chore: Migrate CI to sonatype central portal

[ryanpq]

Description

Migration of java sdk publishing from OSSRH to Sonatype Central Portal.

Sonatype has announced that the legacy OSSRH service (oss.sonatype.org) will reach end-of-life in June 2025. The openfga/java-sdk currently publishes to Maven Central via OSSRH. To avoid disruptions, we need to migrate publishing to the Central Portal (central.sonatype.com).

References

openfga/sdk-generator#562

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• New Features

  • Added support for including authorization model ID and consistency options in batch check requests.
  • Enhanced telemetry to capture authorization model ID in batch check requests.

• Bug Fixes

  • Clarified in documentation that the order of batch check results is not guaranteed; users should use correlation IDs to match responses.

• Documentation

  • Updated README to clarify batch check result ordering and renamed a section heading for clarity.

• Tests

  • Added a test to verify batch check requests with options for authorization model ID and consistency.

• Chores

  • Downgraded versions of several dependencies, plugins, and GitHub Actions.
  • Updated Sonatype Nexus repository URLs for publishing.

[coderabbitai]

Walkthrough

The changes involve downgrading versions of several dependencies and GitHub Actions in build scripts and workflow files, updating Sonatype Nexus repository URLs, and making documentation clarifications. In the Java client, telemetry attribute collection and batch check request customization were enhanced, and a new test was added to verify batch check behavior with options.

Changes

File(s)	Change Summary
.github/workflows/fossa.yaml	Downgraded fossas/fossa-action from v1.7.0 to v1.6.0 in two workflow steps.
.github/workflows/main.yaml	Downgraded gradle/actions/setup-gradle and wrapper-validation from v4.4.0 to v4.3.1; codecov-action from v5.4.3 to v5.4.2.
README.md	Renamed "Auth0 Client Credentials" heading; added note about non-guaranteed order in batchCheck results.
build.gradle	Downgraded Spotless, OpenTelemetry BOM, Mockito, JUnit Jupiter, and Testcontainers dependencies.
example/example1/build.gradle	Downgraded com.diffplug.spotless and org.jetbrains.kotlin.jvm plugin versions.
publish.gradle	Updated Sonatype Nexus repository URLs to new endpoints.
src/main/java/dev/openfga/sdk/api/OpenFgaApi.java	Added telemetry attribute collection for authorizationModelId in BatchCheckRequest.
src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java	Enhanced batchCheck to conditionally include consistency and authorization model ID from options or defaults.
src/main/java/dev/openfga/sdk/api/model/AbstractOpenApiSchema.java	Simplified the isNullable() method control flow.
src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java	Added test for batchCheck with options, verifying request structure and response handling.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant OpenFgaClient
    participant OpenFgaApi

    Client->>OpenFgaClient: batchCheck(checks, options)
    OpenFgaClient->>OpenFgaClient: Build BatchCheckRequest
    OpenFgaClient->>OpenFgaClient: If options.consistency, set on request
    OpenFgaClient->>OpenFgaClient: If options.authorizationModelId or default, set on request
    OpenFgaClient->>OpenFgaApi: batchCheck(storeId, request, configOverride)
    OpenFgaApi-->>OpenFgaClient: BatchCheckResponse
    OpenFgaClient-->>Client: BatchCheckResponse

Loading

sequenceDiagram
    participant OpenFgaApi
    participant Telemetry

    OpenFgaApi->>OpenFgaApi: buildTelemetryAttributes(request)
    alt request is BatchCheckRequest and authorizationModelId present
        OpenFgaApi->>Telemetry: Add FGA_CLIENT_REQUEST_MODEL_ID attribute
    end

Loading

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.38.1)

src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 78.57143% with 3 lines in your changes missing coverage. Please review.

Project coverage is 33.66%. Comparing base (eb13ccd) to head (3538ae1).

