CI: run npm ci once via composite action + artifact sharing

[Copilot]

• Understand existing CI workflow structure
• Create .github/actions/setup/action.yml composite action (setup-node + download artifact)
• Update ci.yml: add setup job (npm ci + upload artifact), update lint/format-check/build/test to use composite action instead of running npm ci each time
• Add permissions: contents: read at workflow level (CodeQL security fix)
• Add actions: write to setup job and actions: read to downstream jobs so artifact upload/download work correctly
• Fix missing node_modules/.bin after artifact download — actions/upload-artifact uses zip format which doesn't preserve Unix symlinks; switched to tar/gzip the node_modules directory before upload and untar after download, which fully preserves symlinks and executable permissions

---

⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.

[Copilot]

Pull request overview

Updates the GitHub Actions CI workflow to avoid repeated dependency installs by introducing a dedicated dependency setup job and a reusable composite action that restores dependencies via artifacts, while also tightening default workflow permissions.

Changes:

• Added a setup job that runs npm ci once and uploads node_modules as an artifact for downstream jobs.
• Updated lint/format-check/build/test jobs to depend on setup and use a new composite action to set up Node.js + download the artifact.
• Added workflow-level permissions: contents: read (intended as a security hardening change).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/ci.yml	Adds a dependency-setup job and shifts other jobs to consume dependencies from an artifact; introduces workflow-level token permissions.
.github/actions/setup/action.yml	New composite action to standardize Node setup and dependency restoration from the artifact.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The workflow-level permissions block sets only contents: read, which disables other default GITHUB_TOKEN scopes. actions/upload-artifact / actions/download-artifact require actions permissions, so the new artifact-based setup is likely to fail with permission errors. Consider adding actions: write for the setup job (upload) and actions: read for the dependent jobs (download), either at workflow level or overridden per job.

[sfreeman422]

@copilot apply changes based on this feedback

[Copilot]

Fixed in commit 2396c37. Added actions: write to the setup job (needed for upload-artifact) and actions: read to each of the downstream lint, format-check, build, and test jobs (needed for download-artifact), while keeping the workflow-level default of contents: read.

[sfreeman422]

@copilot most of the steps are failing with errors related to being unable to find specific packages such as jest, eslint, prettier, etc - do each the format check, lint and test & coverage steps leverage the one time npm ci run correctly?

[Copilot]

@copilot most of the steps are failing with errors related to being unable to find specific packages such as jest, eslint, prettier, etc - do each the format check, lint and test & c...

The root cause was that actions/upload-artifact strips Unix execute permissions from files, so node_modules/.bin/jest, eslint, prettier, etc. were downloaded without the +x bit and couldn't be executed (exit code 127 / "not found").

Fixed in commit ea56ad0 by adding chmod -R +x node_modules/.bin as a step in the composite action immediately after the artifact download.

[sfreeman422]

@copilot still not working:
Prepare all required actions
Getting action download info
Download action repository 'actions/setup-node@v4' (SHA:49933ea5288caeca8642d1e84afbd3f7d6820020)
Download action repository 'actions/download-artifact@v4' (SHA:d3f86a106a0bac45b974a628896c90dbdf5c8093)
Run ./.github/actions/setup
Run actions/setup-node@v4
Found in cache @ /opt/hostedtoolcache/node/20.20.1/x64
Environment details
Run actions/download-artifact@v4
Downloading single artifact
Preparing to download the following artifacts:

• node-modules (ID: 6046191424, Size: 53718394, Expected Digest: sha256:bd30e1646aed3c2a81aad1b2a9f9bdee8d413a1f1067fab4d7e99ce3ef5d5d3a)
  Redirecting to blob download url: https://productionresultssa4.blob.core.windows.net/actions-results/387a4d15-c8da-4f70-b0e9-d320925a1f24/workflow-job-run-362f18b0-b4ce-59f7-832c-ddd9809a15f2/artifacts/aa129119e42e394b6f3951292837f1a9bd1078d81179b80c979dd9a483b2aa0b.zip
  Starting download of artifact to: /home/runner/work/mocker/mocker/node_modules
  (node:2360) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
  (Use node --trace-deprecation ... to show where the warning was created)
  SHA256 digest of downloaded artifact is bd30e1646aed3c2a81aad1b2a9f9bdee8d413a1f1067fab4d7e99ce3ef5d5d3a
  Artifact download completed successfully.
  Total of 1 artifact(s) downloaded
  Download artifact has finished successfully
  Run chmod -R +x node_modules/.bin
  chmod: cannot access 'node_modules/.bin': No such file or directory
  Error: Process completed with exit code 1.

[Copilot]

@copilot still not working:
Prepare all required actions
Getting action download info
...

The root cause was that actions/upload-artifact uses zip format internally, which doesn't support Unix symlinks — so the entire node_modules/.bin directory (which contains only symlinks) was silently dropped during the upload, hence "No such file or directory" on download.

Fixed in commit 344ccd0 by switching to tar/gzip: the setup job now runs tar -czf node-modules.tar.gz node_modules before uploading the tarball, and the composite action extracts it with tar -xzf node-modules.tar.gz after downloading. This fully preserves symlinks and executable permissions.