DOT-175: Add CI workflow and npm pack dry-run

[eiei114]

Summary

• PR CI ワークフロー（ci.yml）を追加し、PR と main への push で typecheck / test / pack dry-run を実行
• npm run check に npm pack --dry-run（release:npm:dry）を統合し、ローカルと CI / publish の検証を揃える

Multica Issue: DOT-175

確認シナリオ

PR マージ前に、CI とローカル check が同じ検証（typecheck・test・pack dry-run）を通ることを確認する。

操作手順

1. この PR の GitHub Actions（CI workflow）が green になることを確認する
2. ローカルで npm ci && npm run check を実行する

期待結果

• CI workflow が成功する（31 テスト pass、pack dry-run で 13 ファイルが tarball に含まれる）
• ローカル npm run check も同様に成功する
• 既存の auto-release.yml → publish.yml 連携は変更なし（publish.yml は引き続き npm run check を実行するため、pack dry-run も自動的に含まれる）

確認コマンド

npm ci
npm run check

注意する失敗パターン

• npm pack --dry-run が files フィールド漏れで失敗する（今回の tarball には README / LICENSE / src が含まれることを確認済み）
• Node バージョン不一致（CI は Node 24、engines は >=22.19.0）

Summary by CodeRabbit

• Chores
  • Added an automated CI workflow that runs on pushes to main and on all pull requests to validate changes.
  • Clarified CI job steps and permissions to make checks more explicit.
  • Updated the local "check" command to include an additional dry-run release validation step during the build process.

[coderabbitai]

Need the big picture first? Review this PR in Change Stack to see what changed before going file by file.

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that runs on pushes to main and pull requests, with repository contents read-only permissions; the job checks out code, sets up Node.js v24, runs npm ci, and executes npm run check. package.json's check script now appends npm run release:npm:dry.

Changes

CI Workflow and Release Validation

Layer / File(s)	Summary
CI Workflow and Release Validation Pipeline .github/workflows/ci.yml, package.json	Workflow triggers updated to include push to main and a top-level permissions block; job renamed to check with explicit steps (checkout, setup Node 24, npm ci, npm run check); scripts.check now runs typecheck && test && release:npm:dry.

Possibly Related PRs

• eiei114/pi-weighted-model-router#2: The update to package.json's scripts.check directly affects auto-release workflows that rely on npm run check for publish validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰
A workflow hops and watches every mainline push,
Typechecks and tests in a tidy, eager rush,
Then a dry-run of release tiptoes in view,
The rabbit nods—checks passed, the pipeline's true,
Hooray for builds that quietly do what they must.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: adding a CI workflow and integrating npm pack dry-run into the check script.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch agent/cursor-composer-builder/3cbea624

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

20-24: ⚡ Quick win

Enable package manager caching to improve CI performance.

The package-manager-cache: false setting forces npm to download all dependencies on every CI run. Enabling caching (by removing this line or setting it to true) will significantly speed up CI runs without sacrificing correctness, since npm ci already ensures deterministic installs from the lock file.

⚡ Proposed change to enable caching

       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
         with:
           node-version: 24
-          package-manager-cache: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 20 - 24, The CI workflow currently
disables Node package manager caching via the `package-manager-cache: false`
setting in the "Setup Node.js" step; change this to enable caching by removing
that key or setting `package-manager-cache: true` so the actions/setup-node step
can cache npm/yarn/pnpm artifacts and speed up subsequent runs (look for the
"Setup Node.js" step and the `package-manager-cache` key in the
`.github/workflows/ci.yml` file to update).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 17-18: The Checkout step currently uses actions/checkout without
disabling credential persistence; update the "Checkout" step (the step using
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) to include a with:
persist-credentials: false setting so GitHub credentials are not written to the
git config, reducing credential exposure risk.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 20-24: The CI workflow currently disables Node package manager
caching via the `package-manager-cache: false` setting in the "Setup Node.js"
step; change this to enable caching by removing that key or setting
`package-manager-cache: true` so the actions/setup-node step can cache
npm/yarn/pnpm artifacts and speed up subsequent runs (look for the "Setup
Node.js" step and the `package-manager-cache` key in the
`.github/workflows/ci.yml` file to update).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c9202cd8-e469-44d5-805b-36111d647faa

📥 Commits

Reviewing files that changed from the base of the PR and between 20783ff and e4e8ace.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• package.json

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 18: Replace the floating action tags `actions/checkout@v6` and
`actions/setup-node@v6` with their corresponding commit SHAs (pin to the exact
commit) and add `persist-credentials: false` to the checkout step; locate the
checkout and setup steps by the strings `actions/checkout@v6` and
`actions/setup-node@v6` in the workflow, swap the versions for the full SHA
values from the actions repositories, and include `persist-credentials: false`
under the checkout step to harden credentials handling.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9a138352-d216-44e9-b56a-78bf8adc58ec

📥 Commits

Reviewing files that changed from the base of the PR and between e4e8ace and bd97ee0.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json