self hosted

deps(deps): bump github/codeql-action in the github-actions group

Bumps the github-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3 to 4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/labels.yml

@@ -0,0 +1,60 @@
+- name: 'feature'
+  color: 0E8A16
+  description: 'Represents all feature requests and new feature implementations. (Replaces feature-request and new-feature)'
+- name: 'bug'
+  color: D93F0B
+  description: 'Something is not working as expected.'
+- name: 'breaking-change'
+  color: B60205
+  description: 'A change that changes the API or breaks backward compatibility for users.'
+- name: 'security'
+  color: B80808
+  description: 'Addressing a vulnerability or security risk in this project.'
+- name: 'documentation'
+  color: 0052CC
+  description: 'Solely about the documentation of the project.'
+- name: 'refactor'
+  color: 1D76DB
+  description: 'Updating the code with simpler, easier to understand or more efficient syntax or methods.'
+- name: 'ci'
+  color: 1D76DB
+  description: 'Work that improves the continuous integration.'
+- name: 'dependencies'
+  color: 1D76DB
+  description: 'Change in project dependencies.'
+- name: 'in-progress'
+  color: F7C632
+  description: 'Issue is currently being worked on by a developer.'
+- name: 'ready-for-review'
+  color: 0E5C0D
+  description: 'Work is done, initial tests (Self-Review) passed, and ready for review by colleagues.'
+- name: 'changes-requested'
+  color: D93F0B
+  description: 'Reviewer has requested changes/corrections. Author needs to work on it again.'
+- name: 'waiting-on-author'
+  color: FBCA04
+  description: 'Workflow is paused, waiting for author response/changes/clarification.'
+- name: 'blocked'
+  color: B60205
+  description: 'PR/Issue cannot proceed due to external dependency or CI/CD issue.'
+- name: 'priority-critical'
+  color: B80808
+  description: 'Must be addressed as soon as possible.'
+- name: 'priority-high'
+  color: D93F0B
+  description: 'After critical issues are fixed, these should be dealt with before any further issues.'
+- name: 'priority-medium'
+  color: 5319E7
+  description: 'This issue may be useful, and needs some attention.'
+- name: 'priority-low'
+  color: 5319E7
+  description: 'Nice addition, maybe... someday...'
+- name: 'major'
+  color: B60205
+  description: 'This PR causes a major bump in the version number.'
+- name: 'minor'
+  color: 0E8A16
+  description: 'This PR causes a minor bump in the version number.'
+- name: 'Jules'
+  color: 5319E7
+  description: 'Label for Google Jules AI.'

.github/workflows/build-lint-test.yaml

@@ -2,6 +2,10 @@
 
 name: Build, Lint, and Test Project
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+
 on:
   workflow_call:
     inputs:
@@ -11,22 +15,20 @@ on:
         default: 'lts/*'
         type: string
 
-permissions:
-  contents: read
-
 jobs:
   main:
     name: Build, Lint, and Test Project
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
 
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔧 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: ${{ inputs.NODE_VERSION }}
+          node-version: ${{ inputs.node-version }}
+          package-manager-cache: false
 
       - name: 🛠️ Setup Node.js Corepack
         run: corepack enable
@@ -43,6 +45,14 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-yarn-
 
+      - name: 🗂️ Cache .cache folders
+        uses: actions/cache@v4
+        with:
+          path: packages/**/.cache
+          key: ${{ runner.os }}-cache
+          restore-keys: |
+            ${{ runner.os }}-cache-
+
       - name: 📥 Install Dependencies
         run: yarn install --immutable
 

.github/workflows/codeql.yaml

@@ -2,18 +2,19 @@
 
 name: CodeQL
 
+# Required permission on the caller workflow
+# permissions:
+#   actions: read
+#   contents: read
+#   security-events: write
+
 on:
   workflow_call:
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
 jobs:
   main:
     name: CodeQL Analyze
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     strategy:
       fail-fast: false
@@ -23,17 +24,17 @@ jobs:
 
     steps:
       - name: ⤵️ Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🏗 Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           # Details on CodeQL's query packs refer to https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           # queries: security-extended,security-and-quality
 
       - name: 🏗 Auto build
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: 🚀 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/dependency-review.yaml

