From 86e71a534feb92306e53e6a63d8e143730970d1f Mon Sep 17 00:00:00 2001
From: Djaytan <26904516+Djaytan@users.noreply.github.com>
Date: Sat, 6 Jan 2024 16:33:51 +0100
Subject: [PATCH] ci(github): merge some workflows together for simplification

---
 .github/workflows/{maven-ci.yml => ci.yml}    | 29 ++++++++-
 .../workflows/conventional-commits-check.yml  | 41 ------------
 ...orecard.yml => openssf-scorecard-scan.yml} |  2 +-
 .github/workflows/security-scan-codeql.yml    | 64 -------------------
 4 files changed, 27 insertions(+), 109 deletions(-)
 rename .github/workflows/{maven-ci.yml => ci.yml} (71%)
 delete mode 100644 .github/workflows/conventional-commits-check.yml
 rename .github/workflows/{security-scan-scorecard.yml => openssf-scorecard-scan.yml} (98%)
 delete mode 100644 .github/workflows/security-scan-codeql.yml

diff --git a/.github/workflows/maven-ci.yml b/.github/workflows/ci.yml
similarity index 71%
rename from .github/workflows/maven-ci.yml
rename to .github/workflows/ci.yml
index 867401a77..4a8a90919 100644
--- a/.github/workflows/maven-ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,14 +1,15 @@
-name: Maven - CI
+name: CI
 
 on:
   workflow_dispatch:
   push:
-    # Re-execute the CI on default branch only for status while ensuring it remains stable in any circumstances
     branches:
       - 'main'
   pull_request:
     branches:
       - 'main'
+  schedule:
+    - cron: '28 14 * * *' # At 14:28 every day
 
 permissions: {}
 
@@ -18,7 +19,9 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
+      actions: read
       contents: read
+      security-events: write
 
     steps:
       - name: Harden runner
@@ -28,6 +31,9 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             github.com:443
+            api.github.com:443
+            uploads.github.com:443
+            objects.githubusercontent.com:443
             repo.maven.apache.org:443
             jitpack.io:443
             repo.papermc.io:443
@@ -43,8 +49,15 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
-          # SonarQube - Shallow clones should be disabled for a better relevancy of analysis
+          # Required by SonarCloud & Cocogitto
           fetch-depth: 0
+          # Pick the PR HEAD instead of the merge commit (required by Cocogitto)
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Conventional commits check
+        uses: cocogitto/cocogitto-action@ac6260150ee57e3164cd95b47fc84cdee9e3444c # v3.5
+        with:
+          check-latest-tag-only: true
 
       - name: Set up JDK 17
         uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
@@ -63,6 +76,11 @@ jobs:
           key: sonar
           restore-keys: sonar
 
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          languages: java
+
       - name: Maven build & SonarCloud quality scan
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -76,3 +94,8 @@ jobs:
             -Dsonar.host.url="${SONAR_HOST_URL}" \
             -Dsonar.organization="${SONAR_ORGANIZATION}" \
             -Dsonar.projectKey="${SONAR_PROJECT_KEY}"
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          category: /language:java
diff --git a/.github/workflows/conventional-commits-check.yml b/.github/workflows/conventional-commits-check.yml
deleted file mode 100644
index 48bc2f677..000000000
--- a/.github/workflows/conventional-commits-check.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Conventional Commits - Check
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches:
-      - 'main'
-
-permissions: {}
-
-jobs:
-  check:
-    name: Check
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            objects.githubusercontent.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          persist-credentials: false
-          # Required by Cocogitto
-          fetch-depth: 0
-          # Pick the PR HEAD instead of the merge commit
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Check compliance
-        uses: cocogitto/cocogitto-action@ac6260150ee57e3164cd95b47fc84cdee9e3444c # v3.5
-        with:
-          check-latest-tag-only: true
diff --git a/.github/workflows/security-scan-scorecard.yml b/.github/workflows/openssf-scorecard-scan.yml
similarity index 98%
rename from .github/workflows/security-scan-scorecard.yml
rename to .github/workflows/openssf-scorecard-scan.yml
index 72164e2fa..3adf265aa 100644
--- a/.github/workflows/security-scan-scorecard.yml
+++ b/.github/workflows/openssf-scorecard-scan.yml
@@ -1,4 +1,4 @@
-name: Security Scan - Scorecard
+name: OpenSSF Scorecard - Scan
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/security-scan-codeql.yml b/.github/workflows/security-scan-codeql.yml
deleted file mode 100644
index ceaa2f173..000000000
--- a/.github/workflows/security-scan-codeql.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: Security scan - CodeQL
-
-on:
-  workflow_dispatch:
-  push:
-    # Re-execute the CI on default branch only for status while ensuring it remains stable in any circumstances
-    branches:
-      - 'main'
-  pull_request:
-    branches:
-      - 'main'
-  schedule:
-    - cron: '28 14 * * *' # At 14:28 every day
-
-permissions: {}
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Harden runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            api.github.com:443
-            uploads.github.com:443
-            repo.maven.apache.org:443
-            jitpack.io:443
-            repo.papermc.io:443
-
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          persist-credentials: false
-
-      - name: Set up JDK 17
-        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
-        with:
-          java-version: 17
-          distribution: temurin
-          cache: maven
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
-        with:
-          languages: java
-
-      - name: Build
-        run: mvn package --activate-profiles fast --batch-mode --errors --strict-checksums --update-snapshots --fail-fast
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
-        with:
-          category: /language:java