feat: P4ADEV-1531 add initial example config (#1)

.github/CODEOWNERS

@@ -1 +1,2 @@
 # Add the repository's code owners here
+* @pagopa/p4pa-admins @pagopa/payments-cloud-admin

.github/workflows/codereview.yml

@@ -0,0 +1,49 @@
+name: TEMPLATE-PAYMENTS - Code Review
+
+on:
+  push:
+    branches:
+      - main
+      - uat
+      - develop
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+        with:
+          fetch-depth: 0
+
+      - name: Setup Java
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 #v4.2.1
+        with:
+          distribution: 'corretto'
+          java-version: 21
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x ./gradlew
+
+      - name: Build with Gradle
+        working-directory: ./
+        run: ./gradlew clean build jacocoTestReport
+
+      - name: Sonar Scan
+        working-directory: ./
+        run: >
+          ./gradlew sonar
+          -Dorg.gradle.jvmargs=-Xmx4096M
+          -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.organization=${{ vars.SONARCLOUD_ORG }}
+          -Dsonar.projectKey=${{ vars.SONARCLOUD_PROJECT_KEY }}
+          -Dsonar.projectName="${{ vars.SONARCLOUD_PROJECT_NAME }}"
+          -Dsonar.token=${{ secrets.SONAR_TOKEN }}
+          -Dsonar.sources=src/main
+          -Dsonar.tests=src/test
+          -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/jacoco/test/jacocoTestReport.xml
+          -Dsonar.exclusions='**/enums/**, **/model/**, **/dto/**, **/*Constant*, **/*Config.java, **/*Scheduler.java, **/*Application.java, **/src/test/**, **/Dummy*.java'

.github/workflows/config/trivy.yaml

@@ -0,0 +1,3 @@
+db:
+  repository: "public.ecr.aws/aquasecurity/trivy-db:2"
+  java-repository: "public.ecr.aws/aquasecurity/trivy-java-db:1"

.github/workflows/security-scan.yml

@@ -0,0 +1,70 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Trivy tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.
+name: Container Scan
+
+on:
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop", "uat", "main" ]
+  workflow_dispatch:
+  schedule:
+    - cron: '00 07 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  BuildAndScan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    outputs:
+      CVE_CRITICAL: ${{env.CVE_CRITICAL}}
+      CVE_HIGH: ${{env.CVE_HIGH}}
+      CVE_MEDIUM: ${{env.CVE_MEDIUM}}
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+      - name: Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled
+        id: scan
+        uses: aquasecurity/[email protected] #v0.28.0
+        with:
+          trivy-config: 'config/trivy.yaml'
+          image-ref: "localbuild/testimage:latest"
+          format: 'sarif'
+          output: 'results.sarif'
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@99c9897648dded3fe63d6f328c46089dd57735ca #codeql bundle v2.17.0
+        with:
+          sarif_file: 'results.sarif'
+      - name: CVE Description escaped extraction and print
+        run: |
+          SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
+          echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
+          echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
+          echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
+
+          echo $SCAN_RESULTS
+      - name: Fails if CVE HIGH or CRITICAL are detected
+        id: cve-threshold
+        if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
+        run: exit 1
+  SendSlackNotification:
+    needs: BuildAndScan
+    uses: ./.github/workflows/send-notification.yml
+    if: always() && (needs.BuildAndScan.outputs.CVE_HIGH > 0 || needs.BuildAndScan.outputs.CVE_CRITICAL > 0)
+    with:
+      CVE_CRITICAL: ${{needs.BuildAndScan.outputs.CVE_CRITICAL}}
+      CVE_HIGH: ${{needs.BuildAndScan.outputs.CVE_HIGH}}
+      CVE_MEDIUM: ${{needs.BuildAndScan.outputs.CVE_MEDIUM}}
+    secrets: inherit

