feat: adds GitHub Actions build pipeline

Author: hartmut-co-uk

.github/workflows/1.pipeline.yml

@@ -0,0 +1,79 @@
+name: "> Main Pipeline"
+
+on:
+  push:
+    branches: [ "main" ]
+    tags:
+      - '*'
+  pull_request:
+    branches: ['*']
+  workflow_dispatch:
+    inputs:
+      type:
+        description: 'Release Library'
+        required: true
+        default: '...no release'
+        type: choice
+        options:
+          - '...no release'
+          - major
+          - minor
+          - patch
+
+jobs:
+
+  build:
+    name: Build + unit tests
+    uses: ./.github/workflows/callable.build.yml
+    if: | # avoid unnecessary pipeline runs during artifact release process ('gradle release plugin')
+      !contains(github.event.head_commit.message, '[Gradle Release Plugin] - pre tag commit')
+      || github.ref_type == 'tag'
+
+  code_analysis:
+    name: Code Analysis (multi)
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: ./.github/workflows/callable.code-analysis.yml
+    needs: build
+    if: |
+      github.event_name != 'workflow_dispatch'
+      || inputs.type == '...no release'
+
+  integration_test:
+    name: Run integration tests
+    uses: ./.github/workflows/callable.integration-test.yml
+    needs: build
+
+  gradle_release:
+    name: Create artifact release
+    uses: ./.github/workflows/callable.gradle-release.yml
+    secrets: inherit
+    with:
+      type: ${{ inputs.type }}
+    needs: integration_test
+    if: |
+      github.event_name == 'workflow_dispatch'
+      && inputs.type != '...no release'
+
+  publish_sonatype:
+    name: Publish to Maven Central (Sonatype)
+    uses: ./.github/workflows/callable.publish-sonatype.yml
+    secrets: inherit
+    needs: integration_test
+    if: |
+      (
+        github.event_name != 'workflow_dispatch'
+        || inputs.type == '...no release'
+      ) && ( 
+        github.ref == 'refs/heads/main' 
+        || github.ref_type == 'tag' 
+      )
+
+  publish_javadoc:
+    name: Publish javadoc (GitHub Pages)
+    permissions:
+      contents: write
+    uses: ./.github/workflows/callable.publish-javadoc.yml
+    needs: integration_test

.github/workflows/2.scheduled.code-analysis.yml

@@ -0,0 +1,15 @@
+name: ">> Scheduled Code Analysis"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '23 1 * * 6' # weekly, on Saturday at 01:23 UTC
+
+jobs:
+  code_analysis:
+    name: Code Analysis (multi)
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: ./.github/workflows/callable.code-analysis.yml

.github/workflows/callable.build.yml

@@ -0,0 +1,24 @@
+name: Gradle Build
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: gradle build test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project sources
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: '17'
+          cache: 'gradle'
+      - uses: gradle/wrapper-validation-action@v1
+      - name: Setup Gradle
+        uses: gradle/[email protected]
+
+      - name: Run build (incl. test)
+        run: gradle build -x intTest --no-daemon

.github/workflows/callable.code-analysis.codeql.yml

@@ -0,0 +1,55 @@
+name: CodeQL Analysis
+
+on:
+  workflow_call:
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: java
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+        queries: security-extended,security-and-quality
+
+    - uses: actions/setup-java@v3
+      with:
+        distribution: 'corretto'
+        java-version: '17'
+        cache: 'gradle'
+    - uses: gradle/wrapper-validation-action@v1
+    - name: Setup Gradle
+      uses: gradle/[email protected]
+    - name: Run build with Gradle Wrapper
+      run: |
+        gradle build -x intTest --no-daemon
+        # ignore ./.gradle folder for analysis
+        rm -Rf .gradle
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/callable.code-analysis.trivy.yml

@@ -0,0 +1,43 @@
+name: Trivy Security Scan
+
+on:
+  workflow_call:
+
+jobs:
+  analyze:
+    name: Trivy scan (JVM)
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: '17'
+          cache: 'gradle'
+      - uses: gradle/wrapper-validation-action@v1
+      - name: Setup Gradle
+        uses: gradle/[email protected]
+
+      - name: Generate gradle.lockfile for trivy scan
+        run: gradle dependencies --write-locks
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/callable.code-analysis.yml

@@ -0,0 +1,20 @@
+name: Code Analysis
+
+on:
+  workflow_call:
+
+jobs:
+  github_codeql_analysis:
+    name: GitHub CodeQL Analysis
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: ./.github/workflows/callable.code-analysis.codeql.yml
+  trivy_scan:
+    name: Trivy Security Scan
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: ./.github/workflows/callable.code-analysis.trivy.yml

