Merge pull request #143 from contentstack/fix/DX-6183

chore: migrate java repo to GitHub Release–based publish flow with strict version gating

Author: cs-raj

.github/workflows/back-merge-pr.yml

@@ -0,0 +1,59 @@
+# Opens a PR from master → development after changes land on master (back-merge).
+#
+# Org/repo Settings → Actions → General → Workflow permissions: read and write
+# (so GITHUB_TOKEN can create pull requests). Or use a PAT in secret GH_TOKEN.
+
+name: Back-merge master to development
+
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  open-back-merge-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Open back-merge PR if needed
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          git fetch origin development master
+
+          MASTER_SHA=$(git rev-parse origin/master)
+          DEV_SHA=$(git rev-parse origin/development)
+
+          if [ "$MASTER_SHA" = "$DEV_SHA" ]; then
+            echo "master and development are at the same commit; nothing to back-merge."
+            exit 0
+          fi
+
+          EXISTING=$(gh pr list --repo "${{ github.repository }}" \
+            --base development \
+            --head master \
+            --state open \
+            --json number \
+            --jq 'length')
+
+          if [ "$EXISTING" -gt 0 ]; then
+            echo "An open PR from master to development already exists; skipping."
+            exit 0
+          fi
+
+          gh pr create --repo "${{ github.repository }}" \
+            --base development \
+            --head master \
+            --title "chore: back-merge master into development" \
+            --body "Automated back-merge after changes landed on \`master\`. Review and merge to keep \`development\` in sync."
+
+          echo "Created back-merge PR master → development."

.github/workflows/check-branch.yml

@@ -0,0 +1,87 @@
+# Runs only when production code under src/main/ changes. Version must be > latest v* tag
+# (not compared to the base branch, so rebases onto an already-bumped main still pass when tag requires a new release).
+
+name: Check Version Bump
+
+on:
+  pull_request:
+
+jobs:
+  check-version-bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Validate version and changelog updates
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          VERSION_FILE="pom.xml"
+          CHANGELOG_FILE="CHANGELOG.md"
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          mapfile -t CHANGED_FILES < <(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
+          if [ "${#CHANGED_FILES[@]}" -eq 0 ]; then
+            echo "No changed files detected."
+            exit 0
+          fi
+
+          is_production_source_change() {
+            local f="$1"
+            [[ "$f" == src/main/* ]]
+          }
+
+          has_source_changes=false
+          for file in "${CHANGED_FILES[@]}"; do
+            if is_production_source_change "$file"; then
+              has_source_changes=true
+              break
+            fi
+          done
+
+          if [ "$has_source_changes" = false ]; then
+            echo "Skipping: no src/main/ production code changes."
+            exit 0
+          fi
+
+          changed_file() {
+            local target="$1"
+            for file in "${CHANGED_FILES[@]}"; do
+              if [ "$file" = "$target" ]; then
+                return 0
+              fi
+            done
+            return 1
+          }
+
+          changed_file "$VERSION_FILE" || { echo "Version bump required in $VERSION_FILE."; exit 1; }
+          changed_file "$CHANGELOG_FILE" || { echo "Matching changelog update required in $CHANGELOG_FILE."; exit 1; }
+
+          extract_version() {
+            python3 -c 'import sys,xml.etree.ElementTree as ET;r=ET.fromstring(sys.stdin.read());ns={"m":r.tag.split("}")[0].strip("{")} if r.tag.startswith("{") else None;n=(r.find("m:version",ns) if ns else r.find("version"));print((n.text or "").strip() if n is not None else "")'
+          }
+
+          head_version=$(extract_version < "$VERSION_FILE")
+          # Changelog uses "## Date" sections with versions on "#### vX.Y.Z" lines; support that and legacy "## vX.Y.Z".
+          CHANGELOG_HEAD=$(
+            sed -nE 's/^####[[:space:]]+v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$CHANGELOG_FILE" | head -1
+          )
+          if [ -z "$CHANGELOG_HEAD" ]; then
+            CHANGELOG_HEAD=$(sed -nE 's/^##[[:space:]]+v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$CHANGELOG_FILE" | head -1)
+          fi
+
+          [ -n "$CHANGELOG_HEAD" ] || { echo "::error::Could not find a version in $CHANGELOG_FILE (expected '#### vX.Y.Z' under a date section or legacy '## vX.Y.Z')."; exit 1; }
+          [ "$CHANGELOG_HEAD" = "$head_version" ] || { echo "::error::$CHANGELOG_FILE top release version ($CHANGELOG_HEAD) does not match project version ($head_version)."; exit 1; }
+
+          latest_tag=$(git tag --list 'v*' --sort=-version:refname | sed -n '1p')
+          latest_version="${latest_tag#v}"
+          [ -n "$latest_version" ] || latest_version="0.0.0"
+
+          version_gt() {
+            python3 -c 'import sys;v=lambda s:[int(x) if x.isdigit() else 0 for x in (s.strip().lstrip("v").split("-",1)[0].split("+",1)[0].split(".")+["0","0","0"])[:3]];print("true" if v(sys.argv[1])>v(sys.argv[2]) else "false")' "$1" "$2"
+          }
+
+          [ "$(version_gt "$head_version" "$latest_version")" = "true" ] || { echo "Version must be greater than latest tag version ($latest_version). Found $head_version."; exit 1; }

