From 84a6375ae03a9556045e994c746765de0f524202 Mon Sep 17 00:00:00 2001
From: John Collier
Date: Thu, 18 Jun 2026 16:25:27 -0400
Subject: [PATCH 1/2] ci: add GitHub Actions workflow (build, lint, test)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Triggers on push to main and pull_request targeting main
- Single job on ubuntu-latest / Node.js 22
- npm ci → npm run build → npm run lint → npm test
- Dependency cache keyed on package-lock.json via actions/setup-node cache
- Concurrency group cancels in-progress runs on the same ref
Closes: RHIDP-14958
Epic: RHIDP-14946
Feature: RHDHPLAN-1525
Co-authored-by: Cursor
---
.github/workflows/ci.yml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..a1b9f58
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,37 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+concurrency:
+ group: ci-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ ci:
+ name: Build, Lint & Test
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: "22"
+ cache: "npm"
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Build
+ run: npm run build
+
+ - name: Lint
+ run: npm run lint
+
+ - name: Test
+ run: npm test
From 2ebbce37279bbff2b7fb1f28cafdcd7acefb4aa3 Mon Sep 17 00:00:00 2001
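Review bot: The concurrency group `ci-${{ github.ref }}` combined with `cancel-in-progress: true` also cancels in-flight runs for pushes to `main`, so a burst of merges can leave earlier `main` commits with no completed build/lint/test result, which weakens the branch as an audited baseline; cancelling only PR runs keeps the fast-feedback benefit, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The `ci` job also sets no `timeout-minutes`, so a hung `npm test` or a stalled dependency install holds the runner for the platform default rather than failing fast; a constructed value such as `timeout-minutes: 15` under `runs-on` would bound that. Both points are style/robustness of the new workflow rather than defects in what it runs.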
From: John Collier
Date: Thu, 18 Jun 2026 16:30:11 -0400
Subject: [PATCH 2/2] fix: pin action SHAs and restrict GITHUB_TOKEN permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Pin actions/checkout and actions/setup-node to immutable commit SHAs (with # v4 comments for readability) — prevents supply-chain risk from mutable tag retargeting
- Add top-level permissions: contents: read — explicitly constrains GITHUB_TOKEN to the minimum needed; build/lint/test jobs do not write to the repo or packages
Fixes Qodo bugs #1 and #2
Co-authored-by: Cursor
---
.github/workflows/ci.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a1b9f58..ff2d4d5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,16 +10,19 @@ concurrency:
group: ci-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: ci: name: Build, Lint & Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: "22" cache: "npm"
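Review bot: The trailing `# v4` on both pinned `uses:` lines records only the floating major tag, so a reviewer cannot check that the 40-character SHA actually corresponds to a released version, and pin-update tooling (Dependabot/Renovate) keys its version tracking off that comment; write the exact release tag the SHA was resolved from instead, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y` (fill in the real tag) and likewise for `actions/setup-node`. A SHA pin is only as strong as its upkeep, and nothing on this page shows an automated bump configuration, so presumably a `.github/dependabot.yml` entry for the `github-actions` ecosystem is still needed — worth confirming. The top-level `permissions: contents: read` is the right scope for a build/lint/test job; no job-level override is needed since no step writes to the repository or packages.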