.github/workflows/send-notification.yml

@@ -0,0 +1,49 @@
+name: "Send notification"
+
+on:
+  workflow_call:
+    inputs:
+      CVE_CRITICAL:
+        required: true
+        type: string
+      CVE_HIGH:
+        required: true
+        type: string
+      CVE_MEDIUM:
+        required: true
+        type: string
+    secrets:
+      SLACK_WEBHOOK_URL:
+        required: true
+
+jobs:
+  Notify:
+    name: Notify Slack
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send notification to Slack
+        id: slack
+        uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 #v1.25.0
+        with:
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "header",
+                  "text": {
+                    "type": "plain_text",
+                    "text": "[ ${{ github.event.repository.name }} ]"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": " `CRITICAL` : *${{ inputs.CVE_CRITICAL }}*\n\n`HIGH` : *${{ inputs.CVE_HIGH }}*\n\n`MEDIUM` : *${{ inputs.CVE_MEDIUM }}*\n\n<https://github.com/${{ github.repository }}/security/code-scanning${{ github.event.pull_request.number != '' && format('?query=pr:{0}', github.event.pull_request.number) || '' }} | See details on GitHub>"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

Dockerfile

@@ -0,0 +1,156 @@
+# syntax=docker/dockerfile:1.4
+
+#
+# 🎯 Version Management
+#
+ARG CORRETTO_VERSION="21-alpine3.17"
+ARG CORRETTO_SHA="6ed399441760d860717318db95fc50846bd0173145ec728733e69b782ead78e4"
+ARG GRADLE_VERSION="8.10.2"
+ARG GRADLE_DOWNLOAD_SHA256="31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26"
+ARG APPINSIGHTS_VERSION="3.5.2"
+
+# 🌍 Timezone Configuration
+ARG TZ="Europe/Rome"
+
+# 🔧 Build Configuration
+ARG GRADLE_OPTS="-Dorg.gradle.daemon=false \
+    -Dorg.gradle.parallel=true \
+    -Dorg.gradle.caching=true \
+    -Dorg.gradle.configureondemand=true \
+    -Dorg.gradle.jvmargs=-Xmx2g"
+
+# 👤 App Configuration
+ARG APP_USER="appuser"
+ARG APP_GROUP="appgroup"
+ARG APP_HOME="/app"
+ARG GRADLE_HOME="/opt/gradle"
+
+#
+# 📥 Base Setup Stage
+#
+FROM amazoncorretto:${CORRETTO_VERSION}@sha256:${CORRETTO_SHA} AS base
+ARG APP_USER
+ARG APP_GROUP
+
+# Install base packages
+RUN apk add --no-cache \
+    wget \
+    unzip \
+    bash \
+    shadow
+
+# Create Gradle user
+RUN groupadd --system --gid 1000 ${APP_GROUP} && \
+    useradd --system --gid ${APP_GROUP} --uid 1000 --shell /bin/bash --create-home ${APP_USER}
+
+#
+# 📦 Gradle Setup Stage
+#
+FROM base AS gradle-setup
+ARG GRADLE_VERSION
+ARG GRADLE_DOWNLOAD_SHA256
+ARG GRADLE_HOME
+ARG GRADLE_OPTS
+ARG APP_USER
+ARG APP_GROUP
+
+# Set environment variables for Gradle
+ENV GRADLE_OPTS="${GRADLE_OPTS}"
+ENV GRADLE_HOME="${GRADLE_HOME}"
+ENV PATH="${GRADLE_HOME}/bin:${PATH}"
+
+WORKDIR /tmp
+
+# Download and verify Gradle with progress bar
+RUN echo "Downloading Gradle ${GRADLE_VERSION}..." && \
+    wget --progress=bar:force --output-document=gradle.zip \
+        "https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-bin.zip" && \
+    echo "Verifying download..." && \
+    echo "${GRADLE_DOWNLOAD_SHA256}  gradle.zip" | sha256sum -c - && \
+    echo "Installing Gradle..." && \
+    unzip -q gradle.zip && \
+    mv "gradle-${GRADLE_VERSION}" "${GRADLE_HOME}" && \
+    ln -s "${GRADLE_HOME}/bin/gradle" /usr/bin/gradle && \
+    rm gradle.zip && \
+    # Setup Gradle user directories
+    mkdir -p /home/${APP_USER}/.gradle && \
+    chown --recursive ${APP_USER}:${APP_GROUP} /home/${APP_USER} && \
+    # Verify installation
+    echo "Verifying Gradle installation..." && \
+    gradle --version
+
+# Create Gradle volume
+VOLUME /home/${APP_USER}/.gradle
+
+#
+# 📚 Dependencies Stage
+#
+FROM gradle-setup AS dependencies
+
+WORKDIR /build
+
+# Copy build configuration
+COPY --chown=${APP_USER}:${APP_GROUP} build.gradle.kts settings.gradle.kts ./
+COPY --chown=${APP_USER}:${APP_GROUP} gradle.lockfile ./
+COPY --chown=${APP_USER}:${APP_GROUP} openapi openapi/
+
+# Generate OpenAPI stubs and download dependencies
+RUN mkdir -p src/main/java && \
+    chown -R ${APP_USER}:${APP_GROUP} /build && \
+    chmod -R 775 /build
+
+USER ${APP_USER}
+
+RUN gradle openApiGenerate dependencies --no-daemon
+
+#
+# 🏗️ Build Stage
+#
+FROM dependencies AS build
+
+# Copy source code
+COPY --chown=${APP_USER}:${APP_GROUP} src src/
+
+# Build application
+RUN gradle bootJar --no-daemon
+
+#
+# 🚀 Runtime Stage
+#
+FROM amazoncorretto:${CORRETTO_VERSION}@sha256:${CORRETTO_SHA} AS runtime
+ARG APP_USER
+ARG APP_GROUP
+ARG APP_HOME
+ARG APPINSIGHTS_VERSION
+ARG TZ
+
+WORKDIR ${APP_HOME}
+
+# Set timezone environment variable
+ENV TZ=${TZ}
+
+# 🛡️ Security Setup and Timezone
+RUN apk upgrade --no-cache && \
+    apk add --no-cache \
+        tini \
+        curl \
+        # Configure timezone + ENV=TZ
+        tzdata && \
+    # Create user and group
+    addgroup -S ${APP_GROUP} && \
+    adduser -S ${APP_USER} -G ${APP_GROUP}
+
+# 📦 Copy Artifacts
+COPY --from=build /build/build/libs/*.jar ${APP_HOME}/app.jar
+ADD --chmod=644 https://github.com/microsoft/ApplicationInsights-Java/releases/download/${APPINSIGHTS_VERSION}/applicationinsights-agent-${APPINSIGHTS_VERSION}.jar ${APP_HOME}/applicationinsights-agent.jar
+
+# 📝 Set Permissions
+RUN chown -R ${APP_USER}:${APP_GROUP} ${APP_HOME}
+
+# 🔌 Container Configuration
+EXPOSE 8080
+USER ${APP_USER}
+
+# 🎬 Startup Configuration
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["java", "-jar", "/app/app.jar"]

