PR for v1.5.9

[ThomasJejkal]

Summary by CodeRabbit

• Chores

  • Upgraded build tooling and many dependencies; enabled Java 17 compatibility; bumped Gradle version and adjusted wrapper invocation; updated CI/CD and Docker workflow actions; minor tooling/version tweaks.

• Tests

  • Added an integration test to verify Prometheus actuator metrics and endpoint exposure.

• Documentation

  • Fixed container URL formatting in the README.

[coderabbitai]

Walkthrough

Upgrades Gradle, plugins, and many dependencies; sets Java source/target to 17; updates Gradle wrapper to 9.1.0 and changes wrapper scripts to use java -jar; refreshes GitHub Action pins; adds an integration test for the Prometheus actuator; minor README link fix.

Changes

Cohort / File(s)	Change Summary
Build configuration build.gradle	Upgraded core plugins (Spring Boot → 3.5.6; io.freefair.lombok/io.freefair.maven-publish-java → 9.0.0; org.owasp.dependencycheck → 12.1.8; org.asciidoctor.jvm.convert → 4.0.5; com.gorylenko.gradle-git-properties → 2.5.3); added java { sourceCompatibility = 17; targetCompatibility = 17 }; bumped ext props javersVersion 7.7.0 → 7.9.0 and springDocVersion 2.8.4 → 2.8.13; updated multiple dependency versions (spring-data-elasticsearch, spring-messaging, Spring Cloud modules, spring-boot-admin-client, repo-core/service-base, nimbus-jose-jwt, postgresql, h2, spring-restdocs); Jacoco toolVersion 0.8.12 → 0.8.14.
Gradle wrapper distribution gradle/wrapper/gradle-wrapper.properties	Updated distributionUrl from Gradle 8.12.1 → Gradle 9.1.0.
Wrapper scripts gradlew, gradlew.bat	Changed invocation to java -jar $APP_HOME/gradle/wrapper/gradle-wrapper.jar; cleared previous CLASSPATH assignment referencing the wrapper JAR; adjusted JVM options comment.
CI — Docker publish workflow .github/workflows/docker-publish.yml	Updated action pins: actions/checkout@v4 → @v5; bumped docker/login-action, docker/metadata-action, and docker/build-push-action commit hashes. No step logic changes.
CI — CodeQL & Gradle workflows .github/workflows/codeql-analysis.yml, .github/workflows/gradle.yml	Updated GitHub Action versions: actions/checkout@v4 → @v5; CodeQL actions init/autobuild/analyze v3 → v4; actions/setup-java@v4 → @v5 in gradle.yml. No control-flow changes.
Tests src/test/java/.../ActuatorPrometheusTest.java	Added integration test ActuatorPrometheusTest with: testForNotExposedActuators() asserting many actuator endpoints return 404, and testActuator() asserting /actuator/prometheus returns 200 and contains specific repository metrics.
Test config src/test/resources/test-config/application-test.properties	Added management properties to expose endpoints and show health details (management.endpoints.web.exposure.include=*, management.endpoint.health.show-details=always).
Docs README.md	Minor link fix: removed URL-encoded %2F in Docker container link path.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer / CI
    participant Wrapper as gradlew / gradlew.bat
    participant Java as java
    participant GradleJar as gradle/wrapper/gradle-wrapper.jar
    participant GradleDist as Gradle distribution

    Dev->>Wrapper: ./gradlew <task>
    Wrapper->>Java: exec "java -jar $APP_HOME/gradle/wrapper/gradle-wrapper.jar" <args>
    Java->>GradleJar: run wrapper JAR (wrapper main)
    GradleJar->>GradleDist: download/bootstrap Gradle distribution if needed
    GradleDist->>Dev: execute requested build task / return status

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add a test for monitoring supported by new repo-core library. #468 — Adds the same ActuatorPrometheusTest integration test and related test properties; likely a duplicate or upstream companion change.

