Fix up CI/CD

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [humanspeak]

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+    - package-ecosystem: npm
+      directory: /
+      schedule:
+          interval: weekly
+      open-pull-requests-limit: 10
+      labels:
+          - dependencies

.github/workflows/cache-cleanup.yml

@@ -0,0 +1,31 @@
+name: Cache Cleanup
+
+permissions:
+    actions: read
+
+on:
+    schedule:
+        - cron: 0 0 1 * * # Monthly cleanup
+
+jobs:
+    cleanup:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Cleanup
+              env:
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  REPO: ${{ github.repository }}
+                  BRANCH: main
+              run: |
+                  gh extension install actions/gh-actions-cache
+
+                  echo "Fetching list of cache key"
+                  cacheKeys=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
+
+                  ## Setting this to not fail the workflow while deleting cache keys.
+                  set +e
+                  echo "Deleting caches..."
+                  for cacheKey in $cacheKeys
+                  do
+                      gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+                  done

.github/workflows/codeql.yml

@@ -0,0 +1,34 @@
+name: CodeQL
+
+permissions:
+    security-events: write
+    contents: read
+
+on:
+    push:
+        branches: [main]
+    pull_request:
+        branches: [main]
+        types: [opened, synchronize, reopened]
+    schedule:
+        - cron: 0 0 * * 0 # Run weekly
+
+jobs:
+    analyze:
+        name: Analyze
+        runs-on: ubuntu-latest
+        if: github.event_name == 'push' || github.event_name == 'schedule' || github.event.pull_request.head.repo.full_name != github.repository
+
+        steps:
+            - uses: actions/checkout@v4
+              with:
+                  persist-credentials: false
+                  fetch-depth: 0
+
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v3
+              with:
+                  languages: javascript
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v3

.github/workflows/coveralls.yml

@@ -0,0 +1,63 @@
+name: Coveralls
+
+permissions:
+    contents: read
+    packages: read
+
+on:
+    schedule:
+        # Runs at 00:00 on Sunday
+        - cron: 0 0 * * 0
+    workflow_dispatch: # Allows manual triggering
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        strategy:
+            matrix:
+                node-version: [20, 22]
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                  persist-credentials: false
+                  token: ${{ secrets.ACTIONS_KEY }}
+
+            - name: Use Node.js ${{ matrix.node-version }}
+              uses: actions/setup-node@v4
+              with:
+                  node-version: ${{ matrix.node-version }}
+
+            - name: Install
+              run: npm ci
+
+            - name: Test
+              run: npm test --coverage
+
+            - name: Upload coverage to Coveralls
+              uses: coverallsapp/github-action@v2
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  flag-name: node-${{ matrix.node-version }}
+                  parallel: true
+              if: matrix.node-version == '22'
+
+            - name: Cache dependencies
+              uses: actions/cache@v4
+              with:
+                  path: ~/.npm
+                  key: ${{ runner.os }}-node-${{ matrix.node-version }}-${{ hashFiles('**/package-lock.json') }}
+                  restore-keys: |
+                      ${{ runner.os }}-node-${{ matrix.node-version }}-
+                      ${{ runner.os }}-node-
+
+    finish-coverage:
+        needs: build
+        runs-on: ubuntu-latest
+        if: ${{ always() }}
+        steps:
+            - name: Coveralls Finished
+              uses: coverallsapp/github-action@v2
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  parallel-finished: true

.github/workflows/lint-check.yml

@@ -0,0 +1,45 @@
+# This workflow enforces code quality standards by running ESLint checks
+# on all Pull Requests targeting main or staging branches.
+#
+# It will:
+# 1. Run on every PR to main/staging
+# 2. Check all relevant files
+# 3. Fail if there are any linting errors/warnings
+# 4. Block PR merging until all lint issues are resolved
+#
+# The lint configuration is defined in the project's ESLint config files
+
+name: Lint Check
+
+permissions:
+    contents: read
+
+on:
+    pull_request:
+        branches:
+            - main
+        paths:
+            - '!docs/**'
+
+jobs:
+    lint:
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+              with:
+                  persist-credentials: false
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: '22'
+                  cache: npm
+                  cache-dependency-path: ./package.json
+
+            - name: Install dependencies
+              run: npm ci
+
+            - name: Run lint check
+              run: npm run lint