chore: update GitHub Actions to use reusable workflows

- Update project.yml to new structured schema format
- Replace inline maven.yml with reusable workflow caller
- Replace inline maven-release.yml with reusable release.yml caller
- Add scorecards.yml for OpenSSF Scorecard security analysis
- Add dependency-review.yml for PR dependency scanning

All workflows now call cuioss-organization reusable workflows
pinned to v0.2.0 (SHA: 288f393bf5407c87ffd95c128cdf694761941308)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: cuioss-oliver

.github/project.yml

@@ -1,6 +1,25 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/cuioss/cuioss-organization/main/.github/actions/read-project-config/schema.json
 name: cui-java-module-template
-pages-reference: cui-java-module-template
-sonar-project-key: cuioss_cui-java-module-template
+description: Template for cuioss Java modules
+
 release:
   current-version: 1.0.0
   next-version: 1.1.0-SNAPSHOT
+  create-github-release: true
+
+maven-build:
+  java-versions: '["21","25"]'
+  java-version: '21'
+  enable-snapshot-deploy: true
+  maven-profiles-snapshot: 'release-snapshot,javadoc'
+  maven-profiles-release: 'release,javadoc'
+  npm-cache: false
+
+sonar:
+  project-key: cuioss_cui-java-module-template
+  enabled: true
+  skip-on-dependabot: true
+
+pages:
+  reference: cui-java-module-template
+  deploy-at-release: true

.github/workflows/dependency-review.yml

@@ -0,0 +1,9 @@
+# Example: Copy this to your repo as .github/workflows/dependency-review.yml
+name: Dependency Review
+
+on: [pull_request]
+
+jobs:
+  dependency-review:
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0
+    secrets: inherit

.github/workflows/maven-release.yml

@@ -1,109 +1,18 @@
-name: Master Build
+# Example: Copy this to your repo as .github/workflows/maven.yml
+# Configuration is read from .github/project.yml - no inputs needed!
+name: Maven Build
 
 on:
   push:
-    branches: [ "main", "feature/*" ]
+    branches: [main, "feature/*", "fix/*", "dependabot/**"]
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
+  workflow_dispatch:
 
 jobs:
   build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        version: [ 21,24 ]
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up JDK ${{ matrix.version }}
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: ${{ matrix.version }}
-          distribution: 'temurin'
-          cache: maven
-      - name: Build with Maven, Java ${{ matrix.version }}
-        run: ./mvnw --no-transfer-progress verify -Dmaven.compiler.release=${{ matrix.version }}
-
-  sonar-build:
-    needs: build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Set up JDK 21 for Sonar-build
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          cache: maven
-
-      - name: Cache SonarCloud packages
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
-
-      - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1
-        name: Retrieve project metadata from '.github/project.yml'
-        id: metadata
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          metadata-file-path: '.github/project.yml'
-          local-file: true
-
-      - name: Build and analyze
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: ./mvnw -B --no-transfer-progress verify -Psonar -Dsonar.projectKey=${{steps.metadata.outputs.sonar-project-key}} sonar:sonar
-
-  deploy-snapshot:
-    needs: sonar-build
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up JDK 17 for snapshot release
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE
-          cache: maven
-
-      - name: Extract project version
-        id: project
-        run: echo ::set-output name=version::$(./mvnw --no-transfer-progress help:evaluate -Dexpression=project.version -q -DforceStdout)
-
-      - name: Deploy Snapshot with Maven, version ${{ steps.project.outputs.version }}
-        if: ${{endsWith(steps.project.outputs.version, '-SNAPSHOT')}}
-        run: |
-          ./mvnw -B --no-transfer-progress -Prelease-snapshot,javadoc deploy -Dmaven.test.skip=true
-        env:
-          MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+    # Run on push events, OR on pull_request only if from a fork
+    # This prevents duplicate runs: push handles internal branches, PR handles forks
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0
+    secrets: inherit

.github/workflows/maven.yml

@@ -0,0 +1,19 @@
+# Example: Copy this to your repo as .github/workflows/release.yml
+# Configuration is read from .github/project.yml - no inputs needed!
+name: Release
+
+on:
+  pull_request:
+    types: [closed]
+    paths:
+      - '.github/project.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0
+    secrets: inherit

.github/workflows/release.yml

@@ -0,0 +1,14 @@
+# Example: Copy this to your repo as .github/workflows/scorecards.yml
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: [main]
+
+jobs:
+  analysis:
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@288f393bf5407c87ffd95c128cdf694761941308 # v0.2.0
+    secrets: inherit