From 613558ef671f11e2e60d26967f50397133b4ad1e Mon Sep 17 00:00:00 2001 From: Nigel Bazzeghin Date: Wed, 11 Feb 2026 20:37:04 -0600 Subject: [PATCH 1/2] chore: add CodeQL workflow, PR template, and Dependabot version updates --- .github/dependabot.yml | 24 ++++++++++++++++++++++++ .github/pull_request_template.md | 17 +++++++++++++++++ .github/workflows/codeql.yml | 30 ++++++++++++++++++++++++++++++ 3 files changed, 71 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/codeql.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f7b45e5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,24 @@ +version: 2 +updates: + - package-ecosystem: npm + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 10 + labels: + - dependencies + commit-message: + prefix: "chore(deps):" + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + open-pull-requests-limit: 5 + labels: + - dependencies + - ci + commit-message: + prefix: "ci(deps):" diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..4922314 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,17 @@ +## Summary + +Brief description of the changes. + +## Changes + +- + +## Testing + +- [ ] `bun run build` passes +- [ ] `bun test` passes +- [ ] Manual testing done (if applicable) + +## Notes + +Any additional context or trade-offs worth mentioning. diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..d87734d --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,30 @@ +name: CodeQL + +on: + pull_request: + push: + branches: + - main + schedule: + - cron: '0 6 * * 1' + +jobs: + analyze: + name: Analyze TypeScript + runs-on: ubuntu-latest + + permissions: + security-events: write + contents: read + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: javascript-typescript + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 3cf04a797756774e95bb6a84080c91e241944884 Mon Sep 17 00:00:00 2001 From: Nigel Bazzeghin Date: Wed, 11 Feb 2026 20:42:36 -0600 Subject: [PATCH 2/2] docs: add CI workflows and branch/merge rules to AGENTS.md --- AGENTS.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/AGENTS.md b/AGENTS.md index 2916995..e000468 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -42,6 +42,21 @@ If tests fail, identify whether failures are pre-existing vs introduced by your - Use the **Nuclear Cleanup** sequence before and after manual testing to avoid leftover tmux sessions, worktrees, branches, and state files. - Follow plan safety rules exactly: `tmc-` test naming, no remote push flows during testing (`mc_pr` is structural only), and explicit SHA-based resets. +## CI & GitHub Workflows + +- **CI** (`.github/workflows/ci.yml`) — Runs `bun run build` and `bun test` on PRs and pushes to `main`. +- **Conventional Commits** (`.github/workflows/conventional-commits.yml`) — Validates PR titles follow the convention. +- **CodeQL** (`.github/workflows/codeql.yml`) — Static analysis for TypeScript; runs on PRs, pushes to `main`, and weekly. +- **Publish** (`.github/workflows/publish.yml`) — semantic-release to npm on `main`. +- **Dependabot** (`.github/dependabot.yml`) — Opens weekly PRs for npm and GitHub Actions dependency updates. These use `chore(deps):` and `ci(deps):` commit prefixes. + +## Branch & Merge Rules + +- Direct pushes to `main` are blocked; all changes go through PRs. +- Merge commits are disabled — only **squash** and **rebase** merges are allowed. +- PRs require 1 approving review, passing `build-and-test` and `conventional-commits` checks, and all conversations resolved. +- A PR template (`.github/pull_request_template.md`) is provided — fill it out when opening PRs. + ## Release Notes for Agents - npm package output is `dist/` only (`package.json -> files`).
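Review bot: The two `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` references in the codeql.yml hunk are pinned to mutable major-version tags rather than full commit SHAs; since this series also adds a `github-actions` Dependabot ecosystem, SHA pinning (with the version in a trailing comment so Dependabot can still bump it) costs nothing in maintenance and removes the tag-retargeting risk. Separately, the `permissions` block grants only `security-events: write` and `contents: read`; if this repository is or ever becomes private, the CodeQL action also needs `actions: read` to report workflow run status, so either add it now or note the omission.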
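Review bot: In the dependabot.yml hunk, the npm entry sets `open-pull-requests-limit: 10` with a weekly schedule and no `groups` section, so every minor and patch bump will arrive as a separate PR; a `groups` block (for example one group for devDependencies and one for production dependencies) would keep the review load down without weakening coverage. Worth stating in the commit message or AGENTS.md that this file configures version updates only; Dependabot security updates are a separate repository setting and are not enabled by this file.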
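Review bot: The "Testing" checklist in the pull_request_template.md hunk mirrors the CI checks but has no item covering dependency or security impact, which is the one thing the new CodeQL and Dependabot tooling is meant to surface; consider adding a line such as "- [ ] No new dependencies, or new dependencies reviewed" and "- [ ] CodeQL reports no new alerts" so the template reinforces the workflows introduced in the same series.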
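Review bot: The AGENTS.md hunk documents `ci.yml`, `conventional-commits.yml` and `publish.yml`, but this series only adds `codeql.yml`; please confirm those three files already exist on `main`, otherwise the doc points agents at workflows that are not there. In the "Branch & Merge Rules" list, the required checks are given as `build-and-test` and `conventional-commits` only, so a failing CodeQL run will not block a merge; if that is intentional, say so explicitly, and if not, add the CodeQL check to the required set and to this line so the doc and the branch protection agree.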