ci: Some reorganization

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: CI
+run-name: >
+  CI (${{ github.event_name }})
+  ${{ github.event_name == 'pull_request' && format('PR#{0}', github.event.number) || '' }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      ui-tests:
+        description: Run UI-tests
+        type: boolean
+        default: false
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: 0 0 15 * *
+
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tests:
+    name: 🧪 tests
+    uses: ./.github/workflows/step_tests.yml
+    with:
+      mask-experimental: ${{ github.event_name == 'push' }}
+      ui-tests: ${{ inputs.ui-tests || false }}
+
+  static-analysis:
+    name: 🔍 Static-Analysis
+    uses: ./.github/workflows/step_static-analysis.yml
+    secrets:
+      QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
+    permissions:
+      security-events: write
+      contents: write
+      checks: write
+      pull-requests: write
+    if: github.event_name != 'schedule'
+
+  draft:
+    name: 🚀 Release
+    needs: [ tests, static-analysis ]
+    uses: ./.github/workflows/step_draft.yml
+    permissions:
+      contents: write
+    if: github.event_name == 'push'
+
+  pass:
+    name: ✅ Pass
+    needs: [ tests, static-analysis, draft ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all CI jobs
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
+          allowed-skips: draft, static-analysis
+    if: always()

.github/workflows/release.yml

@@ -17,16 +17,10 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-
-      # Check out current repository
-      - name: Fetch Sources
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.release.tag_name }}
-
-      # Setup Java 11 environment for the next steps
-      - name: Setup Java
-        uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: zulu
           java-version: 17

.github/workflows/step_draft.yml

@@ -0,0 +1,39 @@
+# TODO: Unify with release.yml
+name: Draft
+
+on:
+  workflow_call:
+
+permissions:
+  contents: write
+
+jobs:
+  Draft:
+    # TODO: Get the artifacts from a build run
+    # What to do with this workflow?
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Remove old release drafts by using the curl request for the available releases with a draft flag
+      - name: Remove Old Release Drafts
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api repos/{owner}/{repo}/releases \
+            --jq '.[] | select(.draft == true) | .id' \
+            | xargs -I '{}' gh api -X DELETE repos/{owner}/{repo}/releases/{}
+
+      # Create a new release draft which is not publicly visible and requires manual acceptance
+      - name: Create Release Draft
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create v${{ needs.build.outputs.version }} \
+            --draft \
+            --title "v${{ needs.build.outputs.version }}" \
+            --notes "$(cat << 'EOM'
+          ${{ needs.build.outputs.changelog }}
+          EOM
+          )"
+    if: false

.github/workflows/step_static-analysis.yml

@@ -0,0 +1,29 @@
+name: Static Analysis
+
+on:
+  workflow_call:
+    secrets:
+      QODANA_TOKEN:
+        required: false
+        description: Qodana token
+
+permissions:
+  security-events: write
+  contents: write
+  checks: write
+  pull-requests: write
+
+jobs:
+  Qodana:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # TODO: Java setup?
+      - name: Qodana Scan
+        uses: JetBrains/qodana-action@v2023.3
+        env:
+          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
+      - name: Upload to GitHub code scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json