initial commit

Change-Id: I12a20fc994c2a94df96de9d3393b06bf6687f77a

.gitea/workflows/build-push.yml

@@ -0,0 +1,84 @@
+name: Build and Push to ACR
+
+on:
+  push:
+    branches: [ dev ]
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  AZURE_FEDERATED_TOKEN_FILE: /var/run/secrets/azure/tokens/azure-identity-token
+
+jobs:
+  build:
+    name: Build and Push
+    runs-on: ubuntu-latest
+    if: >-
+      github.ref != 'refs/heads/main' && (
+        github.event_name == 'workflow_dispatch' ||
+        (github.event_name == 'push' && github.event.before != '0000000000000000000000000000000000000000')
+      )
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Azure CLI
+        run: |
+          command -v az &>/dev/null || curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+      - name: Install Docker CLI
+        run: |
+          command -v docker &>/dev/null || (apt-get update -qq && apt-get install -y docker.io)
+          docker --version
+
+      - name: Azure login (OIDC)
+        run: |
+          az login \
+            --service-principal \
+            --username "$AZURE_CLIENT_ID" \
+            --tenant "$AZURE_TENANT_ID" \
+            --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)"
+          echo "✓ Azure login successful"
+
+      - name: Get ACR details
+        run: |
+          ACR_NAME=$(az acr list --query "[0].name" -o tsv)
+          ACR_NAME="${ACR_NAME:-bstagecjotdevacr}"
+          echo "ACR_NAME=$ACR_NAME" >> $GITHUB_ENV
+          echo "ACR_LOGIN_SERVER=${ACR_NAME}.azurecr.io" >> $GITHUB_ENV
+          echo "✓ Using ACR: ${ACR_NAME}.azurecr.io"
+
+      - name: ACR Login
+        run: |
+          ACR_TOKEN=$(az acr login --name "$ACR_NAME" --expose-token --output tsv --query accessToken)
+          docker login "$ACR_LOGIN_SERVER" \
+            --username 00000000-0000-0000-0000-000000000000 \
+            --password "$ACR_TOKEN"
+          echo "✓ ACR login successful"
+
+      - name: Build and Push Docker image
+        run: |
+          IMAGE_TAG="${{ gitea.sha }}"
+          IMAGE_FULL="${ACR_LOGIN_SERVER}/security-scan-test:${IMAGE_TAG}"
+          IMAGE_LATEST="${ACR_LOGIN_SERVER}/security-scan-test:latest"
+          docker build -t "$IMAGE_FULL" -t "$IMAGE_LATEST" .
+          docker push "$IMAGE_FULL"
+          docker push "$IMAGE_LATEST"
+          echo "IMAGE_FULL=$IMAGE_FULL" >> $GITHUB_ENV
+          echo "✓ Pushed: $IMAGE_FULL"
+
+      - name: Build Summary
+        run: |
+          echo "### ✅ Build Successful" >> $GITHUB_STEP_SUMMARY
+          echo "| | |" >> $GITHUB_STEP_SUMMARY
+          echo "|---|---|" >> $GITHUB_STEP_SUMMARY
+          echo "| **Service** | security-scan-test |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Commit** | ${{ gitea.sha }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Image** | $IMAGE_FULL |" >> $GITHUB_STEP_SUMMARY

