Add CI, repo policies & lint foundation (closes #6)

.editorconfig

@@ -0,0 +1,19 @@
+# https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = tab
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{md,mdx}]
+trim_trailing_whitespace = false
+
+[*.{json,yml,yaml}]
+indent_style = space
+
+[COMMIT_EDITMSG]
+max_line_length = 0

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+# Default owners for everything
+* @SSWConsulting/sswdevelopers
+
+# .github folder (CI, policies, deploy) is owned by the website maintainers team
+/.github @SSWConsulting/ssw-website-maintainers

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,39 @@
+name: 🐛 Bug Report
+description: Report a bug
+title: '🐛 {{ TITLE }}'
+labels: ['Type: Bug']
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the bug
+      description: A clear and concise description of what the bug is.
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: To Reproduce
+      description: Steps to reproduce the behaviour.
+      value: |
+        1.
+        2.
+        3.
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots / Video
+      description: |
+        If applicable, add screenshots or video to help explain the problem.
+        Remember to mark the area in the application that's impacted.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,33 @@
+name: ✨ Feature Request
+description: Suggest an idea for this project
+title: '✨ {{ TITLE }}'
+labels: ['Type: Feature']
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives you've considered
+      description: A clear and concise description of any alternative solutions or features you've considered.
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Add any other context or screenshots about the feature request here.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/tech_debt.yml

@@ -0,0 +1,19 @@
+name: 💸 Tech Debt
+description: Report tech debt
+title: '💸 {{ TITLE }}'
+labels: ['Type: Refactor']
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: A clear and concise description of what the tech debt is and why it was created.
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How would you fix it?
+    validations:
+      required: false

.github/dependabot.yml

@@ -0,0 +1,33 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    labels:
+      - 'Type: Dependencies'
+    commit-message:
+      prefix: '⬆️ github-actions'
+    rebase-strategy: auto
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    labels:
+      - 'Type: Dependencies'
+    commit-message:
+      prefix: '⬆️ npm'
+    rebase-strategy: auto
+    cooldown:
+      default-days: 7
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 7
+    ignore:
+      # Tina canary releases use a pinned date-stamped version; let Hark bump these by hand
+      - dependency-name: '@tinacms/astro'
+      - dependency-name: '@tinacms/cli'
+      - dependency-name: 'tinacms'

.github/pull_request_template.md

@@ -0,0 +1,11 @@
+<!-- describe the change, why it is needed, and what it accomplishes -->
+<!-- As per rule https://www.ssw.com.au/rules/over-the-shoulder-prs -->
+<!-- Getting the PR merged is part of the PBI - call someone to review your changes to get them merged ASAP -->
+
+- Affected routes: <!-- e.g. `/`, `/admin/` -->
+
+- Fixed #{{ ISSUE NUMBER }}
+
+- [ ] Every new piece of user-visible copy is modelled as a Tina field (no hardcoded strings in `.astro` files — see [AGENTS.md](../AGENTS.md))
+- [ ] Local build passes (`pnpm run build:local`)
+- [ ] Done video or screenshots attached below

.github/workflows/codeql.yml

@@ -0,0 +1,40 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  schedule:
+    - cron: '0 23 * * SUN'
+
+jobs:
+  analyze:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript']
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/pr-build.yml

@@ -0,0 +1,59 @@
+name: PR - Build
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ci-${{ github.event.number }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        with:
+          package_json_file: package.json
+          standalone: true
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - run: pnpm install --frozen-lockfile
+
+      # Decide which build to run.
+      # Same-repo PRs: `pnpm run build` — mirrors Cloudflare Workers Builds,
+      # talks to Tina Cloud (needs PUBLIC_TINA_CLIENT_ID + TINA_TOKEN).
+      # Fork PRs: GitHub strips secrets, so fall back to `pnpm run build:local`
+      # (in-process Tina datalayer, no creds needed). Catches most breakage
+      # except the Tina Cloud schema-sync class — that's verified again
+      # post-merge on `main` via CF Builds.
+      - name: Decide build mode
+        id: mode
+        shell: bash
+        env:
+          HAS_TINA_TOKEN: ${{ secrets.TINA_TOKEN != '' }}
+        run: |
+          if [ "$HAS_TINA_TOKEN" = "true" ]; then
+            echo "script=build" >> "$GITHUB_OUTPUT"
+            echo "Using full CF parity build (Tina Cloud)"
+          else
+            echo "script=build:local" >> "$GITHUB_OUTPUT"
+            echo "::warning::Tina Cloud secrets unavailable (likely fork PR) — falling back to build:local"
+          fi
+
+      - name: Tina + Astro build
+        run: pnpm run ${{ steps.mode.outputs.script }}
+        env:
+          NODE_OPTIONS: --max-old-space-size=4096
+          PUBLIC_TINA_CLIENT_ID: ${{ secrets.PUBLIC_TINA_CLIENT_ID }}
+          TINA_TOKEN: ${{ secrets.TINA_TOKEN }}

.github/workflows/pr-dependency-review.yml

@@ -0,0 +1,20 @@
+# Dependency Review Action — flags known-vulnerable packages added in a PR.
+# https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
+name: PR - Dependency Review
+
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: dependency-review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: critical

.github/workflows/pr-lint-code.yml

@@ -0,0 +1,33 @@
+name: PR - Lint code
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ci-${{ github.event.number }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  lint-code:
+    name: lint-code
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        with:
+          package_json_file: package.json
+          standalone: true
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: ESLint
+        run: pnpm lint

.github/workflows/pr-lint-pr.yml

@@ -0,0 +1,64 @@
+name: PR - Lint PR
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+concurrency:
+  group: ci-${{ github.event.number }}-${{ github.workflow }}-lint-pr
+  cancel-in-progress: true
+
+jobs:
+  pr-lint:
+    runs-on: ubuntu-latest
+    name: Check linked issues
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Detect non-content changes
+        id: check_file_changed
+        shell: bash
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          # Diff full PR range, not just last commit, so multi-commit PRs
+          # don't get misclassified as content-only when the latest commit
+          # happens to only touch content.
+          diff=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
+          source_diff=$(echo "$diff" | grep -Ev '^src/content/|^public/|^\.github/ISSUE_TEMPLATE/|^package\.json$|^pnpm-lock\.yaml$' || true)
+          if [ -n "$source_diff" ]; then
+            echo "hasCodeChanges=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "hasCodeChanges=false" >> "$GITHUB_OUTPUT"
+          fi
+          {
+            echo "sourceDiff<<EOF"
+            echo "$source_diff"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Summarise diff
+        shell: bash
+        run: |
+          if [ -z "${{ steps.check_file_changed.outputs.sourceDiff }}" ]; then
+            echo "Content change only — skipping linked-issue check"
+          else
+            echo "Non-content files changed:"
+            echo "${{ steps.check_file_changed.outputs.sourceDiff }}"
+          fi
+
+      - uses: nearform-actions/github-action-check-linked-issues@v1.8.3
+        if: ${{ steps.check_file_changed.outputs.hasCodeChanges == 'true' }}
+        id: check-linked-issues
+        with:
+          exclude-branches: 'dependabot/**'
+
+      - name: Generate summary
+        if: ${{ steps.check_file_changed.outputs.hasCodeChanges == 'true' }}
+        shell: bash
+        run: |
+          echo "Found ${{ steps.check-linked-issues.outputs.linked_issues_count }} issues linked to PR" >> "$GITHUB_STEP_SUMMARY"

.nvmrc

@@ -0,0 +1 @@
+v22.21.1