Files with missing lines	Patch %	Lines
src/main/java/dev/openfga/sdk/api/OpenFgaApi.java	66.66%	0 Missing and 1 partial ⚠️
...java/dev/openfga/sdk/api/client/OpenFgaClient.java	90.00%	0 Missing and 1 partial ⚠️
...v/openfga/sdk/api/model/AbstractOpenApiSchema.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #171      +/-   ##
============================================
+ Coverage     33.42%   33.66%   +0.23%     
- Complexity      994     1003       +9     
============================================
  Files           182      182              
  Lines          6878     6889      +11     
  Branches        772      776       +4     
============================================
+ Hits           2299     2319      +20     
+ Misses         4476     4466      -10     
- Partials        103      104       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 2

🔭 Outside diff range comments (1)

README.md (1)

613-642: Code snippet does not compile – multiple typos and syntax errors

The example introduced for batchCheck contains several issues that will confuse users copying it verbatim:

1. var reequst – typo in variable name.
2. Two of the list elements use new ClientCheckRequest() instead of new ClientBatchCheckItem().
3. Superfluous commas terminate the method-chaining lines (Java disallows this).
4. Missing closing quote/parenthesis in .correlationId("cor-3).
5. The final two builder calls (.maxParallelRequests(5) / .maxBatchSize(20)) are split by a semicolon, breaking the chain.

A minimal correction:

-var reequst = new ClientBatchCheckRequest().checks(
+var request = new ClientBatchCheckRequest().checks(
     List.of(
         new ClientBatchCheckItem()
             .user("user:81684243-9356-4421-8fbf-a4f8d36aa31b")
             .relation("viewer")
             ._object("document:0192ab2a-d83f-756d-9397-c5ed9f3cb69a")
             .correlationId("cor-1") // optional, one will be generated for you if not provided
             .contextualTuples(List.of(
                 new ClientTupleKey()
                     .user("user:81684243-9356-4421-8fbf-a4f8d36aa31b")
                     .relation("editor")
                     ._object("document:0192ab2a-d83f-756d-9397-c5ed9f3cb69a")
             )),
-        new ClientCheckRequest()
+        new ClientBatchCheckItem()
             .user("user:81684243-9356-4421-8fbf-a4f8d36aa31b")
             .relation("admin")
             ._object("document:0192ab2a-d83f-756d-9397-c5ed9f3cb69a")
-            .correlationId("cor-2") // optional, one will be generated for you if not provided
+            .correlationId("cor-2") // optional, one will be generated for you if not provided
             .contextualTuples(List.of(
                 new ClientTupleKey()
                     .user("user:81684243-9356-4421-8fbf-a4f8d36aa31b")
                     .relation("editor")
                     ._object("document:0192ab2a-d83f-756d-9397-c5ed9f3cb69a")
             )),
-        new ClientCheckRequest()
+        new ClientBatchCheckItem()
             .user("user:81684243-9356-4421-8fbf-a4f8d36aa31b")
             .relation("creator")
             ._object("document:0192ab2a-d83f-756d-9397-c5ed9f3cb69a")
-            .correlationId("cor-3), // optional, one will be generated for you if not provided
+            .correlationId("cor-3"), // optional, one will be generated for you if not provided
         new ClientBatchCheckItem()
             .user("user:81684243-9356-4421-8fbf-a4f8d36aa31b")
             .relation("deleter")
             ._object("document:0192ab2a-d83f-756d-9397-c5ed9f3cb69a")
             .correlationId("cor-4") // optional, one will be generated for you if not provided
     )
 );

 var options = new ClientBatchCheckOptions()
     .additionalHeaders(Map.of("Some-Http-Header", "Some value"))
     .authorizationModelId("01GXSA8YR785C4FYS3C0RTG7B1")
-    .maxParallelRequests(5); // Max number of requests to issue in parallel, defaults to 10 
-    .maxBatchSize(20); // Max number of batches to split the list of checks into, defaults to 50
+    .maxParallelRequests(5) // Max number of requests to issue in parallel, defaults to 10
+    .maxBatchSize(20);      // Max number of batches to split the list of checks into, defaults to 50

Consider running the README snippets through a quick compile/lint check to prevent this type of drift in future PRs.

🧹 Nitpick comments (7)

build.gradle (1)

78-80: JUnit/Mockito roll-back — any failing tests on 5.13.0/5.18.0?

No code in the repository shows incompatibility with the newer versions. Please document the rationale; otherwise keep the latest patch releases to benefit from bug & CVE fixes.

example/example1/build.gradle (1)

3-5: Keep plugin versions aligned with root build

If the root project remains on Kotlin 2.1.21 in the future, diverging here will eventually break gradle :example:check because of mismatched stdlib versions. Prefer inheriting the version via plugins { id "org.jetbrains.kotlin.jvm" version rootProject.kotlinVersion }.

