refactor: breakdown ci

[bukinoshita]

---

Summary by cubic

Split the monolithic CI into four workflows—Lint, Typecheck, Test, and Smoke—for clearer status checks and targeted reruns.

• Refactors
  • Removed .github/workflows/ci.yml and added .github/workflows/lint.yml, typecheck.yml, test.yml, and smoke.yml.
  • Each workflow runs on push to main and on PRs with its own concurrency group.
  • Standardized setup (Node 24 + pnpm); Smoke builds the Node bundle and pkg binary and runs version/help smoke tests.

^{Written for commit 9870a1f. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 5 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/lint.yml">

<violation number="1" location=".github/workflows/lint.yml:9">
P2: Restrict `GITHUB_TOKEN` to read-only permissions in this build-only workflow. Without an explicit `permissions` block, the checkout/install/lint steps inherit the repository default token scopes, which can be write-enabled.</violation>
</file>

<file name=".github/workflows/test.yml">

<violation number="1" location=".github/workflows/test.yml:6">
P2: Add an explicit read-only `permissions` block for this checkout-and-test workflow. Otherwise it inherits repo/org default `GITHUB_TOKEN` permissions, which can be broader than necessary.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Restrict GITHUB_TOKEN to read-only permissions in this build-only workflow. Without an explicit permissions block, the checkout/install/lint steps inherit the repository default token scopes, which can be write-enabled.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/lint.yml, line 9:

<comment>Restrict `GITHUB_TOKEN` to read-only permissions in this build-only workflow. Without an explicit `permissions` block, the checkout/install/lint steps inherit the repository default token scopes, which can be write-enabled.</comment>

<file context>
@@ -0,0 +1,20 @@
+concurrency:
+  group: lint-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  lint:
+    runs-on: blacksmith-2vcpu-ubuntu-2204
</file context>

[cubic-dev-ai]

P2: Add an explicit read-only permissions block for this checkout-and-test workflow. Otherwise it inherits repo/org default GITHUB_TOKEN permissions, which can be broader than necessary.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/test.yml, line 6:

<comment>Add an explicit read-only `permissions` block for this checkout-and-test workflow. Otherwise it inherits repo/org default `GITHUB_TOKEN` permissions, which can be broader than necessary.</comment>

<file context>
@@ -0,0 +1,20 @@
+  push:
+    branches: [main]
+  pull_request:
+concurrency:
+  group: test-${{ github.ref }}
+  cancel-in-progress: true
</file context>