refactor: remove unused code and improve maintainability (#9)

* refactor: remove unused code and improve maintainability

- Remove unused _compact parameter from getBootstrapContent function
- Move os.homedir() calls inline to functions for better scoping
- Remove tests for non-existent resolveSkillPath function
- Add semantic-release tooling for automated releases
- Add publishConfig for public npm package publishing
- Fix biome.json formatting to match linter expectations

All tests pass (38/38) and code follows project style guidelines.

* ci: fix action references

* ci: improve GitHub App integration and test workflow

- Add dynamic GitHub App user setup step to get app ID and email
- Replace hardcoded bot credentials with dynamic values from app token
- Update tests to run against source files instead of compiled dist
- Test Bun runtime directly instead of Node.js validation

This improves the CI workflow by making it work with any GitHub App
instead of being hardcoded to a specific bot, and improves test
reliability by testing source files directly with Bun.

Author: marcusrbrown

.github/codeql/codeql-config.yml

@@ -0,0 +1,6 @@
+---
+name: queries
+
+queries:
+  - uses: security-extended
+  - uses: security-and-quality

.github/renovate.json5

@@ -0,0 +1,24 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  description: ['Use the config preset for the @fro.bot/systematic repository'],
+  extends: ['local>marcusrbrown/renovate-config', 'github>sanity-io/renovate-config:semantic-commit-type'],
+  packageRules: [
+    {
+      matchPackageNames: [
+        '@semantic-release/{/,}**',
+        'conventional-changelog-conventionalcommits',
+        'semantic-release',
+        'semantic-release-export-data',
+      ],
+      semanticCommitType: 'build',
+    },
+    {
+      matchPackageNames: ['@opencode-ai/{/,}**'],
+      semanticCommitType: 'build',
+    },
+  ],
+  postUpgradeTasks: {
+    commands: ['bun install', 'bun run lint -- --fix || true'],
+    executionMode: 'branch',
+  },
+}

.github/settings.yml

@@ -0,0 +1,18 @@
+---
+_extends: .github:common-settings.yaml
+
+repository:
+  name: systematic
+  description: Structured engineering workflows for OpenCode
+  topics: opencode, plugin, ai, workflow, systematic, semantic-release, bun
+
+branches:
+  - name: main
+    protection:
+      required_status_checks:
+        strict: true
+        contexts: [Build, Typecheck, Lint, Test, Release, Analyze, Renovate / Renovate]
+      enforce_admins: true
+      required_pull_request_reviews: null
+      restrictions: null
+      required_linear_history: true

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,41 @@
+---
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '30 5 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [typescript]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        with:
+          config-file: ./.github/codeql/codeql-config.yml
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/main.yaml

