Spring Boot 3.5 compatibility and pipeline follow-up #1556

Open
RichardSlater wants to merge 7 commits into master from 001-spring-boot-vuln-mitigation

@RichardSlater RichardSlater commented Mar 30, 2026

[No work item - Spring Boot compatibility and pipeline follow-up]

📲 What

This PR is not a pure Dependabot consolidation.

It contains the previously consolidated dependency-update baseline from chore/consolidate-dependabot-prs-squashed-2026-03-26, plus additional manual changes that affect runtime, CI behavior, and repository tooling:

  • Spring Cloud alignment in java/pom.xml to a Spring Boot 3.5-compatible train (2025.0.1)
  • Removal of spring.cloud.compatibility-verifier.enabled=false from runtime and test config
  • Replacement of broader Spring Cloud starters with spring-cloud-context
  • Java 17 baseline enforcement via Maven Enforcer
  • Azure DevOps publish-task changes to avoid deprecated or misleading coverage and test-result warnings
  • Documentation and specification updates describing the supported runtime path and rollback notes
  • New .specify/** spec-kit workflow assets and .github/skills/** PR automation support, plus related agent and prompt guidance

If reviewers want to approve dependency bumps independently, the dependency-only baseline already exists on branch chore/consolidate-dependabot-prs-squashed-2026-03-26.

🤔 Why

The original “Dependabot consolidation” framing is too broad for this branch.

The manual changes are needed because the repository was carrying unsupported Spring Boot and Spring Cloud behavior and noisy CI publish warnings that should be reviewed as operational changes, not as routine version bumps. This branch also introduces repo-level workflow and automation assets that materially expand scope and should be visible in the PR description so reviewers can assess them deliberately.

  • Spring Boot 3.5.x requires a compatible Spring Cloud train; this branch aligns that explicitly.
  • Disabling the compatibility verifier is an operational runtime workaround and needed to be removed or clearly called out for review.
  • The Azure DevOps publish steps were relying on defaults and deprecated coverage publishing, which produced misleading warnings in CI.
  • The .specify and .github/skills additions change contributor workflow and automation surface area, so they should not be hidden under a dependency-only label.

🛠 How

  • Kept the dependency-consolidation history intact as the baseline.
  • Applied the Spring compatibility changes in the Java module and verified the branch with:
    • cd java && ./mvnw fmt:format
    • cd java && ./mvnw test
    • cd java && ./mvnw -Dgpg.skip=true verify
  • Updated shared post-build pipeline templates to:
    • switch from PublishCodeCoverageResults@1 to @2
    • publish explicit Java surefire and JaCoCo outputs
    • skip publishing when no report files exist instead of emitting false-positive warnings
  • Added repository workflow and tooling assets under .specify/** and .github/skills/**, and adjusted guidance and configuration files to avoid misleading or unsafe defaults

👀 Evidence

  • Java validation passed locally on this branch:
    • ./mvnw fmt:format
    • ./mvnw test
    • ./mvnw -Dgpg.skip=true verify
  • Supporting docs updated:
    • docs/spring-boot-3.5-migration.md
    • specs/001-spring-boot-vuln-mitigation/*

🕵️ How to test

  1. Review the dependency-only baseline separately on chore/consolidate-dependabot-prs-squashed-2026-03-26 if you want an isolated dependency-bump review.
  2. On this branch, verify the runtime and config changes in:
    • java/pom.xml
    • java/src/main/resources/application.yml
    • java/src/test/resources/application-test.yml
  3. Verify the pipeline publish mitigation in:
    • build/azDevOps/azure/templates/steps/build/post-build-tasks.yml
    • build/azDevOps/azure/templates/steps/build/post-build-tasks-cli.yml
  4. Verify the workflow and tooling additions under:
    • .specify/**
    • .github/skills/**
    • .github/agents/**
    • .vscode/settings.json
  5. Re-run the Java module checks:
    • cd java && ./mvnw fmt:format && ./mvnw test && ./mvnw -Dgpg.skip=true verify

✅ Acceptance criteria Checklist

  • Code peer reviewed?
  • Documentation has been updated to reflect the changes?
  • Passing all automated tests, including a successful deployment?
  • Passing any exploratory testing?
  • Rebased or merged with latest changes from development and re-tested?
  • Meeting the Coding Standards?
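
An added example, not part of this PR or the repository: a small Python check that a pipeline step could run over the config files listed under "How to test" to fail the build if the compatibility-verifier override is reintroduced. The function names and the sample input are assumptions made for illustration, and the YAML handling is a deliberately minimal flattener rather than a full parser.

```python
import re

# Property this PR removes from runtime and test config. Setting it to false
# turns off Spring Cloud's startup check against the Spring Boot version.
TARGET = "spring.cloud.compatibility-verifier.enabled"

def _norm(key):
    # Approximation of Spring's relaxed binding: ignore case, '-' and '_'.
    return re.sub(r"[-_]", "", key).lower()

def flatten_yaml(text):
    """Flatten block-style YAML mappings to {dotted.key: scalar}.
    Minimal on purpose: nested maps and dotted keys only, list items skipped."""
    stack, flat = [], {}  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        m = re.match(r"^(\s*)([^:\s][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper or sibling mappings
        stack.append((indent, key))
        if value:
            flat[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return flat

def flatten_properties(text):
    """Parse key=value or key: value lines of a .properties file."""
    flat = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            if len(parts) == 2:
                flat[parts[0]] = parts[1]
    return flat

def verifier_disabled(filename, text):
    """True if the file sets the compatibility verifier to false."""
    parse = flatten_properties if filename.endswith(".properties") else flatten_yaml
    wanted = _norm(TARGET)
    return any(_norm(k) == wanted and v.lower() == "false"
               for k, v in parse(text).items())

# Constructed sample, not taken from the repository.
SAMPLE_YML = "spring:\n  cloud:\n    compatibility-verifier:\n      enabled: false\n"
```
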

Copilot AI review requested due to automatic review settings March 30, 2026 10:03

This comment was marked as resolved.

RichardSlater

This comment was marked as resolved.

Copilot AI review requested due to automatic review settings March 30, 2026 10:51

This comment was marked as resolved.

@RichardSlater RichardSlater left a comment

Addressed the two active review threads for PR #1556 in commit 3a1ba92.

Changes made:

  • Added codeCoverageTool: "JaCoCo" to PublishCodeCoverageResults@2 in post-build-tasks.yml
  • Added codeCoverageTool: "JaCoCo" to PublishCodeCoverageResults@2 in post-build-tasks-cli.yml

Local validation:

  • Build: cd java && ./mvnw -q -DskipTests package
  • Test: cd java && ./mvnw -q test
  • Lint: yamllint -c yamllint.conf build/azDevOps/azure/templates/steps/build/post-build-tasks.yml build/azDevOps/azure/templates/steps/build/post-build-tasks-cli.yml
  • Pre-commit: not configured in this repository

@RichardSlater RichardSlater force-pushed the 001-spring-boot-vuln-mitigation branch from 3a1ba92 to 16cb44b Compare March 30, 2026 11:05
@RichardSlater

/azp run

@azure-pipelines

Azure Pipelines failed to run 1 pipeline(s).

@Ensono Ensono deleted a comment from azure-pipelines bot Mar 30, 2026
@Ensono Ensono deleted a comment from azure-pipelines bot Mar 30, 2026
Copilot AI review requested due to automatic review settings March 30, 2026 11:15
@RichardSlater

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Copilot AI left a comment

Pull request overview

Copilot reviewed 66 out of 67 changed files in this pull request and generated 2 comments.

Comment on lines 9 to +12
### 1. Spring Cloud Version Incompatibility

**Problem:**
The current Spring Cloud version (`2022.0.4`) is incompatible with Spring Boot 3.5.7.
Earlier Spring Cloud release trains are incompatible with Spring Boot 3.5.7.
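
Review bot: in the Problem paragraph, "Earlier Spring Cloud release trains" has no reference point, so a reader cannot tell which trains are affected. State the boundary explicitly, for example by naming the train this PR aligns to (the description gives 2025.0.1), and keep `2022.0.4` as the concrete example of an incompatible version.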

Copilot AI Mar 30, 2026

This section describes Spring Boot/Spring Cloud compatibility, but the doc header above still references stacks-modules-parent:3.0.98 while this PR updates the Java module parent to 3.0.139 (java/pom.xml). Please update the overview to reflect the current parent POM version (or avoid pinning a specific parent version) so the guidance stays accurate.

@@ -137,3 +143,9 @@ variable "app_insights_name" {
type = string
description = "app insights name for key retriaval in memory"
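
Review bot: the `description` on `app_insights_name` does not say which key is retrieved or what "in memory" refers to, and "retriaval" is misspelled. Reword it so the variable's purpose is clear from the description alone, and correct the spelling to "retrieval".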

Copilot AI Mar 30, 2026

Spelling: variable description says "key retriaval"; should be "key retrieval".