.github/workflows/main.yaml (1)

37-38: Downgrading Codecov action drops SHA-validation

v5.4.3 started verifying upload integrity; v5.4.2 does not. Consider staying on the latest patch release.

src/main/java/dev/openfga/sdk/api/model/AbstractOpenApiSchema.java (1)

137-142: Return a primitive boolean instead of Boolean for clearer intent

isNullable() never returns null after the latest change (it always returns either Boolean.TRUE or Boolean.FALSE).
Switching the return type to the primitive boolean would:

• eliminate unnecessary boxing/unboxing,
• guarantee a non-null response by type, and
• slightly simplify call-sites (if (schema.isNullable()) … instead of unboxing).

-    public Boolean isNullable() {
-        if (Boolean.TRUE.equals(isNullable)) {
-            return Boolean.TRUE;
-        }
-        return Boolean.FALSE;
+    public boolean isNullable() {
+        return Boolean.TRUE.equals(isNullable);
     }

src/main/java/dev/openfga/sdk/api/OpenFgaApi.java (1)

1154-1161: Nice – telemetry now captures authorizationModelId for BatchCheckRequest

The extra attribute closes a gap in observability. 👍
Longer-term, the same “copy-paste” block appears for 6 request types (CheckRequest, ExpandRequest, …). Consider extracting a small helper (e.g., putModelIdIfPresent(Object request, Map<Attribute,String> attrs)) to reduce duplication and future drift.

README.md (1)

608-609: Eliminate blank line inside the blockquote

markdownlint (MD028) flags the empty line that follows the > **Note** … text.

-> **Note**: The order of `batchCheck` results is not guaranteed to match the order of the checks provided. Use `correlationId` to pair responses with requests.
-
-> Passing `ClientBatchCheckOptions` is optional. All fields of `ClientBatchCheckOptions` are optional.
+> **Note**: The order of `batchCheck` results is not guaranteed to match the order of the checks provided. Use `correlationId` to pair responses with requests.
+> Passing `ClientBatchCheckOptions` is optional. All fields of `ClientBatchCheckOptions` are optional.

src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java (1)

2043-2074: LGTM with minor consistency suggestion.

The test correctly verifies that the batchCheck method includes authorization model ID and consistency options in the request body when provided. The test structure, mocking, and assertions are all appropriate.

Minor observation: This test uses .join() on line 2067, while most other tests in this file use .get() for CompletableFuture operations. Consider using .get() for consistency with the existing test patterns.

-        ClientBatchCheckResponse response = fga.batchCheck(request, options).join();
+        ClientBatchCheckResponse response = fga.batchCheck(request, options).get();

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb13ccd and 3538ae1.

📒 Files selected for processing (10)

• .github/workflows/fossa.yaml (1 hunks)
• .github/workflows/main.yaml (3 hunks)
• README.md (2 hunks)
• build.gradle (4 hunks)
• example/example1/build.gradle (1 hunks)
• publish.gradle (1 hunks)
• src/main/java/dev/openfga/sdk/api/OpenFgaApi.java (1 hunks)
• src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java (1 hunks)
• src/main/java/dev/openfga/sdk/api/model/AbstractOpenApiSchema.java (1 hunks)
• src/test/java/dev/openfga/sdk/api/client/OpenFgaClientTest.java (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

src/main/java/dev/openfga/sdk/api/OpenFgaApi.java (1)

src/main/java/dev/openfga/sdk/telemetry/Attributes.java (1)

• Attributes (31-216)

🪛 markdownlint-cli2 (0.17.2)

README.md

609-609: Blank line inside blockquote
null

(MD028, no-blanks-blockquote)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (java)

🔇 Additional comments (7)

.github/workflows/fossa.yaml (1)

25-33: Why downgrade fossas/fossa-action?

v1.7.0 contains the Gradle-project detection and a bug-fix for large dependency graphs. Rolling back to v1.6.0 may silently skip those improvements and will not receive further security updates.

Please confirm that the downgrade is intentional and still compatible with the latest FOSSA SaaS backend.

build.gradle (2)

68-70: Downgrading OpenTelemetry BOM loses critical fixes

OTel 1.50.0 fixed context-propagation NPEs that affect async SDK calls (§ otel-java#6996). Verify that reverting to 1.49.0 will not break BatchCheck telemetry recently added.

