apiVersion: capsule.dev/v0.1
kind: Capsule
name: ext-github-ci
version: 0.1.0
type: template
purpose:
  summary: >-
    Defines standard GitHub Actions workflows for automating continuous
    integration, dependency updates, code quality analysis (CodeQL), and
    supply-chain security scanning (Scorecard) for a Node.js project. This
    capsule provides a template for setting up a robust CI/CD pipeline.
  owns:
    - GitHub Actions workflow definitions for CI, CodeQL, Scorecard.
    - Dependabot configuration for automated dependency updates.
  does_not_own:
    - Application source code.
    - Local development tools or configurations.
agent:
  summary_for_ai: >-
    This capsule manages the GitHub Actions workflows for CI, CodeQL,
    Scorecard, and Dependabot. An AI agent working on this should focus on
    updating action versions, optimizing workflow performance, adding new CI
    checks, or ensuring security best practices are followed in the pipeline.
    Pay close attention to the Node.js version matrix and npm commands in
    `ci.yml`.
  avoid:
    - Modifying application logic within these workflow files.
    - Introducing non-CI/CD related configurations.
verification:
  invariants:
    - All CI workflows must pass on successful builds.
    - CodeQL and Scorecard scans must run regularly and report findings.
    - Dependabot must be configured to keep dependencies up-to-date.
x-reuse:
  notes: >-
    All workflow files (`.github/workflows/*.yml`) contain hardcoded action
    versions (e.g., `actions/checkout@...`, `github/codeql-action@...`). These
    should be updated to their latest stable versions by the consumer.

    `dependabot.yml` is configured for `npm` and `github-actions` ecosystems,
    assuming a Node.js project at the repository root. This may need
    adjustment for different project structures or languages.

    `ci.yml` defines a specific Node.js version matrix (from 0.8 to 22.x) and
    includes NVM-specific commands and npm installation logic. This matrix and
    setup should be reviewed and potentially simplified or updated to match
    the consumer's required Node.js versions. It also uses
    `coverallsapp/github-action`, which might not be desired by all consumers.

    `codeql.yml` explicitly sets `language: ["javascript"]`. This should be
    verified for projects with multiple languages.

    `scorecard.yml` has `publish_results: true`, which is suitable for public
    repositories. For private repositories, this should be set to `false`, and
    the `repo_token` might need to be uncommented and configured.
x-reconstruct:
  install: install.json