
VCST-5054: Node dependencies actualization#241

Open
AndrewEhlo wants to merge 18 commits into
masterfrom
VCST-5054


@AndrewEhlo
Contributor

@AndrewEhlo AndrewEhlo commented May 27, 2026

Summary

Stands up an ncc-based build pipeline and end-to-end Dependabot integration for the bundled Node actions in this repo, replacing the manual "rebuild dist/ on a developer machine" workflow. Originating signal: a recent publish-artifact-link invocation crashed with an unhandled-rejection stack trace on a transient GitHub 502, surfacing the broader problem that npm dependencies across actions had been drifting freely (@actions/github versions ranged from ^3.0.0 to ^8.0.0) with no signal that anything was outdated, no guard against committing src/ without a matching dist/ rebuild, and no automation to keep them current.

What lands on master

  • npm run build (ncc 0.38.4) added to 35 actions; every dist/ regenerated as a one-shot baseline reset. publish-artifact-link is the canonical template documented in README.md.
  • .github/dependabot.yml — npm ecosystem entry across all action directories. Minor+patch grouped per action; majors individual; 10-PR open limit.
  • .github/workflows/check-dist.yml — on every PR touching */src/**, */index.js, */package.json, */package-lock.json, or */tsconfig.json: rebuilds the affected actions' dist/ and fails the PR if it differs from what's committed. Drift guard against "edited src/ but forgot to rebuild" and silent dep drift.
  • .github/workflows/dependabot-rebuild.yml — on Dependabot npm PRs: regenerates dist/ and pushes back to the PR branch so check-dist passes without a maintainer running npm run build locally.
  • gh-deployments — @vercel/ncc bumped 0.33.1 → ^0.38.0 (old version failed ERR_OSSL_EVP_UNSUPPORTED on modern Node) and a package-lock.json committed for the first time.
  • changelog-generator — package-lock.json committed for the first time (was previously blocked by a package-lock.json entry in root .gitignore).
  • create-deploy-pr — missing js-yaml runtime dep added; bundle rebuilt. Was de-synced from src/index.ts imports.
  • .gitignore — three stale entries removed (package-lock.json, **/dist/index.js.map, **/dist/LICENSES) that conflicted with the new pipeline. Un-ignores added for the 9 legacy unbundled actions whose committed node_modules/ ships as the deployment artifact.
  • .gitattributes — enforces LF on **/dist/** to prevent Windows checkouts from producing phantom diffs against bundles emitted by ncc.
  • node_modules/ detracked from 18 bundled-action directories where it had been committed despite already being gitignored. Bulk of the deletion count comes from here (~10 400 files).
  • README.md — new "Bundled Node actions: build and dependency hygiene" section covering layout, local rebuild flow, Dependabot + check-dist mechanics, how to add a new bundled action, and the legacy-unbundled list with the migration recipe pointer.

Action coverage matrix

| Style | Count | This PR | Pipeline coverage going forward |
|---|---|---|---|
| TS bundled (src/index.ts) | 33 | Build script added, dist/ rebuilt, node_modules/ detracked | Full: Dependabot + check-dist + auto-rebuild |
| JS root-bundled (changelog-generator) | 1 | Lockfile committed, dist/ rebuilt | Full |
| TS forked-upstream (gh-deployments, src/main.ts) | 1 | ncc bumped, lockfile committed, dist/ rebuilt | Full |
| Legacy unbundled (root index.js + tracked node_modules/) | 9 | Unchanged; gitignore exception added | Dependabot opens npm PRs; both workflows skip with ::notice:: log. Maintainer must npm install locally and commit node_modules/. Migration to ncc is the follow-up. |
| Missing package.json (docker-install-theme) | 1 | Unchanged | None |

Diff scale

Large by line count, narrow by intent:

  • ~10 400 deletions = node_modules/ detracked from 18 directories.
  • ~190 000 insertions / 3.5 M-line deletion in git diff --stat is dominated by the same node_modules/ move (and the few legacy bundles that ship their tree).
  • The actual reviewable surface is .github/, root config files, and per-action package.json + dist/index.js.

Test plan

  • pin-check passes on the new workflow files
  • check-dist runs and passes on this PR (proves the workflow itself executes and the 35 committed bundles match CI's rebuild)
  • Adversarial: on a throwaway commit, touch publish-artifact-link/src/index.ts without rebuilding dist/; confirm check-dist fails with the stale-bundle error; rebuild, confirm it passes
  • Consumer canary: temporarily pin one vc-module-* dev workflow's uses: to this PR's head SHA for publish-artifact-link and one docker-* action; trigger a real run; confirm green; revert the pin before merge
  • Post-merge: watch first scheduled Dependabot run. Confirm npm PRs open, dependabot-rebuild regenerates dist/, and check-dist then passes without manual intervention
  • Post-merge: when Dependabot opens an npm PR for one of the 9 legacy actions, confirm both workflows skip it via the documented ::notice:: path

Out of scope, tracked separately

  • Migration of the 9 legacy unbundled actions to ncc. Recipe documented in README.md; separate ticket queued.
  • docker-install-theme reconstruction (missing package.json entirely).
  • Tier-3 canary mechanism (introduce a moving @v1 major-version tag so consumers stop referencing @master).
  • Tier-2 runtime smoke tests for read-only actions.

Reviewer notes

The diff is large because of the one-shot baseline dist/ rebuild and the node_modules/ detrack — both intentional, neither will recur. Focus areas:


Note

Medium Risk
dependabot-rebuild uses pull_request_target with contents: write and a PAT to push to PR branches; guards (author login, SHA pin, env indirection) reduce but do not eliminate supply-chain workflow risk. Runtime behavior of all regenerated action bundles changes when merged.

Overview
Introduces an ncc-based build contract for bundled Node actions: committed dist/index.js must match npm ci && npm run build, with Dependabot npm keeping lockfiles current and automation so PRs do not merge stale bundles.

CI and config: Adds check-dist (rebuild affected actions on PRs touching source/deps, smoke-require the bundle, diff only dist/index.js + license files) and dependabot-rebuild (pull_request_target, author-gated to dependabot[bot], checkout pinned to head.sha, push rebuilt dist/ via REPO_TOKEN). Extends Dependabot with weekly npm updates per top-level action directory (grouped minor/patch, 10 open PR cap). .gitattributes forces LF on */dist/**; .gitignore stops ignoring lockfiles/dist maps, ignores .env, and re-includes node_modules/ only for nine legacy unbundled actions. remove-file job is restricted to workflow_dispatch.

Contributor docs: README documents bundled vs legacy layouts, local rebuild with npm ci, and how the two workflows interact.

Action hygiene (bulk of the diff, not all shown in the snippet): Standardizes npm run build + regenerated dist/ across bundled actions, detracks mistakenly committed node_modules/, commits missing lockfiles, and fixes targeted dep/bundle gaps (e.g. create-deploy-pr / js-yaml, gh-deployments ncc on modern Node).

Reviewed by Cursor Bugbot for commit d3589cc. Bugbot is set up for automated code reviews on this repo. Configure here.
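The drift check that check-dist performs (rebuild the affected actions, diff only dist/index.js and the license files, skip the legacy unbundled actions with a ::notice::), written out as an added example script that a workflow step could call; this is not the PR's own check-dist.yml. It assumes BASE_SHA and HEAD_SHA reach the script through the step's env: block rather than ${{ }} interpolation into the run body (the injection guard the PR's workflows rely on), and the legacy action names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the repo's check-dist.yml). Run from the repository root with
# CHECK_DIST_RUN=1 BASE_SHA=<base sha> HEAD_SHA=<head sha>; both SHAs must come from
# the workflow's env: block, never from ${{ }} interpolation into the script text.
set -eu

# Placeholder list: the nine legacy unbundled actions (root index.js + tracked node_modules/).
LEGACY_ACTIONS="${LEGACY_ACTIONS:-legacy-action-a legacy-action-b}"

# Map changed paths (one per line on stdin) to the top-level action directories whose
# bundle must be rebuilt; mirrors the check-dist trigger globs */src/**, */index.js,
# */package.json, */package-lock.json and */tsconfig.json.
affected_actions() {
  awk -F/ 'NF >= 2 && ($2 == "src" || $2 == "index.js" || $2 == "package.json" ||
           $2 == "package-lock.json" || $2 == "tsconfig.json") { print $1 }' | sort -u
}

# True when the directory is one of the legacy unbundled actions.
is_legacy() {
  local dir="$1" name
  for name in $LEGACY_ACTIONS; do [ "$name" = "$dir" ] && return 0; done
  return 1
}

# Rebuild one action from its lockfile and fail if the committed bundle differs.
check_action() {
  local dir="$1"
  if is_legacy "$dir"; then
    echo "::notice::$dir is a legacy unbundled action; not rebuilt by this check"
    return 0
  fi
  (cd "$dir" && npm ci && npm run build)
  # Only the bundle and license output are compared, so map files and other
  # build noise cannot produce false drift failures.
  if ! git diff --quiet --exit-code -- "$dir/dist/index.js" \
       "$dir/dist/LICENSES" "$dir/dist/licenses.txt"; then
    echo "::error::$dir/dist/ is stale: run 'npm run build' in $dir and commit dist/"
    return 1
  fi
}

main() {
  local dir rc=0
  for dir in $(git diff --name-only "${BASE_SHA:?}" "${HEAD_SHA:?}" | affected_actions); do
    check_action "$dir" || rc=1
  done
  return "$rc"
}

if [ "${CHECK_DIST_RUN:-0}" = 1 ]; then main; fi
```

With CHECK_DIST_RUN unset the file only defines the functions, so it can be sourced and exercised without network access or a checkout.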

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


Reviewed by Cursor Bugbot for commit 9eb3075. Configure here.
