diggsweden · janderssonse · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
diff --git a/.conform.yaml b/.conform.yaml
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
@@ -17,6 +17,6 @@ jobs:
       contents: read
       security-events: write
       id-token: write
-    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@e1e1387d5b0399bb5edb00e40485746772344176 # v2.6.0
+    uses: diggsweden/reusable-ci/.github/workflows/security-openssf-scorecard.yml@659cc5dbdbedc47f1510817f38aba07de8a93ae8 # v2.6.1
     with:
       publish-results: true
diff --git a/.github/workflows/pull-request-workflow.yml b/.github/workflows/pull-request-workflow.yml
@@ -11,7 +11,7 @@ concurrency:
   cancel-in-progress: true
 jobs:
   pr-checks:
-    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@e1e1387d5b0399bb5edb00e40485746772344176 # v2.6.0
+    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@659cc5dbdbedc47f1510817f38aba07de8a93ae8 # v2.6.1
     permissions:
       contents: read
       packages: read

diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml
@@ -16,7 +16,7 @@ permissions:
   contents: read
 jobs:
   release:
-    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@e1e1387d5b0399bb5edb00e40485746772344176 # v2.6.0
+    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@659cc5dbdbedc47f1510817f38aba07de8a93ae8 # v2.6.1
     permissions:
       contents: write
       packages: write

diff --git a/.gitignore b/.gitignore
@@ -1 +1,5 @@
 tests/libs/
+
+#IntelliJ
+/*.iml
+/.idea/
diff --git a/.gommitlint.yaml b/.gommitlint.yaml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: CC0-1.0
+
+gommitlint:
+  crypto_signature:
+    required: true
+    require_ssh: true
+  repo:
+    max_commits_ahead: 10
diff --git a/.mise.toml b/.mise.toml
@@ -21,7 +21,7 @@ PIP_INDEX_URL = "{{ get_env(name='PIP_INDEX_URL', default='') }}"
 
 [tools]
 "aqua:rhysd/actionlint" = "v1.7.11"
-"aqua:siderolabs/conform" = "v0.1.0-alpha.30"
+"forgejo:itiquette/gommitlint" = "0.9.3"
 "aqua:zricethezav/gitleaks" = "v8.30.0"
 "ubi:rvben/rumdl" = "v0.1.25"
 "aqua:koalaman/shellcheck" = "v0.11.0"

diff --git a/README.md b/README.md
@@ -69,7 +69,8 @@ Run on every project. Skip automatically if no relevant files found:
 
 | Recipe | Tool | Checks | Skips when |
 |--------|------|--------|------------|
-| `lint-commits` | conform | Commit message format | On default branch or no new commits |
+| `lint-version-control` | git | Working tree is clean and version controlled | Never (fails if dirty or outside a Git repo) |
+| `lint-commits` | gommitlint | Commit message format | On default branch or no new commits |
 | `lint-secrets` | gitleaks | Secrets/credentials | Never (scans commits) |
 | `lint-yaml` | yamlfmt | YAML formatting | No .yml/.yaml files |
 | `lint-markdown` | rumdl | Markdown style | No .md files |
@@ -438,6 +439,7 @@ devbase-check/
 │   ├── secrets.sh
 │   ├── shell-fmt.sh
 │   ├── shell.sh
+│   ├── version-control.sh
 │   ├── xml.sh
 │   └── yaml.sh
 ├── scripts/

diff --git a/examples/base-justfile b/examples/base-justfile
@@ -57,7 +57,7 @@ setup-devtools:
 # Check required tools
 [group('setup')]
 check-tools: _ensure-devtools
-    @{{devtools_dir}}/scripts/check-tools.sh --check-devtools mise git just rumdl yamlfmt actionlint gitleaks shellcheck shfmt conform reuse hadolint
+    @{{devtools_dir}}/scripts/check-tools.sh --check-devtools mise git just rumdl yamlfmt actionlint gitleaks shellcheck shfmt gommitlint reuse hadolint
 
 # Install tools via mise
 [group('setup')]

diff --git a/examples/java-justfile b/examples/java-justfile
@@ -59,7 +59,7 @@ setup-devtools:
 # Check required tools
 [group('setup')]
 check-tools: _ensure-devtools
-    @{{devtools_dir}}/scripts/check-tools.sh --check-devtools mise git just java mvn rumdl yamlfmt actionlint gitleaks shellcheck shfmt conform reuse
+    @{{devtools_dir}}/scripts/check-tools.sh --check-devtools mise git just java mvn rumdl yamlfmt actionlint gitleaks shellcheck shfmt gommitlint reuse
 
 # Install tools via mise
 [group('setup')]

diff --git a/examples/node-justfile b/examples/node-justfile
@@ -57,7 +57,7 @@ setup-devtools:
 # Check required tools
 [group('setup')]
 check-tools: _ensure-devtools
-    @{{devtools_dir}}/scripts/check-tools.sh --check-devtools mise git just node npm rumdl yamlfmt actionlint gitleaks shellcheck shfmt conform reuse
+    @{{devtools_dir}}/scripts/check-tools.sh --check-devtools mise git just node npm rumdl yamlfmt actionlint gitleaks shellcheck shfmt gommitlint reuse
 
