From 12b7aabe872a217ecc96b7913e1050e4edaffa32 Mon Sep 17 00:00:00 2001
From: Leandro Afonso <leo@0x1eo.dev>
Date: Thu, 23 Oct 2025 00:21:36 +0100
Subject: [PATCH] Enhance CI workflow with security and dependency checks

Added security scan and dependency review jobs to the workflow.
---
 .github/workflows/maven.yml | 97 ++++++++++++++++++++++++++++++++-----
 1 file changed, 86 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 6fa7075..acc3264 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -1,11 +1,6 @@
 # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 name: Java CI with Maven
 
 on:
@@ -16,9 +11,7 @@ on:
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v4
 
@@ -33,13 +26,95 @@ jobs:
       run: mvn -B package
       working-directory: main
 
-    # Generate dependency graph explicitly (run step supports -f)
+    # Generate dependency graph explicitly
     - name: Generate dependency graph
-      run: mvn -B -f main/pom.xml com.github.ferstl:depgraph-maven-plugin:4.0.1:graph
+      run: mvn -B com.github.ferstl:depgraph-maven-plugin:4.0.1:graph
+      working-directory: main
 
-    # Upload the generated dependency files so you can inspect them in the workflow run
+    # Upload the packaged JAR file as an artifact
+    - name: Upload package artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: package
+        path: main/target/*.jar # Upload only the JAR
+
+    # Upload the generated dependency graph so you can inspect it
     - name: Upload dependency graph artifact
       uses: actions/upload-artifact@v4
       with:
         name: dependency-graph
-        path: main/target/**
+        path: main/target/dependency-graph.dot # Upload the specific graph file
+
+  test-and-coverage:
+    runs-on: ubuntu-latest
+    needs: build # Make it dependent on the build job to ensure code compiles
+    
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+        cache: maven
+
+    - name: Run tests and generate coverage report
+      # 'verify' runs all tests. 'jacoco:report' generates the coverage report.
+      # This assumes you have the JaCoCo plugin configured in your pom.xml
+      run: mvn -B verify jacoco:report
+      working-directory: main
+
+    - name: Upload coverage report
+      # This uploads the HTML coverage report as an artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: code-coverage-report
+        path: main/target/site/jacoco/ # Path to the JaCoCo HTML report
+
+  security-scan:
+    # NEW JOB: This job runs GitHub's CodeQL to find security vulnerabilities.
+    # It runs in parallel with other jobs.
+    runs-on: ubuntu-latest
+    
+    # Required permissions for CodeQL to write results
+    permissions:
+      security-events: write # for github/codeql-action/analyze
+      actions: read # for github/codeql-action/init
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: 'java' # Specify the language to analyze
+
+    - name: Build project for CodeQL
+      # CodeQL needs to monitor the build process.
+      # We skip tests here (-DskipTests) because we only need the compiled code
+      # for static analysis, and tests are run in the 'test-and-coverage' job.
+      run: mvn -B clean package -DskipTests
+      working-directory: main
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+
+  dependency-review:
+    # NEW JOB: This job checks for vulnerable dependencies on Pull Requests.
+    # It prevents merging PRs that introduce known vulnerabilities.
+    runs-on: ubuntu-latest
+    
+    # This job only needs to run on pull requests
+    if: github.event_name == 'pull_request'
+    
+    permissions:
+      contents: read # To read dependency files
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4