ci: add OpenApi validator and sonar code coverage

.github/workflows/maven-build.yml

@@ -3,6 +3,9 @@ name: maven-build
 on:
   push:
     branches: ['**/**']
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -13,33 +16,34 @@ jobs:
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN }}
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
       GITHUB_TOKEN: ${{ github.token }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       MARKDOWN2HTML_MAVEN_PLUGIN_FAIL_ON_ERROR: true
     steps:
-      - name: 📄 Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: 📄 Checkout the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
         with:
           fetch-depth: 0
       - name: 🧱 Set up JDK and Maven
-        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b  # v4
         with:
           distribution: adopt
           java-version: 17
           gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
-      - name: 📝 Store project version
+      - name: 📝 Get the project version
         id: project_version
         run: echo "project_version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
       - name: 📝 Store cache key
         id: cache_key
         run: echo "cache_key=${{ runner.os }}-mvn-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}" >> $GITHUB_OUTPUT
-      - name: 💾 Prepare Cache
+      - name: 💾 Prepare cache using cache key
         id: prepare-cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ steps.cache_key.outputs.cache_key }}
-      - name: 🔘 Generate settings.xml
+      - name: 🔘 Generate settings.xml for Maven
         uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d  # v22
         with:
           repositories: >
@@ -88,8 +92,12 @@ jobs:
             ]
       - name: 🔘 Print settings.xml
         run: cat /home/runner/.m2/settings.xml
-      - name: 📦 Build with Maven
-        run: mvn --batch-mode clean package
+      - name: 📦 Build with Maven for Pushes
+        if: github.event_name == 'push'
+        run: mvn --batch-mode clean package sonar:sonar -Dsonar.branch.name=${{ github.head_ref }}
+      - name: 📦 Build with Maven for PRs
+        if: github.event_name == 'pull_request'
+        run: mvn --batch-mode clean package sonar:sonar -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
     outputs:
       project_version: ${{ steps.project_version.outputs.project_version }}
       cache_key: ${{ steps.cache_key.outputs.cache_key }}
@@ -107,20 +115,20 @@ jobs:
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
     steps:
       - name: 🧱 Set up JDK and Maven
-        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b  # v4
         with:
           distribution: adopt
           java-version: 17
           gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
-      - name: 💾 Restore Cache
+      - name: 💾 Restore cache using cache key
         id: restore-cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ needs.build.outputs.cache_key }}
-      - name: 📦 Publish to Maven Central
+      - name: 📦 Deploy artifacts to Maven Central
         run: mvn --batch-mode -Dmaven.test.skip=true deploy -P gpg-sign -P nexus-staging
 
   # Deploy release to GitHub Packages
@@ -137,20 +145,20 @@ jobs:
       GITHUB_TOKEN: ${{ github.token }}
     steps:
       - name: 🧱 Set up JDK and Maven
-        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b  # v4
         with:
           distribution: adopt
           java-version: 17
-      - name: 💾 Restore Cache
+      - name: 💾 Restore cache using cache key
         id: restore-cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ needs.build.outputs.cache_key }}
-      - name: 📦 Publish to GitHub Packages
+      - name: 📦 Deploy artifacts to GitHub Packages
         run: mvn --batch-mode -Dmaven.test.skip=true -Dmaven.javadoc.skip=true -Dmaven.source.skip=true deploy -P deploy-github-packages
-      - name: 📦 Upload assets
+      - name: 📦 Upload assets to GitHub Release
         run: |-
           gh release upload v${{ needs.build.outputs.project_version }} target/*-${{ needs.build.outputs.project_version }}.jar

.github/workflows/openapi-validation.yml

@@ -0,0 +1,16 @@
+---
+name: openapi-validate
+on: [push]
+jobs:
+  check-openapi-definition:
+    runs-on: ubuntu-latest
+    name: Swagger Editor Validator Remote
+    steps:
+      - name: 📄 Checkout the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+        with:
+          fetch-depth: 0
+      - name: 🧪 Validate OpenAPI definition
+        uses: char0n/swagger-editor-validate@fe35d650e9fc674505607519d0d12ab4de5d415d  # v1
+        with:
+          definition-file: docs/openapi.json

.github/workflows/pr.yml

@@ -10,15 +10,14 @@ jobs:
     name: Check commit messages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5
         with:
-          cache: pip  # caching pip dependencies
-          check-latest: true
+          python-version: 3.x
       - run: pip install commitizen
       - name: Check commit messages
         run: cz check --rev-range origin/${GITHUB_BASE_REF}..

.github/workflows/release-please.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: release-please
         id: release
-        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f  # v4
         with:
           release-type: maven
           target-branch: main

.pre-commit-config.yaml

@@ -21,18 +21,19 @@ repos:
       - id: end-of-file-fixer
       - id: pretty-format-json
         args: [--autofix, --no-ensure-ascii, '--top-keys=openapi,info,servers,paths,components']
+        files: docs/openapi.json
   - repo: local
     hooks:
       - id: sensitive-data-leak-urls
         name: Sensitive data leak - URLs
         entry: (?<!polarion-opensource@)(?<!www\.)sbb\.ch
         language: pygrep
-        types: [ text ]
+        types: [text]
       - id: sensitive-data-leak-ue-numbers
         name: Sensitive data leak - UE numbers
         entry: \b([uUeE]{1,2})\d{5,6}\b
         language: pygrep
-        types: [ text ]
+        types: [text]
   - repo: https://github.com/zricethezav/gitleaks
     rev: v8.21.2
     hooks:

CONTRIBUTING.md

@@ -79,11 +79,11 @@ Before you submit your Pull Request (PR) consider the following guidelines:
   is necessary because release notes are automatically generated from these messages.
 
      ```shell
-     git commit -a -S
+     git commit -a --gpg-sign
      ```
   Note: The optional commit `-a` command line option will automatically "add" and "rm" edited files.
 
-  Note: The command line option `-S` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
+  Note: The command line option `-S/--gpg-sign` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
 
 * Push your branch to GitHub:
 
@@ -104,4 +104,3 @@ To ensure consistency throughout the source code, keep these rules in mind as yo
 * All features or bug fixes **must be tested** by one or more specs (unit-tests).
 * All API methods **must be documented**.
 * Also see [CODING_STANDARDS.md](./CODING_STANDARDS.md)
-