feat: add SonarCloud and Coveralls integration

.github/workflows/cd.yml

@@ -34,6 +34,8 @@ concurrency:
 env:
   ORG_NAME: ${{ github.repository_owner }}
   REPO_NAME: ${{ github.event.repository.name }}
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
   # ==========================================================================
@@ -345,3 +347,47 @@ jobs:
           else
             echo "ℹ️ No documentation changes"
           fi
+
+  # ==========================================================================
+  # Docker: Build and Push
+  # ==========================================================================
+  docker:
+    name: Docker Release
+    needs: [nodejs, python]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable={{github.ref == 'refs/heads/main'}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/ci.yml

@@ -1,24 +1,116 @@
-name: CI (Python)
+name: CI
 
 on:
   push:
     branches: [main, master]
   pull_request:
   workflow_dispatch:
 
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   FORCE_COLOR: "1"
-  PIP_DISABLE_PIP_VERSION_CHECK: "1"
-  PIP_NO_PYTHON_VERSION_WARNING: "1"
 
 permissions:
   contents: read
   pull-requests: write
   id-token: write
 
 jobs:
+  # ==========================================================================
+  # Node.js / TypeScript
+  # ==========================================================================
   lint:
-    name: Lint & Type Check
+    name: Lint (Node)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+      - run: pnpm install --no-frozen-lockfile
+      - run: pnpm lint
+
+  typecheck:
+    name: Typecheck (Node)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+      - run: pnpm install --no-frozen-lockfile
+      - run: pnpm typecheck
+
+  build:
+    name: Build (Node)
+    needs: [lint, typecheck]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+      - run: pnpm install --no-frozen-lockfile
+      - run: pnpm build
+      - name: Verify builds
+        run: |
+          ERROR=0
+          for pkg in packages/*/; do
+            if [ -d "$pkg/dist" ]; then
+              echo "✅ $pkg built successfully"
+            else
+              echo "❌ $pkg has no dist"
+              ERROR=1
+            fi
+          done
+          exit $ERROR
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-artifacts
+          path: |
+            packages/*/dist
+            dist
+          retention-days: 1
+
+  test:
+    name: Test (Node)
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+      - run: pnpm install --no-frozen-lockfile
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+      - name: Run tests with coverage
+        run: pnpm test:coverage
+      - name: Upload coverage to Coveralls
+        uses: coverallsapp/github-action@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          file: coverage/lcov.info
+
+  # ==========================================================================
+  # Python
+  # ==========================================================================
+  lint-python:
+    name: Lint (Python)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -35,10 +127,10 @@ jobs:
           uv sync --all-extras
           uv run mypy .
 
-  test:
+  test-python:
     name: Test (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
-    needs: lint
+    needs: lint-python
     strategy:
       matrix:
         python-version: ["3.11", "3.12", "3.13"]
@@ -53,15 +145,18 @@ jobs:
         run: uv sync --all-extras
       - name: Run tests
         run: uv run pytest --cov --cov-report=xml
-      - name: Upload coverage
+      - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
+  # ==========================================================================
+  # Release
+  # ==========================================================================
   release:
     name: Release
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-    needs: test
+    needs: [test, test-python]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -71,6 +166,18 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.CI_GITHUB_TOKEN }}
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'pnpm'
+      - run: pnpm install
+      - name: Release (Node)
+        env:
+          GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx semantic-release
+
       - uses: astral-sh/setup-uv@v5
       - name: Python Semantic Release
         env:

.github/workflows/docs-push.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Detect Project Type
         id: detect

.github/workflows/ecosystem-agents.yml

@@ -64,7 +64,7 @@ jobs:
       repo: ${{ steps.select.outputs.repo }}
       prompt: ${{ steps.select.outputs.prompt }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Select Agent
         id: select
@@ -169,7 +169,7 @@ jobs:
     if: needs.dispatch.outputs.agent != 'triage' && needs.dispatch.outputs.agent != 'assessment'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.CI_GITHUB_TOKEN }}
@@ -209,7 +209,7 @@ jobs:
     if: needs.dispatch.outputs.agent == 'triage'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Triage Issues and PRs
         env:
@@ -279,7 +279,7 @@ jobs:
     if: needs.dispatch.outputs.agent == 'assessment'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/ecosystem-assessment.yml

@@ -49,7 +49,7 @@ jobs:
       branch: ${{ steps.branch.outputs.name }}
       improvements: ${{ steps.parse.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.CI_GITHUB_TOKEN }}

.github/workflows/ecosystem-connector.yml

@@ -22,7 +22,7 @@ jobs:
     if: github.event_name == 'pull_request' && !github.event.pull_request.draft
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"

.github/workflows/ecosystem-control.yml

@@ -116,7 +116,7 @@ jobs:
     if: needs.route.outputs.agent == 'claude'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.CI_GITHUB_TOKEN }}

.github/workflows/ecosystem-surveyor.yml

@@ -52,7 +52,7 @@ jobs:
     outputs:
       orgs: ${{ steps.discover.outputs.orgs }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Discover Managed Organizations
         id: discover
@@ -104,12 +104,12 @@ jobs:
         org: ${{ fromJson(needs.survey.outputs.orgs) }}
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           path: source
 
       - name: Checkout Target
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           repository: ${{ matrix.org }}/control-center
           token: ${{ secrets.CI_GITHUB_TOKEN }}

.github/workflows/jules-supervisor.yml

@@ -9,7 +9,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v3