From cbb870d27ac3c55beac2918e68f4aab9472bf381 Mon Sep 17 00:00:00 2001
From: ariwk <adam.ruberti@sbb.ch>
Date: Wed, 23 Oct 2024 11:21:30 +0200
Subject: [PATCH 1/2] ci: add sonar configuration for code coverage and RP,
 branch analysis

---
 .github/CODEOWNERS                   |  1 -
 .github/workflows/maven-build.yml    | 76 ++++++++++++++++------------
 .github/workflows/pr.yml             |  6 +--
 .github/workflows/release-please.yml |  2 +-
 .pre-commit-config.yaml              | 17 ++++++-
 CONTRIBUTING.md                      |  5 +-
 README.md                            | 11 ++++
 7 files changed, 76 insertions(+), 42 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index a34ee52..7e09d5f 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,4 +1,3 @@
 # These owners will be the default owners for everything in the repo.
 # Unless a later match takes precedence, global owners will be requested for review when someone opens a pull request.
-.pre-commit-config.yaml app/renovate-approve
 * @SchweizerischeBundesbahnen/SBB-CLEW-POLARION-ADMINS @SchweizerischeBundesbahnen/SBB-CLEW-POLARION-MAINTAINERS
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
index 5928dec..a2c2166 100644
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@@ -3,6 +3,9 @@ name: maven-build
 on:
   push:
     branches: ['**/**']
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -13,25 +16,34 @@ jobs:
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN }}
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
       GITHUB_TOKEN: ${{ github.token }}
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       MARKDOWN2HTML_MAVEN_PLUGIN_FAIL_ON_ERROR: true
     steps:
-      - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-      - name: Set up JDK and Maven
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
+      - name: 📄 Checkout the repository
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4
+        with:
+          fetch-depth: 0
+      - name: 🧱 Set up JDK and Maven
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73  # v4
         with:
           distribution: adopt
           java-version: 17
           gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
-      - name: Prepare Cache
+      - name: 📝 Get the project version
+        id: project_version
+        run: echo "project_version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
+      - name: 📝 Store cache key
+        id: cache_key
+        run: echo "cache_key=${{ runner.os }}-mvn-${{ hashFiles('**/pom.xml') }}-${{ github.sha }}" >> $GITHUB_OUTPUT
+      - name: 💾 Prepare cache using cache key
         id: prepare-cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
-          key: ${{ runner.os }}-mvn-${{ hashFiles('**/pom.xml') }}
-      - name: Generate settings.xml
+          key: ${{ steps.cache_key.outputs.cache_key }}
+      - name: 🔘 Generate settings.xml for Maven
         uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d  # v22
         with:
           repositories: >
@@ -78,21 +90,19 @@ jobs:
                 }
               }
             ]
-      - name: Print settings.xml
+      - name: 🔘 Print settings.xml
         run: cat /home/runner/.m2/settings.xml
-      - name: Build with Maven
-        run: mvn --batch-mode clean package
-      - name: Store project version
-        id: project_version
-        run: echo "project_version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_OUTPUT
-      - name: Store cache key
-        id: cache_key
-        run: echo "cache_key=${{ runner.os }}-mvn-${{ hashFiles('**/pom.xml') }}" >> $GITHUB_OUTPUT
+      - name: 📦 Build with Maven for Pushes
+        if: github.event_name == 'push'
+        run: mvn --batch-mode clean package  # sonar:sonar -Dsonar.branch.name=${{ github.head_ref }}
+      - name: 📦 Build with Maven for PRs
+        if: github.event_name == 'pull_request'
+        run: mvn --batch-mode clean package  # sonar:sonar -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
     outputs:
       project_version: ${{ steps.project_version.outputs.project_version }}
       cache_key: ${{ steps.cache_key.outputs.cache_key }}
 
-  # deploy to Maven Central
+  # Deploy release to Maven Central
   deploy-maven-central:
     needs: build
     runs-on: ubuntu-latest
@@ -104,24 +114,24 @@ jobs:
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_TOKEN }}
       COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PASSPHRASE }}
     steps:
-      - name: Set up JDK and Maven
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
+      - name: 🧱 Set up JDK and Maven
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73  # v4
         with:
           distribution: adopt
           java-version: 17
           gpg-private-key: ${{ secrets.COM_SONATYPE_CENTRAL_POLARION_OPENSOURCE_GPG_PRIVATE_KEY }}
-      - name: Restore Cache
+      - name: 💾 Restore cache using cache key
         id: restore-cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ needs.build.outputs.cache_key }}
-      - name: Publish to Maven Central
+      - name: 📦 Deploy artifacts to Maven Central
         run: mvn --batch-mode -Dmaven.test.skip=true deploy -P gpg-sign -P nexus-staging
 
