docs: add per-action README files and update main README

Add README.md for go-lint, go-test, license-headers, and commitlint
actions following existing project conventions. Update main README with
new actions in the available actions table, repository structure tree,
and documentation links section.

Also includes linter-applied SHA pinning for action refs in docs.

Author: huaweic-nv

.github/actions/codeql-scan/README.md

@@ -412,7 +412,7 @@ jobs:
   codeql-go:
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       - uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
         with:
           languages: "go"
@@ -558,7 +558,7 @@ jobs:
   build-and-scan:
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 
       # CodeQL will trace this build
       - uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main

.github/actions/commitlint/README.md

@@ -0,0 +1,52 @@
+# Commitlint Action
+
+A GitHub Composite Action that validates commit messages against [Conventional Commits](https://www.conventionalcommits.org/) using `commitlint`.
+
+## Usage
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+    with:
+      fetch-depth: 0  # Required to access commit history
+  - name: Lint Commits
+    uses: NVIDIA/dsx-github-actions/.github/actions/commitlint@main
+```
+
+### With custom config
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+    with:
+      fetch-depth: 0
+  - name: Lint Commits
+    uses: NVIDIA/dsx-github-actions/.github/actions/commitlint@main
+    with:
+      config-file: '.commitlintrc.js'
+```
+
+## Inputs
+
+| Input | Description | Required | Default |
+| :--- | :--- | :--- | :--- |
+| `config-file` | Path to commitlint config file. If empty, uses default discovery. | `false` | `''` |
+| `from` | Lint commits starting from this ref (exclusive). | `false` | `''` |
+| `to` | Lint commits up to this ref (inclusive). | `false` | `HEAD` |
+| `node-version` | Node.js version to use. | `false` | `20` |
+
+## Behavior
+
+1. **Set up Node.js** using `actions/setup-node`.
+2. **Install commitlint** packages (`@commitlint/cli` and `@commitlint/config-conventional`).
+3. **Determine commit range** automatically:
+   - If `from` input is provided, uses that ref.
+   - In PR context: lints commits from the base branch (`origin/$GITHUB_BASE_REF`).
+   - In push context: lints only the latest commit (`HEAD~1..HEAD`).
+   - On initial commits or shallow clones: lints `HEAD` only.
+4. **Run commitlint** with verbose output.
+
+## Notes
+
+- The calling workflow must use `actions/checkout` with `fetch-depth: 0` (or at least enough depth to cover all commits in the PR) for commitlint to access the full commit range.
+- npm packages are installed with `--ignore-scripts` for supply chain safety.

.github/actions/go-lint/README.md

@@ -0,0 +1,46 @@
+# Go Lint Action
+
+A GitHub Composite Action that runs a Go linting suite: `golangci-lint`, `go fmt` check, and `go vet`.
+
+## Usage
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  - name: Go Lint
+    uses: NVIDIA/dsx-github-actions/.github/actions/go-lint@main
+    with:
+      working-directory: '.'
+```
+
+### With vendor mode and custom config
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  - name: Go Lint
+    uses: NVIDIA/dsx-github-actions/.github/actions/go-lint@main
+    with:
+      go-flags: '-mod=vendor'
+      config-path: '.golangci.yml'
+      golangci-lint-args: '--timeout=5m'
+```
+
+## Inputs
+
+| Input | Description | Required | Default |
+| :--- | :--- | :--- | :--- |
+| `go-version` | Go version to use (e.g., `1.25.5`). If empty, uses `go.mod`. | `false` | `''` |
+| `go-version-file` | Path to `go.mod` for version detection. | `false` | `go.mod` |
+| `working-directory` | Working directory for lint commands. | `false` | `.` |
+| `golangci-lint-version` | golangci-lint version. | `false` | `v2.11` |
+| `golangci-lint-args` | Additional arguments for `golangci-lint run`. | `false` | `''` |
+| `config-path` | Path to `.golangci.yml` config file. | `false` | `''` |
+| `go-flags` | `GOFLAGS` environment variable (e.g., `-mod=vendor`). | `false` | `''` |
+
+## Behavior
+
+1. **Set up Go** using `actions/setup-go` with caching enabled.
+2. **Check go fmt** by running `gofmt -l` on all `.go` files (excluding `vendor/`). Fails if any files are unformatted.
+3. **Run go vet** on all packages.
+4. **Run golangci-lint** via `golangci/golangci-lint-action`.

.github/actions/go-test/README.md

@@ -0,0 +1,65 @@
+# Go Test Action
+
+A GitHub Composite Action that runs Go tests with race detection, coverage reporting, and JUnit XML output via `gotestsum`.
+
+## Usage
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  - name: Go Test
+    uses: NVIDIA/dsx-github-actions/.github/actions/go-test@main
+```
+
+### With custom packages and flags
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  - name: Go Test
+    uses: NVIDIA/dsx-github-actions/.github/actions/go-test@main
+    with:
+      packages: './pkg/...'
+      test-flags: '-v -count=1 -timeout=10m'
+      go-flags: '-mod=vendor'
+      artifact-name: 'test-results-${{ matrix.go-version }}'
+```
+
+## Inputs
+
+| Input | Description | Required | Default |
+| :--- | :--- | :--- | :--- |
+| `go-version` | Go version to use (e.g., `1.25.5`). If empty, uses `go.mod`. | `false` | `''` |
+| `go-version-file` | Path to `go.mod` for version detection. | `false` | `go.mod` |
+| `working-directory` | Working directory for running tests. | `false` | `.` |
+| `packages` | Go packages to test. | `false` | `./...` |
+| `race` | Enable race detector. | `false` | `true` |
+| `coverage` | Enable coverage reporting. | `false` | `true` |
+| `coverage-file` | Coverage output file name. | `false` | `coverage.out` |
+| `junit` | Generate JUnit XML report via `gotestsum`. | `false` | `true` |
+| `junit-file` | JUnit XML output file name. | `false` | `junit-report.xml` |
+| `test-flags` | Additional flags passed to `go test`. | `false` | `-v -count=1` |
+| `go-flags` | `GOFLAGS` environment variable (e.g., `-mod=vendor`). | `false` | `''` |
+| `gotestsum-version` | `gotestsum` version to install. | `false` | `v1.12.0` |
+| `upload-artifacts` | Upload coverage and JUnit reports as workflow artifacts. | `false` | `true` |
+| `artifact-name` | Name for uploaded artifact (override to avoid collisions in matrix builds). | `false` | `go-test-results` |
+
+## Outputs
+
+| Output | Description |
+| :--- | :--- |
+| `coverage-file` | Path to coverage output file. |
+| `junit-file` | Path to JUnit XML report. |
+
+## Behavior
+
+1. **Set up Go** using `actions/setup-go` with caching enabled.
+2. **Install gotestsum** (pinned version) if JUnit output is enabled.
+3. **Run tests** with configurable race detection, coverage, and JUnit output.
+4. **Display coverage summary** showing the total coverage percentage.
+5. **Upload artifacts** (coverage and JUnit reports) with 7-day retention.
+
+## Notes
+
+- When using matrix builds, set `artifact-name` to a unique value per matrix cell to avoid upload collisions (e.g., `artifact-name: 'test-results-${{ matrix.go-version }}'`).
+- All shell inputs are routed through environment variables to prevent expression injection.

