From 8d9c5ec403c99f0092f61408163474860beea8bf Mon Sep 17 00:00:00 2001
From: Jean-Kevin KPADEY
Date: Sat, 30 May 2026 12:26:37 +0200
Subject: [PATCH 1/2] fix(ci): add actions:read permission for cross-workflow artifact download

---
 .github/workflows/maven-verify.yml | 10 +++++++++-
 .github/workflows/sonar-pr-analysis.yml | 15 ++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/maven-verify.yml b/.github/workflows/maven-verify.yml
index f9cc5d74..1a73fb7f 100644
--- a/.github/workflows/maven-verify.yml
+++ b/.github/workflows/maven-verify.yml
@@ -51,8 +51,14 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: sonar-build
- path: '**/target/'
+ path: |
+ **/target/classes/**
+ **/target/test-classes/**
+ **/target/jacoco.xml
+ **/target/site/jacoco/**
+ **/target/surefire-reports/**
 retention-days: 1
+ if-no-files-found: error
 - name: Upload PR metadata
 if: github.event_name == 'pull_request'
 uses: actions/upload-artifact@v4
@@ -60,6 +66,8 @@ jobs:
 name: pr-meta
 path: .pr-meta/
 retention-days: 1
+ if-no-files-found: error
+ include-hidden-files: true
 
 generate-docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/sonar-pr-analysis.yml b/.github/workflows/sonar-pr-analysis.yml
index 523d2136..1b7ebb12 100644
--- a/.github/workflows/sonar-pr-analysis.yml
+++ b/.github/workflows/sonar-pr-analysis.yml
@@ -7,6 +7,7 @@ on:
 
 permissions:
 contents: read
+ actions: read
 
 jobs:
 sonar:
@@ -22,13 +23,6 @@ jobs:
 path: .pr-meta
 run-id: ${{ github.event.workflow_run.id }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - name: Download build artifacts
- uses: actions/download-artifact@v4
- with:
- name: sonar-build
- path: .
- run-id: ${{ github.event.workflow_run.id }}
- github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Read PR metadata
 id: pr-meta
 run: |
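Review bot: The new `path:` globs are exactly what the downstream sonar-pr-analysis workflow expects to find after it unpacks `sonar-build` into its workspace, yet nothing in the step records that coupling, so a later edit to either side would break the analysis without any build error; `if-no-files-found: error` only fires when no pattern matches at all. Add above `path: |` a comment such as `# Consumed by sonar-pr-analysis.yml (download-artifact into '.'); keep in sync with what the Sonar scan reads`. The step's `- name:` line and any `if:` it carries are above the hunk.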
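Review bot: `include-hidden-files: true` is presumably here because the upload path `.pr-meta/` is a dot-directory that `actions/upload-artifact@v4` skips by default, but the reason is not stated and a reader may remove it as unnecessary. A comment such as `# .pr-meta/ is a dot-directory; v4 excludes hidden files unless this is set` documents it. This artifact is produced by the untrusted PR build and later read by the privileged sonar-pr-analysis workflow, so its contents have to be validated on the consuming side; that point is raised at the download hunk.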
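Review bot: `actions: read` is granted at the workflow level, which is what `actions/download-artifact` needs to fetch artifacts from another run via `run-id`, but next to `contents: read` the grant reads as unexplained. A trailing comment, `actions: read  # download-artifact needs this to read another run's artifacts (run-id)`, records the reason; if further jobs are added later, move both permissions under the `sonar` job so they stay scoped to it. Only the `sonar:` job header is visible in the hunk.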
@@ -41,6 +35,13 @@ jobs:
 with:
 ref: ${{ steps.pr-meta.outputs.head_sha }}
 fetch-depth: 0
+ - name: Download build artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: sonar-build
+ path: .
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Set up JDK
 uses: actions/setup-java@v5
 with:

From 125262dfe48b47295cecb731b6ebed0c187d1e0c Mon Sep 17 00:00:00 2001
From: Jean-Kevin KPADEY
Date: Sat, 30 May 2026 20:39:16 +0200
Subject: [PATCH 2/2] fix(ci): restrict generate-docs to push events and remove dead jacoco path

- generate-docs job now only runs on push to main, not on PRs. Its failure would set workflow conclusion to 'failure' and prevent the sonar-pr-analysis workflow_run trigger from firing.
- Remove dead artifact upload path '**/target/jacoco.xml'; JaCoCo report goal writes to target/site/jacoco/jacoco.xml which is already covered by the '**/target/site/jacoco/**' glob.
---
 .github/workflows/maven-verify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/maven-verify.yml b/.github/workflows/maven-verify.yml
index 1a73fb7f..d62d9da6 100644
--- a/.github/workflows/maven-verify.yml
+++ b/.github/workflows/maven-verify.yml
@@ -54,7 +54,6 @@ jobs:
 path: |
 **/target/classes/**
 **/target/test-classes/**
- **/target/jacoco.xml
 **/target/site/jacoco/**
 **/target/surefire-reports/**
 retention-days: 1
@@ -72,6 +71,7 @@ jobs:
 generate-docs:
 runs-on: ubuntu-latest
 needs: verify
+ if: github.event_name == 'push'
 steps:
 - uses: actions/checkout@v6
 with:
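Review bot: After this move `sonar-build` is unpacked into `.` on top of a checkout whose ref, `steps.pr-meta.outputs.head_sha`, is read by the `Read PR metadata` step from the `pr-meta` artifact of the same PR-triggered run, so both the working tree and the overlaid `target/` contents come from the PR author while this `workflow_run` job runs with the base repository's token (and presumably a Sonar token later in the job, outside the hunk). Any subsequent step that runs a build tool in this workspace would execute PR-controlled inputs with those credentials. A cheap guard is to cross-check the artifact against the trusted event payload before the checkout, as a step `if: steps.pr-meta.outputs.head_sha != github.event.workflow_run.head_sha` with `run: exit 1`, to keep everything after the download to analysis-only steps, and to pass `head_sha` into shells via `env:` rather than `${{ }}` interpolation, since it is PR-supplied text. The `sonar` job starts and ends outside the hunk.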
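Review bot: The new `if:` on `generate-docs` gates on the event type only, while the commit message says the job should run only on push to main; unless the workflow's `on.push` carries a `branches` filter (outside the hunk), pushes to any branch will still run it. `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` matches the stated intent. Skipped jobs do not fail the workflow, so the `workflow_run` trigger stays reachable on PRs as the commit intends. The `generate-docs` job continues past the hunk.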