ci: configure ci (#54)

Author: ymgyt

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @ymgyt

.github/dependabot.yaml

@@ -3,9 +3,8 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: monthly
-
+      interval: weekly
   - package-ecosystem: cargo
     directory: /
     schedule:
-      interval: monthly
+      interval: weekly

.github/workflows/ci.yaml

@@ -2,7 +2,10 @@ name: CI
 on:
   workflow_dispatch:
   pull_request:
+    types: [opened, synchronize, reopened]
   push:
+    branches:
+      - main
     paths:
       - '**.rs'
       - rust-toolchain.toml
@@ -11,6 +14,7 @@ on:
 jobs:
   tests:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@V27
@@ -28,3 +32,21 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: result
+  dependabot-auto-merge:
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    needs: [tests]
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: meta
+        uses: dependabot/fetch-metadata@v2
+        # merge this PR if update is a semver patch 
+      - if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' }}
+        run: |
+          gh pr review "${GITHUB_HEAD_REF}" --approve
+          gh pr merge "${GITHUB_HEAD_REF}" --squash --auto

.github/workflows/release_image.yml

@@ -1,4 +1,4 @@
-name: Publish docker image
+name: Container
 on:
   workflow_dispatch:
     inputs:
@@ -11,6 +11,7 @@ on:
       - '*-v[0-9]+.[0-9]+.[0-9]+*'
 jobs:
   publish-synd-api-image:
+    timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

docs/ci.md

@@ -0,0 +1,27 @@
+# CI
+
+## GitHub Actions
+
+### Secrets
+
+| Secret               | Usage                           | GeneratedAt                                                      | ManagedBy | 
+| ---                  | ---                             | ---                                                              | ---       |
+| `CACHIX_AUTH_TOKEN`  | Read and Write cachix cache     | [cachix](https://app.cachix.org/personal-auth-tokens)            | @ymgyt    |
+| `CODECOV_TOKEN`      | Upload test coverage to codecov | [codecov](https://app.codecov.io/gh/ymgyt/syndicationd/settings) | @ymgyt    |
+| `HOMEBREW_TAP_TOKEN` | Push to [homebrew repo](https://github.com/ymgyt/homebrew-syndicationd/tree/main) by cargo-dist | [github](https://github.com/settings/tokens)       | @ymgyt | 
+| `NPM_TOKEN`          | Push to [npm registry](https://www.npmjs.com/settings/syndicationd/packages) by cargo-dist      | [npm](https://www.npmjs.com/settings/ymgyt/tokens) | @ymgyt |
+
+
+#### `HOMEBREW_TAP_TOKEN`
+
+* [cargo-dist doc](https://opensource.axo.dev/cargo-dist/book/installers/homebrew.html)
+* `repo` scope is required
+
+#### `NPM_TOKEN`
+
+* [cargo-dist doc](https://opensource.axo.dev/cargo-dist/book/installers/npm.html)
+* Packages and scopes: Read and write
+  * Select packages: All packages (NOTE: because the package does not yet exist, you must pick this. However, you can (and probably should!) update this to scope the token to a single package after publish. This is sadly a limitation of the npm token system.)
+  * Organizations: No access
+
+