update

.github/dependabot.yml

@@ -0,0 +1,33 @@
+version: 2
+updates:
+  # Go modules
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "dependabot[bot]"
+    assignees:
+      - "dependabot[bot]"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "dependabot[bot]"
+    assignees:
+      - "dependabot[bot]"
+    commit-message:
+      prefix: "ci"
+      include: "scope"

.github/workflows/README.md

@@ -0,0 +1,111 @@
+# GitHub Actions Workflows
+
+This directory contains the CI/CD workflows for the Devour project.
+
+## Workflows
+
+### 1. CI/CD Pipeline (`ci.yml`)
+
+**Triggers:**
+- Push to `main` or `develop` branches
+- Pull requests to `main` or `develop` branches
+- Release publications
+
+**Jobs:**
+- **Test**: Runs unit tests with race detection and uploads coverage to Codecov
+- **Lint**: Runs golangci-lint for code quality checks
+- **Security**: Scans for security vulnerabilities using Gosec
+- **Build**: Builds cross-platform binaries (Linux, Windows, macOS) for amd64/arm64
+- **Docker**: Builds and pushes Docker images to Docker Hub
+- **Release**: Creates GitHub releases with compiled binaries
+
+### 2. Code Quality (`quality.yml`)
+
+**Triggers:**
+- Push to `main` or `develop` branches
+- Pull requests to `main` or `develop` branches
+
+**Checks:**
+- `go vet` for potential issues
+- Code formatting with `gofmt`
+- Inefficient assignments with `ineffassign`
+- Spelling errors with `misspell`
+- Static analysis with `staticcheck`
+- TODO/FIXME comment detection
+- `go mod tidy` validation
+- Code coverage threshold (minimum 80%)
+- SonarCloud analysis (optional)
+
+### 3. Dependabot (`dependabot.yml`)
+
+**Features:**
+- Weekly dependency updates for Go modules
+- Weekly GitHub Actions updates
+- Automatic pull requests with dependency updates
+
+## Required Secrets
+
+To enable all features, add these secrets to your GitHub repository:
+
+### Docker Hub Integration
+- `DOCKER_USERNAME`: Your Docker Hub username
+- `DOCKER_PASSWORD`: Your Docker Hub password or access token
+
+### SonarCloud Integration (Optional)
+- `SONAR_TOKEN`: Your SonarCloud project token
+
+## Environment Variables
+
+- `GO_VERSION`: Set to '1.24' (can be updated in workflows)
+
+## Build Artifacts
+
+### Binaries
+The CI pipeline builds binaries for:
+- Linux (amd64, arm64)
+- Windows (amd64)
+- macOS (amd64, arm64)
+
+### Docker Images
+- Multi-platform images (linux/amd64, linux/arm64)
+- Tags: branch name, PR number, semantic version tags
+
+## Coverage Reports
+
+- Test coverage is uploaded to Codecov
+- Minimum coverage threshold: 80%
+- Coverage reports are generated for each test run
+
+## Security Scanning
+
+- Gosec security scanner runs on every push/PR
+- SARIF results are uploaded to GitHub Security tab
+- Dependencies are automatically updated by Dependabot
+
+## Local Development
+
+To run the same checks locally:
+
+```bash
+# Run tests with coverage
+make test-coverage
+
+# Run linting
+make lint
+
+# Format code
+make fmt
+
+# Build for production
+make build-prod
+
+# Build Docker image
+make docker
+```
+
+## Release Process
+
+1. Create a new tag: `git tag v1.0.0`
+2. Push the tag: `git push origin v1.0.0`
+3. Create a GitHub release (or let the workflow create it automatically)
+4. Binaries and Docker images will be built and published automatically

