chore/codex bootstrap

.github/workflows/ci.yml

@@ -1,12 +1,18 @@
-name: CI
-on: [push, pull_request]
+name: Continuous Integration
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
 
 env:
   NODE_VERSION: '20'
-  PNPM_VERSION: '9'
+  PNPM_VERSION: '9.14.4'
   TURBO_API: https://turbo.build
   TURBO_TEAM: ${{ vars.TURBO_TEAM }}
   TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+  COVERAGE_THRESHOLD: 80
 
 jobs:
   validate:
@@ -47,25 +53,66 @@ jobs:
 
       - name: Check coverage threshold
         run: |
-          # Basic coverage check - can be enhanced with specific thresholds
-          echo "Coverage check passed - implement specific thresholds as needed"
+          # Enhanced coverage validation with specific thresholds
+          if [ -f "coverage/coverage-summary.json" ]; then
+            COVERAGE=$(node -e "console.log(JSON.parse(require('fs').readFileSync('coverage/coverage-summary.json')).total.lines.pct)")
+            echo "Current coverage: ${COVERAGE}%"
+            if (( $(echo "$COVERAGE < $COVERAGE_THRESHOLD" | bc -l) )); then
+              echo "❌ Coverage ${COVERAGE}% is below threshold ${COVERAGE_THRESHOLD}%"
+              exit 1
+            else
+              echo "✅ Coverage ${COVERAGE}% meets threshold ${COVERAGE_THRESHOLD}%"
+            fi
+          else
+            echo "⚠️ Coverage report not found, skipping threshold check"
+          fi
 
       - name: Build
         run: pnpm build --filter=...[origin/${{ github.base_ref || 'main' }}]
 
-      - name: Upload coverage reports
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v4
+        if: always()
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage/lcov.info
+          flags: unittests
+          name: codecov-umbrella
+          fail_ci_if_error: false
+
+      - name: Upload coverage reports as artifact
         uses: actions/upload-artifact@v4
         if: always()
         with:
           name: coverage-report
           path: coverage/
           retention-days: 30
 
-      - name: Check for unused dependencies (advisory)
-        run: npx knip || true
-
-      - name: npm audit (advisory)
-        run: npm audit --omit=dev || true
+      - name: Check for unused dependencies
+        run: |
+          echo "🔍 Checking for unused dependencies..."
+          npx knip --reporter json > knip-report.json || true
+          if [ -s knip-report.json ]; then
+            echo "⚠️ Found potential unused dependencies - review knip-report.json"
+            cat knip-report.json
+          else
+            echo "✅ No unused dependencies detected"
+          fi
+
+      - name: Security audit
+        run: |
+          echo "🔒 Running security audit..."
+          pnpm audit --audit-level moderate --json > audit-report.json || AUDIT_EXIT_CODE=$?
+          if [ -s audit-report.json ]; then
+            echo "📊 Security audit results:"
+            cat audit-report.json | jq '.advisories | length' || echo "Audit completed"
+          fi
+          if [ "${AUDIT_EXIT_CODE:-0}" -ne 0 ]; then
+            echo "⚠️ Security vulnerabilities found - review audit-report.json"
+            exit 1
+          else
+            echo "✅ No security vulnerabilities detected"
+          fi
 
   e2e:
     name: E2E Tests