ci: add minimal GitHub Actions test workflow #12

Merged
stden merged 1 commit into master from ci/add-test-workflow-20260218150430
Feb 19, 2026

@stden (Owner) commented Feb 18, 2026

Summary

Adds a minimal GitHub Actions workflow to run tests for this repository.

  • Detected stack: java
  • Workflow path:
  • Conservative defaults only; no runtime code changes.

Why

This repository did not have a GitHub Actions workflow that runs tests.

Notes

  • Triggered on push to / and pull requests.
  • Kept intentionally minimal and non-breaking.

Summary by cubic

Adds a minimal GitHub Actions workflow to run Maven tests for this Java repo. It runs on pushes to main/master and on pull requests, uses Temurin Java 17 on ubuntu-latest, and uses mvnw if present (falls back to mvn).

Written for commit fe1275e. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Configured automated testing infrastructure to validate code changes on repository updates.

@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

coderabbitai bot commented Feb 18, 2026

Walkthrough

A new GitHub Actions workflow is added to automatically run Maven tests on pushes to main/master branches and pull requests, using Java 17 on Ubuntu with preference for the Maven wrapper when available.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI/CD Workflow `.github/workflows/tests.yml` | New GitHub Actions workflow that executes Maven tests (via mvnw or mvn) on a Java 17 environment for main/master pushes and pull requests. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A workflow so keen, with tests running clean,
Maven and Java, a technical dream!
On every commit, the checks now shall fly,
With ubuntu and mvnw standing by.
CI/CD magic, no longer denied! 🧙‍♂️✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: add minimal GitHub Actions test workflow' directly and clearly describes the main change: adding a GitHub Actions workflow for testing. It is concise, specific, and accurately reflects the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/tests.yml (2)

13-16: Enable Maven dependency caching to speed up runs.

actions/setup-java@v4 has built-in support for caching the local Maven repository; without it, all dependencies are re-downloaded on every run.

⚡ Proposed fix: add Maven cache
       - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: '17'
+          cache: 'maven'
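
Review bot: the `with:` block gains only `cache: 'maven'` here, but the agent prompt attached to this same finding also asks for `cache-dependency-path: '**/pom.xml'`, so the diff and the prompt describe two different changes. Decide which one is intended and make the two agree before applying either.
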
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 13 - 16, Update the
actions/setup-java@v4 step to enable Maven caching by adding the "cache:
'maven'" and "cache-dependency-path: '**/pom.xml'" keys under the step's with
block (so the setup-java step that currently has distribution: 'temurin' and
java-version: '17' will also include cache: 'maven' and cache-dependency-path:
'**/pom.xml'), which enables automatic caching of the local Maven repository
between workflow runs.

12-13: Pin actions to full commit SHAs instead of mutable major-version tags.

@v4 tags can be force-pushed by maintainers (or a compromised account), silently introducing malicious code into your CI pipeline. Pinning to an immutable SHA eliminates this supply-chain risk.

🔒 Proposed fix: pin to commit SHAs
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
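
Review bot: the trailing comment on the `actions/setup-java` pin reads only `# v4`, which names the moving tag the pin is meant to replace, while the `actions/checkout` line records an exact release (`# v4.3.1`). Annotate the setup-java SHA with the exact release it corresponds to, and confirm both SHAs against the upstream repositories before committing, so a later reader can tell which version is actually running.
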
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 12 - 13, Replace the mutable
major-version action references to immutable commit SHAs: locate the uses lines
for actions/checkout@v4 and actions/setup-java@v4 in the workflow and replace
those tokens with the corresponding full commit SHAs for actions/checkout and
actions/setup-java (so the workflow references actions/checkout@<full-sha> and
actions/setup-java@<full-sha>), ensuring you fetch the canonical commit SHAs
from the official GitHub repos/releases and update any related references or
inputs for the Checkout and Setup Java steps to preserve behavior.

Comment on lines +8 to +10
jobs:
  test:
    runs-on: ubuntu-latest

⚠️ Potential issue | 🟠 Major

Add an explicit permissions block to restrict GITHUB_TOKEN scope.

Without a permissions declaration, this workflow inherits the repository's default token permissions, which may be write-all depending on org/repo settings. A test-only workflow needs at most contents: read.

🔒 Proposed fix: add least-privilege permissions
 jobs:
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
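
Review bot: `permissions:` is added under the `test` job here, whereas the prompt text for this same finding asks for a top-level declaration outside the `jobs` block. Both restrict the token for this job, but a top-level `permissions:` with `contents: read` would also cover any job added later; pick one placement and make the diff and the prompt match.
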
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 8 - 10, The workflow currently
lacks an explicit permissions block so GITHUB_TOKEN may inherit overly broad
repo defaults; add a top-level permissions declaration in the workflow (outside
the jobs block) that restricts GITHUB_TOKEN to least privilege for the test job
(for example set permissions: contents: read) to ensure the "test" job only gets
read access to repository contents.
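
An added example, not part of the review or of the repository: a line-based Python check for the two security findings raised in this review (actions referenced by a mutable tag, and no `permissions` block). `audit_workflow` and `SAMPLE_WORKFLOW` are hypothetical names, and the sample workflow is constructed to resemble the one described in this PR, not copied from it.

```python
import re

# Constructed sample shaped like the workflow this PR describes (not the real file).
SAMPLE_WORKFLOW = """\
name: tests
on:
  push:
    branches: [main, master]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
      - run: mvn -B test
"""

# Line-based heuristics, not a YAML parser.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def audit_workflow(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions (./path) and docker:// images are not git refs.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, f"{action} pinned to mutable ref '{ref}'"))
    if not has_permissions:
        findings.append((0, "no permissions block: GITHUB_TOKEN uses repository defaults"))
    return findings
```

The check accepts a `permissions:` key at either workflow or job level and does not judge which scopes it grants.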

@stden stden merged commit ce22f7a into master Feb 19, 2026
4 of 5 checks passed