chore: repository launch-readiness, supply-chain security, CI, and docs improvements

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+github: [Gsbreddy]
+# TODO: enable additional funding ecosystems as they are set up.
+# patreon: # Replace with a single Patreon username
+# open_collective: # Replace with a single Open Collective username
+# ko_fi: # Replace with a single Ko-fi username
+# tidelift: # Replace with a single Tidelift platform-name/package-name
+# community_bridge: # Replace with a single Community Bridge project-name
+# liberapay: # Replace with a single Liberapay username
+# issuehunt: # Replace with a single IssueHunt username
+# otechie: # Replace with a single Otechie username
+# lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name
+# custom: # Replace with up to 4 custom sponsorship URLs

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security disclosure
+    url: https://github.com/flightdeckdev/flightdeck/security/advisories/new
+    about: Report a vulnerability privately.
+  - name: Discussion / Q&A
+    url: https://github.com/flightdeckdev/flightdeck/discussions
+    about: Ask questions or share use cases.
+  - name: Documentation
+    url: https://github.com/flightdeckdev/flightdeck#documentation
+    about: Read CLI, HTTP API, policy, and operator docs.

.github/dependabot.yml

@@ -0,0 +1,57 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "automated"
+    groups:
+      python-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "pip"
+    directory: "/docs"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "automated"
+      - "docs"
+
+  - package-ecosystem: "npm"
+    directory: "/web"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "automated"
+    groups:
+      npm-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "automated"
+    groups:
+      actions-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/ci.yml

@@ -7,11 +7,12 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.12"]
+        os: [ubuntu-latest, windows-latest]
+        python-version: ["3.11", "3.12", "3.13"]
 
     steps:
       - name: Checkout
@@ -24,6 +25,11 @@ jobs:
           cache: npm
           cache-dependency-path: web/package-lock.json
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
       - name: Set up uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -34,6 +40,8 @@ jobs:
         run: uv sync --frozen --extra dev
 
       - name: Build web UI
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        shell: bash
         run: |
           cd web
           npm ci
@@ -42,12 +50,16 @@ jobs:
           git diff --exit-code src/flightdeck/server/static/
 
       - name: Playwright E2E (served UI)
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        shell: bash
         run: |
           cd web
           npx playwright install chromium
           npm run test:e2e
 
       - name: Playwright E2E (approval workspace)
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        shell: bash
         env:
           FD_E2E_FORCE_APPROVAL: "1"
         run: |
@@ -62,6 +74,8 @@ jobs:
         run: uv run python -m pytest --cov=flightdeck --cov-fail-under=80 --cov-report=term
 
       - name: JSON Schemas drift check
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        shell: bash
         run: |
           uv run python scripts/generate_schemas.py
           git diff --exit-code schemas/
@@ -90,6 +104,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
       - name: Set up uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -104,79 +123,3 @@ jobs:
 
       - name: Integration tests
         run: uv run python -m pytest tests/test_integrations.py tests/test_integrations_langchain.py
-
-  test-windows:
-    runs-on: windows-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.12"]
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: npm
-          cache-dependency-path: web/package-lock.json
-
-      - name: Set up uv
-        uses: astral-sh/setup-uv@v5
-        with:
-          enable-cache: true
-          python-version: ${{ matrix.python-version }}
-
-      - name: Sync dependencies
-        run: uv sync --frozen --extra dev
-
-      - name: Build web UI
-        shell: bash
-        run: |
-          cd web
-          npm ci
-          npm run build
-          cd ..
-          git diff --exit-code src/flightdeck/server/static/
-
-      - name: Playwright E2E (served UI)
-        shell: bash
-        run: |
-          cd web
-          npx playwright install chromium
-          npm run test:e2e
-
-      - name: Playwright E2E (approval workspace)
-        shell: bash
-        env:
-          FD_E2E_FORCE_APPROVAL: "1"
-        run: |
-          cd web
-          npx playwright install chromium
-          npx playwright test e2e/actions-approval.spec.ts
-
-      - name: Lint
-        run: uv run python -m ruff check src tests
-
-      - name: Test
-        run: uv run python -m pytest --cov=flightdeck --cov-fail-under=80 --cov-report=term
-
-      - name: JSON Schemas drift check
-        run: |
-          uv run python scripts/generate_schemas.py
-          git diff --exit-code schemas/
-
-      - name: Quickstart smoke (cross-platform)
-        run: uv run flightdeck-quickstart-verify
-
-      - name: Example CI ledger gate
-        env:
-          FD_PROJECT: ${{ github.workspace }}
-          WORKSPACE: ${{ runner.temp }}/fd-ledger-gate-${{ github.run_id }}-${{ github.run_attempt }}
-          QUICKSTART_ROOT: ${{ github.workspace }}/examples/quickstart
-        run: uv run python examples/ci/ledger_gate.py
-
-      - name: CLI smoke
-        run: uv run flightdeck --help

.github/workflows/codeql.yml

@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 8 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['python', 'javascript-typescript']
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/docker-publish.yml

@@ -0,0 +1,72 @@
+name: docker-publish
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+  workflow_dispatch:
+    inputs:
+      push_latest:
+        description: 'Tag the resulting image as :latest (uncheck for backport / hotfix releases that should not move :latest backwards).'
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/flightdeckdev/flightdeck
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest,enable=${{ github.event_name == 'push' || inputs.push_latest }}
+          flavor: |
+            latest=false
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: examples/deploy
+          file: examples/deploy/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          provenance: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/flightdeckdev/flightdeck
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true