feat(workflows): add CI/CD workflows for continuous integration, quality assurance, security scanning, and typo checks

Author: alienx5499

.github/actions/setup-sortvision/action.yml

@@ -0,0 +1,28 @@
+name: Setup SortVision
+description: Install pnpm, Node.js, and SortVision dependencies (run after actions/checkout).
+
+inputs:
+  node-version:
+    description: Node.js version (must satisfy SortVision/package.json engines)
+    required: false
+    default: '24'
+
+runs:
+  using: composite
+  steps:
+    - name: Install pnpm
+      uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      with:
+        version: 10.28.2
+
+    - name: Setup Node.js
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: pnpm
+        cache-dependency-path: SortVision/pnpm-lock.yaml
+
+    - name: Install dependencies
+      shell: bash
+      working-directory: SortVision
+      run: pnpm install --frozen-lockfile

.github/workflows/README.md

@@ -1,144 +1,73 @@
-# CI/CD Workflows
+# SortVision — GitHub Actions
 
-Automated quality assurance and deployment pipelines for SortVision.
+Workflows are split by responsibility. **Node.js 24** is used in CI to match [`SortVision/package.json` engines](../../SortVision/package.json). Third-party actions are pinned to **commit SHAs** (comments note the tag) for reproducible builds.
 
 ## Workflows
 
-### 1. Quality Assurance Pipeline (`quality-assurance.yml`)
+### `continuous-integration.yml`
 
-**Triggers:** Push/PR to main, master, develop branches
+**Triggers:** pull request, push to `main` / `master` / `develop`, merge queue, manual dispatch.
 
-**Jobs:**
-- **quality-assurance** (30min timeout)
-  - Code linting
-  - Application build
-  - Comprehensive test suite (600+ tests)
-  - SEO validation and sitemap generation
-  - Security audit
-  - Bundle size analysis
+| Job | Purpose |
+|-----|---------|
+| **Formatting** | Prettier (`pnpm run format:check`) |
+| **Lint** | ESLint |
+| **Build and test** | After format + lint: Next.js build, dev server, `pnpm test` |
+| **Lighthouse** | After format + lint: production build, Lighthouse on key URLs; assertions live in [`SortVision/lighthouserc.json`](../../SortVision/lighthouserc.json) |
+| **Production validation** | On `main` / `master` only, after build/test: production smoke tests and HTTP checks |
 
-- **lighthouse-audit** (Parallel, 15min timeout)
-  - Lighthouse performance tests on 4 key pages
-  - Automated performance scoring
-  - Artifact upload for historical tracking
+Shared setup: [`setup-sortvision`](../actions/setup-sortvision/action.yml) (pnpm, Node, `pnpm install`).
 
-- **production-validation** (Only on main/master, 10min timeout)
-  - Production site health check
-  - Production test suite (58 tests)
-  - Response time validation
-  - HTTP status verification
+### `extended-quality-assurance.yml`
 
-### 2. Security Scan (`security-scan.yml`)
+**Triggers:** nightly (`0 2 * * *` UTC), `workflow_dispatch`.
 
-**Triggers:** 
-- Push/PR to main, master, develop
-- Weekly schedule (Sunday midnight)
+Longer validation: format, lint, build, `pnpm run test:extended`, sitemap, **pnpm audit** (fails on high/critical for production deps), bundle notes, artifacts.
 
-**Jobs:**
-- Dependency vulnerability scan
-- Secret detection
-- Security audit report generation
+### `security-scan.yml`
 
-## Test Suite
+**Triggers:** push/PR, weekly schedule.
 
-Single comprehensive test file: `tests/quality-assurance.mjs`
+- **pnpm audit** for production dependencies: **fails on high and critical** (moderate/low: review locally or via Dependabot).
+- **TruffleHog** (pinned release) for verified secrets.
+- **Dependency review** on pull requests (`fail-on-severity: moderate`).
 
-### Test Modes:
+### CodeQL (GitHub default setup)
 
-| Command | Tests | Description |
-|---------|-------|-------------|
-| `npm test` | 600+ | Complete suite (localhost) |
-| `npm run test:quick` | 30 | Quick validation only |
-| `npm run test:prod` | 100+ | Production validation |
+This repo does **not** use a custom `codeql.yml` workflow. Enable **Code scanning** with **Default setup** under **Settings → Code security and analysis → Code scanning**. Results and status appear under the **Security** tab; required checks (if any) use the names GitHub shows for that setup (not the old workflow job `Analyze (JavaScript)`).
 
