chore(ci): Fix workflows

.github/workflows/build-and-test.yaml

@@ -1,251 +1,18 @@
 name: "Build and Test Client"
 
-env:
-  do_sonarscan: >-
-    ${{ (github.event_name == 'push' ||
-      github.event.pull_request.head.repo.full_name == github.repository) &&
-      github.actor != 'dependabot[bot]' }}
-
 on:
   pull_request:
   push:
     branches:
       - main
       - "release/**"
-jobs:
-  ccc:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./lib
-    timeout-minutes: 5
-    steps:
-      - name: Conventional Commits Check
-        if: contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name)
-        id: conventional-commits
-        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          # Types include:
-          #   - fix: fixes
-          #   - feat: features and enhancements
-          #   - chore: non-feature or enhancement (i.e. docs, ci, linting, automated, etc)
-          types: |
-            fix
-            feat
-            chore
-            revert
-          # Scopes include:
-          #   - sdk: changes to @opentdf/sdk (was lib)
-          #   - cli: changes to @opentdf/ctl
-          #   - ci: anything related to ci
-          #   - tests: test only changes
-          #   - docs: anything related solely to documentation
-          scopes: |
-            ci
-            cli
-            docs
-            sdk
-            tests
-
-  lib:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./lib
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-        with:
-          fetch-depth: ${{ !fromJSON(env.do_sonarscan) && 1 || 0 }}
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e #v4.3.0
-        with:
-          node-version: '22'
-          cache: 'npm'
-          cache-dependency-path: './lib/package-lock.json'
-      - run: npm ci
-      - run: npm test
-      - uses: fingerprintjs/action-coverage-report-md@72dfb7de7581612640a8e599e918b2eda98f9bba #v2.0.1
-        id: coverage-md
-        with:
-          srcBasePath: './'
-          textReportPath: './lib/coverage/coverage.txt'
-      - run: echo "${MARKDOWN_REPORT}" >>$GITHUB_STEP_SUMMARY
-        env:
-          MARKDOWN_REPORT: '${{ steps.coverage-md.outputs.markdownReport }}'
-      - run: npm audit --omit dev && npm audit --audit-level high --omit dev
-      - run: npm run license-check
-      - run: npm run lint
-      - run: npm pack
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
-        with:
-          name: opentdf-sdk-lib
-          path: ./lib/opentdf-sdk-*.tgz
-      - name: SonarCloud Scan
-        if: fromJSON(env.do_sonarscan)
-        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf #v5.2.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-  cli:
-    needs:
-      - lib
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./cli
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e #v4.3.0
-        with:
-          node-version: '22'
-          cache: 'npm'
-          cache-dependency-path: './cli/package-lock.json'
-      - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1
-        with:
-          name: opentdf-sdk-lib
-          path: lib/
-      - run: npm uninstall @opentdf/sdk && npm ci && npm i ../lib/opentdf-sdk-*.tgz
-      - run: npm test
-      - run: npm audit --omit dev && npm audit --audit-level high --omit dev
-      - run: npm run license-check
-      - run: npm run lint
-      - run: npm pack
-      - name: Setup Bats and bats libs
-        uses: bats-core/[email protected]
-      - run: bats bin/opentdf.bats
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
-        with:
-          name: opentdf-ctl
-          path: ./cli/opentdf-ctl-*.tgz
-
-  web-app:
-    needs:
-      - lib
-    runs-on: ubuntu-22.04 # NOTE: Playwright not yet supported on 24.04
-    defaults:
-      run:
-        working-directory: ./web-app
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e #v4.3.0
-        with:
-          node-version: '22'
-          cache: 'npm'
-          cache-dependency-path: './web-app/package-lock.json'
-      - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1
-        with:
-          name: opentdf-sdk-lib
-          path: lib/
-      - run: npm uninstall @opentdf/sdk && npm ci && npm i ../lib/opentdf-sdk-*.tgz
-      - run: npm install
-      - run: npm audit --omit dev && npm audit --audit-level high --omit dev
-      - run: npm run license-check
-      - run: npm run lint
-      - run: npx playwright install
-      - run: npm test
-      - run: npm pack
 
-  scripts:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: .github/workflows
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      - name: 🦇🦇🦇🦇🦇🦇
-        run: docker run --rm -v "$PWD:/mnt" --workdir "/mnt" bats/bats:1.11.0 *.bats
-      - name: 🦪 ✔ 🧼🧼🧼
-        run: >-
-          docker run --rm -v "$PWD:/mnt" --workdir "/mnt" "koalaman/shellcheck:v0.10.0"
-          --color=always *.sh
+# Default empty permissions for all jobs
+permissions: {}
 
