Improve pipelines and use GitHub releases

[tnotheis]

No description provided.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Copilot]

Pull request overview

This PR updates the repository’s developer tooling and GitHub Actions pipelines to standardize Node usage, centralize CI checks, change publishing to be tag-driven, and modernize repo automation (CodeQL, PR label enforcement, Renovate, repo settings).

Changes:

• Added a shared .ci/runChecks.sh and introduced a separate run-checks job in workflows.
• Switched workflows to use .nvmrc for Node version selection and changed publishing to run on pushed tags.
• Consolidated CodeQL workflows into a single multi-trigger workflow and added repo automation configs (labels/settings, Renovate, PR label checks).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
.vscode/settings.json	Editor/todo-tree/xml tooling settings; adds TS SDK path setting.
.nvmrc	Pins Node version for local dev and CI workflows.
.github/workflows/test.yml	Adds run-checks job and rewires test steps to npm scripts.
.github/workflows/publish.yml	Publishes on tag pushes, adds run-checks, switches to npm script build + new publish script.
.github/workflows/codeql.yml	Replaces older CodeQL workflows with unified triggers + TS/JS analysis matrix.
.github/workflows/codeql-analysis.yml	Removed legacy CodeQL workflow.
.github/workflows/codeql-analysis-cron.yml	Removed legacy scheduled CodeQL workflow.
.github/workflows/check-pr.yml	Adds PR label validation workflow.
.github/settings.yml	Adds repo settings + label definitions for automation.
.github/renovate.json5	Adds Renovate configuration for dependency updates.
.ci/runChecks.sh	New shared checks script (build/lint/circular deps/license/audit).
.ci/publishNpm.sh	New publish script intended to version and publish packages on tag builds.
.ci/publish.sh	Removed old publish script.
.ci/build.sh	Removed old CI build script.

Comments suppressed due to low confidence (2)

.ci/runChecks.sh:7

• npm run build:node and npm run cdep both run tsc + madge --circular dist (per package.json), so this script is doing essentially the same compile/circular-deps check twice. Dropping one of these calls will reduce CI time without losing coverage (e.g., keep build:node and remove cdep, or vice versa).
  .ci/runChecks.sh:9
• better-npm-audit is not in package.json/package-lock.json, so npx better-npm-audit ... will require downloading it at runtime. On many npm versions this can prompt for confirmation (or fail in non-interactive CI). Consider adding it as a devDependency and running it via npm exec, or use npx --yes / npm exec --yes --package better-npm-audit ... to guarantee non-interactive execution.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.