Poem

🐰
I nibbled at plugins, hopped into jars,
Switched wrapper steps and tuned some stars,
Actions refreshed, the tests take a peek,
Prometheus metrics hum mild and meek,
A tiny rabbit cheer for every green mark.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The pull request title "PR for v1.5.9" is generic and lacks meaningful description of the changeset. While it references a version number suggesting a release/version bump context, it fails to communicate what actually changed. The changes encompass extensive updates across multiple areas: dependency upgrades (Spring Boot, Spring Cloud, database drivers, etc.), Gradle version upgrade (8.12.1 to 9.1.0), GitHub Actions updates, Java compatibility configurations, and a new integration test. A developer scanning the commit history would only see the version reference without understanding whether this PR adds features, updates dependencies, fixes bugs, adds tests, or performs other maintenance—all of which are present here. The phrasing "PR for" adds no informational value and obscures the actual purpose of the changes.	Consider revising the title to be more descriptive of the primary changes. Examples might include "Upgrade dependencies and build tools for v1.5.9 release" or "Update Spring Boot, Gradle, and GitHub Actions for v1.5.9" to clearly communicate the scope of this version bump PR. The title should help reviewers understand at a glance that this PR involves systematic upgrades rather than a simple version reference.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch development

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e6475bf and f933fb2.

📒 Files selected for processing (3)

• .github/workflows/codeql-analysis.yml (3 hunks)
• .github/workflows/docker-publish.yml (2 hunks)
• build.gradle (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/docker-publish.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: build (macOS-latest, 17)
• GitHub Check: build (ubuntu-latest, 17)
• GitHub Check: Analyze (java)
• GitHub Check: build (macOS-latest, 17)
• GitHub Check: build (ubuntu-latest, 17)
• GitHub Check: GitGuardian Security Checks

🔇 Additional comments (4)

build.gradle (3)

2-2: Plugin version upgrades align with broader tooling modernization.

The updates to Spring Boot 3.5.6 and supporting plugins (Lombok, Maven Publish, Dependency Check, Asciidoctor, Git Properties) are consistent with the Gradle 9.1.0 and Java 17 upgrades described in the PR objectives.

Also applies to: 4-9

---

25-28: Java 17 compatibility settings are properly configured.

The explicit Java 17 source and target compatibility block correctly implements the stated PR objective. This is appropriate and aligns with the Gradle 9.1.0 upgrade.

---

64-64: Dependency updates are well-aligned and appropriately versioned.

The updates across Spring Data, Spring Cloud, Spring Boot Admin, and infrastructure dependencies (PostgreSQL, H2, Jacoco) are consistent semantic version bumps. These align with the Java 17 and Spring Boot 3.5.6 modernization and include appropriate security updates (e.g., nimbus-jose-jwt 10.5, PostgreSQL 42.7.8).

Also applies to: 66-66, 69-72, 79-80, 86-86, 101-101, 103-103, 105-105, 153-153

.github/workflows/codeql-analysis.yml (1)

41-41: All GitHub Actions versions are current and stable — no issues found.

actions/checkout@v5 and github/codeql-action@v4 (v4.30.7, released Oct 6, 2025) are the latest stable versions. The workflow correctly pins all three CodeQL steps to v4, and these routine updates are widely adopted with no breaking changes affecting the Java/CodeQL analysis workflow.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (7)

.github/workflows/docker-publish.yml (2)

16-22: Add top‑level concurrency to avoid overlapping image publishes on rapid pushes

Prevents racing pushes for the same ref.

 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+concurrency:
+  group: docker-publish-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 # Only one job for creating and pushing Docker image
 jobs:

---

59-65: Enable Buildx remote cache to speed up subsequent builds

Uses the GitHub Actions cache backend; safe and commonly used with build-push-action.

       - name: Build and push Docker image
         uses: docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

src/test/java/edu/kit/datamanager/repo/test/integration/ActuatorPrometheusTest.java (5)

78-80: Remove unused JUnitRestDocumentation Rule

The Rule is declared but not used; drop it to reduce noise.

-  @Rule
-  public JUnitRestDocumentation restDocumentation = new JUnitRestDocumentation();

---

68-74: Consolidate repeated @TestPropertySource annotations

Combine into a single annotation for readability and easier maintenance.

