michelin
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 99 additions & 0 deletions b/‎.github/workflows/build.yml‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎.github/workflows/hotfix.yml‎
Lines changed: 34 additions & 0 deletions b/‎.github/workflows/hotfix.yml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎.github/workflows/on_pull_request.yml‎
Lines changed: 0 additions & 43 deletions b/‎.github/workflows/on_pull_request.yml‎
Lines changed: 0 additions & 43 deletions
diff --git a/‎.github/workflows/on_push_main.yml‎
Lines changed: 0 additions & 59 deletions b/‎.github/workflows/on_push_main.yml‎
Lines changed: 0 additions & 59 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 16 additions & 9 deletions b/‎.github/workflows/release.yml‎
Lines changed: 16 additions & 9 deletions
diff --git a/‎.github/workflows/tag.yml‎
Lines changed: 14 additions & 3 deletions b/‎.github/workflows/tag.yml‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎.spotless/HEADER‎
Lines changed: 18 additions & 0 deletions b/‎.spotless/HEADER‎
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,99 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+      - 'hotfix/v*.*.*'
+  schedule:
+    - cron: '0 5 * * 1'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [ '17', '21' ]
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: 'temurin'
+          cache: maven
+          server-id: central
+          server-username: SONATYPE_USERNAME
+          server-password: SONATYPE_TOKEN
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+
+      - name: Cache SonarQube packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Lint
+        run: mvn spotless:check
+
+      - name: Build
+        run: mvn clean package
+
+      - name: Publish test report
+        if: always()
+        uses: mikepenz/action-junit-report@v5
+        with:
+          report_paths: '**/target/surefire-reports/TEST-*.xml'
+
+      - name: Grype source code
+        if: matrix.java == '17'
+        id: grype_source_code
+        uses: anchore/scan-action@v6
+        with:
+          path: .
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: true
+
+      - name: Upload Grype source code report
+        if: always() && steps.grype_source_code.outputs.sarif != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.grype_source_code.outputs.sarif }}
+          category: 'source-code'
+
+      - name: Sonar
+        if: matrix.java == '17' && github.event.pull_request.head.repo.fork == false
+        run: mvn verify sonar:sonar
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: Metadata
+        if: matrix.java == '17' && github.ref == 'refs/heads/main'
+        id: metadata
+        run: echo current_version=$(echo $(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)) >> $GITHUB_OUTPUT
+
+      - name: Deploy
+        if: matrix.java == '17' && github.ref == 'refs/heads/main' && endsWith(steps.metadata.outputs.current_version, '-SNAPSHOT')
+        run: mvn -B deploy -DskipTests -Psign
+        env:
+          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+          SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
@@ -0,0 +1,34 @@
+name: Hotfix
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag_version:
+        description: 'Tag version'
+        required: true
+
+jobs:
+  create-branch:
+    name: Create Branch
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.CI_CD_TOKEN }}
+
+      - name: Create branch
+        run: |
+          START_TAG=v${{ github.event.inputs.tag_version }}
+          echo "Start from tag $START_TAG"
+          MAJOR_MINOR_DIGIT=$(echo "$START_TAG" | cut -d '.' -f 1-2)
+          PATCH_DIGIT=$(echo "$START_TAG" | cut -d '.' -f 3)
+          NEW_PATCH_DIGIT=$((PATCH_DIGIT + 1))
+          HOTFIX_VERSION="${MAJOR_MINOR_DIGIT}.${NEW_PATCH_DIGIT}"
+          HOTFIX_BRANCH_NAME="hotfix/$HOTFIX_VERSION"
+          echo "Create hotfix branch $HOTFIX_BRANCH_NAME"
+          git fetch --all
+          git checkout tags/$START_TAG -b $HOTFIX_BRANCH_NAME
+          git push origin $HOTFIX_BRANCH_NAME
@@ -10,37 +10,44 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
           cache: maven
-          server-id: ossrh
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
+          server-id: central
+          server-username: SONATYPE_USERNAME
+          server-password: SONATYPE_TOKEN
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
       - name: Deploy
         run: mvn -B clean deploy -DskipTests -Psign
         env:
-          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
+          SONATYPE_TOKEN: ${{ secrets.SONATYPE_TOKEN }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Generate release changelog
-        uses: mikepenz/release-changelog-builder-action@v4.0.0
+        uses: mikepenz/release-changelog-builder-action@v5
         id: build_changelog
         with:
           configuration: 'changelog-builder.json'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create release
-        uses: ncipollo/release-action@v1.14.0
+        uses: ncipollo/release-action@v1.18.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           body: ${{ steps.build_changelog.outputs.changelog }}
 
@@ -9,16 +9,17 @@ on:
 
 jobs:
   tag:
+    name: Tag
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/hotfix/v')
     steps:
       - name: Checkout project
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.CI_CD_TOKEN }}
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           java-version: '17'
           distribution: 'temurin'
@@ -32,6 +33,16 @@ jobs:
           git_user_signingkey: true
           git_commit_gpgsign: true
 
+      - name: Validate release version format
+        run: |
+          if [[ ! "${{ github.event.inputs.release_version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Release version must follow SemVer format (X.Y.Z) and start with a digit"
+            echo "Current value: ${{ github.event.inputs.release_version }}"
+            echo "Expected format: 1.2.3, 2.0.0, etc."
+            echo "Note: The 'v' prefix will be added automatically to the tag. Do not include it manually"
+            exit 1
+          fi
+
       - name: Tag
         run: |
           mvn versions:set -DnewVersion=${{ github.event.inputs.release_version }}
 
@@ -0,0 +1,18 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */