d-oit · d-oit · Nov 2, 2025 · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025
diff --git a/.github/actions/dependency-management/action.yml b/.github/actions/dependency-management/action.yml
@@ -43,6 +43,12 @@ outputs:
 runs:
   using: 'composite'
   steps:
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -y bc jq
+
     - name: Install dependencies
       if: inputs.action == 'install'
       id: install
@@ -114,20 +120,20 @@ runs:
       run: |
         echo "⬆️ Updating dependencies..."
 
-        # Install npm-check-updates if not present
+        # Install npm-check-updates if not present (use npx to avoid global install)
         if ! command -v ncu >/dev/null 2>&1; then
-          npm install -g npm-check-updates
+          npm install npm-check-updates
         fi
 
         # Generate update plan
-        ncu --${{ inputs.update-strategy }} --jsonAll > update-plan.json
+        npx ncu --${{ inputs.update-strategy }} --jsonAll > update-plan.json || echo '{}' > update-plan.json
 
-        if [ -s "update-plan.json" ]; then
+        if [ -s "update-plan.json" ] && [ "$(cat update-plan.json | jq length)" -gt 0 ]; then
           echo "📋 Update plan generated"
-          jq -r 'to_entries[] | "- \(.key): \(.value.current) → \(.value.latest)"' update-plan.json >> $GITHUB_STEP_SUMMARY
+          npx jq -r 'to_entries[] | "- \(.key): \(.value.current) → \(.value.latest)"' update-plan.json >> $GITHUB_STEP_SUMMARY
 
           # Apply updates
-          ncu --${{ inputs.update-strategy }} --upgrade
+          npx ncu --${{ inputs.update-strategy }} --upgrade
           echo "✅ Dependencies updated"
         else
           echo "ℹ️ No updates available"

diff --git a/.github/actions/quality-checks/action.yml b/.github/actions/quality-checks/action.yml
@@ -48,6 +48,12 @@ outputs:
 runs:
   using: 'composite'
   steps:
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -y bc
+
     - name: Cache ESLint results
       uses: actions/cache@v4
       with:

diff --git a/.github/actions/security-scan/action.yml b/.github/actions/security-scan/action.yml
@@ -29,6 +29,12 @@ outputs:
 runs:
   using: 'composite'
   steps:
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -y bc jq
+
     - name: Run npm audit
       id: audit
       shell: bash
@@ -97,14 +103,20 @@ runs:
         fi
 
     - name: Run Snyk Security Scan
-      if: inputs.include-snyk == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+      if: inputs.include-snyk == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.SNYK_TOKEN != ''
       uses: snyk/actions/node@v3.0.0
       continue-on-error: true
       env:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         args: --severity-threshold=${{ inputs.severity-threshold }} --sarif-file-output=${{ inputs.sarif-output }}
 
+    - name: Skip Snyk Security Scan
+      if: inputs.include-snyk == 'true' && secrets.SNYK_TOKEN == ''
+      shell: bash
+      run: |
+        echo "⚠️ Snyk token not configured, skipping Snyk security scan" >> $GITHUB_STEP_SUMMARY
+
     - name: Upload SARIF results
       if: always()
       uses: github/codeql-action/upload-sarif@v4

diff --git a/.github/actions/setup-node/action.yml b/.github/actions/setup-node/action.yml
@@ -1,96 +1,43 @@
-name: 'Setup Node.js Environment'
-description: 'Complete Node.js setup with optimized caching for npm dependencies'
+name: 'Setup Node.js'
+description: 'Setup a specific Node.js version using actions/setup-node with caching'
 inputs:
   node-version:
-    description: 'Node.js version to use'
+    description: 'Version of Node.js to use'
     required: false
     default: '20.x'
-  cache-dependency-path:
-    description: 'Path to dependency file for caching'
-    required: false
-    default: 'package-lock.json'
-  install-command:
-    description: 'Command to install dependencies (ci or install)'
-    required: false
-    default: 'ci'
-  peer-deps:
-    description: 'Use legacy peer deps flag'
+  always-auth:
+    description: 'Always authenticate'
     required: false
     default: 'true'
-  verify-dependencies:
-    description: 'Verify installed dependencies after install'
+  cache:
+    description: 'Package manager to cache'
     required: false
-    default: 'true'
+    default: 'npm'
+  cache-dependency-path:
+    description: 'Path to dependency lock file'
+    required: false
+    default: 'package-lock.json'
 
