feat: adding code and setup repository workflows

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"

.github/workflows/bandit.yml

@@ -0,0 +1,68 @@
+name: Bandit
+
+on:
+  workflow_dispatch: { }
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  analyze:
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+    - name: Set up Python 3.9
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.9
+
+    - name: Install Bandit
+      shell: bash
+      run: pip install bandit[sarif]
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.RELEASE_TOKEN }}
+
+    - name: Run Bandit - Check for HIGH severity issues
+      id: high_severity_check
+      shell: bash
+      run: |
+        # Run bandit focusing on high severity issues and capture the exit code
+        bandit . -r -c ipas_default.config --severity-level high || echo "high_severity_issues=true" >> $GITHUB_OUTPUT
+
+        # Check the result directly from the metrics
+        if ! bandit . -r -f json | grep -q '"SEVERITY.HIGH": [1-9]'; then
+          echo "No HIGH severity issues found!"
+        else
+          echo "HIGH severity issues found! Workflow will fail after reporting."
+          echo "high_severity_issues=true" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Run Bandit - Generate full report
+      shell: bash
+      run: bandit . -c ipas_default.config -r -f sarif -o results.sarif || true
+
+    - name: Upload SARIF results
+      uses: actions/upload-artifact@v4
+      with:
+        name: bandit-results
+        path: results.sarif
+
+    - name: Upload SARIF to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif
+        category: bandit
+
+    - name: Fail workflow if HIGH severity issues were found
+      if: steps.high_severity_check.outputs.high_severity_issues == 'true'
+      shell: bash
+      run: |
+        echo "ERROR: HIGH severity security issues were found by Bandit."
+        echo "Review the security report and fix all HIGH severity issues before merging."
+        exit 1

.github/workflows/check-build.yml

@@ -0,0 +1,43 @@
+name: Check build
+
+on:
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+
+jobs:
+  build-test:
+    runs-on: 'ubuntu-latest'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set Up Python
+        uses: actions/setup-python@v4
+        with:
+          cache: 'pip'
+          cache-dependency-path: './docs/requirements.txt'
+          python-version: '3.12.10'
+
+      - name: Install Dependencies
+        shell: bash
+        run: |
+          pip install -r ./docs/requirements.txt
+          pip install --upgrade build
+
+      - name: Build
+        shell: python
+        run: |
+          import os
+          import subprocess
+
+          def build_wheel():
+              if not os.path.exists('dist'):
+                  os.makedirs('dist')
+              subprocess.check_call([ 'python', '-m', 'build', '--wheel' ])
+
+          build_wheel()
+

.github/workflows/semantic-release.yml

@@ -0,0 +1,50 @@
+name: semantic release
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
+
+      - name: Reset branch
+        run: |
+          git reset --hard ${{ github.sha }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12.10'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install setuptools wheel python-semantic-release build
+
+      - name: Release
+        run: |
+          # symbolic link to fix an error when running a build_command
+          sudo ln -s /home/runner/_work/_tool/Python/3.12.10/x64/lib/libpython3.12.so.1.0 /usr/lib/libpython3.12.so.1.0
+          semantic-release version
+          semantic-release publish

.gitignore

@@ -0,0 +1,22 @@
+.idea
+.vscode
+__pycache__
+build
+dist
+*.egg-info
+build
+docs/_build
+docs\_build
+
+# Common Python entries
+*.py[cod]
+*.so
+*.dylib
+*.egg
+*.egg-info
+.eggs
+*.log
+*.pot
+.venv/
+
+.DS_Store

CHANGELOG.md

@@ -0,0 +1 @@
+# CHANGELOG

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 ### License
 
-<PROJECT NAME> is licensed under the terms in [LICENSE]<link to license file in repo>. By contributing to the project, you agree to the license and copyright terms therein and release your contribution under these terms.
+Intel® Sphinx Theme is licensed under the terms in [LICENSE](https://github.com/intel/intel-sphinx-theme/blob/main/LICENSE.md). By contributing to the project, you agree to the license and copyright terms therein and release your contribution under these terms.
 
 ### Sign your work