library-api: add deployment workflow and version management

Implement semantic versioning workflow with automated Cloud Run deployment:

**Deployment infrastructure:**
- GitHub Actions workflow (.github/workflows/deploy-library-api.yml)
  - Triggered by tags matching library-api-v*
  - Validates version sync between git tag and pom.xml
  - Builds Docker image using Dockerfile.jvm
  - Pushes to Google Artifact Registry with :v{version} and :latest tags
  - Deploys to Cloud Run with matching revision name

**Version management:**
- bin/tag-release: Atomically updates pom.xml and creates git tag
- bin/validate-library-api-version: Pre-push hook validator
- Semantic versioning: MAJOR.MINOR.PATCH (e.g., 0.3.0)

**Docker:**
- Multi-stage Kogito-based Dockerfile (Dockerfile.jvm)
- Java 17 runtime on Red Hat UBI 9
- Optimized for Quarkus JVM mode

**Configuration changes:**
- pom.xml: Updated groupId to org.codeforphilly.bdt

**Cloud Run target:**
- Project: benefit-decision-toolkit-play
- Region: us-central1
- Public/unauthenticated access

Version tags, Docker tags, and Cloud Run revision names stay synchronized throughout the release process.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: prestoncabe

.github/workflows/deploy-library-api.yml

@@ -0,0 +1,122 @@
+# This workflow uses devbox for dependency management and builds/deploys the library API
+# to Cloud Run when a version tag is pushed (e.g., library-api-v1.0.0).
+
+name: 'Build and Deploy Library API to Cloud Run'
+
+on:
+  push:
+    tags:
+      - 'library-api-v*'
+
+env:
+  PROJECT_ID: 'benefit-decision-toolkit-play'
+  REGION: 'us-central1'
+  SERVICE: 'benefit-decision-toolkit-play'
+  API_NAME: 'library-api'
+  WORKLOAD_IDENTITY_PROVIDER: 'projects/1034049717668/locations/global/workloadIdentityPools/github-actions-google-cloud/providers/github'
+
+jobs:
+  deploy:
+    runs-on: 'ubuntu-latest'
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@v4'
+
+      # Devbox needs a .env file to exist, even if it's empty
+      - name: 'Create .env file'
+        run: touch .env
+
+      # Setup devbox which includes all our dependencies: Maven, JDK 21, Quarkus, etc.
+      - name: 'Install devbox'
+        uses: 'jetify-com/[email protected]'
+        with:
+          enable-cache: true
+
+      # Extract version from pom.xml (source of truth) using Maven
+      - name: 'Extract version from pom.xml'
+        id: extract_version
+        run: |
+          # Use -f to specify the pom.xml path (devbox runs from repo root)
+          VERSION=$(devbox run -q -- mvn -f library-api/pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout 2>&1 | tail -1 | xargs)
+
+          echo "Extracted VERSION: '${VERSION}'"
+
+          # Validate it's a semantic version
+          if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "ERROR: Invalid version format: '$VERSION'"
+            echo "Expected semantic version (e.g., 0.1.2)"
+            exit 1
+          fi
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          # Create revision-safe version string (replace dots with dashes for Cloud Run)
+          REVISION_VERSION=$(echo "${VERSION}" | tr '.' '-')
+          echo "revision_version=${REVISION_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Extracted version from pom.xml: ${VERSION}"
+          echo "Revision version: ${REVISION_VERSION}"
+
+      # Validate that git tag exists for this pom.xml version
+      - name: 'Validate git tag matches pom.xml version'
+        run: |
+          devbox run -q -- bin/validate-library-api-version
+
+      # Configure Workload Identity Federation and generate an access token
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
+          service_account: cicd-build-deploy-api@benefit-decision-toolkit-play.iam.gserviceaccount.com
+          project_id: ${{ env.PROJECT_ID }}
+
+      # Configure Docker to use gcloud as a credential helper (using devbox gcloud)
+      - name: 'Configure Docker'
+        run: |
+          devbox run -q -- gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev
+
+      # Build the Quarkus app with Maven using devbox environment
+      - name: 'Build Quarkus App'
+        working-directory: library-api
+        run: |
+          devbox run -q build-library-api-ci
+
+      - name: 'Build and Push Container'
+        working-directory: library-api
+        run: |-
+          VERSION="${{ steps.extract_version.outputs.version }}"
+          DOCKER_TAG_VERSIONED="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/${{ env.API_NAME }}:v${VERSION}"
+          DOCKER_TAG_LATEST="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/${{ env.API_NAME }}:latest"
+
+          # Build and tag with version
+          docker build -f src/main/docker/Dockerfile.jvm --tag "${DOCKER_TAG_VERSIONED}" --tag "${DOCKER_TAG_LATEST}" .
+
+          # Push both tags
+          docker push "${DOCKER_TAG_VERSIONED}"
+          docker push "${DOCKER_TAG_LATEST}"
+
+          echo "Pushed images:"
+          echo "  - ${DOCKER_TAG_VERSIONED}"
+          echo "  - ${DOCKER_TAG_LATEST}"
+
+      - name: 'Deploy to Cloud Run'
+        id: deploy
+        uses: 'google-github-actions/deploy-cloudrun@v2'
+        with:
+          service: '${{ env.API_NAME }}'
+          region: '${{ env.REGION }}'
+          image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/${{ env.API_NAME }}:v${{ steps.extract_version.outputs.version }}'
+          tag: '${{ env.API_NAME }}-v${{ steps.extract_version.outputs.revision_version }}'
+          flags: '--allow-unauthenticated --max-instances=2 --service-account=library-api-service-account@${{ env.PROJECT_ID }}.iam.gserviceaccount.com'
+
+      # Show deployment output
+      - name: 'Show deployment output'
+        run: |
+          echo "Deployment complete!"
+          echo "Service URL: ${{ steps.deploy.outputs.url }}"
+          echo "Version: v${{ steps.extract_version.outputs.version }}"
+          echo "Revision: ${{ env.API_NAME }}-v${{ steps.extract_version.outputs.revision_version }}"

