diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
index a6fd34568..8982a2149 100644
--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -8,33 +8,22 @@ inputs:
maven-version:
description: The Maven version the build will run with.
required: true
- mutation-testing:
- description: Whether to run mutation testing or not.
- default: 'true'
- required: false
runs:
using: composite
steps:
- name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: ${{ inputs.java-version }}
distribution: sapmachine
cache: maven
- name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{ inputs.maven-version }}
- - name: Piper Maven build
- uses: SAP/project-piper-action@main
- with:
- step-name: mavenBuild
- docker-image: ''
-
- - name: Mutation Testing
- if: ${{ inputs.mutation-testing == 'true' }}
- run: mvn org.pitest:pitest-maven:mutationCoverage -f cds-feature-attachments/pom.xml -ntp -B
+ - name: Maven Build
+ run: mvn clean install -DskipTests -B -ntp
shell: bash
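Review bot: The replacement build command at L38, `mvn clean install -DskipTests -B -ntp`, means this action no longer runs unit tests, yet the documentation table touched by the same commit (doc/Design.md, L926) still describes `build` as "Builds the project and runs unit tests". Either drop `-DskipTests` or change that row to `Builds the project (tests are skipped)` so the two agree. Removing the `mutation-testing` input (L9-L12) also means any caller still passing it presumably gets only a runner warning about an unexpected input rather than a failure, so it is worth grepping for callers outside this diff.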
diff --git a/.github/actions/deploy-release/action.yml b/.github/actions/deploy-release/action.yml
index 23377a50c..7b900da65 100644
--- a/.github/actions/deploy-release/action.yml
+++ b/.github/actions/deploy-release/action.yml
@@ -27,14 +27,8 @@ inputs:
runs:
using: composite
steps:
- - name: Echo Inputs
- run: |
- echo "user: ${{ inputs.user }}"
- echo "revision: ${{ inputs.revision }}"
- shell: bash
-
- name: Set up Java
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: sapmachine
java-version: '17'
@@ -44,7 +38,7 @@ runs:
server-password: MAVEN_CENTRAL_PASSWORD
- name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{ inputs.maven-version }}
diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml
index ca4e3cfc1..8be8de2ab 100644
--- a/.github/actions/integration-tests/action.yml
+++ b/.github/actions/integration-tests/action.yml
@@ -11,19 +11,22 @@ inputs:
test-type:
description: 'Which integration test to run: build-version, latest-version, or oss'
required: true
+ auth-method:
+ description: 'Authentication method: basic or mtls'
+ required: true
runs:
using: composite
steps:
- name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: ${{ inputs.java-version }}
distribution: sapmachine
cache: maven
- name: Setup Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{ inputs.maven-version }}
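Review bot: The new `auth-method` input at L75-L77 is documented as `basic or mtls`, but nothing in the hunk checks the value and a composite action cannot enforce an enumeration by itself, so a misspelled value would presumably select neither credential set without any error. The matrix in pipeline.yml feeds it from a fixed list today, so the risk is low, but a small guard step keeps the contract explicit and fails early. The steps that actually consume the input lie outside this hunk.

```yaml
    - name: Validate auth-method
      run: |
        case "$AUTH_METHOD" in
          basic|mtls) ;;
          *) echo "::error::auth-method must be 'basic' or 'mtls'"; exit 1 ;;
        esac
      shell: bash
      env:
        AUTH_METHOD: ${{ inputs.auth-method }}
    # … unchanged: Set up Java / Set up Maven steps …
```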
diff --git a/.github/actions/newrelease/action.yml b/.github/actions/newrelease/action.yml
index a6fe732c4..e9a08a852 100644
--- a/.github/actions/newrelease/action.yml
+++ b/.github/actions/newrelease/action.yml
@@ -13,14 +13,14 @@ runs:
using: composite
steps:
- name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: ${{ inputs.java-version }}
distribution: sapmachine
cache: maven
- name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{ inputs.maven-version }}
diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml
index 2c847e382..2e69261ce 100644
--- a/.github/actions/scan-with-blackduck/action.yml
+++ b/.github/actions/scan-with-blackduck/action.yml
@@ -24,35 +24,40 @@ runs:
using: composite
steps:
- name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: ${{ inputs.java-version }}
distribution: sapmachine
cache: maven
- name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{ inputs.maven-version }}
- - name: Get Major Version
- id: get-major-version
+ - name: Get Revision
+ id: get-revision
run: |
echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
shell: bash
- - name: Print Version Number
- run: echo "${{ steps.get-major-version.outputs.REVISION }}"
+ - name: BlackDuck Detect Scan
+ run: |
+ bash <(curl -s -L https://detect.synopsys.com/detect9.sh) \
+ --blackduck.url=https://sap.blackducksoftware.com/ \
+ --blackduck.api.token="${BLACKDUCK_TOKEN}" \
+ --detect.project.name=com.sap.cds.feature.attachments \
+ --detect.project.version.name="${REVISION}" \
+ --detect.included.detector.types=MAVEN \
+ --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/**' \
+ --detect.maven.excluded.modules=integration-tests,integration-tests/db,integration-tests/generic,integration-tests/mtx-local/srv \
+ --detect.maven.build.command='-pl com.sap.cds:cds-feature-attachments' \
+ --detect.tools=DETECTOR,BINARY_SCAN \
+ --detect.blackduck.scan.mode="${SCAN_MODE}" \
+ --detect.risk.report.pdf=false \
+ --logging.level.detect=INFO
shell: bash
-
- - name: BlackDuck Scan
- uses: SAP/project-piper-action@main
- with:
- step-name: detectExecuteScan
- flags: \
- --githubToken=$GITHUB_token \
- --version=${{ steps.get-major-version.outputs.REVISION }}
env:
- PIPER_token: ${{ inputs.blackduck_token }}
- GITHUB_token: ${{ inputs.github_token }}
+ BLACKDUCK_TOKEN: ${{ inputs.blackduck_token }}
SCAN_MODE: ${{ inputs.scan_mode }}
+ REVISION: ${{ steps.get-revision.outputs.REVISION }}
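Review bot: The scan step at L142 pipes `detect9.sh` straight from `curl -s -L` into `bash` with no integrity check, which sits oddly beside a commit that pins every action to a commit SHA; `-s` without `-f` also means an HTTP error page would be handed to bash instead of failing the step. Download to a file with `curl -fsSL --retry 3`, verify a checksum, then execute it, as sketched below. The deleted `.pipeline/config.yml` carried `mavenExcludedScopes: [provided, test]` and `failOn: [NONE]` (L809-L810) for which the new command has no counterpart; `--detect.maven.excluded.scopes=provided,test` is the Detect property for the former, and if dropping them is intended a comment above the step should say so. Passing the secret as `--blackduck.api.token=` (L144) also places it on the process command line; Detect accepts its properties as environment variables, so exporting it as `BLACKDUCK_API_TOKEN` instead would keep it out of `ps` output.

```yaml
      run: |
        curl -fsSL --retry 3 -o detect9.sh https://detect.synopsys.com/detect9.sh
        echo "<EXPECTED_SHA256_OF_DETECT9_SH>  detect9.sh" | sha256sum -c -
        bash detect9.sh \
          --blackduck.url=https://sap.blackducksoftware.com/ \
          --blackduck.api.token="${BLACKDUCK_TOKEN}" \
          --detect.maven.excluded.scopes=provided,test \
        # … unchanged: remaining --detect.* flags through --logging.level.detect=INFO …
```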
diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml
new file mode 100644
index 000000000..4be2598e3
--- /dev/null
+++ b/.github/actions/scan-with-codeql/action.yml
@@ -0,0 +1,40 @@
+name: CodeQL Analysis
+description: Runs CodeQL security analysis on the project.
+
+inputs:
+ java-version:
+ description: The Java version to use for the build.
+ required: true
+ maven-version:
+ description: The Maven version to use for the build.
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Set up Java ${{ inputs.java-version }}
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+ with:
+ java-version: ${{ inputs.java-version }}
+ distribution: sapmachine
+ cache: maven
+
+ - name: Set up Maven ${{ inputs.maven-version }}
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
+ with:
+ maven-version: ${{ inputs.maven-version }}
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
+ with:
+ languages: java-kotlin
+ build-mode: manual
+
+ - name: Build Java code
+ run: mvn clean compile -B -ntp
+ shell: bash
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
+ with:
+ category: "/language:java-kotlin"
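Review bot: Nothing in the new action records that the `analyze` step at L213 can only upload results when the calling job grants `security-events: write` (and, per the codeql-action documentation, `actions: read` plus `contents: read` on private repositories), because a composite action cannot declare permissions itself; pipeline.yml's codeql job grants them today, but a future caller will not know. Extend the description at L177, e.g. `description: Runs CodeQL security analysis on the project. The calling job must grant security-events: write (plus actions: read and contents: read on private repos) so the analyze step can upload results.` The `Build Java code` step at L209 runs only the `compile` phase, so test sources are not compiled and therefore not analysed; if that is intended, a one-line comment above the step would make it explicit.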
diff --git a/.github/actions/scan-with-sonar/action.yml b/.github/actions/scan-with-sonar/action.yml
index 3884b4052..a39d76125 100644
--- a/.github/actions/scan-with-sonar/action.yml
+++ b/.github/actions/scan-with-sonar/action.yml
@@ -20,14 +20,14 @@ runs:
steps:
- name: Set up Java ${{inputs.java-version}}
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: ${{inputs.java-version}}
distribution: sapmachine
cache: maven
- name: Set up Maven ${{inputs.maven-version}}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{inputs.maven-version}}
@@ -37,10 +37,6 @@ runs:
echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
shell: bash
- - name: Print Revision
- run: echo "${{steps.get-revision.outputs.REVISION}}"
- shell: bash
-
- name: Build project for SonarQube scan
run: |
mvn clean verify -ntp -B
@@ -66,12 +62,18 @@ runs:
shell: bash
- name: SonarQube Scan
- uses: SAP/project-piper-action@main
- with:
- step-name: sonarExecuteScan
- flags: >
- --token=${{ inputs.sonarq-token }}
- --githubToken=${{ inputs.github-token }}
- --version=${{ steps.get-revision.outputs.REVISION }}
- --inferJavaBinaries=true
- --options=-Dsonar.exclusions=**/samples/**,-Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml
+ run: >
+ mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+ -Dsonar.host.url=https://sonar.tools.sap
+ -Dsonar.token=${{ inputs.sonarq-token }}
+ -Dsonar.projectKey=cds-feature-attachments
+ -Dsonar.projectVersion=${{ steps.get-revision.outputs.REVISION }}
+ -Dsonar.qualitygate.wait=true
+ -Dsonar.java.source=17
+ -Dsonar.exclusions=**/samples/**
+ -Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml
+ -Dsonar.coverage.exclusions=cds-feature-attachments/src/test/**,cds-feature-attachments/src/gen/**,storage-targets/cds-feature-attachments-fs/src/test/**,storage-targets/cds-feature-attachments-oss/src/test/**
+ -B -ntp
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ inputs.github-token }}
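Review bot: `-Dsonar.token=${{ inputs.sonarq-token }}` at L259 and the revision at L261 are interpolated into the shell text of the `run:` script, while the `env:` block added at L269-L270 already shows the safer pattern: recent scanner versions honour `SONAR_TOKEN` from the environment, so pass `SONAR_TOKEN: ${{ inputs.sonarq-token }}` in `env:` and drop the `-Dsonar.token=` flag, and likewise pass `REVISION: ${{ steps.get-revision.outputs.REVISION }}` and write `-Dsonar.projectVersion="$REVISION"`. `GITHUB_TOKEN` at L270 looks like a leftover from the removed Piper `--githubToken` flag (L252); if nothing in the scan reads it, remove it rather than expose the token to the step. The enclosing job continues outside this hunk.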
diff --git a/.github/actions/test-sample/action.yml b/.github/actions/test-sample/action.yml
index 403d49584..c0c8954f2 100644
--- a/.github/actions/test-sample/action.yml
+++ b/.github/actions/test-sample/action.yml
@@ -1,18 +1,26 @@
name: 'Test Sample'
description: 'Compile sample and run tests'
+inputs:
+ java-version:
+ description: The Java version the build shall run with.
+ required: true
+ maven-version:
+ description: The Maven version the build shall run with.
+ required: true
+
runs:
using: 'composite'
steps:
- name: Set up Java ${{ inputs.java-version }}
- uses: actions/setup-java@v4
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: ${{ inputs.java-version }}
distribution: sapmachine
cache: maven
- name: Set up Maven ${{ inputs.maven-version }}
- uses: stCarolas/setup-maven@v5
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
maven-version: ${{ inputs.maven-version }}
@@ -29,4 +37,4 @@ runs:
- name: Run tests
shell: bash
working-directory: samples/bookshop
- run: mvn test
\ No newline at end of file
+ run: mvn test
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f5cd6b22c..8be0b3dbf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,10 +5,8 @@ updates:
- "/"
schedule:
interval: weekly
- ignore:
- - dependency-name: "com.sap.cds:*"
- versions:
- - ">=4"
+ cooldown:
+ default-days: 7
groups:
minor-patch:
patterns:
@@ -21,6 +19,8 @@ updates:
directory: "/"
schedule:
interval: weekly
+ cooldown:
+ default-days: 7
groups:
minor-patch:
patterns:
diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index ef40728ee..f0ce52ea9 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -1,7 +1,6 @@
name: Label issues
-permissions:
- issues: write
+permissions: {}
on:
issues:
@@ -11,6 +10,8 @@ on:
jobs:
label_issues:
runs-on: ubuntu-latest
+ permissions:
+ issues: write
steps:
- run: gh issue edit "$NUMBER" --add-label "$LABELS"
env:
@@ -19,7 +20,7 @@ jobs:
NUMBER: ${{ github.event.issue.number }}
LABELS: New
- - uses: actions/github-script@v9
+ - uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9
with:
script: |
github.rest.issues.createComment({
@@ -27,4 +28,4 @@ jobs:
owner: context.repo.owner,
repo: context.repo.repo,
body: `👋 Hello @${context.payload.issue.user.login}, thank you for submitting this issue. Our team is reviewing your report and will follow up with you as soon as possible.`
- })
\ No newline at end of file
+ })
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e077dd447..1e19a3d1d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,11 @@
name: CI - MAIN
+permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
env:
MAVEN_VERSION: '3.9.12'
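Review bot: The workflow-level `permissions` block at L375-L379 grants `security-events: write`, `packages: read` and `actions: read` to every job in the file, including the Black Duck job that needs none of them, whereas the same commit takes the stricter route in issue.yml and stale.yml (`permissions: {}` at the top, grants per job). A job that `uses:` a reusable workflow may carry its own `permissions:` and the callee cannot exceed them, so `security-events: write` belongs on the `build-and-test` job only, and the codeql job inside pipeline.yml already declares it for itself (L566-L567). The same workflow-wide grant appears in the pipeline.yml hunk (L405-L409) and the pr.yml hunk (L655-L659); if `packages: read` is needed by a specific job, grant it there. Suggested top of file: `permissions: {}` followed by per-job blocks.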
@@ -15,7 +21,7 @@ jobs:
timeout-minutes: 30
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Scan With Black Duck
uses: ./.github/actions/scan-with-blackduck
@@ -27,6 +33,4 @@ jobs:
build-and-test:
uses: ./.github/workflows/pipeline.yml
- with:
- deploy-snapshot: true
- secrets: inherit
\ No newline at end of file
+ secrets: inherit
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 8a7da8016..e36236383 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -1,111 +1,111 @@
name: Reusable Workflow
+permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
env:
MAVEN_VERSION: '3.9.12'
on:
workflow_call:
- inputs:
- deploy-snapshot:
- required: true
- type: boolean
- default: false
jobs:
- build:
- name: Build (Java ${{ matrix.java-version }})
+ spotless:
+ name: Spotless Check
runs-on: ubuntu-latest
- timeout-minutes: 30
- strategy:
- matrix:
- java-version: [ 17, 21 ]
+ timeout-minutes: 10
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
- # For internal PRs (same repo), checkout PR head to test actual changes
- # For external PRs (forks), checkout base branch for security
ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }}
- - name: Spotless check
- run: mvn spotless:check -Dspotless.check.skip=false
+ - name: Set up Java
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+ with:
+ java-version: '17'
+ distribution: sapmachine
+ cache: maven
- - name: Build
- uses: ./.github/actions/build
+ - name: Set up Maven
+ uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
with:
- java-version: ${{ matrix.java-version }}
maven-version: ${{ env.MAVEN_VERSION }}
- - name: Upload build artifacts
- uses: actions/upload-artifact@v7
- with:
- name: build-artifacts-java-${{ matrix.java-version }}
- path: |
- **/target/*.jar
- **/pom.xml
- .mvn/
- retention-days: 1
+ - name: Spotless Check
+ run: mvn spotless:check -Dspotless.check.skip=false -B -ntp
integration-tests:
- name: Integration Tests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }})
+ name: ITests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }}, ${{ matrix.auth-method }})
runs-on: ubuntu-latest
timeout-minutes: 30
- needs: build
+ strategy:
+ fail-fast: false
+ matrix:
+ java-version: [ 17, 21 ]
+ test-type: [ build-version, latest-version, oss ]
+ auth-method: [ basic, mtls ]
env:
- ## AWS
AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }}
- ## Azure
AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }}
AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }}
- ## GCP
GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }}
GS_BUCKET: ${{ secrets.GS_BUCKET }}
GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }}
- ## Malware Scanner (Basic Auth)
- MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }}
- MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }}
- MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }}
- ## Malware Scanner (mTLS)
- MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }}
- MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }}
- MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }}
- strategy:
- fail-fast: false
- matrix:
- java-version: [ 17, 21 ]
- test-type: [ build-version, latest-version, oss ]
+ MALWARE_SCANNER_URL: ${{ matrix.auth-method == 'basic' && secrets.MALWARE_SCANNER_URL || '' }}
+ MALWARE_SCANNER_USERNAME: ${{ matrix.auth-method == 'basic' && secrets.MALWARE_SCANNER_USERNAME || '' }}
+ MALWARE_SCANNER_PASSWORD: ${{ matrix.auth-method == 'basic' && secrets.MALWARE_SCANNER_PASSWORD || '' }}
+ MALWARE_SCANNER_MTLS_URI: ${{ matrix.auth-method == 'mtls' && secrets.MALWARE_SCANNER_MTLS_URI || '' }}
+ MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ matrix.auth-method == 'mtls' && secrets.MALWARE_SCANNER_MTLS_CERTIFICATE || '' }}
+ MALWARE_SCANNER_MTLS_KEY: ${{ matrix.auth-method == 'mtls' && secrets.MALWARE_SCANNER_MTLS_KEY || '' }}
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }}
- - name: Download build artifacts
- uses: actions/download-artifact@v8
- with:
- name: build-artifacts-java-${{ matrix.java-version }}
-
- name: Integration Tests
uses: ./.github/actions/integration-tests
with:
java-version: ${{ matrix.java-version }}
maven-version: ${{ env.MAVEN_VERSION }}
test-type: ${{ matrix.test-type }}
+ auth-method: ${{ matrix.auth-method }}
sonarqube-scan:
name: SonarQube Scan
runs-on: ubuntu-latest
timeout-minutes: 30
- needs: build
+ env:
+ AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }}
+ AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
+ AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+ AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
+ AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }}
+ AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }}
+ AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }}
+ GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }}
+ GS_BUCKET: ${{ secrets.GS_BUCKET }}
+ GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }}
+ MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }}
+ MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }}
+ MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }}
+ MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }}
+ MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }}
+ MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }}
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }}
+
- name: SonarQube Scan
uses: ./.github/actions/scan-with-sonar
with:
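Review bot: The two comment lines explaining the checkout `ref:` expression were dropped at L436-L437 while the expression itself survives at L438 and is repeated at L515, L555 and L575; that rationale is the security argument for running this workflow from `pull_request_target` (pr.yml) and should not disappear. Restore it above each `ref:` line, e.g. `# Same-repo PRs: check out the PR head so the actual changes are tested; fork PRs: stay on github.sha so untrusted code never runs with pull_request_target's token and secrets.` Separately, the `sonarqube-scan` job now receives the full set of storage and malware-scanner secrets (L533-L549); if they are required only because the Sonar action runs `mvn clean verify` (L243), a comment saying so would stop a later reviewer from trimming them, and if they are not required they should be trimmed now.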
@@ -117,7 +117,6 @@ jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
- needs: build
timeout-minutes: 30
permissions:
security-events: write
@@ -126,77 +125,12 @@ jobs:
contents: read
steps:
- name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }}
- - name: Set up Java
- uses: actions/setup-java@v5
- with:
- java-version: '17'
- distribution: 'sapmachine'
- cache: 'maven'
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
- with:
- languages: java-kotlin
- build-mode: manual
-
- - name: Build Java code
- run: mvn clean compile -DskipTests -B -ntp
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
- with:
- category: "/language:java-kotlin"
-
- deploy-snapshot:
- name: Deploy snapshot to Artifactory
- runs-on: ubuntu-latest
- timeout-minutes: 30
- if: ${{ inputs.deploy-snapshot == true }}
- needs: [build, integration-tests, codeql]
- steps:
- - name: Checkout
- uses: actions/checkout@v6
- with:
- ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }}
-
- - name: Set up Java
- uses: actions/setup-java@v5
- with:
- java-version: '17'
- distribution: 'sapmachine'
- cache: 'maven'
- server-id: artifactory
- server-username: DEPLOYMENT_USER
- server-password: DEPLOYMENT_PASS
-
- - name: Set up Maven ${{ env.MAVEN_VERSION }}
- uses: stCarolas/setup-maven@v5
+ - name: CodeQL Analysis
+ uses: ./.github/actions/scan-with-codeql
with:
+ java-version: 17
maven-version: ${{ env.MAVEN_VERSION }}
-
- - name: Set Dry Run for Pull Request
- if: github.event_name == 'pull_request_target'
- run: echo "DRY_RUN_PARAM=-DaltDeploymentRepository=local-repo::default::file:./local-repo" >> $GITHUB_ENV
- shell: bash
-
- - name: Get Revision
- id: get-revision
- run: |
- echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
- shell: bash
-
- - name: Print Revision
- run: echo "Current revision ${{ steps.get-revision.outputs.REVISION }}"
- shell: bash
-
- - name: Deploy snapshot
- if: ${{ endsWith(steps.get-revision.outputs.REVISION, '-SNAPSHOT') }}
- run: mvn -B -ntp -fae -pl !integration-tests,!integration-tests/db,!integration-tests/generic,!integration-tests/mtx-local/srv -Dmaven.install.skip=true -Dmaven.test.skip=true -DdeployAtEnd=true deploy
- env:
- DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }}
- DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }}
- shell: bash
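Review bot: `java-version: 17` at L624 is an unquoted integer while the same value is quoted as `'17'` everywhere else in this diff (L444, L579, L702); action inputs arrive as strings so it works today, but a linter or a later move into a matrix expression will treat it as a number, so write `java-version: '17'` for consistency. The removed `deploy-snapshot` job (L597-L648) is still described in doc/Design.md, whose `pipeline.yml` row at L917 says the workflow contains "snapshot deployment logic"; that row was not updated in this commit. The `codeql` job's `permissions:` block begins before this hunk.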
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a98b55823..1cb329519 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -1,5 +1,11 @@
name: CI - PR
+permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
on:
workflow_dispatch:
pull_request_target:
@@ -20,6 +26,4 @@ jobs:
needs: requires-approval
if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped')
uses: ./.github/workflows/pipeline.yml
- with:
- deploy-snapshot: false
- secrets: inherit
\ No newline at end of file
+ secrets: inherit
diff --git a/.github/workflows/prevent-issue-labeling.yml b/.github/workflows/prevent-issue-labeling.yml
index dac7a41b3..6c3503090 100644
--- a/.github/workflows/prevent-issue-labeling.yml
+++ b/.github/workflows/prevent-issue-labeling.yml
@@ -1,7 +1,6 @@
name: Prevent "New" Label on Issues
-permissions:
- issues: write
+permissions: {}
on:
issues:
@@ -10,6 +9,8 @@ on:
jobs:
remove_new_label:
runs-on: ubuntu-latest
+ permissions:
+ issues: write
steps:
- name: Remove "New" label if applied by non-bot user
if: >
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 422008ff2..8bccdaa10 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,7 @@
name: Deploy to Maven Central
+permissions: read-all
+
env:
JAVA_VERSION: '17'
MAVEN_VERSION: '3.9.12'
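Review bot: `permissions: read-all` at L699 grants every read scope to every job in the file, which is broader than the `permissions: {}` plus per-job grants this same commit applies in issue.yml, stale.yml and prevent-issue-labeling.yml. Jobs that need only `contents: read` for checkout would be better served by `permissions: {}` at the top and explicit job-level blocks, as is already done for the `contents: write` grant at L716-L717. That grant sits next to a checkout that uses `secrets.GH_TOKEN` (L723); if the version push is performed with that PAT rather than `GITHUB_TOKEN`, `contents: write` on the job token is unneeded and can go — presumably worth confirming against the steps outside the hunk.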
@@ -15,7 +17,7 @@ jobs:
timeout-minutes: 30
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Scan With Black Duck
uses: ./.github/actions/scan-with-blackduck
@@ -28,9 +30,11 @@ jobs:
name: Update Version
runs-on: ubuntu-latest
timeout-minutes: 30
+ permissions:
+ contents: write
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
token: ${{ secrets.GH_TOKEN }}
@@ -41,11 +45,10 @@ jobs:
maven-version: ${{ env.MAVEN_VERSION }}
- name: Upload Changed Artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: root-new-version
path: .
- include-hidden-files: true
retention-days: 1
build:
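Review bot: Dropping `include-hidden-files: true` at L732 changes what the `root-new-version` artifact contains: `upload-artifact` v4 and later skip dot-files and dot-directories unless that flag is set, so `.mvn/` and `.github/` no longer travel to the downstream `build` job. The removed pipeline.yml upload step shipped `.mvn/` explicitly (L461), which suggests the build depends on it; unless that is no longer true, restore `include-hidden-files: true` here and in the `root-build` upload (L750). If the removal was deliberate to keep `.git` out of the artifact, list the needed hidden paths explicitly instead of excluding all of them, and say so in a comment above `path: .`.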
@@ -66,7 +69,7 @@ jobs:
GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }}
steps:
- name: Download artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: root-new-version
@@ -85,10 +88,9 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Changed Artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: root-build
- include-hidden-files: true
path: .
retention-days: 1
@@ -99,7 +101,7 @@ jobs:
needs: [blackduck, build]
steps:
- name: Download artifact
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: root-build
@@ -113,6 +115,3 @@ jobs:
pgp-passphrase: ${{ secrets.PGP_PASSPHRASE }}
revision: ${{ github.event.release.tag_name }}
maven-version: ${{ env.MAVEN_VERSION }}
-
- - name: Echo Status
- run: echo "The job status is ${{ job.status }}"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3e33f1df1..4feaa66fb 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,4 +1,7 @@
name: "Close stale issues"
+
+permissions: {}
+
on:
schedule:
- cron: "30 1 * * *"
@@ -11,7 +14,7 @@ jobs:
issues: write
pull-requests: write
steps:
- - uses: actions/stale@v10
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
with:
close-issue-message: "This issue has been automatically closed due to 2 weeks of inactivity. If you believe this was a mistake, please reopen or comment to continue the discussion."
days-before-stale: -1
diff --git a/.pipeline/config.yml b/.pipeline/config.yml
deleted file mode 100644
index 111191b00..000000000
--- a/.pipeline/config.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-steps:
- mavenBuild:
- verbose: false
- verify: false
- flatten: true
- # https://www.project-piper.io/steps/mavenBuild/#dockerimage
- # If empty, Docker is not used and the command is executed directly on the Jenkins system.
- dockerImage: ''
-
- detectExecuteScan:
- projectName: 'com.sap.cds.feature.attachments'
- groups:
- - 'CDSJAVA-OPEN-SOURCE'
- serverUrl: 'https://sap.blackducksoftware.com/'
- mavenExcludedScopes: [ "provided", "test" ]
- failOn: [ 'NONE' ]
- versioningModel: "major-minor"
- detectTools: [ 'DETECTOR', 'BINARY_SCAN' ]
- installArtifacts: false
- repository: '/cap-java/cds-feature-attachments'
- verbose: true
- scanProperties:
- - --detect.included.detector.types=MAVEN
- - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/**'
- - --detect.maven.excluded.modules=integration-tests,integration-tests/db,integration-tests/generic,integration-tests/mtx-local/srv
- - --detect.maven.build.command='-pl com.sap.cds:cds-feature-attachments'
- # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage
- # If empty, Docker is not used and the command is executed directly on the Jenkins system.
- dockerImage: ''
-
- sonarExecuteScan:
- serverUrl: https://sonar.tools.sap
- projectKey: cds-feature-attachments
- options:
- - sonar.qualitygate.wait=true
- - sonar.java.source=17
- - sonar.exclusions=**/node_modules/**,**/target/**,**/test/**
- - sonar.modules=cds-feature-attachments,cds-feature-attachments-fs,cds-feature-attachments-oss
- - sonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml
- - sonar.coverage.exclusions=cds-feature-attachments/src/test/**,cds-feature-attachments/src/gen/**,storage-targets/cds-feature-attachments-fs/src/test/**,storage-targets/cds-feature-attachments-oss/src/test/**
- - cds-feature-attachments.sonar.projectBaseDir=cds-feature-attachments
- - cds-feature-attachments.sonar.sources=src/main/java
- - cds-feature-attachments.sonar.tests=src/test/java
- - cds-feature-attachments.sonar.java.binaries=target/classes
- - cds-feature-attachments-fs.sonar.projectBaseDir=storage-targets/cds-feature-attachments-fs
- - cds-feature-attachments-fs.sonar.sources=src/main/java
- - cds-feature-attachments-fs.sonar.tests=src/test/java
- - cds-feature-attachments-fs.sonar.java.binaries=target/classes
- - cds-feature-attachments-oss.sonar.projectBaseDir=storage-targets/cds-feature-attachments-oss
- - cds-feature-attachments-oss.sonar.sources=src/main/java
- - cds-feature-attachments-oss.sonar.tests=src/test/java
- - cds-feature-attachments-oss.sonar.java.binaries=target/classes
diff --git a/CLAUDE.md b/CLAUDE.md
index 49cf9e133..22734dc62 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -122,7 +122,6 @@ Defined in `cds-feature-attachments/src/main/resources/cds/com.sap.cds/cds-featu
All enforced in CI:
- **JaCoCo:** 95% minimum (instruction, branch, complexity), 0 missed classes
-- **Mutation testing (Pitest):** 90% aggregated threshold on `handler.*` and `service.*`
- **SpotBugs:** max effort, includes tests
- **PMD:** SAP Cloud SDK rules, excludes generated code and tests
- **Spotless:** Google Java Format check
diff --git a/cds-feature-attachments/pom.xml b/cds-feature-attachments/pom.xml
index 44bec84e4..dda78a2d7 100644
--- a/cds-feature-attachments/pom.xml
+++ b/cds-feature-attachments/pom.xml
@@ -92,40 +92,6 @@
${project.artifactId}
-
- org.pitest
- pitest-maven
-
-
- com.sap.cds.feature.attachments.handler.*
- com.sap.cds.feature.attachments.service.*
-
-
- CONSTRUCTOR_CALLS
- VOID_METHOD_CALLS
- NON_VOID_METHOD_CALLS
- REMOVE_CONDITIONALS_ORDER_ELSE
- CONDITIONALS_BOUNDARY
- EMPTY_RETURNS
- NEGATE_CONDITIONALS
- REMOVE_CONDITIONALS_EQUAL_IF
- REMOVE_CONDITIONALS_EQUAL_ELSE
- REMOVE_CONDITIONALS_ORDER_IF
- REMOVE_CONDITIONALS_ORDER_ELSE
-
- 95
- 90
-
-
-
-
- org.pitest
- pitest-junit5-plugin
- 1.2.3
-
-
-
-
maven-clean-plugin
diff --git a/doc/Design.md b/doc/Design.md
index 1945024c5..6777dde22 100644
--- a/doc/Design.md
+++ b/doc/Design.md
@@ -51,7 +51,6 @@
- [Texts](#texts)
- [Tests](#tests)
- [Unit Tests](#unit-tests)
- - [Mutation Tests](#mutation-tests)
- [Integration Tests](#integration-tests)
- [Quality Tools](#quality-tools)
@@ -93,21 +92,19 @@ In folder `.github/workflows` are the GitHub Actions defined. The following tabl
| File Name | Description |
| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `pr.yml` | Builds and tests pull requests for Java 17 and 21. Requires approval for external forks. Each pull request needs green runs from this workflow to be merged. |
-| `main.yml` | Builds, tests, and deploys snapshots when commits are merged to main. Runs unit tests, integration tests, and mutation tests for Java 17 and 21. |
+| `main.yml` | Builds and tests when commits are merged to main. Runs unit tests and integration tests for Java 17 and 21. |
| `release.yml` | Triggered on GitHub releases. Updates version, runs BlackDuck scan, builds, tests, and deploys to Maven Central. See also [Build and Deploy](#build-and-deploy). |
| `pipeline.yml` | Reusable workflow containing shared build, test, integration test, SonarQube scan, CodeQL analysis, and snapshot deployment logic. Called by `pr.yml` and `main.yml`. |
### Build Action
The build step is implemented in action `.github/actions/build/action.yml` which is used in the workflows via `pipeline.yml`.
-As the build action does not only run a build of the project, but also the mutation tests, this action is used in all
-the mentioned workflows.
Additional reusable actions are defined in `.github/actions/`:
| Action | Description |
| --------------------- | ----------------------------------------------------------- |
-| `build` | Builds the project and runs unit/mutation tests |
+| `build` | Builds the project and runs unit tests |
| `integration-tests` | Runs integration tests (build-version, latest-version, oss) |
| `deploy-release` | Deploys release artifacts to Maven Central |
| `newrelease` | Updates version in pom.xml for new releases |
@@ -142,7 +139,7 @@ The following steps are executed in the workflow:
1. Update the version in the `pom.xml` files. The tag used in the release is read and git commands are used to update
the property `revision` in the parent `pom.xml` file.
-2. Build the project and run all unit, integration and mutation tests. Here a reuse action is used which is also
+2. Build the project and run all unit and integration tests. Here a reuse action is used which is also
executed in the main and pull request build.
3. Deploy the project to maven or artifactory. The deployment is done with the maven command `mvn deploy`. The
deployment is done to the repository defined in the `pom.xml` file. So only project parts which have defined the
@@ -660,18 +657,6 @@ The following settings are used for this plugin:
| Complexity Coverage | 95% |
| Class Missed Count | 0 |
-#### Mutation Tests
-
-In addition to this plugin, also mutation tests are executed during the build of the project in the GitHub Actions.
-To run the mutation tests the plugin `pitest-maven` is included in the same pom.
-
-Several mutators are maintained in the plugin and the following settings are used:
-
-| Setting | Value |
-| ----------------------------- | ----- |
-| Coverage Threshold | 95% |
-| Aggregated Mutation Threshold | 90% |
-
### Integration Tests
Spring Boot tests are implemented in the `integration-tests` folder.
@@ -746,7 +731,6 @@ The following quality tools are used in the project to ensure the quality of the
| Spotbugs | Defined in the root `pom.xml` | Static Code check for Java code working in the bytecode. |
| PMD/CPD | Defined in the root `pom.xml` | Static Code check for Java code working on the source code. CPD checks the coding for duplications. |
| Maven Enforcer Plugin | Defined in the root `pom.xml` | Checks if there are dependencies declared twice. |
-| Mutation Tests | Defined in `cds-feature-attachments/pom.xml` | See section [mutation tests](#mutation-tests). |
| Jacoco | Defined in `cds-feature-attachments/pom.xml` | See section [unit tests](#unit-tests). |
| Dependabot | Config is defined in the `.github/dependabot.yml` | Checks for new versions of dependencies. |
| CodeQL | Defined in `pipeline.yml` | Checks for vulnerabilities in the coding. Executed as part of the CI pipeline. |
diff --git a/pom.xml b/pom.xml
index 2e775ac3b..024fe7d44 100644
--- a/pom.xml
+++ b/pom.xml
@@ -238,11 +238,6 @@
jacoco-maven-plugin
0.8.14
-
- org.pitest
- pitest-maven
- 1.23.0
-
com.github.spotbugs
spotbugs-maven-plugin