Netcentric · kwin · Dec 10, 2025 · Dec 10, 2025
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -1,6 +1,9 @@
 name: Java CI/CD
 
 on:
+  # run every month on default branch to prevent inactive token removal: https://community.sonarsource.com/t/removing-inactive-tokens-after-60-days/142451
+  schedule:
+    - cron: '0 0 1 * *'
   push:
     branches:
       - master
@@ -9,54 +12,94 @@ on:
 
 jobs:
   build:
-
+    name: Maven Build
     runs-on: ubuntu-latest
     steps:
     - name: Git Clone
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
     - name: Set up JDK 21
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         distribution: 'temurin'
         java-version: 21
          # generate settings.xml with the correct values
         server-id: sonatype-central-portal # Value of the distributionManagement/repository/id field of the pom.xml
-        server-username: MAVEN_USERNAME # env variable for username in deploy
-        server-password: MAVEN_PASSWORD # env variable for token in deploy
+        server-username: MAVEN_CENTRAL_PORTAL_USERNAME # env variable for username in deploy
+        server-password: MAVEN_CENTRAL_PORTAL_PASSWORD # env variable for token in deploy
     - name: Adjust Git Config
       run: |
         git config --global user.email "action@github.com"
         git config --global user.name "GitHub Action"
-    - name: Build and Analyse Reactor with Maven
-      if: github.ref != 'refs/heads/master'
-      run: ./mvnw -B clean install org.sonarsource.scanner.maven:sonar-maven-plugin:5.2.0.4988:sonar -Dsonar.projectKey=Netcentric_aem-classification -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -Dsonar.scanner.skipJreProvisioning=true -Pcoverage-report
-      env:
-        # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        # Needed to get some information about the pull request, if any
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Build Site for Maven Plugin
-      if: github.ref != 'refs/heads/master'
-      run: ./mvnw -B clean site --file aem-classification-maven-plugin/pom.xml
-    - name:  Build, Analyse and Deploy Reactor with Maven
-      if: github.ref == 'refs/heads/master'
-      run: ./mvnw -B clean deploy org.sonarsource.scanner.maven:sonar-maven-plugin:5.2.0.4988:sonar -Dsonar.projectKey=Netcentric_aem-classification -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -Dsonar.scanner.skipJreProvisioning=true -Pcoverage-report
-      env: 
-        MAVEN_USERNAME: ${{ secrets.SONATYPE_CENTRAL_TOKEN_USER }}
-        MAVEN_PASSWORD: ${{ secrets.SONATYPE_CENTRAL_TOKEN_PASSWORD }}
-        # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        # Needed to get some information about the pull request, if any
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    # sets environment variables to be used in subsequent steps: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
+    - name: Set environment variables
+      shell: bash
+      run: |
+          if [ "${{github.ref}}" = "refs/heads/master" ] && [ "${{github.event_name}}" = "push" ] && [ "${{github.repository_owner}}" = "Netcentric" ]; then
+            echo 'Running on main branch of the canonical repo'
+            echo "MVN_ADDITIONAL_OPTS=-DdeployAtEnd=true" >> $GITHUB_ENV
+            echo "MVN_GOAL=deploy" >> $GITHUB_ENV
+            echo "MAVEN_CENTRAL_PORTAL_USERNAME=${{ secrets.SONATYPE_CENTRAL_TOKEN_USER }}" >> $GITHUB_ENV
+            echo "MAVEN_CENTRAL_PORTAL_PASSWORD=${{ secrets.SONATYPE_CENTRAL_TOKEN_PASSWORD }}" >> $GITHUB_ENV
+          else
+            echo 'Running outside main branch/canonical repo'
+            echo "MVN_ADDITIONAL_OPTS=" >> $GITHUB_ENV
+            echo "MVN_GOAL=verify" >> $GITHUB_ENV
+          fi
+    - name:  Build
+      run: ./mvnw -B ${{ env.MVN_GOAL }} ${{ env.MVN_ADDITIONAL_OPTS }} -Pcoverage-report
+    - name: Upload build result for subsequent SonarQube job
+      # not supported on forks, https://portal.productboard.com/sonarsource/1-sonarqube-cloud/c/50-sonarcloud-analyzes-external-pull-request
+      if: github.repository == 'Netcentric/aem-classification'
+      uses: actions/upload-artifact@v4
+      with:
+        name: compiled-classes-and-coverage
+        # compare with https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/java/#java-analysis-and-bytecode
+        path: |
+             **/target/**/*.class
+             **/target/site/jacoco*/*.xml
     - name: Build Site for Maven Plugin
       if: github.ref == 'refs/heads/master'
-      run: ./mvnw -B clean site --file aem-classification-maven-plugin/pom.xml
+      run: ./mvnw -B site --file aem-classification-maven-plugin/pom.xml
     - name: Upload Site for Maven Plugin
       if: github.ref == 'refs/heads/master'
-      uses: actions/upload-pages-artifact@v3
+      uses: actions/upload-pages-artifact@v4
       with:
         path: aem-classification-maven-plugin/target/site/
+  # execute analysis in a separate job for better visualization and usage of matrix builds
+  # https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/#invoking-the-goal
+  sonarqube:
+    name: SonarQube Analysis
+    runs-on: ubuntu-latest
+    needs: build
+    # not supported on forks, https://portal.productboard.com/sonarsource/1-sonarqube-cloud/c/50-sonarcloud-analyzes-external-pull-request
+    if: github.repository == 'Netcentric/aem-classification'
+    steps: 
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 21
+        uses: actions/setup-java@v5
+        with:
+          java-version: 21
+          distribution: temurin
+          cache: maven
+      - name: Download compiled classes
+        uses: actions/download-artifact@v6
+        with:
+          name: compiled-classes-and-coverage
+      - name: Cache SonarQube packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Analyze with SonarQube
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: ./mvnw -B org.sonarsource.scanner.maven:sonar-maven-plugin:5.5.0.6356:sonar -Dsonar.projectKey=Netcentric_aem-classification -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -Dsonar.scanner.skipJreProvisioning=true
   deploy:
+    name: Deploy to GH Pages
     if: github.ref == 'refs/heads/master'
      # Add a dependency to the build job
     needs: build