security: harden entry file — input validation, error sanitization, n… #97

	name: CI

	on:
	push:
	branches: [ main, master ]
	pull_request:
	branches: [ main, master ]

	jobs:
	ci:
	runs-on: ubuntu-latest

	strategy:
	matrix:
	node-version: [18, 20]

	steps:
	- uses: actions/checkout@v6

	- name: Use Node.js ${{ matrix.node-version }}
	uses: actions/setup-node@v6
	with:
	node-version: ${{ matrix.node-version }}
	cache: 'npm'

	- name: Install dependencies
	run: npm ci

	- name: Run lint
	run: npm run lint --if-present

	- name: Run type check
	run: npm run type-check --if-present

	- name: Run tests
	run: npm test --if-present

	- name: Run build
	run: npm run build --if-present

	security:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v6

	- name: Run security audit
	run: npm audit --audit-level moderate

	- name: Run CodeQL Analysis
	uses: github/codeql-action/analyze@v4
	with:
	languages: javascript

	release:
	needs: [ci, security]
	runs-on: ubuntu-latest
	if: github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/master'

	steps:
	- uses: actions/checkout@v6
	with:
	fetch-depth: 0

	- name: Use Node.js
	uses: actions/setup-node@v6
	with:
	node-version: '20'
	cache: 'npm'
	registry-url: 'https://registry.npmjs.org'

	- name: Install dependencies
	run: npm ci

	- name: Build
	run: npm run build --if-present

	- name: Semantic Release
	uses: cycjimmy/semantic-release-action@v6
	with:
	semantic_version: 18
	extra_plugins: \|
	@semantic-release/changelog
	@semantic-release/git
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

Provide feedback