Composite action versioning

.gitattributes

@@ -1,8 +1,13 @@
+# Normalize all text files to LF in the repo; always check out with LF
 * text eol=lf
+
+# Binary assets (no diffs)
 *.zip binary
-*.ico binary
 *.png binary
 *.gif binary
 *.jpg binary
 *.jpeg binary
-*.svg binary
+*.ico binary
+
+# SVG is text (keep diffs readable)
+*.svg text

.github/CODEOWNERS

@@ -1 +1 @@
-* @OpenSesame/core
+* @OpenSesame/core-domain-operators

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,13 +1,31 @@
-## Dependencies of PR
+# PR Summary
 
-<!-- Please list any dependencies this pull request has -->
+Jira: [https://opensesame.atlassian.net/browse/CORE-XXXX]
 
 ## Description of Changes
 
-<!-- Please describe the changes you made -->
+<!-- Describe the changes you made andy why -->
+
+## Versioning
+
+⚠️ Components in this repo are used by multiple repos and teams. Breaking changes to non-versioned components are high-risk. Always apply correct versioning to versioned components to ensure safe, controlled updates.
+
+Versioned components live under `./github/actions`
+
+Does this PR modify a versioned component?
+
+- [ ] **No** — label this PR with `version:untracked`
+- [ ] **Yes**
+  - Add a version label: `version:<component-name>:vX.Y.Z`
+  - Ensure the component’s `CHANGELOG.md` includes a `## vX.Y.Z` entry
+  - Use `version:untracked` **only** if changes do _not_ alter behavior, inputs, or outputs
+
+**If version labels are incorrect or missing, automated version validation will fail and block merge.**
+
+## Dependencies of PR
+
+<!-- Please list any dependencies this pull request has -->
 
 ## Testing
 
 <!-- Please describe any testing you ran manually -->
-
-[Jira Task Link](https://opensesame.atlassian.net/browse/)

.github/actions/TEMPLATE/CHANGELOG_TEMPLATE.md

@@ -0,0 +1,21 @@
+# {action-name} action Changelog
+
+All notable changes to the **{action-name}** action are documented in this file.
+
+## v{semver}
+
+### Added
+
+- ...
+
+### Changed
+
+- ...
+
+### Fixed
+
+- ...
+
+### Removed
+
+- ...

.github/actions/TEMPLATE/README_TEMPLATE.md

@@ -0,0 +1,85 @@
+# {action-name} Action
+
+## 🧭 Summary
+
+<!-- Brief description of what this action does -->
+
+## Scope/Limitations
+
+<!-- Describe supported scenarios and known constraints -->
+
+## 🔒 Permissions
+
+<!-- Adjust for the permissions necessary for the action -->
+
+The following GHA permissions are required to use this step:
+
+```yaml
+permissions:
+  contents: read
+```
+
+## Dependencies
+
+<!-- List required tools, CLIs, or environment expectations -->
+
+<!-- Example:
+- `gh` — GitHub CLI
+- `jq` — JSON processor
+
+> Both tools are preinstalled on GitHub-hosted Ubuntu runners.
+> If running in a container or on a self-hosted runner, they must be installed manually.
+-->
+
+## ⚙️ Inputs
+
+| Name         | Required | Description |
+| ------------ | -------- | ----------- |
+| `input-name` | ✅/❌    |             |
+| `input-name` | ✅/❌    |             |
+
+## 📤 Outputs
+
+| Name          | Description |
+| ------------- | ----------- |
+| `output-name` |             |
+| `output-name` |             |
+
+## 🚀 Usage
+
+Basic usage example:
+
+```yaml
+- name: Name for step
+  id: <step-id>
+  uses: ./.github/actions/<action-name>
+  with:
+    <input-name>: <value>
+```
+
+Example outputs:
+
+```yaml
+steps.<step-id>.outputs.<output-name>
+```
+
+Example usage of outputs in later steps:
+
+```yaml
+if: steps.<step-id>.outputs.<output-name> == '<expected-value>'
+run: echo "Condition met"
+```
+
+## 🧠 Notes
+
+<!-- Add internal details, design considerations, or behavior caveats -->
+
+## Versioning
+
+This action uses namespaced tags for versioning and is tracked in the CHANGELOG.
+
+```text
+action/<action-name>/vX.Y.Z
+```
+
+See the repository's versioning documentation for details on how tags are validated and created.

