feat: add kiro-cli agents and experts

Author: jordan-a-young

.github/workflows/codeql-analysis.yml

@@ -9,14 +9,14 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [master]
   schedule:
     - cron: '23 22 * * 6'
 
@@ -32,40 +32,40 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
+        language: ['javascript']
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
         # Learn more:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+      #- run: |
+      #   make bootstrap
+      #   make release
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5

.github/workflows/commitlint.yml

@@ -8,22 +8,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
-          cache: "yarn"
-          cache-dependency-path: "yarn.lock"
+          cache: 'yarn'
+          cache-dependency-path: 'yarn.lock'
 
       - name: Install Dependencies
         run: yarn install --immutable
 
       - name: Lint Commit Message
-        uses: wagoid/commitlint-github-action@v5
+        uses: wagoid/commitlint-github-action@9763196e10f27aef304c9b8b660d31d97fce0f99 # v5.5.1
         env:
           NODE_PATH: ${{ github.workspace }}/node_modules
         with:

.github/workflows/deploy.yml

@@ -9,28 +9,29 @@ on:
 
 jobs:
   setup:
-    if: "!contains(github.event.head_commit.message, 'skip ci')"
+    if: "${{!contains(github.event.head_commit.message, 'skip ci') && !contains(github.event.head_commit.message, 'Release: Version Updates')}}"
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
-          token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 0
-          ref: "master"
+          ref: 'master'
 
       - name: Derive appropriate SHAs for base and head for `nx affected` commands
-        uses: nrwl/nx-set-shas@v3
+        uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3
         with:
-          main-branch-name: "master"
+          main-branch-name: 'master'
 
       - name: Set Node Version
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
-          cache: "yarn"
-          cache-dependency-path: "yarn.lock"
+          cache: 'yarn'
+          cache-dependency-path: 'yarn.lock'
 
       # - name: Get yarn cache directory path
       #   id: yarn-cache-dir-path
@@ -58,50 +59,40 @@ jobs:
       - name: Unit Tests
         run: yarn test:ci
 
-      - name: Upload coverage report
-        uses: codecov/codecov-action@v3
-        with:
-          file: ./coverage/coverage-final.json
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       - name: Build Packages
         run: yarn build
 
-  release:
+  publish:
+    if: "${{!contains(github.event.head_commit.message, 'skip ci') && !contains(github.event.head_commit.message, 'Release: Version Updates')}}"
     needs: [setup]
     runs-on: ubuntu-latest
+    outputs:
+      has_changes: ${{ steps.changes.outputs.has_changes }}
+    permissions:
+      contents: write # Required for git push and creating tags
+      pull-requests: write # Required for creating pull requests
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
-          token: ${{ secrets.BOT_TOKEN }}
           fetch-depth: 0
-          ref: "master"
+          ref: 'master'
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Derive appropriate SHAs for base and head for `nx affected` commands
-        uses: nrwl/nx-set-shas@v3
+        uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3
         with:
-          main-branch-name: "master"
+          main-branch-name: 'master'
 
       - name: Set Node Version
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
-          cache: "yarn"
-          cache-dependency-path: "yarn.lock"
+          cache: 'yarn'
+          cache-dependency-path: 'yarn.lock'
 
-      # - name: Get yarn cache directory path
-      #   id: yarn-cache-dir-path
-      #   run: |
-      #     echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
-
-      # - name: Restore yarn cache
-      #   uses: actions/cache@v3
-      #   id: yarn-cache
-      #   with:
-      #     path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-      #     key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
-      #     restore-keys: |
-      #       ${{ runner.os }}-yarn-
+      - name: Install latest npm
+        run: npm install -g npm@latest
 
       - name: Install Dependencies
         run: yarn install --immutable
@@ -111,26 +102,81 @@ jobs:
 
       - name: Setup Publish Config
         run: |
-          yarn config set npmAuthToken "${{ secrets.NPM_TOKEN }}"
-          git config --global user.email ${{ secrets.GH_EMAIL }}
-          git config --global user.name ${{ secrets.GH_USER }}
+          git config user.email ${{ secrets.GH_EMAIL }}
+          git config user.name ${{ secrets.GH_USER }}
 
-      # TODO: ngx-deploy-npm? Or continue to leverage nx + yarn npm publish command?
-      - name: Publish
+      - name: Store initial commit SHA
+        id: initial-sha
+        run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Version Packages
         run: |
           yarn nx affected --target version --parallel=1
+
+      - name: Check for Version Changes
+        id: changes
+        run: |
+          INITIAL_SHA="${{ steps.initial-sha.outputs.sha }}"
+          CURRENT_SHA=$(git rev-parse HEAD)
+          if [ "$INITIAL_SHA" = "$CURRENT_SHA" ]; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            echo "No new commits created by version step"
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+            echo "New commits created by version step"
+          fi
+
+      - name: Publish
+        if: steps.changes.outputs.has_changes == 'true'
+        run: |
           yarn nx affected --target publish --parallel=1
-          git push && git push --tags
+
+      - name: Create Release PR
+        if: steps.changes.outputs.has_changes == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "Creating PR because changes detected: ${{ steps.changes.outputs.has_changes }}"
+          git push origin --delete release/version-updates || true
+          git checkout -b release/version-updates
+          git push origin release/version-updates
+          git push origin --tags
+          gh pr create --title "Release: Version Updates" --body "Automated release PR with version updates and package publications." --base master --head release/version-updates
+
+  deploy-docs:
+    if: "${{!contains(github.event.head_commit.message, 'skip ci') && !contains(github.event.head_commit.message, 'Release: Version Updates')}}"
+    needs: [publish]
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          fetch-depth: 0
+          ref: 'master'
+
+      - name: Set Node Version
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 22
+          cache: 'yarn'
+          cache-dependency-path: 'yarn.lock'
+
+      - name: Install Dependencies
+        run: yarn install --immutable
 
       - name: Build Docs
         run: yarn build:docs
 
-      - name: Deploy Docs
-        uses: crazy-max/ghaction-github-pages@v3
+      - name: Upload Pages Artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
-          target_branch: gh-pages
-          build_dir: docusaurus/build
-          commit_message: deployed docs [skip ci]
-          committer: ${{ secrets.GH_USER }} ${{ secrets.GH_EMAIL }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+          path: docusaurus/build
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

.github/workflows/pr-build.yml

@@ -17,21 +17,21 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
 
       - name: Derive appropriate SHAs for base and head for `nx affected` commands
-        uses: nrwl/nx-set-shas@v3
+        uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4.3.3
         with:
-          main-branch-name: "master"
+          main-branch-name: 'master'
 
       - name: Set Node Version
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node }}
-          cache: "yarn"
-          cache-dependency-path: "yarn.lock"
+          cache: 'yarn'
+          cache-dependency-path: 'yarn.lock'
 
       # - name: Get yarn cache directory path
       #   id: yarn-cache-dir-path
@@ -61,16 +61,9 @@ jobs:
       - name: Publish Dry Run
         run: yarn publish:dry-run
 
-      - name: Upload coverage report
-        if: ${{ github.actor != 'dependabot[bot]' }}
-        uses: codecov/codecov-action@v3
-        with:
-          file: ./coverage/coverage-final.json
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       - name: Build Packages
         run: yarn build:packages
 
       - name: Build Docs
-        if: ${{matrix.node > 20}}
+        if: ${{ matrix.node == 22 }}
         run: yarn build:docs