fix: close build release hygiene findings

[chhoumann]

Close build, package, and release-hygiene scorecard findings.

This removes the unused builtin-modules dependency, adjusts the bundle config accordingly, deduplicates/validates icon type data, and adds release artifact attestation/provenance steps to the GitHub release workflow.

Review focus:

• Release workflow permissions and attestation placement.
• esbuild dependency cleanup after removing builtin-modules.
• Icon type deduplication and regression coverage.

Stack position: 15/17, based on scorecard/14-markdown-render-clear.

Validated as part of the completed scorecard mission with bun run build-with-lint, bun run test, bun run build, bun run test:e2e, and Obsidian dev vault reload/smoke checks.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d2843b2a-34d6-4810-8cd5-545debcb536d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch scorecard/15-build-release-hygiene

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5eab0c1f1c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Attest final release files after version bump

Move the attestation step to run after semantic-release, because @semantic-release/npm updates package.json in prepare and this repo’s version script (version-bump.mjs) rewrites manifest.json and versions.json; attesting manifest.json before Release means the generated provenance is for a pre-bump digest and will not match the asset ultimately published to GitHub releases. This causes verification failures for real releases even when the workflow succeeds.

Useful? React with 👍 / 👎.

[cloudflare-workers-and-pages]

Deploying quickadd with    Cloudflare Pages

Latest commit:	ee370e5
Status:	⚡️  Build in progress...

View logs