Rewrite CI/CD pipeline #931

Merged
gearnode merged 3 commits into main from test-runs-on
Apr 6, 2026

@gearnode gearnode commented Mar 25, 2026

Summary by cubic

Rewrite CI/CD to use ephemeral GitHub-hosted runners with S3-backed cache and replace GoReleaser with first‑party GitHub Actions. Builds and releases are faster, signed, and automated across Docker, Homebrew, and npm.

  • Refactors
    • Standardize runs-on=${{ github.run_id }}/runner=.../extras=s3-cache via runs-on/action@v2, pin actions by SHA, and tighten permissions across CI, CodeQL, secrets scan, and release; add ./.github/actions/setup for Go 1.26.1 and Node from .nvmrc with caching.
    • Snapshot CI: build frontend once, matrix Go binaries for linux/darwin/windows/freebsd/openbsd (amd64/arm64), per‑arch Docker builds with Buildx; Trivy scans with cached DB; SBOM + vuln scan via anchore/*.
    • Build/lint/test: placeholder frontend for non‑app jobs; parallel go generate and binary builds; split lint-go/lint-js; faster e2e with Docker image caching and parallel stack-up; coverage via go tool cover.
    • Release: remove GoReleaser; build and archive probod, probod-bootstrap, and prb; push per‑arch images, create and cosign a multi‑arch manifest; sign checksums.txt; generate notes with gh; publish GitHub Release, Homebrew formula for prb from release checksums, and @probo/n8n-nodes-probo to npm with SBOM/provenance attestations.
    • Cleanups: delete .goreleaser.yaml, drop old Make targets, add MAKEFLAGS for parallelism, and use actions/upload-artifact@v7/actions/download-artifact@v8.

Written for commit acf5913. Summary will update on new commits.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@gearnode gearnode force-pushed the test-runs-on branch 2 times, most recently from d9da117 to 0396ee1 Compare April 3, 2026 17:37
@gearnode gearnode changed the title from "Test it!" to "Rewrite CI/CD pipeline" Apr 3, 2026
@gearnode gearnode marked this pull request as ready for review April 3, 2026 17:38

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/make.yaml">

<violation number="1" location=".github/workflows/make.yaml:216">
P1: Background process failures are silently ignored because `wait` with no arguments always returns 0. If any `go generate` command fails, the step will still succeed and subsequent `go build` steps will compile against missing/stale generated code.

Capture each PID and wait on them individually, or use `wait -n` in a loop, to propagate failures.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread .github/workflows/make.yaml Outdated
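
The failure mode described in the review above, as an added example that is not code from this pull request: the hypothetical helpers `run_parallel_unchecked` and `run_parallel_checked` run their arguments as background jobs, and the constructed command `exit 3` stands in for a failing `go generate`.

```sh
#!/bin/sh
# Added illustration: each argument is a command run as a background job.
# The commands passed in below are constructed stand-ins for `go generate`.

# Pattern flagged in the review: a bare `wait` discards job exit statuses.
run_parallel_unchecked() {
  for cmd in "$@"; do
    sh -c "$cmd" &
  done
  wait    # no operands: status is 0 once all jobs have ended
}

# Suggested fix: remember each PID and wait on it individually.
run_parallel_checked() {
  pids=""
  for cmd in "$@"; do
    sh -c "$cmd" &
    pids="$pids $!"
  done
  rc=0
  for pid in $pids; do
    # `wait PID` returns that job's exit status, so failures surface here.
    wait "$pid" || { echo "background job $pid failed" >&2; rc=1; }
  done
  return "$rc"
}

run_parallel_unchecked 'exit 3' 'true'
echo "bare wait status: $?"
run_parallel_checked 'exit 3' 'true' || echo "per-PID wait: failure propagated"
```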
@gearnode gearnode force-pushed the test-runs-on branch 4 times, most recently from 4c43623 to d81559b Compare April 3, 2026 18:08
Signed-off-by: Bryan Frimin <bryan@getprobo.com>
gearnode added 2 commits April 4, 2026 14:00
Signed-off-by: Bryan Frimin <bryan@getprobo.com>
Signed-off-by: Bryan Frimin <bryan@getprobo.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/codeql.yml">

<violation number="1">
P2: Pin GitHub Actions by commit SHA instead of mutable tags in this CodeQL workflow.</violation>

<violation number="2">
P1: Using `autobuild` for Go drops required codegen/embed preparation, which can break or reduce CodeQL analysis for Go.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
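
One way to check the SHA-pinning point from the review above before merge, as an added example that is not part of this pull request: the hypothetical function `find_unpinned_actions` reads workflow YAML on stdin, and `sample_workflow` is a constructed excerpt that reuses the action references quoted on this page.

```sh
#!/bin/sh
# Added illustration: list `uses:` references not pinned to a full commit SHA.

# Constructed workflow excerpt; the action references are quoted on this page.
sample_workflow() {
  cat <<'EOF'
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/checkout@v6
      - uses: ./.github/actions/setup
EOF
}

# Reads workflow YAML on stdin, prints each unpinned reference,
# and returns 1 if at least one was found.
find_unpinned_actions() {
  found=0
  while IFS= read -r line; do
    # Extract the reference after `uses:`, dropping any trailing comment.
    ref=$(printf '%s\n' "$line" |
      sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    case "$ref" in
      ''|./*|docker://*) continue ;;   # not a step, local action, or image
    esac
    # A pinned reference ends in @ followed by 40 lowercase hex characters.
    if ! printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}$'; then
      printf '%s\n' "$ref"
      found=1
    fi
  done
  return "$found"
}

sample_workflow | find_unpinned_actions || echo "unpinned actions found" >&2
```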

@@ -90,4 +90,4 @@ jobs:
- name: Perform CodeQL Analysis

@cubic-dev-ai cubic-dev-ai Bot Apr 4, 2026

P1: Using autobuild for Go drops required codegen/embed preparation, which can break or reduce CodeQL analysis for Go.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/codeql.yml, line 38:

<comment>Using `autobuild` for Go drops required codegen/embed preparation, which can break or reduce CodeQL analysis for Go.</comment>

<file context>
@@ -31,7 +35,7 @@ jobs:
             build-mode: none
           - language: go
-            build-mode: manual
+            build-mode: autobuild
           - language: javascript-typescript
             build-mode: none
</file context>
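Review bot: On the `language: go` matrix entry, `build-mode: autobuild` leaves the Go build to CodeQL's own detection, so if the Go packages depend on generated or embedded files nothing in this hunk guarantees they exist before extraction. Keep `build-mode: manual` with explicit generate and build steps between init and analyze, or confirm from the analysis logs that autobuild still extracts every Go package.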

@@ -90,4 +90,4 @@ jobs:
- name: Perform CodeQL Analysis

@cubic-dev-ai cubic-dev-ai Bot Apr 4, 2026

P2: Pin GitHub Actions by commit SHA instead of mutable tags in this CodeQL workflow.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/codeql.yml, line 51:

<comment>Pin GitHub Actions by commit SHA instead of mutable tags in this CodeQL workflow.</comment>

<file context>
@@ -44,42 +48,46 @@ jobs:
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v6
         with:
           submodules: recursive
</file context>
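Review bot: In the Checkout repository step, `uses: actions/checkout@v6` replaces a full commit SHA with a mutable tag, so the code this job executes can change without any diff in this repository. Restore `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`, which also matches the SHA pinning described in the PR summary.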

@gearnode gearnode merged commit acf5913 into main Apr 6, 2026
18 checks passed
@gearnode gearnode deleted the test-runs-on branch April 6, 2026 07:54