build(registry): publish to Forgejo Maven package registry (PR-PLATFORM-CI-1) #10

Merged

hibryda merged 2 commits from feat/maven-registry-deploy into main 2026-05-28 17:30:35 +02:00

Conversation 2 Commits 2 Files changed 2 +91 -1

hibryda commented 2026-05-28 17:16:19 +02:00

Owner

Copy link

Forgejo Maven package registry — resolves the identity PR #5 MAJOR

Adds <distributionManagement> (id forgejo-air) → the affinity-intelligence-rework org's Forgejo Maven package registry, so platform-libs 1.1.0-SNAPSHOT is resolvable from a remote. This is the operator-chosen fix ("build the Maven registry first") for the identity PR #5 R3 MAJOR — a SNAPSHOT coordinate with no remote repo fails any clean/ephemeral build.

Consumers add a matching <repositories> entry (identity-service PR #5 R4 does this); credentials live ONLY in ~/.m2/settings.xml under <server id="forgejo-air"> (a write:package Forgejo token), never in the POM.

Verified end-to-end (2026-05-28)

• mvn -DskipTests deploy → all 6 modules + parent uploaded 1.1.0-SNAPSHOT (timestamped 1.1.0-20260528.151158-1) to the registry — BUILD SUCCESS.
• A fresh empty local repo resolved com.aim2be:redis-outbox-backend:1.1.0-SNAPSHOT from the registry (no local install) — BUILD SUCCESS.
• Registry read is anonymous/public (HTTP 200 without a token) → a clean CI resolves with zero creds; only deploy (write) needs the token.

Deploy from any JDK17 host (does NOT need the Forgejo Actions runner — its toolchain bug is the separate half of PR-PLATFORM-CI-1, task #300).

Note: the Forgejo mvn install CI check stays red here for that runner-toolchain reason; verified locally.

## Forgejo Maven package registry — resolves the identity PR #5 MAJOR Adds `<distributionManagement>` (id `forgejo-air`) → the affinity-intelligence-rework org's Forgejo Maven package registry, so platform-libs `1.1.0-SNAPSHOT` is resolvable from a **remote**. This is the operator-chosen fix ("build the Maven registry first") for the identity PR #5 R3 MAJOR — a SNAPSHOT coordinate with no remote repo fails any clean/ephemeral build. Consumers add a matching `<repositories>` entry (identity-service PR #5 R4 does this); credentials live ONLY in `~/.m2/settings.xml` under `<server id="forgejo-air">` (a `write:package` Forgejo token), never in the POM. ### Verified end-to-end (2026-05-28) - `mvn -DskipTests deploy` → all 6 modules + parent uploaded `1.1.0-SNAPSHOT` (timestamped `1.1.0-20260528.151158-1`) to the registry — BUILD SUCCESS. - A **fresh empty local repo** resolved `com.aim2be:redis-outbox-backend:1.1.0-SNAPSHOT` from the registry (no local install) — BUILD SUCCESS. - Registry **read is anonymous/public** (HTTP 200 without a token) → a clean CI resolves with zero creds; only deploy (write) needs the token. Deploy from any JDK17 host (does NOT need the Forgejo Actions runner — its toolchain bug is the separate half of PR-PLATFORM-CI-1, task #300). Note: the Forgejo `mvn install` CI check stays red here for that runner-toolchain reason; verified locally.

hibryda added 1 commit 2026-05-28 17:16:19 +02:00

build(registry): publish to Forgejo Maven package registry (PR-PLATFORM-CI-1) ... 2d86c0f2e5

Add <distributionManagement> (id forgejo-air) targeting the affinity-intelligence
-rework org's Forgejo Maven package registry, so platform-libs 1.1.0-SNAPSHOT is
resolvable from a REMOTE — resolving the identity PR #5 R3 MAJOR (a SNAPSHOT
coordinate with no remote repo fails any clean/ephemeral build). Consumers add a
matching <repositories> entry; credentials live ONLY in ~/.m2/settings.xml under
<server id="forgejo-air"> (a write:package Forgejo token), never in the POM.