-  # deploy to GitHub Packages
+  # Deploy release to GitHub Packages
   deploy-github-packages:
     needs: build
     runs-on: ubuntu-latest
@@ -134,21 +144,21 @@ jobs:
       S3_SBB_POLARION_MAVEN_REPO_RW_SECRET_ACCESS_KEY: ${{ secrets.S3_SBB_POLARION_MAVEN_REPO_RW_SECRET_ACCESS_KEY }}
       GITHUB_TOKEN: ${{ github.token }}
     steps:
-      - name: Set up JDK and Maven
-        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4
+      - name: 🧱 Set up JDK and Maven
+        uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73  # v4
         with:
           distribution: adopt
           java-version: 17
-      - name: Cache
-        id: cache
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+      - name: 💾 Restore cache using cache key
+        id: restore-cache
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a  # v4
         with:
           path: |
             /home/runner/.m2
             /home/runner/work
           key: ${{ needs.build.outputs.cache_key }}
-      - name: Publish to GitHub Packages
+      - name: 📦 Deploy artifacts to GitHub Packages
         run: mvn --batch-mode -Dmaven.test.skip=true -Dmaven.javadoc.skip=true -Dmaven.source.skip=true deploy -P deploy-github-packages
-      - name: Upload assets
-        run: cd ${{github.workspace}} && gh release upload v${{ needs.build.outputs.project_version }} target/*-${{ needs.build.outputs.project_version }}.jar
-        shell: bash
+      - name: 📦 Upload assets to GitHub Release
+        run: |-
+          gh release upload v${{ needs.build.outputs.project_version }} target/*-${{ needs.build.outputs.project_version }}.jar
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index da401b1..25e4fd1 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -10,14 +10,14 @@ jobs:
     name: Check commit messages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871  # v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5
         with:
-          cache: pip  # caching pip dependencies
+          python-version: 3.x
       - run: pip install commitizen
       - name: Check commit messages
         run: cz check --rev-range origin/${GITHUB_BASE_REF}..
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 32c85a1..57493be 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: release-please
         id: release
-        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f  # v4
         with:
           release-type: maven
           target-branch: main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a87cf6c..7971b76 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,6 +9,8 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
       - id: check-merge-conflict
       - id: trailing-whitespace
       - id: check-xml
@@ -16,9 +18,22 @@ repos:
       - id: check-yaml
       - id: no-commit-to-branch
       - id: mixed-line-ending
+      - id: end-of-file-fixer
       - id: pretty-format-json
-        args: [ --autofix, --no-ensure-ascii, '--top-keys=openapi,info,servers,paths,components' ]
+        args: [--autofix, --no-ensure-ascii, '--top-keys=openapi,info,servers,paths,components']
         files: docs/openapi.json
+  - repo: local
+    hooks:
+      - id: sensitive-data-leak-urls
+        name: Sensitive data leak - URLs
+        entry: (?<!polarion-opensource@)(?<!www\.)sbb\.ch
+        language: pygrep
+        types: [text]
+      - id: sensitive-data-leak-ue-numbers
+        name: Sensitive data leak - UE numbers
+        entry: \b([uUeE]{1,2})\d{5,6}\b
+        language: pygrep
+        types: [text]
   - repo: https://github.com/zricethezav/gitleaks
     rev: v8.21.1
     hooks:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index fbeaf36..d974bbb 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -79,11 +79,11 @@ Before you submit your Pull Request (PR) consider the following guidelines:
   is necessary because release notes are automatically generated from these messages.
 
      ```shell
-     git commit -a -S
+     git commit -a --gpg-sign
      ```
   Note: The optional commit `-a` command line option will automatically "add" and "rm" edited files.
 
-  Note: The command line option `-S` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
+  Note: The command line option `-S/--gpg-sign` generates a signed commit, which is required to make a contribution (See [Developer Certificate of Origin](./LICENSES/DCO.txt))
 
 * Push your branch to GitHub:
 
@@ -104,4 +104,3 @@ To ensure consistency throughout the source code, keep these rules in mind as yo
 * All features or bug fixes **must be tested** by one or more specs (unit-tests).
 * All API methods **must be documented**.
 * Also see [CODING_STANDARDS.md](./CODING_STANDARDS.md)
-
diff --git a/README.md b/README.md
index 1f75ca5..6c54b64 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,14 @@
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=bugs)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=code_smells)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=coverage)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Duplicated Lines (%)](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=duplicated_lines_density)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=reliability_rating)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=SchweizerischeBundesbahnen_ch.sbb.polarion.extension.api-extender)
+
 # API extension for Polarion ALM
 
 This Polarion extension provides additional functionality which is not implemented in standard Polarion API for some reason.

From 4ee23d7be7af91a327000ae42d05e07beda71428 Mon Sep 17 00:00:00 2001
From: ariwk <adam.ruberti@sbb.ch>
Date: Wed, 23 Oct 2024 11:23:27 +0200
Subject: [PATCH 2/2] ci: add sonar configuration for code coverage and RP,
 branch analysis

---
 .github/workflows/maven-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
index a2c2166..cd0ac47 100644
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@@ -94,10 +94,10 @@ jobs:
         run: cat /home/runner/.m2/settings.xml
       - name: 📦 Build with Maven for Pushes
         if: github.event_name == 'push'
-        run: mvn --batch-mode clean package  # sonar:sonar -Dsonar.branch.name=${{ github.head_ref }}
+        run: mvn --batch-mode clean package sonar:sonar -Dsonar.branch.name=${{ github.head_ref }}
       - name: 📦 Build with Maven for PRs
         if: github.event_name == 'pull_request'
-        run: mvn --batch-mode clean package  # sonar:sonar -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+        run: mvn --batch-mode clean package sonar:sonar -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
     outputs:
       project_version: ${{ steps.project_version.outputs.project_version }}
       cache_key: ${{ steps.cache_key.outputs.cache_key }}