.github/workflows/callable.gradle-release.yml

@@ -0,0 +1,79 @@
+name: Gradle Release
+
+on:
+  workflow_call:
+    inputs:
+      type:
+        description: 'Release type'
+        required: true
+        type: string
+
+jobs:
+  release:
+    name: gradle release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate 'Release Type' param
+        id: validate_type
+        env:
+          TYPE: ${{ inputs.type }}
+        run: |
+          valid_types=(major minor patch)
+          if [[ ! ${valid_types[*]} =~ "$TYPE" ]]; then
+            echo "Unknown release type: $TYPE"
+            exit 1
+          fi
+      - name: Checkout project sources ('main' branch)
+        uses: actions/checkout@v4
+        with:
+          ref: main
+          token: ${{ secrets.CI_GITHUB_TOKEN }}
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: '17'
+          cache: 'gradle'
+      - uses: gradle/wrapper-validation-action@v1
+      - name: Setup Gradle
+        uses: gradle/[email protected]
+
+      - name: Get current version
+        id: get_version
+        run: |
+          source gradle.properties
+          echo "current_version=${version}" >> $GITHUB_ENV
+
+      - name: Determine version type
+        id: bump_version
+        env:
+          TYPE: ${{ inputs.type }}
+          VERSION: ${{ env.current_version }}
+        run: |
+          export major=$(echo "${VERSION}" | cut -d. -f1)
+          export minor=$(echo "${VERSION}" | cut -d. -f2)
+          export patch=$(echo "${VERSION}" | cut -d. -f3 | cut -d- -f1)
+          echo "resolved: ${major}.${minor}.${patch}"
+          
+          if [[ "$TYPE" == "major" ]]; then
+            echo "new_version=$((major+1)).0.0" >> $GITHUB_ENV
+            echo "new_snapshot_version=$((major+1)).0.1-SNAPSHOT" >> $GITHUB_ENV
+          elif [ "$TYPE" == "minor" ]; then
+            echo "new_version=${major}.$((minor+1)).0" >> $GITHUB_ENV
+            echo "new_snapshot_version=${major}.$((minor+1)).1-SNAPSHOT" >> $GITHUB_ENV
+          else
+            echo "new_version=${major}.${minor}.${patch}" >> $GITHUB_ENV
+            echo "new_snapshot_version=${major}.${minor}.$((patch+1))-SNAPSHOT" >> $GITHUB_ENV
+          fi
+      - name: Set git config 'user.name' and 'user.email'
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+      - name: Run 'gradle release'
+        id: gradle_release
+        run: |
+          echo "Type: ${{ inputs.type }}"
+          echo "Current version: ${{ env.current_version }}"
+          echo "New version: ${{ env.new_version }}"
+          echo "New snapshot version: ${{ env.new_snapshot_version }}"
+          echo "./gradlew release -Prelease.useAutomaticVersion=true -Prelease.releaseVersion=${{ env.new_version }} -Prelease.newVersion=${{ env.new_snapshot_version }}"
+          gradle release -Prelease.useAutomaticVersion=true -Prelease.releaseVersion=${{ env.new_version }} -Prelease.newVersion=${{ env.new_snapshot_version }}

.github/workflows/callable.integration-test.yml

@@ -0,0 +1,27 @@
+name: Gradle Build + intTests
+
+on:
+  workflow_call:
+
+jobs:
+  intTest:
+    name: gradle intTest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project sources
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: '17'
+          cache: 'gradle'
+      - uses: gradle/wrapper-validation-action@v1
+      - name: Setup Gradle
+        uses: gradle/[email protected]
+
+      - name: Run build (incl. test)
+        run: gradle build -x intTest --no-daemon
+
+      - name: Run integration tests
+        run: gradle intTest --no-daemon

.github/workflows/callable.publish-javadoc.yml

@@ -0,0 +1,43 @@
+name: Deploy Javadoc
+
+on:
+  workflow_call:
+
+jobs:
+  deploy_javadoc:
+    name: Build & deploy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout project sources
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'corretto'
+          java-version: '17'
+          cache: 'gradle'
+      - uses: gradle/wrapper-validation-action@v1
+      - name: Setup Gradle
+        uses: gradle/[email protected]
+
+      - name: Run build (incl. test)
+        run: gradle javadoc
+
+      - name: Conclude javadoc version and set env
+        run: |
+          if [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" == "refs/heads/master" ]]; then
+            echo "PUBLISH_VERSION=current" >> $GITHUB_ENV
+          else
+            echo "PUBLISH_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+          fi
+
+      - name: Deploy to GitHub Page 🚀 with Gradle
+        uses: JamesIves/[email protected]
+        with:
+          branch: gh-pages
+          clean: true
+          folder: java-library-template/build/docs/javadoc
+          target-folder: javadoc/${{ env.PUBLISH_VERSION }}