refactor: split into core library and per-version test modules

[javier-godoy]

Compile the library once against Vaadin 14 in a self-contained core module, and run a single shared test suite against Vaadin 14/23/24/25 via dedicated test-v* modules. Each test module adds the shared sources from tests-shared via build-helper and pins its own Vaadin runtime; surefire selection runs the legacy (*Test24) suites on 14/23/24 and the Jackson (*Test25) suites on 25.

Close #34

Summary by CodeRabbit

• Chores
  • Centralized dependency/version management and restructured build for clearer module ownership.
  • Bumped package version to 0.9.4-SNAPSHOT.
• Tests
  • Added shared test infrastructure and modules to run the test suite against Vaadin 14, 23, 24, and 25.
  • CI updated to a matrix job that builds/tests per Vaadin version.

[coderabbitai]

Walkthrough

Maven build restructured from a single-module library into an aggregator with a shared core library and four version-specific test modules, each pinning a distinct Vaadin runtime (14, 23, 24, 25). Shared test configuration centralizes dependencies and test selection; version modules inherit it and pin their own Vaadin versions. A test is updated for cross-version compatibility.

Changes

Multi-version test matrix

Layer / File(s)	Summary
Root POM aggregator structure pom.xml	Root pom.xml converted to aggregator parent; declares modules (core, tests-shared, tests-v14/23/24/25) and centralizes shared version properties and dependencyManagement entries.
Core library module with build configuration core/pom.xml	Standalone core module producing json-migration-helper with dependencies (vaadin-core, ASM, Jackson optional; Lombok provided; gwt-elemental compile), ASM post-processor execution during process-classes, JAR manifest customization, license enforcement, and profiles for directory packaging, GPG signing, and central publishing.
Shared test foundation and configuration tests-shared/pom.xml	Shared test aggregator POM declaring common test dependencies, injecting shared test source root via build-helper-maven-plugin, and configuring maven-surefire-plugin with default test includes inherited by version modules.
Vaadin version-specific test modules tests-v14/pom.xml, tests-v23/pom.xml, tests-v24/pom.xml, tests-v25/pom.xml	Four thin test modules, each pinning a Vaadin version (14.11.13, 23.3.35, 24.10.6, 25.1.5) and inheriting from tests-shared; tests-v14 excludes LitRenderer test, tests-v23 adds servlet API dependency, tests-v25 overrides Surefire to run *Test25 and Vaadin-25-specific tests.
Test compatibility for multi-version execution tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LitRendererMigrationExtensionTest.java	LitRendererMigrationExtensionTest refactored to remove reflection-based LitRenderer construction and version assumptions; replaces reflective calls with direct typed invocations and adds conditional UI setup for Vaadin < 24.
CI matrix .github/workflows/maven.yml	Replaces single Vaadin 24 job with a matrix job that builds/tests tests-v${{ matrix.vaadin }} for Vaadin versions 14/23/24/25 and pins matching JDKs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• mlopezFC
• paodb

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main refactoring effort—splitting the monolithic build into a core library module and per-version test modules, matching the PR's primary objective.
Linked Issues check	✅ Passed	All code-level requirements from issue #34 are met: core module compiles independently, tests-shared centralizes shared test sources, four version-specific test modules (tests-v14/23/24/25) are created with pinned Vaadin runtimes, root pom.xml aggregates the build, and GitHub Actions matrix tests all versions.
Out of Scope Changes check	✅ Passed	All changes directly support the restructuring objective; no unrelated modifications detected. Maven build files, test files, and CI workflow changes align with splitting the project into core and per-version test modules.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch split-tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[javier-godoy]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core/pom.xml`:
- Around line 87-92: The POM declares jackson-databind:3.0.0 which requires Java
17 while the project compiles to Java 8 and also has compile-time imports of
tools.jackson.databind.* and tools.jackson.databind.node.* (causing hard
linkage); fix by either (A) downgrading the jackson-databind dependency to a
Java‑8 compatible 2.x release (e.g., replace version 3.0.0 with a 2.x line such
as 2.14.x and correct groupId to com.fasterxml.jackson.core if needed) or (B)
bump the project compilation target
(maven.compiler.target/maven.compiler.release) to Java 17 so Jackson 3 is
supported — update the dependency element for jackson-databind and/or the
maven.compiler.* properties accordingly and ensure code imports
(tools.jackson.databind.* / tools.jackson.databind.node.*) remain compatible
with the chosen Jackson version.

