ci: use reusable-ci v1

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

Author: janderssonse

.github/workflows/openssfscorecard.yml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2025 diggsweden/wallet-provider
+#
+# SPDX-License-Identifier: CC0-1.0
+
+---
+name: OpenSSF Scorecard analysis
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    # Weekly on Sundays at 01:30 UTC
+    - cron: "30 1 * * 0"
+
+permissions:
+  contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
+
+jobs:
+  scorecard-analysis:
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@v1

.github/workflows/pullrequest-workflow.yml

@@ -6,45 +6,36 @@
 name: Pull Request Workflow
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
       - main
+      - develop
+      - "release/**"
+      - "feature/**"
 
 permissions:
-  contents: read
+  contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  commitlint:
-    uses: diggsweden/.github/.github/workflows/commit-lint.yml@main
-  # dependencyreviewlint:
-  #   uses: diggsweden/.github/.github/workflows/dependency-review.yml@main
-  #   # Disabled: requires GitHub Advanced Security ($19/month for private repos)
-  licenselint:
-    uses: diggsweden/.github/.github/workflows/license-lint.yml@main
-  misclint:
+  pr-checks:
+    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@v1
+    secrets: inherit # Pass org-level secrets (for private Maven dependencies)
     permissions:
-      contents: read
-      security-events: write
-    uses: diggsweden/.github/.github/workflows/megalint.yml@main
+      contents: read # Clone repository and read source code
+      packages: read # Access GitHub Packages for Maven dependencies
+      security-events: write # Upload SpotBugs/dependency check results to Security tab
+    with:
+      projectType: maven
+      linters.dependencyreview: false # Disabled: requires GitHub Advanced Security
+
   test:
+    needs: [pr-checks]
+    if: always() # Run tests even if linting fails (get complete feedback)
     permissions:
-      contents: read
-    if: always()
-    needs: [licenselint, commitlint, misclint]
+      contents: read # Access test resources and source code
+      packages: read # Fetch test dependencies from GitHub Packages
     uses: ./.github/workflows/test.yml
-  build-image:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write # Required for SLSA provenance
-      actions: read # Required for SLSA provenance v2
-    if: always()
-    needs: [licenselint, commitlint, misclint, test]
-    uses: ./.github/workflows/release-publish.yml

.github/workflows/release-dev-workflow.yml

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2025 diggsweden/wallet-provider
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Release Workflow Dev
+#
+# This workflow triggers the dev release orchestrator for development and feature branches.
+# It creates dev-tagged artifacts and container images for testing.
+#
+# Triggers:
+# - Push to dev/* or feat/* branches
+# - Manual workflow dispatch
+#
+# Created artifacts:
+# - Container images with dev tags
+# - See release summary for full details
+
+name: Release Workflow Dev
+
+on:
+  workflow_dispatch:
+
+jobs:
+  dev-release:
+    permissions:
+      contents: read # Read code for building
+      packages: write # Push dev images to ghcr.io
+    uses: diggsweden/reusable-ci/.github/workflows/release-dev-orchestrator.yml@v1
+    with:
+      projectType: maven
+      containerfile: "Containerfile"
+    secrets: inherit

.github/workflows/release-publish.yml

@@ -2,41 +2,51 @@
 #
 # SPDX-License-Identifier: CC0-1.0
 
+# Release Workflow for wallet-provider
+# Maven application with container image publishing
+---
 name: Release Workflow
 
 on:
   push:
     tags:
-      - "v[0-9]*.[0-9]*" # Forces at least vX.Y and then allows anything after
+      - "v[0-9]+.[0-9]+.[0-9]+" # Stable: v1.0.0
+      - "v[0-9]+.[0-9]+.[0-9]+-alpha*" # Alpha: v1.0.0-alpha.1
+      - "v[0-9]+.[0-9]+.[0-9]+-beta*" # Beta: v1.0.0-beta.1
+      - "v[0-9]+.[0-9]+.[0-9]+-rc*" # RC: v1.0.0-rc.1
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false # Queue releases, don't cancel partial releases
 
 permissions:
-  contents: read
+  contents: read # Best Security practice. Jobs only get read as base, and then permissions are added as needed
 
 jobs:
-  version-bump:
-    secrets: inherit
+  release:
+    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@v1
     permissions:
-      contents: write
-      packages: read
-    uses: diggsweden/.github/.github/workflows/version-bump-changelog.yml@main
+      contents: write # Create GitHub releases and tags
+      packages: write # Publish JARs to GitHub Packages and images to ghcr.io
+      id-token: write # Generate OIDC token for SLSA provenance attestation
+      actions: read # Read workflow runs for SLSA provenance generation
+      security-events: write # Upload vulnerability scan results from container scanning
+      attestations: write # Attach SBOM attestation to container images
+    secrets: inherit # Use org-level GPG keys, Maven credentials if configured
     with:
-      updatePom: true
-      file_pattern: pom.xml CHANGELOG.md
+      # Project configuration
+      projectType: maven # Build system type (determines version file location)
 
-  publish:
-    needs: [version-bump]
-    permissions:
-      contents: read
-      packages: write
-      id-token: write # Required for SLSA provenance
-      actions: read # Required for SLSA provenance v2
-    uses: ./.github/workflows/release-publish.yml
+      # Artifact publisher configuration
+      artifactPublisher: maven-app-github # Publishes JAR to GitHub Packages
 
-  release:
-    needs: [publish]
-    permissions:
-      contents: write
-      packages: write
-      id-token: write
-    secrets: inherit
-    uses: ./.github/workflows/release.yml
+      # Container builder configuration
+      containerBuilder: containerimage-ghcr # Build and push Docker image to ghcr.io
+      container.platforms: "linux/amd64,linux/arm64" # Multi-arch support for Intel and ARM
+      container.containerfile: "Containerfile" # Container build file
+
+      # Changelog configuration
+      changelogCreator: git-cliff # Generate changelog from conventional commits
+
+      # Release publisher configuration
+      releasePublisher: github-cli # Creates GitHub release with changelog and artifacts