GitHub ci extend

.github/CI_VERSIONS.md

@@ -0,0 +1,15 @@
+# CI version pins
+
+Some versions used by CI are pinned manually and must be kept current. This
+file is the checklist of what needs periodic review and where each pin lives.
+
+| What | Version | Defined in | Notes |
+|------|---------|------------|-------|
+| Java (JDK) | `21` | `.github/actions/setup-java/action.yml` | Single source of truth for the CI JDK. Must match `maven.compiler.source`/`maven.compiler.target` in `pom.xml`. Review when the project adopts a new LTS. |
+| Elasticsearch | `8.11.2` | `.github/workflows/_integration-test.yml` and `services/save-and-restore/docker-compose.yml` | Service container for the save-and-restore integration tests. Update both files together. |
+
+## Automatically maintained
+
+GitHub Action versions (the `uses:` refs in `.github/workflows/*` and
+`.github/actions/**`) are bumped by Dependabot — see `.github/dependabot.yml`.
+These do **not** need manual tracking here.

.github/actions/setup-java/action.yml

@@ -0,0 +1,14 @@
+name: Set up Java
+description: Set up the project's pinned JDK with Maven dependency caching.
+
+runs:
+  using: composite
+  steps:
+    # Java 21 is the single source of truth for the CI JDK. It must match
+    # maven.compiler.source/target in pom.xml (currently 21). See
+    # .github/CI_VERSIONS.md. Bump here when the project moves to a new LTS.
+    - uses: actions/setup-java@v5
+      with:
+        distribution: temurin
+        java-version: '21'
+        cache: maven

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  # Auto-PR bumps for GitHub Action versions referenced in .github/workflows/*
+  # and in the local composite action (.github/actions/**). The JDK and
+  # Elasticsearch pins are not visible to Dependabot; see .github/CI_VERSIONS.md.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/_build.yml

@@ -0,0 +1,34 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        description: Runner to build on.
+        type: string
+        default: ubuntu-latest
+      upload-artifacts:
+        description: Upload the product tarball/zip (used by the master build).
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ${{ inputs.os }}
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Build
+      run: mvn --batch-mode install -DskipTests
+    - name: Archive build artifacts
+      if: ${{ inputs.upload-artifacts }}
+      uses: actions/upload-artifact@v7
+      with:
+        name: Phoebus product ${{ inputs.os }}
+        path: |
+          ${{ github.workspace }}/phoebus-product/target/*.tar.gz
+          ${{ github.workspace }}/phoebus-product/target/*.zip

.github/workflows/_docker-image.yml

@@ -0,0 +1,54 @@
+name: Docker image
+
+on:
+  workflow_call:
+    inputs:
+      image-suffix:
+        description: Image name under ghcr.io/<owner>/<repo>/ (e.g. service-alarm-server).
+        required: true
+        type: string
+      context:
+        description: Docker build context directory.
+        required: true
+        type: string
+      maven-args:
+        description: Maven goals/flags for the package step.
+        type: string
+        default: --update-snapshots package
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Build with Maven
+      run: mvn --batch-mode ${{ inputs.maven-args }}
+    - name: Login to the registry
+      uses: docker/login-action@v4
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Extract meta-data for Docker
+      id: meta
+      uses: docker/metadata-action@v6
+      with:
+        images: ghcr.io/${{ github.repository }}/${{ inputs.image-suffix }}
+    - name: Set up Docker Build
+      uses: docker/setup-buildx-action@v4
+    - name: Build and publish the Docker image
+      uses: docker/build-push-action@v7
+      with:
+        context: ${{ inputs.context }}
+        push: true
+        platforms: linux/amd64,linux/arm64
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max

.github/workflows/_integration-test.yml

@@ -0,0 +1,41 @@
+name: Integration test
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  integration-test:
+    runs-on: ubuntu-latest
+    services:
+      # TODO swap to testcontainers for integration tests
+      elasticsearch:
+        image: docker.elastic.co/elasticsearch/elasticsearch:8.11.2
+        env:
+          discovery.type: single-node
+          xpack.security.enabled: "false"
+        ports:
+          - 9200:9200
+        options: >-
+          --health-cmd "curl -s http://localhost:9200/_cluster/health || exit 1"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 30
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Integration tests (Elasticsearch-backed)
+      run: >
+        mvn --batch-mode install -P it-tests,docker-tests
+        -Dskip-executable-jar
+        -pl services/save-and-restore -am
+    - name: Upload integration test reports
+      uses: actions/upload-artifact@v7
+      if: always()
+      with:
+        name: integration-test-reports
+        path: services/save-and-restore/target/failsafe-reports/**
+        if-no-files-found: ignore

.github/workflows/_ui-test.yml

@@ -0,0 +1,30 @@
+name: UI test
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  ui-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Test
+      run: >
+        xvfb-run -a
+        mvn --batch-mode --fail-at-end verify -P ui-tests
+      env:
+        MAVEN_OPTS: >-
+          -Djava.awt.headless=true -Dtestfx.robot=glass -Dtestfx.headless=true
+          -Dprism.order=sw -Dprism.text=t2k -Dtestfx.setup.timeout=2500
+    - name: Upload test reports
+      uses: actions/upload-artifact@v7
+      if: always()
+      with:
+        name: ui-test-reports
+        path: '**/target/failsafe-reports/**'
+        if-no-files-found: ignore

.github/workflows/_unit-test.yml

@@ -0,0 +1,24 @@
+name: Unit test
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  unit-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Unit test
+      run: mvn --batch-mode --fail-at-end verify
+    - name: Upload test reports
+      uses: actions/upload-artifact@v7
+      if: always()
+      with:
+        name: unit-test-reports
+        path: '**/target/surefire-reports/**'
+        if-no-files-found: ignore

.github/workflows/branch.yml

@@ -0,0 +1,17 @@
+name: Branch
+
+on:
+  push:
+    branches-ignore:
+      - master
+
+permissions:
+  contents: read
+
+concurrency:
+  group: branch-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    uses: ./.github/workflows/_build.yml