-@TestPropertySource(properties = {"spring.datasource.url=jdbc:h2:mem:db_prometheus;DB_CLOSE_DELAY=-1;MODE=LEGACY;NON_KEYWORDS=VALUE"})
-@TestPropertySource(properties = {"spring.jpa.database-platform=org.hibernate.dialect.H2Dialect"})
-@TestPropertySource(properties = {"spring.jpa.defer-datasource-initialization=true"})
-@TestPropertySource(properties = {"repo.monitoring.enabled=true"})
-@TestPropertySource(properties = {"repo.monitoring.serviceName=base_repo_test"})
-@TestPropertySource(properties = {"management.endpoints.web.exposure.include=prometheus"})
+@TestPropertySource(properties = {
+        "spring.datasource.url=jdbc:h2:mem:db_prometheus;DB_CLOSE_DELAY=-1;MODE=LEGACY;NON_KEYWORDS=VALUE",
+        "spring.jpa.database-platform=org.hibernate.dialect.H2Dialect",
+        "spring.jpa.defer-datasource-initialization=true",
+        "repo.monitoring.enabled=true",
+        "repo.monitoring.serviceName=base_repo_test",
+        "management.endpoints.web.exposure.include=prometheus"
+})

---

96-107: Trim .andDo(print()) to keep CI logs clean

Printing every request clutters logs and slows builds. Keep prints only when debugging failures.

-    this.mockMvc.perform(get("/actuator/beans")).andDo(print()).andExpect(status().isNotFound());
+    this.mockMvc.perform(get("/actuator/beans")).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/caches")).andDo(print()).andExpect(status().isNotFound());
+    this.mockMvc.perform(get("/actuator/caches")).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/conditions")).andDo(print()).andExpect(status().isNotFound());
+    this.mockMvc.perform(get("/actuator/conditions")).andExpect(status().isNotFound());
...apply similarly to the remaining endpoints...

---

110-116: Also assert Prometheus content type; drop print

Prometheus should respond with text/plain (OpenMetrics v0.0.4 exposition). Check compatibility to avoid parameter/charset brittleness.

+import org.springframework.http.MediaType;
@@
-    this.mockMvc.perform(get("/actuator/prometheus")).andDo(print()).andExpect(status().isOk())
+    this.mockMvc.perform(get("/actuator/prometheus")).andExpect(status().isOk())
+            .andExpect(content().contentTypeCompatibleWith(MediaType.TEXT_PLAIN))
             .andExpect(content().string(Matchers.containsString("# TYPE base_repo_test_requests_served_total")))
             .andExpect(content().string(Matchers.containsString("# TYPE base_repo_test_unique_users")))
             .andExpect(content().string(Matchers.containsString("# TYPE base_repo_test_registered_users")))
             .andReturn();

---

93-107: Reduce duplication by looping over non‑exposed endpoints

Keeps the test short and easier to extend.

-    // Check that all other endpoints are not exposed
-    this.mockMvc.perform(get("/actuator/beans")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/caches")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/conditions")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/configprops")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/env")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/loggers")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/heapdump")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/threaddump")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/metrics")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/scheduledtasks")).andDo(print()).andExpect(status().isNotFound());
-    this.mockMvc.perform(get("/actuator/mappings")).andDo(print()).andExpect(status().isNotFound());
+    for (String ep : new String[]{
+            "/actuator/beans", "/actuator/caches", "/actuator/conditions", "/actuator/configprops",
+            "/actuator/env", "/actuator/loggers", "/actuator/heapdump", "/actuator/threaddump",
+            "/actuator/metrics", "/actuator/scheduledtasks", "/actuator/mappings"}) {
+        this.mockMvc.perform(get(ep)).andExpect(status().isNotFound());
+    }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7be3c84 and 65f039c.

📒 Files selected for processing (3)

• .github/workflows/docker-publish.yml (2 hunks)
• build.gradle (5 hunks)
• src/test/java/edu/kit/datamanager/repo/test/integration/ActuatorPrometheusTest.java (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• build.gradle

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build (ubuntu-latest, 17)
• GitHub Check: Analyze (java)
• GitHub Check: build (ubuntu-latest, 17)

🔇 Additional comments (1)

.github/workflows/docker-publish.yml (1)

35-35: Pin checkout action to a specific SHA and enable full fetch-depth

• Replace actions/checkout@v5 with actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 to avoid supply-chain risks.
• Add fetch-depth: 0 so docker/metadata-action can access full tag history.

Apply:

       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          fetch-depth: 0

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

JUnit 4 runner in a Spring Boot 3.x stack — confirm Vintage engine presence or plan Jupiter migration

You’re using JUnit 4 (SpringRunner, @before, @rule). Ensure the build includes junit-vintage-engine, or migrate tests to JUnit Jupiter to align with modern Spring Test support. Based on learnings.

