Initial WatchLink scaffold

.gitea/workflows/build.yml

@@ -0,0 +1,43 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: git.wilkensxl.de/MrSphay/watchlink:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Test
+        run: npm run test
+
+      - name: Build
+        run: npm run build
+
+      - name: Build Docker image
+        run: docker build -t "$IMAGE_NAME" .
+
+      - name: Publish Docker image
+        if: ${{ secrets.REGISTRY_TOKEN != '' }}
+        run: |
+          echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.wilkensxl.de -u "${{ gitea.actor }}" --password-stdin
+          docker push "$IMAGE_NAME"

.gitea/workflows/dependency-check.yml

@@ -0,0 +1,27 @@
+name: Dependency Check
+
+on:
+  schedule:
+    - cron: "43 5 * * 3"
+  workflow_dispatch:
+
+jobs:
+  dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Audit
+        run: npm audit --omit=dev --audit-level=high
+
+      - name: Outdated report
+        run: npm outdated || true

.gitea/workflows/release-dry-run.yml

@@ -0,0 +1,33 @@
+name: Release Dry Run
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  workflow_dispatch:
+
+jobs:
+  release-dry-run:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check release docs
+        run: test -f docs/release-checklist.md && test -f docs/security-review.md && test -f CHANGELOG.md
+
+      - name: Check unresolved placeholders
+        run: |
+          ! grep -RInE "PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|BUILD_COMMAND|TEST_COMMAND|LINT_COMMAND" -- . --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=.next
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Release check
+        run: npm run release:check

.gitea/workflows/repo-cleanup.yml

@@ -0,0 +1,21 @@
+name: Repository Cleanup Report
+
+on:
+  schedule:
+    - cron: "29 4 * * 2"
+  workflow_dispatch:
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Report generated files
+        run: |
+          find . -maxdepth 3 \( -path "./node_modules" -o -path "./.next" -o -path "./coverage" -o -path "./dist" \) -print
+
+      - name: Report large files
+        run: |
+          find . -type f -size +10M -not -path "./.git/*" -print

.gitea/workflows/security-scan.yml

@@ -0,0 +1,32 @@
+name: Security Scan
+
+on:
+  schedule:
+    - cron: "17 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Audit dependencies
+        run: npm audit --omit=dev --audit-level=high
+
+      - name: Scan secret-prone files
+        run: |
+          ! find . -type f \( -name ".env" -o -name "*.pem" -o -name "*.key" \) -not -path "./node_modules/*" | grep .
+
+      - name: Scan instruction-injection markers
+        run: |
+          ! grep -RInE "ignore previous instructions|system prompt|developer message" -- . --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=.next

.gitea/workflows/template-compliance.yml

@@ -0,0 +1,29 @@
+name: Template Compliance
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  compliance:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Required files
+        run: |
+          test -f AGENTS.md
+          test -f .codex/project.md
+          test -f README.md
+          test -f SECURITY.md
+          test -f CHANGELOG.md
+          test -f .gitignore
+
+      - name: Placeholder scan
+        run: |
+          ! grep -RInE "PROJECT_NAME|PROJECT_DESCRIPTION|REPOSITORY_OWNER|REPOSITORY_NAME|PACKAGE_NAME|ARTIFACT_NAME|ARTIFACT_OUTPUT_DIRECTORY" -- AGENTS.md .codex README.md docs .gitea || exit 1
+
+      - name: README divider
+        run: grep -q "rainbow.png" README.md