.gitea/workflows/integration-test.yml

@@ -0,0 +1,138 @@
+
+name: Integration Test
+
+on:
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # ── Job 1: Platform Conformance ───────────────────────────────────────────
+  platform-check:
+    name: Platform Conformance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate catalog-info.yaml
+        run: |
+          if [ ! -f catalog-info.yaml ]; then
+            echo "✗ catalog-info.yaml not found"
+            exit 1
+          fi
+          python3 -c "import yaml; list(yaml.safe_load_all(open('catalog-info.yaml')))" 2>/dev/null \
+            || (pip install pyyaml -q && python3 -c "import yaml; list(yaml.safe_load_all(open('catalog-info.yaml')))")
+          echo "✓ catalog-info.yaml is valid YAML"
+
+      - name: Check platform files
+        run: |
+          ERRORS=0
+          for f in catalog-info.yaml; do
+            if [ ! -f "$f" ]; then
+              echo "✗ Missing: $f"
+              ERRORS=$((ERRORS+1))
+            else
+              echo "✓ Found: $f"
+            fi
+          done
+          if [ $ERRORS -gt 0 ]; then exit 1; fi
+
+  # ── Job 2: Unit Tests + Container Smoke ───────────────────────────────────
+  smoke-test:
+    name: Unit Tests + Container Smoke
+    runs-on: ubuntu-latest
+    needs: platform-check
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Free disk space
+        run: |
+          docker system prune -f 2>/dev/null || true
+          df -h / 2>/dev/null || true
+
+      - name: Install Docker CLI
+        run: command -v docker &>/dev/null || (apt-get update -qq && apt-get install -y docker.io)
+
+      - name: Build container image
+        run: |
+          if [ -f Dockerfile ]; then
+            docker build -t ci-image:test .
+          else
+            echo "No Dockerfile found — skipping container smoke test"
+            echo "SKIP_SMOKE=true" >> $GITHUB_ENV
+          fi
+
+      - name: Start service and wait for health
+        if: env.SKIP_SMOKE != 'true'
+        run: |
+          CONTAINER_NAME="ci-${GITHUB_RUN_ID}"
+          PORT="${CONTAINER_PORT:-8080}"
+          HEALTH_PATH="${HEALTH_ENDPOINT:-/health}"
+          echo "CONTAINER_NAME=${CONTAINER_NAME}" >> $GITHUB_ENV
+          echo "CONTAINER_PORT=${PORT}" >> $GITHUB_ENV
+          echo "HEALTH_PATH=${HEALTH_PATH}" >> $GITHUB_ENV
+
+          docker run -d --name "${CONTAINER_NAME}" -e OTEL_SDK_DISABLED=true ci-image:test
+
+          for i in $(seq 1 10); do
+            CONTAINER_IP=$(docker inspect "${CONTAINER_NAME}" --format '{{.NetworkSettings.IPAddress}}' 2>/dev/null)
+            [ -n "${CONTAINER_IP}" ] && break
+            sleep 1
+          done
+          echo "CONTAINER_IP=${CONTAINER_IP}" >> $GITHUB_ENV
+
+          echo "Waiting for ${HEALTH_PATH} on ${CONTAINER_IP}:${PORT} (up to 180s)..."
+          DEADLINE=$(($(date +%s) + 180))
+          while true; do
+            if curl -sf "http://${CONTAINER_IP}:${PORT}${HEALTH_PATH}" >/dev/null 2>&1; then
+              break
+            fi
+            if [ $(date +%s) -ge $DEADLINE ]; then
+              echo "Timeout waiting for health check"
+              docker logs "${CONTAINER_NAME}" 2>&1 | tail -30
+              exit 1
+            fi
+            if ! docker ps --filter "name=${CONTAINER_NAME}" --format '{{.Status}}' | grep -q Up; then
+              echo "Container exited:"
+              docker logs "${CONTAINER_NAME}" 2>&1 | tail -30
+              exit 1
+            fi
+            echo "  still waiting..."; sleep 3
+          done
+          echo "✓ Service healthy at ${CONTAINER_IP}:${PORT}${HEALTH_PATH}"
+
+      - name: Validate health response
+        if: env.SKIP_SMOKE != 'true'
+        run: |
+          curl -sf "http://${CONTAINER_IP}:${CONTAINER_PORT}${HEALTH_PATH}" > /tmp/health.json
+          echo "Health response:"
+          cat /tmp/health.json
+          echo ""
+          echo "✓ Container smoke test: PASSED"
+
+      - name: Cleanup
+        if: always()
+        run: docker rm -f "ci-${GITHUB_RUN_ID}" 2>/dev/null || true
+
+      - name: Post commit status
+        if: always()
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          JOB_STATUS: ${{ job.status }}
+        run: |
+          STATE=$([[ "$JOB_STATUS" == "success" ]] && echo "success" || echo "failure")
+          DESC=$([[ "$STATE" == "success" ]] && echo "All checks passed" || echo "Some checks failed")
+          curl -sf -X POST \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
+            -d "{\"state\":\"${STATE}\",\"context\":\"Integration Test / Unit Tests + Container Smoke (workflow_dispatch)\",\"description\":\"${DESC}\"}" \
+            || true

