Add release package automation and GitHub bots

.github/dependabot.yml

@@ -0,0 +1,60 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "10:00"
+      timezone: "America/Toronto"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "javascript"
+
+  - package-ecosystem: "npm"
+    directory: "/apps/codex-claw"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "10:15"
+      timezone: "America/Toronto"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "javascript"
+
+  - package-ecosystem: "npm"
+    directory: "/apps/landing"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "10:30"
+      timezone: "America/Toronto"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "javascript"
+
+  - package-ecosystem: "npm"
+    directory: "/packages/codex-claw"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "10:45"
+      timezone: "America/Toronto"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "javascript"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "11:00"
+      timezone: "America/Toronto"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"

.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    name: Validate app and package
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9.15.4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run CodexClaw app tests
+        run: pnpm -C apps/codex-claw test
+
+      - name: Build CodexClaw app
+        run: pnpm -C apps/codex-claw build
+
+      - name: Build landing page
+        run: pnpm -C apps/landing build
+
+      - name: Check package contents
+        run: pnpm pack:codex-claw
+
+      - name: Audit dependencies
+        run: pnpm audit --audit-level low

.github/workflows/codeql.yml

@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "22 10 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze JavaScript and TypeScript
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          build-mode: none
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"

.github/workflows/release-package.yml

@@ -0,0 +1,66 @@
+name: Release Package
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  codex-claw-package:
+    name: Build CodexClaw release package
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9.15.4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run CodexClaw app tests
+        run: pnpm -C apps/codex-claw test
+
+      - name: Build CodexClaw app
+        run: pnpm -C apps/codex-claw build
+
+      - name: Build landing page
+        run: pnpm -C apps/landing build
+
+      - name: Build package archive
+        run: pnpm package:codex-claw
+
+      - name: Write SHA256 checksums
+        shell: bash
+        run: |
+          cd dist/release
+          sha256sum *.tgz > SHA256SUMS.txt
+
+      - name: Upload workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: codex-claw-release-package
+          path: |
+            dist/release/*.tgz
+            dist/release/SHA256SUMS.txt
+          if-no-files-found: error
+
+      - name: Attach package to GitHub release
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release upload "$GITHUB_REF_NAME" dist/release/*.tgz dist/release/SHA256SUMS.txt --clobber

package.json

@@ -15,6 +15,7 @@
     "format": "pnpm -C apps/codex-claw format",
     "check": "pnpm -C apps/codex-claw check",
     "pack:codex-claw": "pnpm -C packages/codex-claw exec npm pack --dry-run",
+    "package:codex-claw": "node -e \"require('node:fs').mkdirSync('dist/release',{recursive:true})\" && pnpm -C packages/codex-claw exec npm pack --pack-destination ../../dist/release",
     "release:codex-claw": "pnpm -C packages/codex-claw exec npm publish --tag alpha --access public",
     "bump:codex-claw:patch": "pnpm -C packages/codex-claw version patch --no-git-tag-version",
     "bump:codex-claw:minor": "pnpm -C packages/codex-claw version minor --no-git-tag-version",