chore: add GitHub Actions workflows for build, CI, publish, and security checks

TypeError86 · TypeError86 · commit a8b9ad900d5d · 2025-12-09T21:23:47.000+01:00
diff --git a/.github/workflows/build-check.yml b/.github/workflows/build-check.yml
@@ -0,0 +1,52 @@
+name: Build Check
+
+on:
+    pull_request:
+        branches: [main, master]
+
+jobs:
+    build:
+        name: Verify Build
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: '20.x'
+                  cache: 'npm'
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Build package
+              run: npm run build
+
+            - name: Verify build output
+              run: |
+                  if [ ! -d "dist" ]; then
+                    echo "Error: dist directory not found"
+                    exit 1
+                  fi
+                  if [ ! -f "dist/index.js" ]; then
+                    echo "Error: dist/index.js not found"
+                    exit 1
+                  fi
+                  if [ ! -f "dist/index.d.ts" ]; then
+                    echo "Error: dist/index.d.ts not found"
+                    exit 1
+                  fi
+                  echo "Build output verified successfully"
+
+            - name: Check bundle size
+              run: |
+                  SIZE=$(du -sh dist | cut -f1)
+                  echo "Build size: $SIZE"
+                  # Fail if build is suspiciously large (>50MB)
+                  SIZE_BYTES=$(du -sb dist | cut -f1)
+                  if [ $SIZE_BYTES -gt 52428800 ]; then
+                    echo "Warning: Build size exceeds 50MB"
+                  fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,73 @@
+name: CI
+
+on:
+    push:
+        branches: [main, master]
+    pull_request:
+        branches: [main, master]
+
+jobs:
+    test:
+        name: Test & Lint
+        runs-on: ubuntu-latest
+
+        strategy:
+            matrix:
+                node-version: [18.x, 20.x, 22.x]
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js ${{ matrix.node-version }}
+              uses: actions/setup-node@v4
+              with:
+                  node-version: ${{ matrix.node-version }}
+                  cache: 'npm'
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Run linter
+              run: npm run lint
+
+            - name: Check formatting
+              run: npm run prettier:check
+
+            - name: Build
+              run: npm run build
+
+            - name: Run tests
+              run: npm test
+
+            - name: Generate coverage
+              if: matrix.node-version == '20.x'
+              run: npm run test:coverage
+
+            - name: Upload coverage reports
+              if: matrix.node-version == '20.x'
+              uses: codecov/codecov-action@v4
+              with:
+                  files: ./coverage/coverage-final.json
+                  fail_ci_if_error: false
+                  token: ${{ secrets.CODECOV_TOKEN }}
+
+    type-check:
+        name: Type Check
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: '20.x'
+                  cache: 'npm'
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Type check
+              run: npx tsc --noEmit
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,77 @@
+name: Publish to npm
+
+on:
+    release:
+        types: [published]
+    workflow_dispatch:
+        inputs:
+            version:
+                description: 'Version to publish (e.g., 1.0.0)'
+                required: true
+                type: string
+
+jobs:
+    publish:
+        name: Publish Package
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+            id-token: write
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: '20.x'
+                  registry-url: 'https://registry.npmjs.org'
+                  cache: 'npm'
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Run tests
+              run: npm test
+
+            - name: Build
+              run: npm run build
+
+            - name: Verify package
+              run: npm pack --dry-run
+
+            - name: Extract version from release
+              if: github.event_name == 'release'
+              id: version
+              run: |
+                  VERSION=${GITHUB_REF#refs/tags/v}
+                  VERSION=${VERSION#refs/tags/}
+                  echo "version=$VERSION" >> $GITHUB_OUTPUT
+                  echo "Publishing version: $VERSION"
+
+            - name: Verify version matches package.json
+              if: github.event_name == 'release'
+              run: |
+                  PACKAGE_VERSION=$(node -p "require('./package.json').version")
+                  RELEASE_VERSION="${{ steps.version.outputs.version }}"
+                  if [ "$PACKAGE_VERSION" != "$RELEASE_VERSION" ]; then
+                    echo "Error: package.json version ($PACKAGE_VERSION) doesn't match release tag ($RELEASE_VERSION)"
+                    exit 1
+                  fi
+                  echo "Version verified: $PACKAGE_VERSION"
+
+            - name: Update package.json version (manual)
+              if: github.event_name == 'workflow_dispatch'
+              run: |
+                  npm version "${{ github.event.inputs.version }}" --no-git-tag-version
+                  echo "Updated package.json to version ${{ github.event.inputs.version }}"
+
+            - name: Publish to npm
+              uses: JS-DevTools/npm-publish@v3
+              with:
+                  token: ${{ secrets.NPM_TOKEN }}
+                  registry: https://registry.npmjs.org
+                  access: public
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,50 @@
+name: Security
+
+on:
+    push:
+        branches: [main, master]
+    pull_request:
+        branches: [main, master]
+    schedule:
+        # Run weekly on Monday at 00:00 UTC
+        - cron: '0 0 * * 1'
+
+jobs:
+    audit:
+        name: Security Audit
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: '20.x'
+                  cache: 'npm'
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Run npm audit
+              run: npm audit --audit-level=moderate
+              continue-on-error: true
+
+            - name: Check for known vulnerabilities
+              run: npm audit --audit-level=high
+              continue-on-error: true
+
+    dependency-review:
+        name: Dependency Review
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Dependency Review
+              uses: actions/dependency-review-action@v4
+              with:
+                  fail-on-severity: moderate
