ci: updating some workflows and preparing for merge queues (#1464)

* update codeql analysis

* add merge_group to go linter

* update golangci_version in Makefile

* add diff condition on linter

* add paths to gosec.yml

* update md link checker

* add merge_group to test.yml

* add PR linter

* add workflow for adding issue labels

.github/issue_labeler.yml

@@ -0,0 +1,2 @@
+needs-triage: # if no label is set then set triage
+  - ''

.github/workflows/codeql.yml → .github/workflows/codeql-analysis.yml

@@ -2,18 +2,15 @@ name: "CodeQL"
 
 on:
   push:
-    branches:
-      - main
-      - feat/*
-
-    paths-ignore:
-      - "legacy_ibc_testing"
+    paths:
+      - "**.go"
   pull_request:
     branches:
       - main
+      - release/*
       - feat/*
-    paths-ignore:
-      - "legacy_ibc_testing"
+    paths:
+      - "**.go"
   schedule:
     #        ┌───────────── minute (0 - 59)
     #        │  ┌───────────── hour (0 - 23)
@@ -27,28 +24,33 @@ on:
     - cron: "30 1 * * 0"
 
 jobs:
-  CodeQL-Build:
-    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
+  analyze:
+    name: Analyze
     runs-on: ubuntu-latest
-
     permissions:
-      # required for all workflows
-      security-events: write
-
-      # only required for workflows in private repositories
       actions: read
       contents: read
+      security-events: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+          check-latest: true
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         # Override language selection by uncommenting this and choosing your languages
         with:
           languages: go
+          queries: +security-and-quality,github/codeql/go/ql/src/experimental/InconsistentCode/DeferInLoop.ql@main,github/codeql/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql@main,github/codeql/go/ql/src/experimental/CWE-369/DivideByZero.ql@main
+          packs: +crypto-com/cosmos-sdk-codeql
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).

.github/workflows/golangci-lint.yml

@@ -1,47 +1,34 @@
-name: golangci-lint
+name: Lint
 on:
   push:
-    tags:
-      - v*
     branches:
-      - master
       - main
+      - release/**
       - feat/*
   pull_request:
+  merge_group:
 permissions:
   contents: read
-  # Optional: allow read access to pull request. Use with `only-new-issues` option.
-  # pull-requests: read
 jobs:
   golangci:
-    name: lint
+    name: golangci-lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@v4
         with:
           go-version: '1.20'
-      - uses: actions/checkout@v4
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+      - uses: technote-space/[email protected]
+        id: git_diff
         with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.54.1
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
-          args: --config=.golangci.yml
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          # only-new-issues: true
-
-          # Optional: if set to true then the all caching functionality will be complete disabled,
-          #           takes precedence over all other caching options.
-          # skip-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            **/go.mod
+            **/go.sum
+      - uses: actions/checkout@v4
+      - name: run linting
+        if: env.GIT_DIFF
+        run: |
+          make lint
 
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true

.github/workflows/gosec.yml

@@ -1,13 +1,22 @@
-name: gosec
+name: Run Gosec
 on:
-  push:
+  pull_request:
+    paths:
+      - "**/*.go"
+      - "go.mod"
+      - "go.sum"
     branches:
       - main
       - feat/*
-  pull_request:
+  push:
     branches:
       - main
       - feat/*
+    paths:
+      - "**/*.go"
+      - "go.mod"
+      - "go.sum"
+
 jobs:
   Gosec:
     runs-on: ubuntu-latest

.github/workflows/issue_labeler.yml

@@ -0,0 +1,15 @@
+name: "Issue Labeler"
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: github/[email protected]
+        if: join(github.event.issue.labels) == ''
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0 

.github/workflows/lint-pr.yml

@@ -0,0 +1,47 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/[email protected]
+        id: lint_pr_title
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: marocchino/sticky-pull-request-comment@v2
+        # When the previous steps fails, the workflow would stop. By adding this
+        # condition you can continue the execution with the populated error message.
+        if: always() && (steps.lint_pr_title.outputs.error_message != null)
+        with:
+          header: pr-title-lint-error
+          message: |
+            Hey there and thank you for opening this pull request! 👋🏼
+
+            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+
+            Details:
+
+            ```
+            ${{ steps.lint_pr_title.outputs.error_message }}
+            ```
+
+      # Delete a previous comment when the issue has been resolved
+      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: pr-title-lint-error
+          delete: true

.github/workflows/md-link-checker.yml

@@ -0,0 +1,13 @@
+name: Check Markdown links
+on:
+  pull_request:
+    paths:
+      - "**.md"
+      - "!.github/**"
+      - "!.changelog/**"
+jobs:
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: gaurav-nelson/[email protected]

.github/workflows/test.yml

@@ -2,6 +2,7 @@ name: Test
 on:
   workflow_call:
   pull_request:
+  merge_group:
   push:
     branches:
       - main

Makefile

@@ -96,7 +96,7 @@ test-trace:
 ###                                Linting                                  ###
 ###############################################################################
 
-golangci_version=v1.52.2
+golangci_version=v1.54.1
 
 lint:
 	@echo "--> Running linter"