ci: migrate to reusable node-ci in .github repo

[WomB0ComB0]

Summary

Replaces inline build/test/lint jobs in .github/workflows/ci.yml with a thin caller of the org-wide reusable workflow resq-software/.github/.github/workflows/node-ci.yml.

Adds a top-level required aggregator job that emits the required status-check context consumed by the org ruleset default-branch-baseline (id 15191038, currently in evaluate mode — does not block merges yet).

Blocked on: resq-software/.github#12 (defines node-ci.yml). This PR pins to the feat branch tip SHA 5a72372. After #12 lands, update the ref to the merge commit or a semver tag.

Behavior parity

Step	Before	After
lint	bun run lint in its own job	lint-cmd input to node-ci.yml
typecheck	bun run tsc --noEmit in build job	typecheck-cmd input
build	bun run build	build-cmd input
test	bun test --coverage with conditional file check	test-cmd: bun test --coverage (bun test exits 0 on no matches)

Not changed

• security.yml keeps its independent schedule; it still calls security-scan.yml@main directly.
• Other workflows (deploy.yml, labeler.yml, etc.) untouched.

Test plan

• CI runs on this PR and reports node / Node CI + required status contexts green.
• required status check appears in branch protection selector on settings → rulesets.
• After chore(deps): bump lucide-react from 0.577.0 to 1.7.0 #12 merges, pin ref updated to merge commit or tag.

Summary by CodeRabbit

• Chores
  • Streamlined continuous integration workflow configuration to improve build efficiency and process management.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

📝 Walkthrough

Walkthrough

CI workflow refactored to delegate build, test, lint, and typecheck jobs to a reusable workflow from resq-software/.github. Concurrency groups added to cancel in-progress runs. New aggregation job interprets reusable workflow results. License header updated with SPDX identifier and security scanning note.

Changes

Cohort / File(s)	Summary
CI Workflow Refactoring .github/workflows/ci.yml	Replaced inline CI jobs (build, test, lint) with delegation to resq-software/.github/.../node-ci.yml reusable workflow. Added workflow-level concurrency grouping to cancel redundant runs. Added aggregation job (required) to evaluate reusable workflow outcome. Updated Apache license header with SPDX-License-Identifier and security scanning note.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 The workflow hops to distant shores,
No need to repeat chores once more.
With concurrency's gentle sway,
Old jobs race away today.
Reusable magic, clean and bright—
Our CI pipeline takes flight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately describes the main change: migrating CI jobs from inline definitions to a reusable workflow from the .github repository.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/ci-governance-adoption

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 42-50: The case in the Aggregate step currently treats "skipped"
as an OK result which can let the required-status gate pass without CI running;
update the case that inspects NODE_RESULT (the case "$NODE_RESULT" in block) to
accept only success (and optionally the empty string "") and treat any other
value (including skipped) as an error so the run exits non-zero; adjust the
error message to clearly state the unexpected NODE_RESULT value when failing.
- Around line 22-24: The current concurrency block uses cancel-in-progress: true
which can cancel CI runs on the default branch and prevent subsequent deploy
triggers; update the concurrency configuration so cancel-in-progress is only
enabled for non-default branch runs (e.g., PRs/feature branches) and disabled
for the default branch and tag pushes. Locate the concurrency block (symbols:
concurrency, group, cancel-in-progress) and change the logic to set
cancel-in-progress to false when github.ref is the default branch (e.g.,
refs/heads/main) or a tag, and true otherwise so PRs still cancel but main/tag
pushes do not get cancelled and can trigger workflow_run deploys.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8a895c93-4b8f-4ca5-b214-6c338e2c0d99

📥 Commits

Reviewing files that changed from the base of the PR and between 67a1352 and 62faaf5.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

cancel-in-progress: true on main can swallow deploys.

deploy.yml triggers off workflow_run and only runs when conclusion == 'success'. When two pushes land on main in quick succession, this concurrency config cancels the first CI run (conclusion: cancelled, not success), so the first push will not trigger a deploy. Cancellation is desirable on PRs but usually not on the default branch or tags.

🛠️ Suggested guard

 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  # Don't cancel in-flight runs on protected refs; deploy.yml listens on workflow_run.
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 22 - 24, The current concurrency block
uses cancel-in-progress: true which can cancel CI runs on the default branch and
prevent subsequent deploy triggers; update the concurrency configuration so
cancel-in-progress is only enabled for non-default branch runs (e.g.,
PRs/feature branches) and disabled for the default branch and tag pushes. Locate
the concurrency block (symbols: concurrency, group, cancel-in-progress) and
change the logic to set cancel-in-progress to false when github.ref is the
default branch (e.g., refs/heads/main) or a tag, and true otherwise so PRs still
cancel but main/tag pushes do not get cancelled and can trigger workflow_run
deploys.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Don't treat skipped as success for a required-status gate.

required is the aggregator consumed by the default-branch-baseline ruleset, so its success is the branch-protection gate. Today node has no if: and can't be skipped, but accepting skipped as ok is a silent footgun: a future path filter, matrix guard, or upstream change that skips node would make required green without CI actually running. Recommend narrowing to success only (and optionally keep "" defensively).

🛡️ Suggested tightening

           case "$NODE_RESULT" in
-            success|skipped|"") echo "ok: node=$NODE_RESULT" ;;
-            *) echo "::error::node reusable returned: $NODE_RESULT"; exit 1 ;;
+            success) echo "ok: node=$NODE_RESULT" ;;
+            *) echo "::error::node reusable returned: '$NODE_RESULT'"; exit 1 ;;
           esac

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Aggregate
	env:
	NODE_RESULT: ${{ needs.node.result }}
	run: |
	if find src -name "*.test.ts" -o -name "*.test.tsx" -o -name "*.spec.ts" -o -name "*.spec.tsx" | grep -q .; then
	bun test --coverage
	else
	echo "No test files found — skipping."
	fi
	lint:
	runs-on: ubuntu-latest
	timeout-minutes: 10
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
	- run: bun install --frozen-lockfile
	- run: bun run lint
	set -eu
	case "$NODE_RESULT" in
	success|skipped|"") echo "ok: node=$NODE_RESULT" ;;
	*) echo "::error::node reusable returned: $NODE_RESULT"; exit 1 ;;
	esac
	- name: Aggregate
	env:
	NODE_RESULT: ${{ needs.node.result }}
	run: |
	set -eu
	case "$NODE_RESULT" in
	success) echo "ok: node=$NODE_RESULT" ;;
	*) echo "::error::node reusable returned: '$NODE_RESULT'"; exit 1 ;;
	esac

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 42 - 50, The case in the Aggregate
step currently treats "skipped" as an OK result which can let the
required-status gate pass without CI running; update the case that inspects
NODE_RESULT (the case "$NODE_RESULT" in block) to accept only success (and
optionally the empty string "") and treat any other value (including skipped) as
an error so the run exits non-zero; adjust the error message to clearly state
the unexpected NODE_RESULT value when failing.