chore: reuse GitHub hygiene workflows (#176)

* chore(ci): convert to reusable GHA workflows via sovereign

* fix(release): declare "license": "MIT" in package.json

* fix(deps): upgrade vite to ^7.3.5 (HIGH CVEs)

* fix(deps): override tmp security advisory

* ci: limit reusable workflow permissions

---------

Co-authored-by: saagpatel <41898282+saagpatel@users.noreply.github.com>

Author: saagpatel

.github/workflows/git-hygiene.yml

@@ -3,60 +3,11 @@ name: git-hygiene
 on:
   pull_request:
     types: [opened, synchronize, reopened, edited]
-    branches: [master]
+    branches: [main, master]
 
 jobs:
-  commitlint:
-    runs-on: ubuntu-latest
+  git-hygiene:
+    uses: saagpatel/sovereign/.github/workflows/git-hygiene.yml@main
     permissions:
       contents: read
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-        with:
-          fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
-
-  pr-title:
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read
-    steps:
-      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  branch-name:
-    runs-on: ubuntu-latest
-    permissions:
       pull-requests: read
-    steps:
-      - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
-        with:
-          script: |
-            const branch = context.payload.pull_request?.head?.ref || "";
-            const pattern = /^codex\/(feat|fix|chore|refactor|docs|test|perf|ci|spike|hotfix)\/[a-z0-9]+(?:-[a-z0-9]+)*$/;
-            const releasePleasePattern = /^release-please--branches--.+--components--[a-z0-9]+(?:-[a-z0-9]+)*$/;
-            const dependabotPattern = /^dependabot\/.+/;
-            if (releasePleasePattern.test(branch)) {
-              core.info(`Release Please automation branch detected: ${branch}`);
-              return;
-            }
-            if (dependabotPattern.test(branch)) {
-              core.info(`Dependabot automation branch detected: ${branch}`);
-              return;
-            }
-            if (!pattern.test(branch)) {
-              core.setFailed(`Invalid branch name: ${branch}`);
-            }
-
-  secrets:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-        with:
-          fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/lockfile-rationale.yml

@@ -3,33 +3,10 @@ name: lockfile-rationale
 on:
   pull_request:
     types: [opened, synchronize, reopened, edited]
-    branches: [master]
-
-permissions:
-  contents: read
-  pull-requests: read
 
 jobs:
-  enforce:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
-        id: changed
-      - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
-        if: contains(steps.changed.outputs.all_changed_files, 'pnpm-lock.yaml') || contains(steps.changed.outputs.all_changed_files, 'package-lock.json') || contains(steps.changed.outputs.all_changed_files, 'yarn.lock')
-        with:
-          script: |
-            const body = context.payload.pull_request.body || "";
-            const author = context.payload.pull_request.user?.login || "";
-            const title = context.payload.pull_request.title || "";
-            const dependabotAuthors = new Set(["app/dependabot", "dependabot[bot]", "dependabot"]);
-            const isDependabotBump =
-              dependabotAuthors.has(author) && /^build\(deps\): bump /i.test(title);
-            if (isDependabotBump || (dependabotAuthors.has(author) && /updated-dependencies:/i.test(body))) {
-              core.info("Dependabot dependency bump accepted as lockfile rationale.");
-              return;
-            }
-            if (!/## Lockfile rationale/i.test(body)) {
-              core.setFailed("Lockfile changed but PR body lacks 'Lockfile rationale' section.");
-            }
+  lockfile-rationale:
+    uses: saagpatel/sovereign/.github/workflows/lockfile-rationale.yml@main
+    permissions:
+      contents: read
+      pull-requests: read

package.json

@@ -1,6 +1,7 @@
 {
   "name": "assistsupport",
   "private": true,
+  "license": "MIT",
   "version": "1.3.0",
   "type": "module",
   "scripts": {
@@ -132,7 +133,7 @@
     "stylelint-config-standard": "^39.0.1",
     "typescript": "~5.8.3",
     "typescript-eslint": "^8.59.2",
-    "vite": "^7.3.3",
+    "vite": "^7.3.5",
     "vitest": "^4.1.8",
     "web-vitals": "^5.2.0"
   }