feat: Establish CI/CD workflows, security policies, and enhance documentation and configuration management.

Author: muhammedaksam

.github/CODEOWNERS

@@ -0,0 +1,21 @@
+# Dependabot reviewers (migrated from .github/dependabot.yml)
+
+# npm dependencies (root directory)
+
+/package.json @muhammedaksam
+/package-lock.json @muhammedaksam
+/npm-shrinkwrap.json @muhammedaksam
+/yarn.lock @muhammedaksam
+/bun.lock @muhammedaksam
+/pnpm-lock.yaml @muhammedaksam
+
+# GitHub Actions workflows
+
+/.github/workflows/*.yml @muhammedaksam
+/.github/workflows/*.yaml @muhammedaksam
+/action.yml @muhammedaksam
+/action.yaml @muhammedaksam
+
+# Default owner for all other files
+
+* @muhammedaksam

.github/actions/setup/action.yml

@@ -0,0 +1,25 @@
+name: "Setup Environment"
+description: "Setup Bun and install dependencies"
+
+inputs:
+  frozen-lockfile:
+    description: "Use --frozen-lockfile for install"
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v2
+      with:
+        bun-version: latest
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        if [ "${{ inputs.frozen-lockfile }}" = "true" ]; then
+          bun install --frozen-lockfile
+        else
+          bun install
+        fi

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    assignees:
+      - "muhammedaksam"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    target-branch: "develop"
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    assignees:
+      - "muhammedaksam"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    target-branch: "develop"

.github/workflows/build.yml

@@ -0,0 +1,31 @@
+name: Build Check
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup environment
+        uses: ./.github/actions/setup
+
+      - name: Type check
+        run: bun run typecheck
+
+      - name: Build package
+        run: bun run build
+
+      - name: Verify build artifacts
+        run: |
+          echo "Checking build artifacts..."
+          test -d dist || (echo "❌ dist directory not found" && exit 1)
+          test -f dist/index.js || (echo "❌ dist/index.js not found" && exit 1)
+          echo "✅ dist/index.js: $(ls -lh dist/index.js | awk '{print $5}')"

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+jobs:
+  lint-and-build:
+    name: Lint, Format & Build
+    runs-on: ubuntu-latest
+    if: ${{ !contains(github.event.head_commit.message || '', '[skip ci]') && !contains(github.event.pull_request.title || '', '[skip ci]') }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup environment
+        uses: ./.github/actions/setup
+
+      - name: Run ESLint
+        run: bun run lint
+
+      - name: Check Prettier formatting
+        run: bun run format:check
+
+      - name: Type check
+        run: bun run typecheck
+
+      - name: Build project
+        run: bun run build

.github/workflows/publish-trusted.yml

@@ -0,0 +1,50 @@
+name: Publish Package (Trusted Publishing)
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  id-token: write # Required for OIDC trusted publishing
+  contents: read
+
+jobs:
+  publish:
+    name: Publish to npm with Trusted Publishing
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup environment
+        uses: ./.github/actions/setup
+        with:
+          frozen-lockfile: "true"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.x"
+          registry-url: "https://registry.npmjs.org"
+
+      # Ensure npm 11.5.1 or later is installed for trusted publishing support
+      - name: Update npm to latest version
+        run: npm install -g npm@latest
+
+      - name: Build package
+        run: bun run build
+
+      - name: Verify build artifacts
+        run: |
+          if [ ! -f "dist/index.js" ]; then
+            echo "ERROR: Build artifacts missing - dist/index.js not found"
+            exit 1
+          fi
+          echo "✓ Build artifacts verified"
+          ls -la dist/
+
+      # Publish using OIDC authentication (no NPM_TOKEN needed)
+      - name: Publish to npm
+        run: npm publish --access public --no-git-checks

.github/workflows/security.yml

@@ -0,0 +1,50 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    # Run weekly on Monday at 9am
+    - cron: "0 9 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  dependency-audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup environment
+        uses: ./.github/actions/setup
+
+      - name: Audit dependencies
+        run: bun pm audit 2>/dev/null || echo "No vulnerabilities found or audit not supported"
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: typescript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:typescript"

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Muhammed Mustafa AKŞAM
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.