ci: add verification-only Maven workflow#2
Conversation
📝 WalkthroughWalkthroughThis pull request adds a GitHub Actions continuous integration workflow for Maven-based testing and packaging on all pushes and pull requests, and downgrades Mockito test dependencies to version 4.11.0 to ensure compatibility with the build environment. ChangesBuild Infrastructure and Dependency Management
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/maven-ci.yml (1)
27-31: ⚡ Quick winAvoid duplicate test execution in CI.
Line 28 runs tests, then Line 31 runs
packagewhich runs tests again by default. This increases CI time with no extra coverage.⚡ Suggested simplification
- - name: Run tests - run: mvn -B test - - - name: Build package - run: mvn -B package + - name: Verify build + run: mvn -B verify🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/maven-ci.yml around lines 27 - 31, The CI is running tests twice: the "Run tests" step runs mvn -B test, and the "Build package" step runs mvn -B package which invokes tests again; to avoid duplicate execution, keep the "Run tests" step and modify the "Build package" step to skip tests by changing its command to mvn -B package -DskipTests (or alternatively remove the separate test step and run mvn -B package once), updating the step named "Build package" accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/maven-ci.yml:
- Around line 17-25: In .github/workflows/maven-ci.yml pin the GitHub Actions
used (replace actions/checkout@v4 and actions/setup-java@v4 with specific commit
SHAs) and add persist-credentials: false to the Checkout step to harden
credentials; also fix the duplicate Maven test runs by either removing the mvn
-B test step or adding -DskipTests (or -Dmaven.test.skip) to the mvn -B package
invocation so tests aren’t executed twice; likewise pin actions/setup-java and
actions/setup-node in .github/workflows/publish.yml to specific commit SHAs.
---
Nitpick comments:
In @.github/workflows/maven-ci.yml:
- Around line 27-31: The CI is running tests twice: the "Run tests" step runs
mvn -B test, and the "Build package" step runs mvn -B package which invokes
tests again; to avoid duplicate execution, keep the "Run tests" step and modify
the "Build package" step to skip tests by changing its command to mvn -B package
-DskipTests (or alternatively remove the separate test step and run mvn -B
package once), updating the step named "Build package" accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7954f3b2-fedf-4faa-80d6-b862e6d7abd1
📒 Files selected for processing (2)
.github/workflows/maven-ci.ymlpom.xml
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up JDK 8 | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: temurin | ||
| java-version: '8' | ||
| cache: maven |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Unpinned action refs (should be empty):"
rg -nP '^\s*uses:\s*[^@\s]+@(?![0-9a-fA-F]{40}\b)' .github/workflows || true
echo
echo "Checkout steps for manual verification of persist-credentials:"
rg -nP '^\s*uses:\s*actions/checkout@' .github/workflows -A6 -B1 || trueRepository: UltiKits/UltiBackup
Length of output: 910
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- maven-ci.yml: checkout step ----"
awk 'NR>=1 && NR<=120 {print NR ":" $0}' .github/workflows/maven-ci.yml | sed -n '1,80p' >/tmp/maven_ci_head.txt
# print around checkout and with block
rg -n 'name: Checkout|uses: actions/checkout@|persist-credentials' .github/workflows/maven-ci.yml -n || true
echo
echo "---- maven-ci.yml: mvn invocations ----"
rg -n --fixed-string "mvn -B" .github/workflows/maven-ci.yml || true
echo
echo "---- maven-ci.yml: full steps (small file check) ----"
wc -l .github/workflows/maven-ci.yml
sed -n '1,220p' .github/workflows/maven-ci.ymlRepository: UltiKits/UltiBackup
Length of output: 1243
Pin GitHub Actions and harden checkout credentials (plus avoid duplicate Maven test runs)
- .github/workflows/maven-ci.yml:
actions/checkout@v4andactions/setup-java@v4are unpinned (use commit SHAs) and the checkout step is missingpersist-credentials: false. - .github/workflows/maven-ci.yml:
mvn -B testfollowed bymvn -B packagewill run tests twice (no-DskipTests/-Dmaven.test.skipis used); remove one step or skip tests for the package build. - .github/workflows/publish.yml: also contains unpinned
actions/setup-java@v4andactions/setup-node@v4.
🔒 Suggested hardening diff
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@<40-char-commit-sha>
+ with:
+ persist-credentials: false
- name: Set up JDK 8
- uses: actions/setup-java@v4
+ uses: actions/setup-java@<40-char-commit-sha>🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/maven-ci.yml around lines 17 - 25, In
.github/workflows/maven-ci.yml pin the GitHub Actions used (replace
actions/checkout@v4 and actions/setup-java@v4 with specific commit SHAs) and add
persist-credentials: false to the Checkout step to harden credentials; also fix
the duplicate Maven test runs by either removing the mvn -B test step or adding
-DskipTests (or -Dmaven.test.skip) to the mvn -B package invocation so tests
aren’t executed twice; likewise pin actions/setup-java and actions/setup-node in
.github/workflows/publish.yml to specific commit SHAs.
1 participant
Summary
mvn -B test, andmvn -B package.Scope
.github/workflows/maven-ci.ymlis included in this PR.PROJECT.mdwas not staged, committed, or pushed.Verification
PROJECT.mdvalidator passed: 27 pass / 0 warn / 0 fail / 22 skipped.Summary by CodeRabbit