ci: modernize GitHub Actions (concurrency, permissions, matrix, caching, dispatch)\n\n- Update CI to matrix Node 18/20/22, add concurrency and least-privilege permissions\n- Add workflow_dispatch and paths-ignore, type-check step\n- Modernize Release workflow, add dispatch input, concurrency\n- Add Dependabot config for npm and GitHub Actions

Author: gcodeprabhu

.github/dependabot.yml

@@ -1,4 +1,22 @@
 version: 2
+updates:
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: 'deps'
+      include: 'scope'
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: 'ci'
+      include: 'scope'
+version: 2
 updates:
   - package-ecosystem: 'npm'
     directory: '/'

.github/workflows/ci.yml

@@ -1,21 +1,57 @@
 name: CI
 on:
   pull_request:
+    branches: [master, main]
+    paths-ignore:
+      - 'README.md'
+      - 'readme-assets/**'
+      - '.github/ISSUE_TEMPLATE/**'
+      - '.github/PULL_REQUEST_TEMPLATE.md'
   push:
     branches: [master, main]
+    paths-ignore:
+      - 'README.md'
+      - 'readme-assets/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  ci:
+  build-and-check:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [18, 20, 22]
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
         with:
           version: 9
-      - uses: actions/setup-node@v4
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: ${{ matrix.node-version }}
           cache: pnpm
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm lint:js
-      - run: pnpm build
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint (JS only)
+        run: pnpm lint:js
+
+      - name: Type check
+        run: pnpm type-check
+
+      - name: Build library
+        run: pnpm build
 

.github/workflows/release.yml

@@ -2,26 +2,48 @@ name: Release
 on:
   push:
     branches: [master, main]
+  workflow_dispatch:
+    inputs:
+      publish:
+        description: 'Publish to npm (yes/no)'
+        required: false
+        default: 'yes'
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+  packages: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   release:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      id-token: write
-      packages: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
         with:
           version: 9
-      - uses: actions/setup-node@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
         with:
           node-version: 20
           cache: pnpm
           registry-url: https://registry.npmjs.org
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm build
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build library
+        run: pnpm build
+
       - name: Create version PR or publish
         uses: changesets/action@v1
         with: