Merge pull request #1 from kripa-sindhu-007/copilot/setup-ci-cd-pipeline

feat: Add CI/CD pipeline with PR validation, branch protection, and security controls

Author: kripa-sindhu-007

.github/CODEOWNERS

@@ -0,0 +1,18 @@
+# Default owner for all files
+* @kripa-sindhu-007
+
+# Package ownership
+/packages/404-ui/ @kripa-sindhu-007
+
+# Documentation ownership
+/apps/docs/ @kripa-sindhu-007
+*.md @kripa-sindhu-007
+
+# CI/CD and configuration ownership
+/.github/ @kripa-sindhu-007
+/*.json @kripa-sindhu-007
+/package.json @kripa-sindhu-007
+/tsconfig*.json @kripa-sindhu-007
+/turbo.json @kripa-sindhu-007
+*.yml @kripa-sindhu-007
+*.yaml @kripa-sindhu-007

.github/pull_request_template.md

@@ -0,0 +1,46 @@
+## Description
+
+<!-- Provide a clear and concise description of your changes -->
+
+## Type of Change
+
+<!-- Check all that apply -->
+
+- [ ] 🐛 Bug fix (non-breaking change which fixes an issue)
+- [ ] ✨ New feature (non-breaking change which adds functionality)
+- [ ] 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] 📝 Documentation update
+- [ ] 🎨 Style/formatting changes (no functional changes)
+- [ ] ♻️ Code refactoring (no functional changes)
+- [ ] ⚡ Performance improvement
+- [ ] ✅ Test updates
+- [ ] 🔧 Configuration/build changes
+
+## Checklist
+
+<!-- Check all that apply -->
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes
+- [ ] I have added a changeset (if applicable)
+
+## Changeset
+
+<!-- If your changes should trigger a release, run `pnpm changeset` and describe your changes -->
+<!-- The changeset file will be automatically detected by the PR validation workflow -->
+
+- [ ] I have added a changeset (required for package changes that should be released)
+- [ ] No changeset needed (docs-only, CI/CD, or other non-package changes)
+
+## Screenshots
+
+<!-- If applicable, add screenshots to help explain your changes -->
+
+## Additional Notes
+
+<!-- Add any other context about the pull request here -->

.github/workflows/ci.yml

@@ -3,8 +3,6 @@ name: CI
 on:
   push:
     branches: [main]
-  pull_request:
-    branches: [main]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/pr-validation.yml

@@ -0,0 +1,208 @@
+name: PR Validation
+
+on:
+  pull_request:
+    branches: [main]
+
+# Limit GITHUB_TOKEN permissions to read-only
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint (ESLint)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run ESLint
+        run: pnpm lint
+
+  prettier:
+    name: Format Check (Prettier)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Check formatting
+        run: pnpm format:check
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run TypeScript
+        run: pnpm typecheck
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build packages
+        run: pnpm build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          # Artifact paths match the monorepo structure: packages/*/dist and apps/docs/dist
+          path: |
+            packages/*/dist
+            apps/docs/dist
+          retention-days: 7
+
+  release-check:
+    name: Release Check (Dry Run)
+    runs-on: ubuntu-latest
+    outputs:
+      has-changeset: ${{ steps.check-changeset.outputs.has-changeset }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Check for changeset files
+        id: check-changeset
+        run: |
+          # Check if any changeset files were added or modified in this PR
+          # Compare against the base branch to find changed files
+          git fetch origin ${{ github.base_ref }}
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+          
+          # Check if any .md files in .changeset directory (excluding README.md specifically)
+          CHANGESET_FILES=$(echo "$CHANGED_FILES" | grep -E '^\.changeset/.*\.md$' | grep -v '^\.changeset/README\.md$' || true)
+          
+          if [ -n "$CHANGESET_FILES" ]; then
+            echo "has-changeset=true" >> $GITHUB_OUTPUT
+            echo "✅ Changeset file(s) found:"
+            echo "$CHANGESET_FILES"
+          else
+            echo "has-changeset=false" >> $GITHUB_OUTPUT
+            echo "ℹ️  No changeset files found in this PR"
+            echo "If this PR includes changes that should be released, please add a changeset:"
+            echo "   pnpm changeset"
+          fi
+
+      - name: Validate changeset format
+        if: steps.check-changeset.outputs.has-changeset == 'true'
+        run: |
+          echo "Validating changeset format..."
+          pnpm changeset status
+          echo "✅ Changeset validation passed! This PR will trigger a release."
+
+      - name: Skip validation
+        if: steps.check-changeset.outputs.has-changeset == 'false'
+        run: |
+          echo "ℹ️  Skipping changeset validation (no changesets in this PR)"
+          echo "This PR will not trigger a release."
+
+  pr-validation-complete:
+    name: PR Validation Complete
+    runs-on: ubuntu-latest
+    if: always()
+    needs: [lint, prettier, typecheck, build, release-check]
+    steps:
+      - name: Check job status
+        run: |
+          echo "Checking status of all required jobs..."
+          
+          # Check each job status
+          if [ "${{ needs.lint.result }}" != "success" ]; then
+            echo "❌ Lint job failed or was cancelled"
+            exit 1
+          fi
+          
+          if [ "${{ needs.prettier.result }}" != "success" ]; then
+            echo "❌ Prettier job failed or was cancelled"
+            exit 1
+          fi
+          
+          if [ "${{ needs.typecheck.result }}" != "success" ]; then
+            echo "❌ TypeCheck job failed or was cancelled"
+            exit 1
+          fi
+          
+          if [ "${{ needs.build.result }}" != "success" ]; then
+            echo "❌ Build job failed or was cancelled"
+            exit 1
+          fi
+          
+          if [ "${{ needs.release-check.result }}" != "success" ]; then
+            echo "❌ Release Check job failed or was cancelled"
+            exit 1
+          fi
+          
+          echo "✅ All validation checks passed successfully!"

docs/BRANCH_PROTECTION_SETUP.md

@@ -0,0 +1,92 @@
+# Branch Protection Setup Guide
+
+This guide explains how to set up branch protection rules for the main branch of your repository.
+
+## Prerequisites
+
+- Repository admin access
+- GitHub account with appropriate permissions
+
+## Setup Steps
+
+### 1. Navigate to Branch Protection Settings
+
+1. Go to your repository on GitHub
+2. Click on "Settings" tab
+3. Click on "Branches" in the left sidebar
+4. Under "Branch protection rules", click "Add rule"
+
+### 2. Configure Protection Rules
+
+#### Branch Name Pattern
+
+- Enter `main` as the branch name pattern
+
+#### Protection Settings
+
+Enable the following rules:
+
+- **Require a pull request before merging**
+  - Require approvals: 1
+  - Dismiss stale pull request approvals when new commits are pushed
+  - Require review from Code Owners (if applicable)
+- **Require status checks to pass before merging**
+  - Require branches to be up to date before merging
+  - Add status checks:
+    - CI tests
+    - Linting
+    - Build verification
+- **Require conversation resolution before merging**
+- **Require signed commits** (optional but recommended)
+- **Require linear history** (optional)
+- **Include administrators** (applies rules to admins too)
+
+### 3. Additional Recommended Settings
+
+- **Restrict who can push to matching branches**: Limit to specific users/teams
+- **Allow force pushes**: Disabled (recommended)
+- **Allow deletions**: Disabled (recommended)
+
+## Verification
+
+After setting up branch protection:
+
+1. Try to push directly to main (should be blocked)
+2. Create a PR and verify that checks run
+3. Verify that approval is required before merging
+
+## Common Issues
+
+### Issue: Can't push to main
+
+**Solution**: This is expected. Create a feature branch and submit a PR instead.
+
+### Issue: Status checks not appearing
+
+**Solution**: Ensure your CI/CD workflow is properly configured and has run at least once.
+
+### Issue: Need to bypass protection temporarily
+
+**Solution**: If you're an admin, you can temporarily disable protection rules, but this is not recommended.
+
+## Best Practices
+
+1. Always work on feature branches
+2. Keep pull requests small and focused
+3. Ensure all tests pass before requesting review
+4. Address review comments promptly
+5. Keep your branch up to date with main
+
+## Resources
+
+- [GitHub Branch Protection Documentation](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches)
+- [GitHub Flow Guide](https://guides.github.com/introduction/flow/)
+
+## Support
+
+If you encounter issues with branch protection setup, please:
+
+1. Check the GitHub documentation
+2. Review repository settings
+3. Contact your repository administrator
+4. Open an issue in the repository