refactor: CI/CD Pipelines

.github/actions/await-workflow/action.yaml

@@ -0,0 +1,100 @@
+name: "Await Workflow"
+description: "Waits until a workflow run completes."
+
+inputs:
+  run-id:
+    description: "The id of the workflow run to wait for."
+    required: true
+  poll-interval:
+    description: "The interval (in seconds) to poll for the workflow run status."
+    required: false
+    default: "60"
+  commit-status:
+    description: "The commit status message. Leave empty to not create a commit status."
+    required: false
+
+outputs:
+  succeeded:
+    description: "Whether the triggered run succeeded."
+    value: ${{ steps.wait-for-workflow.outputs.RUN_SUCCEEDED }}
+  conclusion:
+    description: "The conclusion of the triggered workflow run."
+    value: ${{ steps.wait-for-workflow.outputs.CONCLUSION }}
+
+runs:
+  using: composite
+  steps:
+    - name: Print Action Input
+      run: |
+        echo "[DEBUG] Starting 'Await Workflow' Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: View Run
+      if: ${{ inputs.commit-status != '' }}
+      id: view-run
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        JSON=$(gh run view ${{ inputs.run-id }} --json url,headSha)
+        echo "URL=$(echo $JSON | jq -r '.url')" >> $GITHUB_OUTPUT
+        echo "HEAD_SHA=$(echo $JSON | jq -r '.headSha')" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Create Commit Status
+      if: ${{ inputs.commit-status != '' }}
+      uses: actions/github-script@v7
+      with:
+        script: |
+          github.rest.repos.createCommitStatus({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            sha: '${{ steps.view-run.outputs.HEAD_SHA }}',
+            state: 'pending',
+            target_url: '${{ steps.view-run.outputs.URL }}',
+            context: '${{ inputs.commit-status }}'
+          })
+
+    - name: Wait for Workflow to Complete
+      id: wait-for-workflow
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        echo "[DEBUG] Waiting for run '${{ inputs.run-id }}' to complete..."
+        gh run watch ${{ inputs.run-id }} --interval ${{ inputs.poll-interval }} > /dev/null
+        CONCLUSION=$(gh run view ${{ inputs.run-id }} --json conclusion | jq -r '.conclusion')
+
+        echo "CONCLUSION=$CONCLUSION" >> $GITHUB_OUTPUT
+        echo "[DEBUG] Run '${{ inputs.run-id }}' finished with conclusion '$CONCLUSION'."
+
+        if [[ "$CONCLUSION" != "success" ]]; then
+          echo "RUN_SUCCEEDED=false" >> $GITHUB_OUTPUT
+          exit 1
+        fi
+
+        echo "RUN_SUCCEEDED=true" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Determine Final Commit Status
+      id: determine-final-commit-status
+      if: ${{ always() && inputs.commit-status != '' }}
+      run: |
+        if [[ "${{ steps.wait-for-workflow.outputs.CONCLUSION }}" == "success" ]]; then
+          echo "FINAL_COMMIT_STATUS=success" >> $GITHUB_OUTPUT
+        else
+          echo "FINAL_COMMIT_STATUS=failure" >> $GITHUB_OUTPUT
+        fi
+      shell: bash
+
+    - name: Update Commit Status
+      if: ${{ always() && inputs.commit-status != '' }}
+      uses: actions/github-script@v7
+      with:
+        script: |
+          github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: '${{ steps.view-run.outputs.HEAD_SHA }}',
+              state: '${{ steps.determine-final-commit-status.outputs.FINAL_COMMIT_STATUS }}',
+              target_url: '${{ steps.view-run.outputs.URL }}',
+              context: '${{ inputs.commit-status }}'
+          })

.github/actions/deploy-snapshot/action.yaml

@@ -0,0 +1,64 @@
+name: "Deploy Snapshot"
+description: "Deploys release artifacts produced by a given 'Continuous Integration' workflow to a provided SNAPSHOT repository."
+
+inputs:
+  ci-run-id:
+    description: "The run ID of the 'Continuous Integration' workflow that produced the release artifacts."
+    required: true
+  repository-url:
+    description: "The URL of the repository to which the release artifacts should be deployed."
+    required: true
+  repository-username:
+    description: "The username to use when authenticating with the repository."
+    required: true
+  repository-password:
+    description: "The password to use when authenticating with the repository."
+    required: true
+  release-artifact-name:
+    description: "The name of the artifact to download from the 'Continuous Integration' workflow."
+    required: false
+    default: "release-artifacts"
+
+runs:
+  using: composite
+  steps:
+    - name: "Print Action Start"
+      run: echo ">>>>> Starting Deploy Snapshot Action"
+      shell: bash
+
+    - name: "Setup java"
+      uses: actions/setup-java@v3
+      with:
+        distribution: "temurin"
+        java-version: "17"
+        server-id: artifactory-snapshots
+        server-username: ${{ inputs.repository-username }}
+        server-password: ${{ inputs.repository-password }}
+
+    - name: "Download Release Artifacts"
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ inputs.release-artifact-name }}
+        github-token: ${{ github.token }}
+        run-id: ${{ inputs.ci-run-id }}
+
+    - name: "Publish Snapshot"
+      run: >
+        mvn 
+        --batch-mode
+        --no-transfer-progress
+        --fail-at-end
+        --threads 1C
+        -Durl=${{ inputs.repository-url }}
+        -DrepositoryId=artifactory-snapshots
+        -Dmaven.install.skip=true
+        -Dmaven.test.skip
+        -Dmaven.compiler.showCompilationChanges
+        -Dhttp.keepAlive=false
+        deploy
+      shell: bash
+
+    - name: "Print Action End"
+      if: always()
+      run: echo ">>>>> Finished Deploy Snapshot Action"
+      shell: bash

