From 41ec5622ee2216c718b15690edf7b9216687bea9 Mon Sep 17 00:00:00 2001
From: Dan Chao
Date: Mon, 8 Jun 2026 15:51:35 -0700
Subject: [PATCH] Set up CodeQL and Dependabot
---
 .github/PklProject | 2 +-
 .github/dependabot.yml | 10 ++++++++++
 .github/index.pkl | 31 +++++++++++++++++++++++++++++++
 .github/workflows/codeql.yml | 17 +++++++++++++++++
 4 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/.github/PklProject b/.github/PklProject
index a156cf8..278cc17 100644
--- a/.github/PklProject
+++ b/.github/PklProject
@@ -21,6 +21,6 @@ dependencies { uri = "package://pkg.pkl-lang.org/pkl-project-commons/pkl.impl.ghactions@1.8.0" } ["com.github.actions"] { - uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.3.0" + uri = "package://pkg.pkl-lang.org/pkl-pantry/com.github.actions@1.6.0" } }
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index acca6fc..3052742 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,15 @@ version: 2 updates: +- package-ecosystem: gomod + cooldown: + default-days: 7 + exclude: + - github.com/apple/pkl-go + directories: + - /helm + - /prometheus + schedule: + interval: weekly - package-ecosystem: github-actions cooldown: default-days: 7
diff --git a/.github/index.pkl b/.github/index.pkl
index 653262b..412cf32 100644
--- a/.github/index.pkl
+++ b/.github/index.pkl
@@ -170,3 +170,34 @@ release = (build) { } } } + +dependabot { + updates { + new { + `package-ecosystem` = "gomod" + cooldown { + `default-days` = 7 + exclude { + "github.com/apple/pkl-go" + } + } + schedule { + interval = "weekly" + } + directories { + for (reader in readers) { + "/" + reader.directory + } + } + } + } +} + +codeql { + scans { + new { + language = "go" + buildMode = "autobuild" + } + } +}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5c29d52..fcae8b1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
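Review bot: The new gomod entry in dependabot.yml exempts `github.com/apple/pkl-go` from the 7-day cooldown without recording why, and the identical entry in the `.github/index.pkl` hunk of this commit is the better place for that rationale if the YAML is rendered from it, as the matching `directories`/`readers` content suggests. A one-line comment above the `exclude` block in index.pkl, e.g. `// pkl-go skips the cooldown because <reason — confirm>`, would tell the next maintainer whether the exemption is deliberate or a leftover. It is also worth noting in index.pkl that `directories` is derived from `readers`, since the rendered YAML hardcodes `/helm` and `/prometheus` and will go stale if a reader is added without regenerating; dependabot.yml itself opens at `version: 2` with no generated-file marker, so a header such as `# Generated from .github/index.pkl — do not edit by hand` (if the renderer supports comments) would prevent hand edits being overwritten.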
@@ -26,3 +26,20 @@ jobs: uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: category: /language:actions + analyze-go: + name: Analyze (go) + permissions: + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 + with: + languages: go + build-mode: autobuild + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 + with: + category: /language:go
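Review bot: The `analyze-go` job uses `build-mode: autobuild`, but this same commit's Dependabot entry lists the Go modules under `/helm` and `/prometheus` rather than at the repository root, so it is worth confirming that autobuild actually locates and builds both modules; a Go scan that extracts nothing can still finish green, so check the analysis log for the number of extracted files on the first run. If autobuild does not pick them up, `build-mode: none` (which needs no build for Go) or explicit build steps with `working-directory` per module are the alternatives, and the `buildMode = "autobuild"` value in the index.pkl hunk would need the same change. The job-level `permissions` block grants only `security-events: write`; the CodeQL action documentation also recommends `contents: read` (and `actions: read` for private repositories), so if the existing `analyze` job outside this hunk uses the same block it presumably works today, but that is worth a check rather than an assumption.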