@brettchaldecott brettchaldecott commented Oct 1, 2025

Explain your changes

  • Add CI workflow for automated testing and validation
  • Add prerelease workflow for snapshot builds and testing
  • Add release workflow for automated Maven Central publishing
  • Configure JReleaser for streamlined release management
  • Enable automated build, test, and deployment pipeline
  • Support both snapshot and stable release processes

Summary by CodeRabbit

  • Chores
    • Added CI workflows to build and test across Java 17 & 21 with artifact and test-report uploads.
    • Added PR security and code-quality checks (dependency scanning, SpotBugs/PMD/Checkstyle).
    • Added manual prerelease and release workflows with versioning, optional test skipping, GPG signing, artifact publishing, and run summaries.
    • Added centralized multi-module release configuration, changelog-driven release notes, and publishing/signing setup.
  • Tests
    • Automated test execution with report generation, artifact retention, and conditional test steps.

- Add CI workflow for automated testing and validation
- Add prerelease workflow for snapshot builds and testing
- Add release workflow for automated Maven Central publishing
- Configure JReleaser for streamlined release management
- Enable automated build, test, and deployment pipeline
- Support both snapshot and stable release processes

coderabbitai bot commented Oct 1, 2025

Walkthrough

Adds three GitHub Actions workflows (CI, prerelease, release) and a JReleaser configuration enabling multi-module publishing, signing, changelog-driven release notes, artifact uploads, and PR-specific security/quality checks; workflows support matrix builds, Maven caching, conditional tests, GPG setup, and artifact retention.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI workflow `.github/workflows/ci.yml` | New CI workflow: JDK matrix (Java 17/21), Maven test/build jobs, test report generation and upload, Maven caching, artifact uploads, OWASP dependency-check and code-quality jobs (SpotBugs/PMD/Checkstyle) for PRs. |
| Pre-release workflow `.github/workflows/prerelease.yml` | New manual prerelease workflow: inputs for version/prerelease_type/skip_tests, JDK/Maven setup with cache, conditional tests, build (skip-tests option), GPG import from secrets, JReleaser prerelease invocation, artifact upload, run summary. |
| Release workflow `.github/workflows/release.yml` | New manual release workflow: inputs for version/release_type/skip_tests, conditional tests, build with optional test skip, GPG setup, JReleaser release invocation with dynamic args, artifact upload, run summary and release-note generation. |
| Release config `jreleaser.yml` | New JReleaser config: project metadata, GitHub release settings, conventional changelog, five distributions (multi-module) with Maven Central publishing and signing configuration, Nexus/OSSRH credential placeholders, announcers disabled. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant MVN as Maven
  participant QC as Quality Tools
  participant SEC as OWASP DepCheck
  participant Store as Artifact Store

  Dev->>GH: Push / Open PR
  GH->>GH: Matrix build (Java 17, 21)
  GH->>MVN: mvn test (uses cache)
  MVN-->>GH: Test reports
  GH->>Store: Upload test artifacts
  par Static analysis & security (PRs)
    GH->>QC: SpotBugs / PMD / Checkstyle
    GH->>SEC: Dependency-Check
  end
  GH->>MVN: mvn -DskipTests package
  GH->>Store: Upload build artifacts
sequenceDiagram
  autonumber
  actor Op as Operator
  participant GH as GitHub Actions
  participant MVN as Maven
  participant GPG as GPG Setup
  participant JR as JReleaser
  participant OSSRH as Maven Central (OSSRH)
  participant GHRel as GitHub Releases
  participant Store as Artifact Store

  Op->>GH: workflow_dispatch (version, type, skip_tests)
  opt run tests
    GH->>MVN: mvn test
  end
  GH->>MVN: mvn -DskipTests package
  GH->>GPG: Import keys from secrets
  GH->>JR: Run JReleaser (args from inputs)
  JR->>OSSRH: Publish & sign artifacts
  JR->>GHRel: Create release / tag / notes
  GH->>Store: Upload jreleaser/output/*
  GH-->>Op: Append run summary (version, type, tests skipped, link)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • DaveOrDead
  • rairaman

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title succinctly and clearly summarizes the addition of GitHub Actions workflows and the JReleaser configuration, reflecting the principal changes introduced in the pull request without extraneous details. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38f281d and ed40fc2.

📒 Files selected for processing (1)
  • jreleaser.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • jreleaser.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build

codecov bot commented Oct 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (10)
jreleaser.yml (1)

15-20: Library coordinates: verify mainClass.

For SDK modules, project.java.mainClass is typically unnecessary and can be omitted. Confirm it’s intentional; otherwise remove to avoid confusion.

.github/workflows/ci.yml (4)

31-37: Duplicate Maven caching; prefer one cache.

You’re using actions/setup-java@v4 with cache: maven and also actions/cache@v4 on ~/.m2. This double-caches and can cause cache churn. Drop the explicit actions/cache steps and rely on setup‑java’s cache.

Apply this diff in all jobs:

-      - name: Cache Maven dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
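
Review bot: before deleting this step in the jobs at 75-81 and 144-150 as well, confirm that each of those jobs' setup-java step carries `cache: maven`; the hunk shows only the removal, and a job without that setting would silently lose dependency caching.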

Also applies to: 75-81, 144-150


110-117: Pin the OWASP Dependency‑Check action; avoid @main.

Using @main is mutable and risky. Pin to a tagged release or a commit SHA to improve supply‑chain safety. Also consider setting JAVA_HOME: /opt/jdk if you see JAVA_HOME errors when combined with setup‑java, as per the action’s docs.

Example:

-        uses: dependency-check/Dependency-Check_Action@main
+        uses: dependency-check/Dependency-Check_Action@vX.Y.Z # or a commit SHA
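
Review bot: on the `+` line, prefer the commit SHA over the `vX.Y.Z` tag. A tag can be moved to a different commit just as a branch can, so only a full 40-character commit SHA makes the reference immutable; keep the version as a trailing comment so the pin stays readable.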

The action recommends pinning and notes the JAVA_HOME caveat. (github.com)


12-19: Matrix: consider fail-fast: false.

Prevents one JDK failure from cancelling the other matrix runs; improves debuggability.

     strategy:
+      fail-fast: false
       matrix:
         java-version: [17, 21]

1-11: Tighten default permissions.

Add minimal permissions at the workflow level (e.g., permissions: contents: read) to follow least‑privilege.

 name: CI
+
+permissions:
+  contents: read
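
Review bot: a workflow-level `permissions:` block sets every scope it does not list to none, so with only `contents: read` any job here that posts check runs or PR comments will start failing. Grant those jobs the extra scope in a job-level `permissions:` block rather than widening the workflow default.
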
.github/workflows/release.yml (3)

55-61: Remove duplicate Maven cache; rely on setup‑java cache.

Same as CI: drop the explicit actions/cache@v4 step.

-      - name: Cache Maven dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
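
Review bot: `path: ~/.m2` in the removed step caches the whole Maven home rather than only `~/.m2/repository`, so in a release job it can also save a `settings.xml` written for publishing. That makes this removal worth doing for credential hygiene as well as speed; if an explicit cache is ever reintroduced, scope its path to `~/.m2/repository`.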

Also applies to: 55-61


41-47: Checkout token: default is sufficient.

actions/checkout@v4 already uses GITHUB_TOKEN. You can remove the explicit token unless you need a PAT.

       - name: Checkout
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          fetch-depth: 0
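
Review bot: the resulting `with:` block keeps only `fetch-depth: 0`, which leaves actions/checkout's default of persisting the token in the local git config for the rest of the job. In a job that goes on to run Maven and JReleaser, consider adding `persist-credentials: false` unless a later step pushes with git.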

29-40: Add concurrency control to prevent overlapping releases.

Protects against accidental double publishes.

 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    concurrency:
+      group: release-${{ github.ref }}
+      cancel-in-progress: true
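
Review bot: `cancel-in-progress: true` on the release job means a second dispatch kills a run that may already be partway through publishing, which can leave a tag or a partial upload behind. Use `cancel-in-progress: false` so the later run queues behind the one in flight.
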
.github/workflows/prerelease.yml (2)

54-60: Remove duplicate Maven cache; rely on setup‑java cache.

Same rationale as CI/release.

-      - name: Cache Maven dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2

28-39: Add concurrency control to prevent overlapping prereleases.

Use a group keyed by version input.

 jobs:
   prerelease:
     name: Pre-release
     runs-on: ubuntu-latest
+    concurrency:
+      group: prerelease-${{ inputs.version }}
+      cancel-in-progress: true
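
Review bot: keying the group on `inputs.version` only serialises runs that pass the identical version string, so two prereleases with different versions can still publish at the same time. If the intent is one prerelease at a time, use a fixed group name, and set `cancel-in-progress: false` so an in-flight publish is not interrupted.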
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06d1f02 and 6899db9.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml (1 hunks)
  • .github/workflows/prerelease.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • jreleaser.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*

⚙️ CodeRabbit configuration file

**/*: Please focus on:

  1. Code quality and best practices
  2. Security considerations
  3. Performance implications
  4. Test coverage and quality
  5. API design and consistency
  6. Error handling and edge cases

For Java code specifically:

  • Check for proper exception handling
  • Verify async method implementations
  • Review builder pattern usage
  • Validate test coverage
  • Check for memory leaks in async operations

Ignore:

  • Generated code files
  • Build artifacts
  • Configuration files
  • Documentation formatting

Files:

  • jreleaser.yml
🪛 YAMLlint (1.37.1)
jreleaser.yml

[error] 26-26: duplication of key "name" in mapping

(key-duplicates)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (1)
jreleaser.yml (1)

212-246: Changelog + GitHub release notes conflict. Pick one.

You’ve enabled changelog and attempted to enable GitHub “generated release notes.” JReleaser supports either its own changelog or GitHub’s releaseNotes, not both. The diff above disables releaseNotes; alternatively, disable changelog if you prefer GitHub’s notes.

Confirm the intended source of truth (JReleaser changelog vs GitHub release notes) and keep only one enabled. (jreleaser.org)
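
The two supply-chain points in the review above (a mutable `@main` action reference and a missing workflow-level `permissions:` block) can be checked mechanically. The following is an added example, not part of the PR or of CodeRabbit's review: the sample workflow is constructed, and `audit_workflow`, `classify_ref` and the branch-name list are hypothetical helpers that use a line-based scan rather than a YAML parser.

```python
import re

# Constructed sample workflow (not the PR's ci.yml); action names are from the review.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
      - name: Dependency check
        uses: dependency-check/Dependency-Check_Action@main
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_NAMES = {"main", "master", "develop", "trunk"}  # assumed heuristic list


def classify_ref(ref):
    """Classify the part after '@' in a `uses:` value."""
    if SHA_RE.match(ref):
        return "sha"
    if ref in BRANCH_NAMES:
        return "branch"
    return "tag"  # anything else is treated as a tag, which is still movable


def audit_workflow(text):
    """Return (findings, has_top_level_permissions) for one workflow file."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if re.match(r"^permissions\s*:", line):  # column 0 = workflow level
            has_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue  # local actions and container images are out of scope
        action, ref = target.rsplit("@", 1)
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((lineno, action, ref, kind))
    return findings, has_permissions
```

Run over each file under `.github/workflows/`, a non-empty findings list or a `False` flag is a reasonable condition for failing a PR check.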

- Update prerelease workflow with improved build and test steps
- Enhance release workflow for better Maven Central deployment
- Refine JReleaser configuration for more robust release process
- Improve error handling and logging in CI/CD pipelines
- Optimize workflow triggers and conditions for better automation

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

55-61: Remove the extra Maven cache.

actions/setup-java@v4 already restores and saves the Maven repository because you enabled cache: maven, so this additional actions/cache step on ~/.m2 is redundant. It adds risk of persisting transient config files (for example settings.xml with credentials) and can slow the workflow when both caches contend for the same path. Drop this block and let the Java setup action manage the cache on its own.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6899db9 and 38f281d.

📒 Files selected for processing (3)
  • .github/workflows/prerelease.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • jreleaser.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/prerelease.yml
  • jreleaser.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build

- Update JReleaser YAML configuration with latest settings
- Improve release automation and deployment pipeline
- Refine artifact publishing and distribution settings
- Enhance release metadata and changelog generation
- Optimize Maven Central deployment configuration
@brettchaldecott
Contributor Author

This needs more testing