Verified end-to-end (2026-05-28):
- mvn -DskipTests deploy → all 6 modules + parent uploaded 1.1.0-SNAPSHOT
  (timestamped 1.1.0-20260528.151158-1) to the registry, BUILD SUCCESS.
- A FRESH empty local repo resolved com.aim2be:redis-outbox-backend:1.1.0-SNAPSHOT
  from the registry (no local install), BUILD SUCCESS.
- Registry READ is anonymous/public (HTTP 200 without a token), so a clean CI
  resolves with zero creds — only deploy (write) needs the token.

Deploy from any JDK17 host (does NOT need the Forgejo Actions runner, which is
still toolchain-broken — that half of PR-PLATFORM-CI-1 is separate).

pr-reviewer-bot commented 2026-05-28 17:20:24 +02:00

Member

Copy link

Superseded by round 2.

Show previous round

hib-pr-reviewer review — PR #10 (affinity-intelligence-rework/im2be-platform-libs)

Round 1 — head 2d86c0f2e5fb, base main, trigger opened

TL;DR: CONDITIONAL_APPROVE — kept 1 unique-to-A minor finding (verified: no source/javadoc plugins); B's summary-only observations noted in prose, not promoted to findings.

Summary

Arbitration — Round 1

One finding from A (unique, minor) was verified and kept. Reviewer B returned an empty findings array but mentioned two concerns in their narrative summary; per the output contract (rule 6) and my reconciliation mandate (not a fresh review), those summary-only observations are captured here in prose only.

A's finding — verified KEPT: Grep over the full pom.xml confirms zero occurrences of maven-source-plugin or maven-javadoc-plugin. The pluginManagement block (lines 120-149) contains only maven-compiler-plugin, maven-surefire-plugin, and maven-failsafe-plugin. With distributionManagement now live, mvn deploy will publish assembled JARs only — no sources or javadoc artifacts. Finding is grounded; retained as minor.

B's summary observations (not in findings[]): (1) .forgejo/workflows/ci.yml line 14 explicitly reads # Future: PR-PLATFORM-CI-1 adds a tag-push job — no such job appears in the file; the PR adds only the POM-side distributionManagement. (2) pom.xml:22-24 retains a TODO referencing PR-PLATFORM-CI-1; configuring distributionManagement partially satisfies it but the altDeploymentRepository CI step and the stale comment remain. B chose to omit these from findings[]; as arbiter I do not generate fresh findings, so they stay as prose notes only. The stale TODO is low-severity and consistent with A's defer posture.

Blast Radius

The diff touches only pom.xml, adding a distributionManagement block that establishes the Forgejo Maven registry endpoint. While a single-file change, the effect is cross-cutting: once a deploy is triggered, all five library modules are published to a shared registry endpoint consumed by 8 downstream services. Misconfiguration would block resolution for all consumers, but the structural change here is mechanically correct.

BLAST_SCORE: 4/10

CI status (head 2d86c0f2e5fb)

Overall: ✗ failure

2 checks: 2 pending

Check	State	Link
im2be-platform-libs CI / mvn install (pull_request)	⏳ pending	details
im2be-platform-libs CI / mvn verify (main only) (pull_request)	⏳ pending	details

Findings (1)

[MINOR] No maven-source-plugin or maven-javadoc-plugin configured — mvn deploy will publish main JARs only

pom.xml:106

Verified: grep across the full pom.xml finds no occurrences of either plugin. The pluginManagement block (lines 120-149) contains only maven-compiler-plugin, maven-surefire-plugin, and maven-failsafe-plugin. Activating distributionManagement means mvn deploy will upload compiled JARs but produce no *-sources.jar or *-javadoc.jar artifacts. For a shared library consumed by 8 services, missing sources JARs degrade IDE navigation for every downstream consumer at release time. Recommended fix: add both plugins to pluginManagement with <executions><execution><goals><goal>jar</goal></goals></execution></executions> bound to the verify phase. Acceptable to defer until first release cut, but file now so it isn't forgotten.

