feat: Add GitHub Actions for CI/CD and security scanning

- Add publish workflow for automatic npm publishing
- Add CI workflow for PR validation
- Add version bump workflow for easy releases
- Add security scanning with TruffleHog and Trivy
- Add pre-commit hooks for local secret detection
- Fix Bing Webmaster API client lifecycle issue
- Add internal docs directory for sensitive documentation
- Add version sync script to keep package.json and Python versions aligned

Author: isiahw1

.env.example

@@ -4,4 +4,4 @@
 BING_WEBMASTER_API_KEY=your_api_key_here
 
 # Optional: Logging level (DEBUG, INFO, WARNING, ERROR)
-# LOG_LEVEL=INFO
+# LOG_LEVEL=INFO

.github/workflows/README.md

@@ -0,0 +1,75 @@
+# GitHub Actions Workflows
+
+This directory contains automated workflows for CI/CD:
+
+## Workflows
+
+### 1. CI (`ci.yml`)
+- **Triggers**: Pull requests and pushes to non-main branches
+- **Purpose**: Run tests and validation on multiple OS and runtime versions
+- **Matrix**: Tests on Ubuntu, Windows, macOS with Node.js 18.x/20.x and Python 3.10/3.11/3.12
+
+### 2. Publish (`publish.yml`)
+- **Triggers**:
+  - Push to main branch
+  - GitHub release creation
+  - Manual workflow dispatch
+- **Purpose**: Automatically publish to npm when version changes
+- **Features**:
+  - Checks if version already exists on npm
+  - Only publishes new versions
+  - Creates GitHub releases automatically
+
+### 3. Version Bump (`version-bump.yml`)
+- **Triggers**: Manual workflow dispatch
+- **Purpose**: Bump version numbers in both package.json and Python files
+- **Options**: patch, minor, or major version bumps
+
+## Setup Required
+
+### 1. NPM Token
+1. Go to https://www.npmjs.com/
+2. Sign in to your account
+3. Click on your profile → Access Tokens
+4. Generate a new Classic Token with "Automation" type
+5. Copy the token
+
+### 2. Add Secret to GitHub
+1. Go to your repository settings
+2. Navigate to Secrets and variables → Actions
+3. Click "New repository secret"
+4. Name: `NPM_TOKEN`
+5. Value: Paste your npm token
+6. Click "Add secret"
+
+## Usage
+
+### Automatic Publishing
+1. Update version in `package.json`
+2. Update version in `mcp_server_bwt/version.py`
+3. Commit and push to main
+4. GitHub Actions will automatically publish to npm
+
+### Manual Version Bump
+1. Go to Actions tab in GitHub
+2. Select "Version Bump" workflow
+3. Click "Run workflow"
+4. Select version type (patch/minor/major)
+5. The workflow will:
+   - Bump versions in both files
+   - Create commits
+   - Push changes back to main
+   - Trigger the publish workflow
+
+### Creating a Release
+1. Go to Releases in GitHub
+2. Click "Create a new release"
+3. Create a tag (e.g., v1.0.1)
+4. The publish workflow will automatically run
+
+## Best Practices
+
+1. Always ensure tests pass before merging to main
+2. Use semantic versioning (major.minor.patch)
+3. Keep package.json and Python versions in sync
+4. Add `[skip ci]` to commit messages to skip CI runs

.github/workflows/ci.yml

@@ -0,0 +1,59 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches-ignore: [main]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        node-version: [18.x, 20.x]
+        python-version: ['3.10', '3.11', '3.12']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          curl -LsSf https://astral.sh/uv/install.sh | sh
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+      - name: Install uv (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          irm https://astral.sh/uv/install.ps1 | iex
+          echo "$env:USERPROFILE\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          uv pip install --python python${{ matrix.python-version }} -e .
+
+      - name: Run validation
+        run: npm run validate
+
+      - name: Run tests
+        run: npm test
+
+      - name: Test Python import
+        run: |
+          python -c "from mcp_server_bwt import version; print('Version:', version.__version__)"
+
+      - name: Check package
+        run: npm run check-publish

.github/workflows/publish.yml

@@ -0,0 +1,118 @@
+name: Publish to npm
+
+on:
+  push:
+    branches:
+      - main
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x]
+        python-version: ['3.10', '3.11', '3.12']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv
+        run: |
+          curl -LsSf https://astral.sh/uv/install.sh | sh
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          uv pip install --python python${{ matrix.python-version }} -e .
+
+      - name: Run validation
+        run: npm run validate
+
+      - name: Test Python import
+        run: |
+          python -c "from mcp_server_bwt import version; print('Version:', version.__version__)"
+
+  publish:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install uv
+        run: |
+          curl -LsSf https://astral.sh/uv/install.sh | sh
+          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          uv pip install --python python3.11 -e .
+
+      - name: Check if version changed
+        id: version-check
+        run: |
+          # Get the current version from package.json
+          CURRENT_VERSION=$(node -p "require('./package.json').version")
+          echo "current_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+
+          # Check if this version is already published
+          if npm view @isiahw1/mcp-server-bing-webmaster@$CURRENT_VERSION version 2>/dev/null; then
+            echo "Version $CURRENT_VERSION already exists on npm"
+            echo "should_publish=false" >> $GITHUB_OUTPUT
+          else
+            echo "Version $CURRENT_VERSION not found on npm, will publish"
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build
+        if: steps.version-check.outputs.should_publish == 'true'
+        run: npm run build
+
+      - name: Publish to npm
+        if: steps.version-check.outputs.should_publish == 'true'
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Create GitHub Release (if push to main)
+        if: github.event_name == 'push' && steps.version-check.outputs.should_publish == 'true'
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ steps.version-check.outputs.current_version }}
+          release_name: Release v${{ steps.version-check.outputs.current_version }}
+          body: |
+            Automated release for version ${{ steps.version-check.outputs.current_version }}
+
+            ## Changes
+            See [commit history](https://github.com/${{ github.repository }}/compare/v${{ steps.version-check.outputs.previous_version }}...v${{ steps.version-check.outputs.current_version }}) for details.
+          draft: false
+          prerelease: false

.github/workflows/security.yml

@@ -0,0 +1,47 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    # Run weekly on Mondays at 9 AM UTC
+    - cron: '0 9 * * 1'
+
+jobs:
+  trufflehog:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+
+  dependencies:
+    name: Dependency Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/version-bump.yml

@@ -0,0 +1,53 @@
+name: Version Bump
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version type (patch, minor, major)'
+        required: true
+        default: 'patch'
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+jobs:
+  version-bump:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+
+      - name: Configure Git
+        run: |
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Bump version
+        run: |
+          npm version ${{ github.event.inputs.version }} -m "chore: bump version to %s [skip ci]"
+          VERSION=$(node -p "require('./package.json').version")
+          echo "new_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Update Python version file
+        run: |
+          echo "__version__ = \"${{ env.new_version }}\"" > mcp_server_bwt/version.py
+          git add mcp_server_bwt/version.py
+          git commit -m "chore: update Python version to ${{ env.new_version }} [skip ci]"
+
+      - name: Push changes
+        run: |
+          git push
+          git push --tags

.gitignore

@@ -179,4 +179,7 @@ results/
 # API keys and secrets
 .env
 .env.*
-!.env.example
+!.env.example
+
+# Internal documentation (not for public)
+.internal-docs/