api-container/[0-9]+\.([0-9]+|x)\.x',
+          'main'
+        ]
+      cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+      slack-channel: ${{ vars.SLACK_CHANNEL }}
+      build-file: src/DARE-API/Dockerfile
+      build-context: src
+    secrets:
+      cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+      registry-token: ${{ secrets.HARBOR_TOKEN }}
+      slack-token: ${{ secrets.SLACK_TOKEN }}