 outputs:
-  cache-hit:
-    description: 'Whether npm cache was hit'
-    value: ${{ steps.setup-node.outputs.cache-hit }}
   node-version:
-    description: 'Node.js version that was set up'
-    value: ${{ steps.setup-node.outputs.node-version }}
+    description: 'Version of Node.js that was setup'
+    value: ${{ steps.node-version.outputs.node-version }}
 
 runs:
   using: 'composite'
   steps:
-    - name: Checkout code
-      uses: actions/checkout@v5
-      with:
-        fetch-depth: 1
-        sparse-checkout: |
-          package.json
-          package-lock.json
-          lib/
-          __tests__/
-          scripts/
-          eslint.config.js
-          vitest.config.js
-        sparse-checkout-cone-mode: false
-
     - name: Setup Node.js
-      id: setup-node
-      uses: actions/setup-node@v6
+      uses: actions/setup-node@v4
+      id: node-version
       with:
         node-version: ${{ inputs.node-version }}
-        cache: 'npm'
+        always-auth: ${{ inputs.always-auth }}
+        cache: ${{ inputs.cache }}
         cache-dependency-path: ${{ inputs.cache-dependency-path }}
 
-    - name: Cache npm dependencies
-      uses: actions/cache@v4
-      with:
-        path: |
-          ~/.npm
-          node_modules
-        key: npm-${{ runner.os }}-${{ hashFiles(inputs.cache-dependency-path) }}
-        restore-keys: |
-          npm-${{ runner.os }}-
-          npm-
-
-    - name: Install dependencies
-      shell: bash
-      run: |
-        if [ "${{ inputs.install-command }}" = "ci" ]; then
-          if [ "${{ inputs.peer-deps }}" = "true" ]; then
-            npm ci --legacy-peer-deps
-          else
-            npm ci
-          fi
-        else
-          if [ "${{ inputs.peer-deps }}" = "true" ]; then
-            npm install --legacy-peer-deps
-          else
-            npm install
-          fi
-        fi
-
-    - name: Verify dependencies
-      if: inputs.verify-dependencies == 'true'
-      shell: bash
-      run: npm ls --depth=0
-
-    - name: Environment summary
+    - name: Verify setup
       shell: bash
       run: |
-        echo "✅ Node.js ${{ inputs.node-version }} setup completed"
-        echo "📦 Dependencies installed using ${{ inputs.install-command }}"
-        echo "💾 Cache status: ${{ steps.setup-node.outputs.cache-hit }}"
+        echo "✅ Node.js $(node --version) is ready"
+        echo "✅ NPM $(npm --version) is ready"
+        echo "✅ Cache directory: $(npm config get cache)"
diff --git a/.github/actions/test-execution/action.yml b/.github/actions/test-execution/action.yml
@@ -40,6 +40,12 @@ outputs:
 runs:
   using: 'composite'
   steps:
+    - name: Install system dependencies
+      shell: bash
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -y bc jq
+
     - name: Cache ESLint results
       uses: actions/cache@v4
       with:
@@ -58,6 +64,10 @@ runs:
           vitest-${{ runner.os }}-
           npm-${{ runner.os }}-
 
+    - name: Install dependencies
+      shell: bash
+      run: npm ci
+
     - name: Run linter with cache
       id: lint
       shell: bash
@@ -142,7 +152,7 @@ runs:
         fi
 
     - name: Upload coverage to Codecov
-      if: inputs.upload-coverage == 'true' && always()
+      if: inputs.upload-coverage == 'true' && always() && secrets.CODECOV_TOKEN != ''
       uses: codecov/codecov-action@v4
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
@@ -152,6 +162,12 @@ runs:
         flags: unittests
         name: codecov-umbrella
 
+    - name: Skip coverage upload if token missing
+      if: inputs.upload-coverage == 'true' && secrets.CODECOV_TOKEN == ''
+      shell: bash
+      run: |
+        echo "⚠️ Codecov token not configured, skipping coverage upload" >> $GITHUB_STEP_SUMMARY
+
     - name: Generate SBOM
       uses: anchore/sbom-action@v0
       if: always()