ci: setup sonarcloud (#266)

* chore: update with open-source-polarion-java-repo-template

---------

Co-authored-by: ariwk <adam.ruberti@sbb.ch>

.github/workflows/maven-build.yml

@@ -3,6 +3,9 @@ name: maven-build
 on:
   push:
     branches: ['**/**']
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -13,33 +16,34 @@ jobs:
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN }}
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
       GITHUB_TOKEN: ${{ github.token }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       MARKDOWN2HTML_MAVEN_PLUGIN_FAIL_ON_ERROR: true
     steps:
-      - name: 📄 Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      - name: 📄 Checkout the repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4
         with:
           fetch-depth: 0
       - name: 🧱 Set up JDK and Maven
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73  # v4
         with:
           distribution: adopt
           java-version: 17
           gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
-      - name: 📝 Store project version
+      - name: 📝 Get the project version
         id: project_version
         run: echo "project_version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
       - name: 📝 Store cache key
         id: cache_key
         run: echo "cache_key=${{ runner.os }}-mvn-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}" >> $GITHUB_OUTPUT
-      - name: 💾 Prepare Cache
+      - name: 💾 Prepare cache using cache key
         id: prepare-cache
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
+        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ steps.cache_key.outputs.cache_key }}
-      - name: 🔘 Generate settings.xml
+      - name: 🔘 Generate settings.xml for Maven
         uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d  # v22
         with:
           repositories: >
@@ -88,8 +92,13 @@ jobs:
             ]
       - name: 🔘 Print settings.xml
         run: cat /home/runner/.m2/settings.xml
-      - name: 📦 Build with Maven
-        run: mvn --batch-mode clean package -P tests-with-weasyprint-docker
+      - name: 📦 Build with Maven for Pushes
+        if: github.event_name == 'push'
+        run: mvn --batch-mode clean package -P tests-with-weasyprint-docker sonar:sonar -Dsonar.branch.name=${{ github.head_ref }}
+      - name: 📦 Build with Maven for PRs
+        if: github.event_name == 'pull_request'
+        run: mvn --batch-mode clean package -P tests-with-weasyprint-docker sonar:sonar -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.branch=${{ github.head_ref }}
+          -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
     outputs:
       project_version: ${{ steps.project_version.outputs.project_version }}
       cache_key: ${{ steps.cache_key.outputs.cache_key }}
@@ -107,21 +116,21 @@ jobs:
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
     steps:
       - name: 🧱 Set up JDK and Maven
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73  # v4
         with:
           distribution: adopt
           java-version: 17
           gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
-      - name: 💾 Restore Cache
+      - name: 💾 Restore cache using cache key
         id: restore-cache
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
+        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ needs.build.outputs.cache_key }}
-      - name: 📦 Publish to Maven Central
-        run: mvn --batch-mode -Dmaven.test.skip=true deploy -P gpg-sign -P nexus-staging
+      - name: 📦 Deploy artifacts to Maven Central
+        run: mvn --batch-mode deploy -P gpg-sign -P nexus-staging
 
   # Deploy release to GitHub Packages
   deploy-github-packages:
@@ -137,20 +146,20 @@ jobs:
       GITHUB_TOKEN: ${{ github.token }}
     steps:
       - name: 🧱 Set up JDK and Maven
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73  # v4
         with:
           distribution: adopt
           java-version: 17
-      - name: 💾 Restore Cache
+      - name: 💾 Restore cache using cache key
         id: restore-cache
-        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
+        uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ needs.build.outputs.cache_key }}
-      - name: 📦 Publish to GitHub Packages
-        run: mvn --batch-mode -Dmaven.test.skip=true -Dmaven.javadoc.skip=true -Dmaven.source.skip=true deploy -P deploy-github-packages
-      - name: 📦 Upload assets
+      - name: 📦 Deploy artifacts to GitHub Packages
+        run: mvn --batch-mode -Dmaven.javadoc.skip=true -Dmaven.source.skip=true deploy -P deploy-github-packages
+      - name: 📦 Upload assets to GitHub Release
         run: |-
           gh release upload v${{ needs.build.outputs.project_version }} target/*-${{ needs.build.outputs.project_version }}.jar

.github/workflows/pr.yml

@@ -10,14 +10,14 @@ jobs:
     name: Check commit messages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5
         with:
-          cache: pip  # caching pip dependencies
+          python-version: 3.x
       - run: pip install commitizen
       - name: Check commit messages
         run: cz check --rev-range origin/${GITHUB_BASE_REF}..

.github/workflows/release-please.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: release-please
         id: release
-        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f  # v4
         with:
           release-type: maven
           target-branch: main

.pre-commit-config.yaml

@@ -9,16 +9,31 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
       - id: check-merge-conflict
       - id: trailing-whitespace
       - id: check-xml
       - id: check-json
       - id: check-yaml
       - id: no-commit-to-branch
       - id: mixed-line-ending
+      - id: end-of-file-fixer
       - id: pretty-format-json
         args: [--autofix, --no-ensure-ascii, '--top-keys=openapi,info,servers,paths,components']
         files: docs/openapi.json
+  - repo: local
+    hooks:
+      - id: sensitive-data-leak-urls
+        name: Sensitive data leak - URLs
+        entry: (?<!polarion-opensource@)(?<!www\.)sbb\.ch
+        language: pygrep
+        types: [text]
+      - id: sensitive-data-leak-ue-numbers
+        name: Sensitive data leak - UE numbers
+        entry: \b([uUeE]{1,2})\d{5,6}\b
+        language: pygrep
+        types: [text]
   - repo: https://github.com/zricethezav/gitleaks
     rev: v8.21.1
     hooks:

CONTRIBUTING.md

@@ -79,11 +79,11 @@ Before you submit your Pull Request (PR) consider the following guidelines:
   is necessary because release notes are automatically generated from these messages.
 
      ```shell
-     git commit -a -S
+     git commit -a --gpg-sign
      ```
   Note: The optional commit `-a` command line option will automatically "add" and "rm" edited files.
 
-  Note: The command line option `-S` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
+  Note: The command line option `-S/--gpg-sign` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
 
 * Push your branch to GitHub:
 
@@ -104,4 +104,3 @@ To ensure consistency throughout the source code, keep these rules in mind as yo
 * All features or bug fixes **must be tested** by one or more specs (unit-tests).
 * All API methods **must be documented**.
 * Also see [CODING_STANDARDS.md](./CODING_STANDARDS.md)
-

QUICK_START.md

@@ -21,8 +21,8 @@ ch.sbb.polarion.extension.pdf-exporter.weasyprint.service=http://localhost:9080
 
 ## Restart Polarion
 
-Stop Polarion.  
-Delete the `<polarion_home>/data/workspace/.config` folder.  
+Stop Polarion.
+Delete the `<polarion_home>/data/workspace/.config` folder.
 Start Polarion.
 
 ## Configure PDF Exporter for Live Reports