feat(workflows): add CI/CD workflows for continuous integration, quality assurance, security scanning, and typo checks

Author: alienx5499

.github/actions/setup-sortvision/action.yml

@@ -0,0 +1,28 @@
+name: Setup SortVision
+description: Install pnpm, Node.js, and SortVision dependencies (run after actions/checkout).
+
+inputs:
+  node-version:
+    description: Node.js version (must satisfy SortVision/package.json engines)
+    required: false
+    default: '24'
+
+runs:
+  using: composite
+  steps:
+    - name: Install pnpm
+      uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      with:
+        version: 10.28.2
+
+    - name: Setup Node.js
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: pnpm
+        cache-dependency-path: SortVision/pnpm-lock.yaml
+
+    - name: Install dependencies
+      shell: bash
+      working-directory: SortVision
+      run: pnpm install --frozen-lockfile

.github/codeql/codeql-config.yml

@@ -0,0 +1,5 @@
+# Limit analysis to the Next.js app (repo root contains other material).
+paths:
+  - SortVision
+paths-ignore:
+  - SortVision/node_modules

.github/workflows/README.md

@@ -1,144 +1,76 @@
-# CI/CD Workflows
+# SortVision — GitHub Actions
 
-Automated quality assurance and deployment pipelines for SortVision.
+Workflows are split by responsibility. **Node.js 24** is used in CI to match [`SortVision/package.json` engines](../../SortVision/package.json). Third-party actions are pinned to **commit SHAs** (comments note the tag) for reproducible builds.
 
 ## Workflows
 
-### 1. Quality Assurance Pipeline (`quality-assurance.yml`)
+### `continuous-integration.yml`
 
-**Triggers:** Push/PR to main, master, develop branches
+**Triggers:** pull request, push to `main` / `master` / `develop`, merge queue, manual dispatch.
 
-**Jobs:**
-- **quality-assurance** (30min timeout)
-  - Code linting
-  - Application build
-  - Comprehensive test suite (600+ tests)
-  - SEO validation and sitemap generation
-  - Security audit
-  - Bundle size analysis
+| Job | Purpose |
+|-----|---------|
+| **Formatting** | Prettier (`pnpm run format:check`) |
+| **Lint** | ESLint |
+| **Build and test** | After format + lint: Next.js build, dev server, `pnpm test` |
+| **Lighthouse** | After format + lint: production build, Lighthouse on key URLs; assertions live in [`SortVision/lighthouserc.json`](../../SortVision/lighthouserc.json) |
+| **Production validation** | On `main` / `master` only, after build/test: production smoke tests and HTTP checks |
 
-- **lighthouse-audit** (Parallel, 15min timeout)
-  - Lighthouse performance tests on 4 key pages
-  - Automated performance scoring
-  - Artifact upload for historical tracking
+Shared setup: [`setup-sortvision`](../actions/setup-sortvision/action.yml) (pnpm, Node, `pnpm install`).
 
-- **production-validation** (Only on main/master, 10min timeout)
-  - Production site health check
-  - Production test suite (58 tests)
-  - Response time validation
-  - HTTP status verification
+### `extended-quality-assurance.yml`
 
-### 2. Security Scan (`security-scan.yml`)
+**Triggers:** nightly (`0 2 * * *` UTC), `workflow_dispatch`.
 
-**Triggers:** 
-- Push/PR to main, master, develop
-- Weekly schedule (Sunday midnight)
+Longer validation: format, lint, build, `pnpm run test:extended`, sitemap, **pnpm audit** (fails on high/critical for production deps), bundle notes, artifacts.
 
-**Jobs:**
-- Dependency vulnerability scan
-- Secret detection
-- Security audit report generation
+### `security-scan.yml`
 
-## Test Suite
+**Triggers:** push/PR, weekly schedule.
 
-Single comprehensive test file: `tests/quality-assurance.mjs`
+- **pnpm audit** for production dependencies: **fails on high and critical** (moderate/low: review locally or via Dependabot).
+- **TruffleHog** (pinned release) for verified secrets.
+- **Dependency review** on pull requests (`fail-on-severity: moderate`).
 
-### Test Modes:
+### `codeql.yml`
 
-| Command | Tests | Description |
-|---------|-------|-------------|
-| `npm test` | 600+ | Complete suite (localhost) |
-| `npm run test:quick` | 30 | Quick validation only |
-| `npm run test:prod` | 100+ | Production validation |
+**Triggers:** push/PR when `SortVision/**` or this workflow changes; weekly schedule.
 
