ci: add verification-only Maven workflow

[wisdommen]

Summary

• Add verification-only Maven CI workflow.
• Uses Temurin Java 8, Maven cache, mvn -B test, and mvn -B package.
• No deploy/publish/release behavior.

Scope

• Only .github/workflows/maven-ci.yml is included in this PR.
• Local untracked PROJECT.md was not staged, committed, or pushed.

Verification

• Local static workflow contract check passed.
• Workspace PROJECT.md validator passed: 27 pass / 0 warn / 0 fail / 22 skipped.

Summary by CodeRabbit

• Chores
  • Implemented GitHub Actions continuous integration workflow that automatically executes Maven build verification and packaging on all repository pushes and pull requests
  • Updated test framework dependencies to improve compatibility and stability in the testing infrastructure

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds a GitHub Actions continuous integration workflow for Maven-based testing and packaging on all pushes and pull requests, and downgrades Mockito test dependencies to version 4.11.0 to ensure compatibility with the build environment.

Changes

Build Infrastructure and Dependency Management

Layer / File(s)	Summary
GitHub Actions Maven CI workflow .github/workflows/maven-ci.yml	New workflow triggered on all branch pushes and pull requests, configured with read-only permissions. Checks out code, sets up Temurin JDK 8 with Maven cache, then runs mvn -B test and mvn -B package.
Mockito dependency version update pom.xml	Test dependencies for mockito-junit-jupiter and mockito-inline are updated from version 5.5.0 to 4.11.0 in the Mockito section.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow springs to life, with each push and pull,
Maven tests dance freely, the CI pipeline's full,
Mockito steps backward—a version, nothing more,
Build automation clicks into place at the door! 🔧

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the primary change: adding a GitHub Actions Maven workflow for verification purposes. It is clear, specific, and concise.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/project-md

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/maven-ci.yml (1)

27-31: ⚡ Quick win

Avoid duplicate test execution in CI.

Line 28 runs tests, then Line 31 runs package which runs tests again by default. This increases CI time with no extra coverage.

⚡ Suggested simplification

-      - name: Run tests
-        run: mvn -B test
-
-      - name: Build package
-        run: mvn -B package
+      - name: Verify build
+        run: mvn -B verify

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-ci.yml around lines 27 - 31, The CI is running tests
twice: the "Run tests" step runs mvn -B test, and the "Build package" step runs
mvn -B package which invokes tests again; to avoid duplicate execution, keep the
"Run tests" step and modify the "Build package" step to skip tests by changing
its command to mvn -B package -DskipTests (or alternatively remove the separate
test step and run mvn -B package once), updating the step named "Build package"
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven-ci.yml:
- Around line 17-25: In .github/workflows/maven-ci.yml pin the GitHub Actions
used (replace actions/checkout@v4 and actions/setup-java@v4 with specific commit
SHAs) and add persist-credentials: false to the Checkout step to harden
credentials; also fix the duplicate Maven test runs by either removing the mvn
-B test step or adding -DskipTests (or -Dmaven.test.skip) to the mvn -B package
invocation so tests aren’t executed twice; likewise pin actions/setup-java and
actions/setup-node in .github/workflows/publish.yml to specific commit SHAs.

---

Nitpick comments:
In @.github/workflows/maven-ci.yml:
- Around line 27-31: The CI is running tests twice: the "Run tests" step runs
mvn -B test, and the "Build package" step runs mvn -B package which invokes
tests again; to avoid duplicate execution, keep the "Run tests" step and modify
the "Build package" step to skip tests by changing its command to mvn -B package
-DskipTests (or alternatively remove the separate test step and run mvn -B
package once), updating the step named "Build package" accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7954f3b2-fedf-4faa-80d6-b862e6d7abd1

📥 Commits

Reviewing files that changed from the base of the PR and between ebec1bd and fec89a5.

📒 Files selected for processing (2)

• .github/workflows/maven-ci.yml
• pom.xml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Unpinned action refs (should be empty):"
rg -nP '^\s*uses:\s*[^@\s]+@(?![0-9a-fA-F]{40}\b)' .github/workflows || true

echo
echo "Checkout steps for manual verification of persist-credentials:"
rg -nP '^\s*uses:\s*actions/checkout@' .github/workflows -A6 -B1 || true

Repository: UltiKits/UltiBackup

Length of output: 910

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- maven-ci.yml: checkout step ----"
awk 'NR>=1 && NR<=120 {print NR ":" $0}' .github/workflows/maven-ci.yml | sed -n '1,80p' >/tmp/maven_ci_head.txt
# print around checkout and with block
rg -n 'name: Checkout|uses: actions/checkout@|persist-credentials' .github/workflows/maven-ci.yml -n || true
echo
echo "---- maven-ci.yml: mvn invocations ----"
rg -n --fixed-string "mvn -B" .github/workflows/maven-ci.yml || true
echo
echo "---- maven-ci.yml: full steps (small file check) ----"
wc -l .github/workflows/maven-ci.yml
sed -n '1,220p' .github/workflows/maven-ci.yml

Repository: UltiKits/UltiBackup

Length of output: 1243

---

Pin GitHub Actions and harden checkout credentials (plus avoid duplicate Maven test runs)

• .github/workflows/maven-ci.yml: actions/checkout@v4 and actions/setup-java@v4 are unpinned (use commit SHAs) and the checkout step is missing persist-credentials: false.
• .github/workflows/maven-ci.yml: mvn -B test followed by mvn -B package will run tests twice (no -DskipTests/-Dmaven.test.skip is used); remove one step or skip tests for the package build.
• .github/workflows/publish.yml: also contains unpinned actions/setup-java@v4 and actions/setup-node@v4.

🔒 Suggested hardening diff

       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@<40-char-commit-sha>
+        with:
+          persist-credentials: false

       - name: Set up JDK 8
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@<40-char-commit-sha>

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-ci.yml around lines 17 - 25, In
.github/workflows/maven-ci.yml pin the GitHub Actions used (replace
actions/checkout@v4 and actions/setup-java@v4 with specific commit SHAs) and add
persist-credentials: false to the Checkout step to harden credentials; also fix
the duplicate Maven test runs by either removing the mvn -B test step or adding
-DskipTests (or -Dmaven.test.skip) to the mvn -B package invocation so tests
aren’t executed twice; likewise pin actions/setup-java and actions/setup-node in
.github/workflows/publish.yml to specific commit SHAs.