[CU-86b8rd5j3] Migrate to new PR validation pipeline

.github/workflows/build-test-analyse.yml

@@ -0,0 +1,42 @@
+name: Build, Test & Analyse
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build-and-test-java-app:
+    name: Build & Test Java App
+    uses: DNAstack/dnastack-development-tools/.github/workflows/build-test-java-app.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    with:
+      java-version: 21
+    secrets:
+      pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+
+  sast:
+    name: SAST (SonarQube)
+    uses: DNAstack/dnastack-development-tools/.github/workflows/sast.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    with:
+      with-frontend: false
+      java-version: 21
+      code-coverage-enabled: true
+    secrets:
+      pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+      sonar-token: ${{ secrets.SONAR_TOKEN }}
+      sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
+
+  sca:
+    name: SCA (Trivy)
+    uses: DNAstack/dnastack-development-tools/.github/workflows/sca.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    with:
+      java-version: 21
+    secrets:
+      pat-with-read-packages-permission: ${{ secrets.AUTH_TOKEN }}
+
+  secrets-detection:
+    name: Secrets Detection (Gitleaks)
+    uses: DNAstack/dnastack-development-tools/.github/workflows/secrets-detection.yml@945ddc20e0baa715095f63b282d81da7df57dd0b
+    secrets:
+      gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}

.gitleaks.toml

@@ -0,0 +1,15 @@
+# Gitleaks configuration — controls secret scanning behavior.
+# See: https://github.com/gitleaks/gitleaks#configuration
+
+# Use the default detection rules.
+[extend]
+  useDefault = true
+
+# Exclude build artifacts and dependency directories from scanning.
+[[allowlists]]
+  description = "exclude build artifacts and dependency directories"
+  paths = [
+    '''target/''',
+    '''node_modules/''',
+    '''node_installation/''',
+  ]

.gitleaksignore

@@ -0,0 +1,6 @@
+# Gitleaks ignore file — suppresses known/accepted secret findings.
+# Each line is a fingerprint from gitleaks output. New secrets in the same
+# files will still be caught — only these specific findings are suppressed.
+#
+# To add a new entry: run `gitleaks detect --source . --no-git -v`,
+# copy the Fingerprint line, and add it here with a comment explaining why.

.trivyignore.yaml

@@ -0,0 +1,16 @@
+# Trivy ignore file for known/accepted vulnerabilities.
+# See: https://trivy.dev/docs/configuration/filtering/#trivyignoreyaml
+#
+# Format:
+#   vulnerabilities:
+#     - id: CVE-XXXX-XXXXX
+#       reason: "Why this is acceptable"
+#       expired_at: 2026-XX-XXT00:00:00Z
+
+vulnerabilities:
+  - id: CVE-2026-34483
+    reason: "Transitive via Spring Boot 3.5.13 parent (pins tomcat 10.1.53; fix in 10.1.54). Affects Tomcat's JsonAccessLogValve — not configured. Resolves when Spring Boot 3.5.14+ bumps tomcat."
+    expired_at: 2026-10-18T00:00:00Z
+  - id: CVE-2026-34487
+    reason: "Transitive via Spring Boot 3.5.13 parent (pins tomcat 10.1.53; fix in 10.1.54). Affects Tomcat access-log logging of sensitive data — no access log valve configured. Resolves when Spring Boot 3.5.14+ bumps tomcat."
+    expired_at: 2026-10-18T00:00:00Z

pom.xml

@@ -7,7 +7,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.5.6</version>
+    <version>3.5.13</version>
     <relativePath/> <!-- lookup parent from repository -->
   </parent>
 
@@ -61,6 +61,9 @@
     <dnastack-token-validator.version>1.0.18</dnastack-token-validator.version>
     <audit-event-logger.version>1.0.20</audit-event-logger.version>
     <oauth-client-factory.version>1.0.5</oauth-client-factory.version>
+    <!-- Pin Jackson to 2.18.x: dnastack-oauth-client-factory-spring-starter 1.0.5 uses
+         removed-in-2.19 PropertyNamingStrategy.SNAKE_CASE API. Remove when bumping the lib. -->
+    <jackson-bom.version>2.18.6</jackson-bom.version>
     <!-- Other -->
     <spring-cloud.version>2021.0.9</spring-cloud.version>
     <jdbi.version>3.49.5</jdbi.version>