
Conversation

@rjaegers
Member

@rjaegers rjaegers commented Jun 6, 2025

🚀 Hey, I have created a Pull Request

Description of changes

This PR contains a refactoring of the GitHub Workflows, separating concerns for continuous integration and release purposes. This slightly changes the versioning scheme, which is now documented in the readme.

In the process:

  • Re-visited permissions for all jobs and reduced them where necessary
  • Added step-security/harden-runner to all applicable workflows
  • Renamed all workflows with a 'workflow_call' trigger to include a wc- (workflow call) prefix to clarify that those are callable from other workflows
  • Removed the prime-cache job, which is now redundant, as CI builds (edge) are also done on main
  • Switched the base of the size comparison to the 'edge' version (latest build on main)

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM
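The three hardening properties the description lists (reduced permissions, harden-runner, SHA-pinned actions as seen in the review below) are easy to regress in later edits. The script below is an added example, not code from the amp-devcontainer repository: it audits workflow files for those properties against two constructed samples. The harden-runner commit SHA is the one this PR pins; `egress-policy` is a real harden-runner input; the `flavor` input values, the job layout and the local action reference in the samples are illustrative assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the amp-devcontainer repository: a small audit
# of workflow files for three of the hardening properties this PR applies.
#   1. a top-level `permissions:` block exists, so the GITHUB_TOKEN starts from
#      nothing and each job opts in to what it needs
#   2. every remote `uses:` is pinned to a full 40-hex commit SHA, so a moved
#      or compromised release tag cannot change the code that runs
#   3. a step-security/harden-runner step is present
set -eu

# Constructed sample in the shape of a hardened callable (wc-) workflow. The
# harden-runner commit SHA is the one this PR pins; the `flavor` input, the
# job layout and the local action reference are illustrative assumptions.
HARDENED="$(mktemp)"
cat >"$HARDENED" <<'EOF'
name: wc-build-push
on:
  workflow_call:
    inputs:
      flavor:               # e.g. cpp or rust (assumed values)
        required: true
        type: string
permissions: {}             # no default grants; jobs opt in explicitly
jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write       # only this job pushes to ghcr.io
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit
      - uses: ./.github/actions/container-size-diff
EOF

# Constructed counter-example: no permissions block, an action referenced by
# a mutable tag, and no harden-runner step.
WEAK="$(mktemp)"
cat >"$WEAK" <<'EOF'
name: build-push
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build .
EOF
trap 'rm -f "$HARDENED" "$WEAK"' EXIT

# 0 if the file declares a top-level (column 0) permissions block.
has_top_level_permissions() {
  grep -Eq '^permissions:' "$1"
}

# 0 if every remote `uses:` reference ends in @<40-hex sha>. Local composite
# actions (./path) and docker:// references are skipped; offenders go to stderr.
all_actions_pinned() {
  bad="$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^.*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true)"
  [ -z "$bad" ] || { printf 'unpinned: %s\n' "$bad" >&2; return 1; }
}

# 0 if a harden-runner step is referenced anywhere in the file.
uses_harden_runner() {
  grep -Eq 'uses:[[:space:]]*step-security/harden-runner@' "$1"
}

# Runs all three checks, reports each failure, returns 0 only if all pass.
audit_workflow() {
  failed=0
  has_top_level_permissions "$1" || { echo "$1: no top-level permissions block"; failed=1; }
  all_actions_pinned "$1" 2>/dev/null || { echo "$1: unpinned action reference"; failed=1; }
  uses_harden_runner "$1" || { echo "$1: no harden-runner step"; failed=1; }
  [ "$failed" -ne 0 ] || echo "$1: OK"
  return "$failed"
}

audit_workflow "$HARDENED"
audit_workflow "$WEAK" || true
```

Run it against `.github/workflows/*.yml` in a loop to get one verdict per file. The top-level check deliberately accepts `permissions: {}` plus per-job grants, which is the least-privilege shape: a job that only reads the tree gets `contents: read`, and only the job that pushes to ghcr.io gets `packages: write`. The pin check is intentionally strict about the 40-hex form; a `# vX.Y.Z` trailing comment, as the PR uses, is allowed and documents which release the SHA corresponds to.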

Copilot AI review requested due to automatic review settings June 6, 2025 13:20
@rjaegers rjaegers requested a review from a team as a code owner June 6, 2025 13:20


@github-actions
Contributor

github-actions bot commented Jun 6, 2025

🦙 MegaLinter status: ✅ SUCCESS

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ DOCKERFILE | hadolint | 2 | | 0 | 0 | 0.79s |
| ✅ GHERKIN | gherkin-lint | 2 | | 0 | 0 | 1.01s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.36s |
| ✅ JSON | prettier | 16 | 1 | 0 | 0 | 0.51s |
| ✅ JSON | v8r | 16 | | 0 | 0 | 8.64s |
| ✅ MARKDOWN | markdownlint | 9 | 0 | 0 | 0 | 0.87s |
| ✅ MARKDOWN | markdown-table-formatter | 9 | 0 | 0 | 0 | 0.31s |
| ✅ REPOSITORY | checkov | yes | | no | no | 16.09s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.32s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 22.29s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.91s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.13s |
| ✅ REPOSITORY | trivy | yes | | no | no | 5.2s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.09s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 3.34s |
| ✅ SPELL | lychee | 62 | | 0 | 0 | 1.88s |
| ✅ YAML | prettier | 23 | 0 | 0 | 0 | 0.87s |
| ✅ YAML | v8r | 23 | | 0 | 0 | 7.07s |
| ✅ YAML | yamllint | 23 | | 0 | 0 | 0.79s |

See detailed report in MegaLinter reports

MegaLinter is graciously provided by OX Security

@github-actions
Contributor

github-actions bot commented Jun 6, 2025

📦 Container Size Analysis

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge to ghcr.io/philips-software/amp-devcontainer-rust:pr-815

📈 Size Comparison Table

OS/Platform Previous Size Current Size Change Trend

@github-actions
Contributor

github-actions bot commented Jun 6, 2025

📦 Container Size Analysis

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge to ghcr.io/philips-software/amp-devcontainer-cpp:pr-815

📈 Size Comparison Table

OS/Platform Previous Size Current Size Change Trend

@github-actions
Contributor

github-actions bot commented Jun 6, 2025

Test Results

 4 files  + 4   4 suites  +4   2m 25s ⏱️ + 2m 25s
31 tests +31  31 ✅ +31  0 💤 ±0  0 ❌ ±0 
66 runs  +66  66 ✅ +66  0 💤 ±0  0 ❌ ±0 

Results for commit b474837. ± Comparison against base commit 2cd0bad.

♻️ This comment has been updated with latest results.

@magi-arun magi-arun requested a review from EkelmansPh June 12, 2025 07:14
@rjaegers rjaegers changed the title chore: split build-push to re-usable workflow chore: refactor ci and versioning scheme Jun 12, 2025
@sonarqubecloud

@rjaegers rjaegers requested a review from Copilot June 13, 2025 07:32
Contributor

Copilot AI left a comment


Pull Request Overview

Refactors GitHub workflows by separating CI and release concerns, standardizing versioning to use an “edge” base, and strengthening runner security.

  • Converts many workflows to workflow_call with explicit flavor inputs and removes the now-redundant prime-cache workflow
  • Updates build & push logic to use inputs.flavor, pins harden-runner steps, and switches to the “edge” devcontainer tag
  • Adds step-security/harden-runner to applicable workflows and tightens permissions

Reviewed Changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated no comments.

Summary per file

| File | Description |
|---|---|
| .github/workflows/wc-integration-test.yml | Added runner hardening and updated cache path |
| .github/workflows/wc-build-push.yml | Made build-push a callable workflow; switched to inputs.flavor and “edge” base; cleaned up matrix |
| .github/workflows/wc-build-push-test.yml | New workflow chaining build-push, integration, acceptance tests, and result publishing |
| .github/workflows/vulnerability-scan.yml | Added runner hardening step |
| .github/workflows/update-dependencies.yml | Updated container tag to “edge”; reset permissions; added hardening |
| .github/workflows/social-interaction.yml | Cleared permissions block; added hardening step |
| .github/workflows/release-published.yml | Cleared permissions; added hardening step |
| .github/workflows/release-please.yml | Moved permissions block; added hardening step |
| .github/workflows/release-build.yml | New release-build workflow stitching tests and notes |
| .github/workflows/prime-cache.yml | Removed obsolete prime-cache workflow |
| .github/workflows/pr-report.yml | Cleared permissions; added hardening step |
| .github/workflows/pr-image-cleanup.yml | Cleared permissions; added hardening step |
| .github/workflows/pr-conventional-title.yml | Added runner hardening step |
| .github/workflows/ossf-scorecard.yml | Added runner hardening step |
| .github/workflows/linting-formatting.yml | Added hardening and switched MegaLinter flavor |
| .github/workflows/issue-creation-tool-versions.yml | Added runner hardening step |
| .github/workflows/issue-cleanup.yml | Cleared permissions; added hardening step |
| .github/workflows/continuous-integration.yml | New CI workflow using wc-build-push-test |
| .github/actions/container-size-diff/container-size-diff.sh | Improved formatting and infinite-percentage handling |
Comments suppressed due to low confidence (2)

.github/actions/container-size-diff/container-size-diff.sh:42

  • The new branch handling zero base sizes (infinite percentage change) should be covered by automated tests or integration scenarios to ensure the edge case and formatting (+∞) remain correct.
if [[ ${FROM_SIZE} -eq 0 ]]; then

.github/workflows/wc-integration-test.yml:23

  • [nitpick] Consider adding a name: to this harden-runner step (e.g., name: Harden runner security) for improved readability and consistency across workflows.
-      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
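The zero-base branch the review flags is the one place a size-comparison script can abort the whole report with a division-by-zero error, for example when a platform has no published base image yet. The script below is an added example, not the repository's container-size-diff.sh: it shows the relative-change computation behind one row of the size comparison table, with the `+∞` rendering for a base size of 0, over constructed byte counts that are not real image sizes.

```shell
#!/usr/bin/env sh
# Added example; this is not the repository's container-size-diff.sh.
# It shows the relative-change computation behind a size comparison row and
# handles the edge case the review flags: a base (FROM) size of 0, for which
# a percentage is undefined and the report renders "+∞".
set -eu

# Relative change from $1 (base bytes) to $2 (new bytes) as a signed
# percentage with one decimal place, truncated rather than rounded.
# A zero base yields "+∞" (or "0.0%" if the new size is also 0) instead
# of a division-by-zero error that would abort the whole report.
size_change_pct() {
  from="$1"; to="$2"
  if [ "$from" -eq 0 ]; then
    if [ "$to" -eq 0 ]; then echo "0.0%"; else echo "+∞"; fi
    return 0
  fi
  # integer arithmetic only: scale by 1000 to keep one decimal digit
  delta=$(( (to - from) * 1000 / from ))
  sign="+"
  if [ "$delta" -lt 0 ]; then sign="-"; delta=$(( -delta )); fi
  printf '%s%d.%d%%\n' "$sign" $(( delta / 10 )) $(( delta % 10 ))
}

# Trend label for the last column: up, down or same.
trend() {
  if [ "$2" -gt "$1" ]; then echo up
  elif [ "$2" -lt "$1" ]; then echo down
  else echo same; fi
}

# One table row in the layout the report uses:
# OS/Platform | Previous Size | Current Size | Change | Trend
render_row() {
  printf '| %s | %s B | %s B | %s | %s |\n' \
    "$1" "$2" "$3" "$(size_change_pct "$2" "$3")" "$(trend "$2" "$3")"
}

# Constructed sample data (byte counts are made up, not real image sizes).
# The third row models a platform with no published base image yet.
echo '| OS/Platform | Previous Size | Current Size | Change | Trend |'
echo '|---|---|---|---|---|'
render_row linux/amd64 1000000000 1050000000
render_row linux/arm64  980000000  931000000
render_row linux/riscv64        0  900000000
```

Everything stays in integer shell arithmetic so the script has no dependency on `bc` or `awk` inside the runner image; 64-bit arithmetic comfortably holds byte counts multiplied by 1000. The `size_change_pct 0 0` and `size_change_pct 0 N` cases are the ones worth pinning in a test, as the review suggests, since they are the only inputs that take the special branch.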

@rjaegers rjaegers added this pull request to the merge queue Jun 13, 2025
@rjaegers rjaegers merged commit 93b6593 into main Jun 13, 2025
32 checks passed
@rjaegers rjaegers deleted the feature/refactor-ci branch June 13, 2025 14:43
@github-actions
Contributor

Pull Request Report (#815)

Static measures

| Description | Value |
|---|---|
| Number of added lines | 335 |
| Number of deleted lines | 204 |
| Number of changed files | 21 |
| Number of commits | 20 |
| Number of reviews | 4 |
| Number of comments (w/o review comments) | 5 |
| Number of reviews that contain a comment to resolve | 3 |
| Number of reviews that requested a change from the author | 0 |
| Number of reviews that approved the Pull Request | 1 |
| Total number of participants of the Pull Request | 7 |

Time related measures

| Description | Value |
|---|---|
| PR lead time (from creation to close of PR) | 7.1 Days |
| Time spent on the branch before the PR was created | 40 Sec |
| Time spent on the branch before the PR was merged | 7.1 Days |
| Time to merge after last review | 4.6 Hours |

Status check related measures

| Description | Value |
|---|---|
| Total runtime for last status check run (Workflow for PR) | 38 Min |
| Total time spent in last status check run on PR | 19.4 Min |

@github-actions
Contributor

🎉 Hooray! The changes in this pull request went live with the release of v6.1.0 🎉

3 participants