com-pas · noraeb · May 11, 2026 · May 11, 2026
@@ -14,24 +14,28 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.workflow_run.conclusion == 'success'
     timeout-minutes: 15
+    permissions:
+      contents: read
+      actions: read
+      pull-requests: read
     steps:
     - name: echo event
       run: cat $GITHUB_EVENT_PATH
     - name: Download PR number artifact
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
+      if: github.event.workflow_run.event == 'pull_request'
       uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
       with:
         workflow: SonarCloud Build
         run_id: ${{ github.event.workflow_run.id }}
         name: PR_NUMBER
     - name: Read PR_NUMBER.txt
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
+      if: github.event.workflow_run.event == 'pull_request'
       id: pr_number
       uses: juliangruber/read-file-action@271ff311a4947af354c6abcd696a306553b9ec18 # v1
       with:
         path: ./PR_NUMBER.txt
     - name: Request GitHub API for PR data
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
+      if: github.event.workflow_run.event == 'pull_request'
       uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
       id: get_pr_data
       with:
@@ -40,25 +44,26 @@ jobs:
         full_name: ${{ github.event.repository.full_name }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Extract PR data
+      if: github.event.workflow_run.event == 'pull_request'
+      id: pr_data
+      env:
+        DATA: ${{ steps.get_pr_data.outputs.data }}
+      run: |
+        echo "head_ref=$(echo "$DATA" | jq -r '.head.ref')" >> $GITHUB_OUTPUT
+        echo "number=$(echo "$DATA" | jq -r '.number')" >> $GITHUB_OUTPUT
+        echo "base_ref=$(echo "$DATA" | jq -r '.base.ref')" >> $GITHUB_OUTPUT
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
-        repository: ${{ github.event.workflow_run.head_repository.full_name }}
-        ref: ${{ github.event.workflow_run.head_branch }}
         fetch-depth: 0
-    - name: Checkout base branch
-      if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
-      env:
-        CLONE_URL: ${{ github.event.repository.clone_url }}
-        BASE_REF: ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
-        HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
-      run: |
-        git remote add upstream "$CLONE_URL"
-        git fetch upstream
-        git checkout -B "$BASE_REF" "upstream/$BASE_REF"
-        git checkout "$HEAD_BRANCH"
-        git clean -ffdx && git reset --hard HEAD
+    - name: Download build artifacts
+      uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+      with:
+        workflow: SonarCloud Build
+        run_id: ${{ github.event.workflow_run.id }}
+        name: build-artifacts
     - name: Cache SonarCloud packages
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
       with:
         path: ~/.sonar/cache
         key: ${{ runner.os }}-sonar
@@ -76,35 +81,36 @@ jobs:
       with:
         distribution: 'zulu'
         java-version: '17'
+
     - name: Set Common Sonar Variables
       id: sonar_env
       run: |
-        echo "##[set-output name=sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \
+        echo "sonar_opts=-Dsonar.host.url=https://sonarcloud.io \
           -Dsonar.projectKey=com-pas_compas-scl-data-service \
-          -Dsonar.organization=com-pas )"
+          -Dsonar.organization=com-pas" >> $GITHUB_OUTPUT
     - name: Create custom Maven Settings.xml
       uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
       with:
         output_file: custom_maven_settings.xml
         servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
     - name: Build and analyze (Pull Request)
-      if: ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }}
+      if: ${{ github.event.workflow_run.event == 'pull_request' }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         SONAR_OPTS: ${{ steps.sonar_env.outputs.sonar_opts }}
-        PR_HEAD_REF: ${{ fromJson(steps.get_pr_data.outputs.data).head.ref }}
-        PR_NUMBER: ${{ fromJson(steps.get_pr_data.outputs.data).number }}
-        PR_BASE_REF: ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
+        PR_HEAD_REF: ${{ steps.pr_data.outputs.head_ref }}
+        PR_NUMBER: ${{ steps.pr_data.outputs.number }}
+        PR_BASE_REF: ${{ steps.pr_data.outputs.base_ref }}
         HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
       run: |
-        ./mvnw -B -s custom_maven_settings.xml -Psonar \
+        mvn -B -s custom_maven_settings.xml -Psonar \
           $SONAR_OPTS \
           -Dsonar.pullrequest.branch="$PR_HEAD_REF" \
           -Dsonar.pullrequest.key="$PR_NUMBER" \
           -Dsonar.pullrequest.base="$PR_BASE_REF" \
           -Dsonar.scm.revision="$HEAD_SHA" \
-          clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
     - name: Build and analyze (Push)
       if: ${{ github.event.workflow_run.event == 'push' }}
       env:
@@ -114,8 +120,8 @@ jobs:
         HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
         HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
       run: |
-        ./mvnw -B -s custom_maven_settings.xml -Psonar \
+        mvn -B -s custom_maven_settings.xml -Psonar \
           $SONAR_OPTS \
           -Dsonar.scm.revision="$HEAD_SHA" \
           -Dsonar.branch.name="$HEAD_BRANCH" \
-          clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
@@ -12,18 +12,15 @@ on:
     branches:
       - 'main'
       - 'develop'
-  pull_request_target:
-    branches:
-      - 'main'
-      - 'develop'
 
 jobs:
   precheck-build:
     name: Pre Check Build
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
 
-    if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -61,25 +58,32 @@ jobs:
         with:
           output_file: custom_maven_settings.xml
           servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
-      - name: Build and analyze (Pull Request)
-        if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
+      - name: Build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          ./mvnw -B -s custom_maven_settings.xml clean verify
-      - name: Build and analyze (Push)
-        if: ${{ github.event_name == 'push' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          ./mvnw -B -s custom_maven_settings.xml clean verify
+          ./mvnw -B -s custom_maven_settings.xml -Psonar clean verify
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: build-artifacts
+          path: |
+            api/src/
+            app/src/
+            repository/src/
+            repository-postgresql/src/
+            service/src/
+            api/target/
+            app/target/
+            repository/target/
+            repository-postgresql/target/
+            service/target/
+          retention-days: 1
       - name: Save PR number to file
-        if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: echo "$PR_NUMBER" > PR_NUMBER.txt
+        if: github.event_name == 'pull_request'
+        run: echo ${{ github.event.pull_request.number }} > PR_NUMBER.txt
       - name: Archive PR number
-        if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
+        if: github.event_name == 'pull_request'
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: PR_NUMBER