feat: add GitHub Actions for pnpm setup, security scans, and automate…

.github/actions/pnpm-setup/action.yml

@@ -0,0 +1,33 @@
+name: pnpm Setup
+
+description: 'Setup pnpm, Node.js, and install dependencies'
+
+inputs:
+  pnpm-version:
+    description: 'pnpm version to install'
+    required: false
+    default: '10'
+  node-version:
+    description: 'Node.js version to use'
+    required: false
+    default: '24'
+  frozen-lockfile:
+    description: 'Use --frozen-lockfile flag'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps: # https://pnpm.io/continuous-integration#github-actions
+    - uses: pnpm/action-setup@v4
+      with:
+        version: ${{ inputs.pnpm-version }}
+        run_install: false
+
+    - uses: actions/setup-node@v6
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: 'pnpm'
+
+    - run: pnpm i ${{ inputs.frozen-lockfile == 'true' && '--frozen-lockfile' || '' }}
+      shell: bash

.github/actions/security-scan/action.yml

@@ -0,0 +1,92 @@
+name: 'Security Scan'
+description: 'Runs pnpm audit, Trivy and ClamAV scans with a summary report.'
+inputs:
+  enable-audit:
+    description: 'Whether to run pnpm audit.'
+    required: false
+    default: 'true'
+  enable-trivy:
+    description: 'Whether to run the Trivy scan.'
+    required: false
+    default: 'true'
+  enable-clamav:
+    description: 'Whether to run the ClamAV scan.'
+    required: false
+    default: 'true'
+  install-deps:
+    description: 'Whether to install dependencies before running the scans.'
+    required: false
+    default: 'false'
+runs:
+  using: 'composite'
+  steps:
+    - name: Install dependencies
+      if: ${{ inputs.install-deps == 'true' }}
+      shell: bash
+      run: pnpm install --frozen-lockfile
+
+    - name: Run pnpm audit
+      id: pnpm_audit
+      if: ${{ inputs.enable-audit == 'true' }}
+      shell: bash
+      run: pnpm audit --audit-level high
+      continue-on-error: true
+
+    - name: Scan repository with Trivy
+      id: trivy
+      if: ${{ inputs.enable-trivy == 'true' }}
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        format: 'table'
+        exit-code: '1'
+      continue-on-error: true
+
+    - name: Scan repository with ClamAV
+      id: clamav
+      if: ${{ inputs.enable-clamav == 'true' }}
+      uses: djdefi/gitavscan@main
+      continue-on-error: true
+
+    - name: Summarize scan results
+      if: ${{ always() }}
+      env:
+        PNPM_AUDIT_OUTCOME: ${{ steps.pnpm_audit.outcome }}
+        TRIVY_OUTCOME: ${{ steps.trivy.outcome }}
+        CLAMAV_OUTCOME: ${{ steps.clamav.outcome }}
+        RUN_PNPM_AUDIT: ${{ inputs.enable-audit }}
+        RUN_TRIVY: ${{ inputs.enable-trivy }}
+        RUN_CLAMAV: ${{ inputs.enable-clamav }}
+      shell: bash
+      run: |
+        printf '| Step | Outcome |\n' >> "$GITHUB_STEP_SUMMARY"
+        printf '| --- | --- |\n' >> "$GITHUB_STEP_SUMMARY"
+
+        pnpm_audit_outcome="$PNPM_AUDIT_OUTCOME"
+        if [[ "$RUN_PNPM_AUDIT" != 'true' ]]; then
+          pnpm_audit_outcome='skipped'
+        fi
+        printf '| pnpm audit | %s |\n' "$pnpm_audit_outcome" >> "$GITHUB_STEP_SUMMARY"
+
+        trivy_outcome="$TRIVY_OUTCOME"
+        if [[ "$RUN_TRIVY" != 'true' ]]; then
+          trivy_outcome='skipped'
+        fi
+        printf '| Trivy | %s |\n' "$trivy_outcome" >> "$GITHUB_STEP_SUMMARY"
+
+        clamav_outcome="$CLAMAV_OUTCOME"
+        if [[ "$RUN_CLAMAV" != 'true' ]]; then
+          clamav_outcome='skipped'
+        fi
+        printf '| ClamAV | %s |\n' "$clamav_outcome" >> "$GITHUB_STEP_SUMMARY"
+
+        if [[ ("$pnpm_audit_outcome" != 'success' && "$pnpm_audit_outcome" != 'skipped') || \
+              ("$trivy_outcome" != 'success' && "$trivy_outcome" != 'skipped') || \
+              ("$clamav_outcome" != 'success' && "$clamav_outcome" != 'skipped') ]]; then
+          echo 'One or more security scans reported a problem.' >> "$GITHUB_STEP_SUMMARY"
+          exit 1
+        fi

