From 10f7d7b1d0e4f88a48addcba8f42b836dfa5a4f5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 14 Feb 2025 03:31:15 +0000
Subject: [PATCH 1/2] add Renovate and custom workflow files

---
 .github/topissuebot.yml                       |  4 -
 .github/workflows/maven.yml                   | 54 -----------
 .github/workflows/sync-fork.yml               | 89 +++++++++++++++++++
 .../trivy-dependencies-submission.yml         | 27 ++++++
 .gitignore                                    | 34 -------
 renovate.json5                                | 12 +++
 6 files changed, 128 insertions(+), 92 deletions(-)
 delete mode 100644 .github/topissuebot.yml
 delete mode 100644 .github/workflows/maven.yml
 create mode 100644 .github/workflows/sync-fork.yml
 create mode 100644 .github/workflows/trivy-dependencies-submission.yml
 delete mode 100644 .gitignore
 create mode 100644 renovate.json5

diff --git a/.github/topissuebot.yml b/.github/topissuebot.yml
deleted file mode 100644
index b02540a2da4..00000000000
--- a/.github/topissuebot.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Configuration for top-issue-bot
-labelName: ":thumbsup: Top Issue!"
-labelColor: "f442c2"
-numberOfIssuesToLabel: 5
\ No newline at end of file
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
deleted file mode 100644
index 66849c6b559..00000000000
--- a/.github/workflows/maven.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches:
-      - 'main'
-      - 'release-v**'
-      - 'full-sonar-analysis-**'
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+*'
-  pull_request:
-
-permissions: {}
-
-jobs:
-  build:
-    name: Build OS ${{ matrix.os }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
-
-    steps:
-      - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Set up JDK 17
-        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
-        with:
-          distribution: 'temurin'
-          java-version: '17'
-
-      - name: Build with Maven (Ubuntu)
-        if: matrix.os == 'ubuntu-latest'
-        run: ./mvnw --batch-mode -Dpowsybl.docker-unit-tests.skip=false -Pjacoco install
-
-      - name: Build with Maven (Windows)
-        if: matrix.os == 'windows-latest'
-        run: mvnw.cmd --batch-mode install
-        shell: cmd
-
-      - name: Build with Maven (MacOS)
-        if: matrix.os == 'macos-latest'
-        run: ./mvnw --batch-mode install
-
-      - name: Run SonarCloud analysis
-        if: matrix.os == 'ubuntu-latest'
-        run: >
-          ./mvnw --batch-mode -DskipTests sonar:sonar
-          -Dsonar.host.url=https://sonarcloud.io
-          -Dsonar.organization=powsybl-ci-github
-          -Dsonar.projectKey=com.powsybl:powsybl-core
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml
new file mode 100644
index 00000000000..42ba380546e
--- /dev/null
+++ b/.github/workflows/sync-fork.yml
@@ -0,0 +1,89 @@
+name: Sync fork
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "15 3 * * *"   # Run every day at 3:15 UTC
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout fork's default branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          path: "fork"
+          token: ${{ secrets.GH_PAT }}
+      - name: Checkout fork's configuration branch
+        uses: actions/checkout@v4
+        with:
+          path: "configuration"
+          ref: "renovate-and-workflow-files"
+          token: ${{ secrets.GH_PAT }}
+      - name: Determine Upstream clone URL
+        id: upstream-repo-clone-url
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data } = await github.rest.repos.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+            if (data.fork) {
+              return data.parent.clone_url;
+            } else {
+              throw new Error('This repository is not a fork.');
+            }
+          result-encoding: string
+      - name: Determine Upstream default branch
+        id: upstream-repo-default-branch
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data } = await github.rest.repos.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+            if (data.fork) {
+              return data.parent.default_branch;
+            } else {
+              throw new Error('This repository is not a fork.');
+            }
+          result-encoding: string
+      - name: Sync fork with upstream
+        run: |
+          set -ex
+          cd fork
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }}
+          git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }}
+          UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H")
+          PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash)
+          if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then
+            echo "No need to sync, already up-to-date"
+            exit 0
+          fi
+          
+          git reset --hard upstream/${{ steps.upstream-repo-default-branch.outputs.result }}
+          # Enforce the usage of our own config (renovate.json5)
+          git rm renovate.json* || true
+          # Avoid problems where an existing .gitignore file would prevent committing our configuration files
+          git rm .gitignore || true
+          # Delete existing workflows, we don't need to run them in our fork
+          rm -rf .github || true
+          # Instead of using "cp -r", rsync allows us to exclude the .git directory
+          rsync -av --exclude '.git' ../configuration/ .
+          rm upstream_commit_hash
+          git add .
+          git commit -m "add Renovate and custom workflow files"
+          git push --force-with-lease
+          
+          cd ../configuration
+          # git config user.name "github-actions[bot]"
+          # git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash
+          git add upstream_commit_hash
+          git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH"
+          git push
diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml
new file mode 100644
index 00000000000..71f59af7e39
--- /dev/null
+++ b/.github/workflows/trivy-dependencies-submission.yml
@@ -0,0 +1,27 @@
+name: SBOM upload from Trivy
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "0 9 */5 * *"   # Run every fifth day at 9 AM UTC
+
+jobs:
+  SBOM-upload:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.23.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'github'
+          output: 'trivy-results.gsbom'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}  # this causes a curl call to upload the snapshot
+
+      - name: Upload report file
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results
+          path: trivy-results.gsbom
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 9e8763bdadb..00000000000
--- a/.gitignore
+++ /dev/null
@@ -1,34 +0,0 @@
-# Maven projects
-target/
-
-# IntelliJ
-/.idea
-*.iml
-
-# Compilation settings
-install.cfg
-
-# Eclipse projects
-.apt_generated
-.apt_generated_tests
-.classpath
-.factorypath
-.project
-.factorypath
-.checkstyle
-org.eclipse.core.resources.prefs
-org.eclipse.jdt.core.prefs
-org.eclipse.m2e.core.prefs
-org.eclipse.jdt.apt.core.prefs
-org.eclipse.jdt.groovy.core.prefs
-org.eclipse.jdt.apt.core.prefs
-org.sonarlint.eclipse.core.prefs
-
-# Log files
-powsybl.log
-
-# Maven wrapper jar
-.mvn/wrapper/*.jar
-
-# Generated readthedocs pages
-build-docs/
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 00000000000..53fe2ac3270
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":disableRateLimiting"
+  ],
+  "labels": ["dependencies", "depManager:{{{manager}}}"],
+  "vulnerabilityAlerts": {
+    "labels": ["security", "dependencies", "depManager:{{{manager}}}"],
+  },
+  "forkProcessing": "enabled"
+}

From b91474fb7c3c76bd23dc1716ddfaa240dff437da Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 14 Feb 2025 03:39:49 +0000
Subject: [PATCH 2/2] Update dependency com.powsybl:powsybl-parent to v21

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c872dd9e5e1..c6d46f37f4d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -15,7 +15,7 @@
     <parent>
         <groupId>com.powsybl</groupId>
         <artifactId>powsybl-parent</artifactId>
-        <version>20</version>
+        <version>21</version>
         <relativePath/>
     </parent>