build: add CI pipeline to publish docker images

.github/actions/gradle-setup/action.yml

@@ -0,0 +1,30 @@
+#
+#  Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+name: "Setup Gradle"
+description: "Setup Gradle"
+runs:
+  using: "composite"
+  steps:
+    # Install Java and cache MVD Gradle build.
+    - uses: actions/setup-java@v3
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+        cache: 'gradle'

.github/actions/push-tag/action.yml

@@ -0,0 +1,93 @@
+#
+#  Copyright (c) 2025 Cofinity-X
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+
+---
+name: "Publish Github release and tag"
+description: "Publish Github release and tag"
+inputs:
+  version:
+    required: true
+    description: "The version to be used in the tag and release publication"
+  token:
+    required: true
+    description: "Github token"
+  is_latest:
+    required: true
+    description: "Boolean that defines if a release is latest or not"
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v4
+    - name: Prepare Git Config
+      shell: bash
+      run: |
+        # Prepare git env
+        git config user.name "eclipse-edc-bot"
+        git config user.email "edc-bot@eclipse.org"
+    - name: Create Release Tag
+      id: create_release_tag
+      shell: bash
+      run: |
+        # informative
+        git branch -a
+        git tag
+
+        # Create & push tag
+        git tag ${{ inputs.version }}
+        git push origin ${{ inputs.version }}
+    - name: Create GitHub Release
+      uses: ncipollo/release-action@v1
+      with:
+        generateReleaseNotes: true
+        tag: ${{ inputs.version }}
+        token: ${{ inputs.token }}
+        makeLatest: ${{ inputs.is_latest }}
+        removeArtifacts: false
+    - uses: ./.github/actions/gradle-setup
+    - name: Set new snapshot version
+      if: ${{ inputs.is_latest }}
+      shell: bash
+      run: |
+        # Extract release version
+        IFS=.- read -r RELEASE_VERSION_MAJOR RELEASE_VERSION_MINOR RELEASE_VERSION_PATCH SNAPSHOT<<<"${{ inputs.version}}"
+        INC=0
+        # Compute new snapshot version, do not increment snapshot on non-final releases, e.g. -rc1
+        if [ -z $SNAPSHOT ]; then
+          # snapshot
+          echo "${{ inputs.version }} is a final release version, increase patch for next snapshot"
+          INC=1
+        else
+          echo "${{ inputs.version }} is not a final release version (contains \"$SNAPSHOT\"), will not increase patch"
+        fi
+
+        VERSION="$RELEASE_VERSION_MAJOR.$((RELEASE_VERSION_MINOR+$INC)).0-SNAPSHOT"
+        SNAPSHOT_VERSION=$VERSION
+
+        # Persist the "version" in the gradle.properties
+        sed -i "s/version=.*/version=$SNAPSHOT_VERSION/g" gradle.properties
+
+        # Persist the "version" in the version catalog
+        sed -i 's/edc\s*=\s*".*"/edc = "$SNAPSHOT_VERSION"/g' gradle/libs.versions.toml
+
+        # Commit and push to origin main
+        git add gradle.properties
+        git commit --message "Introduce new snapshot version $SNAPSHOT_VERSION"
+
+        git push

.github/workflows/build-docker.yaml

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2026 Metaform Systems, Inc.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+#      Metaform Systems, Inc. - initial API and implementation
+#
+
+
+name: Build and Push Launcher Images
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: [ "Verify" ]
+    types:
+      - completed
+    branches: [ main ]
+
+jobs:
+  build-and-push-postgres:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set lowercase repository name
+        id: repo
+        run: |
+          repo_lowercase=$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')
+          echo "repo_lowercase=${repo_lowercase}" >> "$GITHUB_OUTPUT"
+
+
+  build-and-push-docker:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set lowercase repository name
+        id: repo
+        run: |
+          repo_lowercase=$(echo "$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')
+          echo "repo_lowercase=${repo_lowercase}" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ steps.repo.outputs.repo_lowercase }}/${{ matrix.name }}:latest
+            ghcr.io/${{ steps.repo.outputs.repo_lowercase }}/${{ matrix.name }}:${{ github.sha }}
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+          platforms: linux/amd64,linux/arm64

.github/workflows/pull-request.yaml

@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2026 Metaform Systems, Inc.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+#      Metaform Systems, Inc. - initial API and implementation
+#
+
+
+name: Scan Pull Request
+
+on:
+  pull_request:
+    branches: [ main ]
+    types: [ opened, edited, synchronize, reopened, labeled, unlabeled ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check-pull-request-title:
+    runs-on: ubuntu-latest
+    continue-on-error: false
+    steps:
+      - uses: actions/checkout@v6
+      - uses: deepakputhraya/action-pr-title@master
+        with:
+          # Match pull request titles conventional commit syntax (https://www.conventionalcommits.org/en/v1.0.0/)
+          # (online tool for regex quick check: https://regex101.com/r/V5J8kh/1)
+          #
+          # Valid examples would be
+          # - fix: resolve minor issue
+          # - docs(Sample5): update docs for configuration
+          # - feat(management-api)!: change path to access contract agreements
+          #
+          # Invalid examples would be
+          # - Add cool feature
+          # - Feature/some cool improvement
+          # - fix: resolve minor issue.
+          regex: '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\(\w+((,|\/|\\)?\s?\w+)+\))?!?: [\S ]{1,160}[^\.]$'
+          allowed_prefixes: 'build,chore,ci,docs,feat,fix,perf,refactor,revert,style,test'
+          prefix_case_sensitive: true

.github/workflows/verify.yaml

@@ -0,0 +1,58 @@
+#
+# Copyright (c) 2026 Metaform Systems, Inc.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Contributors:
+#      Metaform Systems, Inc. - initial API and implementation
+#
+
+
+---
+name: "Verify"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+  workflow_run:
+    workflows: [ "Draft Release" ]
+    types:
+      - completed
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  verify-license-headers:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: "Check for files without a license header"
+        run: |-
+          # checks all java, yaml, kts and sql files for an Apache 2.0 license header
+          cmd="grep -riL \"SPDX-License-Identifier: Apache-2.0\" --include=\*.{java,ts,html,css,yaml,yml,kts,sql,tf} --exclude-dir={.gradle,\*\openapi} ."
+          violations=$(eval $cmd | wc -l)
+          if [[ $violations -ne 0 ]] ; then
+            echo "::warning::$violations files without license headers were found";
+            eval $cmd;
+          fi
+
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: ./.github/actions/gradle-setup
+      - name: Run Unit tests
+        run: ./gradlew test
+

Dockerfile

@@ -0,0 +1,36 @@
+# Build stage
+FROM gradle:8.5-jdk21 AS build
+WORKDIR /app
+
+# Copy gradle files for dependency caching
+COPY build.gradle settings.gradle gradlew ./
+COPY gradle ./gradle
+
+# Download dependencies (cached layer)
+RUN ./gradlew dependencies --no-daemon
+
+# Copy source code
+COPY src ./src
+
+# Build the application
+RUN ./gradlew bootJar --no-daemon
+
+# Runtime stage
+FROM eclipse-temurin:21-jre-alpine
+WORKDIR /app
+
+# Create non-root user
+RUN addgroup -S spring && adduser -S spring -G spring
+USER spring:spring
+
+# Copy the built jar from build stage
+COPY --from=build /app/build/libs/*.jar app.jar
+
+# Expose application port
+EXPOSE 8081
+
+# Set default profile
+ENV SPRING_PROFILES_ACTIVE=prod
+
+# Run the application
+ENTRYPOINT ["java", "-jar", "app.jar"]

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME