ci: fast static analysis with early-fail lint + inline SARIF (PMD/Checkstyle/SpotBugs)

[joaodinissf]

Problem

Today a single PMD or Checkstyle nit only surfaces after the ~15-minute build: maven-verify runs clean verify and re-runs every static-analysis goal on top of it. So "I forgot a semicolon" feedback arrives ~14 minutes late, and the analysis work is duplicated.

What this does

Four independent parallel jobs (verify.yml), so feedback is early and findings show up inline:

Job	Runs	Gate
lint	compile + pmd:pmd + checkstyle:checkstyle (SARIF) + pmd:cpd-check, -T 2C	count merged SARIF (+ cpd.xml grep)
spotbugs	compile + spotbugs:spotbugs (SARIF), -Xmx4g	count merged SARIF
maven-verify	clean verify (build + tests only)	Tycho-surefire
line-endings	git check	shell

• lint goes red in ~3–5 min on its own check, independent of the build — a lint issue no longer waits behind ~14 min of build+tests.
• SpotBugs is isolated in its own lane (it's the slow analysis), so it never delays lint.
• maven-verify drops the redundant analysis goals it used to re-run.
• All three analyzers emit SARIF 2.1.0, merged per tool and uploaded to Code Scanning (security-events: write) → inline annotations on the diff + Security tab. No custom annotator script.

Why count-gate, not the :check goals

The pmd:check / spotbugs:check goals @Execute-fork a second analysis and can't emit SARIF; run without the full compile classpath they false-positive on type-resolving rules (e.g. InvalidLogMessageFormat on the SLF4J trailing-Throwable idiom). So each report goal runs once (full-reactor compile → correct results + SARIF) and the gate just counts. Full rationale, the report-vs-check tables, and the fidelity caveats are in docs/ci-static-analysis-design.md.

Optimizes / trades off

• Optimizes: feedback latency (lint ~3–5 min vs ~14) and overall wall-clock (~10 min vs ~14.5, since the redundant analysis is gone).
• Trades off: more total compute — compile runs once per parallel job. This is a deliberate, cheap trade here: the repo is public (CI is free) and low-activity, so we buy early + inline feedback with compute that costs nothing.

Validation

• Clean run → all four jobs green; wall-clock ~10 min.
• Planted one violation per tool → lint and spotbugs correctly went red (exact counts), and Code Scanning ingested PMD/Checkstyle/SpotBugs SARIF → annotations appeared on the PR diff + Security tab.

Notes

• CPD gating is wired (pmd:cpd-check + <duplication> grep) but inert until chore: pmd.cpd.min set to 100000 effectively disables CPD #1339 lowers the token threshold (pmd.cpd.min=100000 currently disables it) — tracked separately. CPD has no SARIF renderer, so it gates but doesn't annotate inline.
• Branch protection (admin, at merge): required checks change pmd + checkstyle → lint + spotbugs; keep line-endings, maven-verify.
• See also docs/ci-measurement-protocol.md for how to gather trustworthy timing medians.

Supersedes #1333 (sequential, Python) and #1337 (parallel, Python).

🤖 Generated with Claude Code