chore: compile once for all runs

[gagik]

WIP

[Copilot]

Pull request overview

Refactors CI to compile once and reuse build artifacts across jobs, and moves Snyk scanning into a dedicated workflow.

Changes:

• Add a compile step that uploads dist/ and out/ as an artifact, then download it in build/test jobs to avoid recompiling.
• Introduce test-ci script and update workflows to run tests without the pretest compile hook.
• Extract Snyk testing from the main build workflow into its own workflow (and add it to draft-release as a separate job).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
scripts/snyk-test.ts	Changes Snyk test runner to return { results, error } and suppress/adjust error handling.
package.json	Adds test-ci and changes snyk-test to run the TS file directly.
.github/workflows/test-and-build.yaml	Compiles once, uploads build output, downloads it in downstream jobs; removes in-workflow Snyk finalize.
.github/workflows/test-and-build-from-fork.yaml	Same compile/upload/download approach for fork workflow; switches to test-ci.
.github/workflows/snyk-test.yaml	New standalone Snyk workflow for main/tags/PR/schedule.
.github/workflows/draft-release.yaml	Adds a separate Snyk job and gates draft release on it.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

node cannot execute TypeScript files without a loader (e.g., ts-node/tsx) or prior compilation. This will fail in environments that don’t register a TS transpiler. Consider running the compiled JS output (e.g., node ./out/scripts/snyk-test.js) or switching the script to use a TS runner (e.g., tsx scripts/snyk-test.ts / ts-node scripts/snyk-test.ts) consistent with the repo’s tooling.

Suggested change

	"snyk-test": "node scripts/snyk-test.ts",
	"snyk-test": "node -r ts-node/register scripts/snyk-test.ts",

[Copilot]

child_process.execFile does not support the stdio option (it’s a spawn option). This is either a TS type error (in stricter configs) or a no-op at runtime, and the comment becomes misleading. Either remove stdio (since execFile already buffers output and won’t print unless you log it) or switch to spawn if you need explicit stdout/stderr behavior control.

Suggested change

	{ cwd, stdio: 'ignore' },
	{ cwd },

[Copilot]

fs.readFile(tmpPath) returns a Buffer by default; JSON.parse expects a string. This can produce TypeScript errors and relies on implicit coercion. Read as UTF-8 explicitly (e.g., await fs.readFile(tmpPath, 'utf8')) before parsing.

Suggested change

	const res = JSON.parse(await fs.readFile(tmpPath));
	const fileContents = await fs.readFile(tmpPath, 'utf8');
	const res = JSON.parse(fileContents);

[Copilot]

In TS, catch (err) is unknown; assigning it directly to Error-typed error breaks type safety and can lead to confusing downstream logging. Normalize the caught value to an Error (e.g., err instanceof Error ? err : new Error(String(err))) before assigning.

[Copilot]

err in the main().catch(...) handler is not guaranteed to be an Error, so err.message may be undefined and you’ll lose useful diagnostics (including stack traces). Prefer logging the full error object (or normalize to Error first) to preserve actionable output.

Suggested change

	console.error('Snyk Test Failed:', err.message);
	console.error(
	'Snyk Test Failed:',
	err instanceof Error ? err.stack || err.message || err : err,
	);

[Copilot]

This workflow uploads artifacts via actions/upload-artifact, but the workflow-level permissions block restricts the token scopes to only contents: read (all other scopes become none). This commonly causes artifact upload to fail with authorization errors. Add the required permission (typically actions: write) or remove the restrictive permissions block if the repo relies on default permissions.

Suggested change

	contents: read
	contents: read
	actions: write