Skip to content

Start implementation according to plan#3

Merged
gander merged 12 commits into
mainfrom
claude/start-implementation-H60OG
Dec 17, 2025
Merged

Start implementation according to plan#3
gander merged 12 commits into
mainfrom
claude/start-implementation-H60OG

Conversation

@gander

@gander gander commented Dec 17, 2025

Copy link
Copy Markdown
Member

Complete MVP implementation including:

  • Project structure with TypeScript, ESM support
  • Code quality tools: BiomeJS, Lefthook, Vitest, tsdown/pkgroll
  • 9 GitHub Actions workflows for CI/CD automation
  • Security features: SLSA Level 3, NPM provenance, CodeQL
  • Automated releases with release-please
  • Comprehensive documentation with TDD methodology
  • Claude Code integration
  • Sample code and tests demonstrating best practices

Major components:

  • TypeScript 5 with strict mode and ESM-first approach
  • Dual bundler support (tsdown default, pkgroll alternative)
  • 80% test coverage enforcement with Vitest
  • Property-based testing with @fast-check
  • Automated dependency updates with Renovate
  • Matrix testing across Node 18, 20, 22
  • Complete security scanning and attestation pipeline

Documentation:

  • README.md with 13 badges and comprehensive guide
  • CONTRIBUTING.md with TDD workflow examples
  • SECURITY.md with vulnerability reporting
  • Architecture Decision Records (ADRs)
  • Branch protection and security deployment guides

All workflows configured to skip on template repository and activate automatically when template is used.

@claude
feat: initial Node Project Starter template implementation
69c3c21 
Complete MVP implementation including:

- Project structure with TypeScript, ESM support
- Code quality tools: BiomeJS, Lefthook, Vitest, tsdown/pkgroll
- 9 GitHub Actions workflows for CI/CD automation
- Security features: SLSA Level 3, NPM provenance, CodeQL
- Automated releases with release-please
- Comprehensive documentation with TDD methodology
- Claude Code integration
- Sample code and tests demonstrating best practices

Major components:
- TypeScript 5 with strict mode and ESM-first approach
- Dual bundler support (tsdown default, pkgroll alternative)
- 80% test coverage enforcement with Vitest
- Property-based testing with @fast-check
- Automated dependency updates with Renovate
- Matrix testing across Node 18, 20, 22
- Complete security scanning and attestation pipeline

Documentation:
- README.md with 13 badges and comprehensive guide
- CONTRIBUTING.md with TDD workflow examples
- SECURITY.md with vulnerability reporting
- Architecture Decision Records (ADRs)
- Branch protection and security deployment guides

All workflows configured to skip on template repository
and activate automatically when template is used.
claude and others added 3 commits December 17, 2025 14:32
@claude
fix: simplify test workflow to Linux Node 22 only
6fea2b1 
Remove matrix testing strategy and test only on Linux Node 22.
This simplifies CI/CD and reduces workflow execution time.

Changes:
- Remove matrix strategy from test.yml
- Test only on ubuntu-latest with Node 22
- Update README.md to reflect single-platform testing
@claude
fix: skip workflows on template repo (no package-lock.json)
df29c2e 
Add repository checks to skip workflows that require package-lock.json
on the template repository itself.

Workflows updated:
- test: skip test job on template repo
- fuzz: skip fuzz-pr job on template repo
- security-pr: skip npm-audit, sbom, license-check jobs on template repo

These workflows will activate automatically when template is used.
@gander
Update actionlint workflow with new versions
9201e3f
@github-actions