---

109-111: Testcontainers 1.21.0 lacks the fix for Docker 26 on macOS

1.21.1 added a workaround for the new cgroup layout. Consider staying on 1.21.1 unless the downgrade solves a specific Central-Portal issue.

.github/workflows/main.yaml (2)

28-38: gradle/actions/setup-gradle@v4.3.1 missed the fix for corrupted build-cache keys

v4.4.0 introduced deterministic cache-key generation for Gradle 8.8+. Reverting may increase CI time due to more cache misses.

---

61-66: Wrapper-validation downgrade

Gradle 8.8 changed the distribution checksum format. v4.3.1 cannot validate wrappers generated by 8.8+. Ensure your wrapper remains ≤ 8.7 or keep v4.4.0.

README.md (1)

177-177: Heading rename looks good

Dropping the “Auth0” qualifier makes the section title more generic and consistent with the other credential-type headings.

src/main/java/dev/openfga/sdk/api/client/OpenFgaClient.java (1)

714-730: LGTM! Enhanced BatchCheckRequest construction with proper conditional parameter handling.

The changes correctly implement conditional inclusion of consistency and authorization model ID parameters. The logic properly prioritizes options over client defaults and includes appropriate null/whitespace checks before setting the authorization model ID.

This enhancement aligns well with similar patterns used in other methods like check, expand, and listObjects in the same class.

[coderabbitai]

⚠️ Potential issue

Spotless downgrade re-introduces CVE-2024-34329 transitively

Spotless 7.0.4 shaded the vulnerable commons-text range; 7.0.3 did not.
Unless the downgrade is required for the Central-Portal migration, keep 7.0.4 or explicitly override commons-text.

-    id 'com.diffplug.spotless' version '7.0.3'
+    id 'com.diffplug.spotless' version '7.0.4'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	id 'com.diffplug.spotless' version '7.0.3'
	id 'com.diffplug.spotless' version '7.0.4'

🤖 Prompt for AI Agents

In build.gradle around lines 7 to 8, the Spotless plugin version is downgraded
to 7.0.3, which reintroduces the CVE-2024-34329 vulnerability due to an unshaded
vulnerable commons-text dependency. To fix this, either revert the Spotless
plugin version back to 7.0.4 or, if the downgrade is necessary, explicitly add a
dependency override for commons-text to a safe version that mitigates the
vulnerability.

[coderabbitai]

⚠️ Potential issue

Verify new Central-Portal endpoints

According to Sonatype’s migration guide the staging API is
https://central.sonatype.com/api/v1/staging and snapshots stay on s01.oss.sonatype.org.
The URLs used here (ossrh-staging-api.central.sonatype.com and /repository/maven-snapshots/) are not documented and may 404.

-            nexusUrl.set(uri('https://ossrh-staging-api.central.sonatype.com/service/local/'))
-            snapshotRepositoryUrl.set(uri('https://central.sonatype.com/repository/maven-snapshots/'))
+            nexusUrl.set(uri('https://central.sonatype.com/api/v1/staging'))
+            snapshotRepositoryUrl.set(uri('https://s01.oss.sonatype.org/content/repositories/snapshots/'))

Also, the workflows still use OSSRH_USERNAME/OSSRH_TOKEN; Central Portal requires a generated ‘token’ credential instead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	nexusUrl.set(uri('https://ossrh-staging-api.central.sonatype.com/service/local/'))
	snapshotRepositoryUrl.set(uri('https://central.sonatype.com/repository/maven-snapshots/'))
	username.set(System.getenv('MAVEN_USERNAME'))
	nexusUrl.set(uri('https://central.sonatype.com/api/v1/staging'))
	snapshotRepositoryUrl.set(uri('https://s01.oss.sonatype.org/content/repositories/snapshots/'))
	username.set(System.getenv('MAVEN_USERNAME'))

🤖 Prompt for AI Agents

In publish.gradle around lines 54 to 56, update the nexusUrl to
'https://central.sonatype.com/api/v1/staging' as per Sonatype's migration guide,
and change the snapshotRepositoryUrl to use the 's01.oss.sonatype.org' domain
for snapshots. Also, replace the environment variables for authentication from
'OSSRH_USERNAME' and 'OSSRH_TOKEN' to use the new Central Portal generated token
credentials accordingly.