feat(ci): add quality and security workflows with PR comments

- Add CI workflow with Biome lint/format, TypeScript check, tests, build
- Add dependency audit with bun pm scan
- Add Semgrep SAST with auto and OWASP Top 10 rules
- Add CodeQL analysis for JavaScript/TypeScript
- Add dependency review action with PR comments
- Update mise.toml build output to ralph-for-kiro

Author: theagenticguy

.github/workflows/ci.yml

@@ -0,0 +1,57 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
+jobs:
+  quality:
+    name: Quality Checks
+    runs-on: ubuntu-latest
+    container:
+      image: oven/bun:latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Lint (Biome)
+        run: bunx biome check src tests
+
+      - name: Format Check (Biome)
+        run: bunx biome format src tests
+
+      - name: Type Check (TypeScript)
+        run: bunx tsc --noEmit
+
+      - name: Test
+        run: bun test
+
+      - name: Build
+        run: bun run build
+
+  dependency-audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+    container:
+      image: oven/bun:latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Scan dependencies for vulnerabilities
+        run: bun pm scan

.github/workflows/security.yml

@@ -0,0 +1,83 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1' # Weekly on Monday at 6am UTC
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: write
+  actions: read
+
+jobs:
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep (Auto)
+        run: semgrep scan --config auto --sarif --output semgrep-auto.sarif src
+        continue-on-error: true
+
+      - name: Run Semgrep (OWASP Top 10)
+        run: semgrep scan --config p/owasp-top-ten --sarif --output semgrep-owasp.sarif src
+        continue-on-error: true
+
+      - name: Upload Semgrep Auto results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep-auto.sarif
+          category: semgrep-auto
+        if: always()
+
+      - name: Upload Semgrep OWASP results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep-owasp.sarif
+          category: semgrep-owasp
+        if: always()
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          queries: security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: codeql
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          comment-summary-in-pr: always
+          fail-on-severity: high
+          warn-on-openssf-scorecard-level: 3

mise.toml

@@ -8,7 +8,7 @@ run = "bun run src/index.ts"
 
 [tasks.build]
 description = "Build the CLI binary"
-run = "bun build src/index.ts --compile --outfile ralph"
+run = "bun build src/index.ts --compile --outfile ralph-for-kiro"
 
 [tasks.test]
 alias = "t"