chore: update from sync-files

.editorconfig

@@ -1,3 +1,4 @@
+
 # EditorConfig https://EditorConfig.org
 
 # top-most EditorConfig file
@@ -7,9 +8,20 @@ root = true
 [*]
 end_of_line = lf
 insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
 
-# Indentation override for all JS under lib directory
-[**.js]
+# Ensure we're standardising on 2 space soft-tabs for most files
+[*.md, *.markdown, *.yml, *.yaml, *.json, *.js, *.ts, *.tsx, *.sh]
 indent_style = space
 indent_size = 2
-charset = utf-8
+
+# Makefile specific
+[Makefile]
+indent_style = tab
+indent_size = 4
+
+# Python specific
+[*.py, *.pyi]
+indent_style = space
+indent_size = 4

.github/pull_request_template.md

@@ -1 +1,24 @@
-# Summary of changes
+# Description
+
+Please include a summary of the change and which issue is fixed along with any relevant motivation, context and any dependencies that are required for this change.
+
+-
+- Fixes #
+
+## Breaking Changes
+
+Are there any breaking changes in this PR, If yes, please list them.
+
+## How Has This Been Tested?
+
+Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
+
+- Test 1
+- Test 2
+
+## Checklist
+
+- [ ] I have performed a self-review of my own code.
+- [ ] I have commented my code, particularly in hard-to-understand areas.
+- [ ] I have made corresponding changes to the documentation.
+- [ ] My changes generate no new warnings.

.github/workflows/codeball.yml

@@ -0,0 +1,38 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: Codeball
+
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+      - "!repo-sync/**"
+      - "!renovate/**"
+      - "!update/pre-commit-hooks/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+  checks: write
+
+# One build per branch, cancel out of date builds
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codeball-review:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    name: Run Codeball Code Review
+    steps:
+      - name: Codeball AI Actions
+        uses: sturdy-dev/codeball-action@v2
+        with:
+          approvePullRequests: "false"
+          labelPullRequestsWhenApproved: "true"
+          labelPullRequestsWhenReviewNeeded: "true"
+          failJobsWhenReviewNeeded: "false"

.github/workflows/detect-secrets.yml

@@ -0,0 +1,44 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: "Detect Secrets"
+
+# https://github.com/Yelp/detect-secrets
+
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+      - "!repo-sync/**"
+      - "!renovate/**"
+      - "!update/pre-commit-hooks/**"
+  workflow_dispatch:
+
+jobs:
+  detect-secrets:
+    name: "Detect Secrets in Code"
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+      - name: run detect-secrets
+        uses: reviewdog/action-detect-secrets@master
+        with:
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          fail_on_error: "true"
+          level: warning
+          detect_secrets_flags: "--all-files --force-use-all-plugins"
+          # filter_mode: "nofilter" # Optional. Check all files, not just the diff
+#
+# Allowlisting Secrets
+#
+# It is possible to disable detection for individual lines of code in case of false positives.
+# To do this, add a comment at the end of the line with text `pragma: allowlist secret`
+#
+# public_key: |  # pragma: allowlist secret
+#    gX69YO4CvBsVjzAwYxdG
+#    yDd30t5+9ez31gKATtj4
+#
+# Or add a comment with the text `pragma: allowlist nextline secret` before the line.
+# pragma: allowlist nextline secret
+# public_key = gX69YO4CvBsVjzAwYxdG

.github/workflows/label-sync.yml

@@ -0,0 +1,32 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: "Sync Available Github Labels"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 4 * * *"
+
+permissions:
+  pull-requests: write
+  contents: read
+  issues: write
+
+# One build per branch, cancel out of date builds
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sync-labels:
+    name: Sync Github Labels
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+      - uses: EndBug/label-sync@2155ba23e047b09a88c8a2f577fa370307d171f4 # tag=v2
+        with:
+          delete-other-labels: true
+          dry-run: false
+          token: ${{ secrets.GITHUB_TOKEN }}
+          config-file: .github/config/labels.yml

.github/workflows/lint-codeowners.yml

@@ -0,0 +1,36 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: "Lint CODEOWNERS"
+on:
+  pull_request:
+    paths:
+      - "**/CODEOWNERS"
+    branches:
+      - main
+      - master
+
+# One build per branch, cancel out of date builds
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  issues: write
+  pull-requests: write
+  statuses: write
+  checks: write
+  contents: read
+  security-events: read
+
+jobs:
+  lint-codeowners:
+    name: "Lint CODEOWNERS file"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # tag=v0.7.4
+        with:
+          checks: "files,duppatterns,syntax"
+          experimental_checks: "avoid-shadowing"
+          github_access_token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/lint-docker.yml

@@ -0,0 +1,34 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: "Lint Docker"
+
+on:
+  pull_request:
+    paths:
+      - "**/Dockerfile.*"
+      - "**/docker-compose.*"
+    branches:
+      - main
+      - master
+      - "!repo-sync/**"
+      - "!renovate/**"
+      - "!update/pre-commit-hooks/**"
+  workflow_dispatch:
+
+jobs:
+  hadolint:
+    name: "Lint Docker with hadolint"
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+      - name: run tflint
+        uses: reviewdog/action-hadolint@master
+        with:
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          fail_on_error: "false"
+          level: warning
+          filter_mode: "nofilter" # Optional. Check all files, not just the diff
+          # tflint_version: "v0.24.0" # Optional. Custom version, instead of latest
+          # tflint_rulesets: "azurerm google" # Optional. Extra official rulesets to install
+          # flags: "--module" # Optional. Add custom tflint flags

.github/workflows/lint-pr-actions-skip.yml

@@ -0,0 +1,37 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: "Lint Github Actions Workflows"
+
+# This is a gross hack to allow PRs that don't require a specific workflow to run (e.g. don't lint files not touched) by providing a positive status check in their place.
+# This workflow runs on an inverse match using the paths-ignore filter, so it will only run if the PR doesn't touch any of the paths that the other linting workflow does
+# The "name:" must match the name of the workflow it's skipping.
+# As recommended by Github - https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+    branches:
+      - main
+      - master
+      - "!repo-sync/**"
+      - "!renovate/**"
+      - "!update/pre-commit-hooks/**"
+    paths-ignore:
+      - ".github/**"
+
+# One build per branch, cancel out of date builds
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint-actions-workflows:
+    name: Lint Actions Workflows
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    steps:
+      - run: echo "This workflow is a placeholder for PRs that don't require linting of Github Actions workflows"

.github/workflows/lint-pr-actions.yml

@@ -0,0 +1,45 @@
+#### THIS FILE IS MANAGED BY AN AUTOMATED WORKFLOW ####
+
+name: "Lint Github Actions Workflows"
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+    branches:
+      - main
+      - master
+      - "!repo-sync/**"
+      - "!renovate/**"
+      - "!update/pre-commit-hooks/**"
+    paths:
+      - ".github/**"
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
+# One build per branch, cancel out of date builds
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint-actions-workflows:
+    name: Lint Actions Workflows
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+      - uses: reviewdog/action-actionlint@46bb1b6f2d05d10a2c2851ee235fe36a0ad2daa5 # tag=v1
+        with:
+          actionlint_flags: -color -ignore 'SC2086' -ignore 'SC2129'
+          fail_on_error: false
+          level: error
+          reporter: github-pr-review
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}