From 3f08da19ccbfbb8dbcdc99340fd13f7396ac357a Mon Sep 17 00:00:00 2001 From: Gabriel Fleischer Date: Mon, 20 Oct 2025 14:50:49 +0200 Subject: [PATCH 1/2] Bootstrap GHA for sonar-java-symbolic-execution --- .cirrus.yml | 2 +- .../resolve-sonar-java-plugin-version.sh | 0 .github/workflows/build.yml | 116 ++++++++++++++++++ .github/workflows/pr-cleanup.yml | 13 ++ mise.toml | 3 + 5 files changed, 133 insertions(+), 1 deletion(-) rename {.cirrus => .github/scripts}/resolve-sonar-java-plugin-version.sh (100%) create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/pr-cleanup.yml create mode 100644 mise.toml diff --git a/.cirrus.yml b/.cirrus.yml index 5c88182b5..21d685fa3 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -116,7 +116,7 @@ ruling_task: ruling_script: - source cirrus-env QA - source set_maven_build_version $BUILD_NUMBER - - export SONAR_JAVA_VERSION="$(.cirrus/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")" + - export SONAR_JAVA_VERSION="$(.github/scripts/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")" - echo "Using SONAR_JAVA_VERSION=${SONAR_JAVA_VERSION}" - cd its/ruling - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.java.version="$SONAR_JAVA_VERSION" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true diff --git a/.cirrus/resolve-sonar-java-plugin-version.sh b/.github/scripts/resolve-sonar-java-plugin-version.sh similarity index 100% rename from .cirrus/resolve-sonar-java-plugin-version.sh rename to .github/scripts/resolve-sonar-java-plugin-version.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 000000000..527c5c7b2 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,116 @@ +name: Build +on: + push: + branches: + - master + - branch-* + - dogfood-* + pull_request: + workflow_dispatch: + schedule: + - cron: "30 1 * * *" # Run daily at 1:30 AM UTC + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + build: + name: Build + runs-on: github-ubuntu-latest-s + permissions: + id-token: write + contents: write + outputs: + build-number: ${{ steps.build-maven.outputs.BUILD_NUMBER }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0 + with: + version: 2025.7.12 + - uses: SonarSource/ci-github-actions/build-maven@v1 + id: build-maven + with: + deploy-pull-request: true + artifactory-reader-role: private-reader # Override default public-reader + artifactory-deployer-role: qa-deployer # Override default public-deployer + + qa: + needs: [build] + runs-on: github-ubuntu-latest-l + if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') + permissions: + id-token: write + strategy: + fail-fast: false + matrix: + item: + - { name: "with Lastest SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "LATEST_MASTER" } + - { name: "for SonarQube Project Only", profile: "only-sonarqube-project", java_plugin_version: "LATEST_MASTER" } + - { name: "with Prod SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "POM_PROPERTY" } + name: "QA Tests ${{ matrix.item.name }}" + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + submodules: recursive + - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0 + with: + version: 2025.7.12 + - name: Get GitHub Token for QA Licenses + id: secrets + uses: 
SonarSource/vault-action-wrapper@v3 + with: + secrets: | + development/github/token/licenses-ro token | GITHUB_TOKEN; + - name: Configure Maven + id: configure-maven + uses: SonarSource/ci-github-actions/config-maven@v1 + with: + artifactory-reader-role: private-reader # Override default public-reader + - name: Get Sonar Java plugin version + id: resolve-sonar-java-plugin-version + run: | + VERSION=$(.github/scripts/resolve-sonar-java-plugin-version.sh "${{ matrix.item.java_plugin_version }}") + echo "version=${VERSION}" >> $GITHUB_OUTPUT + - name: Run QA Tests + env: + GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} + BUILD_NUMBER: ${{ needs.build.outputs.build-number }} + MAVEN_OPTS: "-Xmx3g" + SONAR_JAVA_VERSION: ${{ steps.resolve-sonar-java-plugin-version.outputs.version }} + run: | + cd its/ruling + mvn package --batch-mode \ + "-Pit-ruling,${{ matrix.item.profile }}" \ + "-Dsonar.java.version=${SONAR_JAVA_VERSION}" \ + "-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" \ + "-Dsonar.runtimeVersion=LATEST_RELEASE" \ + "-Dmaven.test.redirectTestOutputToFile=false" \ + "-DbuildNumber=${BUILD_NUMBER}" \ + -B -e -V \ + "-Dparallel=methods" \ + "-DuseUnlimitedThreads=true" + - name: Upload ruling artifacts on failure + if: failure() + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.5.0 + with: + name: ruling-actual-${{ matrix.item.profile }}-${{ matrix.item.java_plugin_version }} + path: its/ruling/target/actual/**/* + + promote: + name: Promote + needs: [build, qa] + runs-on: github-ubuntu-latest-s + if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') + permissions: + id-token: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0 + with: + cache_save: false + 
version: 2025.7.12 + - name: Promote artifacts + uses: SonarSource/ci-github-actions/promote@v1 \ No newline at end of file diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml new file mode 100644 index 000000000..65c756fc6 --- /dev/null +++ b/.github/workflows/pr-cleanup.yml @@ -0,0 +1,13 @@ +name: Cleanup PR Resources +on: + pull_request: + types: + - closed + +jobs: + cleanup: + runs-on: github-ubuntu-latest-s + permissions: + actions: write + steps: + - uses: SonarSource/ci-github-actions/pr_cleanup@v1 diff --git a/mise.toml b/mise.toml new file mode 100644 index 000000000..84c0deeef --- /dev/null +++ b/mise.toml @@ -0,0 +1,3 @@ +[tools] +java = "17.0" +maven = "3.9" From 4fc26fb72a7b87ae90da71f44952754d88373e4b Mon Sep 17 00:00:00 2001 From: Gabriel Fleischer Date: Wed, 22 Oct 2025 16:11:38 +0200 Subject: [PATCH 2/2] Use proper java versions and checkout action --- .github/workflows/build.yml | 5 +++-- its/ruling/mise.toml | 2 ++ mise.toml | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 its/ruling/mise.toml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 527c5c7b2..dfdbae8be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -51,11 +51,12 @@ jobs: name: "QA Tests ${{ matrix.item.name }}" steps: - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: submodules: recursive - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0 with: + working-directory: its/ruling version: 2025.7.12 - name: Get GitHub Token for QA Licenses id: secrets 
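Review bot: The `SonarSource/*` actions in the new `build.yml` (`ci-github-actions/build-maven@v1`, `vault-action-wrapper@v3`, `ci-github-actions/config-maven@v1`, `ci-github-actions/promote@v1`) are referenced by mutable tag, while `actions/checkout`, `jdx/mise-action` and `actions/upload-artifact` in the same file are pinned to a commit SHA. The same applies to `ci-github-actions/pr_cleanup@v1` in the `pr-cleanup.yml` hunk. The tag-pinned steps run in jobs that hold `id-token: write` (plus `contents: write` in `build`, `actions: write` in `cleanup`), so a moved tag changes what executes with those permissions. Either pin them the same way, e.g. `uses: SonarSource/ci-github-actions/build-maven@<commit-sha> # v1`, or add a comment saying that first-party actions are deliberately tracked by major tag. Separately, both `run:` blocks in `qa` expand `${{ matrix.item.java_plugin_version }}` and `${{ matrix.item.profile }}` straight into shell text; the values are static literals today, but passing them through `env:` and quoting `"$JAVA_PLUGIN_VERSION"` / `"$PROFILE"` keeps the script safe if the matrix is ever fed from an input.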
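Review bot: Only the `qa` job's checkout moves to the v5.0.0 SHA in this hunk. Going by the commit's diffstat for `build.yml` (3 insertions, 2 deletions), the checkout steps in `build` and `promote` appear to stay on the v4.2.2 SHA, so one workflow would run two major versions of the same action. Those steps are outside the hunk, so this needs confirming; either bump all three together or add a comment on this step explaining why `qa` alone needs v5. Since this checkout pulls `submodules: recursive` and the job then runs Maven over that tree, consider adding `persist-credentials: false` under `with:` so the workflow token is not left in the git config, unless a later step needs git authentication.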
@@ -74,13 +75,13 @@ jobs: VERSION=$(.github/scripts/resolve-sonar-java-plugin-version.sh "${{ matrix.item.java_plugin_version }}") echo "version=${VERSION}" >> $GITHUB_OUTPUT - name: Run QA Tests + working-directory: its/ruling env: GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} BUILD_NUMBER: ${{ needs.build.outputs.build-number }} MAVEN_OPTS: "-Xmx3g" SONAR_JAVA_VERSION: ${{ steps.resolve-sonar-java-plugin-version.outputs.version }} run: | - cd its/ruling mvn package --batch-mode \ "-Pit-ruling,${{ matrix.item.profile }}" \ "-Dsonar.java.version=${SONAR_JAVA_VERSION}" \ diff --git a/its/ruling/mise.toml b/its/ruling/mise.toml new file mode 100644 index 000000000..5a685377c --- /dev/null +++ b/its/ruling/mise.toml @@ -0,0 +1,2 @@ +[tools] +java = "17.0" \ No newline at end of file diff --git a/mise.toml b/mise.toml index 84c0deeef..9a5dc67a1 100644 --- a/mise.toml +++ b/mise.toml @@ -1,3 +1,3 @@ [tools] -java = "17.0" +java = "23" maven = "3.9"
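Review bot: The `Run QA Tests` step still passes `"-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}"` on the `mvn` command line, and `ARTIFACTORY_ACCESS_TOKEN` is not declared in this step's `env:` block. It is presumably exported by the earlier `config-maven` step, but nothing in the workflow says so, and if it is ever unset the property silently becomes empty. A secret in the argument list is also readable by any other process on the runner while Maven runs. Add a comment such as `# ARTIFACTORY_ACCESS_TOKEN is exported by the configure-maven step`, and if the test harness can read the token from the environment (worth checking), drop the `-D` argument so the value never appears in the process arguments. The `run:` block continues past the end of this hunk.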