Skip to content

fix: audit remediation — P0 correctness/security fixes + P1 product hardening #179

fix: audit remediation — P0 correctness/security fixes + P1 product hardening

fix: audit remediation — P0 correctness/security fixes + P1 product hardening #179

Workflow file for this run

# CI gate for every push and PR: the Node 20/22 test matrix (matches the ">=20" engines
# field; 18 is EOL) plus the shared quality gate (Biome, typecheck, ShellCheck, zero-dep
# assertion, version-drift, docs-drift, pack). The quality gate is the SAME reusable workflow
# the version bump and release require, so none of the three can drift from the others.
name: CI
on:
push:
branches: [main, master]
pull_request:
permissions:
contents: read
jobs:
test:
name: Test (Node ${{ matrix.node }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
node: [20, 22]
steps:
- uses: actions/checkout@v7
- uses: actions/setup-node@v6
with:
node-version: ${{ matrix.node }}
cache: npm
- run: npm ci
- run: npm test
quality-gate:
name: Quality gate
uses: ./.github/workflows/reusable-quality-gate.yml
dependency-review:
name: Dependency review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v7
# Advisory: needs the repo's Dependency graph enabled (Settings → Security & analysis).
# continue-on-error keeps the CHECK green until then — this project has zero runtime deps.
- uses: actions/dependency-review-action@v5
continue-on-error: true