cap-java · Schmarvinius · May 4, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
@@ -8,33 +8,22 @@ inputs:
   maven-version:
     description: The Maven version the build will run with.
     required: true
-  mutation-testing:
-    description: Whether to run mutation testing or not.
-    default: 'true'
-    required: false
 
 runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 
-    - name: Piper Maven build
-      uses: SAP/project-piper-action@main
-      with:
-        step-name: mavenBuild
-        docker-image: ''
-
-    - name: Mutation Testing
-      if: ${{ inputs.mutation-testing == 'true' }}
-      run: mvn org.pitest:pitest-maven:mutationCoverage -f cds-feature-attachments/pom.xml -ntp -B
+    - name: Maven Build
+      run: mvn clean install -DskipTests -B -ntp
       shell: bash
@@ -0,0 +1,91 @@
+name: Bind Cloud Foundry Services
+description: Login to CF and bind services for hybrid testing via cds bind
+
+inputs:
+  cf-api:
+    description: Cloud Foundry API endpoint
+    required: true
+  cf-username:
+    description: Cloud Foundry username
+    required: true
+  cf-password:
+    description: Cloud Foundry password
+    required: true
+  cf-org:
+    description: Cloud Foundry organization
+    required: true
+  cf-space:
+    description: Cloud Foundry space
+    required: true
+  auth-method:
+    description: 'Malware scanner authentication method: basic or mtls'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Install CF CLI
+      shell: bash
+      run: |
+        wget -q "https://packages.cloudfoundry.org/stable?release=linux64-binary&version=8.9.0&source=github-rel" -O cf-cli.tar.gz
+        tar -xzf cf-cli.tar.gz
+        sudo mv cf8 /usr/local/bin/cf
+        cf --version
+
+    - name: CF Login
+      shell: bash
+      env:
+        CF_USERNAME: ${{ inputs.cf-username }}
+        CF_PASSWORD: ${{ inputs.cf-password }}
+        CF_API: ${{ inputs.cf-api }}
+        CF_ORG: ${{ inputs.cf-org }}
+        CF_SPACE: ${{ inputs.cf-space }}
+      run: |
+        for i in {1..5}; do
+          cf api "$CF_API" && \
+          cf auth && \
+          cf target -o "$CF_ORG" -s "$CF_SPACE" && break
+          if [ "$i" -eq 5 ]; then
+            echo "cf login failed after 5 attempts."
+            exit 1
+          fi
+          echo "cf login failed, retrying ($i/5)..."
+          sleep 10
+        done
+
+    - name: Install @sap/cds-dk
+      shell: bash
+      run: |
+        npm i -g @sap/cds-dk
+        echo "$(npm config get prefix)/bin" >> "${GITHUB_PATH}"
+
+    - name: Install CDS dependencies
+      shell: bash
+      run: npm i
+      working-directory: integration-tests/mtx-local
+
+    - name: Bind objectstore
+      shell: bash
+      working-directory: integration-tests/mtx-local
+      run: |
+        for i in {1..5}; do
+          cds bind os -2 os:pipeline && break
+          echo "cds bind objectstore failed, retrying ($i/5)..."
+          sleep 30
+          if [ "$i" -eq 5 ]; then
+            echo "cds bind objectstore failed after 5 attempts."
+            exit 1
+          fi
+        done
+
+    - name: Bind malware-scanner (basic)
+      if: inputs.auth-method == 'basic'
+      shell: bash
+      working-directory: integration-tests/mtx-local
+      run: cds bind malware -2 malware:malware-key-basic
+
+    - name: Bind malware-scanner (mtls)
+      if: inputs.auth-method == 'mtls'
+      shell: bash
+      working-directory: integration-tests/mtx-local
+      run: cds bind malware -2 malware:malware-key-mtls
@@ -27,14 +27,8 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Echo Inputs
-      run: |
-        echo "user: ${{ inputs.user }}"
-        echo "revision: ${{ inputs.revision }}"
-      shell: bash
-
     - name: Set up Java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: sapmachine
         java-version: '17'
@@ -44,7 +38,7 @@ runs:
         server-password: MAVEN_CENTRAL_PASSWORD
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 

