ci: consolidate pmd, checkstyle, spotbugs into one static-analysis job with inline PR annotations

Replaces the separate pmd and checkstyle jobs with a single static-analysis job. Step 1 compiles and generates PMD/Checkstyle reports (no *:check goals → no Maven cascade-skip; every module's XML is produced). Step 2 is a Python pass that emits GitHub workflow-command annotations from each violation and exits 1 if any are found — fail-fast that bypasses SpotBugs (slow) when there are PMD/Checkstyle issues. Step 3 re-runs Maven `pmd:check pmd:cpd-check checkstyle:check` as a safety-net for official-tool validation. Steps 4-6 mirror the same pattern for SpotBugs (only run if PMD/Checkstyle are clean). Drops the now-redundant pmd/checkstyle/spotbugs goals from maven-verify (now just `mvn clean verify`). line-endings stays separate. Uses `-T 2C` (8 worker threads on a 4 vCPU runner; benchmark on this branch showed ~25% wall-clock saving over sequential).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: joaodinissf

.github/workflows/verify.yml

@@ -4,7 +4,7 @@ on:
     branches: [master]
   pull_request:
 jobs:
-  pmd:
+  static-analysis:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
@@ -14,20 +14,114 @@ jobs:
           java-version: '21'
       - name: Set up Workspace Environment Variable
         run: echo "WORKSPACE=${{ github.workspace }}" >> $GITHUB_ENV
-      - name: PMD Check
-        run: mvn pmd:pmd pmd:cpd pmd:check pmd:cpd-check -f ./ddk-parent/pom.xml --batch-mode --fail-at-end
-  checkstyle:
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654  # v5
+      - name: Cache Maven dependencies
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5
         with:
-          distribution: 'temurin'
-          java-version: '21'
-      - name: Set up Workspace Environment Variable
-        run: echo "WORKSPACE=${{ github.workspace }}" >> $GITHUB_ENV
-      - name: Checkstyle Check
-        run: mvn checkstyle:checkstyle checkstyle:check -f ./ddk-parent/pom.xml --batch-mode --fail-at-end
+          path: /home/runner/.m2/repository
+          key: ${{ runner.os }}-maven-0-${{ hashFiles('**/pom.xml') }}
+      - name: Compile + generate PMD/Checkstyle reports
+        # Report goals (pmd:pmd, pmd:cpd, checkstyle:checkstyle) never fail the build, so
+        # every module's XML is produced — no Maven cascade-skip. Compile first for PMD's
+        # type-resolving rules. Note: pmd:pmd may miss a few edge-case rules that only
+        # surface in pmd:check (see PR description for the maven-pmd-plugin quirk).
+        run: |
+          mvn -T 2C -f ./ddk-parent/pom.xml --batch-mode --fail-at-end \
+            compile \
+            pmd:pmd pmd:cpd \
+            checkstyle:checkstyle
+      - name: Annotate + count PMD/Checkstyle violations
+        # Parse every pmd.xml and checkstyle-result.xml in one Python pass. Emits a GitHub
+        # workflow-command annotation per violation (visible inline in PR Files-changed) and
+        # exits 1 if total > 0 — fail-fast that bypasses SpotBugs (slow) when there are
+        # already known PMD/Checkstyle issues. Runs even if a previous step failed.
+        if: always()
+        run: |
+          python3 - <<'EOF'
+          import os, sys
+          from xml.etree import ElementTree as ET
+          from pathlib import Path
+
+          root = Path(os.environ.get('GITHUB_WORKSPACE', '.'))
+          count = 0
+
+          def annot(level, file, line, title, msg):
+              global count
+              count += 1
+              msg = (msg or '').strip().replace('\n', ' ')[:1000]
+              try:
+                  rel = Path(file).relative_to(root)
+              except ValueError:
+                  rel = file
+              print(f"::{level} file={rel},line={line},title={title}::{msg}")
+
+          for xml in root.rglob('target/pmd.xml'):
+              for f in ET.parse(xml).getroot().findall('file'):
