chore: add issue templates for bug reports and feature requests, enhance PR template, and implement security policy

Author: LabEG

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,59 @@
+---
+name: Bug Report
+about: Create a report to help us improve
+title: '[BUG] '
+labels: bug
+assignees: ''
+
+---
+
+## Description
+
+A clear and concise description of the bug.
+
+## Steps to Reproduce
+
+1. Install `@mts-pjsc/image-optimize` library version X.X.X
+2. Use the Image component in your React app
+3. Observe the behavior
+4. See error
+
+## Expected Behavior
+
+What you expected to happen.
+
+## Actual Behavior
+
+What actually happened.
+
+## Code Sample
+
+```typescript
+// Example code that demonstrates the issue
+import { Image } from "@mts-pjsc/image-optimize";
+
+<Image src="/path/to/image.jpg" alt="Example" />
+```
+
+## Configuration
+
+```json
+// Environment variables or configuration
+```
+
+## Environment
+
+- **@mts-pjsc/image-optimize version**: [e.g., 1.3.9]
+- **React version**: [e.g., 18.2.0]
+- **Node.js version**: [e.g., 20.10.0]
+- **Browser**: [e.g., Chrome 120, Firefox 121, Safari 17]
+- **Operating System**: [e.g., Windows 11, macOS 14, Ubuntu 22.04]
+- **Build tool**: [e.g., Webpack 5, Vite 5, Next.js 14]
+
+## Additional Context
+
+Add any other context, screenshots, or error messages here.
+
+## Possible Solution
+
+If you have ideas on how to fix this, please share them.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,65 @@
+---
+name: Feature Request
+about: Suggest an idea for this project
+title: '[FEATURE] '
+labels: enhancement
+assignees: ''
+
+---
+
+## Feature Description
+
+A clear and concise description of the feature you'd like to see.
+
+## Problem Statement
+
+What problem would this feature solve? Is your feature request related to a problem?
+
+**Example:** "I'm frustrated when [...]"
+
+## Proposed Solution
+
+Describe the solution you'd like to see implemented.
+
+## Alternatives Considered
+
+Describe any alternative solutions or features you've considered.
+
+## Use Cases
+
+Provide specific examples of how this feature would be used:
+
+1. Use case 1...
+2. Use case 2...
+
+## Code Examples
+
+If applicable, provide example code showing how you envision using this feature:
+
+```typescript
+// Example usage
+import { Image } from "@mts-pjsc/image-optimize";
+
+<Image
+  src="/path/to/image.jpg"
+  alt="Example"
+  optimize={true}
+  formats={['webp', 'avif']}
+/>
+```
+
+## Impact
+
+- **Who benefits**: [developers, teams, specific use cases]
+- **Breaking changes**: [yes/no - explain if yes]
+- **Backward compatibility**: [maintained/affected]
+
+## Additional Context
+
+Add any other context, screenshots, or examples about the feature request here.
+
+## Willingness to Contribute
+
+- [ ] I'm willing to submit a PR to implement this feature
+- [ ] I can help with testing
+- [ ] I can help with documentation

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,74 @@
+## Description
+
+<!-- Provide a brief description of your changes -->
+
+## Related Issue
+
+<!-- Link to the issue this PR addresses -->
+Closes #
+
+## Type of Change
+
+<!-- Check all that apply -->
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Code refactoring
+- [ ] Dependency update
+
+## Changes Made
+
+<!-- List the main changes in this PR -->
+
+-
+-
+-
+
+## Testing
+
+<!-- Describe the tests you ran -->
+
+- [ ] I have run `npm test` and all tests pass
+- [ ] I have tested the changes manually
+- [ ] I have added/updated tests for my changes
+
+## Code Quality
+
+- [ ] My code follows the code style of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] My changes generate no new warnings
+- [ ] No console.log or debugging code left in
+
+## Documentation
+
+- [ ] I have updated the README.md (if applicable)
+- [ ] I have updated the CHANGELOG.md (if applicable)
+- [ ] I have added/updated code comments
+
+## Breaking Changes
+
+<!-- If this is a breaking change, describe what breaks and migration path -->
+
+N/A
+
+## Screenshots / Examples
+
+<!-- If applicable, add screenshots or code examples -->
+
+```javascript
+// Example code showing the changes
+```
+
+## Checklist
+
+- [ ] This PR has a descriptive title
+- [ ] All commits follow [Conventional Commits](https://www.conventionalcommits.org/)
+- [ ] I have read the [CONTRIBUTING](../CONTRIBUTING.md) guide
+- [ ] This PR is ready for review
+
+## Additional Notes
+
+<!-- Any additional information or context -->

.github/dependabot.yml

@@ -0,0 +1,49 @@
+version: 2
+updates:
+  # NPM dependencies
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    open-pull-requests-limit: 1
+    groups:
+      all-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      eslint-plugins:
+        patterns:
+          - "eslint*"
+          - "@typescript-eslint/*"
+          - "@stylistic/*"
+      development-dependencies:
+        dependency-type: "development"
+        exclude-patterns:
+          - "eslint*"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
+    assignees:
+      - "LabEG"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "dependencies"
+    assignees:
+      - "LabEG"

.github/workflows/codeql.yml

@@ -0,0 +1,43 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 4'  # Каждый четверг в 00:00
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze Code
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript-typescript' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,42 @@
+name: Dependabot Auto-merge
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  enable-auto-merge:
+    runs-on: ubuntu-latest
+    # Срабатывает ТОЛЬКО для Dependabot PR
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Wait for test completion
+        uses: lewagon/wait-on-check-action@v1.4.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          check-name: 'test'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 10
+
+      - name: Approve PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Merge PR
+        run: gh pr merge --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/npm-publish.yml

@@ -1,4 +1,4 @@
-name: Docker
+name: NPM Publish
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -8,15 +8,18 @@ name: Docker
 on:
   push:
     branches: [ main ]
+  schedule:
+    - cron: '0 12 8-14 1,5,9 4'  # Thursday of 2nd week, 3 times a year (Jan, May, Sep) at 12:00 UTC
   workflow_dispatch:
 
+permissions:
+  contents: write
+  id-token: write  # Required for npm provenance
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: write
-
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -27,12 +30,22 @@ jobs:
           node-version: 24
           registry-url: https://registry.npmjs.org/
 
-      - run: git config --global user.email "elabutin@mts.ru"
-      - run: git config --global user.name "Eugene Labutin"
-      - run: npm ci
-      - run: npm run build
-      - run: npm run release
-      - run: git push && git push --tags
-      - run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      - name: Configure Git
+        run: |
+          git config --global user.email "elabutin@mts.ru"
+          git config --global user.name "Eugene Labutin"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build package
+        run: npm run build
+
+      - name: Create release
+        run: npm run release
+
+      - name: Push changes and tags
+        run: git push && git push --tags
+
+      - name: Publish to NPM
+        run: npm publish --provenance --access public