[ci] sync template files

.dockerignore

@@ -0,0 +1,11 @@
+Dockerfile
+.dockerignore
+**/node_modules/
+**/.git
+README.md
+npm-debug.log
+.coverage
+.coverage.*
+.env
+.aws
+.next

.github/renovate.json5

@@ -0,0 +1,31 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    ":disableDependencyDashboard",
+    ":semanticPrefixFixDepsChoreOthers",
+    ":ignoreModulesAndTests",
+    "workarounds:all",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "docker:disable",
+  ],
+  rangeStrategy: "bump",
+  ignorePaths: ["**/node_modules/**"],
+  packageRules: [
+    {
+      groupName: "github-actions",
+      matchManagers: ["github-actions"],
+    },
+    {
+      matchManagers: ["npm"],
+      groupName: "dependencies",
+      matchDepTypes: ["devDependencies", "dependencies", "peerDependencies"],
+      enabled: false,
+    },
+    {
+      description: "Disable package manager version updates",
+      matchPackageNames: ["pnpm"],
+      matchDepTypes: ["packageManager"],
+      enabled: false,
+    },
+  ],
+}

.github/workflows/deployment.yaml

@@ -0,0 +1,218 @@
+name: Deployment
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: docker.io
+  IMAGE_OWNER: trueberryless
+  IMAGE_NAME: starlight-subtle-top-level-items
+  NODE_VERSION: 20
+
+jobs:
+  changes:
+    name: Filter
+    runs-on: ubuntu-latest
+    outputs:
+      starlight: ${{ steps.filter.outputs.starlight }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            starlight:
+              - 'starlight/**'
+
+  changesets:
+    name: Changesets
+    runs-on: ubuntu-latest
+    outputs:
+      hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Generate GitHub App token
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.BOT_APP_ID }}
+          private_key: ${{ secrets.BOT_PRIVATE_KEY }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup PNPM
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+
+      - name: Setup Node
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+
+      - name: Install Dependencies
+        run: pnpm i
+
+      - name: Create Release Pull Request
+        uses: changesets/action@06245a4e0a36c064a573d4150030f5ec548e4fcc # v1.4.10
+        id: changesets
+        with:
+          version: pnpm run version
+          commit: "ci: release"
+          title: "ci: release [skip netlify]"
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token}}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Get published version
+        if: steps.changesets.outputs.hasChangesets == 'true'
+        run: |
+          git checkout changeset-release/main
+          VERSION=$(node -p "require('./starlight/package.json').version")
+          NAME=$(node -p "require('./starlight/package.json').name")
+          git commit --amend -m "ci: release $NAME v$VERSION" --no-edit
+          git push origin changeset-release/main:changeset-release/main --force
+
+  image-tag:
+    name: Image Tag
+    runs-on: ubuntu-latest
+    outputs:
+      IMAGE_TAG: ${{ env.IMAGE_TAG }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Read version from package.json
+        id: get_version
+        run: |
+          VERSION=$(jq -r '.version' starlight/package.json)
+          echo "IMAGE_TAG=$VERSION" >> $GITHUB_ENV
+
+  deployment:
+    needs: [changes, changesets, image-tag]
+    if: >
+      (
+        needs.changesets.outputs.hasChangesets == 'false' && 
+        (
+          contains(github.event.head_commit.message, 'deploy') || 
+          contains(github.event.head_commit.message, 'release')
+        )
+      ) || 
+      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup PNPM
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          package_json_file: ./starlight/package.json
+
+      - name: Setup Node
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: pnpm
+          cache-dependency-path: ./pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install
+        shell: bash
+        working-directory: ./starlight
+
+      - name: Build Website
+        run: pnpm run build
+        shell: bash
+        working-directory: ./starlight
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME }}:${{ needs.image-tag.outputs.IMAGE_TAG }}
+            ${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME }}:latest
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Update deployment.yaml file
+        run: |
+          yq eval '.spec.template.spec.containers[0].image = "${{ env.IMAGE_OWNER }}/${{ env.IMAGE_NAME }}:${{ needs.image-tag.outputs.IMAGE_TAG }}"' -i manifest/deployment.yaml
+
+      - uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        with:
+          commit_message: update deployment.json container image (automated)
+
+  release:
+    name: Release
+    needs: [image-tag, deployment]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - id: extract-changelog
+        uses: sean0x42/markdown-extract@7b185cbe85263116bbf741e739e7198ba86465dc # v2.1.0
+        with:
+          file: starlight/CHANGELOG.md
+          pattern: ${{ needs.image-tag.outputs.IMAGE_TAG }}
+
+      - uses: ncipollo/release-action@v1
+        id: create_release
+        with:
+          tag: ${{ env.IMAGE_NAME }}@${{ needs.image-tag.outputs.IMAGE_TAG }}
+          makeLatest: true
+          body: ${{ steps.extract-changelog.outputs.markdown }}
+          skipIfReleaseExists: true
+
+      - name: Check if release was created
+        id: check_release
+        run: |
+          if [ -z "${{ steps.create_release.outputs.html_url }}" ]; then
+            echo "RELEASE_SKIPPED=true" >> $GITHUB_ENV
+          else
+            echo "RELEASE_SKIPPED=false" >> $GITHUB_ENV
+          fi
+
+      - name: Discord notification
+        if: env.RELEASE_SKIPPED == 'false'
+        env:
+          DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_URL }}
+        uses: Ilshidur/action-discord@0c4b27844ba47cb1c7bee539c8eead5284ce9fa9 # 0.3.2
+        with:
+          args: |
+            # ${{ env.IMAGE_NAME }}@${{ needs.image-tag.outputs.IMAGE_TAG }}
+
+            ${{ steps.extract-changelog.outputs.markdown }}

