Conversation

@ThomasJejkal ThomasJejkal commented Feb 10, 2025

Summary by CodeRabbit

  • Chores

    • Upgraded build tooling and many libraries; enabled Java 17 compatibility; bumped Gradle and wrapper; simplified wrapper invocation; updated CI/CD and Docker workflow action versions; tooling/version tweaks (including coverage tool).
  • Tests

    • Added an integration test validating Prometheus actuator metrics and endpoint exposure; test config exposes management endpoints for evaluation.
  • Documentation

    • Fixed Docker container URL formatting in the README.

coderabbitai bot commented Feb 10, 2025

Walkthrough

Upgrades Gradle wrapper, Gradle plugins and many dependencies; sets Java source/target to 17; switches wrapper scripts to use java -jar; updates GitHub Action pins; adds ActuatorPrometheus integration test and test properties; fixes two README links.

Changes

| Cohort | File(s) | Change Summary |
| --- | --- | --- |
| Build configuration | build.gradle | Upgraded Spring Boot and multiple Gradle plugins and dependency versions; added java { sourceCompatibility = 17; targetCompatibility = 17 }; updated ext props (javersVersion, springDocVersion); bumped Jacoco toolVersion. |
| Gradle wrapper distribution | gradle/wrapper/gradle-wrapper.properties | Updated distributionUrl from Gradle 8.12.1 to 9.2.1. |
| Wrapper scripts | gradlew, gradlew.bat | Switched invocation to java -jar .../gradle-wrapper.jar; removed CLASSPATH/cygpath handling; adjusted argument/command construction. |
| CI — Docker publish workflow | .github/workflows/docker-publish.yml | Updated action pins/hashes (e.g., actions/checkout → v5, updated docker action hashes). No control-flow changes. |
| CI — CodeQL & Gradle workflows | .github/workflows/codeql-analysis.yml, .github/workflows/gradle.yml | Upgraded action versions (actions/checkout v4→v5, CodeQL actions v3→v4, actions/setup-java v4→v5). No control-flow changes. |
| Tests | src/test/java/.../ActuatorPrometheusTest.java | Added integration test ActuatorPrometheusTest with testForNotExposedActuators() (asserts many actuator endpoints return 404) and testActuator() (asserts /actuator/prometheus returns 200 and contains specific metrics). |
| Test config | src/test/resources/test-config/application-test.properties | Added management properties: management.endpoints.web.exposure.include=* and management.endpoint.health.show-details=always (duplicate exposure line present). |
| Docs | README.md | Fixed Docker container link by removing URL-encoded %2F occurrences. |

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer / CI
    participant Wrapper as gradlew / gradlew.bat
    participant Java as java runtime
    participant WrapperJar as gradle/wrapper/gradle-wrapper.jar
    participant GradleDist as Gradle distribution

    Dev->>Wrapper: run ./gradlew <task>
    Wrapper->>Java: exec "java -jar $APP_HOME/gradle/wrapper/gradle-wrapper.jar" <args>
    Java->>WrapperJar: start GradleWrapperMain inside JAR
    WrapperJar->>GradleDist: download/bootstrap Gradle distribution if missing
    GradleDist->>Dev: execute requested build task / return status
    note right of GradleDist `#D6EAF8`: Wrapper updated → Gradle 9.2.1

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Points to review closely:

  • Compatibility and breaking changes introduced by the Spring Boot / dependency version bumps in build.gradle (including plugin upgrades).
  • Gradle wrapper upgrade plus gradlew / gradlew.bat invocation change to -jar and resulting behavior on CI and Windows.
  • New integration test ActuatorPrometheusTest and application-test.properties changes (endpoint exposure and asserted metric names).
  • CI workflow action version pins — ensure runner compatibility with updated actions.

Poem

🐇
I hopped through plugins, polished every jar,
Swapped CLASSPATH for a nimble little jar,
Actions refreshed and the wrapper takes flight,
Prometheus hums metrics into the night,
A rabbit's thump for every successful build delight.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'PR for v1.5.9' is vague and generic. While it mentions a version number, it does not clearly describe what the pull request contains or the primary changes being made, only identifying it as a release version. | Consider using a more descriptive title that summarizes the primary changes, such as 'Upgrade dependencies and plugins to support Spring Boot 3.5.8 and Gradle 9.2.1' or similar, to clearly convey the main scope of the pull request. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@ThomasJejkal ThomasJejkal self-assigned this Mar 4, 2025
ThomasJejkal and others added 28 commits March 10, 2025 09:20
…mbok-8.x

Update plugin io.freefair.lombok to v8.12.2.1
…ework-spring-messaging-6.x

Update dependency org.springframework:spring-messaging to v6.2.4
…ven-publish-java-8.x

Update plugin io.freefair.maven-publish-java to v8.13
…mbok-8.x

Update plugin io.freefair.lombok to v8.13
…ush-action-digest

Update docker/build-push-action digest to 84ad562
…ework.data-spring-data-elasticsearch-5.x

Update dependency org.springframework.data:spring-data-elasticsearch to v5.4.4
…ction-digest

Update docker/login-action digest to 74a5d14
…ven-publish-java-8.x

Update plugin io.freefair.maven-publish-java to v8.13.1
…ework.boot-3.x

Update plugin org.springframework.boot to v3.4.4
…ework-spring-messaging-6.x

Update dependency org.springframework:spring-messaging to v6.2.5
…ework.cloud-spring-cloud-starter-netflix-eureka-client-4.x

Update dependency org.springframework.cloud:spring-cloud-starter-netflix-eureka-client to v4.2.1
…ework.cloud-spring-cloud-gateway-mvc-4.x

Update dependency org.springframework.cloud:spring-cloud-gateway-mvc to v4.2.1
renovate bot and others added 29 commits November 5, 2025 19:12
…ven-publish-java-9.x

Update plugin io.freefair.maven-publish-java to v9.1.0
…mbok-9.x

Update plugin io.freefair.lombok to v9.1.0
…imbus-jose-jwt-10.x

Update dependency com.nimbusds:nimbus-jose-jwt to v10.6
…a-action-digest

Update docker/metadata-action digest to 8d8c7c1
…ework-spring-messaging-6.x

Update dependency org.springframework:spring-messaging to v6.2.13
…ndencycheck-12.x

Update plugin org.owasp.dependencycheck to v12.1.9
…ework-spring-messaging-7.x

Update dependency org.springframework:spring-messaging to v7
…ework.data-spring-data-elasticsearch-6.x

Update dependency org.springframework.data:spring-data-elasticsearch to v6
Downgrade spring-data-elasticsearch version from 6.0.0 to 5.5.5.
6.0.0 seems to be targeted for Spring Boot 4.0 and currently won't build.
…ework.data-spring-data-elasticsearch-5.x

Update dependency org.springframework.data:spring-data-elasticsearch to v5.5.6
…ework.boot-3.x

Update plugin org.springframework.boot to v3.5.8
…gradle-git-properties-2.x

Update plugin com.gorylenko.gradle-git-properties to v2.5.4
…a-action-digest

Update docker/metadata-action digest to c299e40
…ework-spring-messaging-7.x

Update dependency org.springframework:spring-messaging to v7.0.1
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
build.gradle (1)

35-37: Update springBootVersion property to match the plugin.

The build now applies org.springframework.boot 3.5.8 (line 2), but the springBootVersion property still advertises 3.2.1. Downstream modules or dependency management imports that consume this property will continue pulling the 3.2.x BOM, creating a version split from the Gradle plugin and the managed dependencies you just upgraded. This was flagged in the previous review and remains unresolved.

Please bump the property to 3.5.8 (or remove it if truly unused) so all consumers stay aligned.

Apply this diff to fix the version mismatch:

-    set('springBootVersion', "3.2.1")
+    set('springBootVersion', "3.5.8")
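Review bot: before applying this one-line bump, confirm that springBootVersion is actually read somewhere (the profile gradle files are the likely place); a property nothing consumes is a second copy of the Spring Boot version that will drift from the plugin declaration on line 2 again, exactly as it drifted from 3.2.1 while the plugin moved to 3.5.8 in this PR. If nothing reads it, deleting the set('springBootVersion', ...) line is the more robust fix; if the profile files do read it, the bump to "3.5.8" is correct and the two declarations should be kept in step going forward.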
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f07318b and 419bc1c.

📒 Files selected for processing (3)
  • .github/workflows/docker-publish.yml (2 hunks)
  • build.gradle (5 hunks)
  • gradle/wrapper/gradle-wrapper.properties (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • gradle/wrapper/gradle-wrapper.properties
🔇 Additional comments (3)
build.gradle (2)

2-2: Plugin version updates look good.

The plugin upgrades (Spring Boot 3.5.8, Lombok 9.1.0, Maven Publish 9.1.0, dependency-check 12.1.9, Asciidoctor 4.0.5, git-properties 2.5.4) are coordinated and align with the Gradle 9.2.1 upgrade mentioned in the PR.

Also applies to: 4-9


25-28: Java 17 source/target compatibility aligns with Gradle and plugin upgrades.

The addition of Java 17 compatibility is well-placed and consistent with the modern dependency versions in this build.

.github/workflows/docker-publish.yml (1)

35-35: actions/checkout@v5 is compatible with this workflow.

The v5 upgrade requires GitHub Actions runner v2.327.1+, which is provided by the ubuntu-latest matrix. No breaking changes affect the downstream Docker login/build steps in this workflow.

# Once published, the packages are scoped to the account defined here.
- name: Log in to the Container registry
uses: docker/login-action@327cd5a69de6c009b9ce71bce8395f28e651bf99
uses: docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c
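Review bot: the replacement pin uses: docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c carries no trailing comment naming the release it was resolved from, so a reader cannot tell from the line itself whether the SHA corresponds to a tagged version, and verifying it requires a round trip to the GitHub API as this review had to do. Once the pin points at a released commit, add the tag as a same-line comment (for example "# v3.6.0") so the pin stays auditable and tooling that updates SHA pins can keep the comment in sync.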
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/docker-publish.yml | head -70

Repository: kit-data-manager/base-repo

Length of output: 3360


🏁 Script executed:

#!/bin/bash
# Verify Docker action commit hashes against official GitHub releases

# We'll check the releases and tags for each Docker action repository
echo "=== Verifying docker/login-action commit hash ==="
# Hash: 28fdb31ff34708d19615a74d67103ddc2ea9725c

echo "=== Verifying docker/metadata-action commit hash ==="
# Hash: c299e40c65443455700f0fdfc63efafe5b349051

echo "=== Verifying docker/build-push-action commit hash ==="
# Hash: 9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d

# Try to get release information from GitHub API for each action
for action in "login-action" "metadata-action" "build-push-action"; do
  repo="docker/${action}"
  echo ""
  echo "=== Checking releases for $repo ==="
  curl -s "https://api.github.com/repos/${repo}/releases?per_page=10" | jq -r '.[] | "\(.tag_name): \(.published_at) - Draft: \(.draft), Prerelease: \(.prerelease)"' 2>/dev/null | head -5
done

Repository: kit-data-manager/base-repo

Length of output: 1339


🏁 Script executed:

#!/bin/bash
# Get detailed release information with commit hashes

for action in "login-action" "metadata-action" "build-push-action"; do
  repo="docker/${action}"
  echo ""
  echo "=== Release details for $repo ==="
  
  # Get releases with tag names and their commit info
  curl -s "https://api.github.com/repos/${repo}/releases?per_page=20" | jq -r '.[] | "\(.tag_name): commit SHA information available"' 2>/dev/null
done

# Now let's try to find specific commits in the tags
echo ""
echo "=== Checking specific commit hashes ==="

# For login-action: 28fdb31ff34708d19615a74d67103ddc2ea9725c
echo "docker/login-action commit 28fdb31..."
curl -s "https://api.github.com/repos/docker/login-action/commits/28fdb31ff34708d19615a74d67103ddc2ea9725c" | jq -r '.commit.message, .author.date' 2>/dev/null | head -2

# For metadata-action: c299e40c65443455700f0fdfc63efafe5b349051
echo ""
echo "docker/metadata-action commit c299e40c..."
curl -s "https://api.github.com/repos/docker/metadata-action/commits/c299e40c65443455700f0fdfc63efafe5b349051" | jq -r '.commit.message, .author.date' 2>/dev/null | head -2

# For build-push-action: 9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d
echo ""
echo "docker/build-push-action commit 9e436ba9..."
curl -s "https://api.github.com/repos/docker/build-push-action/commits/9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d" | jq -r '.commit.message, .author.date' 2>/dev/null | head -2

Repository: kit-data-manager/base-repo

Length of output: 3110


🏁 Script executed:

#!/bin/bash
# Find which releases contain these commits

echo "=== Finding release versions for pinned commits ==="

# Get all tags for each repo and their commit SHAs
echo ""
echo "docker/login-action - finding version for 28fdb31ff34708d19615a74d67103ddc2ea9725c"
curl -s "https://api.github.com/repos/docker/login-action/git/matching-refs/tags/v" | jq -r '.[] | "\(.ref): \(.object.sha)"' 2>/dev/null | grep -E "v3|v2" | head -20

echo ""
echo "docker/metadata-action - finding version for c299e40c65443455700f0fdfc63efafe5b349051"
curl -s "https://api.github.com/repos/docker/metadata-action/git/matching-refs/tags/v" | jq -r '.[] | "\(.ref): \(.object.sha)"' 2>/dev/null | grep -E "v5|v4" | head -20

echo ""
echo "docker/build-push-action - finding version for 9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d"
curl -s "https://api.github.com/repos/docker/build-push-action/git/matching-refs/tags/v" | jq -r '.[] | "\(.ref): \(.object.sha)"' 2>/dev/null | grep -E "v6|v5" | head -20

Repository: kit-data-manager/base-repo

Length of output: 3435


🏁 Script executed:

#!/bin/bash
# Get detailed commit information for the pinned commits

echo "=== Commit details for pinned hashes ==="

echo ""
echo "docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c"
curl -s "https://api.github.com/repos/docker/login-action/commits/28fdb31ff34708d19615a74d67103ddc2ea9725c" | jq -r '.commit | "\(.author.date): \(.message)"' 2>/dev/null

echo ""
echo "docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051"
curl -s "https://api.github.com/repos/docker/metadata-action/commits/c299e40c65443455700f0fdfc63efafe5b349051" | jq -r '.commit | "\(.author.date): \(.message)"' 2>/dev/null

echo ""
echo "docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d"
curl -s "https://api.github.com/repos/docker/build-push-action/commits/9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d" | jq -r '.commit | "\(.author.date): \(.message)"' 2>/dev/null

# Now check if there are any advisories or security issues
echo ""
echo "=== Checking for security advisories ==="
for action in "login-action" "metadata-action" "build-push-action"; do
  repo="docker/${action}"
  echo ""
  echo "$repo:"
  curl -s "https://api.github.com/repos/${repo}/security/advisories" | jq -r '.[] | "\(.ghsa_id): \(.summary)"' 2>/dev/null | head -3
done

Repository: kit-data-manager/base-repo

Length of output: 898


Update Docker action pins to use released versions instead of unreleased commits.

Two of the three Docker action commits do not correspond to any official release:

  • Line 40 (docker/login-action@28fdb31ff...): Pinned to an unreleased commit from October 17, 2025, which is after the latest stable release v3.6.0 (September 29, 2025). This commit should be pinned to v3.6.0 or verified as a release candidate.

  • Line 59 (docker/build-push-action@9e436ba9f2d...): Pinned to an unreleased commit from September 29, 2025. The latest stable release is v6.18.0 (May 27, 2025). This commit is significantly newer than any released version and should be replaced with a stable release tag.

  • Line 52 (docker/metadata-action@c299e40c...): ✓ Correctly pinned to v5.10.0 (latest stable release as of November 27, 2025).

Using unreleased commits bypasses the official release review process and introduces unnecessary risk. Pin to stable release versions (e.g., v3.6.0, v6.18.0) instead.

🤖 Prompt for AI Agents
.github/workflows/docker-publish.yml around line 40: the docker actions are
pinned to unreleased commit SHAs which bypass release review and add risk;
replace docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c with the
released tag docker/login-action@v3.6.0, and replace
docker/build-push-action@9e436ba9f2d... (line 59) with
docker/build-push-action@v6.18.0; leave docker/metadata-action@v5.10.0 as-is and
verify workflow still works after updating these tags.
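The pin audit above had to be carried out by hand with a chain of GitHub API queries. As an added example (not part of the PR or of the project's code), the following Python script is an offline first pass for the same review question: it classifies every third-party uses: reference in a workflow as an immutable commit SHA, a mutable release tag or a branch, and flags SHA pins that lack a release-tag comment for exactly the manual verification the review performed. The workflow text, the "# v5.10.0" comment and the branch and local-action steps are constructed; the two SHAs are the ones quoted in the review.

```python
import re

# Constructed sample workflow fragment (not the project's real file). The two
# SHAs are the docker action pins quoted in the review; the "# v5.10.0" comment
# and the branch/local-action steps are hypothetical, added to exercise every case.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - name: Log in to the Container registry
        uses: docker/login-action@28fdb31ff34708d19615a74d67103ddc2ea9725c
      - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
      - uses: docker/build-push-action@main
      - uses: ./.github/actions/local-step
"""

# `uses:` target, optionally followed by a "# vX.Y.Z" comment naming the release.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v\d+(?:\.\d+){0,2}$")

def classify_ref(ref):
    """Full 40-hex commit SHA, vN(.N.N) release tag, or anything else (a branch)."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"

def audit_workflow(text):
    """One finding per third-party `uses:` line. A SHA pin is only "ok" when a
    release-tag comment accompanies it: the SHA itself is immutable, but without the
    tag nobody can tell offline whether it is a released commit (the review had to
    query the GitHub API for that). Tags and branches are mutable and flagged."""
    findings = []
    for match in USES_RE.finditer(text):
        target, comment = match.group(1), match.group(2)
        if target.startswith(("./", "docker://")):
            continue  # local composite actions and images have no upstream git ref
        action, _, ref = target.partition("@")
        kind = classify_ref(ref)
        if kind == "sha":
            status = "ok" if comment and TAG_RE.match(comment) else "sha-without-version-comment"
        elif kind == "tag":
            status = "mutable-tag"
        else:
            status = "mutable-branch"
        findings.append({"action": action, "ref": ref, "kind": kind, "status": status})
    return findings

def needs_attention(findings):
    """Return the action names a reviewer still has to check by hand."""
    return [f["action"] for f in findings if f["status"] != "ok"]

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['status']:28} {f['action']}@{f['ref']}")
```

Whether a flagged SHA is on a released tag still has to be resolved against the upstream repository, as the review did; the script only narrows the list to the pins that need that check.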

Comment on lines +64 to +72
implementation 'org.springframework.data:spring-data-elasticsearch:5.5.6'

implementation "org.springframework:spring-messaging:6.2.2"
implementation "org.springframework:spring-messaging:7.0.1"

// cloud support
implementation "org.springframework.cloud:spring-cloud-starter-config:4.2.0"
implementation "org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:4.2.0"
implementation "org.springframework.cloud:spring-cloud-gateway-mvc:4.2.0"
implementation 'de.codecentric:spring-boot-admin-starter-client:3.4.1'
implementation "org.springframework.cloud:spring-cloud-starter-config:4.3.0"
implementation "org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:4.3.0"
implementation "org.springframework.cloud:spring-cloud-gateway-mvc:4.3.2"
implementation 'de.codecentric:spring-boot-admin-starter-client:3.5.6'
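Review bot: the explicit spring-messaging:7.0.1 pin sits in a build whose Spring Boot plugin is 3.5.8, and Boot 3.5.x manages the Spring Framework 6.2.x line, so this declaration overrides the BOM and puts a Framework 7.0 module next to 6.2 starters; that is the same Boot 4 generation mismatch that already forced spring-data-elasticsearch back from 6.0.0 to 5.5.x in this PR. Prefer dropping the version so the Boot BOM manages spring-messaging, or pin the 6.2.13 that the earlier Renovate commit introduced, and have Renovate track the 6.x branch only. The Spring Cloud 4.3.x and Spring Boot Admin 3.5.6 bumps are consistent with Boot 3.5.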
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, locate the build.gradle file
find . -name "build.gradle" -type f

Repository: kit-data-manager/base-repo

Length of output: 84


🏁 Script executed:

# Check file size and read the build.gradle file
wc -l ./build.gradle && echo "---" && cat -n ./build.gradle

Repository: kit-data-manager/base-repo

Length of output: 6508


🏁 Script executed:

# Check if springBootVersion property is used elsewhere in gradle files
grep -r "springBootVersion" . --include="*.gradle" 2>/dev/null

# Also check the referenced gradle profile files
echo "--- Checking profile-minimal.gradle ---"
cat ./gradle/profile-minimal.gradle 2>/dev/null || echo "File not found"

echo "--- Checking profile-complete.gradle ---"  
cat ./gradle/profile-complete.gradle 2>/dev/null || echo "File not found"

Repository: kit-data-manager/base-repo

Length of output: 815


🏁 Script executed:

# Search for any usage of springBootVersion variable in code or documentation
rg "springBootVersion" --type gradle --type java 2>/dev/null | grep -v "set('springBootVersion"

# Also check if there are any imports or references in other build files
find . -name "*.gradle" -o -name "*.properties" | xargs grep -l "springBootVersion" 2>/dev/null

Repository: kit-data-manager/base-repo

Length of output: 84


Remove the unused springBootVersion property and verify dependency compatibility.

The dependency versions (Spring Data Elasticsearch 5.5.6, Spring Messaging 7.0.1, Spring Cloud modules 4.3.x, Spring Boot Admin 3.5.6, repo-core 1.2.6, service-base 1.3.6, nimbus-jose-jwt 10.6, PostgreSQL 42.7.8, H2 2.4.240, spring-restdocs-mockmvc 3.0.5, and Jacoco 0.8.14) align with Spring Boot 3.5.8. However, the ext block defines an unused springBootVersion property set to "3.2.1" (line 36) that should be removed to avoid confusion. The effective Spring Boot version is 3.5.8 from the plugin declaration.
