ci: enhance GitHub Actions workflow with modern Node.js versions and security

- Update to Node.js 22 (LTS) for primary jobs and Node.js 20/22/24 for testing
- Add cross-platform testing on Ubuntu, Windows, and macOS
- Add security audit job with vulnerability scanning
- Add package verification and npm provenance publishing
- Update Node.js engine requirement to >=20.0.0
- Improve caching and performance optimizations

Author: webmasterdevlin

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: 'npm'
 
       - name: Install dependencies
@@ -32,12 +32,35 @@ jobs:
       - name: TypeScript type checking
         run: npm run typecheck
 
+  security:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run security audit
+        run: npm audit --audit-level moderate
+
+      - name: Check for known vulnerabilities
+        run: npm audit --audit-level high --production
+
   test:
     name: Test
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [22.x]
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        node-version: [20.x, 22.x, 24.x]
 
     steps:
       - name: Checkout repository
@@ -57,23 +80,23 @@ jobs:
 
       - name: Upload coverage reports
         uses: codecov/codecov-action@v4
-        if: matrix.node-version == '20.x' && github.event_name != 'pull_request'
+        if: matrix.node-version == '22.x' && matrix.os == 'ubuntu-latest' && github.event_name != 'pull_request'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: false
 
   build:
     name: Build
     runs-on: ubuntu-latest
-    needs: [lint-and-typecheck, test]
+    needs: [lint-and-typecheck, test, security]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           cache: 'npm'
 
       - name: Install dependencies
@@ -93,8 +116,11 @@ jobs:
     name: Publish to npm
     runs-on: ubuntu-latest
     needs: build
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v'))
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     environment: npm-publish
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -104,8 +130,9 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
 
       - name: Download build artifact
         uses: actions/download-artifact@v4
@@ -114,10 +141,12 @@ jobs:
           path: dist/
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --only=production
+
+      - name: Verify package contents
+        run: npm pack --dry-run
 
       - name: Publish to NPM
-        if: startsWith(github.ref, 'refs/tags/v')
-        run: npm publish --access public
+        run: npm publish --access public --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package.json

@@ -99,7 +99,7 @@
   },
   "packageManager": "npm@10.2.4 || pnpm@8.15.4 || yarn@4.2.0 || bun@1.0.25",
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "exports": {
     ".": {