.gitea/workflows/security-scan.yml

@@ -0,0 +1,164 @@
+name: Security Scanning
+
+on:
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch: {}
+
+env:
+  TRIVY_VERSION: "0.69.3"
+  GITLEAKS_VERSION: "8.18.4"
+  COMPONENT_ID: security-scan-test
+
+jobs:
+  # ─────────────────────────────────────────────
+  # 1. FILESYSTEM & DEPENDENCY SCAN
+  #    Trivy auto-detects lockfiles (pom.xml,
+  #    package-lock.json, go.sum, requirements.txt, etc.)
+  #    and scans for vulns, secrets, and misconfigs.
+  # ─────────────────────────────────────────────
+  trivy-scan:
+    name: Trivy — Filesystem & Dependency Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          set -e
+          mkdir -p $HOME/.local/bin
+          curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz" \
+            | tar -xz -C $HOME/.local/bin trivy
+          chmod +x $HOME/.local/bin/trivy
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run Trivy filesystem scan
+        run: |
+          $HOME/.local/bin/trivy fs \
+            --exit-code 0 \
+            --severity HIGH,CRITICAL \
+            --format sarif \
+            --output trivy-results.sarif \
+            --scanners vuln,secret,misconfig \
+            --dependency-tree \
+            .
+
+      - name: Upload SARIF report
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: trivy-sarif
+          path: trivy-results.sarif
+          retention-days: 30
+
+      - name: Print human-readable summary
+        run: |
+          $HOME/.local/bin/trivy fs \
+            --exit-code 0 \
+            --severity MEDIUM,HIGH,CRITICAL \
+            --format table \
+            --scanners vuln,secret,misconfig \
+            .
+
+      - name: Enforce quality gate (CRITICAL — report only)
+        run: |
+          $HOME/.local/bin/trivy fs \
+            --exit-code 0 \
+            --severity CRITICAL \
+            --scanners vuln,misconfig \
+            .
+
+  # ─────────────────────────────────────────────
+  # 2. SECRET SCAN — detect leaked credentials
+  #    across full git history.
+  # ─────────────────────────────────────────────
+  gitleaks-scan:
+    name: Gitleaks — Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source (full history)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Install Gitleaks binary directly — the GitHub Action
+      # relies on GITHUB_TOKEN which is unavailable on Gitea Act runners.
+      - name: Install Gitleaks
+        run: |
+          set -e
+          mkdir -p $HOME/.local/bin
+          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz" \
+            | tar -xz -C $HOME/.local/bin gitleaks
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run Gitleaks
+        run: |
+          $HOME/.local/bin/gitleaks detect \
+            --source . \
+            --report-format sarif \
+            --report-path gitleaks-results.sarif \
+            --exit-code 1 \
+            --log-level warn
+
+      - name: Upload SARIF report
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: gitleaks-sarif
+          path: gitleaks-results.sarif
+          retention-days: 30
+
+  # ─────────────────────────────────────────────
+  # 3. SUMMARY — aggregate all SARIF reports
+  # ─────────────────────────────────────────────
+  security-summary:
+    name: Security Summary
+    needs:
+      - trivy-scan
+      - gitleaks-scan
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Download Trivy SARIF
+        uses: actions/download-artifact@v3
+        with:
+          name: trivy-sarif
+          path: sarif-reports/
+        continue-on-error: true
+
+      - name: Download Gitleaks SARIF
+        uses: actions/download-artifact@v3
+        with:
+          name: gitleaks-sarif
+          path: sarif-reports/
+        continue-on-error: true
+
+      - name: List collected reports
+        run: ls -lh sarif-reports/ || echo "No reports found"
+
+      - name: Generate summary
+        run: |
+          echo "## Security Scan Results — ${{ env.COMPONENT_ID }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Report | Size |" >> $GITHUB_STEP_SUMMARY
+          echo "|--------|------|" >> $GITHUB_STEP_SUMMARY
+          for f in sarif-reports/*.sarif; do
+            [ -e "$f" ] || continue
+            name=$(basename "$f")
+            size=$(du -sh "$f" | cut -f1)
+            echo "| $name | $size |" >> $GITHUB_STEP_SUMMARY
+          done
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Commit: \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "Branch: \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY
+
+      - name: Bundle all SARIF reports
+        uses: actions/upload-artifact@v3
+        with:
+          name: all-sarif-reports
+          path: sarif-reports/
+          retention-days: 90