In `@pom.xml`:
- Around line 28-47: The pom currently only sets
maven.compiler.source/target=1.8 in the root properties, but runtime for tests
must match Vaadin/Jackson baselines; update the build to select JVMs per module
(tests-v24 → Java 17, tests-v25 → Java 21) by configuring Maven Toolchains or CI
per-module JVMs and ensure surefire/failsafe forks into those JDKs (adjust
maven-surefire-plugin configuration to fork using the toolchain/JVM), and remove
any assumption that changing maven.compiler.source/target alone fixes runtime
JDK; locate the root properties (maven.compiler.source/target), modules
tests-v24 and tests-v25, and the maven-surefire-plugin configuration to
implement the toolchains/CI JVM matrix so tests run on the required JDKs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ea47fc9e-336d-470a-bf99-90a53934b56d

📥 Commits

Reviewing files that changed from the base of the PR and between a48a586 and 0c7f7d4.

📒 Files selected for processing (118)

• core/pom.xml
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ClassInstrumentationJacksonHelper.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ClassInstrumentationUtil.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalArrayNode.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalBooleanNode.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalNodeAsmPostProcessor.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalNullNode.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalNumberNode.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalObjectNode.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalPendingJavaScriptResult.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/ElementalStringNode.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/InstrumentationViewInitializer.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/InstrumentedRoute.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/JsonCodec.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/JsonMigration.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/JsonMigrationHelper.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/JsonMigrationHelper25.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/JsonSerializer.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/LegacyJsonMigrationHelper.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/LitRendererAsmPostProcessor.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/LitRendererMigrationExtension.java
• core/src/main/java/com/flowingcode/vaadin/jsonmigration/UnsupportedJsonValueImpl.java
• pom.xml
• tests-shared/pom.xml
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/BaseClientCallable.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_ArrayOfJsonObject__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_D__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_I__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonArray__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonBoolean__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonNull__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonNumber__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonObjectVarargs__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonObject__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonString__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_JsonValue__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_String__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable_Z__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__D.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__I.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__Integer.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonArray.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonBoolean.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonNull.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonNumber.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonObject.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonString.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__JsonValue.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallable__Z.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallablesTest.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallablesTest24.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ClientCallablesTest25.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/ExtendsLegacyClientCallablePrivate__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/JsonMigrationHelper25Test.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_D__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_I__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonArray__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonBoolean__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonNull__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonNumber__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonObject__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonString__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_JsonValue__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_String__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate_Z__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__D.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__I.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__Integer.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonArray.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonBoolean.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonNull.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonNumber.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonObject.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonString.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__JsonValue.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablePrivate__Z.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_AllowInert__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_ArrayOfJsonObject__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_ArrayOfJsonString__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_D__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_I__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonArray__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonBoolean__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonNull__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonNumber__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonObjectVarargs__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonObject__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonString__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_JsonValue__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_String__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable_Z__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__D.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__I.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__Integer.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonArray.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonBoolean.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonNull.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonNumber.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonObject.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonString.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__JsonValue.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__V.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallable__Z.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablesPrivateTest.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablesPrivateTest24.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablesPrivateTest25.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablesTest.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablesTest24.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LegacyClientCallablesTest25.java
• tests-shared/src/test/java/com/flowingcode/vaadin/jsonmigration/LitRendererMigrationExtensionTest.java
• tests-shared/src/test/java/com/vaadin/flow/component/internal/AllowInert.java
• tests-v14/pom.xml
• tests-v23/pom.xml
• tests-v24/pom.xml
• tests-v25/pom.xml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven.yml:
- Around line 17-49: The job currently inherits default GITHUB_TOKEN scopes; add
a least-privilege permissions block to the build job to restrict token access
(e.g. add a permissions mapping under the "build" job such as permissions:
contents: read and any other required read-only scopes like packages: read) so
the workflow uses a read-only token instead of the default full-scoped token.
- Around line 39-45: Update the GitHub Actions workflow to harden third-party
action usage: replace the mutable actions/checkout@v3 and actions/setup-java@v3
references with their pinned commit SHAs (use the specific commit SHA for each
action), set actions/checkout to include persist-credentials: false, and add an
explicit least-privilege permissions block (e.g., permissions: contents: read)
at the workflow level to avoid relying on defaults; locate these changes around
the uses of actions/checkout and actions/setup-java in the maven.yml workflow
and apply them together.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1e9024fe-950b-43f1-851f-4d31e601fb4c

📥 Commits

Reviewing files that changed from the base of the PR and between 0c7f7d4 and 1b5f1b7.

📒 Files selected for processing (1)

• .github/workflows/maven.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add least-privilege permissions for GITHUB_TOKEN.

