From ff7d38c29cfcfabc2fc4bfd71d06416406151782 Mon Sep 17 00:00:00 2001 From: Lisa Date: Tue, 10 Mar 2026 02:03:34 +0100 Subject: [PATCH 1/3] feat(ci): add Codecov, CodeQL, changelog enforcement, bench gating - Upload coverage to Codecov from Node 22 test run - Add CodeQL workflow for static security analysis (weekly + PR) - Validate CHANGELOG.md entry exists before publishing a release - Gate bench job on test passing; include bench in publish dependencies --- .github/workflows/ci.yml | 17 ++++++++++++++++- .github/workflows/codeql.yml | 25 +++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0513a16..1b999d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -50,9 +50,16 @@ jobs: else npm run test:coverage fi + - name: Upload coverage + if: matrix.node-version == 22 + uses: codecov/codecov-action@v5 + with: + token: ${{ secrets.CODECOV_TOKEN }} + fail_ci_if_error: false - run: npx tsc --noEmit bench: + needs: [test] runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -76,7 +83,7 @@ jobs: run: npm run test:e2e publish: - needs: [audit, lint, test, e2e] + needs: [audit, lint, test, bench, e2e] if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest permissions: @@ -100,6 +107,14 @@ jobs: exit 1 fi + - name: Validate changelog entry + run: | + TAG_VERSION="${GITHUB_REF_NAME#v}" + if ! grep -q "## \[${TAG_VERSION}\]" CHANGELOG.md; then + echo "::error::No CHANGELOG.md entry found for version ${TAG_VERSION}" + exit 1 + fi + - run: npm publish --provenance --access public env: NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..c023939 --- /dev/null +++ b/.github/workflows/codeql.yml 
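Review bot: The new `Upload coverage` step hands `secrets.CODECOV_TOKEN` to a third-party action referenced only by the floating tag `codecov/codecov-action@v5`, so anyone who can move that tag upstream gets the token on the next run. Pin it (and, for consistency, the other `uses:` references in this file such as `actions/checkout@v6`) to a full commit SHA with the version kept in a trailing comment, e.g. `uses: codecov/codecov-action@<40-hex-commit-sha> # v5`; Dependabot's `github-actions` ecosystem keeps such pins current. `fail_ci_if_error: false` also means a broken upload is never surfaced — reasonable for fork PRs where the secret is unavailable, but worth a one-line comment saying that is the reason. The `test` job this step belongs to starts above the hunk.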
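Review bot: The changelog guard `grep -q "## \[${TAG_VERSION}\]" CHANGELOG.md` treats the version as a basic regular expression, so each `.` matches any character and a release `1.2.3` would be satisfied by a heading such as `## [1x2y3]`; use a fixed-string match instead, `grep -qF "## [${TAG_VERSION}]" CHANGELOG.md` (with `-F` the brackets need no escaping). Stripping `v` from `GITHUB_REF_NAME` is only correct because the job's `if:` restricts it to `refs/tags/v*`; a short comment above the step recording that dependency would help whoever next edits the trigger. The enclosing `publish` job starts outside this hunk.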
@@ -0,0 +1,25 @@ +name: CodeQL + +on: + push: + branches: [main, develop] + pull_request: + branches: [main, develop] + schedule: + - cron: '0 6 * * 1' + +jobs: + analyze: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - uses: actions/checkout@v6 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: javascript-typescript + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 1bfa680c7f1aa0709ad65bf8903ae4f2cb63cf0e Mon Sep 17 00:00:00 2001 From: Lisa Date: Tue, 10 Mar 2026 02:24:42 +0100 Subject: [PATCH 2/3] feat(ci): harden permissions, add concurrency, dependency review, PR coverage - Set top-level permissions to read-only, grant per-job as needed - Add concurrency group to cancel in-progress runs on new pushes - Add dependency-review-action on PRs (fail on high severity) - Add vitest-coverage-report-action for PR coverage comments - Fix CodeQL permissions (add actions: read, contents: read) --- .github/workflows/ci.yml | 22 ++++++++++++++++++++++ .github/workflows/codeql.yml | 2 ++ 2 files changed, 24 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1b999d0..e96c347 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,7 +7,26 @@ on: pull_request: branches: [main, develop] +permissions: + contents: read + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true + jobs: + dependency-review: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@v6 + - uses: actions/dependency-review-action@v4 + with: + fail-on-severity: high + audit: runs-on: ubuntu-latest steps: 
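Review bot: `github/codeql-action/analyze@v3` uploads SARIF to code scanning but does not by itself fail the pull request, so the `pull_request` trigger here blocks nothing until the `CodeQL` job is made a required status check (or code scanning's branch-protection "fail on alerts" rule is enabled) in the repository settings — state that in a comment above `on:` so nobody assumes this workflow gates merges. Consider adding `queries: security-extended` under the `init` step's `with:` to include the lower-precision security queries, and, as with the other actions in this series, pin both `github/codeql-action` references to a commit SHA rather than the mutable `v3` tag.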
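Review bot: The `dependency-review` job grants `pull-requests: write`, yet with only `fail-on-severity: high` configured the action, as far as its documented defaults go, posts no PR comment (that needs `comment-summary-in-pr`), so under this patch's least-privilege intent the line should be dropped so the job inherits the top-level `contents: read`, or `comment-summary-in-pr: on-failure` should be set if the comment is actually wanted. Separately, `cancel-in-progress: true` keyed on `ci-${{ github.ref }}` also covers the tag pushes that run `publish`; a re-pushed tag could cancel a release run mid-way, so consider `cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}`. The `on:` block this hunk starts in begins above the hunk.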
@@ -56,6 +75,9 @@ jobs: with: token: ${{ secrets.CODECOV_TOKEN }} fail_ci_if_error: false + - name: Coverage report on PR + if: matrix.node-version == 22 && github.event_name == 'pull_request' + uses: davelosert/vitest-coverage-report-action@v2 - run: npx tsc --noEmit bench: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c023939..65b9645 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -12,6 +12,8 @@ jobs: analyze: runs-on: ubuntu-latest permissions: + actions: read + contents: read security-events: write steps: - uses: actions/checkout@v6 From 57a4806d8b7b5ae555e0675509cc196b36354f12 Mon Sep 17 00:00:00 2001 From: Lisa Date: Tue, 10 Mar 2026 02:35:33 +0100 Subject: [PATCH 3/3] feat(ci): switch to npm OIDC trusted publishing, drop NODE_AUTH_TOKEN npm now authenticates via OpenID Connect using the id-token: write permission already set on the publish job. No long-lived token needed. --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e96c347..30eef4f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -138,8 +138,6 @@ jobs: fi - run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} - name: Extract release notes id: release_notes
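Review bot: `davelosert/vitest-coverage-report-action@v2` writes a comment on the pull request, which requires `pull-requests: write` on `GITHUB_TOKEN`; after this patch's top-level `permissions: contents: read`, the `test` job (whose header is above the hunk) has no such grant, so I would expect this step to fail on every PR unless the action tolerates the 403. Give `test` an explicit `permissions:` block with `contents: read` and `pull-requests: write`, keep the `github.event_name == 'pull_request'` gate as written (fork PRs get a read-only token regardless), and pin the action to a commit SHA now that it runs with a write-capable token. The step also passes no `with:`, so it presumably relies on the action's default `coverage/coverage-summary.json` input, which means the preceding `npm run test:coverage` must emit the `json-summary` reporter — a one-line comment recording that coupling would save a confused future run.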
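Review bot: Removing the `env:` lines is only half of the migration: the long-lived token stored as the `NODE_AUTH_TOKEN` secret stays valid on the npm side, so revoke it at npmjs.com and delete the repository secret, otherwise a standing publish credential the workflow no longer needs is left in place. Trusted publishing also depends on things this diff cannot show — a trusted publisher configured for the package that names this repository and the workflow file `ci.yml` (renaming the file breaks publishing), and an npm CLI new enough to support it (I believe npm 11.5.1 or later, which is newer than the npm bundled with Node 22), so the `publish` job likely needs an `npm install -g npm@latest` step before `npm publish --provenance --access public`. A comment above the `run:` line recording both requirements would be worth adding; the `publish` job starts outside this hunk.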