README.md

@@ -1,3 +1,54 @@
-# template-payments-java-repository
+# Example Repository Template
 
-A starter template for application projects, featuring standard GitHub Actions workflows and a Terraform setup (AZURE) for managing GitHub variables and secrets.
+This repository serves as an **example template** to kick-start your projects with pre-configured files and folders for **OpenAPI**, **Helm**, **Gradle**, **Java**, and **JUnit testing**. It is designed to streamline the initial setup of new projects and ensure consistency in project structure.
+
+---
+
+## 📂 Repository Structure
+
+Here is a quick overview of the files and directories included in this repository:
+
+```plaintext
+.
+├── .github/            # GitHub configuration files
+├── openapi/            # OpenAPI specification files
+├── helm/               # Helm charts for Kubernetes deployments
+├── src/                # Source code for the Java application
+│   ├── main/
+│   └── test/
+├── build.gradle.kts    # Gradle build file
+├── settings.gradle.kts # Gradle settings file
+├── Dockerfile          # Docker build file
+├── README.md           # Project documentation
+└── .gitignore          # Git ignore rules
+```
+
+## 🚀 Features
+
+### 📜 OpenAPI
+- Example OpenAPI specification file (`template-payments-java-repository.openapi.yaml`) to document your RESTful APIs.
+- Compatible with tools like Swagger and Postman.
+
+### ⚙️ Helm
+- Template Helm charts for deploying your Java application on Kubernetes.
+- Includes `values.yaml` for parameter configuration and pre-defined deployment manifests.
+
+### 🔧 Gradle
+- `build.gradle` file with dependencies and plugins for building, testing, and running your Java application.
+- Compatible with Java 8+.
+
+### ☕ Java
+- Example Java application structure with a simple `HelloWorld` class.
+
+### ✅ JUnit
+- Example JUnit test cases under the `test/` directory to help you get started with unit testing.
+
+---
+
+## 🛠️ Getting Started
+
+### Prerequisites
+Ensure the following tools are installed on your machine:
+1. **Java 21+**
+2. **Gradle** (or use the Gradle wrapper included in the repository)
+3. **Docker** (for Helm-related tasks, optional)