Re-organize development commands (#1766)

Attempt to avoid the arbitrary divide between vetting, linting, and
other checks by just naming them all "checks" (and referring to it as
analysis in the Contributing Guidelines).

The only potentially seemingly related categorization left now is checks
and audits. The division here is that "checks" should always pass (are
invariant w.r.t. the commit history) while audits aren't (because
packages may be deprecated or report vulnerability at any time).

On top of that, this includes some minor reformatting of the
Contributing Guidelines, and also introduces `npm-run-all` as a
convenience to run all checks (and audits and tests).

.github/workflows/checks.yml

@@ -8,6 +8,39 @@ on:
 permissions: read-all
 
 jobs:
+  ci:
+    name: CI
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            actions-results-receiver-production.githubapp.com:443
+            api.github.com:443
+            artifactcache.actions.githubusercontent.com:443
+            github.com:443
+            gitlab.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install tooling
+        uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Check
+        run: npm run check:ci
   codeql:
     name: CodeQL
     runs-on: ubuntu-24.04
@@ -38,6 +71,41 @@ jobs:
           languages: javascript
       - name: Perform CodeQL analysis
         uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+  deps:
+    name: Dependencies
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            actions-results-receiver-production.githubapp.com:443
+            api.github.com:443
+            artifactcache.actions.githubusercontent.com:443
+            github.com:443
+            gitlab.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Check dependencies
+        if: ${{ failure() || success() }}
+        run: npm run check:dependencies
+      - name: Check runtime dependency versions
+        if: ${{ failure() || success() }}
+        run: node script/check-runtime-deps.js
   format:
     name: Formatting
     runs-on: ubuntu-24.04
@@ -68,7 +136,69 @@ jobs:
       - name: Install dependencies
         run: npm clean-install
       - name: Check formatting
-        run: npm run format:check
+        run: npm run check:formatting
+  js:
+    name: JavaScript
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            actions-results-receiver-production.githubapp.com:443
+            api.github.com:443
+            artifactcache.actions.githubusercontent.com:443
+            github.com:443
+            gitlab.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Check
+        run: npm run check:js
+  json:
+    name: JSON
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            actions-results-receiver-production.githubapp.com:443
+            api.github.com:443
+            artifactcache.actions.githubusercontent.com:443
+            github.com:443
+            gitlab.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Check
+        run: npm run check:json
   licenses:
     name: Licenses
     runs-on: ubuntu-24.04
@@ -99,9 +229,9 @@ jobs:
       - name: Install dependencies
         run: npm clean-install
       - name: Check licenses
-        run: npm run license-check
-  lint:
-    name: Lint
+        run: npm run check:licenses
+  md:
+    name: MarkDown
     runs-on: ubuntu-24.04
     steps:
       - name: Harden runner
@@ -122,33 +252,15 @@ jobs:
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           persist-credentials: false
-      - name: Install tooling
-        uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
       - name: Install Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           cache: npm
           node-version-file: .nvmrc
       - name: Install dependencies
         run: npm clean-install
-      - name: Lint CI
-        if: ${{ failure() || success() }}
-        run: npm run lint:ci
-      - name: Lint JavaScript
-        if: ${{ failure() || success() }}
-        run: npm run lint:js
-      - name: Lint JSON
-        if: ${{ failure() || success() }}
-        run: npm run lint:json
-      - name: Lint MarkDown
-        if: ${{ failure() || success() }}
-        run: npm run lint:md
-      - name: Lint shell scripts
-        if: ${{ failure() || success() }}
-        run: npm run lint:sh
-      - name: Lint YAML
-        if: ${{ failure() || success() }}
-        run: npm run lint:yml
+      - name: Check
+        run: npm run check:md
   reproducible:
     name: Reproducible build
     runs-on: ubuntu-24.04
@@ -196,6 +308,39 @@ jobs:
           npm pack
       - name: Verify checksum
         run: shasum --check checksums.txt --strict
+  shell:
+    name: Shell scripts
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            actions-results-receiver-production.githubapp.com:443
+            api.github.com:443
+            artifactcache.actions.githubusercontent.com:443
+            github.com:443
+            gitlab.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install tooling
+        uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
+      - name: Install Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Check
+        run: npm run check:sh
   test-breakage:
     name: Breakage
     runs-on: ubuntu-24.04
@@ -538,8 +683,8 @@ jobs:
         run: npm clean-install
       - name: Transpile to CommonJS
         run: npm run transpile
-  vet:
-    name: Vet
+  yaml:
+    name: YAML
     runs-on: ubuntu-24.04
     steps:
       - name: Harden runner
@@ -567,9 +712,5 @@ jobs:
           node-version-file: .nvmrc
       - name: Install dependencies
         run: npm clean-install
-      - name: Vet dependencies
-        if: ${{ failure() || success() }}
-        run: npm run vet:deps
-      - name: Check runtime dependency versions
-        if: ${{ failure() || success() }}
-        run: node script/check-runtime-deps.js
+      - name: Check
+        run: npm run check:yml

.github/workflows/config-npm.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Install dependencies
         run: npm clean-install
       - name: Validate package.json
-        run: npm run vet:package.json
+        run: npm run check:manifest
   package-lock-json:
     name: package-lock.json
     runs-on: ubuntu-24.04
@@ -77,4 +77,4 @@ jobs:
       - name: Install dependencies
         run: npm clean-install
       - name: Validate package-lock.json
-        run: npm run vet:package-lock.json
+        run: npm run check:lockfile