Development 2.1.1

[Pfeil]

Summary by CodeRabbit

• Chores
  • Expanded CI to run builds across a broader JDK matrix, updated Gradle setup and artifact upload steps to pinned actions, and moved coverage reporting into a dedicated job on a newer JDK.
  • Updated Gradle tooling: upgraded the Gradle wrapper (including networking retry settings), refreshed Gradle and build dependency versions, and adjusted JaCoCo configuration for current coverage publishing.
  • Added a Java/Gradle dev container with Node.js tooling and build-time version checks for a smoother local development setup.

[coderabbitai]

Warning

Review limit reached

@Pfeil, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 23 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bbe8ca05-776e-4e82-8268-ee5f00fcdc0f

📥 Commits

Reviewing files that changed from the base of the PR and between 58914b7 and aebc360.

📒 Files selected for processing (7)

• .github/workflows/codeql-analysis.yml
• .github/workflows/gradle.yml
• .github/workflows/publishRelease.yml
• build.gradle
• gradle/wrapper/gradle-wrapper.properties
• gradlew
• gradlew.bat

📝 Walkthrough

Walkthrough

The PR migrates coverage reporting from Coveralls to Codecov by removing the Coveralls plugin and adding a dedicated coverage job, expands the JDK test matrix from [17, 21] to [17, 21, 25, 26], pins CI action versions, upgrades Gradle wrapper to 9.5.1 with networking configuration, modernizes both POSIX and Windows wrapper scripts to eliminate CLASSPATH handling, updates multiple library and plugin dependencies including Jackson, JUnit BOM, and JaCoCo tooling, and adds a development container with Java 25 and Node.js support.

Changes

Coverage Migration and CI Modernization

Layer / File(s)	Summary
Coverage migration from Coveralls to Codecov .github/workflows/gradle.yml, build.gradle	Removes the com.github.kt3k.coveralls plugin from the plugins block, updates JaCoCo toolVersion from 0.8.14 to 0.8.15, changes the xml.required comment to reference codecov instead of coveralls, and introduces a new coverage job that runs on ubuntu-latest with JDK 25 to execute JaCoCo verification (clean check jacocoTestReport) and publish results to Codecov.
JDK matrix expansion and CI action pinning .github/workflows/gradle.yml	Test matrix JDK versions expand from [17, 21] to [17, 21, 25, 26]; gradle/actions/setup-gradle is pinned to a specific revision and actions/upload-artifact is updated from v5 to v7; conditional Coveralls/javadoc steps that previously ran only for ubuntu-latest + JDK 21 are removed.
Gradle wrapper upgrade and networking config gradle/wrapper/gradle-wrapper.properties	Gradle version is updated from 8.14.3 to 9.5.1; wrapper download retry controls are added (retries=0, retryBackOffMs=500) alongside the retained networkTimeout=10000.
Shell and batch wrapper script modernization gradlew, gradlew.bat	CLASSPATH handling is removed from both scripts: POSIX script no longer assigns or converts the CLASSPATH variable and relies on -jar wrapper invocation; Windows script replaces shell-specific setlocal with explicit setlocal EnableExtensions, changes Java-not-found error handling to immediate exit via "%COMSPEC%" /c exit 1, and refactors execution/termination with a new :exitWithErrorLevel label. POSIX script header copyright year range and reference URLs are also updated.
Library and plugin version updates build.gradle	Upgrades io.freefair.maven-publish-java from 9.1.0 to 9.5.0, JUnit platform BOM from 6.0.1 to 6.1.0, Jackson (jacksonVersion) from 2.20.1 to 2.22.0, commons-io from 2.21.0 to 2.22.0, zip4j from 2.11.5 to 2.11.6, gg.jte:jte from 3.2.1 to 3.2.4, json-compare from 7.2 to 8.0, and slf4j-jdk14 from 2.0.17 to 2.0.18.