bin/validate-library-api-version

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+# library-api Version Validation Script
+# Ensures pom.xml version matches git tag
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+LIBRARY_API_DIR="$REPO_ROOT/library-api"
+POM_FILE="$LIBRARY_API_DIR/pom.xml"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+print_error() {
+    echo -e "${RED}ERROR: $1${NC}" >&2
+}
+
+print_success() {
+    echo -e "${GREEN}✓ $1${NC}"
+}
+
+print_warning() {
+    echo -e "${YELLOW}⚠ $1${NC}"
+}
+
+# Check if we're in a git repository
+if ! git rev-parse --git-dir > /dev/null 2>&1; then
+    print_error "Not in a git repository"
+    exit 1
+fi
+
+# Check if pom.xml exists
+if [ ! -f "$POM_FILE" ]; then
+    print_error "pom.xml not found at $POM_FILE"
+    exit 1
+fi
+
+# Check if Maven is available
+if ! command -v mvn &> /dev/null; then
+    print_error "Maven (mvn) not found. Please install Maven or use devbox."
+    exit 1
+fi
+
+# Extract version from pom.xml using Maven
+cd "$LIBRARY_API_DIR"
+POM_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout 2>/dev/null || echo "")
+
+if [ -z "$POM_VERSION" ]; then
+    print_error "Could not extract version from pom.xml"
+    exit 1
+fi
+
+# Expected git tag based on pom.xml version
+EXPECTED_TAG="library-api-v${POM_VERSION}"
+
+# Check if we're being called in a pre-push hook context
+# In that case, check if a library-api-v* tag is being pushed
+if [ -n "$1" ] && [ "$1" = "--pre-push-hook" ]; then
+    # Read stdin to get refs being pushed
+    TAG_BEING_PUSHED=""
+    while read local_ref local_sha remote_ref remote_sha; do
+        # Check if it's a tag push matching library-api-v*
+        if [[ "$remote_ref" =~ refs/tags/library-api-v.* ]]; then
+            TAG_BEING_PUSHED="${remote_ref#refs/tags/}"
+
+            # Validate the tag matches pom.xml version
+            if [ "$TAG_BEING_PUSHED" != "$EXPECTED_TAG" ]; then
+                echo ""
+                print_error "Version mismatch detected!"
+                echo ""
+                echo "  Tag being pushed:     $TAG_BEING_PUSHED"
+                echo "  Expected tag:         $EXPECTED_TAG"
+                echo "  pom.xml version:      $POM_VERSION"
+                echo ""
+                echo "To fix this issue:"
+                echo "  1. Delete the incorrect tag: git tag -d $TAG_BEING_PUSHED"
+                echo "  2. Use the helper script: cd library-api && ./bin/tag-release $POM_VERSION"
+                echo ""
+                exit 1
+            fi
+
+            print_success "Version validation passed: $TAG_BEING_PUSHED matches pom.xml version $POM_VERSION"
+            exit 0
+        fi
+    done
+
+    # No library-api tag being pushed, validation not needed
+    exit 0
+fi
+
+# Manual validation mode (not in pre-push hook)
+# Check if the expected tag exists locally or remotely
+TAG_EXISTS_LOCAL=$(git tag -l "$EXPECTED_TAG")
+TAG_EXISTS_REMOTE=$(git ls-remote --tags origin "$EXPECTED_TAG" 2>/dev/null | grep -c "$EXPECTED_TAG" || echo "0")
+
+if [ -n "$TAG_EXISTS_LOCAL" ]; then
+    print_success "Local tag $EXPECTED_TAG exists and matches pom.xml version $POM_VERSION"
+    exit 0
+elif [ "$TAG_EXISTS_REMOTE" -gt 0 ]; then
+    print_success "Remote tag $EXPECTED_TAG exists and matches pom.xml version $POM_VERSION"
+    exit 0
+else
+    print_warning "No git tag found for current pom.xml version"
+    echo ""
+    echo "  pom.xml version:      $POM_VERSION"
+    echo "  Expected tag:         $EXPECTED_TAG"
+    echo ""
+    echo "To create a release tag:"
+    echo "  cd library-api && ./bin/tag-release $POM_VERSION"
+    echo ""
+    exit 1
+fi