@@ -1,5 +1,5 @@
-name: Integration Tests with current version of CAP Java
-description: Run integration tests with the current version of CAP Java using Maven.
+name: Integration Tests
+description: Run integration tests using Maven with cds bind for service bindings.
 
 inputs:
   java-version:
@@ -8,40 +8,36 @@ inputs:
   maven-version:
     description: The Maven version the build shall run with.
     required: true
-  test-type:
-    description: 'Which integration test to run: build-version, latest-version, or oss'
-    required: true
 
 runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Setup Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 
     - name: Build dependencies for integration tests
-      run: mvn clean install -ntp -B -pl cds-feature-attachments,storage-targets/cds-feature-attachments-fs,storage-targets/cds-feature-attachments-oss -am
+      run: mvn clean install -ntp -B -pl cds-feature-attachments,storage-targets/cds-feature-attachments-fs,storage-targets/cds-feature-attachments-oss -am -Dcds.install-node.skip
       shell: bash
 
-    - name: Integration Tests with version of CAP Java used for build
-      if: inputs.test-type == 'build-version'
-      run: mvn clean verify -ntp -B -f ./integration-tests/pom.xml
+    - name: Generic Integration Tests
+      run: mvn clean verify -ntp -B -f integration-tests/pom.xml -pl :cds-feature-attachments-integration-tests-parent,:cds-feature-attachments-integration-tests-db,:cds-feature-attachments-integration-tests-generic -Dcds.install-node.skip
       shell: bash
 
-    - name: Integration Tests with latest version of CAP Java
-      if: inputs.test-type == 'latest-version'
-      run: mvn clean verify -ntp -B -f ./integration-tests/pom.xml -P latest-test-version
+    - name: MTX-Local Integration Tests
+      run: cds bind --exec -- mvn clean verify -ntp -B -f ../../integration-tests/mtx-local/srv/pom.xml -Dcds.install-node.skip
+      working-directory: integration-tests/mtx-local
       shell: bash
 
-    - name: Integration Tests for the object store service
-      if: inputs.test-type == 'oss'
-      run: mvn clean verify -ntp -B -Pintegration-tests-oss
+    - name: Client Integration Tests (OSS + Malware)
+      run: cds bind --exec -- mvn verify -ntp -B -f ../../pom.xml -pl cds-feature-attachments,storage-targets/cds-feature-attachments-oss -P integration-tests,integration-tests-oss -Dcds.install-node.skip
+      working-directory: integration-tests/mtx-local
       shell: bash
@@ -13,14 +13,14 @@ runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 

@@ -24,35 +24,36 @@ runs:
   using: composite
   steps:
     - name: Set up Java ${{ inputs.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{ inputs.maven-version }}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{ inputs.maven-version }}
 
-    - name: Get Major Version
-      id: get-major-version
+    - name: Get Revision
+      id: get-revision
       run: |
         echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
       shell: bash
 
