From 570ca6c8b0fc08db1e13aa35f9408223e3d78fe9 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Thu, 22 Jan 2026 16:48:11 +0100 Subject: [PATCH 01/11] pipeline --- .github/workflows/ci.yml | 2 +- .pipeline/config.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11c9abb8..f8cdf159 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -158,7 +158,7 @@ jobs: maven-version: ${{ env.MAVEN_VERSION }} - name: Set Dry Run for Pull Request - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' run: echo "DRY_RUN_PARAM=-DaltDeploymentRepository=local-repo::default::file:./local-repo" >> $GITHUB_ENV shell: bash diff --git a/.pipeline/config.yml b/.pipeline/config.yml index e669e0aa..5a75c3ba 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml @@ -17,6 +17,9 @@ steps: versioningModel: "major-minor" detectTools: [ 'DETECTOR', 'BINARY_SCAN' ] installArtifacts: true + buildDescriptorExcludeList: + - 'samples/bookshop/pom.xml' + - 'samples/bookshop/srv/pom.xml' repository: '/cap-java/cds-feature-attachments' verbose: true scanProperties: From 63cec041d8e08615eefb8defa4d7a6353b03e510 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Thu, 22 Jan 2026 17:44:34 +0100 Subject: [PATCH 02/11] Update POM files to use fixed version instead of variable and remove unnecessary exclusions in config --- .pipeline/config.yml | 3 --- samples/bookshop/pom.xml | 5 +---- samples/bookshop/srv/pom.xml | 2 +- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/.pipeline/config.yml b/.pipeline/config.yml index 5a75c3ba..e669e0aa 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml 
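Review bot: The dry-run guard in the changed `if:` is an allow-list of a single event, so any trigger that is neither `pull_request_target` nor meant to publish (a future `pull_request` or `schedule` trigger, for instance) leaves `DRY_RUN_PARAM` empty and performs a real deploy. Judging by the trigger block visible in PATCH 06 of this series, only `push` and `workflow_dispatch` are meant to reach Artifactory, so a fail-closed form would be `if: github.event_name != 'push' && github.event_name != 'workflow_dispatch'`. The deploy step that consumes `DRY_RUN_PARAM` lies outside this hunk, and the `buildDescriptorExcludeList` added in the `.pipeline/config.yml` hunk is reverted again by PATCH 02.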
@@ -17,9 +17,6 @@ steps: versioningModel: "major-minor" detectTools: [ 'DETECTOR', 'BINARY_SCAN' ] installArtifacts: true - buildDescriptorExcludeList: - - 'samples/bookshop/pom.xml' - - 'samples/bookshop/srv/pom.xml' repository: '/cap-java/cds-feature-attachments' verbose: true scanProperties: diff --git a/samples/bookshop/pom.xml b/samples/bookshop/pom.xml index 18d40330..332094a5 100644 --- a/samples/bookshop/pom.xml +++ b/samples/bookshop/pom.xml @@ -6,15 +6,12 @@ customer bookshop-parent - ${revision} + 1.0.0-SNAPSHOT pom bookshop parent - - 1.0.0-SNAPSHOT - 17 4.4.2 diff --git a/samples/bookshop/srv/pom.xml b/samples/bookshop/srv/pom.xml index 74c7054b..5cb9299f 100644 --- a/samples/bookshop/srv/pom.xml +++ b/samples/bookshop/srv/pom.xml @@ -7,7 +7,7 @@ bookshop-parent customer - ${revision} + 1.0.0-SNAPSHOT bookshop From 587a086c116bebf1cd3c31e007353fe3caf1d4f5 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Thu, 22 Jan 2026 18:32:16 +0100 Subject: [PATCH 03/11] Set installArtifacts to false in pipeline configuration --- .pipeline/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipeline/config.yml b/.pipeline/config.yml index e669e0aa..c115764c 100644 --- a/.pipeline/config.yml +++ b/.pipeline/config.yml @@ -16,7 +16,7 @@ steps: failOn: [ 'NONE' ] versioningModel: "major-minor" detectTools: [ 'DETECTOR', 'BINARY_SCAN' ] - installArtifacts: true + installArtifacts: false repository: '/cap-java/cds-feature-attachments' verbose: true scanProperties: From 29f76056d62cf1ceb184c91b87a3f7bf444cdd33 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Thu, 22 Jan 2026 18:42:47 +0100 Subject: [PATCH 04/11] remove blackduck --- .github/workflows/ci.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f8cdf159..0b4ad080 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -115,23 +115,6 @@ jobs: sonarq-token: ${{ env.SONARQ_TOKEN }} github-token: ${{ env.GITHUB_TOKEN }} - scan: - name: Blackduck Scan - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') - runs-on: ubuntu-latest - timeout-minutes: 30 - needs: build - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Scan - uses: ./.github/actions/scan-with-blackduck - with: - blackduck_token: ${{ env.BLACK_DUCK_TOKEN }} - github_token: ${{ env.GITHUB_TOKEN }} - maven-version: ${{ env.MAVEN_VERSION }} - deploy-snapshot: name: Deploy snapshot to Artifactory if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') From 36f5afa9fc26883ea89381292ab39411019582ec Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Thu, 22 Jan 2026 19:58:56 +0100 Subject: [PATCH 05/11] Refactor deployment user credentials to use secrets in CI configuration --- .github/workflows/ci.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0b4ad080..e08e03ff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,9 +17,6 @@ env: SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }} - # Other - DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }} - DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }} on: workflow_dispatch: @@ -165,6 +162,6 @@ jobs: -DdeployAtEnd=true deploy ${{ env.DRY_RUN_PARAM }} env: - DEPLOYMENT_USER: ${{ env.DEPLOYMENT_USER }} - DEPLOYMENT_PASS: ${{ env.DEPLOYMENT_PASS }} + DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }} + DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }} shell: bash From ffad0dd2c19002ec18029c092aae2e5ece22813a Mon Sep 17 00:00:00 2001 
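Review bot: `BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }}` survives as a context line in the first PATCH 05 hunk although PATCH 04 deleted the only visible consumer (`scan-with-blackduck`), so the token is still exported into every job's process environment for nothing; drop it the same way `DEPLOYMENT_USER`/`DEPLOYMENT_PASS` are dropped here. Moving the deployment credentials to the deploy step's own `env:` in the second hunk is the right direction, since a secret should be visible only to the step that uses it. As far as the hunks in this series show, `SONARQ_TOKEN` and `GH_TOKEN` are read only by the SonarQube step and would benefit from the same treatment.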
From: Marvin Lindner Date: Fri, 23 Jan 2026 08:56:37 +0100 Subject: [PATCH 06/11] additions --- .github/workflows/{ci.yml => ci-main.yml} | 48 +++----- .../{codeql.yml => ci-pr-codeql.yml} | 2 - .github/workflows/ci-pr.yml | 111 ++++++++++++++++++ ...uild-and-deploy-oss.yml => ci-release.yml} | 0 pom.xml | 1 - 5 files changed, 127 insertions(+), 35 deletions(-) rename .github/workflows/{ci.yml => ci-main.yml} (77%) rename .github/workflows/{codeql.yml => ci-pr-codeql.yml} (99%) create mode 100644 .github/workflows/ci-pr.yml rename .github/workflows/{main-build-and-deploy-oss.yml => ci-release.yml} (100%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci-main.yml similarity index 77% rename from .github/workflows/ci.yml rename to .github/workflows/ci-main.yml index e08e03ff..c843dfc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci-main.yml 
@@ -1,35 +1,25 @@ -name: CI - -env: - MAVEN_VERSION: '3.9.12' - # Cloud storage environment variables (available to all jobs that need them) - AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} - AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} - AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} - AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} - AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} - AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} - GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} - GS_BUCKET: ${{ secrets.GS_BUCKET }} - GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} - # Tokens - SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }} +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" on: - workflow_dispatch: push: - branches: [main] - pull_request_target: - branches: [main] - types: [reopened, synchronize, opened] + branches: [ "main" ] + schedule: + - cron: '24 18 * * 2' jobs: requires-approval: runs-on: ubuntu-latest - timeout-minutes: 30 name: "Waiting for PR approval as this workflow runs on pull_request_target" if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java' environment: pr-approval 
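Review bot: The new side of this hunk replaces the `env:` block and the trigger list of `ci.yml` with the header comment and `name: "CodeQL Advanced"` of `codeql.yml`, which reads like a mis-resolved merge rather than an intended change: `requires-approval` keeps `if: github.event_name == 'pull_request_target' && ...` although `pull_request_target` is no longer a trigger, and the `${{ env.MAVEN_VERSION }}` references further down the file (outside this hunk) lose their definition. PATCH 07 of this series restores most of it, but this commit on its own leaves `ci-main.yml` inconsistent with what it is named and triggered as. Worth squashing with PATCH 07 so the history does not contain a workflow that claims to be CodeQL but runs the Maven build.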
@@ -154,13 +144,7 @@ jobs: - name: Deploy snapshot if: ${{ endsWith(steps.get-revision.outputs.REVISION, '-SNAPSHOT') }} - run: > - mvn -B -ntp -fae - -pl !integration-tests,!integration-tests/db,!integration-tests/srv - -Dmaven.install.skip=true - -Dmaven.test.skip=true - -DdeployAtEnd=true - deploy ${{ env.DRY_RUN_PARAM }} + run: mvn -B -ntp -fae -pl !integration-tests,!integration-tests/db,!integration-tests/srv -Dmaven.install.skip=true -Dmaven.test.skip=true -DdeployAtEnd=true deploy ${{ env.DRY_RUN_PARAM }} env: DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }} DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/ci-pr-codeql.yml similarity index 99% rename from .github/workflows/codeql.yml rename to .github/workflows/ci-pr-codeql.yml index c295f22c..2d6fd370 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/ci-pr-codeql.yml @@ -14,8 +14,6 @@ name: "CodeQL Advanced" on: push: branches: [ "main" ] - pull_request: - branches: [ "main" ] schedule: - cron: '24 18 * * 2' diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml new file mode 100644 index 00000000..cfd08d2d --- /dev/null +++ b/.github/workflows/ci-pr.yml 
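Review bot: Removing the `pull_request` trigger in the `ci-pr-codeql.yml` hunk means CodeQL no longer runs on pull requests at all, only on `push` to `main` and the weekly `schedule`, so findings surface after merge instead of on the PR; if the intent is to run it through the approval-gated PR workflow, that wiring is not part of this commit (PATCH 09 later adds a `codeql` job to `pipeline.yml`). In the `ci-main.yml` hunk above, collapsing the folded `run: >` scalar into one roughly 200-character line is a readability regression with no functional difference; keep the `>` block form the removed lines used.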
@@ -0,0 +1,111 @@ +name: CI + +env: + MAVEN_VERSION: '3.9.12' + # Cloud storage environment variables (available to all jobs that need them) + AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} + AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} + AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} + AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} + GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} + GS_BUCKET: ${{ secrets.GS_BUCKET }} + GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} + # Tokens + SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }} + +on: + workflow_dispatch: + pull_request_target: + branches: [main] + types: [reopened, synchronize, opened] + +jobs: + requires-approval: + runs-on: ubuntu-latest + timeout-minutes: 30 + name: "Waiting for PR approval as this workflow runs on pull_request_target" + if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java' + environment: pr-approval + steps: + - name: Approval Step + run: echo "This job has been approved!" 
+ + build: + name: Build (Java ${{ matrix.java-version }}) + if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') + needs: requires-approval + runs-on: ubuntu-latest + timeout-minutes: 30 + strategy: + matrix: + java-version: [ 17, 21 ] + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Spotless check + run: mvn spotless:check -Dspotless.check.skip=false + + - name: Build + uses: ./.github/actions/build + with: + java-version: ${{ matrix.java-version }} + maven-version: ${{ env.MAVEN_VERSION }} + + - name: Upload build artifacts + uses: actions/upload-artifact@v6 + with: + name: build-artifacts-java-${{ matrix.java-version }} + path: | + **/target/*.jar + **/pom.xml + .mvn/ + retention-days: 1 + + integration-tests: + name: Integration Tests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }}) + if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: build + strategy: + matrix: + java-version: [ 17, 21 ] + test-type: [ build-version, latest-version, oss ] + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Download build artifacts + uses: actions/download-artifact@v7 + with: + name: build-artifacts-java-${{ matrix.java-version }} + + - name: Integration Tests + uses: ./.github/actions/integration-tests + with: + java-version: ${{ matrix.java-version }} + maven-version: ${{ env.MAVEN_VERSION }} + test-type: ${{ matrix.test-type }} + + sonarqube-scan: + name: SonarQube Scan + if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') + runs-on: ubuntu-latest + timeout-minutes: 30 + needs: build + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: SonarQube Scan + uses: ./.github/actions/scan-with-sonar + with: + java-version: 17 + maven-version: ${{ env.MAVEN_VERSION }} + sonarq-token: ${{ 
env.SONARQ_TOKEN }} + github-token: ${{ env.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/ci-release.yml similarity index 100% rename from .github/workflows/main-build-and-deploy-oss.yml rename to .github/workflows/ci-release.yml diff --git a/pom.xml b/pom.xml index 71432d38..c55e6752 100644 --- a/pom.xml +++ b/pom.xml @@ -406,7 +406,6 @@ cds-feature-attachments-integration-tests-parent cds-feature-attachments-integration-tests-db cds-feature-attachments-integration-tests-srv - cds-feature-attachments-fs From 634bfc57e5e1e78d43eae05d349deb718ac664a2 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Fri, 23 Jan 2026 08:59:37 +0100 Subject: [PATCH 07/11] confusion in main merge --- .github/workflows/ci-main.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml index 8aea87b1..c127d3d2 100644 --- a/.github/workflows/ci-main.yml +++ b/.github/workflows/ci-main.yml @@ -1,17 +1,3 @@ -<<<<<<< HEAD:.github/workflows/ci-main.yml -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" -======= name: CI env: @@ -31,9 +17,12 @@ env: SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }} ->>>>>>> main:.github/workflows/ci.yml + # Other + DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }} + DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }} on: + workflow_dispatch: push: branches: [ "main" ] schedule: 
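Review bot: `ci-pr.yml` triggers on `pull_request_target`, yet none of its `actions/checkout@v6` steps sets a `ref:`, so under that event the build, Spotless check, integration tests and SonarQube scan all run against the base branch and the pull request's own changes are never exercised. If the checkout is later pointed at the PR head, note that the workflow-level `env:` hands the AWS, Azure, GCP and SonarQube secrets to every step, including `mvn spotless:check` and the build, which execute whatever plugins the checked-out `pom.xml` declares; scope those secrets with a job-level `env:` on the job that needs them (presumably `integration-tests`) and keep `requires-approval` in front of that job. `GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}` reuses the name of the automatic token for a stored PAT, which makes it easy to misread which credential a step is using; a distinct name such as `GH_PAT` would be clearer. The file also ends without a trailing newline (`\ No newline at end of file`).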
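Review bot: The second `ci-main.yml` hunk re-adds `DEPLOYMENT_USER` and `DEPLOYMENT_PASS` to the workflow-level `env:` under `# Other`, undoing PATCH 05, which had narrowed these credentials to the deploy step's own `env:`; that step-level block is still present (outside this hunk, visible as context in PATCH 06), so the top-level copy is redundant and only widens exposure to every job. Drop the three added lines. PATCH 09 of this series removes them again, which suggests the re-add was an artefact of the conflict resolution rather than a decision.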
From 9fa4a500156b6856a348a0d5fdd03419d870d041 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Fri, 23 Jan 2026 09:07:34 +0100 Subject: [PATCH 08/11] Refactor CI workflows to remove approval steps and improve environment variable organization --- .github/workflows/ci-main.yml | 13 ------------- .github/workflows/ci-pr.yml | 3 +++ 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml index c127d3d2..69fa3d10 100644 --- a/.github/workflows/ci-main.yml +++ b/.github/workflows/ci-main.yml @@ -29,18 +29,8 @@ on: - cron: '24 18 * * 2' jobs: - requires-approval: - runs-on: ubuntu-latest - name: "Waiting for PR approval as this workflow runs on pull_request_target" - if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java' - environment: pr-approval - steps: - - name: Approval Step - run: echo "This job has been approved!" - build: name: Build (Java ${{ matrix.java-version }}) - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') needs: requires-approval runs-on: ubuntu-latest timeout-minutes: 30 @@ -72,7 +62,6 @@ jobs: integration-tests: name: Integration Tests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }}) - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') runs-on: ubuntu-latest timeout-minutes: 30 needs: build @@ -98,7 +87,6 @@ jobs: sonarqube-scan: name: SonarQube Scan - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') runs-on: ubuntu-latest timeout-minutes: 30 needs: build @@ -115,7 +103,6 @@ jobs: deploy-snapshot: name: Deploy snapshot to Artifactory - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') runs-on: ubuntu-latest timeout-minutes: 30 needs: [build, integration-tests] 
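Review bot: The first hunk deletes the `requires-approval` job but leaves `needs: requires-approval` on `build` as a context line, so `ci-main.yml` now depends on a job that no longer exists; GitHub validates `needs` targets when it loads the workflow, so this most likely fails before any job starts. Remove that line together with the job (PATCH 09 of this series does). Dropping the `if: always() && (needs.requires-approval.result ...)` guards is consistent with the removal, since after PATCH 07 this file triggers only on `push` and `schedule`, where no approval gate applies.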
diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml index cfd08d2d..7b035098 100644 --- a/.github/workflows/ci-pr.yml +++ b/.github/workflows/ci-pr.yml @@ -3,13 +3,16 @@ name: CI env: MAVEN_VERSION: '3.9.12' # Cloud storage environment variables (available to all jobs that need them) + ## AWS AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} + ## Azure AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} + ## GCP GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} GS_BUCKET: ${{ secrets.GS_BUCKET }} GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} From 2158682a20e4917375c98a997d3ef0c3d7fcd614 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Fri, 23 Jan 2026 10:09:12 +0100 Subject: [PATCH 09/11] Remove obsolete CI workflow files and introduce a new reusable pipeline workflow for improved build and deployment processes --- .github/workflows/ci-pr-codeql.yml | 92 -------------- .github/workflows/ci-pr.yml | 114 ------------------ .github/workflows/main.yml | 13 ++ .../workflows/{ci-main.yml => pipeline.yml} | 65 +++++++--- .github/workflows/pr.yml | 24 ++++ .../workflows/{ci-release.yml => release.yml} | 0 6 files changed, 85 insertions(+), 223 deletions(-) delete mode 100644 .github/workflows/ci-pr-codeql.yml delete mode 100644 .github/workflows/ci-pr.yml create mode 100644 .github/workflows/main.yml rename .github/workflows/{ci-main.yml => pipeline.yml} (77%) create mode 100644 .github/workflows/pr.yml rename .github/workflows/{ci-release.yml => release.yml} (100%) diff --git a/.github/workflows/ci-pr-codeql.yml b/.github/workflows/ci-pr-codeql.yml deleted file mode 100644 index 2d6fd370..00000000 --- a/.github/workflows/ci-pr-codeql.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" - -on: - push: - branches: [ "main" ] - schedule: - - cron: '24 18 * * 2' - -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: 30 - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - include: - - language: java-kotlin - build-mode: manual - # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v6 - - - name: Set up Java - if: matrix.build-mode == 'manual' - uses: actions/setup-java@v5 - with: - java-version: '17' - distribution: 'sapmachine' - cache: 'maven' - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. 
- # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - - name: Build Java code - if: matrix.build-mode == 'manual' - shell: bash - run: mvn clean compile -DskipTests -B -ntp - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml deleted file mode 100644 index 7b035098..00000000 --- a/.github/workflows/ci-pr.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -name: CI - -env: - MAVEN_VERSION: '3.9.12' - # Cloud storage environment variables (available to all jobs that need them) - ## AWS - AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} - AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} - AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} - AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} - ## Azure - AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} - AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} - ## GCP - GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} - GS_BUCKET: ${{ secrets.GS_BUCKET }} - GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} - # Tokens - SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }} - -on: - workflow_dispatch: - pull_request_target: - branches: [main] - types: [reopened, synchronize, opened] - -jobs: - requires-approval: - runs-on: ubuntu-latest - timeout-minutes: 30 - name: "Waiting for PR approval as this workflow runs on pull_request_target" - if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java' - environment: pr-approval - steps: - - name: Approval Step - run: echo "This job has been approved!" 
- - build: - name: Build (Java ${{ matrix.java-version }}) - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') - needs: requires-approval - runs-on: ubuntu-latest - timeout-minutes: 30 - strategy: - matrix: - java-version: [ 17, 21 ] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Spotless check - run: mvn spotless:check -Dspotless.check.skip=false - - - name: Build - uses: ./.github/actions/build - with: - java-version: ${{ matrix.java-version }} - maven-version: ${{ env.MAVEN_VERSION }} - - - name: Upload build artifacts - uses: actions/upload-artifact@v6 - with: - name: build-artifacts-java-${{ matrix.java-version }} - path: | - **/target/*.jar - **/pom.xml - .mvn/ - retention-days: 1 - - integration-tests: - name: Integration Tests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }}) - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') - runs-on: ubuntu-latest - timeout-minutes: 30 - needs: build - strategy: - matrix: - java-version: [ 17, 21 ] - test-type: [ build-version, latest-version, oss ] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Download build artifacts - uses: actions/download-artifact@v7 - with: - name: build-artifacts-java-${{ matrix.java-version }} - - - name: Integration Tests - uses: ./.github/actions/integration-tests - with: - java-version: ${{ matrix.java-version }} - maven-version: ${{ env.MAVEN_VERSION }} - test-type: ${{ matrix.test-type }} - - sonarqube-scan: - name: SonarQube Scan - if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') - runs-on: ubuntu-latest - timeout-minutes: 30 - needs: build - steps: - - name: Checkout - uses: actions/checkout@v6 - - name: SonarQube Scan - uses: ./.github/actions/scan-with-sonar - with: - java-version: 17 - maven-version: ${{ env.MAVEN_VERSION }} - sonarq-token: ${{ 
env.SONARQ_TOKEN }}
- github-token: ${{ env.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..55dbf538
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,13 @@
+name: CI
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [main]
+
+jobs:
+ build-and-test:
+ uses: ./.github/workflows/pipeline.yml
+ with:
+ deploy-snapshot: true
+ secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/pipeline.yml
similarity index 77%
rename from .github/workflows/ci-main.yml
rename to .github/workflows/pipeline.yml
index 69fa3d10..4dbb4f90 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/pipeline.yml
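Review bot: `main.yml` declares no `permissions:` and passes `secrets: inherit`, so the called `pipeline.yml` receives the repository's default `GITHUB_TOKEN` permissions plus every repository secret. A called workflow can only narrow the token permissions it is handed, never widen them, so if the repository default is read-only the `security-events: write` declared on the `codeql` job in `pipeline.yml` cannot take effect and the SARIF upload would likely fail; declare the needed set on the caller job, e.g. `permissions: { contents: read, security-events: write, packages: read, actions: read }`, and prefer listing the secrets the pipeline needs over `inherit`. The file also ends without a trailing newline.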
@@ -1,37 +1,33 @@
-name: CI
+name: Reusable Workflow
 env:
 MAVEN_VERSION: '3.9.12'
 # Cloud storage environment variables (available to all jobs that need them)
+ ## AWS
 AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }}
 AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
 AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
 AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
 AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }}
+ ## Azure
 AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }}
 AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }}
+ ## GCP
 GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }}
 GS_BUCKET: ${{ secrets.GS_BUCKET }}
 GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }}
- # Tokens
- SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }}
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- BLACK_DUCK_TOKEN: ${{ secrets.BLACK_DUCK_TOKEN }}
- # Other
- DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }}
- DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }}
 on:
- workflow_dispatch:
- push:
- branches: [ "main" ]
- schedule:
- - cron: '24 18 * * 2'
+ workflow_call:
+ inputs:
+ deploy-snapshot:
+ required: true
+ type: boolean
+ default: false
 jobs:
 build:
 name: Build (Java ${{ matrix.java-version }})
- needs: requires-approval
 runs-on: ubuntu-latest
 timeout-minutes: 30
 strategy:
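Review bot: The `workflow_call` input `deploy-snapshot` declares both `required: true` and `default: false`; a required input never falls back to its default, so one of the two lines is dead, and `required: false` with `default: false` (deploy only on explicit opt-in) is the safer reading. The workflow-level `env:` still exports the AWS, Azure and GCP credentials to every job of the reusable workflow, including `codeql` and `sonarqube-scan`, and because `pr.yml` calls it on `pull_request_target` with `secrets: inherit` this is the widest exposure in the series; move them to a job-level `env:` on the job that consumes them (presumably `integration-tests`, outside this hunk). Taking `SONARQ_TOKEN`, `GH_TOKEN` and the deployment credentials out of the top-level `env:` here is the right direction.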
@@ -98,14 +94,49 @@ jobs:
 with:
 java-version: 17
 maven-version: ${{ env.MAVEN_VERSION }}
- sonarq-token: ${{ env.SONARQ_TOKEN }}
- github-token: ${{ env.GITHUB_TOKEN }}
+ sonarq-token: ${{ secrets.SONARQ_TOKEN }}
+ github-token: ${{ secrets.GH_TOKEN }}
+
+ codeql:
+ name: CodeQL Analysis
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Set up Java
+ uses: actions/setup-java@v5
+ with:
+ java-version: '17'
+ distribution: 'sapmachine'
+ cache: 'maven'
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: java-kotlin
+ build-mode: manual
+
+ - name: Build Java code
+ run: mvn clean compile -DskipTests -B -ntp
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:java-kotlin"
 deploy-snapshot:
 name: Deploy snapshot to Artifactory
 runs-on: ubuntu-latest
 timeout-minutes: 30
- needs: [build, integration-tests]
+ if: ${{ inputs.deploy-snapshot == true }}
+ needs: [build, integration-tests, codeql]
 steps:
 - name: Checkout
 uses: actions/checkout@v6
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 00000000..f5e56ff3
--- /dev/null
+++ b/.github/workflows/pr.yml
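Review bot: Only the new `codeql` job declares `permissions:`; `build`, `integration-tests`, `sonarqube-scan` and `deploy-snapshot` run with whatever token the caller grants, so a top-level `permissions: contents: read` in `pipeline.yml`, with the job-level elevation kept on `codeql`, would bound the token for every other job. The `codeql` job also lacks `needs:` and therefore runs in parallel with `build` (PATCH 10 adds `needs: build`). Replacing `${{ env.SONARQ_TOKEN }}`/`${{ env.GITHUB_TOKEN }}` with direct `secrets.*` references on the SonarQube step is good, as the tokens no longer sit in every job's environment. Since `deploy-snapshot` is a typed boolean input, `if: ${{ inputs.deploy-snapshot }}` is equivalent to the `== true` comparison and shorter.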
@@ -0,0 +1,24 @@
+name: CI
+
+on:
+ workflow_dispatch:
+ pull_request_target:
+ branches: [main]
+ types: [reopened, synchronize, opened]
+
+jobs:
+ requires-approval:
+ runs-on: ubuntu-latest
+ name: "Waiting for PR approval as this workflow runs on pull_request_target"
+ if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java'
+ environment: pr-approval
+ steps:
+ - name: Approval Step
+ run: echo "This job has been approved!"
+
+ build-and-test:
+ if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped')
+ uses: ./.github/workflows/pipeline.yml
+ with:
+ deploy-snapshot: false
+ secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/release.yml
similarity index 100%
rename from .github/workflows/ci-release.yml
rename to .github/workflows/release.yml
From 26b219a6392087c8034a9080161718185370d497 Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Fri, 23 Jan 2026 10:20:44 +0100
Subject: [PATCH 10/11] Add 'needs: build' dependency to CodeQL Analysis job in pipeline
---
 .github/workflows/pipeline.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 4dbb4f90..e94d4b33 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -100,6 +100,7 @@ jobs:
 codeql:
 name: CodeQL Analysis
 runs-on: ubuntu-latest
+ needs: build
 timeout-minutes: 30
 permissions:
 security-events: write
From d91d816cb043b5a7acb3b89aafeaa00912ca3f02 Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Fri, 23 Jan 2026 10:25:29 +0100
Subject: [PATCH 11/11] Remove unnecessary dry run parameter from Maven deploy command in pipeline
---
 .github/workflows/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index e94d4b33..e307caf3 100644
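Review bot: `build-and-test` evaluates `needs.requires-approval.result` in its `if:` but declares no `needs:`, so it has no dependency on `requires-approval`; with an empty `needs` context the expression compares a missing value against `'success'`/`'skipped'`, or GitHub rejects the workflow for referencing an undeclared job, and either way the approval gate is not actually placed in front of the reusable pipeline. Add `needs: requires-approval` to the job. Because this workflow runs on `pull_request_target` with `secrets: inherit`, that gate is what keeps a fork's pull request from driving the secret-bearing pipeline, so the wiring deserves a check with a fork PR before merge. The file also ends without a trailing newline.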
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -174,7 +174,7 @@ jobs:
 - name: Deploy snapshot
 if: ${{ endsWith(steps.get-revision.outputs.REVISION, '-SNAPSHOT') }}
- run: mvn -B -ntp -fae -pl !integration-tests,!integration-tests/db,!integration-tests/srv -Dmaven.install.skip=true -Dmaven.test.skip=true -DdeployAtEnd=true deploy ${{ env.DRY_RUN_PARAM }}
+ run: mvn -B -ntp -fae -pl !integration-tests,!integration-tests/db,!integration-tests/srv -Dmaven.install.skip=true -Dmaven.test.skip=true -DdeployAtEnd=true deploy
 env:
 DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }}
 DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }}
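Review bot: With `DRY_RUN_PARAM` gone, nothing inside this step distinguishes a PR-triggered run from a `main` run; the only guard left is the job-level `inputs.deploy-snapshot` (outside this hunk), which `pr.yml` sets to `false`. A second, local check on the step would keep a future caller that passes `true` from a PR workflow from publishing, e.g. `if: ${{ github.event_name != 'pull_request_target' && endsWith(steps.get-revision.outputs.REVISION, '-SNAPSHOT') }}` (inside a reusable workflow `github.event_name` is the caller's event). The roughly 200-character `run:` line would also read better as the folded `run: >` scalar the file used before PATCH 06.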