ci: add JDK 21 verification stage workflow

[wisdommen]

Summary

Adds .github/workflows/maven-ci.yml byte-identical to the Phase 13 cohort canonical workflow (sha256 d28259b5d2cc14b8d4fb6d658676716e1f78d52207c5935e49a4af6e9f0d5748). Provides parallel JDK 17 + JDK 21 verification matrix (fail-fast: false) executing mvn -B test and mvn -B package on each axis to validate forward compatibility before any module bytecode floor bump.

This is the first impl gate of the Phase 14 deferred-GO 7-module Option C rollout, following the playbook proven in Phase 13 (UltiCleaner, UltiEssentials, UltiLogin, UltiMail, UltiSideBar).

Context

• Workstream: ultikits-maintainability
• Phase 14 gate: 14-03-ultibot-jdk21-stage-impl
• Design contract: .planning/workstreams/ultikits-maintainability/phases/14-v1-7-follow-up-disposition/14-02-deferred-go-option-c-rollout-design-SUMMARY.md
• Cohort canonical reference: Modules/UltiCleaner/.github/workflows/maven-ci.yml

Change shape

• Add-only (no prior maven-ci.yml existed in this repo).
• Single file: .github/workflows/maven-ci.yml.
• No POM change. No continue-on-error. No module bytecode floor change.

Test plan

• CI matrix executes on JDK 17 and JDK 21
• Both mvn -B test and mvn -B package succeed on each axis
• No regression in existing publish.yml workflow

Summary by CodeRabbit

• Chores
  • Added a streamlined CI workflow that runs on pushes and pull requests and delegates to a reusable build-and-test pipeline.
• Tests
  • Updated unit tests to include new service dependencies while preserving existing command behavior coverage.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a GitHub Actions Maven CI wrapper workflow and updates BotCommandsTest to mock and supply new service dependencies to BotCommands construction.

Changes

Maven CI Workflow

Layer / File(s)	Summary
Maven CI wrapper workflow .github/workflows/maven-ci.yml	Adds a wrapper workflow named "Maven CI" that triggers on push and pull_request, sets repository contents: read permission, and runs a single ci job delegating to UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0 with inputs needs-nms: true, mc-version: '1.21.1', and secrets: inherit.

BotCommands Test Updates

Layer / File(s)	Summary
BotCommandsTest: add mocks and constructor args ultibot-core/src/test/java/com/ultikits/plugins/ultibot/commands/BotCommandsTest.java	Adds imports and @Mock fields for ActionServiceImpl, MacroServiceImpl, and SkinService, and updates setUp() to construct BotCommands with plugin, botManager, actionService, macroService, and skinService.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

In a hop and a twitch I mock and run,
A tiny wrapper sends builds on the sun,
Services lined up, all cozy and neat,
Tests sip the carrots — outcomes are sweet,
I nibble the logs and dance on my feet. 🐇

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims to 'add JDK 21 verification stage workflow', but the actual changes show the workflow now delegates to a reusable workflow from UltiKits/ci-workflows@v1.0.0 rather than defining a JDK matrix inline.	Update the title to reflect the actual change, such as 'ci: delegate Maven CI to shared UltiKits workflow' or 'ci: route CI through UltiKits/ci-workflows reusable workflow'.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/jdk21-verification-stage

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven-ci.yml:
- Line 23: The workflow uses tag-based action references (e.g., the line with
"uses: actions/checkout@v4" and the other "uses:" entry around line 26) which
must be replaced with immutable commit SHAs; update each "uses:" that currently
targets a tag (like actions/checkout@v4 and the action at the other "uses:"
occurrence) to the corresponding action repository commit SHA (find the latest
stable commit in the action's repo and replace the tag with that SHA) so the
workflow is strictly pinned to immutable commits.
- Around line 22-23: The Checkout step using actions/checkout@v4 should disable
credential persistence to reduce token exposure; update the workflow step named
"Checkout" (the actions/checkout@v4 usage) to add the persist-credentials: false
input so credentials are not stored for subsequent steps.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fbff90d6-1df0-45e5-8a1e-cab5fb7455b4

📥 Commits

Reviewing files that changed from the base of the PR and between e38ad7e and 3c3b422.

📒 Files selected for processing (1)

• .github/workflows/maven-ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden checkout by disabling credential persistence.

At Line 22, actions/checkout should set persist-credentials: false to reduce token exposure risk in subsequent steps.

Suggested patch

       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Checkout
	uses: actions/checkout@v4
	- name: Checkout
	uses: actions/checkout@v4
	with:
	persist-credentials: false

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-ci.yml around lines 22 - 23, The Checkout step using
actions/checkout@v4 should disable credential persistence to reduce token
exposure; update the workflow step named "Checkout" (the actions/checkout@v4
usage) to add the persist-credentials: false input so credentials are not stored
for subsequent steps.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/maven-ci.yml (1)

10-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the reusable workflow to an immutable commit SHA.

Line 10 uses a mutable tag (@v1.0.0), which is vulnerable to tag retargeting and violates strict pinning policies.

Suggested patch

-    uses: UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0
+    uses: UltiKits/ci-workflows/.github/workflows/maven-ci.yml@<full_commit_sha>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven-ci.yml at line 10, The reusable workflow reference
currently uses a mutable tag ("uses:
UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0") which should be
pinned to an immutable commit SHA; update the uses value to the repository's
specific commit SHA (replace `@v1.0.0` with @<full-commit-sha>) so the reusable
workflow import is immutable and cannot be retargeted.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/maven-ci.yml:
- Line 10: The reusable workflow reference currently uses a mutable tag ("uses:
UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0") which should be
pinned to an immutable commit SHA; update the uses value to the repository's
specific commit SHA (replace `@v1.0.0` with @<full-commit-sha>) so the reusable
workflow import is immutable and cannot be retargeted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4dc5d7ab-cc3f-40e5-82a3-301e25f4fe6c

📥 Commits

Reviewing files that changed from the base of the PR and between 265f8e8 and 735c709.

📒 Files selected for processing (1)

• .github/workflows/maven-ci.yml