refactor: migrate to centralized actions from cap-java/.github#842

Closed
Schmarvinius wants to merge 1 commit into
cap-java:mainfrom
Schmarvinius:feat/use-centralized-actions
Closed

Conversation

@Schmarvinius
Contributor

Summary

Migrates this repository to use the shared actions and workflows from cap-java/.github (branch feat/centralized-actions-workflows).

Net result: -399 lines of duplicated YAML deleted, replaced by 34 lines of thin references.

Changes

Removed local actions (replaced by central):

  • actions/build → cap-java/.github/actions/build
  • actions/deploy-release → cap-java/.github/actions/deploy-release
  • actions/scan-with-blackduck → cap-java/.github/actions/scan-with-blackduck
  • actions/scan-with-codeql → cap-java/.github/actions/scan-with-codeql
  • actions/scan-with-sonar → cap-java/.github/actions/scan-with-sonar

Utility workflows now call central reusable workflows:

  • issue.yml → thin caller
  • stale.yml → thin caller
  • prevent-issue-labeling.yml → thin caller

Updated:

  • cf-bind action uses cap-java/.github/actions/cf-login for CF CLI install + auth (keeps project-specific service bindings local)
  • pipeline.yml references central scan-with-sonar and scan-with-codeql
  • main.yml references central scan-with-blackduck with project-specific inputs
  • release.yml references central build, deploy-release, and scan-with-blackduck
  • pr.yml and main.yml use local pipeline workflow (./.github/workflows/pipeline.yml)

Kept local (project-specific):

  • actions/cf-bind (service-specific bindings)
  • actions/integration-tests (project-specific test commands)
  • actions/test-sample (bookshop sample tests)

Testing

All action references point to @feat/centralized-actions-workflows for testing. Once verified, they should be updated to @main after the central repo PR is merged.

Replace local composite actions with references to cap-java/.github:
- build → cap-java/.github/actions/build
- deploy-release → cap-java/.github/actions/deploy-release
- scan-with-blackduck → cap-java/.github/actions/scan-with-blackduck
- scan-with-codeql → cap-java/.github/actions/scan-with-codeql
- scan-with-sonar → cap-java/.github/actions/scan-with-sonar

Replace utility workflows with thin callers to central reusable workflows:
- issue.yml → cap-java/.github/.github/workflows/issue.yml
- stale.yml → cap-java/.github/.github/workflows/stale.yml
- prevent-issue-labeling.yml → cap-java/.github/.github/workflows/prevent-issue-labeling.yml

Update cf-bind to use cap-java/.github/actions/cf-login for CF CLI
install and authentication (keeps project-specific service bindings local).

Update pr.yml and main.yml to reference local pipeline workflow.

All references point to @feat/centralized-actions-workflows for testing.
@hyperspace-insights
Contributor

Summary

The following content is AI-generated and provides a summary of the pull request:


Refactor: Migrate to Centralized Actions from cap-java/.github

Refactor

♻️ Migrates this repository to use shared, centralized actions and reusable workflows from cap-java/.github, eliminating ~399 lines of duplicated YAML replaced by ~34 lines of thin references.

Changes

Removed local actions (replaced by central equivalents):

  • .github/actions/build/action.yml: Deleted — now references cap-java/.github/actions/build@feat/centralized-actions-workflows
  • .github/actions/deploy-release/action.yml: Deleted — now references cap-java/.github/actions/deploy-release@feat/centralized-actions-workflows
  • .github/actions/scan-with-blackduck/action.yml: Deleted — now references cap-java/.github/actions/scan-with-blackduck@feat/centralized-actions-workflows
  • .github/actions/scan-with-codeql/action.yml: Deleted — now references cap-java/.github/actions/scan-with-codeql@feat/centralized-actions-workflows
  • .github/actions/scan-with-sonar/action.yml: Deleted — now references cap-java/.github/actions/scan-with-sonar@feat/centralized-actions-workflows

Updated local actions and workflows:

  • .github/actions/cf-bind/action.yml: Replaced inline CF CLI install and login steps with a call to cap-java/.github/actions/cf-login; project-specific service bindings remain local.
  • .github/workflows/issue.yml: Converted to a thin caller of the central issue.yml reusable workflow; removed inline labeling and comment logic.
  • .github/workflows/stale.yml: Converted to a thin caller of the central stale.yml; removed inline stale action configuration.
  • .github/workflows/prevent-issue-labeling.yml: Converted to a thin caller of the central prevent-issue-labeling.yml; removed inline label-removal logic.
  • .github/workflows/pipeline.yml: Updated cf-bind, integration-tests, scan-with-sonar, and scan-with-codeql references to use local (./.github) or central (cap-java/.github) actions; added explicit Sonar project configuration inputs.
  • .github/workflows/main.yml: Updated scan-with-blackduck to use central action; build-and-test now calls local pipeline.yml instead of the remote one.
  • .github/workflows/pr.yml: Updated build-and-test job to call local pipeline.yml.
  • .github/workflows/release.yml: Updated build, deploy, and blackduck jobs to reference central actions with project-specific inputs.

PR Bot Information

Version: 1.21.0

  • File Content Strategy: Full file content
  • Output Template: Default Template
  • LLM: anthropic--claude-4.6-sonnet
  • Event Trigger: pull_request.opened
  • Correlation ID: 401fb8c6-fa69-4fa6-9176-26d03aa75ebd
  • Summary Prompt: Default Prompt

Contributor

@hyperspace-insights hyperspace-insights Bot left a comment


The PR is a clean consolidation that reduces ~400 lines of duplicated YAML, but there are two categories of issues to address before merging: (1) all three thin caller workflows (issue.yml, prevent-issue-labeling.yml, stale.yml) are missing secrets: inherit, which will cause their delegated central workflows to fail when they try to use GITHUB_TOKEN; and (2) every central action/workflow reference is pinned to the mutable feat/centralized-actions-workflows branch — this must be updated to @main (and ideally a commit SHA for supply-chain integrity) once the upstream PR is merged, before this is relied upon in production CI.

PR Bot Information

Version: 1.21.0

  • File Content Strategy: Full file content
  • LLM: anthropic--claude-4.6-sonnet
  • Event Trigger: pull_request.opened
  • Correlation ID: 401fb8c6-fa69-4fa6-9176-26d03aa75ebd
  • Agent Instructions:
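A check a maintainer can run locally or in CI to catch the branch-pinned references this review raises. It is an added example, not code from this PR or from cap-java/.github: it scans workflow text for `uses:` references, classifies each by the ref after `@` (commit SHA, tag, branch, local path, docker image, or no ref at all) and reports the ones that can change underneath the workflow. The sample workflow embedded below is constructed for illustration, the 40-hex SHA in it is a made-up placeholder, and the file name `workflow.yml` is assumed.

```python
"""
Lint GitHub Actions YAML for `uses:` references that are not pinned to an
immutable commit SHA. Added example; not part of this PR or of cap-java/.github.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches `uses:` at job level or as a step (`- uses:`), with optional quotes;
# the capture stops at whitespace or a trailing YAML comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
TAG_RE = re.compile(r'^v?\d+(\.\d+)*$')   # v4, v9.0.0, 1.2


@dataclass(frozen=True)
class UsesRef:
    line_no: int
    target: str            # e.g. cap-java/.github/actions/cf-login
    ref: Optional[str]     # text after '@'; None for local and docker refs
    kind: str              # 'sha' | 'tag' | 'branch' | 'local' | 'docker' | 'unpinned'


def classify(uses: str) -> Tuple[str, Optional[str], str]:
    """Split a `uses:` value into (target, ref, kind)."""
    if uses.startswith('./'):            # same-repository action or workflow
        return uses, None, 'local'
    if uses.startswith('docker://'):     # container image reference
        return uses, None, 'docker'
    if '@' not in uses:
        return uses, None, 'unpinned'
    target, ref = uses.rsplit('@', 1)
    if SHA_RE.match(ref):
        return target, ref, 'sha'
    if TAG_RE.match(ref):
        return target, ref, 'tag'
    return target, ref, 'branch'         # anything else is a movable branch head


def scan(text: str) -> List[UsesRef]:
    """Collect every `uses:` reference in a workflow or action file."""
    refs = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            target, ref, kind = classify(m.group(1))
            refs.append(UsesRef(n, target, ref, kind))
    return refs


def violations(text: str, allow_tags: bool = False) -> List[UsesRef]:
    """Refs that can change without a change in this repository. Tags can be
    moved or deleted too, so they count unless the caller opts to allow them."""
    movable = {'branch', 'unpinned'} | (set() if allow_tags else {'tag'})
    return [r for r in scan(text) if r.kind in movable]


def report(text: str, name: str = 'workflow.yml', allow_tags: bool = False) -> List[str]:
    """Human-readable findings, one per movable reference."""
    return [
        f"{name}:{v.line_no}: {v.kind} ref '{v.ref or '(none)'}' for {v.target}; pin to a commit SHA"
        for v in violations(text, allow_tags)
    ]


# Constructed sample: a thin caller like the ones in this PR plus a pinned step.
# The SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: issue
on:
  issues:
    types: [opened]
jobs:
  label:
    uses: cap-java/.github/.github/workflows/issue.yml@feat/centralized-actions-workflows
    permissions:
      issues: write
  build-and-test:
    uses: ./.github/workflows/pipeline.yml
  pinned:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/stale@v9
"""

if __name__ == '__main__':
    for finding in report(SAMPLE_WORKFLOW):
        print(finding)
```

Run against a real checkout by reading each file under `.github/workflows` and `.github/actions` into `report()`; a non-empty result is the signal to fail the job. Local `./` references are deliberately not flagged, since they move with the repository's own commit.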

Comment on lines +11 to 14
label:
uses: cap-java/.github/.github/workflows/issue.yml@feat/centralized-actions-workflows
permissions:
issues: write
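Review bot: `uses: cap-java/.github/.github/workflows/issue.yml@feat/centralized-actions-workflows` pins the reusable workflow to a branch name, so whatever sits at that branch tip at run time is what executes; once the central PR lands, pin to a full commit SHA and keep the tag or branch in a trailing comment for readability. The `permissions:` / `issues: write` block stays as it is either way: it is the ceiling for the GITHUB_TOKEN the called workflow receives, which the callee can lower but not raise.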
Contributor


Bug: Reusable workflow called without passing secrets: inherit

When a caller workflow uses uses: (reusable workflow call), secrets are not automatically passed through. The called workflow in cap-java/.github likely needs secrets.GITHUB_TOKEN (or similar) to label issues. Without secrets: inherit, the called workflow receives no secrets and will fail on any step that requires authentication.

Should add secrets: inherit to the job definition.

Suggested change
label:
uses: cap-java/.github/.github/workflows/issue.yml@feat/centralized-actions-workflows
permissions:
issues: write
label:
uses: cap-java/.github/.github/workflows/issue.yml@feat/centralized-actions-workflows
permissions:
issues: write
secrets: inherit




Comment on lines +10 to 12
guard:
uses: cap-java/.github/.github/workflows/prevent-issue-labeling.yml@feat/centralized-actions-workflows
permissions:
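Review bot: the shown range ends at a bare `permissions:` line; if no scopes follow it, the job's token falls back to the repository default instead of the `issues: write` a label-removal workflow needs, so confirm `issues: write` is present beneath it. The `@feat/centralized-actions-workflows` ref on the `uses:` line is a branch head and should become a commit SHA before this is relied on, as for issue.yml.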
Contributor


Bug: Reusable workflow called without passing secrets: inherit

The called workflow in cap-java/.github will likely need secrets.GITHUB_TOKEN to remove labels via the GitHub CLI or API. Without secrets: inherit, no secrets flow into the reusable workflow and the step will fail.

Should add secrets: inherit.

Suggested change
guard:
uses: cap-java/.github/.github/workflows/prevent-issue-labeling.yml@feat/centralized-actions-workflows
permissions:
guard:
uses: cap-java/.github/.github/workflows/prevent-issue-labeling.yml@feat/centralized-actions-workflows
permissions:
issues: write
secrets: inherit




Comment on lines 10 to 15
stale:
runs-on: ubuntu-latest
uses: cap-java/.github/.github/workflows/stale.yml@feat/centralized-actions-workflows
permissions:
actions: write
issues: write
pull-requests: write
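Review bot: `runs-on: ubuntu-latest` on a job that calls a reusable workflow through `uses:` is not valid; a caller job may carry `uses`, `with`, `secrets`, `permissions`, `needs`, `if`, `strategy` and `concurrency`, and the runner is chosen by the called workflow's own jobs, so drop the `runs-on` line. The `@feat/centralized-actions-workflows` ref on the `uses:` line is a movable branch head and should become a commit SHA before merging, as noted for the other thin callers.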
Contributor


Bug: Reusable workflow called without passing secrets: inherit

The actions/stale action used inside the central workflow needs GITHUB_TOKEN to close/label issues and PRs. Without secrets: inherit, the token is unavailable and the workflow will fail with a permissions/authentication error.

Should add secrets: inherit.

Suggested change
stale:
runs-on: ubuntu-latest
uses: cap-java/.github/.github/workflows/stale.yml@feat/centralized-actions-workflows
permissions:
actions: write
issues: write
pull-requests: write
stale:
uses: cap-java/.github/.github/workflows/stale.yml@feat/centralized-actions-workflows
permissions:
actions: write
issues: write
pull-requests: write
secrets: inherit




echo "cf login failed, retrying ($i/5)..."
sleep 10
done
uses: cap-java/.github/actions/cf-login@feat/centralized-actions-workflows
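Review bot: the removed lines (`echo "cf login failed, retrying ($i/5)..."`, `sleep 10`, `done`) show this step had its own retry loop around `cf login`; after delegating to `cap-java/.github/actions/cf-login@feat/centralized-actions-workflows` that behaviour exists only if the central action reimplements it, so confirm it does before merging, otherwise a transient login failure now fails the job outright. Pin the ref to a commit SHA rather than the feature branch, for the reason given elsewhere in this review.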
Contributor


Bug: The CF Login step delegates to a cross-repository action pinned to a feature branch, not a stable ref

The reference cap-java/.github/actions/cf-login@feat/centralized-actions-workflows is a mutable branch tip. If that branch is force-pushed or rebased, the action will run a different (possibly broken) version without any notice. Additionally, cross-repository composite action uses: references are only supported when the referenced repository is in the same GitHub organization, and branch refs have no integrity guarantee.

Per the PR description, this should eventually be updated to @main once the central repo PR is merged. Make sure this is done before production use, or pin to a specific commit SHA.




- name: SonarQube Scan
uses: cap-java/cds-feature-attachments/.github/actions/scan-with-sonar@main
uses: cap-java/.github/actions/scan-with-sonar@feat/centralized-actions-workflows
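Review bot: the replaced line `uses: cap-java/cds-feature-attachments/.github/actions/scan-with-sonar@main` was already a branch ref, so this change swaps one movable pointer for another; since the PR description already plans a second pass from `@feat/centralized-actions-workflows` to `@main`, make that pass pin `cap-java/.github/actions/scan-with-sonar` to a commit SHA instead, and note in the workflow how the pin is meant to be bumped.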
Contributor


Bug: Central actions referenced at a mutable feature branch

All four central action/workflow references (scan-with-sonar, scan-with-codeql, and the two cf-bind delegations) target @feat/centralized-actions-workflows, a mutable branch. If that branch is force-pushed or deleted, these jobs silently pick up different code or break entirely.

The PR description acknowledges this and says they must be updated to @main after the central repo PR is merged. Leaving mutable branch refs in a pipeline.yml that runs on every PR is risky — ensure this is updated before merging.


