
Create maven.yml #58

Open
slkgu957-ai wants to merge 1 commit into bernaferrari:master from slkgu957-ai:master

Conversation

@slkgu957-ai slkgu957-ai commented Apr 22, 2026

Summary by CodeRabbit

  • Chores
    • Continuous integration pipeline now automatically builds and validates the project on every code commit and pull request, using the Java 17 runtime with the Maven build tool and dependency caching.
    • Added automated dependency security monitoring to continuously detect and track potential security vulnerabilities in the project's external dependencies through GitHub's advanced security integration.

coderabbitai Bot commented Apr 22, 2026

📝 Walkthrough

A new GitHub Actions CI workflow is added to .github/workflows/maven.yml. The workflow executes on pushes to master and pull requests, installing JDK 17 with Maven, building the project, and uploading the Maven dependency graph to GitHub for Dependabot integration.

Changes

Cohort / File(s): CI Workflow Setup (.github/workflows/maven.yml)
Summary: New workflow file configured to build the Maven project on master push and PR events. Includes JDK 17 provisioning, Maven caching, project build via the package goal, and Maven dependency graph upload to GitHub Advanced Security.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow is born, swift and true,
Maven builds dance through and through,
Dependencies mapped with care,
GitHub's defenses now aware,
Automation hops—CI dreams come due! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Create maven.yml' is specific and directly describes the main change—adding a new GitHub Actions CI workflow file.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/maven.yml:
- Around line 14-15: The PR workflow currently runs the
maven-dependency-submission-action under pull_request which exposes a
write-capable GITHUB_TOKEN; split that step into a new job triggered only on
push (add a push: trigger) and give that new job job-level permissions:
contents: write, while keeping the existing pull_request build job’s
permissions: contents: read; specifically move the
maven-dependency-submission-action invocation out of the pull_request job into
the new push-only job, add permissions: { contents: write } to the new job and
ensure the original build job (the pull_request job) has permissions: {
contents: read } or no write permission.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b6c4c2d-6144-4a2d-b4b7-92e52f6696a5

📥 Commits

Reviewing files that changed from the base of the PR and between 4cb31aa and 863c021.

📒 Files selected for processing (1)
  • .github/workflows/maven.yml

Comment on lines +14 to +15
pull_request:
branches: [ "master" ]

⚠️ Potential issue | 🟠 Major

Scope dependency submission to a push-only job with explicit write permission.

maven-dependency-submission-action needs contents: write, but this job currently has no explicit permissions. Adding write permission to the existing PR build job would expose a write-capable token while Maven executes PR-controlled code. Split dependency submission into a push-only job and keep the build job read-only.

Reference: the action README documents that the default token needs contents: write to update the dependency graph: https://github.com/advanced-security/maven-dependency-submission-action

🔒 Proposed workflow split
 name: Java CI with Maven
 
 on:
   push:
     branches: [ "master" ]
   pull_request:
     branches: [ "master" ]
 
 jobs:
   build:
+    permissions:
+      contents: read
 
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
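Review bot: `actions/checkout@v4` on the last line of this hunk (and `actions/setup-java@v4` in the same job) is pinned to a mutable major tag, while the dependency-submission action later in the file is pinned to a full commit SHA. Since the point of adding `permissions: contents: read` here is to bound what a PR-controlled build can do, pin the build job's actions the same way (`actions/checkout@<commit-sha>` with a trailing comment naming the tag it corresponds to); otherwise the read-only job still executes whatever the tag resolves to on the day it runs.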
@@
     - name: Build with Maven
       run: mvn -B package --file pom.xml
 
-    # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
+  dependency-graph:
+    if: github.event_name == 'push'
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+        cache: maven
+
+    # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
     - name: Update dependency graph
       uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
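Review bot: the gate `if: github.event_name == 'push'` on the `dependency-graph` job relies on `on.push.branches` staying limited to `master`; if a branch is later added to that list, its builds silently inherit `contents: write`. Tightening to `if: github.event_name == 'push' && github.ref == 'refs/heads/master'` makes the write-capable job's scope explicit in the job itself. The SHA pin on the final `uses:` line also carries no comment stating which release it corresponds to, so future bumps cannot be reviewed against a tag; add one.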

Run this read-only check after updating the workflow. Expected result: the build job has only contents: read, and the dependency submission action appears only in a push-gated job with contents: write.

#!/bin/bash
# Requires ripgrep (rg); prints the permissions, trigger, gate and action lines with three lines of context each
set -euo pipefail

workflow=".github/workflows/maven.yml"

echo "Relevant workflow lines:"
rg -n -C3 'permissions:|contents:|pull_request:|push:|if:|maven-dependency-submission-action' "$workflow"

Also applies to: 33-35

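The split the review asks for can be checked mechanically rather than by eye. The following Python is an added example, not code from this PR, from CodeRabbit or from the repository: it takes a workflow as the dict PyYAML's `safe_load` would produce (two constructed workflows are embedded, matching the before and after of the proposed diff) and reports any job reachable from `pull_request` whose token is write-capable, plus any job that runs the submission action without `contents: write`. Its rules are assumptions stated in the comments: a missing `permissions:` block is treated as write-capable (the permissive repository default), and only `if:` conditions on `github.event_name` are understood.

```python
import copy
import re

SUBMISSION_ACTION = "advanced-security/maven-dependency-submission-action"
EVENT_NAME_RE = re.compile(r"github\.event_name\s*(==|!=)\s*'([a-z_]+)'")


def workflow_events(workflow):
    """Event names that trigger the workflow. PyYAML loads a bare `on:` key as
    the boolean True (YAML 1.1 rules), so both spellings are accepted."""
    trig = workflow.get("on", workflow.get(True))
    if isinstance(trig, str):
        return {trig}
    if isinstance(trig, (list, dict)):
        return set(trig)
    return set()


def job_events(job, events):
    """Narrow the workflow events by a job-level `if:`. Expressions the auditor
    does not understand (including any `||`) are treated as not restricting the
    job, so unknown conditions err on the side of reporting."""
    cond = job.get("if")
    if not isinstance(cond, str) or "||" in cond:
        return set(events)
    match = EVENT_NAME_RE.search(cond)
    if match is None:
        return set(events)
    op, name = match.groups()
    return {name} & events if op == "==" else events - {name}


def effective_permissions(workflow, job):
    """Job-level `permissions:` replaces the workflow-level block entirely.
    None means neither is set, i.e. the token gets the repository default."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return None
    if perms == "read-all":
        return {}
    if perms == "write-all":
        return {"*": "write"}
    return {str(k): str(v) for k, v in perms.items()}


def is_write_capable(perms):
    # Assumption: the repository default is the permissive one, so None is write-capable.
    return perms is None or "write" in perms.values()


def grants_write(perms, scope):
    return perms is not None and perms.get(scope, perms.get("*")) == "write"


def uses_action(job, action):
    return any(isinstance(step, dict) and str(step.get("uses", "")).startswith(action)
               for step in job.get("steps") or [])


def audit(workflow):
    """Return a list of findings; empty when the workflow follows the split."""
    findings = []
    events = workflow_events(workflow)
    for name, job in (workflow.get("jobs") or {}).items():
        perms = effective_permissions(workflow, job)
        if "pull_request" in job_events(job, events) and is_write_capable(perms):
            why = "no explicit permissions (repository default)" if perms is None else "a write scope"
            findings.append(f"{name}: runs on pull_request with {why}")
        if uses_action(job, SUBMISSION_ACTION) and not grants_write(perms, "contents"):
            findings.append(f"{name}: uses {SUBMISSION_ACTION} without contents: write")
    return findings


# Constructed inputs mirroring the diff above (step details shortened).
CHECKOUT = {"uses": "actions/checkout@v4"}
JDK = {"name": "Set up JDK 17", "uses": "actions/setup-java@v4",
       "with": {"java-version": "17", "distribution": "temurin", "cache": "maven"}}
BUILD = {"name": "Build with Maven", "run": "mvn -B package --file pom.xml"}
SUBMIT = {"name": "Update dependency graph",
          "uses": SUBMISSION_ACTION + "@571e99aab1055c2e71a1e2309b9691de18d6b7d6"}
TRIGGERS = {"push": {"branches": ["master"]}, "pull_request": {"branches": ["master"]}}

# As submitted: one job, no permissions block; `on` spelled the way PyYAML loads it.
BEFORE = {"name": "Java CI with Maven", True: TRIGGERS, "jobs": {
    "build": {"runs-on": "ubuntu-latest", "steps": [CHECKOUT, JDK, BUILD, SUBMIT]}}}

# As proposed: read-only build job, push-gated submission job with contents: write.
AFTER = {"name": "Java CI with Maven", "on": TRIGGERS, "jobs": {
    "build": {"permissions": {"contents": "read"}, "runs-on": "ubuntu-latest",
              "steps": [CHECKOUT, JDK, BUILD]},
    "dependency-graph": {"if": "github.event_name == 'push'", "needs": "build",
                         "runs-on": "ubuntu-latest", "permissions": {"contents": "write"},
                         "steps": [CHECKOUT, JDK, SUBMIT]}}}


def ungated_variant():
    """AFTER with the push-only gate dropped: the write-capable job is reachable
    from pull_request again, which the audit must report."""
    wf = copy.deepcopy(AFTER)
    del wf["jobs"]["dependency-graph"]["if"]
    return wf


if __name__ == "__main__":
    import sys
    for label, wf in (("before", BEFORE), ("after", AFTER), ("ungated", ungated_variant())):
        print(label, audit(wf) or ["ok"])
    if len(sys.argv) > 1:  # audit a real file; assumes PyYAML is installed
        import yaml
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], audit(yaml.safe_load(fh)) or ["ok"])
```

Run without arguments to see the three embedded cases; pass a path such as `.github/workflows/maven.yml` to audit a real file (that path needs PyYAML). The auditor is deliberately conservative: anything it cannot interpret widens the job's reachable events rather than narrowing them, so a false positive costs a glance at the YAML while a false negative would hide exactly the exposure the review is about.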
