repo-template

Template for NodeOps Go and Node (TS / Next) projects. Strip what you don't need; everything is wired but each language path is independently toggleable.

What's included

Concern	Tool / file	Go	TS
Dependency updates	.github/dependabot.yml	gomod	npm
GH Actions updates	.github/dependabot.yml	yes	yes
Lint	.golangci.yml / .oxlintrc.json	golangci-lint	oxlint
Format	(golangci-lint integrates gofmt) / oxfmt	yes	yes
Vuln scan	govulncheck	yes	—
SAST	gosec	yes	—
Tests	go test / bun test	yes	yes
Build smoke	go build -o /tmp/... / bun build	yes	yes
Tidy	go mod tidy check	yes	—
Pre-commit	.pre-commit-config.yaml	yes	yes
Docker image	Dockerfile + docker-build-go.yml	yes	— (add later)
AI PR review	oc-pr-review.yml (comment /oc)	yes	yes
Dependabot AI triage	oc-dependabot.yml	yes	yes
Path auto-label	auto-label.yml + labeler.yml	yes	yes
Auto-merge	auto-merge.yml (label: automerge)	yes	yes
Code ownership	.github/CODEOWNERS	yes	yes
Least-privilege CI	per-workflow permissions:	yes	yes

How to adopt this template

1. gh repo create <name> --template NodeOps-app/repo-template

2. Pick your language path; delete or comment out the other:

   Go-only project — remove:

   • .github/workflows/ci-ts.yml
   • package.json, tsconfig.json, .oxlintrc.json, bun.lock
   • TS hooks in .pre-commit-config.yaml
   • npm ecosystem block in .github/dependabot.yml
   • *.ts/*.js lines in .github/CODEOWNERS

   TS-only project — remove:

   • .github/workflows/ci-go.yml
   • .github/workflows/docker-build-go.yml (or rewrite for Node)
   • Dockerfile (Go-flavoured), .golangci.yml, go.mod, go.sum
   • Go hooks in .pre-commit-config.yaml
   • gomod ecosystem block in .github/dependabot.yml
   • *.go/*.mod lines in .github/CODEOWNERS

3. Update .github/CODEOWNERS with real reviewers for your scope.

4. Update package.json name / go.mod module path.

5. Wire repo secrets used by oc-* workflows: OPENROUTER_API_KEY.

6. Optional: turn on branch protection requiring ci-go or ci-ts checks.

Local setup

asdf install                # picks Go / Bun / golangci-lint versions
pre-commit install          # enables hook on commit

CI design notes

• Least privilege: every workflow declares permissions: at top with contents: read and elevates only where needed (e.g. pull-requests: write for the labeler).
• Concurrency: PR workflows cancel in-progress runs on the same ref.
• Runner: defaults to arc-runner-set (NodeOps self-hosted). Swap to ubuntu-latest for OSS.
• Caching: asdf + go build / golangci-lint / bun caches keyed by lockfile hashes.

AI review (opencode)

• Comment /oc or /opencode on any PR → AI review run.
• Dependabot PRs auto-classified into SAFE (enables --auto --squash) / NEEDS_REVIEW / UNSAFE buckets.
• Backed by anomalyco/opencode/github.

Auto-merge

• Dependabot PRs in SAFE bucket are auto-merged by oc-dependabot.yml after CI passes.
• Human PRs: add label automerge → auto-merge.yml enables GitHub native auto-merge once required checks + reviews pass.

CODEOWNERS

Default reviewer routing:

Path	Owners
ci/dockerfiles/github actions	@ashwaq06 @pratikbin
*.go, *.mod	@bhautikchudasama @vaibhav @mukund
*.ts, *.js	@jdchudasasma @starc007
*.py	@rahil