
chore: address issue 1836 action items #1840

Open
pranitaurlam wants to merge 6 commits into finos:main from pranitaurlam:issue-1836-action-items

Conversation

@pranitaurlam pranitaurlam commented Apr 13, 2026

Resolves #1826
Resolves #1827

  • Updates Node test matrix to include Node 22, 24, and 25
  • Pins GitHub Actions dependencies for better OpenSSF scorecard
  • Adds a CodeQL workflow
  • Adds the CodeCov coverage badge to README.md

@pranitaurlam pranitaurlam requested a review from a team as a code owner April 13, 2026 04:27
netlify Bot commented Apr 13, 2026

Deploy Preview for fdc3 canceled.

Latest commit: 824ecb4
Latest deploy log: https://app.netlify.com/projects/fdc3/deploys/69dd28715072540008012d31

linux-foundation-easycla Bot commented Apr 13, 2026

CLA Signed

The committers listed above are authorized under a signed CLA.

@pranitaurlam pranitaurlam force-pushed the issue-1836-action-items branch 3 times, most recently from 39d40b2 to 74ad9bc on April 13, 2026 05:05
@pranitaurlam pranitaurlam (Author) commented:
/easycla

- Update Node test matrix to [22, 24, 25] in cve-scanning and coverage workflows
- Pin GitHub Actions dependencies
- Add CodeCov coverage badge to README.md
- Add CodeQL workflow for OpenSSF scorecard
@pranitaurlam pranitaurlam (Author) commented:
/easycla

@pranitaurlam pranitaurlam force-pushed the issue-1836-action-items branch from 4aa7dc7 to f408c80 on April 13, 2026 05:28
pranitaurlam commented Apr 13, 2026

Hi @kriswest

I've opened this PR to address the remaining action items from the April 8th maintainers meeting (#1836). Specifically, this PR covers:

  • Updated the Node.js test matrix to include Node 22, 24, and 25 (deprecating Node 20)
  • Pinned GitHub Actions dependencies to commit SHAs for improved OpenSSF scorecard
  • Added a CodeQL workflow for OpenSSF scorecard compliance
  • Added the CodeCov coverage badge to README.md

The EasyCLA check has now passed. Could you please approve the 4 pending workflows so the CI tests can run? Happy to make any adjustments based on your feedback.

github-advanced-security commented:

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@kriswest kriswest (Contributor) left a comment:

Thanks for having a go at this. There are a couple of small adjustments to make + we'll need to figure out why the coverage and CVE scanning jobs are failing.

Review threads: toolbox/fdc3-conformance/webpack.config.js (outdated); .github/workflows/codeql.yml (outdated, two threads); .github/workflows/cve-scanning.yml
- Remove '// trigger' comment from webpack.config.js
- Pin codeql-action steps to commit SHA
- Simplify cve-scanning to use node 22 only (no matrix)

pranitaurlam commented Apr 13, 2026

Hi @kriswest, thank you for the feedback! I've addressed all the requested changes:

  • Removed the // trigger comment from toolbox/fdc3-conformance/webpack.config.js
  • Pinned all codeql-action steps (init, autobuild, analyze) to their commit SHAs in .github/workflows/codeql.yml
  • Simplified .github/workflows/cve-scanning.yml to use a single node-version: 22 instead of a matrix

Could you also let me know what's failing in the coverage and CVE scanning jobs so I can help investigate? Happy to make any further adjustments.

@kriswest kriswest linked an issue Apr 13, 2026 that may be closed by this pull request
@kriswest kriswest (Contributor) left a comment:

This looks good to me now - we just need to figure out why the workflows are failing...

@kriswest kriswest (Contributor) commented:
@bingenito this PR is handling a couple of the action items you and I were going to look at after the maintainers meeting (CodeQL, dependency pinning etc., node test matrix). However, it's failing the coverage and CVE scanning checks on what looks like token permissions issues? Is that something you could take a look at and advise on (as that was the remaining item you'd offered to look at - and probably understand a lot better than I)?

@pranitaurlam pranitaurlam (Author) commented:
Thanks @kriswest
I’ll investigate the failing workflows (coverage and CVE scanning) and work on fixing them. I’ll push an update once it’s resolved.

codecov-commenter commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.68%. Comparing base (c0f0e95) to head (824ecb4).
⚠️ Report is 26 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1840      +/-   ##
==========================================
+ Coverage   95.65%   95.68%   +0.02%     
==========================================
  Files          69       69              
  Lines        4631     4631              
  Branches      714      807      +93     
==========================================
+ Hits         4430     4431       +1     
+ Misses        201      200       -1     


@kriswest kriswest self-requested a review April 14, 2026 09:54
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
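Review bot: the replacement line pins actions/checkout to a commit annotated `# v4` while the line it replaces referenced `actions/checkout@v6`, so the pin moves the workflow back a major version rather than just freezing the one already in use. Resolve the commit of the v6 release and pin that SHA instead, keeping a `# v6` comment beside it so the tag the hash corresponds to stays auditable and tooling can bump it.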
@bingenito bingenito (Member) commented Apr 14, 2026:

These got downgraded. We really should add a dependabot config at least for actions if we don't want to do npm yet. I suspect this older version will also not work with oidc.
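A Dependabot configuration of the kind the comment above asks for, as an added example and not a file from this PR or the project. It covers only the GitHub Actions ecosystem, so SHA-pinned `uses:` lines and their trailing `# vN` comments are bumped together when a new release ships without touching npm yet; the weekly schedule and the single update group are assumptions, not anything the repository has decided on.

```yaml
# .github/dependabot.yml (added example; not part of the PR)
version: 2
updates:
  # Keep SHA-pinned actions current. Dependabot rewrites both the pinned
  # commit and the "# vN" comment, so the pins stay auditable after a bump.
  - package-ecosystem: "github-actions"
    # "/" covers every workflow under .github/workflows
    directory: "/"
    schedule:
      interval: "weekly"   # assumed cadence
    # One PR per week for all action bumps instead of one PR per action.
    groups:
      github-actions:
        patterns:
          - "*"
```

Adding an `npm` entry later is a second item under `updates:` with `package-ecosystem: "npm"`; keeping it separate lets the actions pins move on their own schedule.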

- name: Codecov
uses: codecov/codecov-action@v6
with:
use_oidc: true
Member comment:

We lost this. It has to be sent.

uses: codecov/codecov-action@v6
with:
use_oidc: true
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
Member comment:
Since we have a build matrix, we will now have an issue that it will upload coverage for each entry of the build matrix overwriting the last. One fix for this is to upload with a to codecov that includes the matrix variable in it.


permissions:
contents: read
id-token: write
Member comment:
This is required when adding back the oidc which was removed erroneously. It can be put at a lower level, but it has to be here in combination with oidc for codecov upload to work without tokens.
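The points made in the two comments above (a per-matrix-entry upload name so coverage uploads do not overwrite each other, and `id-token: write` granted only where the OIDC upload happens) put together in one workflow, as an added example rather than the project's own coverage workflow. The setup-node SHA is the one shown in the review snippet on this page; the all-zero SHAs are placeholders for the commits of the v6 releases of checkout and codecov-action, which must be resolved before use; and the `npm test -- --coverage` command is an assumed test script.

```yaml
# Added example workflow (not the project's file). SHA placeholders marked below.
name: coverage

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: every job is read-only unless it says otherwise.
permissions:
  contents: read

jobs:
  coverage:
    runs-on: ubuntu-latest
    # Only this job talks to Codecov, so the OIDC token permission is scoped
    # here instead of being granted to every job in the workflow.
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        node-version: [22, 24, 25]
    steps:
      - name: Checkout repository
        # PLACEHOLDER SHA: replace with the commit of the v6 release.
        uses: actions/checkout@0000000000000000000000000000000000000000 # v6
      - name: Setup Node ${{ matrix.node-version }}
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install and test
        run: |
          npm ci
          npm test -- --coverage   # assumed test script; adjust to the project's
      - name: Codecov
        # PLACEHOLDER SHA: replace with the commit of the v6 release
        # (the reviewer notes the older v4 pin may not support OIDC).
        uses: codecov/codecov-action@0000000000000000000000000000000000000000 # v6
        with:
          # Tokenless upload via the job's OIDC token (needs id-token: write above).
          use_oidc: true
          # Distinct name and flag per matrix entry, so the three uploads are
          # kept side by side instead of each overwriting the previous one.
          name: node-${{ matrix.node-version }}
          flags: node-${{ matrix.node-version }}
          fail_ci_if_error: true
```

With the job-level `permissions` block present, the job gets exactly `contents: read` and `id-token: write` and nothing else; the workflow-level block only sets the default for jobs that do not override it.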

uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20
node-version: 22
Member comment:
If we change this to 24 (the publishing node version), we can remove the NODE_AUTH_TOKEN from the npm publish env variables and it will use oidc and trusted publishing for free. Trusted publishing requires a new version of npm with node 24.

Contributor comment:
I'm definitely OK with moving forward to node 24 (and trusted publishing) sooner rather than later.


Development

Successfully merging this pull request may close these issues:

  • Switch SAST workflow from semgrep to codeql
  • Deprecate node 20 and change testing matrix to node 22, 24 & 25

5 participants