fix: upgrade to reuseable-ci 2.6.x and just (#475)

* build: update justfile and reuseable-ci

* fix: correct lintwarning multiple run for container

* ci: use reuseable ci 2.6.0

---------

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

Author: janderssonse

.conform.yaml

@@ -1,8 +1,3 @@
-# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
-#
-# SPDX-License-Identifier: CC0-1.0
-
----
 policies:
   - type: commit
     spec:
@@ -17,6 +12,6 @@ policies:
       body:
         required: false
       conventional:
-        types: ['chore', 'build', 'docs', 'ci', 'perf', 'refactor', 'style', 'test', 'release']
-        scopes: ['.*']
+        types: ["build", "chore", "docs", "ci", "perf", "refactor", "style", "test", "release"]
+        scopes: [".*"]
         descriptionLength: 92

.github/artifacts.yml

@@ -5,7 +5,6 @@
 # Artifacts Configuration for rest-api-profil-lint-processor
 # NPM CLI application with container
 # Package tarballs will be attached to GitHub Release as assets
-
 artifacts:
   - name: raplp
     project-type: npm
@@ -15,7 +14,6 @@ artifacts:
       - github-packages
     config:
       node-version: 24
-
 # Container builds from source (no artifact dependency)
 # Containerfile copies source code and runs npm install
 containers:

.github/workflows/openssf-scorecard.yml

@@ -1,20 +1,16 @@
 # SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
 #
 # SPDX-License-Identifier: CC0-1.0
-
----
 name: OpenSSF Scorecard Analysis
 on:
   schedule:
     # Saturdays at 02:20 UTC
-    - cron: "20 2 * * 6"
+    - cron: '20 2 * * 6'
     # Wednesdays at 02:20 UTC
-    - cron: "20 2 * * 3"
+    - cron: '20 2 * * 3'
   workflow_dispatch:
-
 permissions:
   contents: read
-
 jobs:
   scorecard-analysis:
     permissions:

.github/workflows/pullrequest-workflow.yml

@@ -1,21 +1,16 @@
 # SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
 #
 # SPDX-License-Identifier: CC0-1.0
-
----
 name: Pull Request Workflow
-
 on:
   pull_request:
     branches:
       - main
       - develop
       - 'release/**'
       - 'feature/**'
-
 permissions:
   contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
-
 jobs:
   pr-checks:
     uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@e1e1387d5b0399bb5edb00e40485746772344176 # v2.6.0
@@ -26,10 +21,12 @@ jobs:
       security-events: write # Upload ESLint/security findings to GitHub Security tab
     with:
       project-type: npm
-      # MegaLinter is disabled for this project
-      linters.megalint: false # Skip MegaLinter
+      # Use devbase-check linting (replaces megalint, commitlint, licenselint)
+      linters.devbasecheck: true
+      linters.megalint: false
+      linters.commitlint: false
+      linters.licenselint: false
       linters.publiccodelint: true
-
   test:
     needs: [pr-checks]
     if: always() # Run tests even if linting fails (get full CI feedback)

.github/workflows/release-dev-workflow.yml

@@ -17,15 +17,11 @@
 # - NPM package: @diggsweden/rest-api-profil-lint-processor@0.5.9-dev-feat-name-abc1234
 # - Container image: ghcr.io/diggsweden/rest-api-profil-lint-processor:0.5.9-dev-feat-name-abc1234
 # - Tagged with 'dev' (not 'latest')
-
 name: Release Workflow Dev
-
 on:
   workflow_dispatch:
-
 permissions:
   contents: read
-
 jobs:
   dev-release:
     permissions:

.github/workflows/release-workflow.yml

@@ -4,24 +4,19 @@
 
 # Release Workflow for rest-api-profil-lint-processor
 # Uses the unified release orchestrator for NPM packages
----
 name: Release
-
 on:
   push:
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+' # Stable: v1.0.0
       - 'v[0-9]+.[0-9]+.[0-9]+-alpha*' # Alpha: v1.0.0-alpha.1
       - 'v[0-9]+.[0-9]+.[0-9]+-beta*' # Beta: v1.0.0-beta.1
       - 'v[0-9]+.[0-9]+.[0-9]+-rc*' # RC: v1.0.0-rc.1
-
 concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false # Queue releases, don't cancel partial releases
-
 permissions:
   contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
-
 jobs:
   release:
     uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@e1e1387d5b0399bb5edb00e40485746772344176 # v2.6.0

.mise.toml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+[settings]
+experimental = true
+paranoid = true
+
+[env]
+HTTP_PROXY = "{{ get_env(name='HTTP_PROXY', default='') }}"
+HTTPS_PROXY = "{{ get_env(name='HTTPS_PROXY', default='') }}"
+NO_PROXY = "{{ get_env(name='NO_PROXY', default='') }}"
+http_proxy = "{{ get_env(name='http_proxy', default='') }}"
+https_proxy = "{{ get_env(name='https_proxy', default='') }}"
+no_proxy = "{{ get_env(name='no_proxy', default='') }}"
+PIP_INDEX_URL = "{{ get_env(name='PIP_INDEX_URL', default='') }}"
+
+[tools]
+node = "22"
+"aqua:casey/just" = "1.43.0"
+"aqua:rhysd/actionlint" = "v1.7.8"
+"aqua:siderolabs/conform" = "v0.1.0-alpha.30"
+"aqua:zricethezav/gitleaks" = "v8.29.1"
+"ubi:rvben/rumdl" = "v0.0.173"
+"aqua:koalaman/shellcheck" = "v0.11.0"
+"aqua:mvdan/sh" = "v3.12.0"
+"aqua:google/yamlfmt" = "v0.20.0"
+"aqua:hadolint/hadolint" = "v2.12.0"
+"pipx:reuse" = "6.2.0"

.yamlfmt

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+exclude:
+  - apis/
+  - node_modules/
+  - dist/
+  - coverage/

Containerfile

@@ -11,9 +11,8 @@ RUN npm ci --no-audit --no-fund --ignore-scripts
 
 COPY . .
 
-RUN npm run build
-
-RUN npm prune --omit=dev
+RUN npm run build && \
+    npm prune --omit=dev
 
 FROM node:24.11.0-slim AS runtime
 ENV NODE_ENV=production

REUSE.toml

@@ -6,7 +6,7 @@ version = 1
 
 # configurations
 [[annotations]]
-path = ["CHANGELOG.md","tsconfig.json","package.json","package-lock.json"]
+path = ["CHANGELOG.md","tsconfig.json","package.json","package-lock.json",".conform.yaml"]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2025 Digg - Agency for Digital Government"
 SPDX-License-Identifier = "CC0-1.0"