library-api/bin/tag-release

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+# library-api Release Tagging Script
+# This script ensures pom.xml version and git tag stay in sync
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+LIBRARY_API_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+POM_FILE="$LIBRARY_API_DIR/pom.xml"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+print_error() {
+    echo -e "${RED}ERROR: $1${NC}" >&2
+}
+
+print_success() {
+    echo -e "${GREEN}✓ $1${NC}"
+}
+
+print_info() {
+    echo -e "${YELLOW}→ $1${NC}"
+}
+
+# Check if version argument provided
+if [ $# -eq 0 ]; then
+    print_error "No version specified"
+    echo "Usage: $0 <version>"
+    echo "Example: $0 1.0.0"
+    exit 1
+fi
+
+VERSION="$1"
+
+# Validate semantic versioning format
+if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    print_error "Invalid version format: $VERSION"
+    echo "Version must follow semantic versioning: MAJOR.MINOR.PATCH (e.g., 1.0.0)"
+    exit 1
+fi
+
+TAG_NAME="library-api-v${VERSION}"
+
+print_info "Preparing to tag library-api release: $VERSION"
+echo ""
+
+# Check if we're in a git repository
+if ! git rev-parse --git-dir > /dev/null 2>&1; then
+    print_error "Not in a git repository"
+    exit 1
+fi
+
+# Check if tag already exists
+if git rev-parse "$TAG_NAME" >/dev/null 2>&1; then
+    print_error "Tag $TAG_NAME already exists"
+    echo "Use 'git tag -d $TAG_NAME' to delete it locally if needed"
+    exit 1
+fi
+
+# Check if pom.xml exists
+if [ ! -f "$POM_FILE" ]; then
+    print_error "pom.xml not found at $POM_FILE"
+    exit 1
+fi
+
+# Update pom.xml version using Maven
+print_info "Updating pom.xml version to $VERSION..."
+
+cd "$LIBRARY_API_DIR"
+
+# Use Maven versions plugin to update project version
+if ! mvn versions:set -DnewVersion="$VERSION" -DgenerateBackupPoms=false > /dev/null 2>&1; then
+    print_error "Failed to update pom.xml version using Maven"
+    exit 1
+fi
+
+# Verify the update by extracting the project version
+CURRENT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout 2>/dev/null || echo "")
+
+if [ "$CURRENT_VERSION" != "$VERSION" ]; then
+    print_error "Failed to update pom.xml version"
+    echo "Current version in pom.xml: $CURRENT_VERSION"
+    echo "Expected version: $VERSION"
+    exit 1
+fi
+
+print_success "Updated pom.xml to version $VERSION"
+
+# Stage pom.xml
+print_info "Staging pom.xml..."
+git add "$POM_FILE"
+print_success "Staged pom.xml"
+
+# Create commit
+print_info "Creating commit..."
+git commit -m "Bump library-api version to $VERSION"
+print_success "Created commit"
+
+# Create tag
+print_info "Creating git tag $TAG_NAME..."
+git tag -a "$TAG_NAME" -m "Release library-api $VERSION"
+print_success "Created tag $TAG_NAME"
+
+echo ""
+print_success "Release preparation complete!"
+echo ""
+echo "Next steps:"
+echo "  1. Review the changes: git show"
+echo "  2. Push the commit: git push origin $(git rev-parse --abbrev-ref HEAD)"
+echo "  3. Push the tag: git push origin $TAG_NAME"
+echo ""
+echo "Pushing the tag will trigger the GitHub Actions deployment workflow."

library-api/pom.xml

@@ -2,10 +2,10 @@
 <project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <modelVersion>4.0.0</modelVersion>
-  <groupId>org.prestoncabe</groupId>
-  <artifactId>benefit-decision-toolkit</artifactId>
-  <version>v0.0.1</version>
-  <name>Benefit Decision Toolkit</name>
+  <groupId>org.codeforphilly.bdt</groupId>
+  <artifactId>bdt-library-api</artifactId>
+  <version>0.3.0</version>
+  <name>BDT Library API</name>
 
   <properties>
     <compiler-plugin.version>3.11.0</compiler-plugin.version>

library-api/src/main/docker/Dockerfile.jvm

@@ -0,0 +1,16 @@
+FROM registry.access.redhat.com/ubi9/openjdk-17:1.20
+
+ENV LANGUAGE='en_US:en'
+
+# We make four distinct layers so if there are application changes the library layers can be re-used
+COPY --chown=185 target/quarkus-app/lib/ /deployments/lib/
+COPY --chown=185 target/quarkus-app/*.jar /deployments/
+COPY --chown=185 target/quarkus-app/app/ /deployments/app/
+COPY --chown=185 target/quarkus-app/quarkus/ /deployments/quarkus/
+
+EXPOSE 8080
+USER 185
+ENV JAVA_OPTS_APPEND="-Dquarkus.http.host=0.0.0.0 -Dquarkus.http.port=${PORT:-8080} -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
+ENV JAVA_APP_JAR="/deployments/quarkus-run.jar"
+
+ENTRYPOINT [ "/opt/jboss/container/java/run/run-java.sh" ]