Hi Jacopo,

Thanks for this documentation.
I have added a complement about that in https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz#ReleaseManagementGuideforOFBiz-Creatinganewreleasebranch

Jacques

On 25/03/2026 at 11:57, [email protected] wrote:
This is an automated email from the ASF dual-hosted git repository.

jacopoc pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

The following commit(s) were added to refs/heads/trunk by this push:
new cbae69f235 Add README file to document the current CI/CD configuration

cbae69f235 is described below

commit cbae69f23585e840fe8675b50d58aca07ef3139e
Author: Jacopo Cappellato<[email protected]>
AuthorDate: Wed Mar 25 11:36:16 2026 +0100

Add README file to document the current CI/CD configuration

--- .github/README.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/.github/README.md b/.github/README.md new file mode 100644 index 0000000000..4364320fa0 --- /dev/null +++ b/.github/README.md 
@@ -0,0 +1,59 @@ +# GitHub CI/CD Configuration + +## Workflows + +- `gradle.yaml` + Build and checks (style, Javadoc) + → Trigger: push / PR on `trunk` and `release*` + +- `codeql-analysis.yml` + Security analysis (Java + JavaScript) + → Trigger: push / PR + weekly on `trunk` and `release*` + +- `docker-image.yaml` + Build and push images to `ghcr.io/apache/ofbiz` + → Trigger: push on `trunk` / `release*` + tags + +- `dependency-review.yml` + Vulnerability scanning for dependencies in PRs + → Trigger: all PRs + +- `scorecard.yml` + OpenSSF security scorecard + → Trigger: `trunk` + weekly + +### Workflow behavior + +- `push` → uses the workflow from the target branch +- `pull_request` → uses the workflow from the source branch +- `schedule` → always uses `trunk` + +Workflows are maintained on all branches (`trunk` and `release*`) using the same triggers. + +New branches inherit workflow files from `trunk` at creation time. + +`scorecard.yml` runs only on `trunk` (default branch). + +## Dependabot + +Read **only from `trunk`**. + +Updates: +- GitHub Actions +- Docker base images +- NPM (`themes/common-theme/.../js`) + +Each ecosystem includes: +- one configuration for `trunk` +- one configuration for each `release*` branch + +## New release branch checklist + +Before creating a new release branch from `trunk`, update `dependabot.yml` (on `trunk`) by adding a `target-branch` entry for: +- npm +- github-actions +- docker + +Then create the release branch. + +Dependabot will automatically keep the new branch up to date. \ No newline at end of file
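Review bot: The `codeql-analysis.yml` entry under "Workflows" lists its trigger as "push / PR + weekly on `trunk` and `release*`", while the "Workflow behavior" list a few lines later states that `schedule` always uses `trunk`, so as written a reader cannot tell whether release branches receive a scheduled security scan or only push/PR scans. Suggest either describing how the weekly job reaches `release*`, or rewording the trigger to separate the two cases (push / PR on `trunk` and `release*`, weekly on `trunk`). The "New release branch checklist" covers adding `target-branch` entries to `dependabot.yml` but has no matching step for removing them when a release branch is retired, which would leave stale entries on `trunk`. Style: the file ends without a trailing newline ("\ No newline at end of file").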
