
chore: Update third party actions #24

Merged
marek-saji merged 7 commits into v1 from chore/actions-ver-update
Oct 7, 2025

marek-saji commented Oct 7, 2025

Why?

Closes https://verkstedt.atlassian.net/browse/VIP-86

Groundwork for #25 and #26 (not yet ready for review).

What?

  • Update used actions

What else?

marek-saji self-assigned this Oct 7, 2025

coderabbitai bot commented Oct 7, 2025

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Setup action now auto-detects the project’s package manager and adjusts install/prepare steps accordingly.
    • Adds conditional verification of dependency provenance and signatures for npm installs.
  • Bug Fixes

    • Corrected a typo in a Slack permission string in notifications.
  • Chores

    • Upgraded multiple GitHub Actions to latest major versions for improved reliability and compatibility.
    • Introduced a workflow to reference a GitHub comment in commit messages.
    • Streamlined release and image-tagging workflows with updated action versions.

Walkthrough

Multiple GitHub Actions workflows were updated to newer action versions, a typo in a Slack permission string was fixed, a new workflow was added to reference GitHub comments in commit messages, and the setup composite action now detects package manager and conditionally runs install/prepare and optional provenance checks.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow action version bumps: .github/workflows/ci.yaml, .../reusable-release.yml, .../reusable-tag-docker-release-images.yml | Bumped action versions: actions/github-script@v7 → @v8, actions/checkout@v4 → @v5; also google-github-actions/auth@v2 → @v3 in docker-release workflow. No control-flow changes. |
| Slack typo fix: .github/workflows/notify-main-branch-failure.yaml | Fix typo in emitted permission string: "chate:write" → "chat:write". |
| New workflow: reference comment in commit: .github/workflows/ref-comment-in-commit.yaml | Add push-triggered workflow using verkstedt/actions/ref-comment-in-commit@v1 with secrets.GITHUB_TOKEN. |
| Setup action enhancements: setup/action.yaml | Add package-manager output; detect yarn.lock vs package-lock.json; conditional install (yarn install --immutable or npm ci), conditional prepare/postinstall handling, optional npm provenance/signature verification, and update actions/checkout & actions/setup-node to v5. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Workflow as GitHub Workflow
  participant Setup as setup/action.yaml
  participant Repo as Repository
  participant Yarn as Yarn CLI
  participant NPM as npm CLI
  participant Verify as Provenance Verifier

  Workflow->>Setup: invoke composite action
  Setup->>Repo: inspect for yarn.lock / package-lock.json
  alt yarn.lock present
    Setup->>Setup: set output package-manager = "yarn"
    Setup->>Yarn: yarn install --immutable
    Note right of Yarn: postinstall handles prepare
  else package-lock.json present
    Setup->>Setup: set output package-manager = "npm"
    Setup->>NPM: npm ci
    opt cache miss
      Setup->>Verify: verify provenance & registry signatures
    end
    Setup->>NPM: npm run prepare (if defined)
  else no lockfile
    Setup->>Workflow: fail step with error
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • erolci

Poem

I thump my paws—versions hop and glide,
A comment tags a commit, side by side.
Yarn or npm? I sniff and decide—
Locks checked, signatures verified.
A typo fixed, workflows tidy—happy hop, wide-eyed. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Out of Scope Changes Check | ⚠️ Warning | This PR introduces features beyond the scope of VIP-86’s action version updates, including a new ref-comment-in-commit workflow and CI enhancements for npm audit signatures and package-manager detection. | Please separate these new CI features into dedicated pull requests or associate them with appropriate issue tickets to keep VIP-86 focused only on action version updates. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title reflects the task of updating third-party actions but omits other significant additions in this PR such as npm audit signatures, the new ref-comment-in-commit workflow, and the package-manager detection enhancements. |
| Linked Issues Check | ✅ Passed | The changes comprehensively bump the specified third-party action versions across multiple workflows—including actions/github-script to v8, actions/checkout to v5, and google-github-actions/auth to v3—thereby satisfying the VIP-86 objective of updating action versions. |
| Description Check | ✅ Passed | The pull request description clearly outlines the purpose of closing VIP-86 and details relevant changes such as updating actions, fixing the typo, adding the ref-comment-in-commit workflow, enabling npm audit signatures, and introducing package-manager output which all correspond to the code changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e65dd66 and b10c045.

📒 Files selected for processing (3)
  • .github/workflows/ref-comment-in-commit.yaml (1 hunks)
  • .github/workflows/reusable-release.yml (3 hunks)
  • .github/workflows/reusable-tag-docker-release-images.yml (3 hunks)

Comment @coderabbitai help to get the list of available commands and usage tips.
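
The lockfile-driven install flow summarized in the walkthrough above, sketched as an added shell example. This is not the contents of setup/action.yaml and not code from the PR: the function names, the `cache_hit` argument and the use of `--if-present` for "prepare (if defined)" are assumptions, and the functions only print the command sequence so it can be checked offline.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), following the order shown in
# the sequence diagram: yarn.lock is checked before package-lock.json.
set -u

# Echo "yarn" or "npm" for the lockfile found in $1; fail if neither exists,
# so an unpinned dependency tree never reaches the install step.
detect_package_manager() {
  local dir="${1:-.}"
  if [ -f "$dir/yarn.lock" ]; then
    echo yarn
  elif [ -f "$dir/package-lock.json" ]; then
    echo npm
  else
    echo "no yarn.lock or package-lock.json in $dir" >&2
    return 1
  fi
}

# Print, one per line, the commands the step would run.
# $1 = project dir, $2 = "true" if the dependency cache was restored (assumed flag).
install_plan() {
  local dir="${1:-.}" cache_hit="${2:-false}" pm
  pm="$(detect_package_manager "$dir")" || return 1
  case "$pm" in
    yarn)
      # --immutable fails the install if yarn.lock would have to change.
      echo "yarn install --immutable"
      ;;
    npm)
      # npm ci installs exactly what package-lock.json pins.
      echo "npm ci"
      # Freshly downloaded packages get their registry signatures and
      # provenance attestations checked; a restored cache skips this.
      if [ "$cache_hit" != "true" ]; then
        echo "npm audit signatures"
      fi
      echo "npm run prepare --if-present"
      ;;
  esac
}
```
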

coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 690e8a3 and e65dd66.

📒 Files selected for processing (6)
  • .github/workflows/ci.yaml (1 hunks)
  • .github/workflows/notify-main-branch-failure.yaml (1 hunks)
  • .github/workflows/ref-comment-in-commit.yaml (1 hunks)
  • .github/workflows/reusable-release.yml (2 hunks)
  • .github/workflows/reusable-tag-docker-release-images.yml (2 hunks)
  • setup/action.yaml (3 hunks)

This was referenced Oct 7, 2025
marek-saji marked this pull request as draft October 7, 2025 09:05
marek-saji marked this pull request as ready for review October 7, 2025 09:23
marek-saji merged commit d02ddf8 into v1 Oct 7, 2025
2 checks passed
marek-saji deleted the chore/actions-ver-update branch October 7, 2025 09:38
coderabbitai bot mentioned this pull request Feb 17, 2026
1 task