build: use just mise for quality and ci

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

Author: janderssonse

.conform.yaml

@@ -17,6 +17,6 @@ policies:
       body:
         required: false
       conventional:
-        types: ["chore","build", "docs","ci","perf", "refactor", "style", "test", "release"]
+        types: ["chore", "build", "docs", "ci", "perf", "refactor", "style", "test", "release"]
         scopes: [".*"]
         descriptionLength: 92

.github/artifacts.yml

@@ -1,3 +1,4 @@
+---
 # SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
 #
 # SPDX-License-Identifier: CC0-1.0

.github/workflows/openssf-scorecard.yml

@@ -13,7 +13,7 @@ on:
   workflow_dispatch:
 
 permissions:
- contents: read  # Best Security practice. Jobs only get read as base, and then permissions are added as needed
+  contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
 
 jobs:
   scorecard-analysis:
@@ -23,4 +23,4 @@ jobs:
       id-token: write
     uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     with:
-      publish-results: true
+      publish-results: true

.github/workflows/pullrequest-workflow.yml

@@ -9,24 +9,25 @@ on:
   pull_request:
 
 permissions:
-  contents: read  # Best Security practice. Jobs only get read as base, and then permissions are added as needed
+  contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
 
 jobs:
   pr-checks:
     uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
-    secrets: inherit  # Pass org-level secrets (for private dependencies if any)
+    secrets: inherit # Pass org-level secrets (for private dependencies if any)
     permissions:
-      contents: read         # Clone repository and read source code
-      packages: read         # Access GitHub Packages for Maven dependencies
+      contents: read # Clone repository and read source code
+      packages: read # Access GitHub Packages for Maven dependencies
       security-events: write # Upload SpotBugs/dependency check results to Security tab
     with:
       project-type: maven
-      # All linters enabled by default (library needs strict quality checks)
-  
+      linters.megalint: false # Disable heavy MegaLinter
+      linters.justmiselint: true # Enable lightweight just+mise linting
+
   test:
     needs: [pr-checks]
-    if: always()  # Run tests even if linting fails (get complete feedback)
+    if: always() # Run tests even if linting fails (get complete feedback)
     permissions:
-      contents: read  # Access test resources and source code
-      packages: read  # Fetch test dependencies from GitHub Packages
-    uses: ./.github/workflows/test.yml
+      contents: read # Access test resources and source code
+      packages: read # Fetch test dependencies from GitHub Packages
+    uses: ./.github/workflows/test.yml

.github/workflows/release-workflow.yml

@@ -10,28 +10,28 @@ name: Release Workflow
 on:
   push:
     tags:
-      - "v[0-9]+.[0-9]+.[0-9]+"              # Stable: v1.0.0
-      - "v[0-9]+.[0-9]+.[0-9]+-SNAPSHOT*"    # Snapshot: v1.0.0-SNAPSHOT
+      - "v[0-9]+.[0-9]+.[0-9]+" # Stable: v1.0.0
+      - "v[0-9]+.[0-9]+.[0-9]+-SNAPSHOT*" # Snapshot: v1.0.0-SNAPSHOT
 
 concurrency:
   group: release-${{ github.ref }}
-  cancel-in-progress: false  # Queue releases, don't cancel partial releases
+  cancel-in-progress: false # Queue releases, don't cancel partial releases
 
 permissions:
-  contents: read  # Best Security practice. Jobs only get read as base, and then permissions are added as needed
+  contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
 
 jobs:
   release:
     uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@1a7dcd9c5257495ebf141e4e4b4bac438a8aae56 # v2.0.0
     permissions:
-      contents: write         # Create GitHub releases and tags
-      packages: write         # Publish to GitHub Packages (backup)
-      id-token: write        # Generate OIDC token for Maven Central
-      actions: read          # Needed by container job (even if skipped)
-      attestations: write    # Needed by container job (even if skipped)
+      contents: write # Create GitHub releases and tags
+      packages: write # Publish to GitHub Packages (backup)
+      id-token: write # Generate OIDC token for Maven Central
+      actions: read # Needed by container job (even if skipped)
+      attestations: write # Needed by container job (even if skipped)
       security-events: write # Needed by container job (even if skipped)
-    secrets: inherit  # Use org-level MAVEN_CENTRAL credentials and GPG keys
+    secrets: inherit # Use org-level MAVEN_CENTRAL credentials and GPG keys
     with:
       artifacts-config: .github/artifacts.yml
       changelog-creator: git-cliff
-      release-publisher: github-cli
+      release-publisher: github-cli

