Repository Guidelines

Project Structure & Module Organization

• src/ — TypeScript sources for the composite action (dependency-review.ts, check-ossf.ts, check-guarddog.ts, frozen-install.ts).
• dist/ — Built JS (committed). Keep in sync with src/ via pnpm build.
• tests/ — Jest tests (*.test.ts).
• action.yml — Composite GitHub Action entry.
• .github/workflows/ — CI and self-test workflows.

Build, Test, and Development Commands

• Install: pnpm install --frozen-lockfile (use Corepack: corepack enable).
• Lint: pnpm lint (Biome).
• Test: pnpm test or pnpm test:watch (Jest + ts-jest).
• Build: pnpm build (tsup → dist/). CI fails if dist/ is out of date.
• Example run: node dist/check-ossf.js changed.json /tmp/ossf.

Coding Style & Naming Conventions

• Language: TypeScript (strict: true). Target ES2020, module CommonJS.
• Indentation: 2 spaces; prefer double quotes and semicolons (match existing files).
• Files: kebab-case (e.g., check-guarddog.ts).
• Symbols: camelCase variables/functions, PascalCase types/classes.
• Linting/formatting: pnpm lint (Biome) must pass before PR.

Testing Guidelines

• Framework: Jest (node env) with ts-jest.
• Location/pattern: tests/**/**.test.ts (config also picks up src/**).
• Behavior: avoid real network; prefer stubs/env overrides. Verify file outputs in temp dirs.
• Coverage: reports to coverage/ (no enforced threshold). Run pnpm test locally.

Commit & Pull Request Guidelines

• Use Conventional Commits seen in history: feat:, fix:, docs:, refactor:, improve:.
  • Example: feat: add multi-ecosystem frozen install
• PRs must include:
  • Clear description and linked issues (e.g., Closes #123).
  • Rationale and risk notes; logs/screenshots when behavior/outputs change.
  • Updated dist/ (run pnpm build) and docs (README.md) if inputs/behavior change.
  • Green CI (lint, tests, build).

Security & Configuration Tips

• Do not commit secrets. dependency-review requires GITHUB_TOKEN at runtime (CI provides it).
• Local Node: use lts/* or Node 18+; project CI builds with pnpm + Corepack.
• When adding new action inputs/steps, update action.yml, tests, and README accordingly.