.github/dependabot.yml

@@ -5,9 +5,31 @@
 
 version: 2
 updates:
+  # === Default Branch ===
   - package-ecosystem: github-actions
     directory: /
     labels:
       - dependabot
+      - v4
+    schedule:
+      interval: weekly
+
+  # === Release Branch: v3 ===
+  - package-ecosystem: github-actions
+    directory: /
+    target-branch: release/3
+    labels:
+      - dependabot
+      - v3
+    schedule:
+      interval: weekly
+
+  # === Release Branch: v2 ===
+  - package-ecosystem: github-actions
+    directory: /
+    target-branch: release/2
+    labels:
+      - dependabot
+      - v2
     schedule:
       interval: weekly

.github/workflows/auto-dependency-updater.yml

@@ -0,0 +1,91 @@
+name: Auto Dependency Updates
+
+on:
+  schedule:
+    - cron: '0 2 * * 1' # Runs weekly on Monday at 02:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.verify-changed-files.outputs.changed }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - base: develop
+            version: v4
+          - base: release/3
+            version: v3
+          - base: release/2
+            version: v2
+          # - base: release/1
+          #   version: v1
+    env:
+      version: ${{ matrix.version }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ matrix.base }}
+          persist-credentials: false
+      - uses: actions/setup-node@v6
+        with:
+          # cache: pnpm
+          node-version: 22
+      - uses: pnpm/action-setup@v4
+        id: pnpm-install
+        with:
+          version: 10
+          run_install: false
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+      - uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store
+
+      - name: Install
+        run: pnpm i --no-frozen-lockfile
+      - name: Update dependencies (minor)
+        run: |
+          pnpm ncu:minor
+          # Run the recursive update twice so peer and dev dependency bumps align after the first pass adjusts peer ranges.
+          pnpm ncu:minor
+      - name: Reinstall dependencies
+        run: pnpm i --no-frozen-lockfile
+      - name: Fix format
+        run: pnpm format -w
+
+      - name: Check for changes
+        id: verify-changed-files
+        run: |
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        if: steps.verify-changed-files.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v8
+        with:
+          base: ${{ matrix.base }}
+          branch: ${{ env.version }}/auto-update-deps
+          commit-message: 'chore: update dependencies and lock file'
+          title: 'chore(${{ env.version }}): update dependencies and lock file'
+          body: 'Automated dependency updates for ${{ env.version }}.'
+          delete-branch: true
+
+  quality-gates:
+    needs: update
+    if: needs.update.outputs.changed == 'true'
+    uses: ./.github/workflows/quality-gates.yml

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: CI-Pipeline
+name: Continue Integration
 
 on:
   pull_request:
@@ -10,42 +10,5 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-          run_install: false
-      - name: Setup Node with pnpm cache
-        uses: actions/setup-node@v6
-        with:
-          node-version: 22
-          cache: 'pnpm'
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-      - name: Install Playwright
-        run: pnpm exec playwright install
-      - name: Format
-        run: pnpm format
-      - name: Lint
-        run: pnpm lint
-      - name: Unused
-        run: pnpm unused
-      - name: Build
-        run: pnpm build
-      - name: Test
-        run: pnpm test
-      - uses: actions/upload-artifact@v6
-        if: failure()
-        name: Upload test reports
-        with:
-          name: reports
-          path: |
-            test-results/**/*.png
-            !**/node_modules
+  quality-gates:
+    uses: ./.github/workflows/quality-gates.yml

.github/workflows/cla.yml

@@ -0,0 +1,47 @@
+name: 'CLA Assistant'
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+jobs:
+  cla:
+    if: github.repository == 'public-ui/template-theme'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Create GitHub app token'
+        uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+          repositories: 'kolibri,.github-private'
+
+      - name: 'CLA Assistant'
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        # Beta Release
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          PERSONAL_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          path-to-signatures: 'cla/kolibri/signatures-v1.0.json'
+          path-to-document: 'https://github.com/public-ui/kolibri/blob/main/docs/CLA.md' # e.g. a CLA or a DCO document
+          remote-organization-name: 'public-ui'
+          remote-repository-name: '.github-private'
+          # branch should not be protected
+          branch: 'main'
+          allowlist: actions-user,bot*,Copilot,copilot-swe-agent[bot]
+
+          #below are the optional inputs - If the optional inputs are not given, then default values will be taken
+          #remote-organization-name: enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository)
+          #remote-repository-name:  enter the  remote repository name where the signatures should be stored (Default is storing the signatures in the same repository)
+          #create-file-commit-message: 'For example: Creating file for storing CLA Signatures'
+          #signed-commit-message: 'For example: $contributorName has signed the CLA in #$pullRequestNo'
+          #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign'
+          #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA'
+          #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.'
+          #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true)
+          #use-dco-flag: true - If you are using DCO instead of CLA

.github/workflows/codeql.yml

@@ -18,11 +18,10 @@ on:
     # The branches below must be a subset of the branches above
     branches: ['develop']
   schedule:
-    - cron: '23 1 * * 6'
 
 jobs:
   analyze:
-    if: github.repository == 'public-ui/kolibri-theme-kern'
+    if: github.repository == 'public-ui/template-theme'
     name: Analyze
     # Runner size impacts CodeQL analysis time. To learn more, please see:
     #   - https://gh.io/recommended-hardware-resources-for-running-codeql