Add comprehensive GitHub Actions automation infrastructure

[Copilot]

Implements production-grade CI/CD, security scanning, and maintenance automation for the repository.

Workflows

CI/CD

• ci.yml: Parallel test/build jobs with coverage artifacts, build verification, pnpm caching
• lint.yml: TypeScript type checking on all PRs
• docs.yml: Auto-deploy documentation to GitHub Pages on changes

Security

• codeql.yml: Weekly JavaScript/TypeScript security scanning + on-demand
• validate-deps.yml: Dependency audits (fails on high-severity), lockfile verification, outdated tracking

Automation

• pr-automation.yml: Size labels (xs/s/m/l/xl), 9 auto-labels by file path, changeset validation
• stale.yml: Daily cleanup (issues: 60d→14d, PRs: 30d→7d)

Configuration

• dependabot.yml: Weekly dependency updates (grouped minor/patch), GitHub Actions version updates
• labeler.yml: Auto-labeling rules for protocol:data/ui/system/ai, documentation, ci/cd, dependencies, tests, tooling

Documentation

• WORKFLOWS.md: Comprehensive workflow reference
• AUTOMATION.md: Quick reference and commands
• WORKFLOW_DIAGRAM.md: Visual flow diagrams
• COMPLETION_SUMMARY.md: Implementation details and setup guide

Key Technical Decisions

• Pinned action versions (v1.10.1, v5.0.0, v9.0.0) for supply chain security
• Explicit pnpm 10.28.0 across all workflows for consistency
• Fail-fast on high-severity vulnerabilities (security compliance)
• Directory existence checks before operations (robustness)
• Minimal permissions per workflow (least privilege)

Post-Merge Setup Required

1. Add NPM_TOKEN secret for npm publishing
2. Enable GitHub Pages: Settings → Pages → Source: GitHub Actions

Original prompt

添加必要的自动化工作流

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
spec	Ready	Preview, Comment	Jan 19, 2026 0:44am

[Copilot]

Pull request overview

This PR adds comprehensive automation workflows to improve CI/CD, security, and maintenance capabilities for the ObjectStack Spec repository. The implementation focuses on establishing robust testing, security scanning, dependency management, and automated documentation deployment.

Changes:

• Added 6 new GitHub Actions workflows for testing, linting, security scanning, documentation deployment, PR automation, and dependency validation
• Enhanced the existing CI workflow with separate test and build jobs, coverage reporting, and artifact management
• Configured Dependabot for automated dependency updates with grouping by type
• Created auto-labeling rules based on file changes and PR size classification
• Added comprehensive documentation for all workflows and automation features

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/ci.yml	Enhanced with separate test/build jobs, coverage reporting, artifact uploads, and build verification
.github/workflows/lint.yml	Adds TypeScript type checking with pnpm caching
.github/workflows/codeql.yml	Implements CodeQL security analysis on push, PR, and weekly schedule
.github/workflows/docs.yml	Automates documentation building and deployment to GitHub Pages
.github/workflows/pr-automation.yml	Implements PR size labeling, auto-labeling, and changeset validation
.github/workflows/stale.yml	Manages stale issues and PRs with configurable timeframes
.github/workflows/validate-deps.yml	Validates dependencies with security audits and license compliance checks
.github/dependabot.yml	Configures automated dependency updates with grouping and scheduling
.github/labeler.yml	Defines auto-labeling rules based on changed file paths
.github/WORKFLOWS.md	Provides comprehensive documentation of all workflows
.github/AUTOMATION.md	Quick reference guide for developers

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-actions]

This PR is very large. Consider breaking it into smaller PRs for easier review.

[github-actions]

This PR is very large. Consider breaking it into smaller PRs for easier review.

[github-actions]

This PR is very large. Consider breaking it into smaller PRs for easier review.