ci: Use GitHub environment, update commit-lint, pin actions

.github/workflows/coverage.yml

@@ -55,6 +55,6 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Close parallel build
-        uses: coverallsapp/github-action@v2.3.7
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
         with:
           parallel-finished: true

.github/workflows/github-ci.yml

@@ -19,6 +19,8 @@ jobs:
     steps:
 
     - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
 
     - name: Setup Node.js
       uses: actions/setup-node@v6
@@ -56,6 +58,14 @@ jobs:
     - name: Perform ESLint check
       run: npm run lint
 
+    - name: Validate current commit (last commit) with commitlint
+      if: github.event_name == 'push'
+      run: npm run lint:commit -- --last --verbose
+
+    - name: Validate PR commits with commitlint
+      if: github.event_name == 'pull_request'
+      run: npm run lint:commit -- --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
     - name: Perform Licenses check
       run: npm run check-licenses
 

.github/workflows/release-please.yml

@@ -8,7 +8,6 @@ on:
 permissions:
   contents: write
   pull-requests: write
-  id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
 
 jobs:
   release-please:
@@ -24,7 +23,7 @@ jobs:
          node-version: 24.x
 
       - name: Run Release Please to update PRs and create releases
-        uses: googleapis/release-please-action@v5
+        uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         id: release
         with:
           token: "${{ secrets.GITHUB_TOKEN }}"
@@ -60,6 +59,10 @@ jobs:
     runs-on: ubuntu-24.04
     needs: release-please
     if: needs.release-please.outputs.releases_created == 'true'
+    permissions:
+      id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
+    # The GitHub Actions Environment configured for the trusted publisher
+    environment: npmjs:ui5-cli-mono
     strategy:
       # Sequential publishing ensures dependencies exist on NPM before dependents are published
       # Order: logger → fs → builder → server → project (CLI handled separately for shrinkwrap generation)
@@ -87,6 +90,10 @@ jobs:
     runs-on: ubuntu-24.04
     needs: [release-please, publish-packages]
     if: needs.release-please.outputs.releases_created == 'true'
+    permissions:
+      id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
+    # The GitHub Actions Environment configured for the trusted publisher
+    environment: npmjs:ui5-cli-mono
     steps:
       - uses: actions/checkout@v6
 

.github/workflows/reuse-compliance.yml

@@ -46,4 +46,4 @@ jobs:
     - uses: actions/checkout@v6
 
     - name: REUSE check for full repository
-      uses: fsfe/reuse-action@v6
+      uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0

.npmrc

@@ -2,3 +2,4 @@
 registry=https://registry.npmjs.org/
 lockfile-version=3
 ignore-scripts=true
+allow-git=none