ci: CI-adjustments (#381)

* ci(workflows): pin action versions

This commit uses the standard convention of specifying the versions
of GitHub actions in a semver comment after the SHA.
Tools like renovate will use this, and pick it up.

It will lead to better PR's from renovate, where instead of
getting PR's like
Currently diff: 2342342342 -> 344939345328
With this: v4.2.3 -> v4.2.4

Dont worry though, the SHA-hash is still connected to
the version. If not, Renovate will adjust/correct this.

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

* build(codequality): add missing license check

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

* ci(commit): extend description length

The default setting for the lint committer
(conform) is 72 for description length.

This will at times leads to fails, as for
example tools like Dependabot and Renovate
sometimes adds longer commits messages.
Bumping it to 92 in length, has worked fine
in other projects, so should be fine here to
even for those longer cases.

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

---------

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

Author: janderssonse

.conform.yaml

@@ -19,3 +19,4 @@ policies:
       conventional:
         types: ['chore', 'build', 'docs', 'ci', 'perf', 'refactor', 'style', 'test', 'release']
         scopes: ['.*']
+        descriptionLength: 92

.github/workflows/publish-image.yaml

@@ -19,29 +19,29 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.3.0
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.5.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.11.0
 
       - name: Inspect builder
         run: |
           echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
 
       - name: Log in to the Container registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for distribution image
         id: metadist
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -53,7 +53,7 @@ jobs:
             type=raw,value=${{ env.IMAGE_NAME }}-{{tag}}-{{date 'YYYYMMDD'}}-{{sha}},priority=32, enable=${{ startsWith(github.ref, 'refs/tags/v') }}
 
       - name: Build and push distribution image
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v6.17.0
         with:
           context: .
           file: Containerfile

.github/workflows/publish-package.yaml

@@ -13,10 +13,10 @@ jobs:
       packages: write
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.3.0
 
       # Setup .npmrc file to publish to GitHub Packages
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.3.0
         with:
           node-version: "22.x"
           registry-url: "https://npm.pkg.github.com"

.github/workflows/test.yaml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.3.0
 
       - name: Set up Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.3.0
         with:
           node-version: "22.15.0"
 

development/code_quality.sh

@@ -48,7 +48,7 @@ store_exit_code() {
 lint_and_format() {
   export MEGALINTER_DEF_WORKSPACE='/repo'
   print_header 'LINTER HEALTH (MEGALINTER)'
-  podman run --rm --volume "$(pwd)":/repo -e MEGALINTER_CONFIG='development/megalinter.yml' -e DEFAULT_WORKSPACE=${MEGALINTER_DEF_WORKSPACE} -e LOG_LEVEL=INFO ghcr.io/oxsecurity/megalinter-javascript:v8.7.0
+  podman run --rm --volume "$(pwd)":/repo -e MEGALINTER_CONFIG='development/megalinter.yml' -e DEFAULT_WORKSPACE=${MEGALINTER_DEF_WORKSPACE} -e LOG_LEVEL=INFO ghcr.io/oxsecurity/megalinter-javascript:v8.8.0
   store_exit_code "$?" "Lint" "${MISSING} ${RED}Lint check failed, see logs (std out and/or ./megalinter-reports) and fix problems.${NC}\n" "${GREEN}${CHECKMARK}${CHECKMARK} Lint check passed${NC}\n"
   printf '\n\n'
 }
@@ -70,6 +70,13 @@ commit() {
   printf '\n\n'
 }
 
+license() {
+  print_header 'LICENSE HEALTH (REUSE)'
+  podman run --rm --volume "$(pwd)":/data docker.io/fsfe/reuse:5.0.2-debian lint
+  store_exit_code "$?" "License" "${MISSING} ${RED}License check failed, see logs and fix problems.${NC}\n" "${GREEN}${CHECKMARK}${CHECKMARK} License check passed${NC}\n"
+  printf '\n\n'
+}
+
 check_exit_codes() {
   printf '%b********* CODE QUALITY RUN SUMMARY ******%b\n\n' "${YELLOW}" "${NC}"
 
@@ -98,5 +105,6 @@ is_command_available 'npm' 'https://nodejs.org/'
 
 lint_and_format
 commit
+license
 
 check_exit_codes