-### Coverage:
-- **Quick Validation** (30 tests): Core pages, SEO files, sample algorithms
-- **Comprehensive** (200 tests): All languages × all algorithms × all tabs
-- **Integration** (250 tests): Extended core, deep SEO, security, headers, edge cases
-- **Performance** (120 tests): Multi-run performance validation across all languages
-- **Total:** 600+ tests
+JavaScript/TypeScript analysis scoped to `SortVision` via [`codeql-config.yml`](../codeql/codeql-config.yml).
 
-## Artifacts
+### `typos.yml`
 
-### Retention Periods:
-- Test results: 30 days
-- Security audits: 90 days
-- Lighthouse reports: Permanent (via temporary public storage)
+**Triggers:** push/PR when `SortVision/**`, [`_typos.toml`](../../_typos.toml), or this workflow changes.
 
-## Status Badges
+Spell check using [typos](https://github.com/crate-ci/typos); large i18n and lockfiles are excluded in [`_typos.toml`](../../_typos.toml).
 
-Add to README.md:
+### `dependabot-auto-merge.yml`
 
-```markdown
-![Quality Assurance](https://github.com/YOUR_USERNAME/SortVision/workflows/Quality%20Assurance%20Pipeline/badge.svg)
-![Security Scan](https://github.com/YOUR_USERNAME/SortVision/workflows/Security%20Scan/badge.svg)
-```
-
-## Configuration
-
-### Environment Variables:
-- `NODE_VERSION`: '22'
-- `NEXT_PUBLIC_SITE_URL`: https://www.sortvision.com
+Auto-merge rules for Dependabot PRs (repository-specific).
 
-### Timeouts:
-- Quality Assurance: 30 minutes
-- Lighthouse: 15 minutes
-- Production Validation: 10 minutes
-- Security Scan: 10 minutes
+## Branch protection
 
-## Local Testing
+Required status check names must match each job’s `name:` field exactly (for example **Formatting**, **Lint**, **Build and test**, **Typos**, **Analyze (JavaScript)**).
 
-Run tests locally:
+## Adding more checks
 
-```bash
-# Complete test suite
-npm test
+- **Default PR path:** extend [`continuous-integration.yml`](continuous-integration.yml) or add a job with `needs:` as appropriate.
+- **Nightly / manual only:** use [`extended-quality-assurance.yml`](extended-quality-assurance.yml) or a new workflow file.
+- **Security:** prefer [`security-scan.yml`](security-scan.yml) or CodeQL-related config under `.github/codeql/`.
 
-# Quick validation (30 tests)
-npm run test:quick
+**Not configured here (optional later):** Knip/depcheck for unused exports, Playwright E2E — useful once you want the extra maintenance cost.
 
-# Production validation
-npm run test:prod
+## Badges
 
-# Other checks
-npm run lint
-npm run build
-npm run generate-sitemap
-npm audit --production
+```markdown
+![CI](https://github.com/OWNER/REPO/workflows/Continuous%20integration/badge.svg)
+![Security](https://github.com/OWNER/REPO/workflows/Security%20Scan/badge.svg)
+![CodeQL](https://github.com/OWNER/REPO/workflows/CodeQL/badge.svg)
 ```
 
-## Troubleshooting
-
-### Build Failures:
-1. Check Node version (requires 22+)
-2. Clear cache: `npm ci`
-3. Verify dependencies: `npm audit`
-
-### Test Failures:
-1. Ensure dev server starts: `npm run dev`
-2. Check port 3000 is free
-3. Review test output for details
-4. Check specific failed URLs
+## Local parity
 
-### Production Validation Failures:
-1. Verify site is deployed
-2. Check DNS resolution
-3. Test manually: `curl https://www.sortvision.com`
-
-## Maintenance
-
-### Weekly:
-- Review security scan results
-- Check for dependency updates
-
-### Monthly:
-- Review Lighthouse trends
-- Analyze bundle size changes
-- Update workflow versions
-
-## Contact
-
-For CI/CD issues, check:
-1. GitHub Actions logs
-2. Uploaded artifacts
-3. GITHUB_STEP_SUMMARY reports
+```bash
+cd SortVision
+pnpm run format:check && pnpm run lint && pnpm run build && pnpm test
+```

.github/workflows/codeql.yml

@@ -0,0 +1,45 @@
+name: CodeQL
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+on:
+  push:
+    branches: [main, master, develop]
+    paths:
+      - 'SortVision/**'
+      - '.github/workflows/codeql.yml'
+  pull_request:
+    branches: [main, master, develop]
+    paths:
+      - 'SortVision/**'
+      - '.github/workflows/codeql.yml'
+  schedule:
+    - cron: '0 5 * * 1'
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  analyze:
+    name: Analyze (JavaScript)
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        with:
+          category: '/language:javascript'