Verdict

CONDITIONAL_APPROVE

---

_{hib-pr-reviewer • round 1 • 1 finding (1m) • 2026-05-28T15:19:10.848Z → 2026-05-28T15:20:23.970Z • posted-as: pr-reviewer-bot}

<!-- hib-pr-reviewer collapsed --> > _Superseded by round 2._ <details> <summary>Show previous round</summary> ## hib-pr-reviewer review — PR #10 (affinity-intelligence-rework/im2be-platform-libs) **Round 1** — head `2d86c0f2e5fb`, base `main`, trigger `opened` **TL;DR:** CONDITIONAL_APPROVE — kept 1 unique-to-A minor finding (verified: no source/javadoc plugins); B's summary-only observations noted in prose, not promoted to findings. ### Summary ## Arbitration — Round 1 One finding from A (unique, minor) was verified and kept. Reviewer B returned an empty findings array but mentioned two concerns in their narrative summary; per the output contract (rule 6) and my reconciliation mandate (not a fresh review), those summary-only observations are captured here in prose only. **A's finding — verified KEPT:** Grep over the full `pom.xml` confirms zero occurrences of `maven-source-plugin` or `maven-javadoc-plugin`. The `pluginManagement` block (lines 120-149) contains only `maven-compiler-plugin`, `maven-surefire-plugin`, and `maven-failsafe-plugin`. With `distributionManagement` now live, `mvn deploy` will publish assembled JARs only — no sources or javadoc artifacts. Finding is grounded; retained as minor. **B's summary observations (not in findings[]):** (1) `.forgejo/workflows/ci.yml` line 14 explicitly reads `# Future: PR-PLATFORM-CI-1 adds a tag-push job` — no such job appears in the file; the PR adds only the POM-side `distributionManagement`. (2) `pom.xml:22-24` retains a TODO referencing `PR-PLATFORM-CI-1`; configuring `distributionManagement` partially satisfies it but the `altDeploymentRepository` CI step and the stale comment remain. B chose to omit these from findings[]; as arbiter I do not generate fresh findings, so they stay as prose notes only. The stale TODO is low-severity and consistent with A's defer posture. ### Blast Radius The diff touches only `pom.xml`, adding a `distributionManagement` block that establishes the Forgejo Maven registry endpoint. While a single-file change, the effect is cross-cutting: once a deploy is triggered, all five library modules are published to a shared registry endpoint consumed by 8 downstream services. Misconfiguration would block resolution for all consumers, but the structural change here is mechanically correct. **BLAST_SCORE: 4/10** ### CI status (head `2d86c0f2e5fb`) **Overall: ✗ failure** 2 checks: 2 pending | Check | State | Link | |---|---|---| | im2be-platform-libs CI / mvn install (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-platform-libs/actions/runs/75/jobs/0) | | im2be-platform-libs CI / mvn verify (main only) (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-platform-libs/actions/runs/75/jobs/1) | ### Findings (1) #### **[MINOR]** No `maven-source-plugin` or `maven-javadoc-plugin` configured — `mvn deploy` will publish main JARs only _pom.xml:106_ Verified: grep across the full `pom.xml` finds no occurrences of either plugin. The `pluginManagement` block (lines 120-149) contains only `maven-compiler-plugin`, `maven-surefire-plugin`, and `maven-failsafe-plugin`. Activating `distributionManagement` means `mvn deploy` will upload compiled JARs but produce no `*-sources.jar` or `*-javadoc.jar` artifacts. For a shared library consumed by 8 services, missing sources JARs degrade IDE navigation for every downstream consumer at release time. Recommended fix: add both plugins to `pluginManagement` with `<executions><execution><goals><goal>jar</goal></goals></execution></executions>` bound to the `verify` phase. Acceptable to defer until first release cut, but file now so it isn't forgotten. ### Verdict **CONDITIONAL_APPROVE** --- _{hib-pr-reviewer • round 1 • 1 finding (1m) • 2026-05-28T15:19:10.848Z → 2026-05-28T15:20:23.970Z • posted-as: pr-reviewer-bot} </details>

