Roche-CAPT · gdgib-roche · Jul 18, 2025 · Sep 25, 2024 · Sep 26, 2024 · Sep 26, 2024
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,20 @@
+changelog:
+  categories:
+  - title: Breaking Changes 🚨
+    labels:
+    - breaking change
+  - title: Enhancements 🚀
+    labels:
+    - enhancement
+  - title: Bug Fixes 🐛
+    labels:
+    - bug
+  - title: Dependency Updates 🤖
+    labels:
+    - dependencies
+  - title: Documentation 📃
+    labels:
+    - documentation
+  - title: Other Changes
+    labels:
+    - "*"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -2,65 +2,39 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [master]
+    branches:
+    - master
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
+    branches:
+    - master
   schedule:
-    - cron: '0 9 * * 5'
+  - cron: '0 9 * * 5'
+
+permissions: { }
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        # Override automatic language detection by changing the below list
-        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-        language: ['java']
-        # Learn more...
-        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
+    permissions:
+      security-events: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
-
     # If this run was triggered by a pull request event, then checkout
     # the head of the pull request instead of the merge commit.
     - run: git checkout HEAD^2
       if: ${{ github.event_name == 'pull_request' }}
-
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # tag=v3.29.2
       with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
+        languages: java
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
+      uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # tag=v3.29.2
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # tag=v3.29.2
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -6,24 +6,26 @@ on:
       - master
   workflow_dispatch:
 
+permissions: { }
+
 jobs:
   build-documentation:
     name: "Build documentation"
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to push commits to gh-pages branch
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
       - name: Set up JDK 8
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # tag=v4.7.1
         with:
           distribution: temurin
           java-version: 8
       - name: Build with Maven
-        run: mvn package --file pom.xml
-
+        run: mvn -B --no-transfer-progress package
       - name: Deploy documentation
-        uses: JamesIves/github-pages-deploy-action@releases/v3
+        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # tag=v4.7.3
         with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: gh-pages
-          FOLDER: target/apidocs
+          branch: gh-pages
+          folder: target/reports/apidocs
diff --git a/.github/workflows/java-maven.yml b/.github/workflows/java-maven.yml
@@ -15,9 +15,9 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - name: Set up JDK 8
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@v4
       with:
         distribution: adopt
         java-version: 8

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -1,22 +1,47 @@
 name: Maven CI
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+
+permissions: { }
 
 jobs:
-  build:
+  test:
+    name: Test
     strategy:
       matrix:
-        os: [ ubuntu-latest ]
-        java-version: [ 8 ]
-        distro: [ 'zulu', 'temurin' ]
-    runs-on: ${{ matrix.os }}
-
+        java-version: [ 8, 11, 17, 21 ]
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
-    - uses: actions/checkout@v4.1.1
+    - name: Checkout Repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
     - name: Set up JDK ${{ matrix.java-version }}
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # tag=v4.7.1
       with:
-        distribution: ${{ matrix.distro }}
+        distribution: temurin
         java-version: ${{ matrix.java-version }}
-    - name: Build with Maven
-      run: mvn package --file pom.xml
+        cache: maven
+    - name: Test
+      run: mvn -B --no-transfer-progress clean verify
+    # Publishing coverage to Codacy is only possible for builds of push events.
+    # PRs from forks do not get access to repository secrets.
+    # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+    - name: Publish test coverage
+      if: ${{ github.event_name != 'pull_request' && github.repository_owner == 'CycloneDX' && matrix.java-version == '21' }}
+      uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # tag=v1.3.0
+      with:
+        project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+        language: Java
+        coverage-reports: target/site/jacoco/jacoco.xml
+    - name: Upload PR test coverage report
+      if: ${{ github.event_name == 'pull_request' }}
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+      with:
+        name: pr-test-coverage-report-java-${{ matrix.java-version }}
+        path: target/site/jacoco/jacoco.xml
diff --git a/.github/workflows/pr-test-coverage.yml b/.github/workflows/pr-test-coverage.yml
@@ -0,0 +1,32 @@
+name: Report PR Test Coverage
+
+on:
+  workflow_run:
+    workflows:
+    - Maven CI
+    types:
+    - completed
+
+permissions: { }
+
+jobs:
+  publish:
+    name: Report Coverage
+    runs-on: ubuntu-latest
+    if: |-
+      github.event.workflow_run.event == 'pull_request'
+        && github.event.workflow_run.conclusion == 'success'
+    steps:
+    - name: Download PR test coverage report
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # tag=v4.3.0
+      with:
+        name: pr-test-coverage-report-java-21
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        run-id: ${{ github.event.workflow_run.id }}
+    - name: Report Coverage to Codacy
+      run: |-
+        bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
+          --project-token ${{ secrets.CODACY_PROJECT_TOKEN }} \
+          --commit-uuid ${{ github.event.workflow_run.head_sha }} \
+          --coverage-reports ./jacoco.xml \
+          --language Java
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
@@ -0,0 +1,29 @@
+name: Maven Publish Snapshot
+
+on: [workflow_dispatch]
+
+permissions: {}
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write  # for git-push after version modifications
+
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+    - name: Set up JDK 8
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # tag=v4.7.1
+      with:
+        java-version: '8'
+        distribution: 'temurin'
+        server-id: ossrh
+        server-username: MAVEN_USERNAME
+        server-password: MAVEN_PASSWORD
+    - name: Publish snapshot
+      run: mvn -B deploy
+      env:
+        MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml