CI/CD
Two GitHub Actions workflows live in .github/workflows/.
CI (ci.yml)
Runs on every pull request and on every push to main.
on:
pull_request:
push:
branches: [main]Steps, in order:
- Checkout
- Set up Node 22 with npm cache
npm cinpm run typechecknpm run lintnpm test -- --ci --coverage- Upload the coverage report as an artifact
A PR is not mergeable unless all three checks (typecheck, lint, test+coverage) pass. The coverage thresholds are enforced here, so adding untested logic to the domain fails the build.
Release (release.yml)
Runs on every push to main and drives release-please. It needs permission to open PRs, which is configured at the repo level:
Settings -> Actions -> General -> Workflow permissions -> "Allow GitHub Actions to create and approve pull requests".
permissions:
contents: write
pull-requests: writeSecurity note on workflows
Neither workflow interpolates untrusted event input (issue titles, PR bodies, commit messages) into run: steps, which is the common GitHub Actions injection vector. If you add steps that use such input, pass it through env: with quoting rather than inlining a GitHub expression directly in a shell command.
Local pre-flight
To reproduce CI before pushing:
npm run typecheck && npm run lint && npm run test:ci