.github/workflows/format.yaml

@@ -10,13 +10,13 @@ jobs:
   autofix:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup PNPM
-        uses: pnpm/action-setup@v3
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: 20
           cache: "pnpm"
@@ -32,6 +32,6 @@ jobs:
       - name: Run pngquant
         run: |
           shopt -s globstar
-          find . -name '*.png' -exec pngquant --ext .png --force 256 {} \;
+          find . -name '*.png' -exec pngquant --ext .png 256 {} \;
 
-      - uses: autofix-ci/action@ff86a557419858bb967097bfc916833f5647fa8c
+      - uses: autofix-ci/action@551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef

.github/workflows/labeler.yaml

@@ -11,12 +11,12 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: generate_token
-        uses: tibdex/github-app-token@v2.1.0
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         with:
           app_id: ${{ secrets.BOT_APP_ID }}
           private_key: ${{ secrets.BOT_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Ensure labels exist
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
@@ -49,7 +49,7 @@ jobs:
           gh label create "🏯 styles" --description "Stylesheets or design updates" --color "550F5A" --force
           gh label create "🔒 wontfix" --description "This will not be worked on" --color "FFFFFF" --force
 
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           configuration-path: .github/labeler.yaml
           sync-labels: true

.github/workflows/welcome-bot.yaml

@@ -15,19 +15,19 @@ jobs:
     steps:
       - name: Generate GitHub App token
         id: generate_token
-        uses: tibdex/github-app-token@v2.1.0
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         with:
           app_id: ${{ secrets.BOT_APP_ID }}
           private_key: ${{ secrets.BOT_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Convert Repository Name to Title Case
         id: convert_repo_name
         run: |
           REPO_NAME="${{ github.event.repository.name }}"
           TITLE_CASE_REPO_NAME=$(echo "$REPO_NAME" | sed 's/-/ /g' | awk '{for(i=1;i<=NF;i++) $i=toupper(substr($i,1,1)) tolower(substr($i,2))} 1')
           echo "title_case_repo_name=$TITLE_CASE_REPO_NAME" >> $GITHUB_ENV
-      - uses: zephyrproject-rtos/action-first-interaction@7e6446f8439d8b4399169880c36a3a12b5747699
+      - uses: zephyrproject-rtos/action-first-interaction@58853996b1ac504b8e0f6964301f369d2bb22e5c
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           pr-opened-message: |