.github/workflows/check-version-bump.yml

@@ -4,12 +4,15 @@ on:
     types: [created]
 jobs:
   publish-maven:
+    if: ${{ startsWith(github.event.release.tag_name, 'v') && !github.event.release.draft }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
     steps:
       - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.release.tag_name }}
       - name: Set up Maven Central Repository
         uses: actions/setup-java@v3
         with:
@@ -27,17 +30,20 @@ jobs:
           MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
   publish-github:
+    if: ${{ startsWith(github.event.release.tag_name, 'v') && !github.event.release.draft }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.release.tag_name }}
       - name: Set up Java for publishing to GitHub Packages
         uses: actions/setup-java@v3
         with:
           java-version: '17'
           distribution: 'adopt'
           server-id: github
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          gpg-passphrase: GPG_PASSPHRASE
       - name: Set up Maven settings for Central and GitHub
         run: |
           mkdir -p $HOME/.m2
@@ -58,4 +64,4 @@ jobs:
       - name: Publish to GitHub Packages
         run: mvn --batch-mode -Dgpg.passphrase=${{ secrets.GPG_PASSPHRASE }} deploy
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/maven-publish.yml

@@ -33,7 +33,7 @@
 | Single test class | `mvn test -Dtest=UtilTests` |
 | Javadoc | `mvn javadoc:javadoc` |
 | Sample (after `mvn install` with skips if needed) | `mvn -f sample/pom.xml compile` |
-| **CI** | Java **17** publish: `.github/workflows/maven-publish.yml` · SCA: `.github/workflows/sca-scan.yml` · branch rules: `.github/workflows/check-branch.yml` |
+| **CI** | Java **17** publish: `.github/workflows/maven-publish.yml` (GitHub **Release** for tag `v*`, draft releases skipped) · SCA: `.github/workflows/sca-scan.yml` · back-merge automation: `.github/workflows/back-merge-pr.yml` |
 
 ## Where the documentation lives: skills
 

AGENTS.md

@@ -1,12 +1,18 @@
-# Changelog
+# CHANGELOG
 
 A brief description of what changes project contains
 
+## Apr 30, 2026
+
+#### v1.5.1
+
+- Fix: Upgraded `org.springframework:spring-web` to 7.0.7 to address Snyk-reported vulnerabilities in Spring Framework (including transitive `spring-core`)
+
 ## Apr 20, 2026
 
