@infeo infeo commented Jan 22, 2026

This PR aligns the CI to other, already updated repositories (e.g. siv-mode or cryptofs).

It

@infeo infeo self-assigned this Jan 22, 2026
coderabbitai bot commented Jan 22, 2026

Walkthrough

Updates CI workflows: introduces a global JAVA_VERSION and pins/upgrades actions in .github/workflows/build.yml, adds checksum calculation, signing/attestation, and merges Central/GitHub-package deployment and release creation into the build pipeline as downstream jobs. Removes standalone publish-central.yml and publish-github.yml workflows. Updates Java version and pins actions in codeql-analysis.yml and dependency-check.yml. Changes include workflow permission expansions, artifact provenance steps, and CHANGELOG.md notes about pinning CI actions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title "Refactor CI" directly and clearly describes the main change: reorganizing and modernizing the CI workflows, which is the primary objective of the changeset. |
| Description check | ✅ Passed | The description comprehensively explains the key changes: merging workflows, adding attestation, pinning actions, and updating JDK, all of which are substantiated by the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/build.yml:
- Around line 14-18: The job-level permissions block is missing repository
contents read access so checkout will fail; update the permissions section (the
permissions: block in the build job) to include contents: read alongside
id-token: write and attestations: write so actions/checkout can read the repo
(i.e., add the contents: read permission to the permissions mapping).
- Around line 69-103: The "Enforce to use tagged version" step in the
deploy-central job uses an undefined shell variable $GIT_TAG causing
versions:set to fail; replace it with the correct GitHub Actions tag variable
(github.ref_name or the runner variable GITHUB_REF_NAME) or export it into the
step environment before calling ./mvnw; update the step referenced by its name
"Enforce to use tagged version" to use $GITHUB_REF_NAME (or set
GIT_TAG="${GITHUB_REF_NAME}" in the run block) so versions:set receives the
actual tag value.
♻️ Duplicate comments (1)
.github/workflows/build.yml (1)

104-135: Same undefined $GIT_TAG in deploy-github.
Apply the same fix as the deploy-central job.
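
Added example, not part of the review comment or of the PR's workflow files: an unset `$GIT_TAG` expands to an empty string in the shell, so a release step is safer when it resolves the tag explicitly and fails closed. `GITHUB_REF_TYPE` and `GITHUB_REF_NAME` are the runner's default variables; the function name `resolve_release_version`, the version pattern and the `-DnewVersion` invocation in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the PR's workflow files.
# GITHUB_REF_TYPE and GITHUB_REF_NAME are default variables set by the GitHub
# Actions runner; the accepted version pattern below is an assumption.

# Prints the release version on stdout. Returns non-zero and prints nothing on
# stdout when the run was not triggered by a tag or the tag is not a version.
resolve_release_version() {
  ref_type="${1-}"
  ref_name="${2-}"

  if [ "$ref_type" != "tag" ]; then
    echo "refusing to release: ref type is '${ref_type:-unset}', not 'tag'" >&2
    return 1
  fi
  if [ -z "$ref_name" ]; then
    echo "refusing to release: tag name is empty" >&2
    return 1
  fi
  # Reject any character outside the allowed set (this also covers newlines
  # and shell metacharacters) before checking the overall shape.
  case "$ref_name" in
    *[!0-9A-Za-z.-]*)
      echo "refusing to release: unexpected character in tag name" >&2
      return 1
      ;;
  esac
  # Assumed scheme: MAJOR.MINOR.PATCH with an optional -qualifier.
  if ! printf '%s\n' "$ref_name" |
      grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
    echo "refusing to release: '$ref_name' is not a version" >&2
    return 1
  fi
  printf '%s\n' "$ref_name"
}

# Sketch of use in the workflow step (assumed invocation):
#   GIT_TAG="$(resolve_release_version "$GITHUB_REF_TYPE" "$GITHUB_REF_NAME")" || exit 1
#   ./mvnw versions:set -DnewVersion="$GIT_TAG"

# Constructed sample inputs, written as "ref_type ref_name".
for sample in "tag 2.1.0" "branch develop" "tag " "tag 1.0.0;id"; do
  if v=$(resolve_release_version "${sample%% *}" "${sample#* }" 2>/dev/null); then
    echo "accepted: $v"
  else
    echo "rejected: $sample"
  fi
done
```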

@overheadhunter overheadhunter left a comment

If we want to make "all builds equal", we might also want to make this build reproducible? Since we already use mvnw, it's a small change to the pom.xml:

  1. fix all plugin versions (including default plugins such as maven-clean-plugin)
  2. add project.build.outputTimestamp (can be an arbitrary but fixed date such as 2000-01-01)
  3. verify if two builds yield identical artifacts:
    1. ./mvnw clean install
    2. ./mvnw clean package artifact:compare -DskipTests

infeo commented Jan 23, 2026

@overheadhunter Regarding reproducible builds: I want to adjust the pom in a follow-up PR. This focuses solely on the CI.

@infeo infeo requested a review from overheadhunter January 23, 2026 12:33
@infeo infeo merged commit 2a82e48 into develop Jan 26, 2026
10 checks passed
@infeo infeo deleted the feature/refactor-ci branch January 26, 2026 09:26