github-actions Bot commented Dec 17, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
actions/actions/checkout 4.*.* 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 56 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Vulnerabilities🟢 91 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/labeler 5.*.* 🟢 5
Details
CheckScoreReason
Maintained⚠️ 01 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Vulnerabilities🟢 64 existing vulnerabilities detected
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
SAST🟢 6SAST tool is not run on all commits -- score normalized to 6
actions/codelytv/pr-size-labeler 1.*.* UnknownUnknown
actions/actions/checkout 4.*.* 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 56 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Vulnerabilities🟢 91 existing vulnerabilities detected
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/setup-node 4.*.* 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 68 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 9binaries present in source code
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
Vulnerabilities🟢 82 existing vulnerabilities detected
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact 4.*.* 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 9SAST tool detected but not run on all commits
actions/dorny/paths-filter 3.*.* 🟢 3.1
Details
CheckScoreReason
Maintained⚠️ 01 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 3Found 6/17 approved changesets -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 014 existing vulnerabilities detected
npm/@biomejs/biome ^2.3.8 UnknownUnknown
npm/@fast-check/vitest ^0.2.4 🟢 7.9
Details
CheckScoreReason
Dependency-Update-Tool🟢 10update tool detected
Code-Review⚠️ 0Found 0/4 approved changesets -- score normalized to 0
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 8detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
CII-Best-Practices🟢 5badge detected: Passing
Fuzzing🟢 10project is fuzzed
SAST🟢 10SAST tool is run on all commits
Signed-Releases⚠️ -1no releases found
Vulnerabilities🟢 37 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 4 contributing companies or organizations
npm/@types/node ^20.0.0 🟢 7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 9Found 26/28 approved changesets -- score normalized to 9
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 10security policy file detected
License🟢 9license file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Fuzzing⚠️ 0project is not fuzzed
npm/@vitest/coverage-v8 ^3.0.5 UnknownUnknown
npm/@vitest/ui ^3.0.5 UnknownUnknown
npm/lefthook ^1.10.6 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 5Found 15/30 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Vulnerabilities🟢 100 existing vulnerabilities detected
SAST🟢 9SAST tool detected but not run on all commits
npm/pkgroll ^2.10.3 UnknownUnknown
npm/publint ^0.3.0 UnknownUnknown
npm/tsdown ^0.18.0 UnknownUnknown
npm/typescript ^5.7.3 🟢 8.6
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
License🟢 10license file detected
Dependency-Update-Tool🟢 10update tool detected
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Branch-Protection⚠️ -1internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
SAST🟢 10SAST tool is run on all commits
Fuzzing🟢 10project is fuzzed
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 34 contributing companies or organizations
npm/vitest ^3.0.5 UnknownUnknown

Scanned Files

  • .github/workflows/labeler.yml
  • .github/workflows/test.yml
  • package.json

gander and others added 8 commits December 17, 2025 16:22
@gander
Update actionlint action version to v0.2.4
4e04e1d
@gander
Update actionlint action to version 2
dcdfca3
@gander
Update @fast-check/vitest version to 0.2.4
cbbdbc1
@gander
Update tsdown version to 0.18.0
edc30da
@gander
Update publint version to 0.3.0
8eca3b3
@gander
Update package version and Node.js engine requirement
b3a46e2
@gander
Update @types/node version in package.json
b9b24c6
@claude
fix: resolve all actionlint/shellcheck violations in workflows
7e16cc1 
- Replace sed with bash parameter expansion in auto-pr.yml
- Quote all variable references to prevent word splitting
- Group echo redirects to avoid SC2129 warnings
- Add skip condition for dependency-review with setup instructions
- Fix all SC2086 and SC2129 shellcheck errors across all workflows

Affected files:
- auto-pr.yml: Fixed SC2001 (sed), SC2086 (quotes), SC2129 (grouped echo)
- dependency-review.yml: Added skip condition with documentation
- fuzz.yml: Fixed SC2086 and SC2129
- release-please.yml: Fixed SC2086 and SC2129
- security-main.yml: Fixed SC2086 and SC2129
- security-pr.yml: Fixed SC2086 and SC2129
- test.yml: Fixed SC2086 (quoted GITHUB_STEP_SUMMARY)
@gander gander merged commit 2623ca4 into main Dec 17, 2025
20 checks passed
@gander gander deleted the claude/start-implementation-H60OG branch December 17, 2025 21:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

build code config dependencies documentation Improvements or additions to documentation github-actions security size/xl tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gander @claude