ci: tighten dependency and analysis hygiene#262

Merged: RtlZeroMemory merged 1 commit into main from codex/rezi-ci-security-hygiene on Mar 6, 2026

Conversation

@RtlZeroMemory (Owner) commented Mar 6, 2026

Summary

  • switch CI installs to reproducible npm ci runs
  • enable CodeQL result uploads
  • bump the minimatch override to 10.2.4 and refresh the lockfile

Verification

  • npm ci
  • npm run build
  • npm audit --json (3 low, 0 high)

Summary by CodeRabbit

  • Chores
    • Updated minimatch dependency from version 10.2.1 to 10.2.4 for stability improvements
    • Streamlined continuous integration installation workflow by consolidating platform-specific steps into a unified process
    • Optimized code analysis workflow configuration to use default upload behavior for enhanced automation

coderabbitai bot commented Mar 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e7e0a2a4-effd-48db-a868-3cf8a64d139e

📥 Commits

Reviewing files that changed from the base of the PR and between ea134a5 and 4249466.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • package.json
💤 Files with no reviewable changes (1)
  • .github/workflows/codeql.yml

📝 Walkthrough

Pull request consolidates CI installation steps into a single unconditional command, removes explicit CodeQL upload disabling to adopt defaults, and bumps the minimatch dependency version. Changes span GitHub workflows configuration and package dependencies.

Changes

Cohort / File(s): Summary

GitHub Workflows (.github/workflows/ci.yml, .github/workflows/codeql.yml):
  CI workflow consolidates conditional Install steps into a single unconditional npm ci command. CodeQL workflow removes explicit upload: false settings to adopt default upload behavior.

Dependencies (package.json):
  minimatch dependency upgraded from 10.2.1 to 10.2.4 in overrides.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 With nimble paws we tidy workflows clean,
One Install step where branches once convened,
Default uploads flow like morning dew,
And minimatch hops to version new!
Simplicity's the carrot we pursue. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name / Status / Explanation

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main changes: consolidating CI install steps for reproducibility, enabling CodeQL uploads, and bumping the minimatch dependency version.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-advanced-security commented:

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@RtlZeroMemory RtlZeroMemory merged commit b0e1967 into main Mar 6, 2026
30 checks passed