Run to confirm dependencies and usage:

---

🏁 Script executed:

#!/bin/bash
# Find explicit JUnit dependencies and engines
rg -nP -C2 '(junit-?vintage|junit-?jupiter|org\.junit\.jupiter|org\.junit\.vintage|junit[:"]\s*4\.)' \
  -g '!**/build/**' -g '!**/out/**'

# Spot JUnit4 annotations in tests
rg -nP -C2 'org\.junit\.(Test|Before|Rule)|@RunWith\(SpringRunner\.class\)' src/test

Length of output: 10993

---

🏁 Script executed:

#!/bin/bash
# Search for JUnit dependencies in Maven pom.xml
rg -nP '<artifactId>junit' -C1 -g 'pom.xml'
rg -nP 'org\.junit\.vintage|org\.junit\.jupiter' -g 'pom.xml'

# If Gradle build script present, search for junit dependencies
rg -nP 'junit' -g 'build.gradle' -g 'build.gradle.kts'

Length of output: 358

---

Add JUnit Vintage engine or migrate tests to JUnit Jupiter
Your integration tests (e.g. using SpringRunner, @rule, @before) rely on JUnit 4, but build.gradle only declares testImplementation "junit:junit:4.13.2" (no vintage engine). Spring Boot 3.x uses JUnit Platform, so either add the Vintage engine:

testRuntimeOnly "org.junit.vintage:junit-vintage-engine"

or migrate your tests to JUnit Jupiter.

🤖 Prompt for AI Agents

In
src/test/java/edu/kit/datamanager/repo/test/integration/ActuatorPrometheusTest.java
around lines 56 to 61, the test class uses JUnit 4 constructs (SpringRunner,
@RunWith) but the build lacks the JUnit Vintage engine so tests will not run
under JUnit Platform; either add the Vintage engine to build.gradle as a test
runtime dependency (org.junit.vintage:junit-vintage-engine) so JUnit4 tests run
on the JUnit Platform, or migrate the test to JUnit Jupiter by replacing
@RunWith(SpringRunner.class) with @ExtendWith(SpringExtension.class) and
updating any @Before/@After/@Rule usages to their JUnit 5 equivalents.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/test/resources/test-config/application-test.properties (1)

38-39: Remove duplicate management property entries.

These two keys are already defined later in this file (Lines 57 and 59), so the later values override these additions. Please drop one set to avoid confusion.

- management.endpoints.web.exposure.include=*
- management.endpoint.health.show-details=always

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ab79696 and e6475bf.

📒 Files selected for processing (2)

• build.gradle (5 hunks)
• src/test/resources/test-config/application-test.properties (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Analyze (java)
• GitHub Check: build (macOS-latest, 17)
• GitHub Check: build (ubuntu-latest, 17)
• GitHub Check: build (macOS-latest, 17)
• GitHub Check: build (ubuntu-latest, 17)
• GitHub Check: GitGuardian Security Checks

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Update springBootVersion property to match the plugin

The build now applies org.springframework.boot 3.5.6, but the springBootVersion property still advertises 3.2.1. Downstream modules or dependency management imports that consume this property will continue pulling the 3.2.x BOM, creating a version split from the Gradle plugin and the managed dependencies you just upgraded. Please bump the property to 3.5.6 (or remove it if truly unused) so all consumers stay aligned.

-    set('springBootVersion', "3.2.1")
+    set('springBootVersion', "3.5.6")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	set('javersVersion', "7.9.0")
	set('springBootVersion', "3.2.1")
	set('springDocVersion', "2.8.4")
	set('springDocVersion', "2.8.13")
	set('javersVersion', "7.9.0")
	set('springBootVersion', "3.5.6")
	set('springDocVersion', "2.8.13")

🤖 Prompt for AI Agents

In build.gradle around lines 35 to 37, the springBootVersion property is set to
3.2.1 while the project applies org.springframework.boot plugin version 3.5.6,
causing a mismatch between the plugin and any consumers of the property; update
the property value to "3.5.6" (or remove the property if it is unused) so
dependency management and downstream modules use the same Spring Boot BOM as the
applied plugin.