.github/actions/license-headers/README.md

@@ -0,0 +1,46 @@
+# License Headers Action
+
+A GitHub Composite Action that checks (and optionally adds) SPDX license headers using `addlicense`.
+
+## Usage
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  - name: Check License Headers
+    uses: NVIDIA/dsx-github-actions/.github/actions/license-headers@main
+```
+
+### Auto-add missing headers
+
+```yaml
+steps:
+  - uses: actions/checkout@v4
+  - name: Add License Headers
+    uses: NVIDIA/dsx-github-actions/.github/actions/license-headers@main
+    with:
+      check-only: 'false'
+      paths: 'src/ pkg/ cmd/'
+      ignore: 'vendor/**,testdata/**'
+```
+
+## Inputs
+
+| Input | Description | Required | Default |
+| :--- | :--- | :--- | :--- |
+| `license` | License type (`apache`, `mit`, `bsd`). | `false` | `apache` |
+| `copyright-holder` | Copyright holder string. | `false` | `NVIDIA CORPORATION & AFFILIATES. All rights reserved.` |
+| `year` | Copyright year. | `false` | `2026` |
+| `paths` | Space-separated paths to check. | `false` | `.` |
+| `ignore` | Comma-separated glob patterns to ignore. | `false` | `vendor/**` |
+| `check-only` | Only check headers (fail if missing). Set to `false` to auto-add. | `false` | `true` |
+| `addlicense-version` | `addlicense` tool version. | `false` | `v1.2.0` |
+| `go-version` | Go version for installing `addlicense`. If empty, uses existing Go. | `false` | `''` |
+
+## Behavior
+
+1. **Set up Go** (optional, only if `go-version` is specified).
+2. **Install addlicense** at the pinned version.
+3. **Check or add** license headers depending on the `check-only` flag.
+   - Check mode: fails if any files are missing headers.
+   - Add mode: automatically inserts missing headers.

.github/actions/semantic-release/README.md

@@ -291,7 +291,7 @@ steps:
 ### Example 7: NPM Package Publishing
 
 ```yaml
-- uses: actions/setup-node@v4
+- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
   with:
     node-version: "20"
 

README.md

@@ -13,6 +13,10 @@ A collection of reusable GitHub Actions for standardizing CI/CD workflows across
 | [docker-build](.github/actions/docker-build/)           | Docker Buildx build/push wrapper  | Build/push multi-arch OCI images  |
 | [git-tag](.github/actions/git-tag/)                     | Create and push git tag           | Tagging releases                  |
 | [slack-notify](.github/actions/slack-notify/)           | Send notifications to Slack       | CI/CD status notifications        |
+| [go-lint](.github/actions/go-lint/)                     | Go linting (golangci-lint, fmt, vet) | Go code quality checks         |
+| [go-test](.github/actions/go-test/)                     | Go tests with coverage and JUnit  | Go test execution and reporting   |
+| [license-headers](.github/actions/license-headers/)     | SPDX license header checks        | License compliance                |
+| [commitlint](.github/actions/commitlint/)               | Conventional commit validation    | Commit message enforcement        |
 
 ## ♻️ Available Workflows
 
@@ -107,6 +111,10 @@ This reusable workflow wraps `skopeo copy`, so it copies the entire manifest lis
 - [Resource Push NGC Action](.github/actions/resource-push-ngc/README.md)
 - [Docker Build Action](.github/actions/docker-build/README.md)
 - [Slack Notify Action](.github/actions/slack-notify/README.md)
+- [Go Lint Action](.github/actions/go-lint/README.md)
+- [Go Test Action](.github/actions/go-test/README.md)
+- [License Headers Action](.github/actions/license-headers/README.md)
+- [Commitlint Action](.github/actions/commitlint/README.md)
 - [Workflows Guide](.github/workflows/README.md)
 
 ## 🎯 Features
@@ -309,7 +317,11 @@ If CI still fails, execute `pre-commit run actionlint --all-files` or `pre-commi
 │   ├── semantic-release/   # Automated versioning and releases
 │   ├── resource-push-ngc/  # NGC resources publishing
 │   ├── git-tag/            # Create and push git tag
-│   └── slack-notify/       # Send Slack notifications
+│   ├── slack-notify/       # Send Slack notifications
+│   ├── go-lint/            # Go linting (golangci-lint, fmt, vet)
+│   ├── go-test/            # Go tests with coverage and JUnit
+│   ├── license-headers/    # SPDX license header checks
+│   └── commitlint/         # Conventional commit validation
 └── workflows/
     ├── release.yml         # Automatic semantic versioning
     ├── promote-image.yml   # Promote image across registries