From ed173ff5a813fb54cde47415c35697c2e9758243 Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Mon, 4 May 2026 13:39:47 +0200
Subject: [PATCH 1/9] .
---
 .github/actions/build/action.yml | 12 +-
 .github/actions/deploy-release/action.yml | 10 +-
 .github/actions/integration-tests/action.yml | 4 +-
 .github/actions/newrelease/action.yml | 4 +-
 .../actions/scan-with-blackduck/action.yml | 37 +++---
 .github/actions/scan-with-sonar/action.yml | 32 ++---
 .github/actions/test-sample/action.yml | 14 ++-
 .github/dependabot.yml | 1 +
 .github/workflows/issue.yml | 9 +-
 .github/workflows/main.yml | 26 +++-
 .github/workflows/pipeline.yml | 117 +++++++-----------
 .github/workflows/pr.yml | 24 +++-
 .github/workflows/prevent-issue-labeling.yml | 5 +-
 .github/workflows/release.yml | 21 ++--
 .github/workflows/stale.yml | 5 +-
 .pipeline/config.yml | 52 --------
 16 files changed, 173 insertions(+), 200 deletions(-)
 delete mode 100644 .pipeline/config.yml
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
index a6fd34568..629ef1d9b 100644
--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -17,22 +17,20 @@ runs: using: composite steps: - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ inputs.java-version }} distribution: sapmachine cache: maven - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }} - - name: Piper Maven build - uses: SAP/project-piper-action@main - with: - step-name: mavenBuild - docker-image: '' + - name: Maven Build + run: mvn clean install -DskipTests -B -ntp + shell: bash - name: Mutation Testing if: ${{ inputs.mutation-testing == 'true' }}
diff --git a/.github/actions/deploy-release/action.yml b/.github/actions/deploy-release/action.yml
index 23377a50c..7b900da65 100644
--- a/.github/actions/deploy-release/action.yml
+++ b/.github/actions/deploy-release/action.yml
@@ -27,14 +27,8 @@ inputs: runs: using: composite steps: - - name: Echo Inputs - run: | - echo "user: ${{ inputs.user }}" - echo "revision: ${{ inputs.revision }}" - shell: bash - - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: sapmachine java-version: '17'
@@ -44,7 +38,7 @@ runs: server-password: MAVEN_CENTRAL_PASSWORD - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }}
diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml
index ca4e3cfc1..0eb255882 100644
--- a/.github/actions/integration-tests/action.yml
+++ b/.github/actions/integration-tests/action.yml
@@ -16,14 +16,14 @@ runs: using: composite steps: - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ inputs.java-version }} distribution: sapmachine cache: maven - name: Setup Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }}
diff --git a/.github/actions/newrelease/action.yml b/.github/actions/newrelease/action.yml
index a6fe732c4..e9a08a852 100644
--- a/.github/actions/newrelease/action.yml
+++ b/.github/actions/newrelease/action.yml
@@ -13,14 +13,14 @@ runs: using: composite steps: - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ inputs.java-version }} distribution: sapmachine cache: maven - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }}
diff --git a/.github/actions/scan-with-blackduck/action.yml b/.github/actions/scan-with-blackduck/action.yml
index 2c847e382..2e69261ce 100644
--- a/.github/actions/scan-with-blackduck/action.yml
+++ b/.github/actions/scan-with-blackduck/action.yml
@@ -24,35 +24,40 @@ runs: using: composite steps: - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ inputs.java-version }} distribution: sapmachine cache: maven - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }} - - name: Get Major Version - id: get-major-version + - name: Get Revision + id: get-revision run: | echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT shell: bash - - name: Print Version Number - run: echo "${{ steps.get-major-version.outputs.REVISION }}" + - name: BlackDuck Detect Scan + run: | + bash <(curl -s -L https://detect.synopsys.com/detect9.sh) \ + --blackduck.url=https://sap.blackducksoftware.com/ \ + --blackduck.api.token="${BLACKDUCK_TOKEN}" \ + --detect.project.name=com.sap.cds.feature.attachments \ + --detect.project.version.name="${REVISION}" \ + --detect.included.detector.types=MAVEN \ + --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/**' \ + --detect.maven.excluded.modules=integration-tests,integration-tests/db,integration-tests/generic,integration-tests/mtx-local/srv \ + --detect.maven.build.command='-pl com.sap.cds:cds-feature-attachments' \ + --detect.tools=DETECTOR,BINARY_SCAN \ + --detect.blackduck.scan.mode="${SCAN_MODE}" \ + --detect.risk.report.pdf=false \ + --logging.level.detect=INFO shell: bash - - - name: BlackDuck Scan - uses: SAP/project-piper-action@main - with: - step-name: detectExecuteScan - flags: \ - --githubToken=$GITHUB_token \ - --version=${{ steps.get-major-version.outputs.REVISION }} env: - PIPER_token: ${{ inputs.blackduck_token }} - GITHUB_token: ${{ inputs.github_token }} + BLACKDUCK_TOKEN: ${{ inputs.blackduck_token }} SCAN_MODE: 
${{ inputs.scan_mode }} + REVISION: ${{ steps.get-revision.outputs.REVISION }}
diff --git a/.github/actions/scan-with-sonar/action.yml b/.github/actions/scan-with-sonar/action.yml
index 3884b4052..a39d76125 100644
--- a/.github/actions/scan-with-sonar/action.yml
+++ b/.github/actions/scan-with-sonar/action.yml
@@ -20,14 +20,14 @@ runs: steps: - name: Set up Java ${{inputs.java-version}} - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{inputs.java-version}} distribution: sapmachine cache: maven - name: Set up Maven ${{inputs.maven-version}} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{inputs.maven-version}}
@@ -37,10 +37,6 @@ runs: echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT shell: bash - - name: Print Revision - run: echo "${{steps.get-revision.outputs.REVISION}}" - shell: bash - - name: Build project for SonarQube scan run: | mvn clean verify -ntp -B
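Review bot: The new `BlackDuck Detect Scan` step runs `bash <(curl -s -L https://detect.synopsys.com/detect9.sh)`, which executes whatever that endpoint returns, unpinned and unverified, and `-s` without `-f` means an HTTP error body is handed to bash as well; the Piper step it replaces was at least addressed by a named action. Use `bash <(curl -fsSL https://detect.synopsys.com/detect9.sh) \` so a failed download aborts the step, pin a Detect release (the bootstrap script documents an environment variable for that), and ideally save the script to a file and check its hash before executing it. The token is also passed as `--blackduck.api.token="${BLACKDUCK_TOKEN}"`, which puts it on the runner's command line; Detect reads its properties from environment variables too, so exporting it under the equivalent variable name and dropping the flag keeps it out of process listings — confirm the exact variable name against the Detect docs for the version you pin. Nothing in this hunk consumes `inputs.github_token` any more, so either remove that input or leave a comment saying why it stays.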
@@ -66,12 +62,18 @@ runs: shell: bash - name: SonarQube Scan - uses: SAP/project-piper-action@main - with: - step-name: sonarExecuteScan - flags: > - --token=${{ inputs.sonarq-token }} - --githubToken=${{ inputs.github-token }} - --version=${{ steps.get-revision.outputs.REVISION }} - --inferJavaBinaries=true - --options=-Dsonar.exclusions=**/samples/**,-Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml + run: > + mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar + -Dsonar.host.url=https://sonar.tools.sap + -Dsonar.token=${{ inputs.sonarq-token }} + -Dsonar.projectKey=cds-feature-attachments + -Dsonar.projectVersion=${{ steps.get-revision.outputs.REVISION }} + -Dsonar.qualitygate.wait=true + -Dsonar.java.source=17 + -Dsonar.exclusions=**/samples/** + -Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml + -Dsonar.coverage.exclusions=cds-feature-attachments/src/test/**,cds-feature-attachments/src/gen/**,storage-targets/cds-feature-attachments-fs/src/test/**,storage-targets/cds-feature-attachments-oss/src/test/** + -B -ntp + shell: bash + env: + GITHUB_TOKEN: ${{ inputs.github-token }}
diff --git a/.github/actions/test-sample/action.yml b/.github/actions/test-sample/action.yml
index 403d49584..c0c8954f2 100644
--- a/.github/actions/test-sample/action.yml
+++ b/.github/actions/test-sample/action.yml
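Review bot: The new `SonarQube Scan` step interpolates `${{ inputs.sonarq-token }}` and `${{ steps.get-revision.outputs.REVISION }}` straight into the `run:` script, so the token becomes part of the Maven command line (visible in process listings and in any error output that echoes the invocation), and the revision string, which comes from the checked-out pom via `mvn help:evaluate`, is spliced into shell text in a workflow that pr.yml drives from `pull_request_target`. Pass both through the step's `env:` instead, `SONAR_TOKEN: ${{ inputs.sonarq-token }}` and `REVISION: ${{ steps.get-revision.outputs.REVISION }}`, and write `-Dsonar.projectVersion="$REVISION"` in the command; current SonarScanner for Maven releases read `SONAR_TOKEN` from the environment, so the `-Dsonar.token=` flag can go entirely — confirm for the plugin version in use. The added `GITHUB_TOKEN: ${{ inputs.github-token }}` is not referenced by anything in the command; if the scanner needs it for PR decoration, say so in a comment, otherwise drop it so the token is not exposed to the Maven process for nothing.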
@@ -1,18 +1,26 @@ name: 'Test Sample' description: 'Compile sample and run tests' +inputs: + java-version: + description: The Java version the build shall run with. + required: true + maven-version: + description: The Maven version the build shall run with. + required: true + runs: using: 'composite' steps: - name: Set up Java ${{ inputs.java-version }} - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: ${{ inputs.java-version }} distribution: sapmachine cache: maven - name: Set up Maven ${{ inputs.maven-version }} - uses: stCarolas/setup-maven@v5 + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: maven-version: ${{ inputs.maven-version }}
@@ -29,4 +37,4 @@ runs: - name: Run tests shell: bash working-directory: samples/bookshop - run: mvn test
\ No newline at end of file
+ run: mvn test
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f5cd6b22c..cb2acf71c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -21,6 +21,7 @@ updates: directory: "/" schedule: interval: weekly + open-pull-requests-limit: 5 groups: minor-patch: patterns:
diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml
index ef40728ee..f0ce52ea9 100644
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -1,7 +1,6 @@ name: Label issues -permissions: - issues: write +permissions: {} on: issues:
@@ -11,6 +10,8 @@ on: jobs: label_issues: runs-on: ubuntu-latest + permissions: + issues: write steps: - run: gh issue edit "$NUMBER" --add-label "$LABELS" env:
@@ -19,7 +20,7 @@ jobs: NUMBER: ${{ github.event.issue.number }} LABELS: New - - uses: actions/github-script@v9 + - uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 with: script: | github.rest.issues.createComment({
@@ -27,4 +28,4 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, body: `👋 Hello @${context.payload.issue.user.login}, thank you for submitting this issue. Our team is reviewing your report and will follow up with you as soon as possible.` - })
\ No newline at end of file
+ })
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e077dd447..c6ba8e5b1 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,5 +1,7 @@ name: CI - MAIN +permissions: read-all + env: MAVEN_VERSION: '3.9.12'
@@ -15,7 +17,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck uses: ./.github/actions/scan-with-blackduck
@@ -27,6 +29,22 @@ jobs: build-and-test: uses: ./.github/workflows/pipeline.yml - with: - deploy-snapshot: true - secrets: inherit
\ No newline at end of file
+ secrets: + AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} + AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} + AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} + AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} + GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} + GS_BUCKET: ${{ secrets.GS_BUCKET }} + GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} + MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} + MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} + MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} + MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} + MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} + MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }} + SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} + GH_TOKEN: ${{ secrets.GH_TOKEN }}
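Review bot: `permissions: read-all` added at the top of main.yml also governs the `build-and-test` job that calls pipeline.yml, and a called workflow can only narrow the permissions its caller hands it, so the `codeql` job in pipeline.yml, whose context lines declare `security-events: write` for uploading results, would be capped at read; pr.yml gets the same header in this commit and has the same exposure, while release.yml only has in-file jobs that override at job level and is unaffected. If that reading of the reusable-workflow rules holds, grant the scope on the caller job — `build-and-test:` / `permissions:` / `security-events: write` alongside `contents: read` — or switch main.yml and pr.yml to `permissions: {}` at workflow level, as issue.yml and stale.yml do in this same commit, with job-level grants. Either way, check on a real run that the CodeQL upload still succeeds.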
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 8a7da8016..0374c64e6 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -1,15 +1,49 @@ name: Reusable Workflow +permissions: read-all + env: MAVEN_VERSION: '3.9.12' on: workflow_call: - inputs: - deploy-snapshot: + secrets: + AWS_S3_HOST: + required: true + AWS_S3_BUCKET: + required: true + AWS_S3_REGION: + required: true + AWS_S3_ACCESS_KEY_ID: + required: true + AWS_S3_SECRET_ACCESS_KEY: + required: true + AZURE_CONTAINER_URI: + required: true + AZURE_SAS_TOKEN: + required: true + GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: + required: true + GS_BUCKET: + required: true + GS_PROJECT_ID: + required: true + MALWARE_SCANNER_URL: + required: true + MALWARE_SCANNER_USERNAME: + required: true + MALWARE_SCANNER_PASSWORD: + required: true + MALWARE_SCANNER_MTLS_URI: + required: true + MALWARE_SCANNER_MTLS_CERTIFICATE: + required: true + MALWARE_SCANNER_MTLS_KEY: + required: true + SONARQ_TOKEN: + required: true + GH_TOKEN: required: true - type: boolean - default: false jobs: build:
@@ -21,10 +55,8 @@ jobs: java-version: [ 17, 21 ] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - # For internal PRs (same repo), checkout PR head to test actual changes - # For external PRs (forks), checkout base branch for security ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - name: Spotless check
@@ -37,7 +69,7 @@ jobs: maven-version: ${{ env.MAVEN_VERSION }} - name: Upload build artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: build-artifacts-java-${{ matrix.java-version }} path: |
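Review bot: In the `@@ -21,10 +55,8` hunk the two comment lines explaining the checkout `ref:` expression are removed while the expression itself stays; since pr.yml drives this workflow from `pull_request_target` with the storage and scanner secrets attached, that expression is the one control keeping fork-supplied code from running with those secrets, and its rationale should stay next to it. Restore a comment above `ref:` such as `# Same-repo PRs: check out the PR head; fork PRs: stay on the base SHA so untrusted code never runs with secrets`. The same expression is repeated verbatim in the other jobs' checkout steps further down, so the comment belongs at each occurrence. The `build` job this hunk edits starts before the hunk.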
@@ -52,24 +84,19 @@ jobs: timeout-minutes: 30 needs: build env: - ## AWS AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} - ## Azure AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} - ## GCP GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} GS_BUCKET: ${{ secrets.GS_BUCKET }} GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} - ## Malware Scanner (Basic Auth) MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} - ## Malware Scanner (mTLS) MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }}
@@ -80,12 +107,12 @@ jobs: test-type: [ build-version, latest-version, oss ] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - name: Download build artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-artifacts-java-${{ matrix.java-version }}
@@ -103,7 +130,7 @@ jobs: needs: build steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - name: SonarQube Scan
@@ -126,19 +153,19 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - name: Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: java-version: '17' distribution: 'sapmachine' cache: 'maven' - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 with: languages: java-kotlin build-mode: manual 
@@ -147,56 +174,6 @@ jobs: run: mvn clean compile -DskipTests -B -ntp - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 with: category: "/language:java-kotlin" - - deploy-snapshot: - name: Deploy snapshot to Artifactory - runs-on: ubuntu-latest - timeout-minutes: 30 - if: ${{ inputs.deploy-snapshot == true }} - needs: [build, integration-tests, codeql] - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - - - name: Set up Java - uses: actions/setup-java@v5 - with: - java-version: '17' - distribution: 'sapmachine' - cache: 'maven' - server-id: artifactory - server-username: DEPLOYMENT_USER - server-password: DEPLOYMENT_PASS - - - name: Set up Maven ${{ env.MAVEN_VERSION }} - uses: stCarolas/setup-maven@v5 - with: - maven-version: ${{ env.MAVEN_VERSION }} - - - name: Set Dry Run for Pull Request - if: github.event_name == 'pull_request_target' - run: echo "DRY_RUN_PARAM=-DaltDeploymentRepository=local-repo::default::file:./local-repo" >> $GITHUB_ENV - shell: bash - - - name: Get Revision - id: get-revision - run: | - echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT - shell: bash - - - name: Print Revision - run: echo "Current revision ${{ steps.get-revision.outputs.REVISION }}" - shell: bash - - - name: Deploy snapshot - if: ${{ endsWith(steps.get-revision.outputs.REVISION, '-SNAPSHOT') }} - run: mvn -B -ntp -fae -pl !integration-tests,!integration-tests/db,!integration-tests/generic,!integration-tests/mtx-local/srv -Dmaven.install.skip=true -Dmaven.test.skip=true -DdeployAtEnd=true deploy - env: - DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }} - DEPLOYMENT_PASS: ${{ secrets.DEPLOYMENT_PASS }} - shell: bash 
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a98b55823..48962c712 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -1,5 +1,7 @@ name: CI - PR +permissions: read-all + on: workflow_dispatch: pull_request_target:
@@ -20,6 +22,22 @@ jobs: needs: requires-approval if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') uses: ./.github/workflows/pipeline.yml - with: - deploy-snapshot: false - secrets: inherit
\ No newline at end of file
+ secrets: + AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} + AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} + AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} + AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} + GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} + GS_BUCKET: ${{ secrets.GS_BUCKET }} + GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} + MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} + MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} + MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} + MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} + MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} + MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }} + SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} + GH_TOKEN: ${{ secrets.GH_TOKEN }}
diff --git a/.github/workflows/prevent-issue-labeling.yml b/.github/workflows/prevent-issue-labeling.yml
index dac7a41b3..6c3503090 100644
--- a/.github/workflows/prevent-issue-labeling.yml
+++ b/.github/workflows/prevent-issue-labeling.yml
@@ -1,7 +1,6 @@ name: Prevent "New" Label on Issues -permissions: - issues: write +permissions: {} on: issues:
@@ -10,6 +9,8 @@ on: jobs: remove_new_label: runs-on: ubuntu-latest + permissions: + issues: write steps: - name: Remove "New" label if applied by non-bot user if: >
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 422008ff2..8bccdaa10 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,7 @@ name: Deploy to Maven Central +permissions: read-all + env: JAVA_VERSION: '17' MAVEN_VERSION: '3.9.12'
@@ -15,7 +17,7 @@ jobs: timeout-minutes: 30 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Scan With Black Duck uses: ./.github/actions/scan-with-blackduck
@@ -28,9 +30,11 @@ jobs: name: Update Version runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + contents: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ secrets.GH_TOKEN }}
@@ -41,11 +45,10 @@ jobs: maven-version: ${{ env.MAVEN_VERSION }} - name: Upload Changed Artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: root-new-version path: . - include-hidden-files: true retention-days: 1 build:
@@ -66,7 +69,7 @@ jobs: GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} steps: - name: Download artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: root-new-version
@@ -85,10 +88,9 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Upload Changed Artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: root-build - include-hidden-files: true path: . retention-days: 1
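Review bot: Removing `include-hidden-files: true` from the `root-new-version` upload (and from `root-build` in the `@@ -85,10 +88,9` hunk) changes what the `build` and deploy jobs receive with `path: .`: dot-entries such as `.mvn/` are now left out, and pipeline.yml's own artifact list in this commit names `.mvn/` explicitly, so confirm the downstream Maven invocations do not depend on anything under it. The change is nonetheless the right direction: this job checks out with `token: ${{ secrets.GH_TOKEN }}`, and actions/checkout persists that credential under `.git/` by default, so the previous setting shipped the token inside an artifact that every later job downloads. If `.mvn/` is needed, add it as a second explicit `path:` entry and verify it lands in the artifact rather than reinstating the flag, and consider `persist-credentials: false` on the checkout if nothing in the job pushes with that token.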
@@ -99,7 +101,7 @@ jobs: needs: [blackduck, build] steps: - name: Download artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: root-build
@@ -113,6 +115,3 @@ jobs: pgp-passphrase: ${{ secrets.PGP_PASSPHRASE }} revision: ${{ github.event.release.tag_name }} maven-version: ${{ env.MAVEN_VERSION }} - - - name: Echo Status - run: echo "The job status is ${{ job.status }}"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3e33f1df1..4feaa66fb 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,4 +1,7 @@ name: "Close stale issues" + +permissions: {} + on: schedule: - cron: "30 1 * * *"
@@ -11,7 +14,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10 with: close-issue-message: "This issue has been automatically closed due to 2 weeks of inactivity. If you believe this was a mistake, please reopen or comment to continue the discussion." days-before-stale: -1
diff --git a/.pipeline/config.yml b/.pipeline/config.yml
deleted file mode 100644
index 111191b00..000000000
--- a/.pipeline/config.yml
+++ /dev/null
@@ -1,52 +0,0 @@ -steps: - mavenBuild: - verbose: false - verify: false - flatten: true - # https://www.project-piper.io/steps/mavenBuild/#dockerimage - # If empty, Docker is not used and the command is executed directly on the Jenkins system. - dockerImage: '' - - detectExecuteScan: - projectName: 'com.sap.cds.feature.attachments' - groups: - - 'CDSJAVA-OPEN-SOURCE' - serverUrl: 'https://sap.blackducksoftware.com/' - mavenExcludedScopes: [ "provided", "test" ] - failOn: [ 'NONE' ] - versioningModel: "major-minor" - detectTools: [ 'DETECTOR', 'BINARY_SCAN' ] - installArtifacts: false - repository: '/cap-java/cds-feature-attachments' - verbose: true - scanProperties: - - --detect.included.detector.types=MAVEN - - --detect.excluded.directories='**/node_modules,**/*test*,**/localrepo,**/target/site,**/*-site.jar,**/samples/**' - - --detect.maven.excluded.modules=integration-tests,integration-tests/db,integration-tests/generic,integration-tests/mtx-local/srv - - --detect.maven.build.command='-pl com.sap.cds:cds-feature-attachments' - # https://www.project-piper.io/steps/detectExecuteScan/#dockerimage - # If empty, Docker is not used and the command is executed directly on the Jenkins system. 
- dockerImage: '' - - sonarExecuteScan: - serverUrl: https://sonar.tools.sap - projectKey: cds-feature-attachments - options: - - sonar.qualitygate.wait=true - - sonar.java.source=17 - - sonar.exclusions=**/node_modules/**,**/target/**,**/test/** - - sonar.modules=cds-feature-attachments,cds-feature-attachments-fs,cds-feature-attachments-oss - - sonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml - - sonar.coverage.exclusions=cds-feature-attachments/src/test/**,cds-feature-attachments/src/gen/**,storage-targets/cds-feature-attachments-fs/src/test/**,storage-targets/cds-feature-attachments-oss/src/test/** - - cds-feature-attachments.sonar.projectBaseDir=cds-feature-attachments - - cds-feature-attachments.sonar.sources=src/main/java - - cds-feature-attachments.sonar.tests=src/test/java - - cds-feature-attachments.sonar.java.binaries=target/classes - - cds-feature-attachments-fs.sonar.projectBaseDir=storage-targets/cds-feature-attachments-fs - - cds-feature-attachments-fs.sonar.sources=src/main/java - - cds-feature-attachments-fs.sonar.tests=src/test/java - - cds-feature-attachments-fs.sonar.java.binaries=target/classes - - cds-feature-attachments-oss.sonar.projectBaseDir=storage-targets/cds-feature-attachments-oss - - cds-feature-attachments-oss.sonar.sources=src/main/java - - cds-feature-attachments-oss.sonar.tests=src/test/java - - cds-feature-attachments-oss.sonar.java.binaries=target/classes
From 9a2ed30bbc894ed43a462a68e0e91ceaddbdfe1f Mon Sep 17 00:00:00 2001
From: Marvin Lindner
Date: Mon, 4 May 2026 15:09:30 +0200
Subject: [PATCH 2/9] update
---
 .github/actions/build/action.yml | 9 ---
 .github/actions/integration-tests/action.yml | 3 +
 .github/workflows/pipeline.yml | 85 +++++++++++---------
 3 files changed, 48 insertions(+), 49 deletions(-)
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
index 629ef1d9b..8982a2149 100644
--- a/.github/actions/build/action.yml
+++ b/.github/actions/build/action.yml
@@ -8,10 +8,6 @@ inputs: maven-version: description: The Maven version the build will run with. required: true - mutation-testing: - description: Whether to run mutation testing or not. - default: 'true' - required: false runs: using: composite
@@ -31,8 +27,3 @@ runs: - name: Maven Build run: mvn clean install -DskipTests -B -ntp shell: bash - - - name: Mutation Testing - if: ${{ inputs.mutation-testing == 'true' }} - run: mvn org.pitest:pitest-maven:mutationCoverage -f cds-feature-attachments/pom.xml -ntp -B - shell: bash
diff --git a/.github/actions/integration-tests/action.yml b/.github/actions/integration-tests/action.yml
index 0eb255882..8be8de2ab 100644
--- a/.github/actions/integration-tests/action.yml
+++ b/.github/actions/integration-tests/action.yml
@@ -11,6 +11,9 @@ inputs: test-type: description: 'Which integration test to run: build-version, latest-version, or oss' required: true + auth-method: + description: 'Authentication method: basic or mtls' + required: true runs: using: composite
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 0374c64e6..b532e7ca4 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -46,43 +46,41 @@ on: required: true jobs: - build: - name: Build (Java ${{ matrix.java-version }}) + spotless: + name: Spotless Check runs-on: ubuntu-latest - timeout-minutes: 30 - strategy: - matrix: - java-version: [ 17, 21 ] + timeout-minutes: 10 steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - - name: Spotless check - run: mvn spotless:check -Dspotless.check.skip=false + - name: Set up Java + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + with: + java-version: '17' + distribution: sapmachine + cache: maven - - name: Build - uses: ./.github/actions/build + - name: Set up Maven + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 with: - java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} - - name: Upload build artifacts - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 - with: - name: build-artifacts-java-${{ matrix.java-version }} - path: | - **/target/*.jar - **/pom.xml - .mvn/ - retention-days: 1 + - name: Spotless Check + run: mvn spotless:check -Dspotless.check.skip=false -B -ntp integration-tests: - name: Integration Tests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }}) + name: ITests (Java ${{ matrix.java-version }}, ${{ matrix.test-type }}, ${{ matrix.auth-method }}) runs-on: ubuntu-latest timeout-minutes: 30 - needs: build + strategy: + fail-fast: false + matrix: + java-version: [ 17, 21 ] + test-type: [ build-version, latest-version, oss ] + auth-method: [ basic, mtls ] env: AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} 
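Review bot: `integration-tests` drops `needs: build` here and, in the `@@ -94,45 +92,53` hunk, its `Download build artifacts` step, while the `build` job itself is replaced by `spotless`; unless the `integration-tests` composite action now builds the module on its own, the `build-version` entry of `test-type` has no freshly built artifact to exercise and would quietly test whatever Maven resolves from a repository. The action's steps are outside this diff, so please confirm; if it does build, the 12-cell matrix now repeats that build per cell, and a one-line comment on the job, `# builds the feature itself; no shared build artifact`, would record the intent for the next reader. The job's `env:` block continues past the end of this hunk.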
@@ -94,45 +92,53 @@ jobs: GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} GS_BUCKET: ${{ secrets.GS_BUCKET }} GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} - MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} - MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} - MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} - MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} - MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} - MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }} - strategy: - fail-fast: false - matrix: - java-version: [ 17, 21 ] - test-type: [ build-version, latest-version, oss ] + MALWARE_SCANNER_URL: ${{ matrix.auth-method == 'basic' && secrets.MALWARE_SCANNER_URL || '' }} + MALWARE_SCANNER_USERNAME: ${{ matrix.auth-method == 'basic' && secrets.MALWARE_SCANNER_USERNAME || '' }} + MALWARE_SCANNER_PASSWORD: ${{ matrix.auth-method == 'basic' && secrets.MALWARE_SCANNER_PASSWORD || '' }} + MALWARE_SCANNER_MTLS_URI: ${{ matrix.auth-method == 'mtls' && secrets.MALWARE_SCANNER_MTLS_URI || '' }} + MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ matrix.auth-method == 'mtls' && secrets.MALWARE_SCANNER_MTLS_CERTIFICATE || '' }} + MALWARE_SCANNER_MTLS_KEY: ${{ matrix.auth-method == 'mtls' && secrets.MALWARE_SCANNER_MTLS_KEY || '' }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - - name: Download build artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 - with: - name: build-artifacts-java-${{ matrix.java-version }} - - name: Integration Tests uses: ./.github/actions/integration-tests with: java-version: ${{ matrix.java-version }} maven-version: ${{ env.MAVEN_VERSION }} test-type: ${{ matrix.test-type }} + auth-method: ${{ 
matrix.auth-method }} sonarqube-scan: name: SonarQube Scan runs-on: ubuntu-latest timeout-minutes: 30 - needs: build + env: + AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} + AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} + AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} + AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} + GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} + GS_BUCKET: ${{ secrets.GS_BUCKET }} + GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} + MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} + MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} + MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} + MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} + MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} + MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} + - name: SonarQube Scan uses: ./.github/actions/scan-with-sonar with: @@ -144,7 +150,6 @@ jobs: codeql: name: CodeQL Analysis runs-on: ubuntu-latest - needs: build timeout-minutes: 30 permissions: security-events: write From cbaa69c991980c8548b0ebd7873bc8d8108ddf51 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Mon, 4 May 2026 15:13:13 +0200 Subject: [PATCH 3/9] add default days --- .github/dependabot.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cb2acf71c..8be0b3dbf 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
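Review bot: The `sonarqube-scan` job now receives every cloud-storage and malware-scanner secret as job-level `env`, including both the basic-auth and the mTLS scanner credentials, while the `integration-tests` job in the same hunk was just narrowed to expose only the pair matching `matrix.auth-method`. Job-level `env` is visible to every step of the job — `actions/checkout`, the setup actions inside `scan-with-sonar`, and any Maven plugin that runs — not only to the tests that need the values, so the scoping done for `integration-tests` is undone here. If the scan needs the credentials because it runs the integration tests for coverage, moving the `env:` block onto the `SonarQube Scan` step (or onto the test step inside the composite action) limits exposure to that step; if it does not, the block can be dropped. The job's `with:` arguments continue outside the hunk.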
@@ -5,10 +5,8 @@ updates: - "/" schedule: interval: weekly - ignore: - - dependency-name: "com.sap.cds:*" - versions: - - ">=4" + cooldown: + default-days: 7 groups: minor-patch: patterns: @@ -21,7 +19,8 @@ updates: directory: "/" schedule: interval: weekly - open-pull-requests-limit: 5 + cooldown: + default-days: 7 groups: minor-patch: patterns: From f01fb4a99bd45d01a97f0ce72353bb8e6a5c1393 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Mon, 4 May 2026 15:28:26 +0200 Subject: [PATCH 4/9] . --- .github/workflows/main.yml | 31 ++++++++----------------------- .github/workflows/pipeline.yml | 6 +++++- .github/workflows/pr.yml | 26 ++++++-------------------- 3 files changed, 19 insertions(+), 44 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c6ba8e5b1..307ffe844 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,9 +1,10 @@ name: CI - MAIN -permissions: read-all - -env: - MAVEN_VERSION: '3.9.12' +permissions: + actions: read + contents: read + packages: read + security-events: write on: workflow_dispatch: @@ -15,6 +16,8 @@ jobs: name: Blackduck Scan runs-on: ubuntu-latest timeout-minutes: 30 + env: + MAVEN_VERSION: '3.9.12' steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 
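Review bot: The 7-day `cooldown` and the dropped `ignore` for `com.sap.cds:* >=4` both change what Dependabot will propose, but neither carries a comment saying why. A one-line comment above `cooldown:` such as `# wait a week before adopting a newly published version so that compromised or quickly-yanked releases are not picked up` records the supply-chain rationale, and the commit message or a comment should confirm that major-version PRs for `com.sap.cds` are now wanted, since the removed `ignore` was presumably holding them back. Removing `open-pull-requests-limit: 5` in the second hunk is a no-op, as 5 is Dependabot's default for that setting.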
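Review bot: `security-events: write` is granted at workflow level, so in `main.yml` the Blackduck job — and in `pr.yml` (the hunk after next) the approval job — run with a token that can write code-scanning results although only the CodeQL upload inside `pipeline.yml` needs it. A caller must grant the permission for the reusable workflow to use it, but the grant can sit on the `build-and-test` job (`jobs.<id>.permissions` is honoured for reusable-workflow calls) rather than on the whole workflow, leaving the other jobs read-only. Inside `pipeline.yml` the same top-level block (next hunk) is redundant with the job-level `permissions: security-events: write` the `codeql` job already declares, so the workflow-level block there can stay at `actions: read`, `contents: read`, `packages: read` with the write grant left on that one job. Replacing `read-all` with explicit scopes, which this hunk already does, is the right direction.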
@@ -29,22 +32,4 @@ jobs: build-and-test: uses: ./.github/workflows/pipeline.yml - secrets: - AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} - AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} - AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} - AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} - AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} - AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} - GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} - GS_BUCKET: ${{ secrets.GS_BUCKET }} - GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} - MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} - MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} - MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} - MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} - MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} - MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }} - SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} + secrets: inherit diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index b532e7ca4..72e01eddc 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -1,6 +1,10 @@ name: Reusable Workflow -permissions: read-all +permissions: + actions: read + contents: read + packages: read + security-events: write env: MAVEN_VERSION: '3.9.12' diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 48962c712..1cb329519 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,6 +1,10 @@ name: CI - PR -permissions: read-all +permissions: + actions: read + contents: read + packages: read + security-events: write on: workflow_dispatch: 
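Review bot: `secrets: inherit` replaces an explicit allowlist with every repository, environment and organization secret the caller can see, so `pipeline.yml` — and through it the composite and third-party actions it runs — can now reach secrets unrelated to the build; the same change is made for `pr.yml` in the next hunk, and PATCH 8/9 removes the `workflow_call.secrets` declarations that documented and validated the expected set. With `pr.yml` running on pull requests that is the widest set of secrets handed to the least trusted trigger, and a missing secret now surfaces as a runtime failure deep in a job instead of a call-time validation error. Keeping the explicit `secrets:` map here, or at least retaining the `required: true` declarations in `pipeline.yml` so the contract stays visible and a new secret has to be added in one documented place, is the safer shape. If `inherit` is kept to reduce duplication, a comment listing the secrets the pipeline actually consumes would at least preserve the documentation value.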
@@ -22,22 +26,4 @@ jobs: needs: requires-approval if: always() && (needs.requires-approval.result == 'success' || needs.requires-approval.result == 'skipped') uses: ./.github/workflows/pipeline.yml - secrets: - AWS_S3_HOST: ${{ secrets.AWS_S3_HOST }} - AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} - AWS_S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }} - AWS_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_SECRET_ACCESS_KEY }} - AZURE_CONTAINER_URI: ${{ secrets.AZURE_CONTAINER_URI }} - AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} - GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: ${{ secrets.GS_BASE_64_ENCODED_PRIVATE_KEY_DATA }} - GS_BUCKET: ${{ secrets.GS_BUCKET }} - GS_PROJECT_ID: ${{ secrets.GS_PROJECT_ID }} - MALWARE_SCANNER_URL: ${{ secrets.MALWARE_SCANNER_URL }} - MALWARE_SCANNER_USERNAME: ${{ secrets.MALWARE_SCANNER_USERNAME }} - MALWARE_SCANNER_PASSWORD: ${{ secrets.MALWARE_SCANNER_PASSWORD }} - MALWARE_SCANNER_MTLS_URI: ${{ secrets.MALWARE_SCANNER_MTLS_URI }} - MALWARE_SCANNER_MTLS_CERTIFICATE: ${{ secrets.MALWARE_SCANNER_MTLS_CERTIFICATE }} - MALWARE_SCANNER_MTLS_KEY: ${{ secrets.MALWARE_SCANNER_MTLS_KEY }} - SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }} - GH_TOKEN: ${{ secrets.GH_TOKEN }} + secrets: inherit From 61435461d65173b1d1ba94c6e0c0cf6d8932dec1 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Mon, 4 May 2026 15:31:09 +0200 Subject: [PATCH 5/9] . --- .github/workflows/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 307ffe844..1e19a3d1d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -6,6 +6,9 @@ permissions: packages: read security-events: write +env: + MAVEN_VERSION: '3.9.12' + on: workflow_dispatch: push: 
@@ -16,8 +19,6 @@ jobs: name: Blackduck Scan runs-on: ubuntu-latest timeout-minutes: 30 - env: - MAVEN_VERSION: '3.9.12' steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 From af2bf407aef0cc3bb476c9f5137b60d77461fb72 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Mon, 4 May 2026 15:33:22 +0200 Subject: [PATCH 6/9] make codeql its own action --- .github/actions/scan-with-codeql/action.yml | 40 +++++++++++++++++++++ .github/workflows/pipeline.yml | 23 +++--------- 2 files changed, 44 insertions(+), 19 deletions(-) create mode 100644 .github/actions/scan-with-codeql/action.yml diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml new file mode 100644 index 000000000..7c22ba7c8 --- /dev/null +++ b/.github/actions/scan-with-codeql/action.yml @@ -0,0 +1,40 @@ +name: CodeQL Analysis +description: Runs CodeQL security analysis on the project. + +inputs: + java-version: + description: The Java version to use for the build. + required: true + maven-version: + description: The Maven version to use for the build. + required: true + +runs: + using: composite + steps: + - name: Set up Java ${{ inputs.java-version }} + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 + with: + java-version: ${{ inputs.java-version }} + distribution: sapmachine + cache: maven + + - name: Set up Maven ${{ inputs.maven-version }} + uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5 + with: + maven-version: ${{ inputs.maven-version }} + + - name: Initialize CodeQL + uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + with: + languages: java-kotlin + build-mode: manual + + - name: Build Java code + run: mvn clean compile -DskipTests -B -ntp + shell: bash + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + with: + category: "/language:java-kotlin" 
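Review bot: The new composite action uploads results via `github/codeql-action/analyze`, which needs the calling job's token to carry `security-events: write`, but a composite action cannot declare permissions and nothing in this file says so. A header comment such as `# Requires the calling job to grant permissions: security-events: write (see the codeql job in .github/workflows/pipeline.yml)` would spare the next caller a failed upload. The `Build Java code` step runs `mvn clean compile`, so test sources are neither compiled nor analyzed; if that is intended, a short comment on the step saying so keeps it from being read as an oversight.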
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 72e01eddc..2fc87919b 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -166,23 +166,8 @@ jobs: with: ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} - - name: Set up Java - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 - with: - java-version: '17' - distribution: 'sapmachine' - cache: 'maven' - - - name: Initialize CodeQL - uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 + - name: CodeQL Analysis + uses: ./.github/actions/scan-with-codeql with: - languages: java-kotlin - build-mode: manual - - - name: Build Java code - run: mvn clean compile -DskipTests -B -ntp - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4 - with: - category: "/language:java-kotlin" + java-version: 17 + maven-version: ${{ env.MAVEN_VERSION }} From ddbc57d4311dc09bcd0719a5d2738457ea642da0 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Mon, 4 May 2026 15:36:00 +0200 Subject: [PATCH 7/9] simplify --- .github/actions/scan-with-codeql/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/scan-with-codeql/action.yml b/.github/actions/scan-with-codeql/action.yml index 7c22ba7c8..4be2598e3 100644 --- a/.github/actions/scan-with-codeql/action.yml +++ b/.github/actions/scan-with-codeql/action.yml @@ -31,7 +31,7 @@ runs: build-mode: manual - name: Build Java code - run: mvn clean compile -DskipTests -B -ntp + run: mvn clean compile -B -ntp shell: bash - name: Perform CodeQL Analysis From b33831ce347fc588f49e541be68dc7b9fcc299f3 Mon Sep 17 00:00:00 2001 
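Review bot: `java-version: 17` is passed as a bare number here while the `spotless` job in the same file (PATCH 2/9) writes `java-version: '17'`; both reach the action as strings, but quoting consistently avoids a reader wondering whether the difference matters. The second hunk on this line drops `-DskipTests` from `mvn clean compile`, which is harmless rather than behaviour-changing because the `compile` phase never reaches test execution, so "simplify" describes it accurately. The `codeql` job's `permissions` and `steps` start outside the hunk.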
From: Marvin Lindner Date: Mon, 4 May 2026 15:37:40 +0200 Subject: [PATCH 8/9] simplify v2 --- .github/workflows/pipeline.yml | 37 ---------------------------------- 1 file changed, 37 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 2fc87919b..e36236383 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -11,43 +11,6 @@ env: on: workflow_call: - secrets: - AWS_S3_HOST: - required: true - AWS_S3_BUCKET: - required: true - AWS_S3_REGION: - required: true - AWS_S3_ACCESS_KEY_ID: - required: true - AWS_S3_SECRET_ACCESS_KEY: - required: true - AZURE_CONTAINER_URI: - required: true - AZURE_SAS_TOKEN: - required: true - GS_BASE_64_ENCODED_PRIVATE_KEY_DATA: - required: true - GS_BUCKET: - required: true - GS_PROJECT_ID: - required: true - MALWARE_SCANNER_URL: - required: true - MALWARE_SCANNER_USERNAME: - required: true - MALWARE_SCANNER_PASSWORD: - required: true - MALWARE_SCANNER_MTLS_URI: - required: true - MALWARE_SCANNER_MTLS_CERTIFICATE: - required: true - MALWARE_SCANNER_MTLS_KEY: - required: true - SONARQ_TOKEN: - required: true - GH_TOKEN: - required: true jobs: spotless: From 487b4a064e8361eda4cfaf343810d9924546c105 Mon Sep 17 00:00:00 2001 From: Marvin Lindner Date: Mon, 4 May 2026 15:50:05 +0200 Subject: [PATCH 9/9] remove pitest --- CLAUDE.md | 1 - cds-feature-attachments/pom.xml | 34 --------------------------------- doc/Design.md | 22 +++------------------ pom.xml | 5 ----- 4 files changed, 3 insertions(+), 59 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 49cf9e133..22734dc62 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -122,7 +122,6 @@ Defined in `cds-feature-attachments/src/main/resources/cds/com.sap.cds/cds-featu All enforced in CI: - **JaCoCo:** 95% minimum (instruction, branch, complexity), 0 missed classes -- **Mutation testing (Pitest):** 90% aggregated threshold on `handler.*` and `service.*` - **SpotBugs:** max effort, includes tests - **PMD:** SAP Cloud SDK rules, excludes generated code and tests - **Spotless:** Google Java Format check diff --git a/cds-feature-attachments/pom.xml b/cds-feature-attachments/pom.xml index 44bec84e4..dda78a2d7 100644 --- a/cds-feature-attachments/pom.xml +++ b/cds-feature-attachments/pom.xml @@ -92,40 +92,6 @@ ${project.artifactId} - - org.pitest - pitest-maven - - - com.sap.cds.feature.attachments.handler.* - com.sap.cds.feature.attachments.service.* - - - CONSTRUCTOR_CALLS - VOID_METHOD_CALLS - NON_VOID_METHOD_CALLS - REMOVE_CONDITIONALS_ORDER_ELSE - CONDITIONALS_BOUNDARY - EMPTY_RETURNS - NEGATE_CONDITIONALS - REMOVE_CONDITIONALS_EQUAL_IF - REMOVE_CONDITIONALS_EQUAL_ELSE - REMOVE_CONDITIONALS_ORDER_IF - REMOVE_CONDITIONALS_ORDER_ELSE - - 95 - 90 - - - - - org.pitest - pitest-junit5-plugin - 1.2.3 - - - - maven-clean-plugin diff --git a/doc/Design.md b/doc/Design.md index 1945024c5..6777dde22 100644 --- a/doc/Design.md +++ b/doc/Design.md @@ -51,7 +51,6 @@ - [Texts](#texts) - [Tests](#tests) - [Unit Tests](#unit-tests) - - [Mutation Tests](#mutation-tests) - [Integration Tests](#integration-tests) - [Quality Tools](#quality-tools) 
@@ -93,21 +92,19 @@ In folder `.github/workflows` are the GitHub Actions defined. The following tabl | File Name | Description | | -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `pr.yml` | Builds and tests pull requests for Java 17 and 21. Requires approval for external forks. Each pull request needs green runs from this workflow to be merged. | -| `main.yml` | Builds, tests, and deploys snapshots when commits are merged to main. Runs unit tests, integration tests, and mutation tests for Java 17 and 21. | +| `main.yml` | Builds and tests when commits are merged to main. Runs unit tests and integration tests for Java 17 and 21. | | `release.yml` | Triggered on GitHub releases. Updates version, runs BlackDuck scan, builds, tests, and deploys to Maven Central. See also [Build and Deploy](#build-and-deploy). | | `pipeline.yml` | Reusable workflow containing shared build, test, integration test, SonarQube scan, CodeQL analysis, and snapshot deployment logic. Called by `pr.yml` and `main.yml`. | ### Build Action The build step is implemented in action `.github/actions/build/action.yml` which is used in the workflows via `pipeline.yml`. -As the build action does not only run a build of the project, but also the mutation tests, this action is used in all -the mentioned workflows. Additional reusable actions are defined in `.github/actions/`: | Action | Description | | --------------------- | ----------------------------------------------------------- | -| `build` | Builds the project and runs unit/mutation tests | +| `build` | Builds the project and runs unit tests | | `integration-tests` | Runs integration tests (build-version, latest-version, oss) | | `deploy-release` | Deploys release artifacts to Maven Central | | `newrelease` | Updates version in pom.xml for new releases | 
@@ -142,7 +139,7 @@ The following steps are executed in the workflow: 1. Update the version in the `pom.xml` files. The tag used in the release is read and git commands are used to update the property `revision` in the parent `pom.xml` file. -2. Build the project and run all unit, integration and mutation tests. Here a reuse action is used which is also +2. Build the project and run all unit and integration tests. Here a reuse action is used which is also executed in the main and pull request build. 3. Deploy the project to maven or artifactory. The deployment is done with the maven command `mvn deploy`. The deployment is done to the repository defined in the `pom.xml` file. So only project parts which have defined the @@ -660,18 +657,6 @@ The following settings are used for this plugin: | Complexity Coverage | 95% | | Class Missed Count | 0 | -#### Mutation Tests - -In addition to this plugin, also mutation tests are executed during the build of the project in the GitHub Actions. -To run the mutation tests the plugin `pitest-maven` is included in the same pom. - -Several mutators are maintained in the plugin and the following settings are used: - -| Setting | Value | -| ----------------------------- | ----- | -| Coverage Threshold | 95% | -| Aggregated Mutation Threshold | 90% | - ### Integration Tests Spring Boot tests are implemented in the `integration-tests` folder. 
@@ -746,7 +731,6 @@ The following quality tools are used in the project to ensure the quality of the | Spotbugs | Defined in the root `pom.xml` | Static Code check for Java code working in the bytecode. | | PMD/CPD | Defined in the root `pom.xml` | Static Code check for Java code working on the source code. CPD checks the coding for duplications. | | Maven Enforcer Plugin | Defined in the root `pom.xml` | Checks if there are dependencies declared twice. | -| Mutation Tests | Defined in `cds-feature-attachments/pom.xml` | See section [mutation tests](#mutation-tests). | | Jacoco | Defined in `cds-feature-attachments/pom.xml` | See section [unit tests](#unit-tests). | | Dependabot | Config is defined in the `.github/dependabot.yml` | Checks for new versions of dependencies. | | CodeQL | Defined in `pipeline.yml` | Checks for vulnerabilities in the coding. Executed as part of the CI pipeline. | diff --git a/pom.xml b/pom.xml index 2e775ac3b..024fe7d44 100644 --- a/pom.xml +++ b/pom.xml @@ -238,11 +238,6 @@ jacoco-maven-plugin 0.8.14 - - org.pitest - pitest-maven - 1.23.0 - com.github.spotbugs spotbugs-maven-plugin