From c4dc81fd8feb5a5e01f78781b8f503ea99e287c0 Mon Sep 17 00:00:00 2001
From: Oliver Wolff <23139298+cuioss@users.noreply.github.com>
Date: Mon, 2 Feb 2026 22:30:16 +0100
Subject: [PATCH 1/3] chore: update GitHub Actions to use reusable workflows

- Update project.yml to new structured schema format
- Replace inline maven.yml with reusable workflow caller
- Replace inline maven-release.yml with reusable release.yml caller
- Add scorecards.yml for OpenSSF Scorecard security analysis
- Add dependency-review.yml for PR dependency scanning

All workflows now call cuioss-organization reusable workflows pinned to v0.2.0 (SHA: 288f393bf5407c87ffd95c128cdf694761941308)

Co-Authored-By: Claude Opus 4.5
---
 .github/project.yml | 23 ++++-
 .github/workflows/dependency-review.yml | 9 ++
 .github/workflows/maven-release.yml | 86 ------------------
 .github/workflows/maven.yml | 113 +++--------------------
 .github/workflows/release.yml | 19 ++++
 .github/workflows/scorecards.yml | 14 +++
 6 files changed, 74 insertions(+), 190 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml
 delete mode 100644 .github/workflows/maven-release.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/scorecards.yml

diff --git a/.github/project.yml b/.github/project.yml
index 5ed9f2c..6479a67 100644
--- a/.github/project.yml
+++ b/.github/project.yml
@@ -1,6 +1,25 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/cuioss/cuioss-organization/main/.github/actions/read-project-config/schema.json name: cui-java-module-template -pages-reference: cui-java-module-template -sonar-project-key: cuioss_cui-java-module-template +description: Template for cuioss Java modules + release: current-version: 1.0.0 next-version: 1.1.0-SNAPSHOT + create-github-release: true + +maven-build: + java-versions: '["21","25"]' + java-version: '21' + enable-snapshot-deploy: true + maven-profiles-snapshot: 'release-snapshot,javadoc' + maven-profiles-release: 'release,javadoc' + npm-cache: false + +sonar: + project-key: cuioss_cui-java-module-template + enabled: true + skip-on-dependabot: true + +pages: + reference: cui-java-module-template + deploy-at-release: true diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..ac1779e --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,9 @@ +# Example: Copy this to your repo as .github/workflows/dependency-review.yml +name: Dependency Review + +on: [pull_request] + +jobs: + dependency-review: + uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + secrets: inherit diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml deleted file mode 100644 index c412ea8..0000000 --- a/.github/workflows/maven-release.yml +++ /dev/null 
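Review bot: The `$schema` comment added on the first line of project.yml points at `main` of cuioss-organization, while every workflow in this commit that consumes the file is pinned to a v0.2.0 SHA, so editor validation can drift from what the pinned reusable workflows actually read. Pin the schema to the same ref, e.g. `# yaml-language-server: $schema=https://raw.githubusercontent.com/cuioss/cuioss-organization/<v0.2.0 sha>/.github/actions/read-project-config/schema.json`, and bump both together. `java-versions: '["21","25"]'` is deliberately a JSON string rather than a YAML sequence (presumably for a `fromJSON` matrix in the callee); a one-line comment such as `# JSON string, parsed by the reusable workflow's matrix - do not convert to a YAML list` would stop a well-meaning cleanup from breaking the build.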
@@ -1,86 +0,0 @@ -name: Maven Release - -on: - pull_request: - types: [ closed ] - paths: - - '.github/project.yml' - workflow_dispatch: - -jobs: - release: - runs-on: ubuntu-latest - name: release - - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false # otherwise, the validation used is the PA_TOKEN, instead of your personal access token. - fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository. - - - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1 - name: Retrieve project metadata from '.github/project.yml' - id: metadata - with: - github-token: ${{secrets.GITHUB_TOKEN}} - metadata-file-path: '.github/project.yml' - local-file: true - - - name: Set up JDK 21 - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 - with: - java-version: '21' - distribution: 'temurin' - server-id: central - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} - gpg-passphrase: MAVEN_GPG_PASSPHRASE - cache: maven - - - name: Configure Git author - run: | - git config --local user.email "action@github.com" - git config --local user.name "Cuioss Robot Action" - - - name: Maven release ${{steps.metadata.outputs.current-version}} - run: | - git checkout -b release - ./mvnw -B --no-transfer-progress -Prelease release:clean release:prepare -DreleaseVersion=${{steps.metadata.outputs.current-version}} -DdevelopmentVersion=${{steps.metadata.outputs.next-version}} - ./mvnw -B --no-transfer-progress -Prelease,javadoc site:site site:stage - git checkout ${{vars.GITHUB_BASE_REF}} - git rebase release - ./mvnw -B --no-transfer-progress -Prelease release:perform -DskipTests - env: - MAVEN_USERNAME: 
${{ secrets.OSS_SONATYPE_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - - - name: Deploy Maven Site to cuioss.github.io -> ${{steps.metadata.outputs.pages-reference}}🚀 - uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3 - with: - folder: target/site - repository-name: cuioss/cuioss.github.io - target-folder: ${{steps.metadata.outputs.pages-reference}} - branch: main - token: ${{ secrets.PAGES_DEPLOY_TOKEN }} - - - name: Push changes to ${{github.ref_name}} - uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - branch: ${{github.ref_name}} - force: true - - - name: Push tag ${{steps.metadata.outputs.current-version}} - uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0 - with: - branch: ${{github.ref_name}} - github_token: ${{ secrets.GITHUB_TOKEN }} - tags: true - force: true \ No newline at end of file diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 48bfb51..5329189 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml 
@@ -1,109 +1,18 @@ -name: Master Build +# Example: Copy this to your repo as .github/workflows/maven.yml +# Configuration is read from .github/project.yml - no inputs needed! +name: Maven Build on: push: - branches: [ "main", "feature/*" ] + branches: [main, "feature/*", "fix/*", "dependabot/**"] pull_request: - branches: [ "main" ] + branches: [main] + workflow_dispatch: jobs: build: - - runs-on: ubuntu-latest - strategy: - matrix: - version: [ 21,24 ] - - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up JDK ${{ matrix.version }} - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 - with: - java-version: ${{ matrix.version }} - distribution: 'temurin' - cache: maven - - name: Build with Maven, Java ${{ matrix.version }} - run: ./mvnw --no-transfer-progress verify -Dmaven.compiler.release=${{ matrix.version }} - - sonar-build: - needs: build - runs-on: ubuntu-latest - - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - - - name: Set up JDK 21 for Sonar-build - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 - with: - java-version: '21' - distribution: 'temurin' - cache: maven - - - name: Cache SonarCloud packages - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - path: ~/.sonar/cache - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1 - name: Retrieve project metadata from '.github/project.yml' - id: metadata - with: - 
github-token: ${{secrets.GITHUB_TOKEN}} - metadata-file-path: '.github/project.yml' - local-file: true - - - name: Build and analyze - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: ./mvnw -B --no-transfer-progress verify -Psonar -Dsonar.projectKey=${{steps.metadata.outputs.sonar-project-key}} sonar:sonar - - deploy-snapshot: - needs: sonar-build - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up JDK 17 for snapshot release - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 - with: - java-version: '21' - distribution: 'temurin' - server-id: central - server-username: MAVEN_USERNAME - server-password: MAVEN_PASSWORD - gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} - gpg-passphrase: MAVEN_GPG_PASSPHRASE - cache: maven - - - name: Extract project version - id: project - run: echo ::set-output name=version::$(./mvnw --no-transfer-progress help:evaluate -Dexpression=project.version -q -DforceStdout) - - - name: Deploy Snapshot with Maven, version ${{ steps.project.outputs.version }} - if: ${{endsWith(steps.project.outputs.version, '-SNAPSHOT')}} - run: | - ./mvnw -B --no-transfer-progress -Prelease-snapshot,javadoc deploy -Dmaven.test.skip=true - env: - MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }} - MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} \ No newline at end of file + # Run on push events, OR on pull_request only if from a fork + # This prevents duplicate runs: push handles internal branches, PR handles forks + if: github.event_name != 'pull_request' || 
github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name + uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..db224de --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,19 @@ +# Example: Copy this to your repo as .github/workflows/release.yml +# Configuration is read from .github/project.yml - no inputs needed! +name: Release + +on: + pull_request: + types: [closed] + paths: + - '.github/project.yml' + workflow_dispatch: + +permissions: + contents: read + +jobs: + release: + if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' + uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + secrets: inherit diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000..df47b88 --- /dev/null +++ b/.github/workflows/scorecards.yml @@ -0,0 +1,14 @@ +# Example: Copy this to your repo as .github/workflows/scorecards.yml +name: Scorecard supply-chain security + +on: + branch_protection_rule: + schedule: + - cron: '20 7 * * 2' + push: + branches: [main] + +jobs: + analysis: + uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + secrets: inherit From 24fcab8ef54f9d9e9f0a167253bb5134ed8aa7a0 Mon Sep 17 00:00:00 2001 
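Review bot: The new maven.yml declares no `permissions:` block, so `reusable-maven-build.yml` receives the repository's default `GITHUB_TOKEN` scope on every push to main, feature/*, fix/* and dependabot/** - on repositories still using the legacy default that is write-all, and the workflow that now decides what to do with it lives in another repository. Add `permissions: contents: read` at the top, as the sibling release.yml in this same commit does, and grant at the job level only what the callee is documented to need (the callee cannot raise its own scope above the caller's). `secrets: inherit` hands every repository and organization secret (the deleted inline file used `OSS_SONATYPE_*`, `GPG_PRIVATE_KEY`, `SONAR_TOKEN`) to a build job; if the reusable workflow declares its secrets, passing them by name is the least-privilege form. Separately, the `if:` that skips `pull_request` for same-repo branches assumes the `push` branch list covers every branch a PR can come from; a branch outside the list gets neither trigger, so a required status check would be silently absent rather than failing (patch 3 adds `chore/*` for exactly this reason, but `docs/*`, `refactor/*` etc. remain uncovered).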
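Review bot: With `permissions: contents: read` at the workflow level and no job-level override, the `GITHUB_TOKEN` handed to `reusable-maven-release.yml` cannot push the release commit and tag that the deleted maven-release.yml force-pushed with `github_token: ${{ secrets.GITHUB_TOKEN }}`; either the callee relies on a PAT arriving through `secrets: inherit`, or this job needs `permissions: contents: write` - which one applies depends on the callee, which is not visible here, and should be stated in a comment on the `permissions:` block. `secrets: inherit` also forwards `GPG_PRIVATE_KEY` and the Sonatype credentials wholesale; if the reusable workflow declares its secrets, pass them by name instead. The `workflow_dispatch` arm of the `if:` allows a release from any ref by anyone with write access; if releases are meant to come only from main, consider `github.ref == 'refs/heads/main'` in that arm.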
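Review bot: scorecards.yml declares no `permissions:`, yet a Scorecard run that publishes results or uploads SARIF needs `id-token: write` and `security-events: write`, which the called workflow cannot grant itself; with nothing declared here the job gets the repository default, which is either too broad (legacy write-all) or too narrow (read-only, so the upload fails). Declare the minimum at the job, e.g. `permissions: { security-events: write, id-token: write, contents: read, actions: read }`, trimmed to what `reusable-scorecards.yml` actually does - that file is not visible here. A comment noting that `branch_protection_rule` is there so Scorecard re-evaluates the branch-protection check would help the next reader.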
From: Oliver Wolff <23139298+cuioss@users.noreply.github.com> Date: Mon, 2 Feb 2026 22:42:20 +0100 Subject: [PATCH 2/3] fix: correct SHA reference for reusable workflows The SHA 288f393... was incorrect. Using correct v0.2.0 SHA: 9ce5ba83776bab80eeffb695f7374e334cf6bd9f Co-Authored-By: Claude Opus 4.5 --- .github/workflows/dependency-review.yml | 2 +- .github/workflows/maven.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/scorecards.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ac1779e..6a961ae 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -5,5 +5,5 @@ on: [pull_request] jobs: dependency-review: - uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0 secrets: inherit diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 5329189..1c6fcf5 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -14,5 +14,5 @@ jobs: # Run on push events, OR on pull_request only if from a fork # This prevents duplicate runs: push handles internal branches, PR handles forks if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name - uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0 secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index db224de..c32f904 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -15,5 +15,5 @@ permissions: jobs: release: if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0 secrets: inherit diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index df47b88..edfdd7d 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -10,5 +10,5 @@ on: jobs: analysis: - uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0 + uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0 secrets: inherit From 45ee7c29aab5da35f22342b0d87f71bda6c7a551 Mon Sep 17 00:00:00 2001 From: Oliver Wolff <23139298+cuioss@users.noreply.github.com> Date: Mon, 2 Feb 2026 22:48:51 +0100 Subject: [PATCH 3/3] fix: add chore/* to push triggers and permissions to dependency-review - Add chore/* to maven.yml push triggers so builds run on chore branches - Add required permissions to dependency-review.yml for reusable workflow Co-Authored-By: Claude Opus 4.5 --- .github/workflows/dependency-review.yml | 10 +++++++++- .github/workflows/maven.yml | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 6a961ae..468834f 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -1,9 +1,17 @@ # Example: Copy this to your repo as .github/workflows/dependency-review.yml name: Dependency Review -on: [pull_request] +on: + pull_request: + branches: [main] + +permissions: + contents: read jobs: dependency-review: uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@9ce5ba83776bab80eeffb695f7374e334cf6bd9f # v0.2.0 + permissions: + contents: read + pull-requests: write secrets: inherit diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml index 1c6fcf5..de106b2 100644 --- a/.github/workflows/maven.yml +++ b/.github/workflows/maven.yml @@ -4,7 +4,7 @@ name: Maven Build on: push: - branches: [main, "feature/*", "fix/*", "dependabot/**"] + branches: [main, "feature/*", "fix/*", "chore/*", "dependabot/**"] pull_request: branches: [main] workflow_dispatch:
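Review bot: The job-level `pull-requests: write` will not take effect for pull requests opened from a fork - GitHub caps `GITHUB_TOKEN` at read-only there regardless of what the caller declares - so if `reusable-dependency-review.yml` posts a PR comment, that step is denied for exactly the external contributions a dependency review is most valuable for, while the review itself (`contents: read`) still runs. Make sure the callee treats the comment failure as non-fatal, and document the limitation next to the grant: `# pull-requests: write is ineffective on fork PRs (token is read-only there); the review still runs`. Restricting to `branches: [main]` also means PRs against any other base branch get no dependency review; if release or maintenance branches exist, list them.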