docs: refactor CI setup example of GitHub Actions

[Marukome0743]

Description

Enhancements:

• Simplify workflow steps for clarity and maintainability

Documentation:

• Add a permissions block granting read access to repository contents in the CI example
• Update runner to ubuntu-latest and bump actions/checkout to v4
• Replace manual apt-based Node.js install with actions/setup-node@v4 and enable npm caching
• Consolidate commitlint installation to use @commitlint/cli and @commitlint/config-conventional

File-Level Changes

Change	Details	Files
Add explicit CI permissions	Grant contents read permission under permissions block	docs/guides/ci-setup.md
Update GitHub Actions runner and checkout action	Switch runner from ubuntu-22.04 to ubuntu-latest Upgrade actions/checkout from v3 to v4	docs/guides/ci-setup.md
Replace manual Node.js installation with setup-node	Remove apt-based dependency and Node.js installs Use actions/setup-node@v4 with node-version lts/* and npm caching	docs/guides/ci-setup.md
Simplify commitlint installation	Replace two npm install commands with a single install of @commitlint/cli and @commitlint/config-conventional as dev dependencies	docs/guides/ci-setup.md

Motivation and Context

Modernize the GitHub Actions example in the CI setup guide by simplifying Node.js and commitlint setup and updating workflow components.

Closes #4132

Usage examples

name: CI

on:
  push:
  pull_request:

permissions:
  contents: read

jobs:
  commitlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: lts/*
          cache: npm
      - name: Install commitlint
        run: npm install -D @commitlint/cli @commitlint/config-conventional
      - name: Print versions
        run: |
          git --version
          node --version
          npm --version
          npx commitlint --version

      - name: Validate current commit (last commit) with commitlint
        if: github.event_name == 'push'
        run: npx commitlint --last --verbose

      - name: Validate PR commits with commitlint
        if: github.event_name == 'pull_request'
        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose

Sequence Diagram for the Updated 'commitlint' Job Steps

sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Checkout as actions/checkout@v4
    participant SetupNode as actions/setup-node@v4
    participant NPM as npm
    participant CommitlintCLI as "npx commitlint"

    Runner->>Checkout: Execute (with: fetch-depth: 0)
    Checkout-->>Runner: Code checked out
    Runner->>SetupNode: Execute (with: node-version: "lts/*", cache: "npm")
    SetupNode-->>Runner: Node.js environment set up
    Runner->>NPM: Run "npm install -D @commitlint/cli @commitlint/config-conventional"
    NPM-->>Runner: Dependencies installed
    Runner->>Runner: Run script "Print versions"
    alt If github.event_name == "push"
        Runner->>CommitlintCLI: Run "npx commitlint --from HEAD~1 --to HEAD --verbose"
        CommitlintCLI-->>Runner: Validation result
    end

Loading

How Has This Been Tested?

Tested in my local repo.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

[Marukome0743]

If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the write permission only to a specific types as issues: write or pull-requests: write.

References

• Assigning permissions to jobs

[Marukome0743]

First, move the install commitlint step for printing versions.
Second, remove conventional-changelog-conventionalcommits because this GitHub Actions doesn't make changelog.
Finally, the command is npm install -D @commitlint/cli @commitlint/config-conventional to match Install section.

[escapedcat]

Thanks! ❤️