POC: Configure ipa-validation-ruleset package

[sphterry]

Proposed changes

Support for IPA Validation Framework NPM package.

• Configure package.json for IPA Validation Framework npm package
• Update documentation
  • Extend ReadMEs for external developers
  • Update contributing.md with override documentation
• Add Changelog
  • Added semantic commit check (taken from ipa repo) to enforce conventional commits
  • Add changelog generation script
  • Include new code health check on changelog
• Add workflow for package release

More details

Jira ticket: CLOUDP-329998

[wtrocki]

What is the purpose of this checkout?

[wtrocki]

[FYI] Checkout of the repository is optional step if your action does not need repository (uses GH API you can skip it)

[wtrocki]

Reminder to remove it before merge

[wtrocki]

FYI: Unsure if that will work (we do have branch protection rules)

[wtrocki]

[wtrocki]

I suggest we get changelog generated in separate PR.
You need specific filters and standards for changelog to be introduced for it to have any value.

[wtrocki]

Since we have a root package.json, we need to configure npm workspaces by adding:

{  
  "workspaces": [  
    "path/to/subfolder"  
  ]  
}  

As General FYI: A nested package.json without proper workspace configuration can cause:

• Publishing conflicts - npm may not recognize the correct package scope
• Dependency resolution issues - nested dependencies might not resolve properly
• NPM metadata - npm/tools may not know which package.json to use as the source of truth
• Missing Dependencies/Scripts Migration

My suggestion is to split this PR and start with proper package structure.
PR is missing certain aspects:

First PR: Set up proper npm workspace structure
Configure workspaces in root package.json
Move/duplicate necessary dependencies
Ensure scripts work in workspace context
Test locally with npm pack
Second PR: Enable Dependabot after confirming the package structure works
Third PR: Add semantic commits checks
... etc. etd.

This approach will allow us to validate and review the package structure before introducing automated semantics checks and publish, reducing the risk of broken publishes to NPM that will require lengthy support tickets.

[wtrocki]

If you plan for this readme to be part of the NPM docs then your package is missing dependencies.

[wtrocki]

Some of those are actually dev dependencies and not runtime dependencies.
We need to have minimal set of dependencies for npm package as it will be installed without dev dependencies

[wtrocki]

Security recommendation. Do not use tag for third party packages that deal with credentials.
Edit:
You could avoid using action and have a separate publish script etc.

Suggested change

	- uses: JS-DevTools/npm-publish@v3
	- uses: JS-DevTools/npm-publish@sha here
	with:
	token: ${{ secrets.IPA_VALIDATION_NPM_TOKEN }}
	package: "tools/spectral/ipa/package.json"

[wtrocki]

[nit] Do we want to publish on non code changes like Readme.md

[wtrocki]

Summary: @sphterry Thank you for amazing changes covering everything we need to publish package.
Minor tweaks suggested:

• Decide if ipa package is separate or part of the workspace
• Clarify changelog format and workflow to publish it to main
• Publication of NPM package. What README to use, what to npmignore etc.
• suggest to split code in small PRs. Have separate rollout where publication PR should be one liner PR. Can be done by commenting out main branch in action