LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) [year] [fullname]
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

action.yml

@@ -1,74 +1,59 @@
 ---
-# SPDX-License-Identifier: MIT
+name: Setup Java environment
-name: "Setup Java environment"
+description: Initialize Java Environment and retrieve secrets from Vault
-description: "Initialize Java Environment and retrieve secrets from Vault"
-author: Oliver Weyhmüller
 inputs:
-  roleid:
+  vault-role-id:
-    description: "Role ID of Approle"
+    description: Role ID of Approle
-    default: ""
+    required: true
-  secretid:
+  vault-secret-id:
-    description: "Secret ID of Approle"
+    description: Secret ID of Approle
-    default: ""
+    required: true
-outputs:
-  gituser:
-    description: User to use for git operations
-    value: ${{ steps.import-gpg.outputs.name }}
-  gitemail:
-    description: Email to use for git operations
-    value: ${{ steps.import-gpg.outputs.email }}
 runs:
-  using: "composite"
+  using: composite
   steps:
-    - name: "Import Secrets"
+    - name: Import Secrets
-      id: "import-secrets"
+      id: import-secrets
-      uses: "https://github.com/hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c" # v3
+      uses: https://github.com/hashicorp/vault-action@v3
       with:
-        url: "https://vault.w9r.dev"
+        url: https://vault.w9r.dev
-        method: "approle"
+        method: approle
-        role: "forgejo-ci"
+        role: forgejo-ci
-        roleId: "${{ inputs.roleid }}"
+        roleId: ${{ inputs.vault-role-id }}
-        secretId: "${{ inputs.secretid }}"
+        secretId: ${{ inputs.vault-secret-id }}
         secrets: |
-          kv/data/ci/nexus username | MAVEN_USERNAME ;
+          kv/data/ci/nexus username | NEXUS_USERNAME ;
-          kv/data/ci/nexus password | MAVEN_CENTRAL_TOKEN ;
+          kv/data/ci/nexus password | NEXUS_PASSWORD ;
-          kv/data/ci/nexus username | JRELEASER_ARTIFACTORY_USERNAME ;
-          kv/data/ci/nexus password | JRELEASER_ARTIFACTORY_TOKEN ;
           kv/data/ci/vulnz username | VULNZ_USERNAME ;
           kv/data/ci/vulnz password | VULNZ_PASSWORD ;
-          kv/data/ci/releasebot gpgPrivateKey | JRELEASER_GPG_SECRET_KEY ;
+          kv/data/ci/releasebot gpgPrivateKey | RELEASEBOT_PRIVATE_KEY ;
-          kv/data/ci/releasebot gpgPublicKey | JRELEASER_GPG_PUBLIC_KEY ;
+          kv/data/ci/releasebot gpgPublicKey | RELEASEBOT_PUBLIC_KEY ;
-          kv/data/ci/releasebot gpgPassphrase | JRELEASER_GPG_PASSPHRASE ;
+          kv/data/ci/releasebot gpgPassphrease | RELEASEBOT_PASSPHRASE ;
           kv/data/ci/releasebot ciToken | JRELEASER_GITEA_TOKEN ;
           kv/data/ci/signing gpgPrivateKey | GPG_PRIVATE_KEY ;
           kv/data/ci/signing gpgPublicKey | GPG_PUBLIC_KEY ;
-          kv/data/ci/signing gpgPassphrase | MAVEN_GPG_PASSPHRASE ;
+          kv/data/ci/signing gpgPassphrease | GPG_PASSPHRASE ;
-          kv/data/ci/sonarqube sonarToken | SONAR_TOKEN ;
+          kv/data/ci/sonarqube sonarToken | SONARQUBE_TOKEN ;
-          kv/data/ci/sonarqube sonarHost | SONAR_HOST_URL ;
+          kv/data/ci/sonarqube sonarHost | SONARQUBE_HOST ;
 