.github/actions/pr-is-mergeable/action.yaml

@@ -0,0 +1,106 @@
+name: "PR Is Mergeable"
+description: "Checks whether the provided PR is approved and all status checks either succeeded or have been skipped"
+
+inputs:
+  pr-ref:
+    description: "The reference (i.e. either number or a branch) of the PR to check"
+    required: true
+  fail-on-unmergeable:
+    description: "Whether to fail the action if the PR is not mergeable"
+    required: false
+    default: "true"
+  repo:
+    description: "The repository of the PR"
+    required: false
+    default: ${{ github.repository }}
+  token:
+    description: "The GitHub access token (with PR read permissions) to access the PR"
+    required: false
+    default: ${{ github.token }}
+  excluded-check-runs:
+    description: "A comma-separated list of workflow names that are excluded from the Check Runs check"
+    required: false
+    default: ${{ github.workflow }}
+
+outputs:
+  pr-number:
+    description: "The number of the PR that was checked"
+    value: ${{ steps.check.outputs.PR_NUMBER }}
+  is-mergeable:
+    description: "Whether the PR is mergeable"
+    value: ${{ steps.check.outputs.RESULT }}
+
+runs:
+  using: composite
+  steps:
+    - name: "Print Action Start"
+      run: echo ">>>>> Starting PR Is Mergeable Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: "Check Whether PR Is Mergeable"
+      id: check
+      run: |
+        PR_JSON=$(gh pr view "${{ inputs.pr-ref }}" --repo "${{ inputs.repo }}" --json number,mergeable,reviewDecision,statusCheckRollup)
+
+        PR_NUMBER=$(jq -r '.number' <<< "$PR_JSON")
+        PR_MERGEABLE=$(jq -r '.mergeable' <<< "$PR_JSON")
+        PR_DECISION=$(jq -r '.reviewDecision' <<< "$PR_JSON")
+
+        echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
+        echo "[DEBUG] PR #$PR_NUMBER (in ${{ inputs.repo }}) is mergeable: $PR_MERGEABLE with decision $PR_DECISION"
+
+        if [[ "$PR_DECISION" != "APPROVED" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) has not been approved."
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        if [[ "$PR_MERGEABLE" != "MERGEABLE" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) is not mergeable (i.e. there are conflicts)."
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        PR_CHECKS=$(jq -r '.statusCheckRollup' <<< "$PR_JSON")
+
+        # check runs are things like our CI pipeline
+        FAILED_CHECK_RUNS=$(jq -r '.[] | select(.__typename == "CheckRun" and .conclusion != "SUCCESS" and .conclusion != "NEUTRAL")' <<< "$PR_CHECKS")
+        IFS=',' read -ra EXCLUDED_WORKFLOWS <<< "${{ inputs.excluded-check-runs }}"
+        for EXCLUDED_WORKFLOW in "${EXCLUDED_WORKFLOWS[@]}"; do
+          if [[ -z "$FAILED_CHECK_RUNS" ]]; then
+            break
+          fi
+
+          FAILED_CHECK_RUNS=$(jq -r 'select(.workflowName != "$EXCLUDED_WORKFLOW")' <<< "$FAILED_CHECK_RUNS")
+        done
+
+        if [[ -n "$FAILED_CHECK_RUNS" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) contains failed check runs: "
+          echo "$FAILED_CHECK_RUNS"
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        # context checks are things like the license agreement check
+        FAILED_CONTEXT_CHECKS=$(jq -r '.[] | select(.__typename == "StatusContext" and .state != "SUCCESS" and .state != "NEUTRAL")' <<< "$PR_CHECKS")
+        if [[ -n "$FAILED_CONTEXT_CHECKS" ]]; then
+          echo "PR #$PR_NUMBER (in ${{ inputs.repo }}) contains failed context checks: "
+          echo "$FAILED_CONTEXT_CHECKS"
+          echo "RESULT=false" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        echo "RESULT=true" >> $GITHUB_OUTPUT
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+
+    - name: "Fail If PR Is Not Mergeable"
+      if: ${{ inputs.fail-on-unmergeable == 'true' && steps.check.outputs.RESULT != 'true' }}
+      run: exit 1
+      shell: bash
+
+    - name: "Print Action End"
+      if: always()
+      run: echo "<<<<< Finished PR Is Mergeable Action"
+      shell: bash

