🧑‍💻: Add GitHub Actions workflows for improved linting and testing

- Added a new workflow for linting all files on merge and pull request events.
- Introduced a testing workflow that runs Jest tests on specified paths during pull requests.
- Enhanced the build workflow to ensure proper setup and artifact management.

Signed-off-by: Alexandre Nicolaie <[email protected]>

Author: xunleii

.github/workflows/merge_group,pull_request.all.lint.yaml

@@ -0,0 +1,25 @@
+---
+name: 🚨 Lint Everything
+
+on:
+  merge_group: {}
+  pull_request: {}
+
+concurrency:
+  group: ${{ github.action }}-${{ github.event.pull_request.id }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  trunk:
+    name: ✅ Validate code quality
+    permissions:
+      contents: read
+      checks: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: ⚡️ Run `trunk check`
+        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19

.github/workflows/merge_group,pull_request.all.tests.yaml

@@ -0,0 +1,50 @@
+---
+name: 🧪 Run Tests
+
+on:
+  merge_group: {}
+  pull_request:
+    paths:
+      - src/
+      - package.json
+      - pnpm-lock.yaml
+
+concurrency:
+  group: ${{ github.action }}-${{ github.event.pull_request.id }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  tests:
+    name: ✅ Run Jest Tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: 🏗️ Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+
+      - name: 📦 Install PNPM
+        run: npm install -g pnpm
+
+      - name: 📦 Install dependencies
+        run: pnpm install
+
+      - name: 🧪 Run tests
+        run: pnpm test
+
+      - name: 📊 Upload test results
+        uses: dorny/test-reporter@6e6a65b7a0bd2c9197df7d0ae36ac5cee784230c # v2.0.0
+        if: always()
+        with:
+          name: Jest Test Results
+          path: junit.xml
+          reporter: jest-junit
+          fail-on-error: true

.github/workflows/push,pull_request.build.yaml

@@ -0,0 +1,49 @@
+---
+name: 🏗️ Build Extension
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - src/
+      - package.json
+      - pnpm-lock.yaml
+  pull_request:
+    paths:
+      - src/
+      - package.json
+      - pnpm-lock.yaml
+
+permissions: {}
+
+jobs:
+  build:
+    name: 🏗️ Build ArgoCD extension
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: 🏗️ Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+
+      - name: 📦 Install PNPM
+        run: npm install -g pnpm
+
+      - name: 📦 Install dependencies
+        run: pnpm install
+
+      - name: 🔨 Build the extension
+        run: pnpm build:prod
+
+      - name: 📂 Upload build artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: extension-build
+          path: dist/
+          if-no-files-found: error
+          retention-days: 7

.github/workflows/push.release.yaml

@@ -0,0 +1,92 @@
+---
+name: 🚀 Release Extension
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - package.json
+
+permissions:
+  contents: write
+  discussions: write
+
+jobs:
+  check-version:
+    name: 🔍 Check version change
+    runs-on: ubuntu-latest
+    outputs:
+      should_release: ${{ steps.check.outputs.should_release }}
+      version: ${{ steps.check.outputs.version }}
+    permissions:
+      contents: read
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 2
+
+      - name: 🔍 Check for version change
+        id: check
+        run: |
+          # Get current version
+          CURRENT_VERSION=$(node -p "require('./package.json').version")
+          echo "Current version: $CURRENT_VERSION"
+
+          # Get previous version from the previous commit
+          git checkout HEAD~1
+          if [ -f "package.json" ]; then
+            PREVIOUS_VERSION=$(node -p "try { require('./package.json').version } catch { 'none' }")
+          else
+            PREVIOUS_VERSION="none"
+          fi
+          git checkout -
+          echo "Previous version: $PREVIOUS_VERSION"
+
+          # Check if version has changed
+          if [ "$CURRENT_VERSION" != "$PREVIOUS_VERSION" ]; then
+            echo "Version has changed from $PREVIOUS_VERSION to $CURRENT_VERSION"
+            echo "should_release=true" >> $GITHUB_OUTPUT
+            echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          else
+            echo "Version has not changed ($CURRENT_VERSION)"
+            echo "should_release=false" >> $GITHUB_OUTPUT
+            echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          fi
+
+  build:
+    name: 📦 Build and Release
+    needs: check-version
+    if: needs.check-version.outputs.should_release == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: 🏗️ Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+
+      - name: 📦 Install PNPM
+        run: npm install -g pnpm
+
+      - name: 📦 Install dependencies
+        run: pnpm install
+
+      - name: 🔨 Build the extension
+        run: pnpm build:prod && pnpm build:enpack
+
+      - name: 📄 Create checksums
+        run: |
+          SHA256_FILE="extension_checksums.txt"
+          sha256sum ./dist/extension.tar > ${SHA256_FILE}
+          echo "Created checksum file: ${SHA256_FILE}"
+          cat ${SHA256_FILE}
+
+      - name: 🚀 Create GitHub Release
+        run: |
+          VERSION="v${{ needs.check-version.outputs.version }}"
+          gh release create ${VERSION} --draft --generate-notes ./dist/extension.tar ./extension_checksums.txt
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/push.trunk-cache.yaml

@@ -0,0 +1,25 @@
+---
+name: ♻️ Refresh Trunk cache
+
+on:
+  push:
+    branches: [main]
+    paths: [.trunk/trunk.yaml]
+
+permissions: {}
+
+jobs:
+  trunk-cache:
+    name: ♻️ Refresh Trunk cache
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
+
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 📦️ Populate cache with Trunk
+        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+        with:
+          check-mode: populate_cache_only

.github/workflows/security.dependencies.yaml

@@ -0,0 +1,45 @@
+---
+name: 🔒️ Security checks (Dependencies)
+
+on:
+  push:
+    branches: [main]
+    paths: [package.json, pnpm-lock.yaml]
+  pull_request:
+    paths: [package.json, pnpm-lock.yaml]
+  schedule:
+    - cron: 0 0 * * 1 # Run every Monday at midnight
+  workflow_dispatch: {}
+
+permissions: {}
+
+jobs:
+  security_audit:
+    name: 🔍 Dependency security audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: 🏗️ Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+
+      - name: 📦 Install PNPM
+        run: npm install -g pnpm
+
+      - name: 🔒 Install dependencies
+        run: pnpm install
+
+      - name: 🛡️ Run security audit
+        run: pnpm audit --json | pnpx npm-audit-sarif /dev/stdin > pnpm-audit.sarif || true
+
+      - name: 📊 Upload audit results to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@018ac1a585e52f775ee7460e25bd00c4d516240e # v2.21.2
+        with:
+          sarif_file: pnpm-audit.sarif
+          category: pnpm-audit

.github/workflows/security.workflows.yaml

@@ -0,0 +1,31 @@
+---
+name: 🔒️ Security hardening (Github Actions workflows)
+
+on:
+  merge_group: {}
+  pull_request:
+    types: [opened, synchronize]
+    paths: [.github/workflows/**]
+
+permissions: {}
+
+jobs:
+  ci_harden_security:
+    name: 🔒️ Github Action security hardening
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: 📄 Lint Github Actions
+        run: |
+          curl -O https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/.github/actionlint-matcher.json
+
+          echo "::add-matcher::actionlint-matcher.json"
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/scripts/download-actionlint.bash)
+          ./actionlint -color
+
+      - name: ✅ Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@4830be28ce81da52ec70d65c552a7403821d98d4 # v3.0.23