Development 2.1.1

[Pfeil]

Summary by CodeRabbit

• Chores
  • Expanded CI to run builds across a broader JDK matrix and updated CI steps to use pinned Gradle/build and artifact actions.
  • Reworked code coverage to run in a dedicated coverage job on a newer JDK, publishing results to Codecov and updating JaCoCo tooling.
  • Upgraded Gradle and refreshed build/test dependency versions, including the Gradle publishing plugin, plus updated the Gradle wrapper scripts.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR migrates coverage reporting from Coveralls to Codecov by removing the Coveralls plugin and adding a dedicated coverage job, expands the JDK test matrix from [17, 21] to [17, 21, 25, 26], pins CI action versions, upgrades Gradle wrapper to 9.5.1 with networking configuration, modernizes both POSIX and Windows wrapper scripts to eliminate CLASSPATH handling, and updates multiple library and plugin dependencies including Jackson, JUnit BOM, and JaCoCo tooling.

Changes

Coverage Migration and CI Modernization

Layer / File(s)	Summary
Coverage migration from Coveralls to Codecov .github/workflows/gradle.yml, build.gradle	Removes the com.github.kt3k.coveralls plugin from the plugins block, updates JaCoCo toolVersion from 0.8.14 to 0.8.15, changes the xml.required comment to reference codecov instead of coveralls, and introduces a new coverage job that runs on ubuntu-latest with JDK 25 to execute JaCoCo verification (clean check jacocoTestReport) and publish results to Codecov.
JDK matrix expansion and CI action pinning .github/workflows/gradle.yml	Test matrix JDK versions expand from [17, 21] to [17, 21, 25, 26]; gradle/actions/setup-gradle is pinned to a specific revision and actions/upload-artifact is updated from v5 to v7; conditional Coveralls/javadoc steps that previously ran only for ubuntu-latest + JDK 21 are removed.
Gradle wrapper upgrade and networking config gradle/wrapper/gradle-wrapper.properties	Gradle version is updated from 8.14.3 to 9.5.1; wrapper download retry controls are added (retries=0, retryBackOffMs=500) alongside the retained networkTimeout=10000.
Shell and batch wrapper script modernization gradlew, gradlew.bat	CLASSPATH handling is removed from both scripts: POSIX script no longer assigns or converts the CLASSPATH variable and relies on -jar wrapper invocation; Windows script replaces shell-specific setlocal with explicit setlocal EnableExtensions, changes Java-not-found error handling to immediate exit via "%COMSPEC%" /c exit 1, and refactors execution/termination with a new :exitWithErrorLevel label. POSIX script header copyright year range and reference URLs are also updated.
Library and plugin version updates build.gradle	Upgrades io.freefair.maven-publish-java from 9.1.0 to 9.5.0, JUnit platform BOM from 6.0.1 to 6.1.0, Jackson (jacksonVersion) from 2.20.1 to 2.22.0, commons-io from 2.21.0 to 2.22.0, zip4j from 2.11.5 to 2.11.6, gg.jte:jte from 3.2.1 to 3.2.4, json-compare from 7.2 to 8.0, and slf4j-jdk14 from 2.0.17 to 2.0.18.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• kit-data-manager/ro-crate-java#204: Modifies build.gradle's JaCoCo tool version and Gradle plugin dependencies in overlapping areas.

Poem

A rabbit rewrote the CI with care,
Coveralls out, Codecov in the air!
JDKs expanded from old to brand new,
Scripts simplified—CLASSPATH went poof—broke through! 🐇
Gradle 9.5 speeds the builds, now we roam! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title "Development 2.1.1" is vague and does not clearly summarize the main changes; it appears to be a version number rather than a descriptive summary of the technical modifications.	Replace with a descriptive title that conveys the primary changes, such as "Upgrade Gradle to 9.5.1 and migrate from Coveralls to Codecov" or similar.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch development

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Coverage Report for CI Build 670

Coverage remained the same at 91.327%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	2456
Covered Lines:	2243
Line Coverage:	91.33%
Coverage Strength:	0.91 hits per line

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/gradle.yml (1)

16-18: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove the unused global COVERALLS_REPO_TOKEN env secret.

After migrating coverage upload to Codecov, exposing the Coveralls token to all jobs is unnecessary secret surface and violates least-privilege.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gradle.yml around lines 16 - 18, The COVERALLS_REPO_TOKEN
environment variable is still being exposed globally in the workflow file's env
section even though coverage reporting has been migrated to Codecov, creating an
unnecessary security exposure. Remove the entire COVERALLS_REPO_TOKEN
environment variable definition (lines 16-18) from the global env section in the
gradle.yml workflow file to follow the principle of least privilege and
eliminate unnecessary secret surface area.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gradle.yml:
- Line 24: The CI workflow matrix in .github/workflows/gradle.yml specifies only
JDK versions 21 and 25, but build.gradle declares Java 17 as the target
bytecode, creating a mismatch between the declared Java compatibility and what
is actually tested. Either add Java 17 to the jdk array in the workflow to
ensure the declared baseline is tested in CI, or update build.gradle to remove
Java 17 as the target bytecode and align it with the CI matrix versions being
tested. Choose whichever matches your actual Java 17 support policy for the
project.
- Line 28: The checkout steps in the workflow file are using the default
credential persistence behavior, which keeps GitHub tokens in local git config
and poses a security risk. Add `persist-credentials: false` to each checkout
step (the uses: actions/checkout action at the line shown and at the additional
locations mentioned in "Also applies to") to explicitly disable credential
persistence unless it is explicitly required for subsequent steps.
- Line 30: Replace the tag-based version pinning for the actions/setup-java and
codecov/codecov-action actions with commit SHA references instead of `@v5` tags.
Tag-based references are mutable and can introduce supply-chain risks, whereas
SHA pinning provides immutability and consistency with the other actions already
used in the workflow. Update each occurrence of these actions to use the full
commit SHA format (e.g., `@<full-commit-sha>`) instead of the version tag.

