From 7da48975d8bcf6c87ade496d0547caedd6fc1962 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz" <pkarwasz-github@apache.org>
Date: Thu, 4 Jun 2026 09:38:41 +0200
Subject: [PATCH 1/2] [DIRMINA-1197] Add a Java CI workflow (branch `2.0.X`)

Introduce a GitHub Actions workflow that builds and tests this branch on current runners and action versions.

- Run on ubuntu-latest, windows-latest and macos-latest, testing JDK 8 on Temurin. macOS ARM has no Temurin JDK 8 build, so that combination uses Zulu instead.
- Use actions/checkout@v6 (without persisting credentials), actions/setup-java@v5 (with Maven caching), and an actions/upload-artifact@v7 step for the surefire reports.
- Limit push builds to the maintained production branches so internal feature branches are not built twice.
- Add a workflow-level concurrency group that cancels superseded pull request runs while letting pushes to the production branches run to completion.
- Run `mvn verify` under an explicit bash shell, and set per-job permissions.

Assisted-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yaml | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .github/workflows/ci.yaml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 000000000..1e978fd79
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,77 @@
+# SPDX-License-Identifier: Apache-2.0
+name: Java CI
+
+on:
+  # Build only the production branches on push, so internal feature branches do not trigger a build twice (once on push, once on the pull request).
+  push:
+    # Restricts push builds to these branches, even if the workflow is copied to another branch.
+    branches:
+      - 2.0.X
+      - 2.1.X
+      - 2.2.X
+  # Build every pull request targeting the branch this workflow lives on.
+  pull_request:
+
+# Permissions are granted per job.
+permissions: { }
+
+# Check all pushes to production branches, but interrupt a PR job if a new commit is pushed.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        java-version: [8]
+        distribution: [temurin]
+        include:
+          # There is no Temurin JDK 8 release for macOS ARM.
+          - os: macos-latest
+            java-version: 8
+            distribution: zulu
+      fail-fast: false
+    name: Test JDK ${{ matrix.java-version }}, ${{ matrix.os }}
+
+    # Actions from the `actions` and `github` organizations are pinned to a major version tag rather than a commit SHA.
+    # This is a deliberate decision:
+    #
+    # - Those organizations have strong expertise in securing GitHub Actions.
+    # - A compromise of either organization would likely also compromise the GitHub Actions service itself, so pinning would not help.
+    # - These actions release frequently.
+    #
+    # The residual risk is deemed acceptable in exchange for less Dependabot churn across the maintained branches.
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          # Don't persist the GitHub token used to check out the repository.
+          persist-credentials: false
+
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: ${{ matrix.distribution }}
+          cache: maven
+
+      - name: Test with Maven
+        shell: bash
+        run: |
+          mvn verify \
+          --show-version --batch-mode --errors --no-transfer-progress
+
+      # Upload the test results, even when the build failed.
+      - name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v7
+        with:
+          name: "test-report-${{matrix.os}}-${{matrix.distribution}}-${{matrix.java-version}}-${{github.run_number}}-${{github.run_attempt}}"
+          # Don't warn or fail when no tests ran (e.g. a compilation failure).
+          if-no-files-found: ignore
+          path: |
+            **/target/surefire-reports

From a522b16b4c8b6b0d1d46db11b45949e5d2b165a6 Mon Sep 17 00:00:00 2001
From: "Piotr P. Karwasz" <pkarwasz-github@apache.org>
Date: Thu, 4 Jun 2026 10:28:14 +0200
Subject: [PATCH 2/2] fix: use `-Pserial`

---
 .github/workflows/ci.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1e978fd79..8da0a4e68 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -63,6 +63,7 @@ jobs:
         shell: bash
         run: |
           mvn verify \
+          -Pserial \
           --show-version --batch-mode --errors --no-transfer-progress
 
       # Upload the test results, even when the build failed.