CI/CD Cleanup (#156)

* CI/CD Cleanup

* Restore creation of publish artifacts as part of matrix build as it seems faster

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/release-drafter.yml

@@ -0,0 +1,36 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+template: |
+  # What's Changed
+  $CHANGES
+categories:
+  - title: 'Breaking'
+    label: 'type: breaking'
+  - title: 'New'
+    label: 'type: feature'
+  - title: 'Bug Fixes'
+    label: 'type: bug'
+  - title: 'Maintenance'
+    label: 'type: maintenance'
+  - title: 'Documentation'
+    label: 'type: docs'
+  - title: 'Dependency Updates'
+    label: 'type: dependencies'
+
+version-resolver:
+  major:
+    labels:
+      - 'type: breaking'
+  minor:
+    labels:
+      - 'type: feature'
+  patch:
+    labels:
+      - 'type: bug'
+      - 'type: maintenance'
+      - 'type: docs'
+      - 'type: dependencies'
+      - 'type: security'
+
+exclude-labels:
+  - 'skip-changelog'

.github/workflows/ci-cd.yml

@@ -149,16 +149,17 @@ jobs:
             out/morphir/${{matrix.scala}}/**/native/
           key: ${{ runner.os }}-mill-native-${{matrix.java}}-${{ matrix.scala }}-${{ github.sha }}-${{ hashFiles('out') }}
 
-  publish-sonatype:
-    # when in master repo: all commits to main branch and all additional tags
-    if: github.repository == 'finos/morphir-jvm' && ( github.ref == 'refs/heads/main' || (github.ref != 'refs/heads/main' && startsWith( github.ref, 'refs/tags/') ) )
+  cd:    
     needs: [ci]
 
     runs-on: ubuntu-latest
+    # when in primary repo: all commits to main branch and all additional tags
+    if: github.repository == 'finos/morphir-jvm' && ( github.ref == 'refs/heads/main' || (github.ref != 'refs/heads/main' && startsWith( github.ref, 'refs/tags/') ) )      
 
     # only run one publish job for the same sha at the same time
     # e.g. when a main-branch push is also tagged
-    concurrency: publish-sonatype-${{ github.sha }}
+    concurrency: 
+      group: ${{ github.workflow}}-publish-${{ github.sha }}
 
     env:
       PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
@@ -260,7 +261,8 @@ jobs:
           key: ${{ runner.os }}-mill-native-11-3.3.1-${{ github.sha }}-${{ hashFiles('out') }}
           restore-keys: ${{ runner.os }}-mill-native-11-3.3.1-${{ github.sha }}-
 
-      - run: ./mill -i -j 0 io.kipp.mill.ci.release.ReleaseModule/publishAll
+      - name: Publish artifacts to Sonatype        
+        run: ./mill -i -j 0 io.kipp.mill.ci.release.ReleaseModule/publishAll
 
   ci:
     runs-on: ubuntu-latest

.github/workflows/github-dependency-graph.yml

@@ -0,0 +1,29 @@
+name: dependency-graph
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  submit-dependency-graph:
+    if: github.repository == 'finos/morphir-scala' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: coursier/cache-action@v6
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      # We want to see the transmitted graph in the logs
+      - run:  ./mill --import ivy:io.chris-kipp::mill-github-dependency-graph::0.2.6 showNamed io.kipp.mill.github.dependency.graph.Graph/generate
+
+      # Actually upload the graph
+      - uses: ckipp01/mill-dependency-submission@v1

.github/workflows/github-dependency-review.yml

@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+permissions:
+  contents: read
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: high