-    - name: Print Version Number
-      run: echo "${{ steps.get-major-version.outputs.REVISION }}"
-      shell: bash
-
-    - name: BlackDuck Scan
-      uses: SAP/project-piper-action@main
+    - name: BlackDuck Security Scan
+      uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0
       with:
-        step-name: detectExecuteScan
-        flags: \
-          --githubToken=$GITHUB_token \
-          --version=${{ steps.get-major-version.outputs.REVISION }}
-      env:
-        PIPER_token: ${{ inputs.blackduck_token }}
-        GITHUB_token: ${{ inputs.github_token }}
-        SCAN_MODE: ${{ inputs.scan_mode }}
+        blackducksca_url: https://sap.blackducksoftware.com/
+        blackducksca_token: ${{ inputs.blackduck_token }}
+        blackducksca_scan_full: ${{ inputs.scan_mode == 'FULL' }}
+        github_token: ${{ inputs.github_token }}
+        detect_args: >
+          --detect.project.name=com.sap.cds.feature.attachments
+          --detect.project.version.name=${{ steps.get-revision.outputs.REVISION }}
+          --detect.included.detector.types=MAVEN
+          --detect.excluded.directories=**/*test*,**/samples/**
+          --detect.maven.build.command=-pl com.sap.cds:cds-feature-attachments,com.sap.cds:cds-feature-attachments-oss,com.sap.cds:cds-feature-attachments-fs
+          --detect.tools=DETECTOR,BINARY_SCAN
+          --detect.risk.report.pdf=false
+          --logging.level.detect=INFO
@@ -0,0 +1,44 @@
+name: CodeQL Analysis
+description: Runs CodeQL security analysis on the project.
+
+inputs:
+  java-version:
+    description: The Java version to use for the build.
+    required: true
+  maven-version:
+    description: The Maven version to use for the build.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Java ${{ inputs.java-version }}
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      with:
+        java-version: ${{ inputs.java-version }}
+        distribution: sapmachine
+        cache: maven
+
+    - name: Set up Maven ${{ inputs.maven-version }}
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
+      with:
+        maven-version: ${{ inputs.maven-version }}
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
+      with:
+        languages: java-kotlin
+        build-mode: manual
+
+    - name: Install @sap/cds-dk
+      run: npm i -g @sap/cds-dk
+      shell: bash
+
+    - name: Build Java code
+      run: mvn clean compile -B -ntp -Dcds.install-node.skip
+      shell: bash
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@ed410739ba306e4ebe5e123421a6bd694e494a2b # v4
+      with:
+        category: "/language:java-kotlin"
@@ -20,14 +20,14 @@ runs:
 
   steps:
     - name: Set up Java ${{inputs.java-version}}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: ${{inputs.java-version}}
         distribution: sapmachine
         cache: maven
 
     - name: Set up Maven ${{inputs.maven-version}}
-      uses: stCarolas/setup-maven@v5
+      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
       with:
         maven-version: ${{inputs.maven-version}}
 
@@ -37,13 +37,9 @@ runs:
         echo "REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)" >> $GITHUB_OUTPUT
       shell: bash
 
-    - name: Print Revision
-      run: echo "${{steps.get-revision.outputs.REVISION}}"
-      shell: bash
-
     - name: Build project for SonarQube scan
       run: |
-        mvn clean verify -ntp -B
+        mvn clean verify -ntp -B -Dcds.install-node.skip
       shell: bash
 
     - name: Verify JaCoCo reports exist
@@ -66,12 +62,19 @@ runs:
       shell: bash
 
     - name: SonarQube Scan
-      uses: SAP/project-piper-action@main
-      with:
-        step-name: sonarExecuteScan
-        flags: >
-          --token=${{ inputs.sonarq-token }}
-          --githubToken=${{ inputs.github-token }}
-          --version=${{ steps.get-revision.outputs.REVISION }}
-          --inferJavaBinaries=true
-          --options=-Dsonar.exclusions=**/samples/**,-Dsonar.coverage.jacoco.xmlReportPaths=coverage-report/target/site/jacoco-aggregate/jacoco.xml
+      run: >
+        mvn org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+        -Dsonar.host.url=https://sonar.tools.sap
+        -Dsonar.token="${SONAR_TOKEN}"
+        -Dsonar.projectKey=cds-feature-attachments
+        -Dsonar.projectVersion=${{ steps.get-revision.outputs.REVISION }}
+        -Dsonar.qualitygate.wait=true
+        -Dsonar.java.source=17
+        -Dsonar.exclusions=**/samples/**
+        -Dsonar.coverage.jacoco.xmlReportPaths=${{ github.workspace }}/coverage-report/target/site/jacoco-aggregate/jacoco.xml
+        -Dsonar.coverage.exclusions=cds-feature-attachments/src/test/**,cds-feature-attachments/src/gen/**,storage-targets/cds-feature-attachments-fs/src/test/**,storage-targets/cds-feature-attachments-oss/src/test/**
+        -B -ntp
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+        SONAR_TOKEN: ${{ inputs.sonarq-token }}