 # Install Node dependencies
 [group('setup')]

diff --git a/justfile b/justfile
@@ -58,7 +58,12 @@ lint-base:
 [group('lint')]
 lint-all: lint-base
 
-# Validate commit messages (conform)
+# Validate version control
+[group('lint')]
+lint-version-control:
+    @{{lint}}/version-control.sh
+
+# Validate commit messages (gommitlint)
 [group('lint')]
 lint-commits:
     @{{lint}}/commits.sh

diff --git a/linters/commits.sh b/linters/commits.sh
@@ -10,35 +10,66 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/../utils/colors.sh"
 source "${SCRIPT_DIR}/../utils/git-utils.sh"
 
+emit_status() {
+  [[ "${DEVBASE_CHECK_MARKERS:-0}" == "1" ]] || return 0
+  printf "DEVBASE_CHECK_STATUS=%s\n" "$1"
+  [[ -n "${2:-}" ]] && printf "DEVBASE_CHECK_DETAILS=%s\n" "$2"
+}
+
 main() {
-  print_header "COMMIT HEALTH (CONFORM)"
+  print_header "COMMIT HEALTH (GOMMITLINT)"
 
-  local current_branch default_branch
+  local current_branch default_branch base_branch local_base remote_base
   current_branch=$(git branch --show-current)
   default_branch=$(get_default_branch)
+  local_base="$default_branch"
+  remote_base="origin/${default_branch}"
+  base_branch="$local_base"
+
+  # Prefer local default branch first. Fall back to origin/<default> when local
+  # is missing or not in HEAD ancestry (avoids false ahead counts in diverged trees).
+  if branch_exists "$local_base"; then
+    if ! git merge-base --is-ancestor "$local_base" HEAD >/dev/null 2>&1 && branch_exists "$remote_base"; then
+      base_branch="$remote_base"
+    fi
+  elif branch_exists "$remote_base"; then
+    base_branch="$remote_base"
+  fi
 
-  # Skip if on the base branch itself (conform can't handle base..HEAD when they're the same)
+  # Skip if on the base branch itself (gommitlint can't handle base..HEAD when they're the same)
   if [[ "$current_branch" == "$default_branch" ]]; then
     print_info "On ${default_branch} - no commits to check against base branch"
+    emit_status "na" "n/a"
     return 0
   fi
 
-  if ! has_commits_since "$default_branch"; then
-    print_info "No commits to check on ${current_branch} (compared to ${default_branch})"
+  if ! has_commits_since "$base_branch"; then
+    print_info "No commits to check on ${current_branch} (compared to ${base_branch})"
+    emit_status "na" "n/a"
     return 0
   fi
 
-  if ! command -v conform >/dev/null 2>&1; then
-    print_warning "conform not found in PATH - skipping commit linting"
+  # Detect SHA-256 repo and select correct binary
+  # See: https://github.com/go-git/go-git/issues/706
+  local gommitlint_cmd="gommitlint"
+  if git rev-parse --show-object-format 2>/dev/null | grep -q sha256; then
+    gommitlint_cmd="gommitlint-sha256"
+  fi
+
+  if ! command -v "$gommitlint_cmd" >/dev/null 2>&1; then
+    print_warning "${gommitlint_cmd} not found in PATH - skipping commit linting"
     echo "  Install: mise install"
+    emit_status "skip" "not in PATH"
     return 0
   fi
 
-  if conform enforce --base-branch="${default_branch}" 2>/dev/null; then
+  if $gommitlint_cmd validate --base-branch="${base_branch}" 2>/dev/null; then
     print_success "Commit health check passed"
+    emit_status "pass" "ok"
     return 0
   else
     print_error "Commit health check failed - check your commit messages"
+    emit_status "fail" "failed"
     return 1
   fi
 }

diff --git a/linters/container.sh b/linters/container.sh
@@ -9,6 +9,12 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/../utils/colors.sh"
 
+emit_status() {
+  [[ "${DEVBASE_CHECK_MARKERS:-0}" == "1" ]] || return 0
+  printf "DEVBASE_CHECK_STATUS=%s\n" "$1"
+  [[ -n "${2:-}" ]] && printf "DEVBASE_CHECK_DETAILS=%s\n" "$2"
+}
+
 find_containerfiles() {
   find . -type f \( -name "Containerfile" -o -name "Containerfile.*" -o -name "Dockerfile" -o -name "Dockerfile.*" \) -not -path "./.git/*" 2>/dev/null
 }
@@ -21,12 +27,14 @@ main() {
 
   if [[ -z "$files" ]]; then
     print_info "No Containerfile/Dockerfile found to check"
+    emit_status "na" "n/a"
     return 0
   fi
 
   if ! command -v hadolint >/dev/null 2>&1; then
     print_warning "hadolint not found in PATH - skipping container linting"
     echo "  Install: mise install"
+    emit_status "skip" "not in PATH"
     return 0
   fi
 
