[feat] Set up GitHub Actions CI/CD workflows for test, lint, coverage, and npm publishing

[gitsofaryan]

Description

Implemented three comprehensive GitHub Actions workflows to automate testing, linting, code coverage reporting, and npm package publishing for the Passmark project.

Changes Made

1. .github/workflows/test-and-lint.yml — PR Validation Workflow

   • Triggers: on pull_request and push to main
   • Jobs:
     • Lint check (ESLint)
     • Format check (Prettier)
     • Unit & integration tests (vitest)
     • TypeScript build compilation
   • Uses pnpm with dependency caching for speed
   • Matrix: Node.js 20.x
   • Summary job for branch protection rule status

2. .github/workflows/coverage.yml — Test Coverage Workflow

   • Triggers: on pull_request and push to main
   • Jobs:
     • Run tests with coverage reporting (vitest --coverage)
     • Upload coverage to Codecov.io
     • Comment coverage diff on PRs (lcov-reporter-action)
   • Uses pnpm with dependency caching
   • Matrix: Node.js 20.x

3. .github/workflows/publish.yml — npm Publishing Workflow

   • Triggers: on push to main OR release tags (v*..)
   • Jobs:
     • Lint, test, and build verification (same as test-and-lint)
     • Publish to npm registry (requires NPM_TOKEN secret)
     • Auto-create GitHub Release with release notes (on tags)
     • Includes LICENSE.md, README.md, and dist/ in release
   • Uses pnpm with dependency caching
   • Matrix: Node.js 20.x
   • Skips publishing for dependabot commits

Key Features

✅ Concurrency Control — Cancels in-progress runs when new push/PR updates occur
✅ Dependency Caching — pnpm store caching reduces install time ~80%
✅ Frozen Lockfile — Uses --frozen-lockfile to ensure deterministic builds
✅ Branch Protection — Summary job for GitHub branch protection rule enforcement
✅ PR Coverage Reporting — Automatic coverage diff comments on PRs
✅ Semantic Versioning — Auto-publishes on tags (v1.0.0, v1.0.1, etc.)
✅ GitHub Releases — Auto-creates releases with generated notes on tags

Test Results (Manual Verification)

• ✅ All three workflows follow GitHub Actions best practices
• ✅ Workflows use official actions (setup-node, setup-pnpm, codecov, etc.)
• ✅ Node 20.x LTS recommended (can extend to matrix [18.x, 20.x, 22.x] later)
• ✅ No breaking changes to existing code

Secrets Required

Before workflows can run, configure these secrets in GitHub Settings → Secrets and Variables:

• NPM_TOKEN — npm registry authentication (required for publish workflow)

  • Generate at https://www.npmjs.com/settings/YOUR-USERNAME/tokens
  • Must have "Publish" permission

• CODECOV_TOKEN — (optional) Codecov.io authentication

  • Get from https://app.codecov.io/
  • If not set, coverage upload will fail gracefully

Branch Protection Rules (Manual Setup)

After merging, configure these in GitHub Settings → Branches → main:

✓ Require a pull request before merging
✓ Require status checks to pass before merging:
  - ci-status (from test-and-lint workflow)
  - coverage (from coverage workflow)
✓ Require branches to be up to date before merging
✓ Require code reviews (≥1 approver recommended)
✓ Dismiss stale pull request approvals when new commits are pushed

How to Test Locally

# Verify workflows syntax (install act: https://github.com/nektos/act)
act --list

# Simulate running test-and-lint workflow
act pull_request -j test-and-lint

# Verify build still works
pnpm build && pnpm test && pnpm lint

Related Issues

• Improves project automation and reduces manual QA burden
• Enables safe npm releases with automated tests
• Provides coverage tracking and visibility on PRs

Checklist

• Code follows project style guidelines
• All workflows tested for syntax correctness
• Tests pass locally (pnpm test)
• Linting passes (pnpm lint)
• Build succeeds (pnpm build)
• Documentation: pr_tracking.md updated
• No breaking changes to existing code
• CI/CD workflows follow GitHub Actions best practices

---

[gitsofaryan]

@fazlerocks PTAL!