.gitea/workflows/sonar.yaml

@@ -0,0 +1 @@
+

.gitea/workflows/techdocs.yml

@@ -0,0 +1,108 @@
+name: Build and Publish TechDocs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - "catalog-info.yaml"
+  workflow_dispatch: {}
+
+env:
+  TECHDOCS_AZURE_BLOB_CONTAINER_NAME: 
+  AZURE_FEDERATED_TOKEN_FILE: /var/run/secrets/azure/tokens/azure-identity-token
+  AZURE_ACCOUNT_NAME: "bstagecjotdevsttechdocs"
+  ENTITY_NAMESPACE: default
+  ENTITY_KIND: component
+  ENTITY_NAME: security-scan-test
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: read and set output
+        id: read_env
+        run: |
+          echo "$AZURE_FEDERATED_TOKEN_FILE"
+          env | grep AZURE
+          echo "$(cat $AZURE_FEDERATED_TOKEN_FILE)"
+
+      # act-based Gitea runners run as root — sudo is not available.
+      # apt-get is called directly; works whether root or not.
+      - name: Bootstrap pip
+        run: |
+          python3 --version
+          if python3 -m pip --version 2>/dev/null; then
+            echo "pip already available"
+          elif python3 -m ensurepip --version 2>/dev/null; then
+            python3 -m ensurepip --upgrade
+          else
+            apt-get update -qq
+            apt-get install -y python3-pip
+          fi
+          python3 -m pip install --upgrade pip
+          python3 -m pip --version
+
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install \
+            mkdocs-techdocs-core==1.* \
+            mkdocs-git-revision-date-localized-plugin \
+            mkdocs-awesome-pages-plugin
+
+          npm install -g @techdocs/cli
+          npm cache clean --force
+
+      # mkdocs has no dry-run flag — build into a temp dir to validate config
+      # and catch any broken links or missing pages early.
+      - name: Validate MkDocs config
+        run: mkdocs build --strict --site-dir /tmp/mkdocs-validate
+
+      - name: Build TechDocs site
+        run: |
+          techdocs-cli generate \
+            --source-dir . \
+            --output-dir ./site \
+            --no-docker \
+            --verbose
+
+      # act runners don't include az by default — install via Microsoft's
+      # official script which works on Debian/Ubuntu without sudo.
+      - name: Install Azure CLI
+        run: |
+          if command -v az &>/dev/null; then
+            echo "Azure CLI already installed: $(az version --query '"azure-cli"' -o tsv)"
+          else
+            curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+          fi
+
+      - name: Azure login (OIDC)
+        run: |
+          az login \
+            --service-principal \
+            --username "$AZURE_CLIENT_ID" \
+            --tenant "$AZURE_TENANT_ID" \
+            --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)"
+
+          echo "✓ Azure login successful"
+
+      - name: Publish TechDocs site
+        run: |
+          echo "$AZURE_ACCOUNT_NAME"
+          echo "$ENTITY_NAMESPACE"
+          echo "$ENTITY_KIND"
+          echo "$ENTITY_NAME"
+          techdocs-cli publish \
+            --publisher-type azureBlobStorage \
+            --storage-name "techdocs" \
+            --azureAccountName "$AZURE_ACCOUNT_NAME" \
+            --entity "$ENTITY_NAMESPACE/$ENTITY_KIND/$ENTITY_NAME"

