ci: Add GitHub Actions CI/CD with SonarCloud integration (#33)

* Add GitHub Actions CI/CD with SonarCloud integration

- Add comprehensive CI/CD pipeline workflow (ci.yml)
  - Build and test all modules with Java 21
  - MySQL 8.0 and PostgreSQL 15 services for tests
  - JaCoCo code coverage generation (50% minimum)
  - Integration tests with TestContainers
  - SonarCloud analysis with quality gates
  - OWASP security vulnerability scanning

- Add Pull Request checks workflow (pr-checks.yml)
  - PR title validation (conventional commits)
  - Quick tests on core modules
  - SonarCloud PR-specific analysis
  - Security vulnerability scanning with CVSS threshold

- Configure SonarCloud integration
  - Add sonar-project.properties for monorepo structure
  - Update root pom.xml with SonarCloud Maven plugin
  - Add JaCoCo Maven plugin for code coverage
  - Configure integration tests profile

- Add comprehensive CI/CD documentation
  - Setup guide in .github/CI_CD_SETUP.md
  - SonarCloud configuration instructions
  - Local testing commands
  - Troubleshooting guide
  - Migration notes from CircleCI

Replaces outdated CircleCI configuration (Java 8, ThirdParty only).
All workflows use Java 21 LTS for stability and Spring Boot 3.5 compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* ci: Temporarily exclude openespi-authserver from CI/CD

- Commented out authserver tests in ci.yml workflow
- Removed authserver from quick tests in pr-checks.yml
- Excluded authserver from SonarCloud analysis in sonar-project.properties
- Updated CI/CD documentation to note authserver exclusion

The authserver module will be re-enabled once implementation is complete.

* test: Exclude ApplicationStartupIntegrationTest from integration tests

- Temporarily exclude ApplicationStartupIntegrationTest from failsafe plugin
- Test requires OAuth2 resource server configuration which is not available in CI
- Will be re-enabled once OAuth2 integration is properly configured

* fix: Exclude authserver from integration tests

- Added -pl flag to integration tests to exclude authserver
- Integration tests now only run on: openespi-common, openespi-datacustodian, openespi-thirdparty
- This was causing authserver tests to run despite being excluded from unit tests

* fix: Remove separate jacoco:report step

- JaCoCo reports are automatically generated during test phase via root pom.xml
- The separate jacoco:report step was failing with 'No plugin found' error
- Coverage reports will still be generated and uploaded as artifacts

* fix: Exclude authserver from SonarCloud workflows

- Added -pl flag to both SonarCloud jobs to exclude authserver
- This prevents authserver tests from running in SonarCloud analysis
- Fixes SonarCloud PR Analysis and main SonarCloud Analysis failures

* fix: Separate build and SonarCloud analysis steps

- Split verify and sonar:sonar into separate steps
- Verify only builds selected modules (excluding authserver)
- SonarCloud analysis runs at root level using sonar-project.properties
- This ensures tests run properly while respecting module exclusions

* docs: Update CI/CD support section

* fix: Specify explicit binary paths in SonarCloud config

- Changed from wildcard **/target/classes to explicit paths
- Only includes binaries for built modules (excluding authserver)
- Fixes 'provide compiled classes' error in SonarCloud analysis

* fix: Explicitly exclude authserver directory from SonarCloud

- Added openespi-authserver/** to sonar.exclusions
- Prevents SonarCloud from trying to analyze authserver source files
- Fixes 'provide compiled classes' error

* fix: Remove module configuration from SonarCloud

- Disabled sonar.modules configuration that scans all directories
- Use flat source structure with explicit paths only
- Should prevent SonarCloud from finding authserver .java files

* fix: Run sonar:sonar only on built modules

- Added -pl flag to sonar:sonar command in both workflows
- Prevents Maven reactor from including authserver module
- Should resolve 'Your project contains .java files' error

* ci: Temporarily exclude authserver from SonarCloud analysis

- Added sonar.skip=true property to openespi-authserver/pom.xml
- Simplified SonarCloud workflow to run from root (Maven auto-skips authserver)
- Added prominent TODO comments emphasizing this is temporary

IMPORTANT: The sonar.skip property MUST be removed when authserver
implementation is complete to re-enable SonarCloud analysis.