---

Outside diff comments:
In @.github/workflows/gradle.yml:
- Around line 16-18: The COVERALLS_REPO_TOKEN environment variable is still
being exposed globally in the workflow file's env section even though coverage
reporting has been migrated to Codecov, creating an unnecessary security
exposure. Remove the entire COVERALLS_REPO_TOKEN environment variable definition
(lines 16-18) from the global env section in the gradle.yml workflow file to
follow the principle of least privilege and eliminate unnecessary secret surface
area.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 525c4f61-c482-4801-a7e0-8c0794ca8d2c

📥 Commits

Reviewing files that changed from the base of the PR and between 4ff6e42 and b48f3d7.

📒 Files selected for processing (2)

• .github/workflows/gradle.yml
• build.gradle

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

build.gradle (1)

59-59: Move json-compare to testImplementation scope.

This dependency is used only in test code (UtilFunctionsTest.java and HelpFunctions.java), but is currently added to the runtime classpath via implementation. Use testImplementation to exclude it from the published runtime dependencies.

Suggested diff

-    implementation 'com.github.fslev:json-compare:8.0'
+    testImplementation 'com.github.fslev:json-compare:8.0'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build.gradle` at line 59, The json-compare dependency is currently declared
with the implementation scope in build.gradle at line 59, which includes it in
the runtime classpath. Since this dependency is only used in test code, change
the scope from implementation to testImplementation to exclude it from published
runtime dependencies.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@gradlew.bat`:
- Line 54: The error handling code that executes `"%COMSPEC%" /c exit 1` only
terminates the child command process but allows the parent batch script to
continue executing subsequent statements. After each error exit command in the
script, add an explicit control-flow directive such as `goto :eof` or `exit /b`
immediately following the exit statement to prevent execution fallthrough and
ensure the script terminates properly instead of attempting to run Gradle with
invalid or unset variables like JAVA_EXE.

---

Nitpick comments:
In `@build.gradle`:
- Line 59: The json-compare dependency is currently declared with the
implementation scope in build.gradle at line 59, which includes it in the
runtime classpath. Since this dependency is only used in test code, change the
scope from implementation to testImplementation to exclude it from published
runtime dependencies.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fa9819ec-2750-4709-b55c-090a221b36d5

📥 Commits

Reviewing files that changed from the base of the PR and between b48f3d7 and 8ffc89e.

⛔ Files ignored due to path filters (1)

• gradle/wrapper/gradle-wrapper.jar is excluded by !**/*.jar

📒 Files selected for processing (5)

• .github/workflows/gradle.yml
• build.gradle
• gradle/wrapper/gradle-wrapper.properties
• gradlew
• gradlew.bat

✅ Files skipped from review due to trivial changes (1)

• gradle/wrapper/gradle-wrapper.properties

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Show the Java-discovery exit commands and the immediately following control-flow lines.
python - <<'PY'
from pathlib import Path

lines = Path("gradlew.bat").read_text().splitlines()
for i, line in enumerate(lines, start=1):
    if line.strip() == '"%COMSPEC%" /c exit 1':
        print(f"Line {i}: {line}")
        for j in range(i + 1, min(i + 4, len(lines) + 1)):
            print(f"Line {j}: {lines[j - 1]}")
        print()
PY

Repository: kit-data-manager/ro-crate-java

Length of output: 282

---

🏁 Script executed:

#!/bin/bash
# Get the context around lines 40-80 in gradlew.bat
head -80 gradlew.bat | tail -50

Repository: kit-data-manager/ro-crate-java

Length of output: 1695

---

Add control-flow statements to prevent execution fallthrough after error handling.

"%COMSPEC%" /c exit 1 exits only the child cmd.exe process; the parent batch file continues executing the next statement. Both error paths at lines 54 and 68 lack explicit control-flow directives (goto :eof, exit /b) and will fall through into subsequent code, attempting to execute Gradle with invalid or unset JAVA_EXE instead of stopping at the error.

Proposed fix

 echo location of your Java installation. 1>&2
 
 "%COMSPEC%" /c exit 1
+goto :eof
 
 :findJavaFromJavaHome

 echo location of your Java installation. 1>&2
 
 "%COMSPEC%" /c exit 1
+goto :eof
 
 :execute

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"%COMSPEC%" /c exit 1
	"%COMSPEC%" /c exit 1
	goto :eof

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@gradlew.bat` at line 54, The error handling code that executes `"%COMSPEC%"
/c exit 1` only terminates the child command process but allows the parent batch
script to continue executing subsequent statements. After each error exit
command in the script, add an explicit control-flow directive such as `goto
:eof` or `exit /b` immediately following the exit statement to prevent execution
fallthrough and ensure the script terminates properly instead of attempting to
run Gradle with invalid or unset variables like JAVA_EXE.