This job currently inherits default token scopes. Add explicit read-only permissions to reduce blast radius if any action/step is compromised.

Suggested patch

 name: Java CI with Maven

 on:
   push:
     branches: [ "master" ]
   pull_request:
     branches: [ "master" ]

+permissions:
+  contents: read
+
 jobs:

🧰 Tools

🪛 actionlint (1.7.12)

[error] 39-39: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

[error] 41-41: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.25.2)

[warning] 39-39: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[warning] 19-49: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

---

[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven.yml around lines 17 - 49, The job currently inherits
default GITHUB_TOKEN scopes; add a least-privilege permissions block to the
build job to restrict token access (e.g. add a permissions mapping under the
"build" job such as permissions: contents: read and any other required read-only
scopes like packages: read) so the workflow uses a read-only token instead of
the default full-scoped token.

Source: Linters/SAST tools

[javier-godoy]

@coderabbitai Report as a new issue

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

gh issue create \
  --repo FlowingCode/JsonMigrationHelper \
  --assignee javier-godoy \
  --title "ci: add least-privilege permissions block to GitHub Actions workflow" \
  --body "## Summary

The \`.github/workflows/maven.yml\` build job currently inherits default \`GITHUB_TOKEN\` scopes, which is overly broad. A least-privilege \`permissions\` block should be added at the workflow (or job) level to reduce the blast radius if any action or step is compromised.

## Suggested fix

Add the following block to the workflow (top-level, after the \`on:\` section):

\`\`\`yaml
permissions:
  contents: read
\`\`\`

If the workflow ever needs to read packages from GHPR, also add \`packages: read\`.

## References

- Flagged in PR `#36` — comment: https://github.com/FlowingCode/JsonMigrationHelper/pull/36#discussion_r3388417899
- Detected by [zizmor](https://github.com/woodruffw/zizmor) rule \`excessive-permissions\`

## Requested by

`@javier-godoy`"

Length of output: 1058

---

---

@javier-godoy, the issue has been created: FlowingCode/JsonMigrationHelper#37 — ci: add least-privilege permissions block to GitHub Actions workflow.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: resolve current supported major tags to immutable SHAs.
# Expected: choose a supported major tag and pin to its commit SHA in workflow YAML.

set -euo pipefail

for repo in actions/checkout actions/setup-java; do
  echo "== $repo =="
  for tag in v4 v5; do
    code=$(curl -s -o /tmp/ref.json -w "%{http_code}" \
      "https://api.github.com/repos/$repo/git/ref/tags/$tag")
    if [ "$code" = "200" ]; then
      sha=$(jq -r '.object.sha' /tmp/ref.json)
      echo "$tag -> $sha"
    fi
  done
done

Repository: FlowingCode/JsonMigrationHelper

Length of output: 311

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the full workflow with line numbers but keep output bounded by showing only relevant sections
FILE=".github/workflows/maven.yml"

echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,220p'

Repository: FlowingCode/JsonMigrationHelper

Length of output: 176

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/maven.yml"
echo "== grep uses/permissions/persist-credentials in $FILE =="
rg -n "uses:\s*actions/(checkout|setup-java)@|permissions:|persist-credentials" "$FILE" || true

echo
echo "== file excerpt around checkout/setup-java =="
awk 'NR>=30 && NR<=80 {printf "%5d  %s\n", NR, $0}' "$FILE"

echo
echo "== full file (bounded) =="
awk '{printf "%5d  %s\n", NR, $0}' "$FILE"

Repository: FlowingCode/JsonMigrationHelper

Length of output: 3264

---

🌐 Web query:

actions/checkout persist-credentials default true write permissions later steps

💡 Result:

In the actions/checkout action, the persist-credentials input defaults to true [1][2]. When enabled, this setting configures the local Git repository with the authentication token or SSH key used to check out the code [1][3]. This allows subsequent steps in the same job to execute authenticated Git commands (such as git fetch or git push) automatically without requiring further configuration [1][4]. Regarding security and permissions: 1. Credential Security: In newer versions of actions/checkout, credentials are stored in a secure, separate file under $RUNNER_TEMP rather than directly in the.git/config file, which helps prevent accidental credential leakage (for example, if artifacts are published) [1][4][5]. The token is automatically removed during the post-job cleanup phase [1][3]. 2. Access Scope: While setting persist-credentials to true configures Git to use these credentials, it does not fundamentally change the accessibility of the GITHUB_TOKEN within a job [6][5]. The GITHUB_TOKEN is available to all steps within a job by default, regardless of the actions/checkout configuration [6][5]. Consequently, an action could technically access the token through other channels even if persist-credentials is set to false [5]. 3. Opting Out: If you prefer not to have the credentials persisted in the Git configuration for your workflow steps, you can explicitly set persist-credentials: false in your workflow file [1][3]. Top results: [1][3][4][5]

