ci: add JDK 21 verification stage workflow#2
Conversation
Adds .github/workflows/maven-ci.yml byte-identical to the Phase 13 cohort canonical workflow (sha256 d28259b5d2cc14b8d4fb6d658676716e1f78 d52207c5935e49a4af6e9f0d5748). Provides parallel JDK 17 + JDK 21 verification matrix (fail-fast: false), executing `mvn -B test` and `mvn -B package` on each axis to validate forward compatibility before any module bytecode floor bump. Workstream: ultikits-maintainability Phase 14 gate: 14-03-ultibot-jdk21-stage-impl
📝 WalkthroughWalkthroughAdds a GitHub Actions Maven CI wrapper workflow and updates BotCommandsTest to mock and supply new service dependencies to BotCommands construction. ChangesMaven CI Workflow
BotCommands Test Updates
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/maven-ci.yml:
- Line 23: The workflow uses tag-based action references (e.g., the line with
"uses: actions/checkout@v4" and the other "uses:" entry around line 26) which
must be replaced with immutable commit SHAs; update each "uses:" that currently
targets a tag (like actions/checkout@v4 and the action at the other "uses:"
occurrence) to the corresponding action repository commit SHA (find the latest
stable commit in the action's repo and replace the tag with that SHA) so the
workflow is strictly pinned to immutable commits.
- Around line 22-23: The Checkout step using actions/checkout@v4 should disable
credential persistence to reduce token exposure; update the workflow step named
"Checkout" (the actions/checkout@v4 usage) to add the persist-credentials: false
input so credentials are not stored for subsequent steps.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: fbff90d6-1df0-45e5-8a1e-cab5fb7455b4
📒 Files selected for processing (1)
.github/workflows/maven-ci.yml
| - name: Checkout | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
Harden checkout by disabling credential persistence.
At Line 22, actions/checkout should set persist-credentials: false to reduce token exposure risk in subsequent steps.
Suggested patch
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/maven-ci.yml around lines 22 - 23, The Checkout step using
actions/checkout@v4 should disable credential persistence to reduce token
exposure; update the workflow step named "Checkout" (the actions/checkout@v4
usage) to add the persist-credentials: false input so credentials are not stored
for subsequent steps.
BotCommands ctor was widened 2->5 params (ActionServiceImpl, MacroServiceImpl, SkinService) in d4f961d; this updates the lagging test to mock all five deps and pass them. Unblocks UltiBot CI. Workstream: ultikits-maintainability Gate: 14-04A-ultibot-test-remediation Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.github/workflows/maven-ci.yml (1)
10-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winPin the reusable workflow to an immutable commit SHA.
Line 10 uses a mutable tag (
@v1.0.0), which is vulnerable to tag retargeting and violates strict pinning policies.Suggested patch
- uses: UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0 + uses: UltiKits/ci-workflows/.github/workflows/maven-ci.yml@<full_commit_sha>🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/maven-ci.yml at line 10, The reusable workflow reference currently uses a mutable tag ("uses: UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0") which should be pinned to an immutable commit SHA; update the uses value to the repository's specific commit SHA (replace `@v1.0.0` with @<full-commit-sha>) so the reusable workflow import is immutable and cannot be retargeted.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/maven-ci.yml:
- Line 10: The reusable workflow reference currently uses a mutable tag ("uses:
UltiKits/ci-workflows/.github/workflows/maven-ci.yml@v1.0.0") which should be
pinned to an immutable commit SHA; update the uses value to the repository's
specific commit SHA (replace `@v1.0.0` with @<full-commit-sha>) so the reusable
workflow import is immutable and cannot be retargeted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4dc5d7ab-cc3f-40e5-82a3-301e25f4fe6c
📒 Files selected for processing (1)
.github/workflows/maven-ci.yml
1 participant
Summary
Adds
.github/workflows/maven-ci.ymlbyte-identical to the Phase 13 cohort canonical workflow (sha256d28259b5d2cc14b8d4fb6d658676716e1f78d52207c5935e49a4af6e9f0d5748). Provides parallel JDK 17 + JDK 21 verification matrix (fail-fast: false) executingmvn -B testandmvn -B packageon each axis to validate forward compatibility before any module bytecode floor bump.This is the first impl gate of the Phase 14 deferred-GO 7-module Option C rollout, following the playbook proven in Phase 13 (UltiCleaner, UltiEssentials, UltiLogin, UltiMail, UltiSideBar).
Context
ultikits-maintainability14-03-ultibot-jdk21-stage-impl.planning/workstreams/ultikits-maintainability/phases/14-v1-7-follow-up-disposition/14-02-deferred-go-option-c-rollout-design-SUMMARY.mdModules/UltiCleaner/.github/workflows/maven-ci.ymlChange shape
maven-ci.ymlexisted in this repo)..github/workflows/maven-ci.yml.continue-on-error. No module bytecode floor change.Test plan
mvn -B testandmvn -B packagesucceed on each axispublish.ymlworkflowSummary by CodeRabbit