From 6e893177afcdad5612c84e029b053fc22aad2d11 Mon Sep 17 00:00:00 2001
From: execaman <151807496+execaman@users.noreply.github.com>
Date: Tue, 26 May 2026 12:36:03 +0530
Subject: [PATCH] ci: add codeql and update actions
---
.github/workflows/codeql.yml | 33 +++++++++++++++++++++++++++++
.github/workflows/coverage.yml | 30 +++++++++++++++++++++-----
.github/workflows/documentation.yml | 6 +++---
.github/workflows/publication.yml | 2 +-
4 files changed, 62 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..865d073
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,33 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "30 19 * * 2"
+
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ pull-requests: write
+ security-events: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: javascript-typescript
+ build-mode: none
+ source-root: ./src
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:javascript-typescript"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 6e95629..6179326 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
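Review bot: `pull-requests: write` in the `analyze` job's `permissions` block is not used by any of the three steps in codeql.yml; result upload relies on `security-events: write`, so the line can be dropped to keep the job token least-privileged. The `uses:` references here (`actions/checkout@v6`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) are pinned to mutable major tags, and the same holds for the bumped actions in the coverage, documentation and publication workflows. In jobs that hold write scopes, pinning to a full commit SHA with the tag as a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v6`, prevents a moved tag from changing what runs. `source-root: ./src` appears to limit the scan to that directory, so a comment such as `# scripts and workflows outside ./src are intentionally not analysed` would make the coverage gap explicit.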
@@ -2,19 +2,39 @@ name: Coverage on: push: - branches: - - main + branches: [main] pull_request: + branches: [main] concurrency: group: coverage-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Setup Node + uses: actions/setup-node@v6 + with: + cache: npm + node-version: lts/* + + - name: Install dependencies + run: npm ci + + - name: Run lint + run: npm run lint + report: + needs: lint runs-on: ubuntu-latest - permissions: - contents: read steps: - name: Checkout uses: actions/checkout@v6 @@ -29,7 +49,7 @@ jobs: run: npm ci - name: Run tests - run: npm test + run: npm run test - name: Upload results to Codecov uses: codecov/codecov-action@v5 diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index cfff29f..e48dad4 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -39,10 +39,10 @@ jobs: run: npm run docs:build - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@v6 - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@v5 with: path: ./docs/dist @@ -55,4 +55,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@v5 diff --git a/.github/workflows/publication.yml b/.github/workflows/publication.yml index 42ae066..48ef2a9 100644 --- a/.github/workflows/publication.yml +++ b/.github/workflows/publication.yml @@ -17,7 +17,7 @@ jobs: issues: write pull-requests: write steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@v5 id: release with: release-type: node
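Review bot: The new `lint` job in coverage.yml runs `npm ci` and `npm run lint` against pull-request code after a default `actions/checkout@v6`, so dependency install scripts and lint tooling execute with the checkout credentials still present on the runner. Adding `with:` / `persist-credentials: false` to that checkout step, and using `run: npm ci --ignore-scripts` if no dependency needs its install script for linting, narrows what a malicious or compromised package can reach. `node-version: lts/*` also floats between runs; a short comment saying that this is deliberate would help whoever later has to reproduce a failure. The `report` job's remaining steps lie outside this hunk.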