ci: add nightly

[Lars Kemper (larskemper)]

resolves https://github.com/shopware/shopware-private/issues/214

Changes

• refactored workflows to be reusable
• added caching for npm dependencies
• added concurrency groups (runners with old state get canceled)
• added nightly.yml with slack notification
• added reactivate-workflows.yml in case github deactivates workflows cause of inactivity

[Nikolas Evers (vintagesucks)]

Suggested change

	uses: actions/cache@v4
	uses: actions/cache@v5

but do we also want to pin all our action versions to sha here?

[Lars Kemper (larskemper)]

i updated to v5

but do we also want to pin all our action versions to sha here?

What is the benefit 😅 ?

[Nikolas Evers (vintagesucks)]

uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4

https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions

Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release.

@v5 is just a tag: https://github.com/actions/cache/releases/tag/v5

[Nikolas Evers (vintagesucks)]

TIL: There even is a Require actions to be pinned to a full-length commit SHA setting, but I have no idea how that would behave in combination with our reusable workflows.

• https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/#enforce-sha-pinning

[Lars Kemper (larskemper)]

good to know 🤝
I pinned them to 5.0.4

[Lars Kemper (larskemper)]

we could try the setting and see what happens 😄