apps/desktop/.github/workflows/. The root .github/ directory contains Dependabot configuration and issue/PR templates.
Workflow overview
| Workflow file | Trigger | Purpose |
|---|---|---|
| ci.yml | Push / PR to main, develop | Full CI pipeline: build, test, code quality, security scan, jpackage verification, and optional release. |
| build-and-deploy.yml | Push / PR to main, master; version tags (v*) | Cross-platform native installer builds (Linux .deb, Windows .msi, macOS .dmg) and GitHub Pages deployment. |
| maven.yml | Push / PR to main | Lightweight Maven build and dependency graph submission to GitHub. |
| codeql.yml | Push / PR to main; weekly schedule | GitHub CodeQL static analysis for Java. |
| sonarcloud.yml | Push / PR to main | SonarCloud quality gate analysis. |
CI pipeline (ci.yml)
Triggered on every push or pull request to main or develop. The pipeline runs six jobs:
Build and test
Sets up Java 21 (Liberica JDK with JavaFX), caches the local Maven repository, compiles the project, and runs the unit test suite with mvn test. JaCoCo coverage reports are generated and uploaded to Codecov. Test results are retained as workflow artifacts for 30 days.
Code quality analysis
Runs SpotBugs static analysis (mvn spotbugs:check) and generates JavaDoc. Both outputs are uploaded as artifacts. This job runs after the build-and-test job succeeds.
Security scan
Runs OWASP Dependency-Check (mvn org.owasp:dependency-check-maven:check) and Trivy filesystem vulnerability scanning. Results are uploaded to GitHub Security as SARIF.
Verify jpackage configuration
Builds the application JAR and validates that jpackage can produce a working app-image on the CI runner. Fails the pipeline if the image is not created.
Build release artifacts
Runs only when a version tag (refs/tags/v*) is pushed. Builds the release JAR, generates release notes, and creates a GitHub Release with the JAR, LICENSE, and README attached.
Build and deploy workflow (build-and-deploy.yml)
Produces native desktop installers for all three platforms in parallel using jpackage. The app version is 1.0.10 and the main class is com.esprit.MainApp.
Build Linux distribution
Runs on ubuntu-latest. Produces a .deb Debian package installer and a portable .tar.gz archive. Both are uploaded as the linux-distributions artifact (retained 90 days).
Build Windows distribution
Runs on windows-latest. Produces a .msi Windows Installer package and a portable .zip archive. Both are uploaded as the windows-distributions artifact.
Build macOS distribution
Runs on macos-latest. Produces a .dmg disk image installer and a portable .tar.gz archive. Both are uploaded as the macos-distributions artifact.
Deploy to GitHub Pages
Downloads all platform artifacts, organises them under releases/{linux,windows,macos}/, and deploys the result to GitHub Pages. Runs on pushes to main/master and on version tags.
CodeQL analysis (codeql.yml)
Runs CodeQL Advanced analysis against the java-kotlin language matrix on every push and pull request to main, and on a weekly schedule (Fridays at 21:44 UTC). Results are uploaded to the GitHub Security tab as SARIF.
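The Security scan job of ci.yml described earlier uploads SARIF to the same GitHub Security tab. The following workflow is an added example, not the project's own ci.yml, showing one way to write such a job with only the token scope needed for the upload. The action versions, job and category names, working directory, and report paths are assumptions.

```yaml
# Added example, not the project's ci.yml. Action refs, job/category names,
# the apps/desktop working directory and report paths are assumptions.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

permissions:
  contents: read              # workflow default: read-only token

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # the only write scope; needed to upload SARIF
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: liberica
          java-version: '21'
          java-package: jdk+fx
          cache: maven
      - name: OWASP Dependency-Check
        working-directory: apps/desktop
        run: mvn -B org.owasp:dependency-check-maven:check -Dformat=SARIF
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@master  # assumed ref; pin to a commit SHA
        with:
          scan-type: fs
          scan-ref: apps/desktop
          format: sarif
          output: trivy-results.sarif
      - name: Upload Dependency-Check SARIF
        if: always()          # publish findings even when the check step fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: apps/desktop/target/dependency-check-report.sarif
          category: dependency-check
      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-fs
```

Distinct category values keep the two tools' results from overwriting each other in code scanning. On pull requests from forks the token is read-only, so the upload steps cannot write results there.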
SonarCloud analysis (sonarcloud.yml)
Runs SonarCloud quality gate analysis on every push and pull request to main. Requires the SONAR_TOKEN repository secret.
Set SONAR_TOKEN in Settings > Secrets and variables > Actions before enabling this workflow.
Dependabot
Dependabot is configured at the repository root (.github/dependabot.yml) and in apps/web/.github/dependabot.yml. It runs weekly version updates for:
| Ecosystem | Directory |
|---|---|
| npm | /apps/web |
| maven | /apps/desktop |
| composer | /apps/web |
| docker-compose | / (repository root) |
| pub (Flutter/Dart) | /apps/mobile |
Running tests locally
The Taskfile.yml at the repository root provides task definitions for all apps. Install Task to use these commands.
Run the full test suite
Per-app test commands
Available Taskfile tasks
The Taskfile.yml defines the following tasks:
| Task | Directory | Command | Description |
|---|---|---|---|
| desktop:build | apps/desktop | mvn clean install -DskipTests | Build the desktop JAR without running tests. |
| desktop:run | apps/desktop | mvn javafx:run | Launch the desktop app via the JavaFX Maven plugin. |
| desktop:test | apps/desktop | mvn test | Run the Maven test suite. |
| web:install | apps/web | composer install && npm install | Install PHP and JavaScript dependencies. |
| web:dev | apps/web | symfony server:start -d | Start the Symfony development server in detached mode. Requires the Symfony CLI. |
| web:build | apps/web | npm run build | Build frontend assets. |
| web:test | apps/web | php bin/phpunit | Run the PHPUnit test suite. |
| web:migrate | apps/web | php bin/console doctrine:migrations:migrate --no-interaction | Apply pending database migrations. |
| mobile:get | apps/mobile | flutter pub get | Fetch Flutter/Dart dependencies. |
| mobile:run | apps/mobile | flutter run | Run the app on a connected device or emulator. |
| mobile:build:apk | apps/mobile | flutter build apk | Build an Android APK. |
| mobile:build:ios | apps/mobile | flutter build ios | Build an iOS archive (macOS only). |
| mobile:test | apps/mobile | flutter test | Run the Flutter test suite. |
| test:all | (root) | Runs desktop:test, web:test, mobile:test | Run all test suites in sequence. |
| setup | (root) | Runs web:install, mobile:get, desktop:build | First-time setup for all apps. |
| api:generate | (root) | openapi-generator-cli generate | Regenerate API clients for all three apps from shared/api-spec/openapi.yaml. |
Required secrets
The following secrets must be configured in the GitHub repository before the workflows function correctly:
| Secret | Used by | Description |
|---|---|---|
| GITHUB_TOKEN | ci.yml, build-and-deploy.yml | Automatically provided by GitHub Actions. Used for creating releases and uploading artifacts. |
| SONAR_TOKEN | sonarcloud.yml | API token from SonarCloud. |
Codecov integration in ci.yml uses codecov/codecov-action with fail_ci_if_error: false, so missing Codecov configuration does not break the build.