[codex] add self-sustaining pipeline

.github/dependabot.yml

@@ -5,19 +5,71 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
-      day: monday
+      interval: daily
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+    groups:
+      github-actions:
+        patterns:
+          - "*"
     labels:
       - dependencies
+      - github-actions
     commit-message:
-      prefix: "chore(deps)"
+      prefix: "ci"
 
   - package-ecosystem: docker
     directory: /
     schedule:
-      interval: weekly
-      day: monday
+      interval: daily
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+    groups:
+      docker:
+        patterns:
+          - "*"
     labels:
       - dependencies
+      - docker
     commit-message:
-      prefix: "chore(deps)"
+      prefix: "chore"
+
+  - package-ecosystem: pre-commit
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+    groups:
+      pre-commit:
+        patterns:
+          - "*"
+    labels:
+      - dependencies
+      - pre-commit
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7
+      semver-major-days: 30
+      semver-minor-days: 7
+      semver-patch-days: 3
+    versioning-strategy: increase
+    groups:
+      npm-tooling:
+        patterns:
+          - "*"
+    labels:
+      - dependencies
+      - npm
+    commit-message:
+      prefix: "chore"

.github/workflows/ci.yml

@@ -6,13 +6,22 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+  workflow_dispatch:
+  schedule:
+    - cron: "17 8 * * 1"
 
 permissions:
   contents: read
 
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   lint:
+    name: lint
     runs-on: ubuntu-latest
+    timeout-minutes: 20
 
     steps:
       - name: Checkout
@@ -21,9 +30,71 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "lts/*"
+          cache: npm
+
+      - name: Install npm tooling
+        run: npm ci
 
       - name: Run prek
         uses: j178/prek-action@bdca6f102f98e2b4c7029491a53dfd366469e33d # v2.0.4
         with:
           extra-args: --all-files
+
+  report-scheduled-failure:
+    name: report scheduled failure
+    if: ${{ always() && github.event_name == 'schedule' }}
+    needs: lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      issues: write
+    env:
+      GH_TOKEN: ${{ github.token }}
+      ISSUE_LABEL: ci-scheduled
+      ISSUE_TITLE: Scheduled CI failure detected
+      LINT_RESULT: ${{ needs.lint.result }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+    steps:
+      - name: Report scheduled CI status
+        run: |
+          set -euo pipefail
+          triggered_at="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
+
+          issue_number="$(
+            gh issue list \
+              --state open \
+              --label "$ISSUE_LABEL" \
+              --search "$ISSUE_TITLE in:title" \
+              --json number,title \
+              --jq '.[] | select(.title == "Scheduled CI failure detected") | .number' \
+            | head -n 1
+          )"
+
+          body_file="$(mktemp)"
+          {
+            echo "Scheduled CI failed."
+            echo
+            echo "| Field | Value |"
+            echo "| --- | --- |"
+            echo "| Workflow | ${GITHUB_WORKFLOW} |"
+            echo "| Run number | ${GITHUB_RUN_NUMBER} |"
+            echo "| Commit SHA | ${GITHUB_SHA} |"
+            echo "| Run URL | ${RUN_URL} |"
+            echo "| Trigger time | ${triggered_at} |"
+            echo "| Job result | ${LINT_RESULT} |"
+          } > "$body_file"
+
+          if [ "$LINT_RESULT" != "success" ]; then
+            if [ -n "$issue_number" ]; then
+              gh issue edit "$issue_number" --body-file "$body_file" --add-label "$ISSUE_LABEL"
+              gh issue comment "$issue_number" --body "Scheduled CI is still failing: ${RUN_URL}"
+            else
+              gh issue create --title "$ISSUE_TITLE" --label "$ISSUE_LABEL" --body-file "$body_file"
+            fi
+          elif [ -n "$issue_number" ]; then
+            gh issue comment "$issue_number" --body "Scheduled CI recovered: ${RUN_URL}"
+            gh issue close "$issue_number" --comment "Closing after successful scheduled CI run: ${RUN_URL}"
+          fi

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,44 @@
+---
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  approve-and-auto-merge:
+    if: >-
+      ${{
+        github.event.pull_request.user.login == 'dependabot[bot]' &&
+        github.repository == github.event.pull_request.head.repo.full_name
+      }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    concurrency:
+      group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+
+    steps:
+      - name: Fetch Dependabot metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve pull request
+        run: gh pr review --approve "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+
+      - name: Enable squash auto-merge
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}

.gitignore

@@ -50,3 +50,6 @@ $RECYCLE.BIN/
 .history
 .ionide
 *.vsix
+
+### Node.js tooling ###
+node_modules/

.npmrc

@@ -0,0 +1 @@
+save-exact=true

.pre-commit-config.yaml

@@ -49,30 +49,28 @@ repos:
       - id: sync-pre-commit-deps
 
   # ── Prose related hooks ───────────────────────────────────────────────
-
   # requires cspell.json at the root of the repository
-  - repo: https://github.com/streetsidesoftware/cspell-cli
-    rev: v10.0.1
+  - repo: local
     hooks:
       - id: cspell
+        name: cspell
+        language: system
+        entry: npx --no-install cspell
         args: ["--config", "cspell.json"]
 
-  # requires npx which is available with nodejs
-  - repo: local
-    hooks:
       - id: markdown-table-formatter
         name: markdown-table-formatter
         language: system
-        entry: npx -y markdown-table-formatter
+        entry: npx --no-install markdown-table-formatter
         types: [markdown]
 
-  # requires .markdownlint-cli2.jsonc at the root of the repository
-  - repo: https://github.com/DavidAnson/markdownlint-cli2
-    rev: v0.22.1
-    hooks:
       - id: markdownlint-cli2
+        name: markdownlint-cli2
+        language: system
+        entry: npx --no-install markdownlint-cli2
         args: ["--config", ".markdownlint-cli2.jsonc", "--fix"]
         require_serial: true
+        types: [markdown]
 
   # ── Shell related hooks ───────────────────────────────────────────────
   - repo: https://github.com/shellcheck-py/shellcheck-py

cspell.json

@@ -5,28 +5,35 @@
   "dictionaries": [],
   "words": [
     "actionlint",
+    "Anson",
     "apdisk",
     "autoupdate",
+    "cooldown",
     "donotpresent",
     "ehthumbs",
+    "elif",
     "encryptable",
     "esktop",
     "fseventsd",
     "ionide",
     "justfile",
     "LOCALAPPDATA",
+    "mktemp",
     "msix",
     "OPTOUT",
+    "pipefail",
     "prek",
     "psmoduleanalysiscache",
     "pssa",
     "psscriptanalyzer",
+    "rhysd",
     "shellcheck",
     "shfmt",
     "stackdump",
     "Taskfile",
     "timemachine",
     "USERPROFILE",
+    "worktree",
     "venv"
   ],
   "ignoreWords": [],