 #### v1.5.0
 
-- Enhancement: Live Preview Editable tags 
+- Enhancement: Live Preview Editable tags
 
 ## Mar 23, 2026
 
@@ -36,7 +42,7 @@ A brief description of what changes project contains
 
 #### v1.2.11
 
-- Fix: ignore td/th in case of attrs has void:true 
+- Fix: ignore td/th in case of attrs has void:true
 
 ## May 14, 2024
 
@@ -48,7 +54,7 @@ A brief description of what changes project contains
 
 #### v1.2.9
 
-- Fixed vulnerability issue related to strAttrs and children. 
+- Fixed vulnerability issue related to strAttrs and children.
 
 ## April 23, 2024
 
@@ -136,4 +142,3 @@ A brief description of what changes project contains
 ## Support
 
 - For support, email fake@fake.com or join our Slack channel.
-

Changelog.md CHANGELOG.mdChangelog.md renamed to CHANGELOG.md

@@ -4,7 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.contentstack.sdk</groupId>
     <artifactId>utils</artifactId>
-    <version>1.5.0</version>
+    <version>1.5.1</version>
     <packaging>jar</packaging>
     <name>Contentstack-utils</name>
     <description>Java Utils SDK for Contentstack Content Delivery API, Contentstack is a headless CMS</description>
@@ -28,7 +28,7 @@
         <maven-release-plugin.version>2.5.3</maven-release-plugin.version>
         <validation-version>2.0.1.Final</validation-version>
         <json-version>20251224</json-version>
-        <spring-web-version>7.0.6</spring-web-version>
+        <spring-web-version>7.0.7</spring-web-version>
         <org.apache.commons-text>1.15.0</org.apache.commons-text>
     </properties>
 
@@ -212,8 +212,7 @@
                             <use>false</use>
                             <source>17</source>
                             <links>
-                                <link>http://docs.oracle.com/javase/8/docs/api/</link>
-                                <link>http://docs.oracle.com/javase/8/docs/api/</link>
+                                <link>https://docs.oracle.com/en/java/javase/17/docs/api/</link>
                             </links>
                             <doclint>none</doclint>
                         </configuration>

pom.xml

@@ -16,7 +16,7 @@ description: PR checklist and optional Blocker/Major/Minor — use when reviewin
 ### API design and stability
 
 - [ ] **Public API:** New or changed methods on `Utils`, `GQL`, `DefaultOption`, or `interfaces` are necessary, Javadoc’d, and safe for `com.contentstack.sdk:utils` consumers.
-- [ ] **Backward compatibility:** Breaking changes only with major version / **`Changelog.md`** plan.
+- [ ] **Backward compatibility:** Breaking changes only with major version / **`CHANGELOG.md`** plan.
 - [ ] **Naming:** Consistent with existing Utils and RTE/embedded terminology.
 
 ### Error handling and robustness

skills/code-review/SKILL.md

@@ -15,7 +15,7 @@ description: Branches, CI, build and test commands, PR expectations, optional TD
 
 ### Branches
 
-- Default integration for PRs is often **`staging`**; merging into **`master`** may be restricted (see `.github/workflows/check-branch.yml`).
+- Feature/fix PRs should target **`development`**. Release PRs are raised directly from **`development`** to **`master`**.
 - Feature/fix branches often use ticket-style names (e.g. `fix/DX-5734`).
 
 ### Running tests and builds
@@ -28,7 +28,7 @@ description: Branches, CI, build and test commands, PR expectations, optional TD
 ### Pull requests
 
 - Describe the change; link issues/tickets when applicable.
-- Keep public API backward-compatible unless releasing a breaking version; update **`Changelog.md`** for user-visible behavior.
+- Keep public API backward-compatible unless releasing a breaking version; update **`CHANGELOG.md`** for user-visible behavior.
 - Use **`skills/code-review/SKILL.md`** as the review checklist.
 
 ### Optional: TDD