This resolves the "project contains .java files, please provide compiled
classes" error by making Maven skip SonarCloud analysis for the
incomplete authserver module.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: dfcoffin

.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git checkout:*)",
+      "Bash(grep:*)"
+    ]
+  }
+}

.github/CI_CD_SETUP.md

@@ -0,0 +1,260 @@
+# CI/CD Setup Guide
+
+This document explains the Continuous Integration and Continuous Deployment (CI/CD) setup for the OpenESPI GreenButton Java monorepo.
+
+## Overview
+
+The project uses **GitHub Actions** for CI/CD with **SonarCloud** integration for code quality analysis.
+
+## Workflows
+
+### 1. Main CI/CD Pipeline (`.github/workflows/ci.yml`)
+
+**Triggers:**
+- Push to `main` or `develop` branches
+- Pull requests to `main` or `develop` branches
+
+**Jobs:**
+
+#### build-and-test
+- Runs on Ubuntu with Java 21
+- Sets up MySQL 8.0 and PostgreSQL 15 services
+- Builds all modules
+- Runs unit tests for each module separately (authserver temporarily excluded)
+- Runs integration tests with TestContainers
+- Generates JaCoCo coverage reports
+- Uploads test results and coverage reports as artifacts
+
+**Note:** The `openespi-authserver` module is temporarily excluded from CI/CD until implementation is complete.
+
+####sonarcloud
+- Depends on successful `build-and-test` job
+- Runs SonarCloud analysis with code coverage
+- Uploads results to SonarCloud dashboard
+- Checks quality gates
+
+#### security-scan
+- Runs OWASP Dependency Check
+- Scans for known vulnerabilities in dependencies
+- Uploads security reports as artifacts
+
+### 2. Pull Request Checks (`.github/workflows/pr-checks.yml`)
+
+**Triggers:**
+- Pull request opened, synchronized, or reopened
+
+**Jobs:**
+
+#### pr-validation
+- Validates PR title follows conventional commits format
+- Checks code formatting with Spotless
+- Runs quick tests on core modules
+- Security vulnerability scan with CVSS threshold
+
+#### sonarcloud-pr
+- Runs SonarCloud analysis specific to the PR
+- Provides inline PR comments with code quality issues
+- Only runs for PRs from the same repository (not forks)
+
+## SonarCloud Configuration
+
+### Required Secrets
+
+Add these secrets in GitHub repository settings (`Settings > Secrets and variables > Actions`):
+
+1. **SONAR_TOKEN**
+   - Generate from [SonarCloud Account](https://sonarcloud.io/account/security)
+   - Go to SonarCloud → My Account → Security → Generate Token
+   - Add as repository secret in GitHub
+
+2. **GITHUB_TOKEN**
+   - Automatically provided by GitHub Actions
+   - No manual configuration needed
+
+### SonarCloud Project Setup
+
+1. **Import Project to SonarCloud:**
+   ```bash
+   # Visit https://sonarcloud.io
+   # Click "+" → Analyze new project
+   # Select "GreenButtonAlliance/OpenESPI-GreenButton-Java"
+   # Choose "With GitHub Actions"
+   ```
+
+2. **Configure Organization:**
+   - Organization key: `greenbuttonalliance`
+   - Project key: `GreenButtonAlliance_OpenESPI-GreenButton-Java`
+
+3. **Quality Gate:**
+   - Uses SonarCloud default quality gate
+   - Can be customized in SonarCloud project settings
+
+### Configuration Files
+
+- **`sonar-project.properties`** - Main SonarCloud configuration
+  - Defines project structure
+  - Configures coverage paths
+  - Sets exclusions
+  - Defines module structure
+
+- **`pom.xml`** - Maven configuration
+  - SonarCloud Maven plugin version
+  - JaCoCo coverage plugin
+  - SonarCloud properties
+
+## Code Coverage
+
+### JaCoCo Configuration
+
+- Minimum coverage: 50% line coverage
+- Reports generated in: `**/target/site/jacoco/`
+- XML reports uploaded to SonarCloud
+
