feat: dispatch-parity quality improvements

- Pin all GitHub Actions to full commit SHAs
- Add CODEOWNERS file
- Add Dependabot for go modules and github-actions
- Add concurrency control to CI/PR workflows
- Add CodeQL security scanning workflow
- Add govulncheck vulnerability scanning workflow
- Standardize golangci-lint config with 30+ linters
- Add dispatch-level linters (errname, exhaustive, forcetypeassert, etc.)
- Add gofumpt strict formatting checks
- Add deadcode detection
- Add cosign code signing to release workflow
- Add SBOM generation (SPDX + CycloneDX) to release workflow
- Add comprehensive README badges (CI, CodeQL, Go Report Card, etc.)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jongio

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default code owners for all files
+* @jongio

.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
 
 concurrency:
-  group: ci-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 defaults:
@@ -28,17 +28,17 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
           cache-dependency-path: cli/go.sum
 
       - name: Cache Go tools
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: ~/go/bin
           key: go-tools-${{ runner.os }}-${{ hashFiles('cli/go.sum') }}
@@ -53,7 +53,7 @@ jobs:
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '20'
 
@@ -91,10 +91,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
@@ -112,7 +112,7 @@ jobs:
 
       - name: Upload coverage to Codecov
         if: github.repository == 'jongio/azd-rest'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           file: coverage/coverage.out
           flags: unittests
@@ -140,10 +140,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
@@ -158,7 +158,7 @@ jobs:
           GOOS=darwin GOARCH=arm64 go build -o bin/darwin-arm64/rest ./src/cmd/rest
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: binaries
           path: cli/bin/

.github/workflows/codeql.yml

@@ -0,0 +1,57 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sundays at midnight UTC
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+        with:
+          go-version: '1.26.0'
+          cache: true
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@dd677812177e0c29f9c970a6c58d8607ae1bfefd # v4
+        with:
+          languages: go
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@dd677812177e0c29f9c970a6c58d8607ae1bfefd # v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@dd677812177e0c29f9c970a6c58d8607ae1bfefd # v4
+        continue-on-error: true
+        with:
+          upload: false
+
+      - name: Upload SARIF (if Code Scanning enabled)
+        uses: github/codeql-action/upload-sarif@dd677812177e0c29f9c970a6c58d8607ae1bfefd # v4
+        continue-on-error: true
+        with:
+          sarif_file: ../results

.github/workflows/govulncheck.yml

@@ -0,0 +1,37 @@
+name: Go Vulnerability Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sundays at midnight UTC
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    name: Run govulncheck
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+        with:
+          go-version: '1.26.0'
+          cache: true
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...

.github/workflows/pr-build.yml

@@ -17,6 +17,10 @@ on:
         required: false
         type: number
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   GO_VERSION: '1.26.1'
 
@@ -44,7 +48,7 @@ jobs:
     steps:
       - name: Check if build is allowed
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             let allowed = false;
@@ -149,7 +153,7 @@ jobs:
     steps:
       - name: Get PR details
         id: pr
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             let prNumber = '${{ needs.check-permission.outputs.pr_number }}';
@@ -183,12 +187,12 @@ jobs:
             core.setOutput('title', pr.data.title);
 
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ steps.pr.outputs.sha }}
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
@@ -309,7 +313,7 @@ jobs:
           EOF
 
       - name: Comment on PR
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const fs = require('fs');

.github/workflows/release.yml

@@ -30,17 +30,17 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
           cache-dependency-path: cli/go.sum
 
       - name: Cache Go tools
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: ~/go/bin
           key: go-tools-${{ runner.os }}-${{ hashFiles('cli/go.sum') }}
@@ -95,10 +95,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
@@ -116,7 +116,7 @@ jobs:
 
       - name: Upload coverage to Codecov
         if: github.repository == 'jongio/azd-rest'
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           file: coverage/coverage.out
           flags: unittests
@@ -125,21 +125,8 @@ jobs:
           fail_ci_if_error: false
           verbose: true
 
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    needs: [preflight, test]
-    timeout-minutes: 30
-    defaults:
-      run:
-        working-directory: cli
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
@@ -154,7 +141,7 @@ jobs:
           GOOS=darwin GOARCH=arm64 go build -o bin/darwin-arm64/rest ./src/cmd/rest
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: binaries
           path: cli/bin/
@@ -167,15 +154,16 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write  # Required for cosign OIDC signing
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '${{ env.GO_VERSION }}'
           cache: true
@@ -401,6 +389,54 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@3454372be43e8ddeec39df0f73bb47954da3a1f1 # v3
+
+      - name: Install syft
+        uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0
+
+      - name: Sign release artifacts with cosign
+        working-directory: cli
+        run: |
+          VERSION="${{ steps.version.outputs.next }}"
+          TAG_NAME="azd-ext-jongio-azd-rest_${VERSION}"
+          echo "Signing release artifacts for ${TAG_NAME}..."
+          
+          # Download release assets
+          gh release download "${TAG_NAME}" --dir /tmp/release-assets --repo "${{ github.repository }}" || true
+          
+          # Sign each artifact
+          if [ -d /tmp/release-assets ]; then
+            for file in /tmp/release-assets/*; do
+              if [ -f "$file" ]; then
+                echo "Signing $(basename $file)..."
+                cosign sign-blob --yes "$file" --output-signature "${file}.sig" --output-certificate "${file}.pem"
+              fi
+            done
+            
+            # Upload signatures and certificates to the release
+            gh release upload "${TAG_NAME}" /tmp/release-assets/*.sig /tmp/release-assets/*.pem --repo "${{ github.repository }}" || true
+            echo "✅ All artifacts signed with cosign (keyless/OIDC)"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate SBOM
+        working-directory: cli
+        run: |
+          VERSION="${{ steps.version.outputs.next }}"
+          TAG_NAME="azd-ext-jongio-azd-rest_${VERSION}"
+          echo "Generating SBOM for ${TAG_NAME}..."
+          
+          # Generate SBOM for the Go module
+          syft . -o spdx-json=/tmp/sbom-spdx.json -o cyclonedx-json=/tmp/sbom-cyclonedx.json
+          
+          # Upload SBOM to the release
+          gh release upload "${TAG_NAME}" /tmp/sbom-spdx.json /tmp/sbom-cyclonedx.json --repo "${{ github.repository }}" || true
+          echo "✅ SBOM generated and uploaded (SPDX + CycloneDX)"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Update registry
         working-directory: cli
         run: |