Test Overhaul

[Schmarvinius]

CI/CD and Integration Test Overhaul: CF Bind-Based Service Binding

Refactor

♻️ This PR replaces environment-variable-based and mock-based service credential injection with real Cloud Foundry service bindings via cds bind. Integration tests now discover real service bindings from VCAP_SERVICES using DefaultServiceBindingAccessor, and CI workflows use CF login + npx cds bind for hybrid testing. Mutation testing (Pitest) has also been removed from the build pipeline.

Changes

GitHub Actions & Workflows

• .github/actions/cf-bind/action.yml (new): Composite action that installs CF CLI, logs in to Cloud Foundry, and binds objectstore and malware-scanner services via npx cds bind for hybrid test execution.
• .github/actions/scan-with-codeql/action.yml (new): Extracted CodeQL analysis into a standalone reusable action.
• .github/actions/integration-tests/action.yml: Removed test-type input and direct Maven invocations; tests now run via npx cds bind --exec -- mvn ... from integration-tests/mtx-local working directory.
• .github/actions/build/action.yml: Removed mutation-testing input and Pitest step; build now runs mvn clean install -DskipTests.
• .github/actions/scan-with-sonar/action.yml: Replaced SAP/project-piper-action with direct mvn sonar-maven-plugin:sonar invocation.
• .github/actions/scan-with-blackduck/action.yml: Replaced Piper-based BlackDuck scan with direct detect.sh invocation; renamed step to Get Revision.
• .github/workflows/pipeline.yml: Replaced build job (with matrix) + deploy-snapshot with a spotless check job; integration-tests matrix now uses auth-method × hyperscaler instead of test-type; added CF bind step to both integration-tests and sonarqube-scan jobs; extracted CodeQL into reusable action; removed deploy-snapshot job.
• .github/workflows/main.yml, pr.yml, release.yml: Added top-level permissions blocks; pinned all action references to commit SHAs; removed deploy-snapshot input from workflow calls.
• .github/workflows/issue.yml, prevent-issue-labeling.yml, stale.yml: Moved permissions to job level (permissions: {}at workflow level); pinned action SHAs.
• .github/dependabot.yml: Added cooldown.default-days: 7 for both Maven and GitHub Actions ecosystems; removed version ignore rule for com.sap.cds:*.

Integration Tests (Java)

• AWSClientIT, AzureClientIT, GoogleClientIT: Replaced environment variable + Mockito mock pattern with DefaultServiceBindingAccessor to discover real objectstore bindings from VCAP_SERVICES.
• AwsMtxOssStorageTest, AzureMtxOssStorageTest, GcpMtxOssStorageTest: Same refactor — now read bindings from VCAP_SERVICES instead of env vars.
• MalwareScanClientIT: Reads malware-scanner binding from VCAP_SERVICES; removed normalizePem helper and Mockito mocks.

Build Configuration

• cds-feature-attachments/pom.xml: Removed the entire pitest-maven plugin configuration and its dependencies.
• pom.xml: Removed Pitest plugin version management; consolidated cds.services.version and cds.cdsdk.version properties (removed separate build/latest-test split).
• .pipeline/config.yml: Removed (Piper pipeline config no longer needed).

Documentation

• CLAUDE.md, doc/Design.md: Removed all references to mutation testing; updated workflow descriptions to reflect the new CF bind-based integration test approach.

• 🔄 Regenerate and Update Summary

PR Bot Information

Version: 1.20.37

• Output Template: Default Template
• Correlation ID: 42dd0e65-2635-4e80-8e20-bb0d7f442acd
• LLM: anthropic--claude-4.6-sonnet
• File Content Strategy: Full file content
• Summary Prompt: Default Prompt
• Event Trigger: pull_request.opened