Add CI/CD automation, auto-merge for bot PRs, and meaningful unit tests

.github/workflows/auto-merge.yml

@@ -0,0 +1,37 @@
+name: Auto-merge bot PRs
+
+# pull_request_target runs in the base branch context so GITHUB_TOKEN has write access.
+# We never checkout PR code here, only invoke gh pr merge — this is safe.
+on:
+  pull_request_target:
+    types: [opened, reopened, ready_for_review, synchronize]
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    # Use pull_request.user.login (the PR author), not github.actor (the workflow
+    # triggering actor), which can differ on synchronize events and is considered
+    # a forgeable context value by SonarCloud S6549.
+    if: |
+      github.event.pull_request.user.login == 'dependabot[bot]' ||
+      github.event.pull_request.user.login == 'snyk-bot'
+
+    steps:
+      - name: Enable auto-merge
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Bind to env var before shell interpolation to prevent template injection.
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_REPO: ${{ github.repository }}
+        # --auto queues the merge; GitHub will merge only after all required checks pass.
+        # Requires "Allow auto-merge" to be enabled in repo Settings → General.
+        # If the feature is off or permissions are insufficient, we warn and exit cleanly
+        # so the PR is not blocked — it will need manual review instead.
+        run: |
+          gh pr merge --auto --squash "$PR_NUMBER" \
+            --repo "$PR_REPO" \
+          || echo "::warning::Auto-merge could not be enabled. Either enable 'Allow auto-merge' in repo settings or merge this PR manually once CI passes."

.github/workflows/ci.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+        # tslint is deprecated — failures warn but do not block
+        continue-on-error: true
+
+      - name: Test
+        run: npm run test:ci
+
+      - name: Build
+        run: npx ng build --configuration=production
+        env:
+          NODE_OPTIONS: --max-old-space-size=4096
+
+      - name: Security audit
+        run: npm audit --audit-level=high
+        # Snyk manages fixes via PRs; audit here surfaces new issues without blocking
+        continue-on-error: true

.npmrc

@@ -0,0 +1 @@
+legacy-peer-deps=true

angular.json

@@ -108,7 +108,7 @@
                     "options": {
                       "main": "src/test.ts",
                       "polyfills": "src/polyfills.ts",
-                      "tsConfig": "tsconfig.spec.json",
+                      "tsConfig": "src/tsconfig.spec.json",
                       "karmaConfig": "karma.conf.js",
                       "assets": [
                         "src/favicon.ico",

karma.conf.js

@@ -1,5 +1,5 @@
 /*
-SPDX-Copyright: Copyright (c) Capital One Services,LLC 
+SPDX-Copyright: Copyright (c) Capital One Services,LLC
 SPDX-License-Identifier: Apache-2.0
 
 Copyright 2018 Capital One Services, LLC
@@ -20,30 +20,30 @@ See the License for the specific language governing permissions and limitations
 module.exports = function (config) {
     config.set({
         basePath: '',
-        frameworks: ['jasmine', '@angular/cli'],
+        frameworks: ['jasmine', '@angular-devkit/build-angular'],
         plugins: [
             require('karma-jasmine'),
             require('karma-chrome-launcher'),
             require('karma-jasmine-html-reporter'),
-            require('karma-coverage-istanbul-reporter'),
-            require('@angular/cli/plugins/karma')
+            require('karma-coverage'),
+            require('@angular-devkit/build-angular/plugins/karma')
         ],
         client: {
             clearContext: false // leave Jasmine Spec Runner output visible in browser
         },
-        coverageIstanbulReporter: {
-            reports: ['html', 'lcovonly'],
-            fixWebpackSourcePaths: true
-        },
-        angularCli: {
-            environment: 'dev'
-        },
         reporters: ['progress', 'kjhtml'],
         port: 9876,
         colors: true,
         logLevel: config.LOG_INFO,
         autoWatch: true,
         browsers: ['Chrome'],
+        // ChromeHeadlessNoSandbox is used in CI environments where --no-sandbox is required
+        customLaunchers: {
+            ChromeHeadlessNoSandbox: {
+                base: 'ChromeHeadless',
+                flags: ['--no-sandbox', '--disable-gpu', '--disable-dev-shm-usage']
+            }
+        },
         singleRun: false
     });
 };