From 22f5b567bda739a97aef457744bc0f975b2f8472 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 15:47:55 +0200
Subject: [PATCH 1/5] ci: Use GitHub environment for publishing workflow

JIRA: CPOUI5FOUNDATION-1239

---
 .github/workflows/release-please.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index bd6159a1..18e49990 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -35,6 +37,8 @@ jobs:
 runs-on: ubuntu-24.04
 permissions:
 id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
+ # The GitHub Actions Environment configured for the trusted publisher
+ environment: npmjs:@ui5/middleware-code-coverage
 strategy:
 matrix:
 path_released: ${{fromJson(needs.pull-request.outputs.paths_released)}}

From b6999c00fe3a29634dd6cf0a9cd34c27615cd65d Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 14:37:33 +0200
Subject: [PATCH 2/5] ci: Disallow npm dependencies from git

See: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/#:~:text=New%20%2D%2Dallow%2Dgit%20flag,explicit%20control%20over%20this%20behavior.

---
 .npmrc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.npmrc b/.npmrc
index 3eeeab4e..f5bb40b0 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@
 registry=https://registry.npmjs.org/
 lockfile-version=3
 ignore-scripts=true
+allow-git=none

From 4c9525dd77dd98e3d684a3ad605112572d2d5780 Mon Sep 17 00:00:00 2001
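Review bot: The environment name is fixed to `npmjs:@ui5/middleware-code-coverage` although the job is a matrix over `path_released`, so any second package that ever appears in that matrix would publish through an environment whose trusted-publisher binding belongs to a different package; the rest of the job is outside the hunk, so I cannot tell whether the matrix is effectively single-entry. Either derive the environment name from the matrix entry or state the single-package assumption in the comment. The protection the environment adds also depends on its settings on the GitHub side: with a deployment branch/tag policy limited to the release refs (and required reviewers, if wanted), the `id-token: write` token is only minted for approved refs. I would extend the added comment to `# The GitHub Actions Environment configured for the trusted publisher; keep its deployment branch policy restricted to release refs`.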
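Review bot: `allow-git=none` is only enforced by an npm that knows the option; an older npm, as far as I know, warns about an unknown config key and then installs git dependencies as before, so the setting is advisory unless the npm version is controlled. The repository has a `check-engine` script and sets up Node in CI, so make sure the engine constraint and the CI npm version are recent enough for this flag (the linked changelog gives the version). A comment in the file would make that dependency visible: `# Reject git-hosted dependencies; needs an npm version that supports allow-git`.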
From: Merlin Beutlberger
Date: Fri, 15 May 2026 15:50:45 +0200
Subject: [PATCH 3/5] ci: Replace outdated commitlint action

Use the commitlint npm package directly instead as recommended at: https://commitlint.js.org/guides/ci-setup.html

Also align husky and package.json script with ui5/cli repo

---
 .github/workflows/commitlint.yml | 24 ------------------------
 .github/workflows/github-ci.yml | 10 ++++++++++
 .husky/commit-msg | 1 +
 .husky/pre-push | 1 -
 package.json | 3 +--
 5 files changed, 12 insertions(+), 27 deletions(-)
 delete mode 100644 .github/workflows/commitlint.yml
 create mode 100644 .husky/commit-msg
 delete mode 100644 .husky/pre-push

diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
deleted file mode 100644
index fd1efdf9..00000000
--- a/.github/workflows/commitlint.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Commit Message Linting
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-permissions:
- contents: read
-
-
-jobs:
- commitlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v6
- with:
- fetch-depth: 0
- - uses: wagoid/commitlint-github-action@v6
- with:
- configFile: .commitlintrc.mjs
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index d14974a7..669e05f9 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -18,6 +18,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
 - name: Setup Node.js
 uses: actions/setup-node@v6
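Review bot: `fetch-depth: 0` is added without a comment, and since it turns every checkout into a full-history clone a reader will wonder whether it can be dropped; it is needed because the commitlint PR step further down ranges over `base.sha..head.sha`, which a shallow clone does not contain. I would annotate it as `fetch-depth: 0 # Full history: commitlint validates the base..head commit range on pull requests`. The enclosing `steps:` list continues outside the hunk.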
@@ -33,6 +35,14 @@ jobs:
 - name: Perfrom ESLint check
 run: npm run lint
+ - name: Validate current commit (last commit) with commitlint
+ if: github.event_name == 'push'
+ run: npm run lint:commit -- --last --verbose
+
+ - name: Validate PR commits with commitlint
+ if: github.event_name == 'pull_request'
+ run: npm run lint:commit -- --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
 - name: Perfrom Licenses check
 run: npm run check-licenses
diff --git a/.husky/commit-msg b/.husky/commit-msg
new file mode 100644
index 00000000..cfdf03d5
--- /dev/null
+++ b/.husky/commit-msg
@@ -0,0 +1 @@
+npm run lint:commit -- --edit "$1" # Lint currently edited commit message
diff --git a/.husky/pre-push b/.husky/pre-push
deleted file mode 100644
index 90289817..00000000
--- a/.husky/pre-push
+++ /dev/null
@@ -1 +0,0 @@
-npm run hooks:pre-push
diff --git a/package.json b/package.json
index 84f66a00..10848a3a 100644
--- a/package.json
+++ b/package.json
@@ -39,9 +39,8 @@
 "scripts": {
 "check-licenses": "licensee --errors-only",
 "knip": "knip --config knip.config.js",
- "hooks:pre-push": "npm run lint:commit",
 "lint": "npm run lint --workspaces --if-present",
- "lint:commit": "commitlint -e",
+ "lint:commit": "commitlint",
 "prepare": "node ./.husky/skip.js || husky",
 "check-engine": "check-engine-light .",
 "test": "npm run test --workspaces --if-present && npm run knip",

From 30b04b5fb6963bfdb9846640f74fe7e2a65b39df Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 15:52:48 +0200
Subject: [PATCH 4/5] ci: Pin actions to commit hash

---
 .github/workflows/github-ci.yml | 3 ++-
 .github/workflows/release-please.yml | 2 +-
 .github/workflows/reuse-compliance.yml | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index 669e05f9..793e4c7b 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
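Review bot: The PR validation step interpolates `${{ github.event.pull_request.base.sha }}` and `${{ github.event.pull_request.head.sha }}` straight into the `run:` command line. Both values are commit SHAs, so there is no practical injection surface here, but the convention that keeps workflows safe over time is to pass event data through `env:` and reference it as a quoted shell variable, so that a later edit swapping in a free-text field (branch name, PR title) does not silently become shell-injectable. The rewritten step is below; the `--last` step for pushes needs no change.
```yaml
      - name: Validate PR commits with commitlint
        if: github.event_name == 'pull_request'
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: npm run lint:commit -- --from "$BASE_SHA" --to "$HEAD_SHA" --verbose
```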
@@ -53,7 +53,8 @@ jobs:
 run: npm run test:unit:coverage
 - name: Send report to Coveralls for package @ui5/middleware-code-coverage
- uses: coverallsapp/github-action@v2.3.7
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
+ continue-on-error: true # Do not fail the job if coverage reporting fails (e.g. service is down)
 with:
 flag-name: middleware-code-coverage
 base-path: ./packages/middleware-code-coverage
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 18e49990..61994c93 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -24,7 +24,7 @@ jobs:
 releases_created: ${{steps.release.outputs.releases_created}}
 paths_released: ${{steps.release.outputs.paths_released}}
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 id: release
 with:
 token: ${{secrets.GH_OPENUI5BOT}}
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index ea0a6129..2ce43a7a 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -17,4 +17,4 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - name: Execute REUSE Compliance Check
- uses: fsfe/reuse-action@v6
+ uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0

From c45396e79eea10a5c0073bd7209121f2dcc2d4fb Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 16:21:53 +0200
Subject: [PATCH 5/5] ci: Enable two-day cooldown for dependabot

---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5a774f1a..069819f7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 2
 commit-message:
 prefix: "ci(github-actions)"
 - package-ecosystem: npm
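Review bot: The pin comment on the new `uses:` line says `# v2.3.6`, but the line it replaces referenced `@v2.3.7`, so this is either a silent downgrade or a wrong comment; the hash itself cannot be checked from the diff. Please confirm which tag the hash resolves to and make the comment match, since Dependabot (as far as I know) uses that trailing comment when it proposes updates for hash-pinned actions. `continue-on-error: true` is a fair choice for an external reporting service, but note it also hides an expired token or broken upload indefinitely, so the step's status deserves an occasional look.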
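Review bot: The pin also moves `googleapis/release-please-action` from `v4` to a hash commented as `v5.0.0`, a major upgrade hidden in a commit titled "Pin actions to commit hash"; if v5 changed inputs or output names, the `releases_created` and `paths_released` outputs read a few lines above would break or change meaning. I would split the upgrade into its own commit (or at least mention it in the message) and check the action's v5 release notes against the `with:` inputs and outputs used here. Confirm as well that the hash really is the `v5.0.0` tag, as the comment is the only thing tying the two together.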
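Review bot: `actions/checkout@v6` on the context line stays a floating tag while `fsfe/reuse-action` right below it is pinned, so the commit only partly does what its title says; the same holds for `actions/checkout@v6` and `actions/setup-node@v6` in github-ci.yml. A moving major tag can be repointed by the action's maintainers, or by whoever gains control of that repository, at arbitrary code, which is exactly what hash pinning is meant to rule out, and a half-pinned workflow still inherits that risk. Pin every `uses:` with the same `@<sha> # vX.Y.Z` convention and let the Dependabot `github-actions` entry, which the `ci(github-actions)` prefix in .github/dependabot.yml suggests is already configured, keep the comments current.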
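Review bot: The `cooldown` stanza is added without a comment, and the same two lines appear again in the `npm` entry in the next hunk, so a reader has to guess the intent. I would put `# Wait 2 days before proposing a release so versions that get yanked shortly after publishing are skipped` above each `cooldown:` key. Two caveats belong in a reviewer's head: as far as I recall from the docs, Dependabot security updates are not subject to the cooldown, so fixes for disclosed vulnerabilities still arrive at once, and the cooldown gives no protection against a malicious version that is already older than two days.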
@@ -17,6 +19,8 @@ updates:
 - RandomByte
 - flovogt
 versioning-strategy: increase
+ cooldown:
+ default-days: 2
 commit-message:
 prefix: "deps"
 prefix-development: "build(deps-dev)"