ci: migrate to netresearch/.github reusable container workflows

.github/workflows/lint.yml

@@ -1,5 +1,21 @@
 # SPDX-License-Identifier: MIT
 # Copyright (c) 2026 Netresearch DTT GmbH
+#
+# Static checks for the snipe-it-docker-compose-stack repo.
+#
+# Splits into:
+#   - container-lint  → delegates Dockerfile (hadolint) + shellcheck on shipped
+#                       scripts to netresearch/.github's reusable
+#                       lint-container.yml on @main. Reusable pins hadolint to
+#                       v2.14.0, which handles Docker 25's HEALTHCHECK
+#                       --start-interval correctly. (Earlier v2.12.0 pin was a
+#                       bug — see netresearch/.github#141 + a4a763e.)
+#   - compose-validate → stays inline. Validates docker compose config with
+#                        repo-specific .env.example placeholder substitution
+#                        (caller-specific shape that doesn't generalise).
+#   - yamllint         → stays inline. The repo has no .yamllint.yml config
+#                        file; rules are passed via config_data here to keep
+#                        the contract local.
 
 name: lint
 
@@ -14,26 +30,13 @@ permissions:
   contents: read
 
 jobs:
-  hadolint:
-    name: hadolint (Dockerfile)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      # hadolint/hadolint-action@v3.1.0 bundles hadolint v2.12.0 (Mar 2023),
-      # which predates Docker 25's HEALTHCHECK --start-interval flag and
-      # crashes with "invalid flag: --start-interval" on any Dockerfile
-      # that uses it. Use `hadolint:latest-alpine` directly so we track
-      # current hadolint releases (the action wraps the same image but
-      # version-pinned to whenever the action shipped).
-      - name: hadolint (via latest-alpine image)
-        run: |
-          docker run --rm -i \
-            -v "${{ github.workspace }}/.hadolint.yaml:/.config/hadolint.yaml:ro" \
-            hadolint/hadolint:latest-alpine \
-            hadolint --config /.config/hadolint.yaml --failure-threshold warning - \
-            < Dockerfile
+  container-lint:
+    # hadolint (always) + shellcheck (because shell-scandirs is set).
+    uses: netresearch/.github/.github/workflows/lint-container.yml@main
+    permissions:
+      contents: read
+    with:
+      shell-scandirs: ./rootfs/usr/local/bin ./bin
 
   compose-validate:
     name: docker compose config
@@ -54,17 +57,6 @@ jobs:
           docker compose config --quiet
           docker compose -f compose.yml config --quiet
 
-  shellcheck:
-    name: shellcheck (entrypoint + scripts)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
-        with:
-          scandir: ./rootfs/usr/local/bin ./bin
-
   yamllint:
     name: yamllint
     runs-on: ubuntu-latest

.github/workflows/scorecard.yml

@@ -2,6 +2,7 @@
 # Copyright (c) 2026 Netresearch DTT GmbH
 #
 # OpenSSF Scorecard — supply-chain security health check.
+# Delegates to the org-wide reusable in netresearch/.github.
 # Runs weekly against main and uploads SARIF to GitHub code-scanning.
 # Results also surface on the OpenSSF Scorecard public dashboard
 # (https://securityscorecards.dev/) once enabled.
@@ -17,16 +18,15 @@ on:
   workflow_dispatch:
 
 # Top-level permissions explicitly enumerated (SonarCloud rule
-# githubactions:S8234). The `analysis` job below requests its own
-# additional permissions; this minimum lets supporting tooling read
-# metadata without granting writes.
+# githubactions:S8234). The reusable's job requests its own
+# additional permissions via its own permissions block; this minimum
+# lets supporting tooling read metadata without granting writes.
 permissions:
   contents: read
 
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-latest
     permissions:
       # required by scorecard-action for publishing results
       security-events: write
@@ -35,29 +35,4 @@ jobs:
       contents: read
       # needed for nested API calls (Branch-Protection, Webhooks checks)
       actions: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Run analysis
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # publish_results: true uploads to the OpenSSF public dashboard.
-          # Required for the org-level Scorecard badge.
-          publish_results: true
-
-      - name: Upload artifact (raw results)
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@bc0b696b4103f5fe60f15749af68a046868d511a # codeql-bundle-v2.25.4
-        with:
-          sarif_file: results.sarif
+    uses: netresearch/.github/.github/workflows/scorecard.yml@main

.github/workflows/smoke-test.yml

@@ -1,5 +1,24 @@
 # SPDX-License-Identifier: MIT
 # Copyright (c) 2026 Netresearch DTT GmbH
+#
+# Smoke tests for the snipe-it-docker-compose-stack repo.
+#
+# Splits into:
+#   - image-surface     → delegates buildx --load amd64 +
+#                         container-structure-test to the netresearch/.github
+#                         reusable smoke-test-container.yml. Pinned to the
+#                         feature branch until PR netresearch/.github#141
+#                         merges; flip to @main then.
+#   - compose-up        → stays inline. Boots the full compose stack with
+#                         placeholder-substituted .env and probes / for
+#                         HTTP 200/302 — snipe-it-specific bootstrap and
+#                         known HTTP route.
+#   - init-idempotency  → stays inline. Verifies bin/init.sh is idempotent —
+#                         snipe-it-specific contract (APP_KEY / random PW
+#                         generation must not re-roll on second run).
+#   - upstream-tests    → stays inline. Builds the `tester` Dockerfile stage
+#                         which runs the upstream Snipe-IT phpunit suite —
+#                         snipe-it-specific target stage.
 
 name: smoke-test
 
@@ -28,30 +47,14 @@ concurrency:
 
 jobs:
   image-surface:
-    name: container-structure-test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - name: Build amd64 image (load locally)
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: .
-          target: runtime
-          platforms: linux/amd64
-          load: true
-          tags: snipe-it-php-fpm:test
-          cache-from: type=gha,scope=smoke-test
-          cache-to: type=gha,scope=smoke-test,mode=max
-      - name: Install container-structure-test
-        run: |
-          curl -fsSL -o /tmp/cst \
-            "https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64"
-          sudo install /tmp/cst /usr/local/bin/container-structure-test
-      - name: Run image-surface tests
-        run: container-structure-test test --image snipe-it-php-fpm:test --config tests/container-structure-test.yaml
+    uses: netresearch/.github/.github/workflows/smoke-test-container.yml@main
+    permissions:
+      contents: read
+    with:
+      image-tag: snipe-it-php-fpm:test
+      target: runtime
+      cst-config-path: tests/container-structure-test.yaml
+      cache-scope: smoke-test
 
   compose-up:
     name: stack boots healthy