Factor out setup-* actions

[koppor]

User description

Streamlines our workflows by extracting the common steps

Caches LTWA download to reduce load on their servers - and to make CI more stable

Steps to test

See CI steps pass

Mandatory checks

• I own the copyright of the code submitted and I license it under the MIT license
• [/] I manually tested my changes in running JabRef (always required)
• [/] I added JUnit tests for changes (if applicable)
• [/] I added screenshots in the PR description (if change is visible to the user)
• [/] I described the change in CHANGELOG.md in a way that is understandable for the average user (if change is visible to the user)
• [/] I checked the user documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request updating file(s) in https://github.com/JabRef/user-documentation/tree/main/en.

---

PR Type

Enhancement

---

Description

• Extract common setup steps into reusable GitHub Actions

• Add LTWA file caching to reduce external server load

• Consolidate JDK, Gradle, and JBang setup across workflows

• Simplify workflow files by replacing duplicated steps with action references

---

Diagram Walkthrough

flowchart LR
  A["Duplicated setup steps<br/>across workflows"] -->|"Factor out"| B["setup-gradle action"]
  A -->|"Factor out"| C["setup-with-gitversion action"]
  B -->|"Includes"| D["JDK setup"]
  B -->|"Includes"| E["Gradle setup"]
  B -->|"Includes"| F["JBang setup<br/>with caching"]
  B -->|"Includes"| G["LTWA file<br/>caching"]
  C -->|"Includes"| H["GitVersion setup"]
  C -->|"References"| B
  I["Multiple workflows"] -->|"Use"| B
  I -->|"Use"| C

Loading

File Walkthrough

Relevant files

Enhancement

15 files action.yml New composite action for JDK, Gradle, JBang setup                .github/actions/setup-gradle/action.yml New composite action that sets up JDK 24 (Corretto), Gradle, and JBang Implements caching for LTWA CSV file to reduce external server load Generates monthly cache key for JBang to maintain fresh dependencies Consolidates five separate setup steps into a single reusable action +32/-0    action.yml New composite action for GitVersion and gradle setup          .github/actions/setup-with-gitversion/action.yml New composite action that combines GitVersion setup with gradle setup Installs and executes GitVersion for version management References the setup-gradle action for JDK and build tool configuration Provides a complete setup workflow for version-aware builds +13/-0    binaries.yml Replace setup steps with reusable action                                  .github/workflows/binaries.yml Replace 40+ lines of duplicated setup steps with single setup-with-gitversion action Removes manual GitVersion, JDK, Gradle, and JBang configuration steps Maintains existing checkout and platform-specific package installation logic +1/-30    publish.yml Replace setup steps with reusable action                                  .github/workflows/publish.yml Replace 35+ lines of duplicated setup steps with setup-with-gitversion action Removes manual GitVersion, JDK, Gradle, and JBang cache configuration Simplifies workflow while maintaining version management functionality +1/-29    run-openrewrite.yml Replace setup steps with reusable action                                  .github/workflows/run-openrewrite.yml Replace 30+ lines of setup steps with setup-gradle action Rename step from "Fetch PR branch" to "Checkout PR branch" for clarity Removes manual JDK, Gradle, and JBang cache configuration +2/-23    sbom-pr.yml Replace setup steps with reusable action                                  .github/workflows/sbom-pr.yml Replace 15+ lines of setup steps with setup-gradle action Rename step from "Check out repository" to "Checkout source" Add submodules and show-progress flags to checkout configuration Removes manual JDK and Gradle setup +4/-11    tests-code-fetchers.yml Replace setup steps with reusable action                                  .github/workflows/tests-code-fetchers.yml Replace 30+ lines of duplicated setup steps with setup-gradle action Removes manual JDK, Gradle, and JBang cache configuration Simplifies fetcher test workflow configuration +1/-22    tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 30+ lines of setup steps with setup-gradle action in checkstyle job Replace 30+ lines of setup steps in openrewrite job Replace 25+ lines of setup steps in modernizer job Removes manual JDK, Gradle, and JBang cache configuration across three jobs +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 25+ lines of setup steps with setup-gradle action in javadoc job Add submodules and show-progress flags to checkout configuration Removes manual JDK, Gradle, and JBang cache configuration +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 25+ lines of setup steps with setup-gradle action in unit tests job Removes manual JDK, Gradle, and JBang cache configuration Removes comment about JBang cache update placement +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 25+ lines of setup steps with setup-gradle action in jablib tests job Removes manual JDK, Gradle, and JBang cache configuration +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 20+ lines of setup steps with setup-gradle action in smoke test job Removes manual JDK, Gradle, and JBang cache configuration +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 25+ lines of setup steps with setup-gradle action in database tests job Removes manual JDK, Gradle, and JBang cache configuration +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 30+ lines of setup steps with setup-gradle action in jbang-build job Adds conditional execution based on changed files detection Removes manual JDK and JBang cache configuration +13/-228 tests-code.yml Replace setup steps with reusable action                                  .github/workflows/tests-code.yml Replace 25+ lines of setup steps with setup-gradle action in jabkit-build job Removes manual JDK and JBang cache configuration +13/-228

---

[qodo-free-for-open-source-projects]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Unpinned action reference Description: Using @main branch reference for jbangdev/setup-jbang action instead of a pinned version or commit SHA allows arbitrary code execution if the upstream repository is compromised, as the action runs with workflow permissions. action.yml [32-32] Referred Code uses: jbangdev/setup-jbang@main
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-free-for-open-source-projects]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Parameterize the Java version Parameterize the java-version in the setup-gradle action by adding an input with a default of '24' to fix a breaking change for jobs that require a different JDK version. .github/actions/setup-gradle/action.yml [1-11] name: Setup JDK, JBang, and gradle description: Setup JDK, JBang and gradle +inputs: + java-version: + description: 'Version of JDK to use' + required: false + default: '24' runs: using: composite steps: - name: Setup JDK uses: actions/setup-java@v5 with: - java-version: '24' + java-version: ${{ inputs.java-version }} distribution: 'corretto' check-latest: true Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies that hardcoding the java-version to '24' in the new composite action is a breaking change for workflows that previously used Java 25, which would cause those jobs to fail.	High
General	Improve cache restore key specificity Improve the JBang cache restore-keys by adding ${{ runner.os }} to make it more specific and prevent potential conflicts between different operating systems. .github/actions/setup-gradle/action.yml [24-30] - name: Cache JBang uses: actions/cache@v5 with: path: ~/.jbang key: ${{ steps.cache-key.outputs.cache_key }} - restore-keys: + restore-keys: | + jbang-${{ runner.os }}- jbang- Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly points out that the JBang cache may contain OS-specific files, and adding runner.os to the restore key improves cache robustness by preventing cross-OS cache restoration issues.	Low
Update