Skip to content

CI/CD

Two GitHub Actions workflows live in .github/workflows/.

CI (ci.yml)

Runs on every pull request and on every push to main.

yaml
on:
  pull_request:
  push:
    branches: [main]

Steps, in order:

  1. Checkout
  2. Set up Node 22 with npm cache
  3. npm ci
  4. npm run typecheck
  5. npm run lint
  6. npm test -- --ci --coverage
  7. Upload the coverage report as an artifact

A PR is not mergeable unless all three checks (typecheck, lint, test+coverage) pass. The coverage thresholds are enforced here, so adding untested logic to the domain fails the build.

Release (release.yml)

Runs on every push to main and drives release-please. It needs permission to open PRs, which is configured at the repo level:

Settings -> Actions -> General -> Workflow permissions -> "Allow GitHub Actions to create and approve pull requests".

yaml
permissions:
  contents: write
  pull-requests: write

Security note on workflows

Neither workflow interpolates untrusted event input (issue titles, PR bodies, commit messages) into run: steps, which is the common GitHub Actions injection vector. If you add steps that use such input, pass it through env: with quoting rather than inlining a GitHub expression directly in a shell command.

Local pre-flight

To reproduce CI before pushing:

bash
npm run typecheck && npm run lint && npm run test:ci

Spend together, settle simply.