build: add blackduck and sonar scans (#1)

* build: add blackduck and sonar scans

* fixes

* rm repository

* readd repo

* fix repo

* allow creating issues

* github token

* fix permissions

Author: johanneseschrig

.github/actions/scan-with-blackduck/action.yml

@@ -0,0 +1,53 @@
+name: Scan with BlackDuck
+description: Scans the project with BlackDuck
+
+inputs:
+  blackduck_token:
+    description: The token to use for BlackDuck authentication
+    required: true
+  github_token:
+    description: The token to use for GitHub authentication
+    required: true
+  java-version:
+    description: The version of Java to use
+    default: "17"
+    required: false
+  maven-version:
+    description: The Maven version the build shall run with.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Java ${{ inputs.java-version }}
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{ inputs.java-version }}
+        distribution: sapmachine
+        cache: maven
+
+    - name: Set up Maven ${{ inputs.maven-version }}
+      uses: stCarolas/setup-maven@v5
+      with:
+        maven-version: ${{ inputs.maven-version }}
+
+    - name: Get Major Version
+      id: get-major-version
+      run: |
+        echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Print Version Number
+      run: echo "${{ steps.get-major-version.outputs.REVISION }}"
+      shell: bash
+
+    - name: BlackDuck Scan
+      uses: SAP/project-piper-action@main
+      with:
+        step-name: detectExecuteScan
+        flags: \
+          --version=${{ steps.get-major-version.outputs.REVISION }}
+      env:
+        PIPER_token: ${{ inputs.blackduck_token }}
+        PIPER_githubToken: ${{ inputs.github_token }}
+        SCAN_MODE: FULL

.github/actions/scan-with-sonar/action.yml

@@ -0,0 +1,48 @@
+name: Scan with SonarQube
+description: Scans the project with SonarQube
+
+inputs:
+  sonarq-token:
+    description: The token to use for SonarQube authentication
+    required: true
+  github-token:
+    description: The token to use for GitHub authentication
+    required: true
+  java-version:
+    description: The version of Java to use
+    required: true
+  maven-version:
+    description: The version of Maven to use
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Set up Java ${{inputs.java-version}}
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{inputs.java-version}}
+        distribution: sapmachine
+        cache: maven
+
+    - name: Set up Maven ${{inputs.maven-version}}
+      uses: stCarolas/setup-maven@v5
+      with:
+        maven-version: ${{inputs.maven-version}}
+
+    - name: Get Revision
+      id: get-revision
+      run: |
+        echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Print Revision
+      run: echo "${{steps.get-revision.outputs.REVISION}}"
+      shell: bash
+
+    - name: SonarQube Scan
+      uses: SAP/project-piper-action@main
+      with:
+        step-name: sonarExecuteScan
+        flags: --token=${{inputs.sonarq-token}} --githubToken=${{inputs.github-token}} --version=${{steps.get-revision.outputs.REVISION}} --inferJavaBinaries=true

.github/workflows/blackduck.yml

@@ -0,0 +1,33 @@
+name: Blackduck Scan
+
+env:
+  MAVEN_VERSION: "3.9.11"
+
+on:
+  schedule:
+    # Run nightly at 2 AM UTC
+    - cron: "0 2 * * *"
+  workflow_dispatch: # Allow manual trigger
+  pull_request:
+    branches: ["main"]
+  push:
+    branches: ["main"]
+permissions:
+  contents: write
+  id-token: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  blackduck:
+    name: Blackduck Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Scan With Black Duck
+        uses: ./.github/actions/scan-with-blackduck
+        with:
+          blackduck_token: ${{ secrets.BLACK_DUCK_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          maven-version: ${{ env.MAVEN_VERSION }}

.github/workflows/build.yml

@@ -1,13 +1,14 @@
-name: PR Build
+name: Build
 
 env:
-  MAVEN_VERSION: '3.9.11'
+  MAVEN_VERSION: "3.9.11"
 
 on:
+  workflow_dispatch: # Allow manual trigger
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
   push:
-    branches: [ "main" ]
+    branches: ["main"]
 permissions:
   contents: write
   id-token: write
@@ -17,13 +18,20 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java-version: [ 17, 21 ]
+        java-version: [17, 21]
     steps:
       - name: Checkout
         uses: actions/checkout@v5
-
       - name: Build
         uses: ./.github/actions/build
         with:
           java-version: ${{ matrix.java-version }}
-          maven-version: ${{ env.MAVEN_VERSION }}
+          maven-version: ${{ env.MAVEN_VERSION }}
+      - name: Sonar Scan
+        uses: ./.github/actions/scan-with-sonar
+        if: matrix.java-version == 21
+        with:
+          java-version: 21
+          maven-version: ${{ env.MAVEN_VERSION }}
+          sonarq-token: ${{ secrets.SONAR_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/prepare-next-version.yml

@@ -1,8 +1,8 @@
-name: Deploy to Maven Central
+name: Prepare Next Version
 
 env:
-  JAVA_VERSION: '17'
-  MAVEN_VERSION: '3.9.11'
+  JAVA_VERSION: "17"
+  MAVEN_VERSION: "3.9.11"
 
 on:
   workflow_dispatch:

.pipeline/config.yml

@@ -4,37 +4,35 @@ steps:
     verify: true
     flatten: true
     # https://www.project-piper.io/steps/mavenBuild/#dockerimage
-    # If empty, Docker is not used and the command is executed directly on the Jenkins system.
-    dockerImage: ''
+    dockerImage: ""
 
   detectExecuteScan:
-    projectName: 'com.sap.cds.feature.console'
+    projectName: "com.sap.cds.feature.console"
     groups:
-      - 'CDSJAVA-OPEN-SOURCE'
-    serverUrl: 'https://sap.blackducksoftware.com/'
-    mavenExcludedScopes: [ "provided", "test" ]
-    failOn: [ 'BLOCKER', 'CRITICAL', 'MAJOR' ]
+      - "CDSJAVA-OPEN-SOURCE"
+    serverUrl: "https://sap.blackducksoftware.com/"
+    mavenExcludedScopes: ["provided", "test"]
+    failOn: ["BLOCKER", "CRITICAL", "MAJOR"]
     versioningModel: "major-minor"
-    detectTools: [ 'DETECTOR', 'BINARY_SCAN' ]
+    detectTools: ["DETECTOR", "BINARY_SCAN"]
     installArtifacts: true
-    repository: '/cap-java/cds-feature-console'
+    owner: "cap-java"
+    repository: "cds-feature-console"
     verbose: true
     scanProperties:
       - --detect.included.detector.types=MAVEN
       - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar'
       - --detect.maven.build.command='-pl com.sap.cds:cds-feature-console'
     # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage
-    # If empty, Docker is not used and the command is executed directly on the Jenkins system.
-    dockerImage: ''
+    dockerImage: ""
 
   sonarExecuteScan:
     serverUrl: https://sonar.tools.sap
     projectKey: cds-feature-console
     # https://www.project-piper.io/steps/sonarExecuteScan/#dockerimage
-    # If empty, Docker is not used and the command is executed directly on the Jenkins system.
-    dockerImage: ''
+    dockerImage: ""
     options:
       - sonar.qualitygate.wait=true
       - sonar.java.source=17
       - sonar.exclusions=**/node_modules/**,**/target/**
-      - sonar.coverage.jacoco.xmlReportPaths=cds-feature-console/target/site/jacoco/jacoco.xml
+      - sonar.coverage.jacoco.xmlReportPaths=cds-feature-console/target/site/jacoco/jacoco.xml