feat: bootstrap reusable CI (Py/TS) with SBOM & signing hooks

Author: CoderDeltaLAN

.github/workflows/build.yml

@@ -0,0 +1,27 @@
+name: CI / build
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches: ["main"]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  python:
+    name: build (py)
+    if: ${{ !github.event.pull_request.draft }}
+    uses: ./.github/workflows/py-ci.yml
+    with:
+      python-versions: '["3.11","3.12"]'
+      cov-min: 100
+  node:
+    name: build (node)
+    if: ${{ !github.event.pull_request.draft }}
+    uses: ./.github/workflows/ts-ci.yml
+    with:
+      node-version: "20"

.github/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI / build
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install Poetry
+        run: pipx install poetry
+
+      - name: Install dependencies
+        run: poetry install
+
+      - name: Run linters & type checks
+        run: |
+          poetry run ruff check .
+          poetry run black . --check
+          poetry run mypy .
+
+      - name: Run tests
+        run: poetry run pytest -q

.github/workflows/codeql.yml

@@ -0,0 +1,29 @@
+name: CodeQL Analyze
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "23 5 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: codeql
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript", "python"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3

.github/workflows/py-ci.yml

@@ -0,0 +1,78 @@
+name: py-ci (reusable)
+on:
+  workflow_call:
+    inputs:
+      python-versions:
+        required: false
+        type: string
+        default: '["3.11","3.12"]'
+      cov-min:
+        required: false
+        type: number
+        default: 100
+    secrets:
+      COSIGN_KEY:
+        required: false
+      COSIGN_PASSWORD:
+        required: false
+
+jobs:
+  py:
+    name: Python ${{ matrix.py }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        py: ${{ fromJson(inputs.python-versions) }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.py }}
+          cache: poetry
+      - name: Install deps
+        run: |
+          python -m pip install -U pip
+          pip install poetry
+          poetry install --no-interaction
+      - name: Lint & Format
+        run: |
+          poetry run ruff check .
+          poetry run black --check .
+      - name: Type check
+        run: poetry run mypy src
+      - name: Tests + coverage
+        env:
+          PYTHONPATH: src
+        run: |
+          poetry run pytest -q --cov=src --cov-report=xml:coverage.xml --cov-fail-under=${{ inputs.cov-min }}
+      - name: SBOM (CycloneDX)
+        run: |
+          python -m pip install cyclonedx-bom || pip install cyclonedx-bom
+          cyclonedx-py -o sbom-python-${{ matrix.py }}.xml || cyclonedx-bom -o sbom-python-${{ matrix.py }}.xml || true
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: py-${{ matrix.py }}-artifacts
+          path: |
+            coverage.xml
+            sbom-python-${{ matrix.py }}.xml
+  sign:
+    if: ${{ always() && secrets.COSIGN_KEY != '' }}
+    needs: [py]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install cosign
+        run: |
+          COSIGN_VERSION="v2.4.0"
+          curl -sSfL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" -o cosign
+          chmod +x cosign
+      - name: Sign SBOMs (attestation)
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          for f in sbom-*.xml; do
+            [ -f "$f" ] && ./cosign sign-blob --key env://COSIGN_KEY "$f" || true
+          done

.github/workflows/ts-ci.yml

@@ -0,0 +1,65 @@
+name: ts-ci (reusable)
+on:
+  workflow_call:
+    inputs:
+      node-version:
+        required: false
+        type: string
+        default: "20"
+    secrets:
+      COSIGN_KEY:
+        required: false
+      COSIGN_PASSWORD:
+        required: false
+
+jobs:
+  ts:
+    name: Node ${{ inputs.node-version }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache: npm
+      - name: Install deps
+        run: npm ci
+      - name: Lint & Format
+        run: npx prettier --check . && npx eslint . --max-warnings=0
+      - name: Type check
+        run: |
+          if [ -f tsconfig.json ]; then npx tsc --noEmit; else echo "no tsconfig.json"; fi
+      - name: Tests + coverage
+        run: |
+          if npm run -s test --dry-run >/dev/null 2>&1; then
+            npm test -- --coverage --coverageReporters=text --coverageReporters=json-summary;
+          else
+            echo "no tests";
+          fi
+      - name: SBOM (CycloneDX)
+        run: |
+          npx @cyclonedx/cyclonedx-npm --output-file sbom-node.json || true
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: node-artifacts
+          path: |
+            coverage/coverage-summary.json
+            sbom-node.json
+  sign:
+    if: ${{ always() && secrets.COSIGN_KEY != '' }}
+    needs: [ts]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install cosign
+        run: |
+          COSIGN_VERSION="v2.4.0"
+          curl -sSfL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" -o cosign
+          chmod +x cosign
+      - name: Sign SBOM (attestation)
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          [ -f sbom-node.json ] && ./cosign sign-blob --key env://COSIGN_KEY sbom-node.json || true

.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.5.7
+    hooks:
+      - id: ruff
+      - id: ruff-format
+
+  - repo: https://github.com/psf/black
+    rev: 24.8.0
+    hooks:
+      - id: black
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.11.1
+    hooks:
+      - id: mypy

.prettierignore

@@ -0,0 +1,8 @@
+node_modules/
+.venv/
+dist/
+coverage/
+_ci_logs/
+.mypy_cache/
+.pytest_cache/
+sbom-*.json

README.md

@@ -0,0 +1,9 @@
+# ci-matrix-starter
+
+Reusable GitHub Actions workflows for Python and TypeScript:
+
+- Lint/Format/Types/Tests
+- SBOM (CycloneDX)
+- Optional cosign signing
+
+Jobs are exposed via `workflow_call` so downstream repos can consume them.

_ci_logs/preflight-ok.txt

@@ -0,0 +1,3 @@
+# Preflight ci-matrix-starter 2025-09-14T20:41:16Z
+Node: prettier+eslint+tsc+tests ✅
+Python: ruff+black+pytest(100%)+mypy ✅

eslint.config.mjs

@@ -0,0 +1,23 @@
+import js from "@eslint/js";
+import tseslint from "typescript-eslint";
+
+export default [
+  {
+    ignores: [
+      "node_modules/**",
+      "dist/**",
+      ".venv/**",
+      "coverage/**",
+      "_ci_logs/**",
+      "**/*.mjs",
+    ],
+  },
+  js.configs.recommended,
+  ...tseslint.configs.recommended,
+  {
+    files: ["src/**/*.ts"],
+    ...tseslint.configs.recommendedTypeChecked[0],
+    languageOptions: { parserOptions: { project: "./tsconfig.json" } },
+    rules: {},
+  },
+];