feat: add some actions (#1)

.github/workflows/build-lint-test.yaml

@@ -6,9 +6,9 @@ on:
   workflow_call:
     inputs:
       node-version:
-        description: 'Node.js version'
+        description: "Node.js version"
         required: true
-        default: 'lts/*'
+        default: "lts/*"
         type: string
 
 permissions:

.github/workflows/codeql.yaml

@@ -0,0 +1,39 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: CodeQL
+
+on:
+  workflow_call:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  main:
+    name: CodeQL Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["TypeScript", "JavaScript"]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: ⤵️ Checkout repository
+        uses: actions/checkout@v4
+
+      - name: 🏗 Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Details on CodeQL's query packs refer to https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      - name: 🏗 Auto build
+        uses: github/codeql-action/autobuild@v3
+
+      - name: 🚀 Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

.github/workflows/dependency-review.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Dependency Review
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⤵️ Checkout repository
+        uses: actions/checkout@v4
+
+      - name: 🚀 Dependency Review
+        uses: actions/dependency-review-action@v4

.github/workflows/publish-npm.yml

@@ -0,0 +1,74 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish NPM
+
+on:
+  workflow_call:
+    inputs:
+      node-version:
+        description: "Node.js version"
+        required: true
+        default: "lts/*"
+        type: string
+    secrets:
+      NPM_TOKEN:
+        required: true
+        description: "NPM token"
+
+env:
+  NODE_VERSION: lts/*
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  main:
+    if: github.repository_owner == 'the-nexim'
+
+    name: Publish NPM
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v4
+
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.NODE_VERSION }}
+
+      - name: 🛠️ Setup Node.js Corepack
+        run: corepack enable
+
+      - name: 📦 Get Yarn Config
+        id: yarn_config
+        run: echo "cache_folder=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+      - name: 🗄️ Cache Layer
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.yarn_config.outputs.cache_folder }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+
+      - name: 📥 Install Dependencies
+        run: yarn install --immutable
+
+      - name: 🏗️ Build
+        run: yarn build
+        env:
+          WIREIT_LOGGER: metrics
+
+      - name: 🧹 Run ESLint
+        run: yarn lint
+        env:
+          WIREIT_LOGGER: metrics
+
+      - name: 🚀 Publish
+        run: yarn run publish -- --yes
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true
+          WIREIT_LOGGER: metrics

.github/workflows/release.yaml

@@ -0,0 +1,98 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Build & Lint & Test & Release
+
+on:
+  workflow_call:
+    inputs:
+      NODE_VERSION:
+        description: "Node.js version"
+        required: true
+        default: "lts/*"
+        type: string
+    secrets:
+      GPG_KEY_ID:
+        required: true
+        description: "GPG key ID"
+      BOT_TOKEN:
+        required: true
+        description: "Nexim Bot token"
+      GPG_PRIVATE_KEY:
+        required: true
+        description: "GPG private key"
+
+permissions:
+  contents: write
+
+jobs:
+  main:
+    name: Build & Lint & Test & Release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⤵️ Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.BOT_TOKEN }}
+
+      - name: 🙂‍↔️ Import GPG key
+        run: |
+          echo "${{ env.GPG_PRIVATE_KEY }}" | gpg --batch --import
+          echo -e "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key ${{ secrets.GPG_KEY_ID }} trust quit
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY}}
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+
+      - name: 🫡 Setup Git
+        run: |
+          git config --global user.name "Nexim Bot"
+          git config --global user.email "bot@thenexim.com"
+          git config --global user.signingkey ${{ secrets.GPG_KEY_ID }}
+          git config --global commit.gpgsign true
+        env:
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.NODE_VERSION }}
+
+      - name: 🛠️ Setup Node.js Corepack
+        run: corepack enable
+
+      - name: 📦 Get Yarn Config
+        id: yarn_config
+        run: echo "cache_folder=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+      - name: 🗄️ Cache Layer
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.yarn_config.outputs.cache_folder }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+
+      - name: 📥 Install Dependencies
+        run: yarn install --immutable
+
+      - name: 🏗️ Build
+        run: yarn build
+        env:
+          WIREIT_LOGGER: metrics
+
+      - name: 🧹 Run ESLint
+        run: yarn lint
+        env:
+          WIREIT_LOGGER: metrics
+
+      - name: 🧪 Run Tests
+        run: yarn test
+        env:
+          WIREIT_LOGGER: metrics
+
+      - name: 🤖 Get Release
+        run: yarn lerna version --yes
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+          WIREIT_LOGGER: metrics

.github/workflows/sync-labels.yml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Sync labels
+
+on:
+  workflow_call:
+    secrets:
+      GITHUB_TOKEN:
+        description: "GitHub token"
+        required: true
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  main:
+    name: Sync labels
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: ⤵️ Check out code from GitHub
+        uses: actions/checkout@v4
+
+      - name: 🚀 Run Label Syncer
+        uses: micnncim/action-label-syncer@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}