hibryda referenced this pull request from a commit 2026-05-28 17:26:54 +02:00

build(registry): publish -sources + -javadoc JARs (PR #10 R1)

hibryda added 1 commit 2026-05-28 17:26:54 +02:00

build(registry): publish -sources + -javadoc JARs (PR #10 R1) ... 0bc1f67f7e

R1 verdict CONDITIONAL_APPROVE, 1 MINOR:

(1) MINOR — no maven-source-plugin / maven-javadoc-plugin, so `mvn deploy`
    published only main JARs; a shared library consumed by 8 services should ship
    -sources + -javadoc for downstream IDE navigation.

Fix: add both plugins to the parent <build><plugins> (versions managed by the
spring-boot-starter-parent BOM) — every child JAR module now attaches a
-sources.jar (source:jar-no-fork) + a -javadoc.jar (javadoc:jar). javadoc config:
  - doclint=all,-missing — validates the javadoc that EXISTS (HTML, @link, tag
    syntax) but does not fail on members without comments (standard published-lib
    config; private fields are excluded from output anyway).
  - <tags> registers the JDK doc tags apiNote/implSpec/implNote (the code uses
    @apiNote per the JDK convention; otherwise "unknown tag: apiNote").
Also fixed archunit-rules EntityVersionParityArchTest Javadoc: a line-start
`@Version` was parsed as a block tag → "unknown tag: Version"; wrapped as
{@code @Version}.

Verified: mvn -DskipTests package → all 6 modules produce both -sources.jar +
-javadoc.jar, BUILD SUCCESS. Re-deployed to the registry — main + sources +
javadoc now published for every module (1.1.0-20260528.152612-2).

pr-reviewer-bot commented 2026-05-28 17:29:48 +02:00

Member

Copy link

hib-pr-reviewer review — PR #10 (affinity-intelligence-rework/im2be-platform-libs)

Round 2 — head 0bc1f67f7e6a, base main, trigger synchronize

TL;DR: NO_NEW_FINDINGS — No new findings this round.

Summary

[quorum-converged] A=0 = B=0. ## Round 2 — PR #10 (build(registry): publish to Forgejo Maven package registry)

Round 1 finding status

The sole open finding from round 1 — No maven-source-plugin or maven-javadoc-plugin configured — is fully resolved in this diff. Both plugins are now declared in <build><plugins> at lines 157–214 of pom.xml.

Diff analysis

pom.xml

• distributionManagement: both <repository> and <snapshotRepository> correctly target the Forgejo packages API endpoint; using the same <id> for both is valid since they share credentials and point to the same URL (Forgejo dispatches by version suffix).
• maven-source-plugin with jar-no-fork: correct goal choice (avoids a redundant compile fork). No explicit <version> needed — verified that spring-boot-starter-parent 3.x does manage this plugin in its pluginManagement. Both source and javadoc plugins will correctly skip the pom-packaged parent module (the source plugin checks project.packaging == "pom" internally; the javadoc plugin's AbstractJavadocMojo similarly early-exits for pom modules).
• maven-javadoc-plugin with doclint:all,-missing: valid lint stance for a library (validates well-formed tags / HTML / @link targets without rejecting missing @param/@return prose). Custom @apiNote, @implSpec, @implNote tag registrations are correct for Java 17 source that uses JDK convention tags.
• <quiet>true</quiet>: acceptable; does not suppress doclint errors, only informational lines.

archunit-rules/…/EntityVersionParityArchTest.java

• Old @Version bare in a Javadoc block comment would be treated by javadoc as an unknown block tag and would fail under doclint:all once the plugin is active. The replacement {@code @Version} is the correct Javadoc inline-code escape. This fix is necessary for the build to pass with the new plugin configuration.