-  platform-roundtrip:
-    needs:
-      - cli
-      - lib
-      - web-app
-    runs-on: ubuntu-22.04 # NOTE: Playwright not yet supported on 24.04
-    defaults:
-      run:
-        working-directory: .github/workflows/roundtrip
-    timeout-minutes: 45
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e #v4.3.0
-        with:
-          node-version: '22'
-          cache: 'npm'
-          cache-dependency-path: './web-app/package-lock.json'
-      - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1
-        with:
-          name: opentdf-sdk-lib
-          path: lib/
-      - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e #v4.2.1
-        with:
-          name: opentdf-ctl
-          path: cli/
-      - name: Git clone backend
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-        with:
-          path: .github/workflows/roundtrip/platform
-          repository: opentdf/platform
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b #v5.4.0
-        with:
-          go-version-file: .github/workflows/roundtrip/platform/service/go.mod
-          check-latest: false
-          cache-dependency-path: |
-            .github/workflows/roundtrip/platform/lib/fixtures/go.sum
-            .github/workflows/roundtrip/platform/lib/ocrypto/go.sum
-            .github/workflows/roundtrip/platform/protocol/go/go.sum
-            .github/workflows/roundtrip/platform/sdk/go.sum
-            .github/workflows/roundtrip/platform/service/go.sum
-      - run: find ./ -name go.mod
-      - name: go configure backend
-        run: |-
-          go work init
-          for x in platform/{protocol/go,lib/{fixtures,ocrypto},sdk,service}; do
-            go work use "$x"
-          done
-      - run: docker compose up -d --wait --wait-timeout 240
-      - env:
-          PLAYWRIGHT_TESTS_TO_RUN: roundtrip
-        run: |-
-          ./wait-and-test.sh platform
-
-  platform-xtest:
-    needs:
-      - cli
-      - lib
-    uses: opentdf/tests/.github/workflows/xtest.yml@main
-    with:
-      focus-sdk: js
-      js-ref: ${{ github.ref }} latest lts
-      platform-ref: main lts
-
-  ci:
-    needs:
-      - lib
-      - cli
-      - web-app
-      - scripts
-      - platform-xtest
-    runs-on: ubuntu-22.04
-    if: ${{ !cancelled() }}
-    steps:
-
-      - name: "All jobs succeeded"
-        id: success
-        if: ${{ contains(needs.*.result, 'success') }}
-        run: |
-          :
-
-      - name: "One or more jobs failed"
-        if: ${{ contains(needs.*.result, 'failure') }}
-        run: |
-          exit 1
+jobs:
+  build-and-test:
+    uses: opentdf/web-sdk/.github/workflows/reusable_build-and-test.yaml@main
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/deliver.yaml

@@ -13,125 +13,11 @@ on:
 permissions: {}
 
 jobs:
-  deliver-ghp:
+  deliver:
     permissions:
       contents: read
       packages: write
       pages: write
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: "Checkout repo"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: "Setup node"
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
-        with:
-          node-version: "22"
-          registry-url: https://npm.pkg.github.com
-
-      - name: "Check version number is same between tag, library, and/or release"
-        id: check-version
-        env:
-          REF: ${{ github.ref }}
-        run: |
-          if [[ "$REF" = refs/heads/release/* ]]; then
-            scripts/check-version-is.sh "${GITHUB_REF##*release/}"
-          elif [[ "$REF" = refs/tags/sdk/v* ]]; then
-            scripts/check-version-is.sh "${GITHUB_REF_NAME#sdk/v}"
-          else
-            scripts/check-version-is.sh
-          fi
-
-      - name: "Output build metadata"
-        id: guess-build-metadata
-        run: |
-          FULL_VERSION=$(.github/workflows/gh-semver.sh)
-          DIST_TAG=$(.github/workflows/guess-dist-tag.sh)
-
-          echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_OUTPUT"
-          echo "DIST_TAG=$DIST_TAG" >> "$GITHUB_OUTPUT"
-
-      - name: "Run: make doc"
-        run: |
-          make doc
-
-      - name: "Echo info"
-        env:
-          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
-          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
-        run: |
-          echo "::notice file=lib/package.json::Will be published to \
-          [GitHub Packages](https://github.com/opentdf/web-sdk/pkgs/npm/client) \
-          as $DIST_TAG \
-          with version=[$FULL_VERSION]"
-
-      - name: "Deliver to GitHub Packages"
-        env:
-          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
-          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
-          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          bash scripts/deliver-to-npm-registry.sh "$FULL_VERSION" "$DIST_TAG"
-
-      - name: "Echo info to Run Summary"
-        run: |
-          {
-          echo "- [Client Library](https://github.com/opentdf/web-sdk/pkgs/npm/client)"
-          echo "- [Command Line Tool](https://github.com/opentdf/web-sdk/pkgs/npm/cli)"
-          } >>"$GITHUB_STEP_SUMMARY"
-
-      - name: "Publish documentation to gh-pages"
-        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
-        with:
-          branch: gh-pages
-          folder: lib/dist/docs
-
-  deliver-npmjs:
-    permissions:
-      contents: read
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Checkout repo"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: "Setup node"
-        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
-        with:
-          node-version: "22"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: "Run: make all"
-        run: |
-          make all
-
-      - name: "Output build metadata"
-        id: guess-build-metadata
-        run: |
-          FULL_VERSION=$(.github/workflows/gh-semver.sh)
-          DIST_TAG=$(.github/workflows/guess-dist-tag.sh)
-
-          echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_OUTPUT"
-          echo "DIST_TAG=$DIST_TAG" >> "$GITHUB_OUTPUT"
-
-      - name: "Deliver to npmjs"
-        env:
-          DIST_TAG: ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
-          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: |
-          bash scripts/deliver-to-npm-registry.sh "$FULL_VERSION" "$DIST_TAG"
-
-      - name: "Echo info to Run Summary"
-        env:
-          FULL_VERSION: ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}
-        run: |
-          {
-          echo "- [Client Library](https://www.npmjs.com/package/@opentdf/sdk/v/$FULL_VERSION)"
-          echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/ctl/v/$FULL_VERSION)"
-          echo "- [unpkg](https://unpkg.com/browse/@opentdf/sdk@$FULL_VERSION)"
-          } >>"$GITHUB_STEP_SUMMARY"
+    uses: opentdf/web-sdk/.github/workflows/reusable_deliver.yaml@main
+    secrets:
+      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}