Add CI/CD quality gates and Dependabot config

* Add CI/CD quality gates and Dependabot config

Enforce coverage thresholds in CI and publish, add security audit,
version-tag validation, GitHub Release creation, and Dependabot for
automated dependency updates targeting develop.

* Split CI into separate lint, audit, and test jobs

* Remove redundant push trigger for develop in CI

* Add Node.js version label to test job names

Author: SimplyLiz

.github/dependabot.yml

@@ -0,0 +1,29 @@
+version: 2
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    target-branch: develop
+    open-pull-requests-limit: 10
+    groups:
+      dev-deps:
+        dependency-type: development
+        update-types:
+          - minor
+          - patch
+      prod-deps:
+        dependency-type: production
+        update-types:
+          - minor
+          - patch
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    target-branch: develop
+    open-pull-requests-limit: 10

.github/pull_request_template.md

@@ -12,7 +12,8 @@ Implementation approach.
 
 ## Checklist
 
-- [ ] Tests pass (`pnpm test`)
+- [ ] Tests pass (`pnpm test:coverage`)
 - [ ] Linting passes (`pnpm lint`)
+- [ ] Formatting passes (`pnpm format:check`)
 - [ ] Build succeeds (`pnpm build`)
 - [ ] Documentation updated (if applicable)

.github/workflows/ci.yml

@@ -4,10 +4,45 @@ on:
   push:
     branches: [main]
   pull_request:
-    branches: [main]
+    branches: [main, develop]
 
 jobs:
-  build-and-test:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm lint
+
+      - run: pnpm format:check
+
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm audit --prod --audit-level=high
+
+  test:
+    name: test (Node.js ${{ matrix.node-version }})
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -27,11 +62,7 @@ jobs:
 
       - run: pnpm build
 
-      - run: pnpm test
-
-      - run: pnpm lint
-
-      - run: pnpm format:check
+      - run: pnpm test:coverage
 
       - name: Verify probe size
         run: |

.github/workflows/publish.yml

@@ -9,7 +9,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       id-token: write
 
     steps:
@@ -27,8 +27,25 @@ jobs:
 
       - run: pnpm build
 
-      - run: pnpm test
+      - run: pnpm test:coverage
+
+      - run: pnpm lint
+
+      - run: pnpm format:check
+
+      - name: Validate version matches tag
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
+            exit 1
+          fi
 
       - run: pnpm -r publish --no-git-checks --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true

CONTRIBUTING.md

@@ -13,22 +13,22 @@ pnpm install
 # Build all packages
 pnpm build
 
-# Run tests
-pnpm test
+# Run tests with coverage
+pnpm test:coverage
 ```
 
 ## Development Workflow
 
-1. Create a feature branch from `main`
+1. Create a feature branch from `develop`
 2. Make your changes
 3. Ensure all checks pass:
    ```bash
    pnpm build
-   pnpm test
+   pnpm test:coverage
    pnpm lint
    pnpm format:check
    ```
-4. Open a pull request
+4. Open a pull request against `develop`
 
 ## Project Structure