+### Viewing Coverage
+
+1. **Locally:**
+   ```bash
+   mvn clean test jacoco:report
+   open openespi-common/target/site/jacoco/index.html
+   ```
+
+2. **SonarCloud:**
+   - Visit https://sonarcloud.io/project/overview?id=GreenButtonAlliance_OpenESPI-GreenButton-Java
+   - View coverage metrics and trends
+
+## Running CI/CD Locally
+
+### Run Tests Locally
+```bash
+# All tests
+mvn clean test
+
+# Specific module
+mvn test -pl openespi-common
+
+# With coverage
+mvn clean test jacoco:report
+```
+
+### Run SonarCloud Analysis Locally
+```bash
+# Set SONAR_TOKEN environment variable
+export SONAR_TOKEN=your-token-here
+
+# Run analysis
+mvn clean verify sonar:sonar \
+  -Dsonar.projectKey=GreenButtonAlliance_OpenESPI-GreenButton-Java \
+  -Dsonar.organization=greenbuttonalliance \
+  -Dsonar.host.url=https://sonarcloud.io
+```
+
+### Run Integration Tests
+```bash
+# Requires Docker running
+mvn verify -Pintegration-tests
+```
+
+## Database Services in CI
+
+GitHub Actions workflows include MySQL and PostgreSQL services for testing:
+
+- **MySQL 8.0**: Port 3306
+  - Database: `test_db`
+  - User: `root`
+  - Password: `root`
+
+- **PostgreSQL 15**: Port 5432
+  - Database: `test_db`
+  - User: `postgres`
+  - Password: `postgres`
+
+## Troubleshooting
+
+### Tests Failing in CI but Pass Locally
+
+1. **Check Java version:**
+   - CI uses Java 21 (Temurin distribution)
+   - Verify local Java version: `java -version`
+
+2. **Database issues:**
+   - CI uses MySQL 8.0 and PostgreSQL 15
+   - Check local database versions match
+
+3. **Environment variables:**
+   - Review `SPRING_PROFILES_ACTIVE` settings
+   - Check application-test.yml configuration
+
+### SonarCloud Analysis Fails
+
+1. **Token issues:**
+   - Verify `SONAR_TOKEN` secret is set correctly
+   - Check token hasn't expired
+
+2. **Quality gate failures:**
+   - Review SonarCloud dashboard for issues
+   - Check coverage requirements met (minimum 50%)
+
+3. **Build failures:**
+   - Ensure `mvn clean verify` succeeds locally
+   - Check all tests pass before SonarCloud analysis
+
+### Security Scan Issues
+
+1. **OWASP Dependency Check:**
+   - Review `target/dependency-check-report.html`
+   - Update vulnerable dependencies
+   - Use `mvn versions:display-dependency-updates`
+
+## Migration from CircleCI
+
+The old CircleCI configuration (`openespi-thirdparty/.circleci/config.yml`) is deprecated:
+
+**Issues with old config:**
+- Used Java 8 (outdated)
+- Tests were skipped
+- Only covered ThirdParty module
+- Hardcoded SonarCloud token (security risk)
+
+**Migration benefits:**
+- Modern Java 21
+- All modules tested
+- Secure token management
+- Full monorepo support
+- Better integration with GitHub
+
+### Deprecation Notice
+
+The CircleCI configuration should be removed after verifying GitHub Actions workflows are working correctly.
+
+## Best Practices
+
+1. **Never commit tokens:**
+   - Always use GitHub Secrets
+   - Never hardcode in workflow files
+
+2. **Run tests before push:**
+   ```bash
+   mvn clean test
+   ```
+
+3. **Check coverage locally:**
+   ```bash
+   mvn clean test jacoco:report
+   ```
+
+4. **Review SonarCloud before merging:**
+   - Check quality gate status
+   - Review new issues in PR
+
+5. **Keep dependencies updated:**
+   - Run `mvn versions:display-dependency-updates` regularly
+   - Address security vulnerabilities promptly
+
+## Support
+
+For help with CI/CD setup and configuration:
+
+- **GitHub Actions**: https://docs.github.com/en/actions
+- **SonarCloud**: https://docs.sonarcloud.io
+- **JaCoCo**: https://www.jacoco.org/jacoco/trunk/doc/
+- **Issues**: https://github.com/GreenButtonAlliance/OpenESPI-GreenButton-Java/issues