@@ -2,20 +2,35 @@
 
 name: Dependency Review
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+
 on:
   workflow_call:
-
-permissions:
-  contents: read
+    inputs:
+      base_ref:
+        description: 'The base ref for the dependency review'
+        required: false
+        type: string
+        default: 'next'
+      head_ref:
+        description: 'The head ref for the dependency review'
+        required: false
+        type: string
+        default: 'next'
 
 jobs:
   main:
     name: Dependency Review
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⤵️ Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🚀 Dependency Review
         uses: actions/dependency-review-action@v4
+        with:
+          base-ref: ${{ inputs.base_ref }}
+          head-ref: ${{ inputs.head_ref }}

.github/workflows/publish-npm.yaml

@@ -2,6 +2,11 @@
 
 name: Publish NPM
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+#   id-token: write
+
 on:
   workflow_call:
     inputs:
@@ -10,18 +15,16 @@ on:
         required: true
         default: 'lts/*'
         type: string
+      npm-registry-url:
+        description: 'NPM registry url'
+        required: false
+        default: 'https://registry.npmjs.org'
+        type: string
     secrets:
       NPM_TOKEN:
         required: true
         description: 'NPM token'
 
-env:
-  NODE_VERSION: lts/*
-
-permissions:
-  contents: read
-  id-token: write
-
 jobs:
   main:
     if: github.repository_owner == 'the-nexim'
@@ -31,12 +34,14 @@ jobs:
 
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔧 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: ${{ inputs.NODE_VERSION }}
+          node-version: ${{ inputs.node-version }}
+          registry-url: ${{ inputs.npm-registry-url }}
+          package-manager-cache: false
 
       - name: 🛠️ Setup Node.js Corepack
         run: corepack enable
@@ -60,15 +65,11 @@ jobs:
         run: yarn build
         env:
           WIREIT_LOGGER: metrics
-
-      - name: 🧹 Run ESLint
-        run: yarn lint
-        env:
-          WIREIT_LOGGER: metrics
+          NODE_ENV: production
 
       - name: 🚀 Publish
         run: yarn run publish -- --yes
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_CONFIG_PROVENANCE: true
           WIREIT_LOGGER: metrics

.github/workflows/release.yaml

@@ -2,6 +2,10 @@
 
 name: Build & Lint & Test & Release
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: write
+
 on:
   workflow_call:
     inputs:
@@ -11,30 +15,27 @@ on:
         default: 'lts/*'
         type: string
     secrets:
+      RELEASER_ACCOUNT_TOKEN:
+        required: true
+        description: 'GitHub token for the releaser account'
       GPG_KEY_ID:
         required: true
         description: 'GPG key ID'
-      BOT_TOKEN:
-        required: true
-        description: 'Nexim Bot token'
       GPG_PRIVATE_KEY:
         required: true
         description: 'GPG private key'
 
-permissions:
-  contents: write
-
 jobs:
   main:
     name: Build & Lint & Test & Release
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⤵️ Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
-          token: ${{ secrets.BOT_TOKEN }}
+          token: ${{ secrets.RELEASER_ACCOUNT_TOKEN }}
 
       - name: 🙂‍↔️ Import GPG key
         run: |
@@ -54,9 +55,10 @@ jobs:
           GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
 
       - name: 🔧 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: ${{ inputs.node-version }}
+          package-manager-cache: false
 
       - name: 🛠️ Setup Node.js Corepack
         run: corepack enable
@@ -94,5 +96,5 @@ jobs:
       - name: 🤖 Get Release
         run: yarn lerna version --yes
         env:
-          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASER_ACCOUNT_TOKEN }}
           WIREIT_LOGGER: metrics

.github/workflows/sync-label.yaml

@@ -1,26 +1,22 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
 name: Sync labels
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+#   issues: write
+
 on:
   workflow_call:
-    secrets:
-      GITHUB_TOKEN:
-        description: 'GitHub token'
-        required: true
-
-permissions:
-  contents: read
-  issues: write
 
 jobs:
   main:
     name: Sync labels
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⤵️ Check out code from GitHub
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🚀 Run Label Syncer
         uses: micnncim/action-label-syncer@v1

.vscode/settings.json

@@ -22,7 +22,10 @@
   },
   "typescript.enablePromptUseWorkspaceTsdk": true,
   "typescript.tsdk": ".yarn/sdks/typescript/lib",
-  "cSpell.words": ["nexim"],
+  "cSpell.words": [
+    "nexim",
+    "wireit"
+  ],
   "todo-tree.tree.scanMode": "workspace only",
   "github.copilot.chat.codeGeneration.instructions": [
     {