ControlSystemStudio · jacomago · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 18, 2026
diff --git a/.github/CI_VERSIONS.md b/.github/CI_VERSIONS.md
@@ -0,0 +1,15 @@
+# CI version pins
+
+Some versions used by CI are pinned manually and must be kept current. This
+file is the checklist of what needs periodic review and where each pin lives.
+
+| What | Version | Defined in | Notes |
+|------|---------|------------|-------|
+| Java (JDK) | `21` | `.github/actions/setup-java/action.yml` | Single source of truth for the CI JDK. Must match `maven.compiler.source`/`maven.compiler.target` in `pom.xml`. Review when the project adopts a new LTS. |
+| Elasticsearch | `8.11.2` | `.github/workflows/_integration-test.yml` and `services/save-and-restore/docker-compose.yml` | Service container for the save-and-restore integration tests. Update both files together. |
+
+## Automatically maintained
+
+GitHub Action versions (the `uses:` refs in `.github/workflows/*` and
+`.github/actions/**`) are bumped by Dependabot — see `.github/dependabot.yml`.
+These do **not** need manual tracking here.
diff --git a/.github/actions/setup-java/action.yml b/.github/actions/setup-java/action.yml
@@ -0,0 +1,11 @@
+name: Set up Java
+description: Set up the project's pinned JDK with Maven dependency caching.
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287
+      with:
+        distribution: temurin
+        java-version: '21'
+        cache: maven
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  # Auto-PR bumps for GitHub Action versions referenced in .github/workflows/*
+  # and in the local composite action (.github/actions/**). The JDK and
+  # Elasticsearch pins are not visible to Dependabot; see .github/CI_VERSIONS.md.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
@@ -0,0 +1,36 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        description: Runner to build on.
+        type: string
+        default: ubuntu-latest
+      upload-artifacts:
+        description: Upload the product tarball/zip (used by the master build).
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ${{ inputs.os }}
+    steps:
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      with:
+        persist-credentials: false
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Build
+      run: mvn --batch-mode install -DskipTests
+    - name: Archive build artifacts
+      if: ${{ inputs.upload-artifacts }}
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+      with:
+        name: Phoebus product ${{ inputs.os }}
+        path: |
+          ${{ github.workspace }}/phoebus-product/target/*.tar.gz
+          ${{ github.workspace }}/phoebus-product/target/*.zip
diff --git a/.github/workflows/_docker-image.yml b/.github/workflows/_docker-image.yml
@@ -0,0 +1,58 @@
+name: Docker image
+
+on:
+  workflow_call:
+    inputs:
+      image-suffix:
+        description: Image name under ghcr.io/<owner>/<repo>/ (e.g. service-alarm-server).
+        required: true
+        type: string
+      context:
+        description: Docker build context directory.
+        required: true
+        type: string
+      maven-args:
+        description: Maven goals/flags for the package step.
+        type: string
+        default: --update-snapshots package
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      with:
+        persist-credentials: false
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Build with Maven
+      run: mvn --batch-mode $MAVEN_ARGS
+      env:
+        MAVEN_ARGS: ${{ inputs.maven-args }}
+    - name: Login to the registry
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Extract meta-data for Docker
+      id: meta
+      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
+      with:
+        images: ghcr.io/${{ github.repository }}/${{ inputs.image-suffix }}
+    - name: Set up Docker Build
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
+    - name: Build and publish the Docker image
+      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
+      with:
+        context: ${{ inputs.context }}
+        push: true
+        platforms: linux/amd64,linux/arm64
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
diff --git a/.github/workflows/_integration-test.yml b/.github/workflows/_integration-test.yml
@@ -0,0 +1,43 @@
+name: Integration test
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  integration-test:
+    runs-on: ubuntu-latest
+    services:
+      # TODO swap to testcontainers for integration tests
+      elasticsearch:
+        image: docker.elastic.co/elasticsearch/elasticsearch:8.11.2
+        env:
+          discovery.type: single-node
+          xpack.security.enabled: "false"
+        ports:
+          - 9200:9200
+        options: >-
+          --health-cmd "curl -s http://localhost:9200/_cluster/health || exit 1"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 30
+    steps:
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      with:
+        persist-credentials: false
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Integration tests (Elasticsearch-backed)
+      run: >
+        mvn --batch-mode install -P it-tests,docker-tests
+        -Dskip-executable-jar
+        -pl services/save-and-restore -am
+    - name: Upload integration test reports
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+      if: always()
+      with:
+        name: integration-test-reports
+        path: services/save-and-restore/target/failsafe-reports/**
+        if-no-files-found: ignore
diff --git a/.github/workflows/_lint.yml b/.github/workflows/_lint.yml
@@ -0,0 +1,17 @@
+name: pre-commit
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      with:
+        persist-credentials: false
+    - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -0,0 +1,41 @@
+name: Test
+
+on:
+  workflow_call:
+    inputs:
+      name:
+        description: Name used for the uploaded report artifact.
+        type: string
+        required: true
+      run:
+        description: Command that runs the tests.
+        type: string
+        required: true
+      report-path:
+        description: Glob for the test reports to upload.
+        type: string
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      with:
+        persist-credentials: false
+    - name: Set up Java
+      uses: ./.github/actions/setup-java
+    - name: Test
+      run: $TEST_COMMAND
+      env:
+        TEST_COMMAND: ${{ inputs.run }}
+    - name: Upload test reports
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+      if: always()
+      with:
+        name: ${{ inputs.name }}-reports
+        path: ${{ inputs.report-path }}
+        if-no-files-found: ignore
diff --git a/.github/workflows/_ui-test.yml b/.github/workflows/_ui-test.yml
@@ -0,0 +1,15 @@
+name: UI test
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  ui-test:
+    uses: ./.github/workflows/_test.yml
+    with:
+      name: ui-test
+      run: xvfb-run -a mvn --batch-mode --fail-at-end verify -P ui-tests
+      report-path: '**/target/failsafe-reports/**'
diff --git a/.github/workflows/_unit-test.yml b/.github/workflows/_unit-test.yml
@@ -0,0 +1,15 @@
+name: Unit test
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  unit-test:
+    uses: ./.github/workflows/_test.yml
+    with:
+      name: unit-test
+      run: mvn --batch-mode --fail-at-end verify
+      report-path: '**/target/surefire-reports/**'
diff --git a/.github/workflows/alarm-logger-docker-image.yml b/.github/workflows/alarm-logger-docker-image.yml