-    - name: "Set up Environment"
+    - name: Set up Environment
-      shell: "bash"
+      shell: bash
       run: |
         apt update
-        apt install -y zip zstd
+        apt install -y zip
         mkdir -p /root/.jreleaser
         mkdir -p /root/.m2
         touch /root/.jreleaser/config.properties
 
-    - name: "Install syft"
+    - name: Install syft
-      uses: "https://github.com/anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75" # v0
+      uses: https://github.com/anchore/sbom-action/download-syft@v0
-      id: "install_syft"
+      id: install_syft
       with:
-        syft-version: "v1.18.1"
+        syft-version: v1.18.1
 
-    - name: "Setup Java and Maven"
+    - name: maven-settings-xml-action
-      uses: "https://github.com/s4u/setup-maven-action@4f7fb9d9675e899ca81c6161dadbba0189a4ebb1" # v1.18.0
+      uses: https://github.com/whelk-io/maven-settings-xml-action@v22
       with:
-        checkout-fetch-depth: 0
+        repositories: >
-        java-distribution: "temurin"
-        java-version: 21
-        maven-version: 3.9.9
-        settings-repositories: >
           [
             {
               "id": "maven-releases",
@@ -101,22 +86,22 @@ runs:
               }
             }
           ]
-        settings-servers: >
+        servers: >
           [
             {
               "id": "maven-group",
-              "username": "${{ env.MAVEN_USERNAME }}",
+              "username": "${{ env.NEXUS_USERNAME }}",
-              "password": "${{ env.MAVEN_CENTRAL_TOKEN }}"
+              "password": "${{ env.NEXUS_PASSWORD }}"
             },
             {
               "id": "maven-snapshots",
-              "username": "${{ env.MAVEN_USERNAME }}",
+              "username": "${{ env.NEXUS_USERNAME }}",
-              "password": "${{ env.MAVEN_CENTRAL_TOKEN }}"
+              "password": "${{ env.NEXUS_PASSWORD }}"
             },
             {
               "id": "maven-releases",
-              "username": "${{ env.MAVEN_USERNAME }}",
+              "username": "${{ env.NEXUS_USERNAME }}",
-              "password": "${{ env.MAVEN_CENTRAL_TOKEN }}"
+              "password": "${{ env.NEXUS_PASSWORD }}"
             },
             {
               "id": "vulnz",
@@ -124,7 +109,7 @@ runs:
               "password": "${{ env.VULNZ_PASSWORD }}"
             }
           ]
-        settings-mirrors: >
+        mirrors: >
           [
             {
               "id": "maven-group",
@@ -133,18 +118,32 @@ runs:
               "url": "https://nexus.w9r.dev/repository/maven-group/"
             }
           ]
+        plugin_groups: >
+          [
+            "org.sonarsource.scanner.maven"
+          ]
+        output_file: /root/.m2/settings.xml
 
-    - name: "Import Commit Signing GPG key"
+    - name: Setup Java
-      id: "import-gpg"
+      uses: https://github.com/actions/setup-java@v4
-      uses: "https://github.com/crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5" # v6
       with:
-        gpg_private_key: "${{ env.JRELEASER_GPG_SECRET_KEY }}"
+        distribution: temurin # See 'Supported distributions' for available options
-        passphrase: "${{ env.JRELEASER_GPG_PASSPHRASE }}"
+        java-version: 21
+        cache: maven
+        check-latest: true
+
+
+    - name: Import Commit Signing GPG key
+      id: import-gpg
+      uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ env.RELEASEBOT_PRIVATE_KEY }}
+        passphrase: ${{ env.RELEASEBOT_PASSPHRASE }}
         git_user_signingkey: true
         git_commit_gpgsign: true
 
-    - name: "GPG user IDs"
+    - name: GPG user IDs
-      shell: "bash"
+      shell: bash
       run: |
         echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"
         echo "keyid:       ${{ steps.import-gpg.outputs.keyid }}"

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "local>w9r.dev/renovate-config"
-  ]
-}