Development Container Setup

Layer / File(s)

Summary

Dev container image and configuration .devcontainer/Dockerfile, .devcontainer/devcontainer.json

Introduces a new .devcontainer/Dockerfile based on Java 25 that installs Node.js via NodeSource 24.x package manager and globally installs the ro-crate-html-js npm package with build-time verification steps. Adds .devcontainer/devcontainer.json configuration file that specifies the container name ("Java (Gradle)"), builds the image via the Dockerfile, enables the Zed editor Java extension, and forwards port 8080 for local development access.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• kit-data-manager/ro-crate-java#204: Modifies build.gradle's JaCoCo tool version and Gradle plugin dependencies in overlapping areas.

Poem

A rabbit rewrote the CI with care,
Coveralls out, Codecov in the air!
JDKs expanded from old to brand new,
Scripts simplified—CLASSPATH went poof—broke through! 🐇
Dev containers and Gradle 9.5 roam! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Development 2.1.1' is vague and generic, using a version number format that does not convey meaningful information about the changeset's primary modifications.	Replace with a descriptive title that highlights the main changes, such as 'Upgrade Gradle to 9.5.1, update CI workflows, and add devcontainer configuration' or 'Update build tooling, CI/CD pipeline, and development environment setup'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch development

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coveralls]

Coverage Report for CI Build 670

Coverage remained the same at 91.327%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	2456
Covered Lines:	2243
Line Coverage:	91.33%
Coverage Strength:	0.91 hits per line

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/gradle.yml (1)

16-18: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove the unused global COVERALLS_REPO_TOKEN env secret.

After migrating coverage upload to Codecov, exposing the Coveralls token to all jobs is unnecessary secret surface and violates least-privilege.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gradle.yml around lines 16 - 18, The COVERALLS_REPO_TOKEN
environment variable is still being exposed globally in the workflow file's env
section even though coverage reporting has been migrated to Codecov, creating an
unnecessary security exposure. Remove the entire COVERALLS_REPO_TOKEN
environment variable definition (lines 16-18) from the global env section in the
gradle.yml workflow file to follow the principle of least privilege and
eliminate unnecessary secret surface area.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gradle.yml:
- Line 24: The CI workflow matrix in .github/workflows/gradle.yml specifies only
JDK versions 21 and 25, but build.gradle declares Java 17 as the target
bytecode, creating a mismatch between the declared Java compatibility and what
is actually tested. Either add Java 17 to the jdk array in the workflow to
ensure the declared baseline is tested in CI, or update build.gradle to remove
Java 17 as the target bytecode and align it with the CI matrix versions being
tested. Choose whichever matches your actual Java 17 support policy for the
project.
- Line 28: The checkout steps in the workflow file are using the default
credential persistence behavior, which keeps GitHub tokens in local git config
and poses a security risk. Add `persist-credentials: false` to each checkout
step (the uses: actions/checkout action at the line shown and at the additional
locations mentioned in "Also applies to") to explicitly disable credential
persistence unless it is explicitly required for subsequent steps.
- Line 30: Replace the tag-based version pinning for the actions/setup-java and
codecov/codecov-action actions with commit SHA references instead of `@v5` tags.
Tag-based references are mutable and can introduce supply-chain risks, whereas
SHA pinning provides immutability and consistency with the other actions already
used in the workflow. Update each occurrence of these actions to use the full
commit SHA format (e.g., `@<full-commit-sha>`) instead of the version tag.

---

Outside diff comments:
In @.github/workflows/gradle.yml:
- Around line 16-18: The COVERALLS_REPO_TOKEN environment variable is still
being exposed globally in the workflow file's env section even though coverage
reporting has been migrated to Codecov, creating an unnecessary security
exposure. Remove the entire COVERALLS_REPO_TOKEN environment variable definition
(lines 16-18) from the global env section in the gradle.yml workflow file to
follow the principle of least privilege and eliminate unnecessary secret surface
area.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 525c4f61-c482-4801-a7e0-8c0794ca8d2c

📥 Commits

Reviewing files that changed from the base of the PR and between 4ff6e42 and b48f3d7.

📒 Files selected for processing (2)

• .github/workflows/gradle.yml
• build.gradle

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

build.gradle (1)

59-59: Move json-compare to testImplementation scope.

This dependency is used only in test code (UtilFunctionsTest.java and HelpFunctions.java), but is currently added to the runtime classpath via implementation. Use testImplementation to exclude it from the published runtime dependencies.

