Add CI, repo policies & lint foundation (closes #6)

.editorconfig

@@ -0,0 +1,19 @@
+# https://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = tab
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{md,mdx}]
+trim_trailing_whitespace = false
+
+[*.{json,yml,yaml}]
+indent_style = space
+
+[COMMIT_EDITMSG]
+max_line_length = 0

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+# Default owners for everything
+* @0xharkirat
+
+# .github folder is owned by repo maintainers
+/.github @wicksipedia @GordonBeeming @tiagov8

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,23 @@
+---
+name: "\U0001F41B Bug Report"
+about: Report a bug
+title: "\U0001F41B {{ TITLE }}"
+labels: 'Type: Bug'
+assignees: ''
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+
+1.
+2.
+3.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots / Video**
+If applicable, add screenshots or video to help explain the problem.
+Remember to mark the area in the application that's impacted.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,19 @@
+---
+name: '✨ Feature Request'
+about: Suggest an idea for this project
+title: '✨ {{ TITLE }}'
+labels: 'Type: Feature'
+assignees: ''
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/tech_debt.md

@@ -0,0 +1,13 @@
+---
+name: "\U0001F4B8 Tech Debt"
+about: Report tech debt
+title: "\U0001F4B8 {{ TITLE }}"
+labels: 'Type: Refactor'
+assignees: ''
+---
+
+**Description**
+A clear and concise description of what the tech debt is and why it was created.
+
+**Proposed solution**
+How would you fix it?

.github/dependabot.yml

@@ -0,0 +1,26 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    labels:
+      - 'Type: Dependencies'
+    commit-message:
+      prefix: 'Actions'
+    rebase-strategy: auto
+
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    labels:
+      - 'Type: Dependencies'
+    commit-message:
+      prefix: 'NPM'
+    rebase-strategy: auto
+    ignore:
+      # Tina canary releases use a pinned date-stamped version; let Hark bump these by hand
+      - dependency-name: '@tinacms/astro'
+      - dependency-name: '@tinacms/cli'
+      - dependency-name: 'tinacms'

.github/pull_request_template.md

@@ -0,0 +1,10 @@
+<!-- describe the change, why it is needed, and what it accomplishes -->
+<!-- As per rule https://www.ssw.com.au/rules/over-the-shoulder-prs -->
+
+- Affected routes: <!-- e.g. `/`, `/admin/` -->
+
+- Fixed #{{ ISSUE NUMBER }}
+
+- [ ] Every new piece of user-visible copy is modelled as a Tina field (no hardcoded strings in `.astro` files — see [AGENTS.md](../AGENTS.md))
+- [ ] Local build passes (`pnpm run build:local`)
+- [ ] Done video or screenshots attached below

.github/settings.yml

@@ -0,0 +1,78 @@
+# Source of truth for repo metadata, labels, and branch protection.
+# Applied to GitHub on push to main by .github/workflows/update-settings.yml
+# (via GuacamoleResearch/actions-settings, the GitHub Actions port of the
+# Probot Settings app's schema).
+
+repository:
+  name: SSW.Website.Global
+  description: SSW Global Website built with Astro + TinaCMS
+  homepage: https://ssw-website-global.workers.dev
+  topics: astro, tinacms, cloudflare-workers, ssw
+  private: false
+  has_issues: true
+  has_projects: true
+  has_wiki: false
+  has_downloads: false
+  default_branch: main
+  allow_squash_merge: true
+  allow_merge_commit: false
+  allow_rebase_merge: false
+  delete_branch_on_merge: true
+  enable_automated_security_fixes: true
+  enable_vulnerability_alerts: true
+
+labels:
+  - name: Good First Issue
+    color: '7057FF'
+
+  - name: 'Type: Bug'
+    color: 'FF2222'
+    description: A problem with existing functionality
+
+  - name: 'Type: DevOps'
+    color: '1D76DB'
+    description: Setting up of DevOps processes, e.g. GitHub Actions
+
+  - name: 'Type: Documentation'
+    color: 'BABABA'
+    description: Updating documentation (e.g. README, Wiki, Guides)
+
+  - name: 'Type: Feature'
+    color: '6DFF6D'
+    description: A suggested idea for this project
+
+  - name: 'Type: Refactor'
+    color: '0E8A16'
+    description: A code-quality improvement, e.g. tech debt
+
+  - name: 'Type: Dependencies'
+    color: 'FF2222'
+    description: Dependabot found dependencies to upgrade
+
+teams:
+  - name: sswdevelopers
+    permission: push
+  - name: ssw-website-maintainers
+    permission: maintain
+
+branches:
+  - name: main
+    protection:
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        dismiss_stale_reviews: false
+        require_code_owner_reviews: true
+        dismissal_restrictions:
+          users: []
+          teams: []
+      required_status_checks:
+        strict: false
+        contexts:
+          - 'Check linked issues'
+          - 'dependency-review'
+          - 'lint-code'
+          - 'build'
+          - 'CodeQL'
+      enforce_admins: false
+      required_linear_history: true
+      restrictions: null

.github/workflows/codeql.yml

@@ -0,0 +1,40 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  schedule:
+    - cron: '0 23 * * SUN'
+
+jobs:
+  analyze:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript']
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/pr-build.yml

@@ -0,0 +1,59 @@
+name: PR - Build
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ci-${{ github.event.number }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        with:
+          package_json_file: package.json
+          standalone: true
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - run: pnpm install --frozen-lockfile
+
+      # Decide which build to run.
+      # Same-repo PRs: `pnpm run build` — mirrors Cloudflare Workers Builds,
+      # talks to Tina Cloud (needs PUBLIC_TINA_CLIENT_ID + TINA_TOKEN).
+      # Fork PRs: GitHub strips secrets, so fall back to `pnpm run build:local`
+      # (in-process Tina datalayer, no creds needed). Catches most breakage
+      # except the Tina Cloud schema-sync class — that's verified again
+      # post-merge on `main` via CF Builds.
+      - name: Decide build mode
+        id: mode
+        shell: bash
+        env:
+          HAS_TINA_TOKEN: ${{ secrets.TINA_TOKEN != '' }}
+        run: |
+          if [ "$HAS_TINA_TOKEN" = "true" ]; then
+            echo "script=build" >> "$GITHUB_OUTPUT"
+            echo "Using full CF parity build (Tina Cloud)"
+          else
+            echo "script=build:local" >> "$GITHUB_OUTPUT"
+            echo "::warning::Tina Cloud secrets unavailable (likely fork PR) — falling back to build:local"
+          fi
+
+      - name: Tina + Astro build
+        run: pnpm run ${{ steps.mode.outputs.script }}
+        env:
+          NODE_OPTIONS: --max-old-space-size=4096
+          PUBLIC_TINA_CLIENT_ID: ${{ secrets.PUBLIC_TINA_CLIENT_ID }}
+          TINA_TOKEN: ${{ secrets.TINA_TOKEN }}

.github/workflows/pr-dependency-review.yml

@@ -0,0 +1,20 @@
+# Dependency Review Action — flags known-vulnerable packages added in a PR.
+# https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
+name: PR - Dependency Review
+
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: dependency-review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: critical

.github/workflows/pr-lint-code.yml

@@ -0,0 +1,33 @@
+name: PR - Lint code
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ci-${{ github.event.number }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  lint-code:
+    name: lint-code
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        with:
+          package_json_file: package.json
+          standalone: true
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: ESLint
+        run: pnpm lint