@@ -40,9 +48,11 @@ main() {
 
   if [[ $failed -eq 0 ]]; then
     print_success "Container linting passed"
+    emit_status "pass" "ok"
     return 0
   else
     print_error "Container linting failed"
+    emit_status "fail" "failed"
     return 1
   fi
 }

diff --git a/linters/github-actions.sh b/linters/github-actions.sh
@@ -9,25 +9,35 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/../utils/colors.sh"
 
+emit_status() {
+  [[ "${DEVBASE_CHECK_MARKERS:-0}" == "1" ]] || return 0
+  printf "DEVBASE_CHECK_STATUS=%s\n" "$1"
+  [[ -n "${2:-}" ]] && printf "DEVBASE_CHECK_DETAILS=%s\n" "$2"
+}
+
 main() {
   print_header "GITHUB ACTIONS LINTING (ACTIONLINT)"
 
   if [[ ! -d .github/workflows ]]; then
     print_info "No GitHub Actions workflows found to check"
+    emit_status "na" "n/a"
     return 0
   fi
 
   if ! command -v actionlint >/dev/null 2>&1; then
     print_warning "actionlint not found in PATH - skipping GitHub Actions linting"
     echo "  Install: mise install"
+    emit_status "skip" "not in PATH"
     return 0
   fi
 
   if actionlint; then
     print_success "GitHub Actions linting passed"
+    emit_status "pass" "ok"
     return 0
   else
     print_error "GitHub Actions linting failed"
+    emit_status "fail" "failed"
     return 1
   fi
 }

diff --git a/linters/java/checkstyle.sh b/linters/java/checkstyle.sh
@@ -11,24 +11,34 @@ source "${SCRIPT_DIR}/../../utils/colors.sh"
 
 maven_opts=(--batch-mode --no-transfer-progress --errors -Dstyle.color=always)
 
+emit_status() {
+  [[ "${DEVBASE_CHECK_MARKERS:-0}" == "1" ]] || return 0
+  printf "DEVBASE_CHECK_STATUS=%s\n" "$1"
+  [[ -n "${2:-}" ]] && printf "DEVBASE_CHECK_DETAILS=%s\n" "$2"
+}
+
 main() {
   print_header "JAVA CHECKSTYLE"
 
   if [[ ! -f pom.xml ]]; then
     print_warning "No pom.xml found, skipping"
+    emit_status "skip" "skipped"
     return 0
   fi
 
   if ! command -v mvn >/dev/null 2>&1; then
     print_error "mvn not found. Install with: mise install maven"
+    emit_status "fail" "failed"
     return 1
   fi
 
   if mvn "${maven_opts[@]}" checkstyle:check; then
     print_success "Checkstyle passed"
+    emit_status "pass" "ok"
     return 0
   else
     print_error "Checkstyle failed"
+    emit_status "fail" "failed"
     return 1
   fi
 }

diff --git a/linters/java/format.sh b/linters/java/format.sh
@@ -12,9 +12,16 @@ source "${SCRIPT_DIR}/../../utils/colors.sh"
 maven_opts=(--batch-mode --no-transfer-progress --errors -Dstyle.color=always)
 readonly ACTION="${1:-check}"
 
+emit_status() {
+  [[ "${DEVBASE_CHECK_MARKERS:-0}" == "1" ]] || return 0
+  printf "DEVBASE_CHECK_STATUS=%s\n" "$1"
+  [[ -n "${2:-}" ]] && printf "DEVBASE_CHECK_DETAILS=%s\n" "$2"
+}
+
 check_maven() {
   if ! command -v mvn >/dev/null 2>&1; then
     print_error "mvn not found. Install with: mise install maven"
+    emit_status "fail" "failed"
     return 1
   fi
 }
@@ -27,9 +34,11 @@ check_format() {
   print_info "Checking Java formatting..."
   if mvn "${maven_opts[@]}" formatter:validate; then
     print_success "Java formatting check passed"
+    emit_status "pass" "ok"
     return 0
   else
     print_error "Java formatting check failed - run 'just lint-java-fmt-fix' to fix"
+    emit_status "fail" "failed"
     return 1
   fi
 }
@@ -38,9 +47,11 @@ fix_format() {
   print_info "Formatting Java code..."
   if mvn "${maven_opts[@]}" formatter:format; then
     print_success "Java code formatted"
+    emit_status "pass" "ok"
     return 0
   else
     print_error "Java formatting failed"
+    emit_status "fail" "failed"
     return 1
   fi
 }
@@ -50,6 +61,7 @@ main() {
 
   if ! has_pom; then
     print_warning "No pom.xml found, skipping"
+    emit_status "skip" "skipped"
     return 0
   fi
 
@@ -63,6 +75,7 @@ main() {
   *)
     print_error "Unknown action: $ACTION"
     printf "Usage: %s [check|fix]\n" "$0"
+    emit_status "fail" "failed"
     return 1
     ;;
   esac