From e583fdf32b555edfe7a076972c0bd19dd1389126 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 16:42:12 +0200
Subject: [PATCH 1/6] ci: Reset CI workflow permissions
---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/reuse-compliance.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d5c9f44..ad67ebe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,8 +7,8 @@ on:
 branches:
 - main
-permissions:
- contents: read
+# No permissions are required for this workflow
+permissions: {}
 jobs:
 test:
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index 7b7119b..4a95081 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -8,8 +8,8 @@ on:
 branches:
 - main
-permissions:
- contents: read
+# No permissions are required for this workflow
+permissions: {}
 jobs:
 compliance-check:
From f4d0d6f68b7f92053ced6e7be988ccdaf5920223 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 16:42:26 +0200
Subject: [PATCH 2/6] ci: Configure release environment
---
 .github/workflows/release-please.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 52aab6c..c9fe758 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -12,6 +12,7 @@ permissions:
 jobs:
 pull-request:
 runs-on: ubuntu-24.04
+ environment: release
 steps:
 - uses: googleapis/release-please-action@v5
 id: release
From 867bcfa2c591ddadaaef167803876ac0e736b7cd Mon Sep 17 00:00:00 2001
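Review bot: The new comment `# No permissions are required for this workflow` in the `.github/workflows/ci.yml` hunk of patch 1/6 states the result but not the condition it depends on. Both workflows still run `actions/checkout`, and with `permissions: {}` the job token no longer carries `contents: read`, so the checkout presumably only succeeds because the repository is publicly readable; if its visibility ever changes, both jobs would fail at checkout. I would spell that out, e.g. `# Empty token permissions: checkout only needs anonymous read access while this repository is public`. The same applies to the identical hunk in `.github/workflows/reuse-compliance.yml`.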
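Review bot: `environment: release` on the `pull-request` job in `.github/workflows/release-please.yml` (patch 2/6) only restricts anything if the `release` environment itself carries protection rules, and nothing in the repository files records that. The step below the hunk passes `secrets.GH_OPENUI5BOT` to the action (visible in the later pin-actions patch); as long as that token stays a repository-level secret, any other workflow can still reference it and the environment adds no isolation. I would move the token into the environment's secrets, limit the environment's deployment branches to the release branch, and document the expectation next to the key, e.g. `# 'release' environment: restricted deployment branches; holds GH_OPENUI5BOT`. The job body continues outside the hunk.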
From: Merlin Beutlberger
Date: Fri, 15 May 2026 16:44:02 +0200
Subject: [PATCH 3/6] ci: Replace outdated commitlint action
Use the commitlint npm package directly instead as recommended at: https://commitlint.js.org/guides/ci-setup.html Also align husky and package.json script with ui5/cli repo
---
 .github/workflows/ci.yml | 10 ++++++++++
 .github/workflows/commitlint.yml | 22 ----------------------
 .husky/commit-msg | 1 +
 .husky/pre-push | 1 -
 package.json | 3 +--
 5 files changed, 12 insertions(+), 25 deletions(-)
 delete mode 100644 .github/workflows/commitlint.yml
 create mode 100644 .husky/commit-msg
 delete mode 100644 .husky/pre-push
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad67ebe..ad09a59 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,8 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
 - name: Use Node.js 22
 uses: actions/setup-node@v6
 with:
@@ -27,6 +29,14 @@ jobs:
 - name: Perform Prettier check
 run: npm run prettier:check
+ - name: Validate current commit (last commit) with commitlint
+ if: github.event_name == 'push'
+ run: npm run lint:commit -- --last --verbose
+
+ - name: Validate PR commits with commitlint
+ if: github.event_name == 'pull_request'
+ run: npm run lint:commit -- --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
 - name: Perform Licenses check
 run: npm run check-licenses
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
deleted file mode 100644
index d26cc2c..0000000
--- a/.github/workflows/commitlint.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: Commit Message Linting
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-permissions:
- contents: read
- pull-requests: read
-
-jobs:
- commitlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v6
- with:
- fetch-depth: 0
- - uses: wagoid/commitlint-github-action@v6
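Review bot: In the added `Validate PR commits with commitlint` step of `.github/workflows/ci.yml`, `${{ github.event.pull_request.base.sha }}` and `${{ github.event.pull_request.head.sha }}` are expanded straight into the `run:` script before the shell parses it. Both values are commit hashes, so the practical risk is low, but passing event data through `env:` and quoting it follows GitHub's workflow hardening guidance and stays safe if another event field is added to the command later. The step also runs `npm run lint:commit` from the checked-out pull-request tree, so the script and commitlint configuration are controlled by the PR author; that is acceptable while this job keeps `permissions: {}` and, as far as the visible steps show, uses no secrets. The `test` job starts and ends outside the hunk.

```yaml
# … unchanged: push-event commitlint step …
- name: Validate PR commits with commitlint
  if: github.event_name == 'pull_request'
  env:
    BASE_SHA: ${{ github.event.pull_request.base.sha }}
    HEAD_SHA: ${{ github.event.pull_request.head.sha }}
  run: npm run lint:commit -- --from "$BASE_SHA" --to "$HEAD_SHA" --verbose
```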
diff --git a/.husky/commit-msg b/.husky/commit-msg
new file mode 100644
index 0000000..cfdf03d
--- /dev/null
+++ b/.husky/commit-msg
@@ -0,0 +1 @@
+npm run lint:commit -- --edit "$1" # Lint currently edited commit message
diff --git a/.husky/pre-push b/.husky/pre-push
deleted file mode 100644
index 9028981..0000000
--- a/.husky/pre-push
+++ /dev/null
@@ -1 +0,0 @@
-npm run hooks:pre-push
diff --git a/package.json b/package.json
index 80d83af..2734003 100644
--- a/package.json
+++ b/package.json
@@ -26,8 +26,7 @@
 "scripts": {
 "check-licenses": "licensee --errors-only",
 "knip": "knip",
- "hooks:pre-push": "npm run lint:commit",
- "lint:commit": "commitlint -e",
+ "lint:commit": "commitlint",
 "prepare": "node ./.husky/skip.js || husky",
 "prettier": "prettier **/.mcp.json **/plugin.json",
 "prettier:write": "npm run prettier -- --write",
From a81aa3c0274f5b2dd2d6080e4d001df29e443b9f Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 16:44:51 +0200
Subject: [PATCH 4/6] ci: Enable two-day cooldown for dependabot
---
 .github/dependabot.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 0a24dfe..191adbe 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,13 +4,17 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 2
 commit-message:
 prefix: "ci(github-actions)"
 - package-ecosystem: npm
 directory: "/"
 schedule:
- interval: "daily"
+ interval: "weekly"
 versioning-strategy: increase
+ cooldown:
+ default-days: 2
 commit-message:
 prefix: "deps"
 prefix-development: "build(deps-dev)"
From 1e1a60305e993203658817ca9dc95b12534ae1a7 Mon Sep 17 00:00:00 2001
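Review bot: The npm entry in `.github/dependabot.yml` (patch 4/6) also changes `interval` from `"daily"` to `"weekly"`, which the subject line about a two-day cooldown does not mention; together with the cooldown this lengthens the time before routine version bumps are proposed. As far as I know the `cooldown` block only delays version updates and leaves Dependabot security updates untouched, which is the desired behaviour, but the file does not say so. I would add a comment above each `cooldown:` key, e.g. `# Hold new releases for 2 days so a compromised version can be reported before it is proposed; security updates are not delayed`, and mention the schedule change in the commit message.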
From: Merlin Beutlberger
Date: Fri, 15 May 2026 14:37:33 +0200
Subject: [PATCH 5/6] ci: Disallow npm dependencies from git
See: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/#:~:text=New%20%2D%2Dallow%2Dgit%20flag,explicit%20control%20over%20this%20behavior.
---
 .npmrc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.npmrc b/.npmrc
index 3eeeab4..f5bb40b 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@ registry=https://registry.npmjs.org/
 lockfile-version=3
 ignore-scripts=true
+allow-git=none
From adfe03d8c31d2c9745b64db0f182a818cbdf1bec Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 16:45:48 +0200
Subject: [PATCH 6/6] ci: Pin actions to commit hash
---
 .github/workflows/release-please.yml | 2 +-
 .github/workflows/reuse-compliance.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index c9fe758..6688368 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-24.04
 environment: release
 steps:
- - uses: googleapis/release-please-action@v5
+ - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 id: release
 with:
 token: ${{secrets.GH_OPENUI5BOT}}
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index 4a95081..ccb2e77 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -18,4 +18,4 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 - name: Execute REUSE Compliance Check
- uses: fsfe/reuse-action@v6
+ uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
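Review bot: `allow-git=none` in `.npmrc` (patch 5/6) only takes effect on npm versions that know the option; it was announced in the changelog entry linked in the commit message, and older clients presumably ignore the key. The CI job visible in the commitlint patch sets up Node.js 22 and appears to use the npm bundled with it, so it is worth confirming that this npm actually enforces the setting rather than assuming it. I would record the requirement in the file, e.g. `# allow-git needs an npm release that supports it (see commit message); older npm ignores this line`, and consider an `engines.npm` constraint in `package.json` so an unsupported client is noticed.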
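Review bot: The context line `- uses: actions/checkout@v6` in the `.github/workflows/reuse-compliance.yml` hunk of patch 6/6 is still referenced by a mutable tag, so this workflow remains only partly pinned; `ci.yml`, which this patch does not touch, likewise shows `actions/checkout@v6` and `actions/setup-node@v6` in the earlier commitlint patch. I would pin those the same way, `- uses: actions/checkout@<full-commit-sha> # v6.x.y`, taking the hash from the action's own release tag. Keeping the trailing version comment, as this patch does for the two pinned actions, lets the Dependabot github-actions updates bump hash and comment together.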