feat: add @bchen/ui v0.1.0 — dark-mode token palette and 16px base rule

- dist/tokens.css: canonical light + @media dark semantic-token palette extracted from inventory (cross-checked against authd and buchinese). Covers --fg, --fg-muted, --bg, --bg-elevated, --surface, --accent*, --danger*, --border*, --input-*, --warning, primitive --gray-* scale. - dist/base.css: `input, textarea, select { font-size: 16px; }` prevents iOS Safari auto-zoom on focus. - tests/tokens.test.ts: vitest — token presence in both light and dark blocks; WCAG AA contrast (>=4.5:1 body, >=3.0:1 UI) via inline hex-to-luminance math. All 10 tests green. - tests/base.test.ts: vitest — asserts 16px rule covers all three selectors. - .gitea/workflows/release.yml: tag-triggered CI — npm ci + npm test, CHANGELOG version gate, dist/scripts security grep, Gitea release artifact upload. - README.md: four-step consumer integration guide with copy-pasteable snippets (package.json dep, Dockerfile cp, HTML link tags, app CSS). - CHANGELOG.md: v0.1.0 entry. npm audit --omit=dev: 0 vulnerabilities Closes #1
2026-05-13 17:56:08 -07:00
parent da38554c17
commit 6b06d00115
11 changed files with 1932 additions and 2 deletions
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,69 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      - name: install
+        run: npm ci
+
+      - name: test
+        run: npm test
+
+      - name: validate changelog
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          if ! grep -qF "## [${VERSION}]" CHANGELOG.md && ! grep -qE "^## ${VERSION}$" CHANGELOG.md; then
+            echo "ERROR: CHANGELOG.md has no entry for version ${VERSION}"
+            exit 1
+          fi
+
+      - name: security scan (dist/scripts)
+        run: |
+          if [ -d dist/scripts ]; then
+            if grep -rE 'eval\b|new Function\b|\.innerHTML\s*=' dist/scripts/; then
+              echo "ERROR: unsafe pattern detected in dist/scripts/"
+              exit 1
+            fi
+            echo "dist/scripts/ scan: clean"
+          else
+            echo "dist/scripts/ does not exist — scan skipped"
+          fi
+
+      - name: package dist artifact
+        run: tar -czf "dist-${GITHUB_REF_NAME}.tar.gz" dist/
+
+      - name: create release and upload artifact
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        run: |
+          SERVER="${GITHUB_SERVER_URL}"
+          REPO="${GITHUB_REPOSITORY}"
+          TAG="${GITHUB_REF_NAME}"
+
+          RELEASE=$(curl -sf -X POST \
+            "${SERVER}/api/v1/repos/${REPO}/releases" \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\":\"${TAG}\",\"name\":\"${TAG}\"}")
+
+          RELEASE_ID=$(echo "${RELEASE}" | grep -o '"id":[0-9]*' | head -1 | sed 's/"id"://')
+
+          curl -sf -X POST \
+            "${SERVER}/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets" \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -F "attachment=@dist-${TAG}.tar.gz;type=application/gzip"
+
+          echo "Release ${TAG} created (id=${RELEASE_ID})"