-### Coverage:
-- **Quick Validation** (30 tests): Core pages, SEO files, sample algorithms
-- **Comprehensive** (200 tests): All languages × all algorithms × all tabs
-- **Integration** (250 tests): Extended core, deep SEO, security, headers, edge cases
-- **Performance** (120 tests): Multi-run performance validation across all languages
-- **Total:** 600+ tests
+### `typos.yml`
 
-## Artifacts
+**Triggers:** push/PR when `SortVision/**`, [`_typos.toml`](../../_typos.toml), or this workflow changes.
 
-### Retention Periods:
-- Test results: 30 days
-- Security audits: 90 days
-- Lighthouse reports: Permanent (via temporary public storage)
+Spell check using [typos](https://github.com/crate-ci/typos); large i18n and lockfiles are excluded in [`_typos.toml`](../../_typos.toml).
 
-## Status Badges
+### `dependabot-auto-merge.yml`
 
-Add to README.md:
+Auto-merge rules for Dependabot PRs (repository-specific).
 
-```markdown
-![Quality Assurance](https://github.com/YOUR_USERNAME/SortVision/workflows/Quality%20Assurance%20Pipeline/badge.svg)
-![Security Scan](https://github.com/YOUR_USERNAME/SortVision/workflows/Security%20Scan/badge.svg)
-```
-
-## Configuration
-
-### Environment Variables:
-- `NODE_VERSION`: '22'
-- `NEXT_PUBLIC_SITE_URL`: https://www.sortvision.com
+## Branch protection
 
-### Timeouts:
-- Quality Assurance: 30 minutes
-- Lighthouse: 15 minutes
-- Production Validation: 10 minutes
-- Security Scan: 10 minutes
+Required status check names must match each job’s `name:` field exactly (for example **Formatting**, **Lint**, **Build and test**, **Typos**). Add CodeQL-related checks only if you require them, using the exact names from **Settings → Rules** after a green run.
 
-## Local Testing
+## Adding more checks
 
-Run tests locally:
+- **Default PR path:** extend [`continuous-integration.yml`](continuous-integration.yml) or add a job with `needs:` as appropriate.
+- **Nightly / manual only:** use [`extended-quality-assurance.yml`](extended-quality-assurance.yml) or a new workflow file.
+- **Security:** prefer [`security-scan.yml`](security-scan.yml); CodeQL is managed in **Settings → Code scanning** (default setup).
 
-```bash
-# Complete test suite
-npm test
-
-# Quick validation (30 tests)
-npm run test:quick
+**Not configured here (optional later):** Knip/depcheck for unused exports, Playwright E2E — useful once you want the extra maintenance cost.
 
-# Production validation
-npm run test:prod
+## Badges
 
-# Other checks
-npm run lint
-npm run build
-npm run generate-sitemap
-npm audit --production
+```markdown
+![CI](https://github.com/OWNER/REPO/workflows/Continuous%20integration/badge.svg)
+![Security](https://github.com/OWNER/REPO/workflows/Security%20Scan/badge.svg)
 ```
 
-## Troubleshooting
-
-### Build Failures:
-1. Check Node version (requires 22+)
-2. Clear cache: `npm ci`
-3. Verify dependencies: `npm audit`
+## Local parity
 
-### Test Failures:
-1. Ensure dev server starts: `npm run dev`
-2. Check port 3000 is free
-3. Review test output for details
-4. Check specific failed URLs
-
-### Production Validation Failures:
-1. Verify site is deployed
-2. Check DNS resolution
-3. Test manually: `curl https://www.sortvision.com`
-
-## Maintenance
-
-### Weekly:
-- Review security scan results
-- Check for dependency updates
-
-### Monthly:
-- Review Lighthouse trends
-- Analyze bundle size changes
-- Update workflow versions
-
-## Contact
-
-For CI/CD issues, check:
-1. GitHub Actions logs
-2. Uploaded artifacts
-3. GITHUB_STEP_SUMMARY reports
+```bash
+cd SortVision
+pnpm run format:check && pnpm run lint && pnpm run build && pnpm test
+```