From 220b15a7d49d594cce83695457b8b4a672daf7b4 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 19 Jun 2026 03:04:37 +0000
Subject: [PATCH] ci: use npm ci for reproducible installs and test the declared Node range

The workflows installed dependencies with `npm install --include=dev`, which ignores the committed package-lock.json and can resolve newer transitive versions than the locked tree. For a supply-chain-security tool this is especially significant in publish.yml: the package is published with `--provenance` but was built from an unpinned dependency tree, weakening the reproducibility that provenance is meant to attest.

Switch all three workflows to `npm ci`, which installs the exact locked tree and fails on lockfile drift.

Also run CI across Node 18, 20 and 22 to actually cover the `engines.node: ">=18"` range declared in package.json (previously only Node 20 was exercised, so nothing verified the supported minimum or current LTS), and add an explicit type-check step to the PR gate for a clearer failure signal.

Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_018iftJL9x2Bjx7T9q2o5Bd6
---
 .github/workflows/auto-tag.yml |  4 ++--
 .github/workflows/ci.yml       | 14 ++++++++++++--
 .github/workflows/publish.yml  |  2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index d21635b..aefd8e7 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -23,10 +23,10 @@ jobs:
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm install --include=dev
+        run: npm ci
 
       - name: Type check
-        run: npx tsc --noEmit
+        run: npm run typecheck
 
       - name: Test
         run: npm test
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fad540b..8ac5a85 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
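Review bot: The new `run: npm run typecheck` line only works if package.json already declares a `typecheck` script; the diffstat touches only the three workflow files, so if that script is absent the Type check step fails with a missing-script error instead of type-checking anything. The same step is added in the ci.yml hunk. If the script does exist the swap is fine; otherwise keep `run: npx tsc --noEmit` until the script is added. The `npm ci` change likewise presumes package-lock.json is committed and in sync with package.json, which the commit message asserts but the diff cannot show.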
@@ -7,21 +7,31 @@ on:
 
 jobs:
   ci:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Cover the engines.node range declared in package.json (>=18):
+        # the supported minimum, current LTS, and latest LTS.
+        node-version: ['18', '20', '22']
+    name: ci (Node ${{ matrix.node-version }})
     steps:
       - uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: ${{ matrix.node-version }}
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm install --include=dev
+        run: npm ci
 
       - name: Lint
         run: npm run lint
 
+      - name: Type check
+        run: npm run typecheck
+
       - name: Test
         run: npm test
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 575daf9..b4c0285 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,7 +24,7 @@ jobs:
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm install --include=dev
+        run: npm ci
 
       - name: Set version from tag
         run: |
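Review bot: Adding `name: ci (Node ${{ matrix.node-version }})` changes the status-check names reported to GitHub, so any branch-protection rule that requires a check called `ci` will never be satisfied once this lands; either update the required checks to the three new names or add a small aggregate job with a stable name that `needs: ci` and runs with `if: always()`. The matrix comment asserts which versions are "current LTS" and "latest LTS", which drifts as Node releases move on; phrasing it as `# the declared minimum plus the two newest LTS lines at the time of writing` keeps it from becoming silently wrong. The `${{ }}` expressions on the new lines are unquoted, which GitHub's parser accepts, but quoting them as `'${{ matrix.node-version }}'` matches the file's existing `cache: 'npm'` style.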
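Review bot: `run: npm ci` pins the dependency tree, but it still executes every dependency's install-time lifecycle scripts in the job that builds the provenance-attested package, so a compromised transitive package could run code inside the release build; `run: npm ci --ignore-scripts` closes that, provided the project's own build does not rely on a `prepare`/`postinstall` hook (not visible in this hunk). The same consideration applies to the `npm ci` lines in the auto-tag.yml and ci.yml hunks, though the publish job is where it matters most. The `Set version from tag` step's `run: |` body continues outside the hunk.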