Suggested diff

-    implementation 'com.github.fslev:json-compare:8.0'
+    testImplementation 'com.github.fslev:json-compare:8.0'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build.gradle` at line 59, The json-compare dependency is currently declared
with the implementation scope in build.gradle at line 59, which includes it in
the runtime classpath. Since this dependency is only used in test code, change
the scope from implementation to testImplementation to exclude it from published
runtime dependencies.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@gradlew.bat`:
- Line 54: The error handling code that executes `"%COMSPEC%" /c exit 1` only
terminates the child command process but allows the parent batch script to
continue executing subsequent statements. After each error exit command in the
script, add an explicit control-flow directive such as `goto :eof` or `exit /b`
immediately following the exit statement to prevent execution fallthrough and
ensure the script terminates properly instead of attempting to run Gradle with
invalid or unset variables like JAVA_EXE.

---

Nitpick comments:
In `@build.gradle`:
- Line 59: The json-compare dependency is currently declared with the
implementation scope in build.gradle at line 59, which includes it in the
runtime classpath. Since this dependency is only used in test code, change the
scope from implementation to testImplementation to exclude it from published
runtime dependencies.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fa9819ec-2750-4709-b55c-090a221b36d5

📥 Commits

Reviewing files that changed from the base of the PR and between b48f3d7 and 8ffc89e.

⛔ Files ignored due to path filters (1)

• gradle/wrapper/gradle-wrapper.jar is excluded by !**/*.jar

📒 Files selected for processing (5)

• .github/workflows/gradle.yml
• build.gradle
• gradle/wrapper/gradle-wrapper.properties
• gradlew
• gradlew.bat

✅ Files skipped from review due to trivial changes (1)

• gradle/wrapper/gradle-wrapper.properties

[coderabbitai]

🧹 Nitpick comments (2)

.devcontainer/Dockerfile (2)

4-6: ⚡ Quick win

Add --no-install-recommends to reduce image size and attack surface.

The apt-get install command lacks --no-install-recommends, which installs unnecessary suggested packages.

♻️ Proposed fix

-RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
-    apt-get install -y nodejs && \
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
+    apt-get install -y --no-install-recommends nodejs && \
     rm -rf /var/lib/apt/lists/*

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile around lines 4 - 6, The apt-get install command for
nodejs lacks the --no-install-recommends flag, which causes unnecessary
suggested packages to be installed, increasing image size and attack surface.
Add the --no-install-recommends flag to the apt-get install -y nodejs command to
prevent installation of recommended but non-essential packages.

Source: Linters/SAST tools

---

7-7: Pin the npm package version for reproducible builds.

The ro-crate-html-js package is installed globally without a version constraint. Unpinned installations can lead to non-reproducible builds across environments when the package releases updates.

♻️ Proposed fix

-RUN npm install -g ro-crate-html-js
+RUN npm install -g ro-crate-html-js@1.4.19 && \
+    npm cache clean --force

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile at line 7, In the RUN npm install command for
ro-crate-html-js, add a version constraint to pin the package to a specific
version. Modify the package specification to include a version number using the
format package@version (for example, package@1.2.3) instead of just the package
name alone. This ensures that the same version is installed consistently across
all builds and environments.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.devcontainer/Dockerfile:
- Around line 4-6: The apt-get install command for nodejs lacks the
--no-install-recommends flag, which causes unnecessary suggested packages to be
installed, increasing image size and attack surface. Add the
--no-install-recommends flag to the apt-get install -y nodejs command to prevent
installation of recommended but non-essential packages.
- Line 7: In the RUN npm install command for ro-crate-html-js, add a version
constraint to pin the package to a specific version. Modify the package
specification to include a version number using the format package@version (for
example, package@1.2.3) instead of just the package name alone. This ensures
that the same version is installed consistently across all builds and
environments.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ec80824e-372b-4447-a6d8-6951c0c40ecb

📥 Commits

Reviewing files that changed from the base of the PR and between 8ffc89e and 58914b7.

📒 Files selected for processing (2)

• .devcontainer/Dockerfile
• .devcontainer/devcontainer.json