Add zip export & resolve issues

.github/.actionlint.yaml

@@ -0,0 +1,19 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels: []
+
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null
+
+# Configuration for file paths. The keys are glob patterns to match to file
+# paths relative to the repository root. The values are the configurations for
+# the file paths. Note that the path separator is always '/'.
+# The following configurations are available.
+#
+# "ignore" is an array of regular expression patterns. Matched error messages
+# are ignored. This is similar to the "-ignore" command line option.
+paths:
+  .github/workflows/**/*.yml:
+    ignore: []

.github/SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a vulnerability, please follow these guidelines:
+
+- **Known fixes**: If you have a clear fix for a security issue, please open a pull request describing the problem and your solution.
+- **Non-trivial issues**: For security issues that require discussion or are not straightforward, please open a GitHub issue with as much detail as possible (but avoid sharing sensitive exploit details publicly).
+- **Severe vulnerabilities**: For critical or high-impact vulnerabilities, please contact the developers directly at <contact@mjanglin.com>. We will respond as quickly as possible.
+
+Thank you for helping keep this project secure!

.github/workflows/ci.yml

@@ -2,7 +2,7 @@ name: CI
 
 on:
   push:
-    branches: [master]
+    branches: [master, dev]
   pull_request:
     branches: [master]
 
@@ -28,11 +28,11 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
 
       - uses: pnpm/action-setup@v2
         with:
-          version: 9
+          version: 11
 
       - uses: dtolnay/rust-toolchain@stable
         with:

.github/workflows/codeql.yml

@@ -0,0 +1,25 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [master, dev]
+  pull_request:
+    branches: [master, dev]
+
+jobs:
+  analyze:
+    permissions:
+      security-events: write
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+
+      - uses: github/codeql-action/autobuild@v3
+
+      - uses: github/codeql-action/analyze@v3

.github/workflows/release.yml

@@ -4,18 +4,16 @@ on:
   push:
     branches: [master]
 
-# release-please needs write access to create PRs, releases, and tags
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   # ──────────────────────────────────────────────────────────
   # Job 1: release-please analyzes conventional commits and
   # either opens/updates a "Release PR" or, when that PR is
   # merged, creates a git tag + GitHub Release.
   # ──────────────────────────────────────────────────────────
   release-please:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
@@ -58,14 +56,16 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
 
       - uses: pnpm/action-setup@v2
         with:
-          version: 9
+          version: 11
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions-rs/toolchain@v1
         with:
+          toolchain: stable
+          override: true
           # On macOS, install both arch targets for the universal binary
           targets: ${{ matrix.rust-targets }}