.gitea/workflows/tools-quality.yaml

@@ -0,0 +1,156 @@
+name: SonarQube Analysis
+
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sonarqube:
+    name: Build, Test & Analyse
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    env:
+      SONAR_PROJECT_KEY: security-scan-test
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Make Maven wrapper executable
+        run: chmod +x mvnw
+
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: maven-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: maven-${{ runner.os }}-
+
+      - name: Cache SonarQube analysis data
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: sonar-${{ runner.os }}
+          restore-keys: sonar-${{ runner.os }}
+
+      # SONAR_TOKEN replaced by SONAR_ADMIN_TOKEN — the admin token is used
+      # only for provisioning; the scan uses an ephemeral PROJECT_ANALYSIS_TOKEN
+      # generated in the bootstrap step below.
+      - name: Validate required secrets
+        env:
+          SONAR_ADMIN_TOKEN: 
+          SONAR_HOST_URL: 
+        run: |
+          [[ -n "$SONAR_ADMIN_TOKEN" ]] || { echo "::error::SONAR_ADMIN_TOKEN is not set"; exit 1; }
+          [[ -n "$SONAR_HOST_URL" ]]    || { echo "::error::SONAR_HOST_URL is not set"; exit 1; }
+          [[ -n "$SONAR_PROJECT_KEY" ]] || { echo "::error::SONAR_PROJECT_KEY is not set"; exit 1; }
+
+      - name: Bootstrap SonarQube project and generate scan token
+        id: sonar-bootstrap
+        env:
+          SONAR_ADMIN_TOKEN: 
+          SONAR_HOST_URL: 
+        run: |
+          # ---- 1. Create the project if it doesn't already exist ----
+          PROJECT_COUNT=$(curl -sf \
+            -u "${SONAR_ADMIN_TOKEN}:" \
+            "${SONAR_HOST_URL}/api/projects/search?projects=${SONAR_PROJECT_KEY}" \
+            | jq '.paging.total')
+
+          if [[ "$PROJECT_COUNT" == "0" ]]; then
+            echo "Project '${SONAR_PROJECT_KEY}' not found — creating it..."
+            curl -sf -X POST \
+              -u "${SONAR_ADMIN_TOKEN}:" \
+              "${SONAR_HOST_URL}/api/projects/create" \
+              --data-urlencode "name=${SONAR_PROJECT_KEY}" \
+              --data-urlencode "project=${SONAR_PROJECT_KEY}" \
+              --data-urlencode "mainBranch=main" \
+              --data-urlencode "visibility=private"
+            echo "✅ Project created."
+          else
+            echo "✅ Project '${SONAR_PROJECT_KEY}' already exists — skipping creation."
+          fi
+
+          # ---- 2. Revoke any leftover token from a previous failed run ----
+          TOKEN_NAME="gitea-scan-${SONAR_PROJECT_KEY}"
+          curl -sf -X POST \
+            -u "${SONAR_ADMIN_TOKEN}:" \
+            "${SONAR_HOST_URL}/api/user_tokens/revoke" \
+            --data-urlencode "name=${TOKEN_NAME}" \
+            > /dev/null 2>&1 || true
+
+          # ---- 3. Generate a fresh PROJECT_ANALYSIS_TOKEN for this run ----
+          SCAN_TOKEN=$(curl -sf -X POST \
+            -u "${SONAR_ADMIN_TOKEN}:" \
+            "${SONAR_HOST_URL}/api/user_tokens/generate" \
+            --data-urlencode "name=${TOKEN_NAME}" \
+            --data-urlencode "type=PROJECT_ANALYSIS_TOKEN" \
+            --data-urlencode "projectKey=${SONAR_PROJECT_KEY}" \
+            | jq -r '.token')
+
+          [[ -n "$SCAN_TOKEN" ]] || { echo "::error::Failed to generate scan token"; exit 1; }
+
+          echo "✅ Scan token generated for project '${SONAR_PROJECT_KEY}'"
+          echo "::add-mask::${SCAN_TOKEN}"
+          echo "SCAN_TOKEN=${SCAN_TOKEN}" >> "$GITHUB_ENV"
+
+      - name: Build and test
+        run: |
+          ./mvnw -B verify \
+            -Dtest='!PostgresIntegrationTests,!MySqlIntegrationTests'
+
+      - name: SonarQube analysis
+        env:
+          SCAN_TOKEN: 
+          SONAR_HOST_URL: 
+        run: |
+          ./mvnw -B org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121:sonar \
+            -Dsonar.projectKey="${SONAR_PROJECT_KEY}" \
+            -Dsonar.host.url="${SONAR_HOST_URL}" \
+            -Dsonar.token="${SCAN_TOKEN}" \
+            -Dsonar.java.source=17 \
+            -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
+
+      - name: Quality Gate check
+        env:
+          SCAN_TOKEN: 
+          SONAR_HOST_URL: 
+        run: |
+          echo "Waiting for SonarQube to process the analysis..."
+          for i in $(seq 1 24); do
+            RESPONSE=$(curl -sf -u "${SCAN_TOKEN}:" \
+              "${SONAR_HOST_URL}/api/qualitygates/project_status?projectKey=${SONAR_PROJECT_KEY}" || true)
+            STATUS=$(echo "$RESPONSE" | jq -r '.projectStatus.status' 2>/dev/null || echo "NONE")
+            if [[ "$STATUS" =~ ^(OK|ERROR|WARN)$ ]]; then break; fi
+            echo "  Status: ${STATUS:-pending} — retrying in 5s..."
+            sleep 5
+          done
+          echo "Quality Gate status: $STATUS"
+          [[ "$STATUS" != "ERROR" ]] || { echo "::error::Quality Gate FAILED"; exit 1; }
+
+      - name: Revoke scan token
+        if: always()
+        env:
+          SONAR_ADMIN_TOKEN: 
+          SONAR_HOST_URL: 
+        run: |
+          curl -sf -X POST \
+            -u "${SONAR_ADMIN_TOKEN}:" \
+            "${SONAR_HOST_URL}/api/user_tokens/revoke" \
+            --data-urlencode "name=gitea-scan-${SONAR_PROJECT_KEY}" \
+            && echo "✅ Scan token revoked" \
+            || echo "⚠️  Token revocation failed (may have already been removed)"