Citations:

• 1: https://github.com/actions/checkout/?tab=readme-ov-file
• 2: https://github.com/actions/checkout/blob/72f2cec99f417b1a1c5e2e88945068983b7965f9/action.yml
• 3: https://github.com/actions/checkout/blob/85e6279cec87321a52edac9c87bce653a07cf6c2/README.md
• 4: https://github.com/actions/checkout/tree/v6.0.2?tab=readme-ov-file
• 5: [security] Escalate concerning default persist-credentials=true please actions/checkout#2312
• 6: Remove persist-credentials or change the default to false actions/checkout#485

---

🌐 Web query:

actions/setup-java cache: maven required workflow permissions contents actions write

💡 Result:

The actions/setup-java action does not require "contents: write" permissions for caching Maven dependencies [1][2]. The official documentation explicitly recommends setting permissions to "contents: read" to ensure proper functionality [1][3]. The "contents: read" permission is sufficient because the action only needs to read your dependency files (e.g., pom.xml) to calculate the cache key and access the internal GitHub Actions Cache service, which is managed by the workflow environment [1][2][4]. You do not need write access to your repository contents to manage these dependencies [1].

Citations:

• 1: https://github.com/actions/setup-java/blob/main/README.md
• 2: https://github.com/actions/setup-java
• 3: actions/setup-java@99d3141
• 4: https://deepwiki.com/actions/setup-java/3.1-dependency-caching

---

Harden third-party GitHub Actions in .github/workflows/maven.yml (pin + disable checkout credential persistence).

• At lines 39-41, replace mutable/older actions/checkout@v3 and actions/setup-java@v3 with pinned commit SHAs.
• Set persist-credentials: false for actions/checkout (defaults to true).
• Add an explicit least-privilege permissions: block (e.g., contents: read) instead of relying on defaults.

Suggested patch

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
+        with:
+          persist-credentials: false
       - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654

🧰 Tools

🪛 actionlint (1.7.12)

[error] 39-39: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

[error] 41-41: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.25.2)

[warning] 39-39: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven.yml around lines 39 - 45, Update the GitHub Actions
workflow to harden third-party action usage: replace the mutable
actions/checkout@v3 and actions/setup-java@v3 references with their pinned
commit SHAs (use the specific commit SHA for each action), set actions/checkout
to include persist-credentials: false, and add an explicit least-privilege
permissions block (e.g., permissions: contents: read) at the workflow level to
avoid relying on defaults; locate these changes around the uses of
actions/checkout and actions/setup-java in the maven.yml workflow and apply them
together.

Source: Linters/SAST tools

[javier-godoy]

@coderabbitai Create an isue about this

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh issue create \
  --repo FlowingCode/JsonMigrationHelper \
  --title "ci: harden GitHub Actions workflow (pin action SHAs, least-privilege permissions)" \
  --assignee "javier-godoy" \
  --body "## Summary

The \`.github/workflows/maven.yml\` workflow uses mutable version tags (\`actions/checkout@v3\`, \`actions/setup-java@v3\`) and relies on default permissions, which poses a supply-chain security risk.

## Findings

1. **Unpinned action references** – \`actions/checkout@v3\` and \`actions/setup-java@v3\` should be pinned to immutable commit SHAs to prevent unexpected changes or supply-chain attacks.
2. **Credential persistence** – \`actions/checkout\` defaults to \`persist-credentials: true\`, which persists the GITHUB_TOKEN in the Git config for the duration of the job. Setting \`persist-credentials: false\` is the safer default for jobs that do not need authenticated Git operations after checkout.
3. **Implicit permissions** – The workflow does not declare an explicit \`permissions:\` block. Adding \`permissions: contents: read\` (or the minimum required) follows the principle of least privilege.

Additionally, \`actionlint\` reports that the v3 runners for both actions are too old to run on GitHub Actions and should be updated.

## References

- Flagged during review of PR `#36` in comment https://github.com/FlowingCode/JsonMigrationHelper/pull/36#discussion_r3388417907
- Requested by `@javier-godoy`
"

Length of output: 1546

---

---

@javier-godoy, the issue has been created: https://github.com/FlowingCode/JsonMigrationHelper/issues/38