Improve project workflows #555

Merged: jamesrweb merged 4 commits into main from cleanup-workflows, Mar 22, 2026

Conversation

@jamesrweb (Member)

Related Issue

N/A — workflow overhaul to fix bugs, improve security, and reduce duplication

PR Type

  • 🐛 Bug Fix
  • ✨ New Feature
  • 🔨 Code Refactor
  • 📝 Documentation Update
  • 🧪 Test Update
  • 🔧 Build/CI Update
  • 🧹 Chore
  • ⏪ Revert

Description

Overhaul all GitHub Actions workflows to fix several bugs, eliminate duplication
via a reusable composite action, tighten security with scoped permissions,
simplify caching with actions/setup-node built-in support, and centralise
Node/pnpm version management through package.json.

Proposed Changes

  • Created .github/actions/setup/action.yml composite action that handles pnpm
    setup, Node.js installation (reading version from package.json), built-in
    pnpm caching via actions/setup-node, and dependency installation — replacing
    the 5–7 duplicated steps across every job in every workflow
  • CI.yml:
    • Removed the setup job that spun up a full runner just to compute cache
      keys
    • Removed the auto-fix-and-commit pattern from format and lint jobs (was
      broken: job status stayed "failure" after fix, downstream jobs were skipped,
      and GITHUB_TOKEN commits don't re-trigger CI)
    • Format, lint, test, and build now run in parallel instead of sequentially —
      branch protection enforces all must pass
    • Fixed {{ matrix.runs-on }} in artifact names — was literal text (missing
      $ prefix) and no matrix strategy existed
    • Fixed npm-dry-run job to properly download build artifacts (removed
      continue-on-error that silently swallowed download failures)
    • Fixed coverage comparison: previous coverage is now fetched from the last
      successful CI run via gh api and run-id parameter, instead of attempting
      to download from the current run (which always failed)
    • Pinned lucassabreu/comment-coverage-clover to v0.16.0 instead of @main
    • Added permissions: {} at workflow level with least-privilege per-job scoping
    • Removed contents: write from format and lint jobs (no longer needed without
      auto-commit)
  • CD.yml:
    • gh-pages and npm jobs now run in parallel (removed unnecessary
      dependency)
    • Changed cancel-in-progress to false to prevent aborting mid-deploy
    • Added lint and test steps before publish as a safety net for direct pushes
      to master
    • Replaced raw pnpm publish with JS-DevTools/npm-publish@v4 for built-in
      version-exists checking and provenance support
    • Added environment: production to the npm publish job for environment
      protection rules
    • Added permissions: {} at workflow level with least-privilege per-job scoping
  • CODEQL.yml:
    • Fixed duplicate analysis: replaced ["javascript", "typescript"] matrix
      (which ran two identical scans) with single javascript-typescript language
    • Reduced timeout from 360 minutes to 30 minutes
    • Removed unnecessary fetch-depth: 0 (CodeQL doesn't need full git history)
    • Added category to the analyze step
    • Added permissions: {} at workflow level
  • DependabotBot.yml:
    • Moved permissions from workflow level to job level
    • Changed to check-then-fix pattern: formatting and linting checks run first,
      fixes and commits only happen when checks actually fail
    • Added permissions: {} at workflow level
  • Added PR_DESCRIPTION.md to .gitignore

How Has This Been Tested?

  • Unit Tests
  • Integration Tests
  • Manual Testing (please describe)

Workflow YAML validated for correct syntax and structure. CI run on this PR will
serve as the functional validation.

Screenshots/Recordings

N/A — no visual changes.

Breaking Changes

  • Yes (please describe)
  • No

Checklist

  • My code follows the code style of this project
  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • My changes generate no new warnings

Additional Notes

The CD workflow now uses JS-DevTools/npm-publish@v4 instead of raw
pnpm publish. This action automatically skips publishing when the version
already exists on the registry, preventing failures on non-version-bump pushes
to master.

A new environment: production has been added to the npm publish job. You may
need to create this environment in the repository settings and configure any
desired protection rules (e.g. required reviewers).

The auto-fix-and-commit pattern has been removed from CI. Developers should run
pnpm format and pnpm lint:fix locally before pushing. The Dependabot
workflow retains its auto-fix pattern since Dependabot PRs cannot be edited
manually.
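The workflow-level permissions: {} with per-job opt-in, the composite setup action that reads versions from package.json, the pinned coverage action, and the run-id based lookup of the previous coverage baseline described above, as an added illustration. This is not the repository's own workflow code: the package.json scripts format:check, lint and test, the artifact name "coverage", and the input names passed to lucassabreu/comment-coverage-clover are assumptions to be checked against that action's README. The other actions are real and shown with their major-version tags; pinning each to a full commit SHA is the stricter choice.

```yaml
# Added illustration (not the repository's own files): two files in one block,
# separated by "# --- file:" comments. Assumptions: the package.json scripts
# format:check / lint / test, the artifact name "coverage", and the input
# names passed to the coverage action.

# --- file: .github/actions/setup/action.yml
name: Setup
description: Install pnpm, Node.js (version read from package.json) and dependencies
runs:
  using: composite
  steps:
    - uses: pnpm/action-setup@v4           # reads the pnpm version from the packageManager field
      with:
        run_install: false
    - uses: actions/setup-node@v4          # major-version tags shown; a full commit SHA pins harder
      with:
        node-version-file: package.json    # single source of truth for the Node version
        cache: pnpm                        # built-in store caching replaces hand-rolled cache keys
    - run: pnpm install --frozen-lockfile
      shell: bash                          # composite-action run steps must declare a shell

# --- file: .github/workflows/CI.yml
name: CI
on:
  pull_request:
  push:
    branches: [main]

permissions: {}   # deny everything at the workflow level; each job opts in below

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # format, lint and test are independent, so they run in parallel; branch
  # protection requires all of them instead of chaining them with needs:.
  format:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only; without write no auto-commit is possible
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - run: pnpm format:check

  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - run: pnpm lint

  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read           # required to download an artifact from another run
      pull-requests: write    # required to post the coverage comment
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - run: pnpm test -- --coverage

      # The baseline comes from the last successful CI run on main, not from the
      # current run, whose artifact does not exist yet at this point.
      - name: Locate last successful CI run on main
        id: previous
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          run_id=$(gh api \
            "repos/${{ github.repository }}/actions/workflows/CI.yml/runs?branch=main&status=success&per_page=1" \
            --jq '.workflow_runs[0].id // empty')
          echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"

      - name: Download previous coverage
        if: steps.previous.outputs.run_id != ''   # a fresh repository has no baseline yet
        uses: actions/download-artifact@v4
        with:
          name: coverage
          path: previous-coverage
          run-id: ${{ steps.previous.outputs.run_id }}
          github-token: ${{ github.token }}

      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage/clover.xml

      - uses: lucassabreu/comment-coverage-clover@v0.16.0   # pinned tag, never @main
        with:
          file: coverage/clover.xml               # input names assumed, see lead-in
          base-file: previous-coverage/clover.xml
```

Two design points worth noting: no step uses continue-on-error, so a failed baseline download or API call fails the job visibly instead of being swallowed, and the download step is guarded only by the absence of a previous run, which is the one case where a missing baseline is legitimate.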

@jamesrweb jamesrweb self-assigned this Mar 17, 2026
@jamesrweb jamesrweb requested a review from yevdyko as a code owner March 17, 2026 10:05
@jamesrweb jamesrweb added the enhancement, dependencies, security and github-actions labels Mar 17, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

github-actions bot commented Mar 17, 2026

Coverage report for commit: 0be9f9f
File: ./coverage/clover.xml

Cover ┌─────────────────────────┐ Freq.
   0% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  10% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  20% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  30% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  40% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  50% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  60% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  70% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  80% │ ░░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
  90% │ ▒░░░░░░░░░░░░░░░░░░░░░░ │  0.0%
 100% │ ███████████████████████ │ 100.0%
      └─────────────────────────┘
 *Legend:* █ = Current Distribution / ▒ = Previous Distribution
Summary - Lines: 100.00% 🔼 | Methods: 100.00% ⏹️ | Branches: 97.22% 🔼
File                               Lines      Methods    Branches
src/components
  P5Canvas.tsx                     100.00%    100.00%    100.00%
  P5CanvasGuard.tsx                100.00%    100.00%     87.50%
  P5CanvasWithSketch.tsx           100.00%    100.00%    100.00%
src/constants
  CanvasContainerClassName.ts      100.00%    100.00%    100.00%
src/contracts
  CanvasContainer.ts               100.00%    100.00%    100.00%
  CanvasContainerRef.ts            100.00%    100.00%    100.00%
  InputProps.ts                    100.00%    100.00%    100.00%
  P5CanvasInstance.ts              100.00%    100.00%    100.00%
  P5CanvasInstanceRef.ts           100.00%    100.00%    100.00%
  P5CanvasProps.ts                 100.00%    100.00%    100.00%
  P5CanvasPropsWithSketch.ts       100.00%    100.00%    100.00%
  Sketch.ts                        100.00%    100.00%    100.00%
  SketchProps.ts                   100.00%    100.00%    100.00%
  WithChildren.ts                  100.00%    100.00%    100.00%
  p5.ts                            100.00%    100.00%    100.00%
src
  main.tsx                         100.00%    100.00%    100.00%
src/utils
  createP5CanvasInstance.ts        100.00%    100.00%    100.00%
  logErrorBoundaryError.ts         100.00%    100.00%    100.00%
  propsAreEqual.ts                 100.00%    100.00%    100.00%
  removeP5CanvasInstance.ts        100.00%    100.00%    100.00%
  updateP5CanvasInstance.ts        100.00%    100.00%    100.00%
  withoutKeys.ts                   100.00%    100.00%    100.00%

🤖 comment via lucassabreu/comment-coverage-clover

@jamesrweb jamesrweb enabled auto-merge March 17, 2026 10:14
yevdyko (Contributor) previously approved these changes Mar 19, 2026

@yevdyko yevdyko left a comment

@jamesrweb There are a few merge conflicts in the PR. I think we’ll be able to merge it once they’ve been resolved. WDYT?

@jamesrweb (Member, Author)

> @jamesrweb There are a few merge conflicts in the PR. I think we’ll be able to merge it once they’ve been resolved. WDYT?

Yes, I will resolve the conflicts today - it happened due to the other two PRs being merged. 👍🏻

@jamesrweb (Member, Author)

jamesrweb commented Mar 21, 2026

FYI @yevdyko, I changed the name of the base branch to main since most of my other repos use that by default now anyway. You can run git branch -m master main && git fetch origin && git branch -u origin/main main && git remote set-head origin -a locally; just be sure you are on the current master branch when you run it. 👍🏻

@jamesrweb jamesrweb requested a review from yevdyko March 21, 2026 07:16
@yevdyko yevdyko (Contributor) left a comment

Looks good, except that the package includes a duplicate in the way of an older version of Vite

Thank you @jamesrweb

@jamesrweb jamesrweb added this pull request to the merge queue Mar 22, 2026
@jamesrweb jamesrweb removed this pull request from the merge queue due to a manual request Mar 22, 2026
@jamesrweb jamesrweb merged commit 508de38 into main Mar 22, 2026
8 checks passed
@jamesrweb jamesrweb deleted the cleanup-workflows branch March 22, 2026 01:36