fix: audit remediation — P0 correctness/security fixes + P1 product hardening #179
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CI gate for every push and PR: the Node 20/22 test matrix (matches the ">=20" engines | |
| # field; 18 is EOL) plus the shared quality gate (Biome, typecheck, ShellCheck, zero-dep | |
| # assertion, version-drift, docs-drift, pack). The quality gate is the SAME reusable workflow | |
| # the version bump and release require, so none of the three can drift from the others. | |
| name: CI | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| test: | |
| name: Test (Node ${{ matrix.node }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| node: [20, 22] | |
| steps: | |
| - uses: actions/checkout@v7 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| cache: npm | |
| - run: npm ci | |
| - run: npm test | |
| quality-gate: | |
| name: Quality gate | |
| uses: ./.github/workflows/reusable-quality-gate.yml | |
| dependency-review: | |
| name: Dependency review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - uses: actions/checkout@v7 | |
| # Advisory: needs the repo's Dependency graph enabled (Settings → Security & analysis). | |
| # continue-on-error keeps the CHECK green until then — this project has zero runtime deps. | |
| - uses: actions/dependency-review-action@v5 | |
| continue-on-error: true |