@@ -0,0 +1,161 @@
+---
+name: main
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: Dry run
+        default: true
+        required: false
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build
+        run: bun run build
+
+  typecheck:
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Typecheck
+        run: bun run typecheck
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Lint codebase
+        run: bun run lint
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run tests
+        run: bun test tests/unit
+
+  release:
+    env:
+      DRY_RUN: ${{ github.event_name == 'pull_request' || github.event.inputs.dry-run && 'true' || 'false' }}
+    name: Release
+    needs: [build, typecheck, lint, test]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
+    steps:
+      - id: get-workflow-app-token
+        name: Get Workflow Application Token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ secrets.APPLICATION_ID }}
+          private-key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+
+      - id: setup-git-user
+        name: Get GitHub App User ID and Setup Git user
+        env:
+          GH_TOKEN: ${{ steps.get-workflow-app-token.outputs.token }}
+        run: |
+          name="${{ steps.get-workflow-app-token.outputs.app-slug }}[bot]"
+          user_id=$(gh api "/users/${name}" --jq .id)
+          email="${user_id}+${name}@users.noreply.github.com"
+          echo "user-email=${email}" >> "$GITHUB_OUTPUT"
+          echo "user-name=${name}" >> "$GITHUB_OUTPUT"
+          git config --global user.email "${email}"
+          git config --global user.name "${name}"
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          token: ${{ steps.get-workflow-app-token.outputs.token }}
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+
+      - name: Setup Node.js for NPM publishing
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 22
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build
+        run: bun run build
+
+      - name: Get Release Options
+        env:
+          INPUT_DRY_RUN: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.dry-run && 'true' || 'false' }}
+          IS_DEFAULT_BRANCH: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+        run: |
+          if [[ $DRY_RUN != 'true' || $IS_DEFAULT_BRANCH == 'true' ]]; then
+            echo "DRY_RUN=false" >> $GITHUB_ENV
+          fi
+
+      - name: Semantic Release
+        id: semantic-release
+        env:
+          CI_FLAG: ${{ env.DRY_RUN == 'true' && 'false' || 'true' }}
+          GIT_AUTHOR_EMAIL: ${{ steps.setup-git-user.outputs.user-email }}
+          GIT_AUTHOR_NAME: ${{ steps.setup-git-user.outputs.user-name }}
+          GIT_COMMITTER_EMAIL: ${{ steps.setup-git-user.outputs.user-email }}
+          GIT_COMMITTER_NAME: ${{ steps.setup-git-user.outputs.user-name }}
+          GITHUB_TOKEN: ${{ steps.get-workflow-app-token.outputs.token }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+        run: |
+          npx semantic-release --dry-run ${{ env.DRY_RUN }} --ci ${{ env.CI_FLAG }}
+        shell: 'bash -Eeuxo pipefail {0}'

.github/workflows/renovate.yaml

@@ -0,0 +1,45 @@
+---
+# Renovate this repository if Renovate-specific tasks are checked, if this workflow file or the Renovate configuration file is changed, or if dispatched.
+name: Renovate
+
+on:
+  issues:
+    types: [edited]
+  pull_request:
+    types: [edited]
+  push:
+    branches-ignore: [main]
+  workflow_dispatch:
+    inputs:
+      log-level:
+        description: Log level for Renovate
+        required: false
+        type: string
+        default: debug
+      print-config:
+        description: Log the fully-resolved Renovate config for each repository, plus fully-resolved presets.
+        required: false
+        type: boolean
+        default: false
+  workflow_run:
+    branches: [main]
+    types: [completed]
+    workflows: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    # Only run Renovate if this isn't a bot edit (issue or pull request) or if the workflow run is successful
+    if: >
+      (github.event.action == 'edited' && !contains(github.actor, '[bot]')) ||
+      (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')
+    name: Renovate
+    secrets:
+      APPLICATION_ID: ${{ secrets.APPLICATION_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+    uses: bfra-me/.github/.github/workflows/renovate.yaml@084299cf8d89425e3c5947c39772258c61f1dbc7 # v4.3.18
+    with:
+      log-level: ${{ inputs.log-level || (github.event_name == 'pull_request' || github.ref_name != github.event.repository.default_branch) && 'debug' || 'info' }}
+      print-config: ${{ inputs.print-config || false }}

.github/workflows/scorecard.yaml

@@ -0,0 +1,43 @@
+---
+name: Scorecard
+
+on:
+  branch_protection_rule:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '30 5 * * 1'
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        with:
+          sarif_file: results.sarif

.github/workflows/update-repo-settings.yaml

@@ -0,0 +1,23 @@
+---
+# Update repository settings to match the definitions in .github/settings.yml.
+name: Update Repo Settings
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '.github/settings.yml'
+  schedule:
+    - cron: '23 12 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-repo-settings:
+    name: Update Repo Settings
+    secrets:
+      APPLICATION_ID: ${{ secrets.APPLICATION_ID }}
+      APPLICATION_PRIVATE_KEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+    uses: bfra-me/.github/.github/workflows/update-repo-settings.yaml@084299cf8d89425e3c5947c39772258c61f1dbc7 # v4.3.18