.github/actions/scan-with-blackduck/action.yaml

@@ -0,0 +1,37 @@
+name: "Scan with BlackDuck"
+description: "Scans the project with BlackDuck"
+
+runs:
+  using: composite
+  steps:
+    - name: Print Action Start
+      run: echo ">>>>> Starting Scan with BlackDuck Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: Get Major Version
+      id: get-major-version
+      run: echo "MAJOR_VERSION=$(cat latest.json | jq -r .version | cut -d '.' -f 1)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Determine Maven Excludes
+      id: get-maven-excludes-for-blackduck
+      run: python .pipeline/scripts/get-maven-excludes.py --filter-key excludeFromBlackDuckScan --filter-value True
+      shell: bash
+
+    - name: BlackDuck Scan
+      uses: SAP/project-piper-action@master
+      with:
+        command: detectExecuteScan
+        flags: \
+          --version=$PROJECT_VERSION \
+      env:
+        PIPER_token: ${{ secrets.BLACKDUCK_TOKEN }}
+        DETECT_MAVEN_EXCLUDED_MODULES: ${{ steps.get-maven-excludes-for-blackduck.outputs.EXCLUDES }}
+        DETECT_MAVEN_BUILD_COMMAND: -pl ${{ steps.get-maven-excludes-for-blackduck.outputs.PREFIXED_EXCLUDES }}
+        DETECT_TIMEOUT: "7200"
+        PROJECT_VERSION: ${{ steps.get-major-version.outputs.MAJOR_VERSION }}
+
+    - name: Print Action End
+      if: always()
+      run: echo "<<<<< Finished Scan with BlackDuck Action"
+      shell: bash

.github/actions/trigger-workflow/action.yaml

@@ -0,0 +1,67 @@
+name: "Trigger Workflow"
+description: "Triggers a workflow without waiting for it to complete."
+
+inputs:
+  workflow:
+    description: "The workflow file name"
+    required: true
+  workflow-ref:
+    description: "The ref (i.e. branch name, or tag name) where the workflow is located."
+    required: true
+  parameters:
+    description: "The workflow parameters"
+    required: false
+  commit-sha:
+    description: "The commit SHA to trigger the workflow on"
+    required: false
+    default: ${{ github.sha }}
+
+outputs:
+  run-id:
+    description: "The id of the workflow run that was triggered."
+    value: ${{ steps.trigger-workflow.outputs.RUN_ID }}
+  run-url:
+    description: "The url of the workflow run that was triggered."
+    value: ${{ steps.trigger-workflow.outputs.RUN_URL }}
+
+runs:
+  using: composite
+  steps:
+    - name: Print Action Input
+      run: |
+        echo "[DEBUG] Starting 'Trigger Workflow' Action; inputs = ${{ toJson(inputs) }}"
+      shell: bash
+
+    - name: Trigger Workflow
+      id: trigger-workflow
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        PREVIOUS_RUN_ID=$(gh run list --workflow=${{ inputs.workflow}} --commit=${{ inputs.commit-sha }} --json databaseId | jq -r '.[0].databaseId')
+        echo "[DEBUG] Previous run id = '$PREVIOUS_RUN_ID'"
+
+        gh workflow run "${{ inputs.workflow }}" --ref "${{ inputs.workflow-ref }}" ${{ inputs.parameters }}
+        # allow for some initial delay as workflows take a moment to spin up
+        sleep 20
+
+        for i in {0..6}; do
+          LATEST_RUN_ID=$(gh run list --workflow=${{ inputs.workflow }} --commit=${{ inputs.commit-sha }} --json databaseId | jq -r '.[0].databaseId')
+
+          if [[ -z "$LATEST_RUN_ID" || "$LATEST_RUN_ID" == "$PREVIOUS_RUN_ID" ]]; then
+            echo "[DEBUG] No new run detected. Waiting for 10 seconds."
+            sleep 10
+          else
+            echo "[DEBUG] New workflow run detected: '$LATEST_RUN_ID'."
+
+            RUN_URL=$(gh run view $LATEST_RUN_ID --json url | jq -r '.url')
+            echo "[DEBUG] ${{ inputs.workflow }} run #$LATEST_RUN_ID successfully triggered: $RUN_URL"
+            echo "[${{ inputs.workflow }} run (#$LATEST_RUN_ID)]($RUN_URL)" >> $GITHUB_STEP_SUMMARY        
+            echo "RUN_ID=$LATEST_RUN_ID" >> $GITHUB_OUTPUT
+            echo "RUN_URL=$RUN_URL" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        done
+
+        echo "[DEBUG] Unable to detect new run of workflow '${{ inputs.workflow }}'."
+        exit 1
+      shell: bash