.github/workflows/test.yml

@@ -5,7 +5,7 @@
 ---
 name: Maven Test
 
-on: [workflow_call]  # yamllint disable-line rule:truthy
+on: [workflow_call] # yamllint disable-line rule:truthy
 
 permissions:
   contents: read
@@ -16,16 +16,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java-version: ['21'] 
+        java-version: ['21']
         os: [ubuntu-latest]
 
-    env: 
-      MAVEN_CLI_OPTS: "--batch-mode --no-transfer-progress --errors --fail-at-end -Dstyle.color=always -DinstallAtEnd=true -DdeployAtEnd=true"
-    
+    env:
+      MAVEN_CLI_OPTS: "--batch-mode --no-transfer-progress --errors --fail-at-end -Dstyle.color=always -DinstallAtEnd=true
+        -DdeployAtEnd=true"
+
     permissions:
       contents: read
       packages: read
-    
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -34,13 +35,12 @@ jobs:
         uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           java-version: ${{ matrix.java-version }}
-          distribution: 'temurin'  # Popular Java distribution
-          cache: 'maven'  # Enables Maven caching
+          distribution: 'temurin' # Popular Java distribution
+          cache: 'maven' # Enables Maven caching
 
       - name: Run tests
-        env: 
+        env:
           GITHUB_ACTOR: ${{ github.actor }}
           PACKAGE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          # shellcheck disable=SC2086 
-          mvn $MAVEN_CLI_OPTS test
+        run: "# Run Maven tests directly (justfile not needed for simple test execution)\n# shellcheck disable=SC2086 \nmvn
+          $MAVEN_CLI_OPTS test\n"

.gitleaks.toml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Gitleaks configuration for secret scanning
+
+[extend]
+# Use default gitleaks rules
+useDefault = true
+
+# Add custom rules or allowlists here if needed

.mise.toml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Tool versions for mise (https://mise.jdx.dev/)
+# Install all tools: mise install
+# Activate in shell: eval "$(mise activate bash)"
+
+[settings]
+experimental = true
+paranoid = true      # Enable strict security checks and verification
+
+[tools]
+
+# Task runner
+"aqua:casey/just" = "1.43.0"
+
+# Linters
+"aqua:rhysd/actionlint" = "v1.7.8"           # GitHub Actions linter
+"aqua:koalaman/shellcheck" = "v0.10.0"       # Shell script linter  
+"aqua:mvdan/sh" = "v3.10.0"                  # Shell formatter (shfmt)
+"ubi:rvben/rumdl" = "v0.0.162"               # Markdown linter
+"aqua:google/yamlfmt" = "v0.19.0"            # YAML formatter
+"aqua:zricethezav/gitleaks" = "v8.28.0"      # Secret scanner
+"aqua:siderolabs/conform" = "v0.1.0-alpha.30" # Commit linter
+
+# License compliance (can also use pip install reuse)
+# For now using container for REUSE as it's already in justfile

.rumdl.toml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Markdown linting configuration for rumdl
+
+[global]
+exclude = ["CHANGELOG.md"]
+disable = ["MD041", "MD024", "MD033"]
+
+[MD013]
+line-length = 140

.yamlfmt

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# YAML formatting configuration for yamlfmt
+
+formatter:
+  type: basic
+  indent: 2
+  include_document_start: true
+  retain_line_breaks: true
+  max_line_length: 120