.github/workflows/ci.yml

@@ -0,0 +1,220 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  release:
+    types: [ published ]
+
+env:
+  GO_VERSION: '1.24'
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Cache Go modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Download dependencies
+      run: go mod download
+
+    - name: Run tests
+      run: go test -v -race -coverprofile=coverage.out ./...
+
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v4
+      with:
+        file: ./coverage.out
+        flags: unittests
+        name: codecov-umbrella
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Run golangci-lint
+      uses: golangci/golangci-lint-action@v6
+      with:
+        version: latest
+        args: --timeout=5m
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Run Gosec Security Scanner
+      uses: securecodewarrior/github-action-gosec@master
+      with:
+        args: '-no-fail -fmt sarif -out results.sarif ./...'
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: [test, lint]
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin]
+        goarch: [amd64, arm64]
+        exclude:
+          - goos: windows
+            goarch: arm64
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Cache Go modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Download dependencies
+      run: go mod download
+
+    - name: Build binary
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+      run: |
+        VERSION=${GITHUB_REF#refs/tags/}
+        if [[ $VERSION == refs/heads/* ]]; then
+          VERSION=${GITHUB_SHA::7}
+        fi
+        BINARY_NAME=devour-${{ matrix.goos }}-${{ matrix.goarch }}
+        if [ "${{ matrix.goos }}" = "windows" ]; then
+          BINARY_NAME+=.exe
+        fi
+        mkdir -p dist
+        CGO_ENABLED=0 go build -ldflags "-s -w -X main.Version=$VERSION -X main.BuildTime=$(date -u '+%Y-%m-%d_%H:%M:%S')" -o dist/$BINARY_NAME ./cmd/devour
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: devour-${{ matrix.goos }}-${{ matrix.goarch }}
+        path: dist/
+
+  docker:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    needs: [test, lint]
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.event_name == 'release')
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to Docker Hub
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+
+    - name: Extract metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: yourorg/devour
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        platforms: linux/amd64,linux/arm64
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: github.event_name == 'release'
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Download all artifacts
+      uses: actions/download-artifact@v4
+      with:
+        path: artifacts/
+
+    - name: Create release assets
+      run: |
+        mkdir -p release-assets
+        cd artifacts
+        for dir in */; do
+          cd "$dir"
+          if [[ $dir == *windows* ]]; then
+            zip -r "../../release-assets/${dir%/}.zip" *
+          else
+            tar -czf "../../release-assets/${dir%/}.tar.gz" *
+          fi
+          cd ..
+        done
+
+    - name: Upload release assets
+      uses: softprops/action-gh-release@v2
+      with:
+        files: release-assets/*
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/quality.yml

@@ -0,0 +1,86 @@
+name: Code Quality
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  quality-check:
+    name: Quality Analysis
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: '1.24'
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Run go fmt check
+      run: |
+        if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then
+          echo "The following files are not formatted:"
+          gofmt -s -l .
+          exit 1
+        fi
+
+    - name: Run ineffassign
+      run: |
+        go install github.com/gordonklaus/ineffassign@latest
+        ineffassign ./...
+
+    - name: Run misspell
+      run: |
+        go install github.com/client9/misspell/cmd/misspell@latest
+        misspell -error .
+
+    - name: Run staticcheck
+      run: |
+        go install honnef.co/go/tools/cmd/staticcheck@latest
+        staticcheck ./...
+
+    - name: Check for TODO/FIXME comments
+      run: |
+        if grep -r "TODO\|FIXME" --include="*.go" .; then
+          echo "Found TODO/FIXME comments. Please address them or add to issue tracker."
+          exit 1
+        fi
+
+    - name: Run go mod tidy check
+      run: |
+        go mod tidy
+        if [[ -n $(git status --porcelain go.mod go.sum) ]]; then
+          echo "go.mod or go.sum is not tidy"
+          git diff go.mod go.sum
+          exit 1
+        fi
+
+    - name: Calculate code coverage
+      run: |
+        go test -coverprofile=coverage.out ./...
+        go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//' > coverage.txt
+        echo "Coverage: $(cat coverage.txt)%"
+
+    - name: Check coverage threshold
+      run: |
+        COVERAGE=$(cat coverage.txt)
+        THRESHOLD=80
+        if (( $(echo "$COVERAGE < $THRESHOLD" | bc -l) )); then
+          echo "Coverage $COVERAGE% is below threshold $THRESHOLD%"
+          exit 1
+        fi
+        echo "Coverage $COVERAGE% meets threshold $THRESHOLD%"
+
+    - name: SonarCloud Scan
+      uses: SonarSource/sonarcloud-github-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.gitignore

@@ -65,3 +65,7 @@ debug.test
 
 # Air live reload
 tmp/
+
+# Project-specific directories
+.opencode/
+desloppify/