.github/renovate.json

@@ -2,4 +2,4 @@
   "dependencyDashboard": true,
   "dependencyDashboardApproval": true,
   "dependencyDashboardAutoclose": true
-}
+}

.github/workflows/README.md

@@ -0,0 +1,9 @@
+# GitHub Action Workflows
+
+## Naming Convention
+
+- **Reusable workflows** (those that expose `workflow_call`) are treated as **products** of this repo.  
+  Their filenames should describe what they do, e.g. `deploy_environment.yml`, `tf_apply.yml`.
+
+- **Internal workflows** (used only by this repository and never exposed via `workflow_call`)  
+  must be prefixed with: `internal_`

.github/workflows/internal_on_pr_validate_component_version.yml

@@ -0,0 +1,98 @@
+name: Validate PR Version Labels
+
+on:
+  pull_request:
+    branches: [main]
+    types:
+      - opened
+      - synchronize
+      - edited
+      - labeled # important to catch version label additions
+      - unlabeled
+      - reopened
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  validate-version-labels:
+    name: Validate PR Version Labels
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Get all labels from PR
+        id: get_labels
+        run: |
+          echo "## PR Labels" >> "$GITHUB_STEP_SUMMARY"
+
+          ## Newline separated list of all labels on the PR
+          all_labels=$(jq -r '.pull_request.labels[].name' < "$GITHUB_EVENT_PATH" 2>/dev/null || true)
+
+          if [ -z "$all_labels" ]; then
+            echo "- (none)" >> "$GITHUB_STEP_SUMMARY"
+            echo "::error title=No Labels::No Labels were found on this PR. A version label is required."
+            exit 1
+          else
+            while IFS= read -r lbl; do
+            [ -z "$lbl" ] && continue
+            echo "- \`$lbl\`" >> "$GITHUB_STEP_SUMMARY"
+            done <<< "$all_labels"
+          fi
+
+          echo "$all_labels" > all_labels.txt
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      - name: Label Validation
+        id: validate
+        run: node scripts/internal-ci/validate-version-labels.js all_labels.txt
+
+      - name: Validation Summary
+        if: ${{ always() }}
+        env:
+          NO_LABELS: ${{ steps.get_labels.outcome == 'failure' }}
+          IS_VALID: ${{ steps.validate.outputs.isValid }}
+          VALIDATION_MESSAGE: ${{ steps.validate.outputs.validationMessage }}
+          INVALID_VERSION_LABELS: ${{ steps.validate.outputs.invalidVersionLabels }}
+          HAS_UNTRACKED_VERSION: ${{ steps.validate.outputs.hasUntrackedVersion }}
+          COMPONENT_VERSION_LABELS: ${{ steps.validate.outputs.componentVersionLabels }}
+        run: |
+          echo "## Validation Outcome" >> "$GITHUB_STEP_SUMMARY"
+
+          if [ "${{ env.NO_LABELS }}" === "true" ]; then
+            echo "❌ No labels found on the PR. Add at least one version label." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+          if [ "${{ env.IS_VALID }}" === "false" ]; then
+            echo "❌ Version label validation failed." >> "$GITHUB_STEP_SUMMARY"
+            if [ -n "${{ env.VALIDATION_MESSAGE }}" ]; then
+              echo "${{ env.VALIDATION_MESSAGE }}" >> "$GITHUB_STEP_SUMMARY"
+            fi
+            if [ -n "${{ env.INVALID_VERSION_LABELS }}" ]; then
+              echo "Invalid version labels: ${{ env.INVALID_VERSION_LABELS }}" >> "$GITHUB_STEP_SUMMARY"
+            fi
+          else
+            echo "✅ Version label validation passed." >> "$GITHUB_STEP_SUMMARY"
+          fi
+          echo "**Untracked Version**: ${{ env.HAS_UNTRACKED_VERSION }}" >> "$GITHUB_STEP_SUMMARY"
+          if [ -n "${{ env.COMPONENT_VERSION_LABELS }}" ]; then
+            echo "**Component Versions**: ${{ env.COMPONENT_VERSION_LABELS }}" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      - name: Tags
+        env:
+          HAS_UNTRACKED_VERSION: ${{ steps.validate.outputs.hasUntrackedVersion }}
+        run: |
+          echo "## Tags" >> "$GITHUB_STEP_SUMMARY"
+          if [ "${{ env.HAS_UNTRACKED_VERSION }}" = "true" ]; then
+            echo "- No Tags will be created on main" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+          # TODO: Add more tag information here in the future

.github/workflows/internal_on_push_ci.yml

@@ -0,0 +1,52 @@
+name: Internal CI
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write # needed if reporter is github-pr-check or github-check
+
+jobs:
+  internal-ci:
+    name: Internal CI
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Dependency Audit
+        run: npm audit
+
+      - name: Test
+        run: npm test
+
+      - name: Lint Check
+        run: npm run lint:check
+
+      - name: Format Check
+        run: npm run format:check
+
+  semgrep:
+    uses: ./.github/workflows/run_semgrep_scan.yml
+    secrets: inherit
+    with:
+      commit_identifier: ${{ github.sha }}
+      cancel_in_progress: true
+      semgrep_config: 'p/default'
+      fail_severity: 'error'
+      scan_mode: 'diff'
+      pr_filter_mode: 'added'
+      pr_reporter: 'github-pr-review'