ci: test each Vaadin version on its exact baseline JDK

[javier-godoy]

The previous CI workflow ran a single JDK 17 job over the whole aggregator. This broke the tests-v25 build (Vaadin 25 is compiled to Java 21 bytecode and cannot load on JDK 17), and missed verifying Vaadin 14 on Java 8 and Vaadin 23 on Java 11.

Changes

• .github/workflows/maven.yml — replaces the single-job build with a matrix of four independent jobs, each targeting the exact JDK baseline of the Vaadin version under test:

Job	Module	Build JDK	Run JDK
JDK 8	tests-v14	17	8
JDK 11	tests-v23	17	11
JDK 17	tests-v24	17	17
JDK 21	tests-v25	21	21

• The JDK 8/11 jobs compile on JDK 17 (required because the shared *Test25 sources import Jackson 3, which is Java 17 bytecode) and fork the Surefire test JVM onto the older runtime via -Djvm.
• tests-shared/pom.xml — removes JsonMigrationHelper25Test from the default surefire run-set. That suite tests the Jackson-backed JsonMigrationHelper25, which is only the active implementation on Vaadin 25 (and Jackson 3 requires Java 17+ at runtime). It stays in the tests-v25 include list where it belongs.

Verified locally on all four JDKs using the exact matrix commands: 76 / 77 / 77 / 83 tests pass with zero failures.

Summary by CodeRabbit

• Chores
  • Refactored CI workflow to separate build and runtime Java selections, conditionally install runtimes, and ensure tests run on the intended JVM for better cross-version validation.
  • Updated test selection rules so version-specific test suites are clearer and unnecessary explicit test entries were removed, improving test organization and reliability.

[coderabbitai]

Walkthrough

The PR refactors the GitHub Actions Maven test matrix to separate runtime JDK (for executing tests) from build JDK (for compiling) and updates Surefire includes so per-module test suites (tests-v14/v23/v24 vs tests-v25) run under the intended JVM configuration.

Changes

CI Test Matrix and JDK Forking

Layer / File(s)	Summary
Maven matrix and JDK forking setup .github/workflows/maven.yml	Replaces Vaadin-keyed matrix with explicit run-java, build-java, module, and test-jvm fields; job wiring installs runtime JDK only when different from build JDK, configures build JDK as Maven's JAVA_HOME, and calls mvn -B package -pl ${{ matrix.module }} -am ${{ matrix.test-jvm }} so tests can fork to the specified runtime JVM.
Surefire test selection coordination tests-shared/pom.xml	Clarifies comments that tests-v25 uses Jackson *Test25 suites while tests-v14/v23/v24 use legacy *Test24 suites; removes explicit JsonMigrationHelper25Test.java inclusion from the default includes block, leaving **/*Test24.java in that include section.

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• FlowingCode/JsonMigrationHelper#36: Both PRs modify CI/Maven wiring and tests-shared/Surefire setup introduced in PR #36.

Suggested reviewers

• scardanzan
• paodb

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: updating CI to test each Vaadin version on its exact baseline JDK, addressing the root cause of prior test failures.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-20260610

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/maven.yml (1)

19-64: 💤 Low value

Consider adding security hardening to the workflow (optional).

The static analysis tools flag several security best practices that could be applied:

1. Credential persistence: Add persist-credentials: false to the checkout step to prevent credentials from being accessible to later steps via the git config.
2. Explicit permissions: Add a permissions: block to grant only the minimum required token permissions (likely just contents: read).
3. Pin actions to commit hashes: Replace version tags like @v3 with commit SHA hashes to prevent supply-chain attacks via tag updates.

These are established security best practices but may be beyond this PR's scope if not already part of the project's security policy.

🔒 Example hardening (if desired)

 jobs:
-
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       # ... matrix ...
     name: JDK ${{ matrix.run-java }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up runtime JDK ${{ matrix.run-java }}
       if: matrix.run-java != matrix.build-java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.run-java }}
         distribution: 'temurin'
     # ...
     - name: Set up build JDK ${{ matrix.build-java }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.build-java }}
         distribution: 'temurin'

(Pinning to commit hashes is even more secure but harder to maintain.)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maven.yml around lines 19 - 64, Add workflow hardening:
set persist-credentials: false on the "actions/checkout@v3" step (the checkout
step), add an explicit permissions block granting only contents: read for the
job (or workflow) to minimize token scope, and replace mutable action tags
"actions/checkout@v3" and "actions/setup-java@v3" (used in the "Set up runtime
JDK" and "Set up build JDK" steps) with pinned commit SHAs; ensure the checkout
step and both setup-java steps are updated and the permissions block is added
near the job definition.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven.yml:
- Around line 48-62: Update the GitHub Actions steps that reference legacy
action versions: change the uses entries for actions/checkout@v3 to
actions/checkout@v6 and both actions/setup-java@v3 occurrences to
actions/setup-java@v5, preserving the existing with keys (java-version,
distribution) and the cache: maven setting; ensure the conditional block (if:
matrix.run-java != matrix.build-java) and the separate "Set up runtime JDK" and
"Set up build JDK" step names remain unchanged so behavior and JVM home handling
are preserved.

---

Nitpick comments:
In @.github/workflows/maven.yml:
- Around line 19-64: Add workflow hardening: set persist-credentials: false on
the "actions/checkout@v3" step (the checkout step), add an explicit permissions
block granting only contents: read for the job (or workflow) to minimize token
scope, and replace mutable action tags "actions/checkout@v3" and
"actions/setup-java@v3" (used in the "Set up runtime JDK" and "Set up build JDK"
steps) with pinned commit SHAs; ensure the checkout step and both setup-java
steps are updated and the permissions block is added near the job definition.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3808dbc1-e267-4c7a-a2ce-7b500af3bb03

📥 Commits

Reviewing files that changed from the base of the PR and between 4f9d773 and f4c1d9b.

📒 Files selected for processing (2)

• .github/workflows/maven.yml
• tests-shared/pom.xml

[javier-godoy]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[javier-godoy]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maven.yml:
- Around line 48-58: Replace floating action tags and disable checkout
credential persistence: update the "actions/checkout" invocation to use the
immutable SHA df4cb1c069e1874edd31b4311f1884172cec0e10 and add with:
persist-credentials: false to that step, and change both "actions/setup-java"
steps (the ones named "Set up runtime JDK ${{ matrix.run-java }}" and "Set up
build JDK ${{ matrix.build-java }}") to use the immutable SHA
be666c2fcd27ec809703dec50e508c2fdc7f6654 instead of `@v5`.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d14b380a-21ae-40d0-b7f3-4f5a5503973d

📥 Commits

Reviewing files that changed from the base of the PR and between f4c1d9b and 1a30519.

📒 Files selected for processing (1)

• .github/workflows/maven.yml