From fe111405c57dd787ceadc42aa5ae628778ee3371 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <kwin@apache.org>
Date: Fri, 15 May 2026 18:30:32 +0200
Subject: [PATCH] Build with GHA

---
 .asf.yaml                   |   2 +-
 .github/workflows/build.yml | 120 ++++++++++++++++++++++++++++++++++++
 parent/pom.xml              |   4 +-
 3 files changed, 123 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/build.yml

diff --git a/.asf.yaml b/.asf.yaml
index 106f10cc5..4320b9081 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -14,7 +14,7 @@ github:
     - JCR
     - SLING
     - FELIX
-  dependabot_alerts:  true
+  dependabot_alerts:  false
   dependabot_updates: false
   protected_branches:
     master: {}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..85ef387fe
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,120 @@
+#  ~ Licensed to the Apache Software Foundation (ASF) under one
+#  ~ or more contributor license agreements.  See the NOTICE file
+#  ~ distributed with this work for additional information
+#  ~ regarding copyright ownership.  The ASF licenses this file
+#  ~ to you under the Apache License, Version 2.0 (the
+#  ~ "License"); you may not use this file except in compliance
+#  ~ with the License.  You may obtain a copy of the License at
+#  ~
+#  ~   http://www.apache.org/licenses/LICENSE-2.0
+#  ~
+#  ~ Unless required by applicable law or agreed to in writing,
+#  ~ software distributed under the License is distributed on an
+#  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  ~ KIND, either express or implied.  See the License for the
+#  ~ specific language governing permissions and limitations
+#  ~ under the License.
+
+name: Build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  build:
+    name: ${{ matrix.namePrefix }} Maven build (${{ matrix.os }}, JDK ${{ matrix.jdk }})
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macOS-latest]
+        jdk: [17, 21, 25]
+        include:
+          # lengthy build steps should only be performed on linux with Java 21 (deployment)
+          - os: ubuntu-latest
+            jdk: 21
+            isMainBuildEnv: true
+            namePrefix: 'Main '
+      fail-fast: true
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Git clone
+        uses: actions/checkout@v6
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: ${{ matrix.jdk }}
+          cache: maven
+          server-id: apache.snapshots.https # Value of the distributionManagement/repository/id field of the pom.xml
+          server-username: MAVEN_APACHE_NEXUS_USERNAME # env variable for username in deploy
+          server-password: MAVEN_APACHE_NEXUS_PASSWORD # env variable for token in deploy
+      # sets environment variables to be used in subsequent steps: https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
+      - name: Set environment variables
+        shell: bash
+        run: |
+          if [ "${{github.ref}}" = "refs/heads/master" ] && [ "${{github.event_name}}" = "push" ] && [ "${{github.repository_owner}}" = "apache" ] && [ "${{ matrix.isMainBuildEnv }}" = "true" ]; then
+            echo 'Running on main branch of the canonical repo'
+            echo "MVN_ADDITIONAL_OPTS=-DdeployAtEnd=true -Pdependency-check -DnvdApiKeyEnvironmentVariable=NIST_NVD_API_KEY" >> $GITHUB_ENV
+            echo "MVN_GOAL=deploy" >> $GITHUB_ENV
+            echo "MAVEN_APACHE_NEXUS_USERNAME=${{ secrets.NEXUS_USER }}" >> $GITHUB_ENV
+            echo "MAVEN_APACHE_NEXUS_PASSWORD=${{ secrets.NEXUS_PW }}" >> $GITHUB_ENV
+            echo "NIST_NVD_API_KEY=${{ secrets.NIST_NVD_API_KEY }}" >> $GITHUB_ENV
+          else
+            echo 'Running outside main branch/canonical repo'
+            if [ "${{ matrix.isMainBuildEnv }}" = "true" ]; then
+              echo "MVN_ADDITIONAL_OPTS=-Pdependency-check -DnvdApiKeyEnvironmentVariable=NIST_NVD_API_KEY" >> $GITHUB_ENV
+            else
+              echo "MVN_ADDITIONAL_OPTS=" >> $GITHUB_ENV
+            fi
+            echo "MVN_GOAL=install site" >> $GITHUB_ENV
+          fi
+      - name: Build
+        shell: bash
+        # executing ITs requires installing artifacts to the local repository
+        run: mvn -B ${{ env.MVN_GOAL }} ${{ env.MVN_ADDITIONAL_OPTS }} -Pjacoco-report -Dlogback.configurationFile=vault-core/src/test/resources/logback-only-errors.xml
+      - name: Upload build result
+        uses: actions/upload-artifact@v7
+        with:
+          name: compiled-classes-and-coverage
+          # compare with https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/java/#java-analysis-and-bytecode
+          path: |
+             **/target/**/*.class
+             **/target/site/jacoco*/*.xml
+  
+  # execute analysis in a separate job for better visualization and usage of matrix builds
+  # https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/#invoking-the-goal
+  sonar:
+    name: SonarQube Analysis
+    runs-on: ubuntu-latest
+    needs: build
+    # not supported on forks, https://portal.productboard.com/sonarsource/1-sonarqube-cloud/c/50-sonarcloud-analyzes-external-pull-request
+    if: ${{ github.repository == 'apache/jackrabbit-filevault'  }}
+    steps: 
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 21
+          distribution: temurin
+          cache: maven
+      - name: Download compiled classes
+        uses: actions/download-artifact@v8
+        with:
+          name: compiled-classes-and-coverage
+      - name: Cache SonarQube packages
+        uses: actions/cache@v5
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Analyze with SonarQube
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}
+        run: mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:5.6.0.6792:sonar -Dsonar.projectKey=apache_jackrabbit-filevault -Dsonar.organization=apache -Dsonar.scanner.skipJreProvisioning=true
\ No newline at end of file
diff --git a/parent/pom.xml b/parent/pom.xml
index 3934d2be4..6b27ae768 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -85,8 +85,8 @@ Apache Jackrabbit FileVault is a project of the Apache Software Foundation.</des
   </issueManagement>
 
   <ciManagement>
-    <system>Jenkins</system>
-    <url>https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/activity</url>
+    <system>github</system>
+    <url>https://github.com/apache/jackrabbit-filevault/actions/workflows/build.yml</url>
   </ciManagement>
 
   <properties>