CI status (head 0bc1f67f7e6a)

Overall: ✗ failure

2 checks: 2 pending

Check	State	Link
im2be-platform-libs CI / mvn install (pull_request)	⏳ pending	details
im2be-platform-libs CI / mvn verify (main only) (pull_request)	⏳ pending	details

Findings

No new findings this round.

Quorum converged on empty findings (A + B both returned 0).

Verdict

NO_NEW_FINDINGS

---

_{hib-pr-reviewer • round 2 • 0 findings • 2026-05-28T15:26:55.258Z → 2026-05-28T15:29:48.426Z • posted-as: pr-reviewer-bot • [bookkeeping fallback]}

## hib-pr-reviewer review — PR #10 (affinity-intelligence-rework/im2be-platform-libs) **Round 2** — head `0bc1f67f7e6a`, base `main`, trigger `synchronize` **TL;DR:** NO_NEW_FINDINGS — No new findings this round. ### Summary [quorum-converged] A=0 = B=0. ## Round 2 — PR #10 (`build(registry): publish to Forgejo Maven package registry`) ### Round 1 finding status The sole open finding from round 1 — *No `maven-source-plugin` or `maven-javadoc-plugin` configured* — is **fully resolved** in this diff. Both plugins are now declared in `<build><plugins>` at lines 157–214 of `pom.xml`. ### Diff analysis **`pom.xml`** - `distributionManagement`: both `<repository>` and `<snapshotRepository>` correctly target the Forgejo packages API endpoint; using the same `<id>` for both is valid since they share credentials and point to the same URL (Forgejo dispatches by version suffix). - `maven-source-plugin` with `jar-no-fork`: correct goal choice (avoids a redundant compile fork). No explicit `<version>` needed — verified that `spring-boot-starter-parent` 3.x does manage this plugin in its pluginManagement. Both source and javadoc plugins will correctly skip the `pom`-packaged parent module (the source plugin checks `project.packaging == "pom"` internally; the javadoc plugin's `AbstractJavadocMojo` similarly early-exits for pom modules). - `maven-javadoc-plugin` with `doclint:all,-missing`: valid lint stance for a library (validates well-formed tags / HTML / @link targets without rejecting missing `@param`/`@return` prose). Custom `@apiNote`, `@implSpec`, `@implNote` tag registrations are correct for Java 17 source that uses JDK convention tags. - `<quiet>true</quiet>`: acceptable; does not suppress doclint errors, only informational lines. **`archunit-rules/…/EntityVersionParityArchTest.java`** - Old `@Version` bare in a Javadoc block comment would be treated by javadoc as an unknown block tag and would fail under `doclint:all` once the plugin is active. The replacement `{@code @Version}` is the correct Javadoc inline-code escape. This fix is necessary for the build to pass with the new plugin configuration. ### CI status (head `0bc1f67f7e6a`) **Overall: ✗ failure** 2 checks: 2 pending | Check | State | Link | |---|---|---| | im2be-platform-libs CI / mvn install (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-platform-libs/actions/runs/76/jobs/0) | | im2be-platform-libs CI / mvn verify (main only) (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-platform-libs/actions/runs/76/jobs/1) | ### Findings **No new findings this round.** _Quorum converged on empty findings (A + B both returned 0)._ ### Verdict **NO_NEW_FINDINGS** --- _{hib-pr-reviewer • round 2 • 0 findings • 2026-05-28T15:26:55.258Z → 2026-05-28T15:29:48.426Z • posted-as: pr-reviewer-bot • [bookkeeping fallback]}

hibryda merged commit 2408ea78c8 into main 2026-05-28 17:30:35 +02:00

hibryda deleted branch feat/maven-registry-deploy 2026-05-28 17:30:35 +02:00

hibryda referenced this pull request from a commit 2026-05-28 17:30:35 +02:00

build(registry): publish platform-libs to Forgejo Maven registry + sources/javadoc JARs (#10)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

affinity-intelligence-rework/im2be-platform-libs!10

No description provided.