+                  for v in f.findall('violation'):
+                      level = 'error' if v.attrib.get('priority') == '1' else 'warning'
+                      annot(level, f.attrib['name'], v.attrib.get('beginline', '1'),
+                            f"PMD/{v.attrib.get('rule','')}", v.text)
+
+          for xml in root.rglob('target/checkstyle-result.xml'):
+              for f in ET.parse(xml).getroot().findall('file'):
+                  for e in f.findall('error'):
+                      level = 'error' if e.attrib.get('severity') == 'error' else 'warning'
+                      annot(level, f.attrib['name'], e.attrib.get('line', '1'),
+                            f"Checkstyle/{e.attrib.get('source','').split('.')[-1]}",
+                            e.attrib.get('message',''))
+
+          print(f"PMD/Checkstyle violations: {count}")
+          if count > 0:
+              sys.exit(1)
+          EOF
+      - name: Enforce PMD/Checkstyle thresholds (Maven safety-net)
+        # Redundant in the success case (Python check above already passed). Provides
+        # official-tool validation in case the Python parser misreads schema.
+        run: |
+          mvn -T 2C -f ./ddk-parent/pom.xml --batch-mode --fail-at-end \
+            pmd:check pmd:cpd-check \
+            checkstyle:check
+      - name: Generate SpotBugs report
+        run: |
+          mvn -T 2C -f ./ddk-parent/pom.xml --batch-mode --fail-at-end \
+            spotbugs:spotbugs
+      - name: Annotate + count SpotBugs violations
+        if: always()
+        run: |
+          python3 - <<'EOF'
+          import os, sys
+          from xml.etree import ElementTree as ET
+          from pathlib import Path
+
+          root = Path(os.environ.get('GITHUB_WORKSPACE', '.'))
+          count = 0
+
+          def annot(level, file, line, title, msg):
+              global count
+              count += 1
+              msg = (msg or '').strip().replace('\n', ' ')[:1000]
+              try:
+                  rel = Path(file).relative_to(root)
+              except ValueError:
+                  rel = file
+              print(f"::{level} file={rel},line={line},title={title}::{msg}")
+
+          for xml in root.rglob('target/spotbugsXml.xml'):
+              for b in ET.parse(xml).getroot().findall('BugInstance'):
+                  sl = b.find('SourceLine')
+                  lm = b.find('LongMessage')
+                  if sl is not None and lm is not None:
+                      annot('warning', sl.attrib.get('sourcepath', '?'),
+                            sl.attrib.get('start', '1'),
+                            f"SpotBugs/{b.attrib.get('type','')}", lm.text)
+
+          print(f"SpotBugs violations: {count}")
+          if count > 0:
+              sys.exit(1)
+          EOF
+      - name: Enforce SpotBugs threshold (Maven safety-net)
+        run: |
+          mvn -T 2C -f ./ddk-parent/pom.xml --batch-mode --fail-at-end \
+            spotbugs:check
   line-endings:
     runs-on: ubuntu-24.04
     steps:
@@ -64,10 +158,8 @@ jobs:
         with:
           path: /home/runner/.m2/repository
           key: ${{ runner.os }}-maven-0-${{ hashFiles('**/pom.xml') }}
-      - name: Build with Maven  within a virtual X Server Environment
-        # Run pmd:pmd and pmd:cpd first to generate reports for all modules, then run pmd:check and pmd:cpd-check
-        # This ensures all violations are collected and reported before the build fails
-        run: xvfb-run mvn clean verify checkstyle:check pmd:pmd pmd:cpd pmd:check pmd:cpd-check spotbugs:check -f ./ddk-parent/pom.xml --batch-mode --fail-at-end
+      - name: Build with Maven within a virtual X Server Environment
+        run: xvfb-run mvn clean verify -f ./ddk-parent/pom.xml --batch-mode --fail-at-end
       - name: Fail on missing surefire reports
         # Tycho-Surefire writes no TEST-*.xml when discovery is empty — fail the job in that case.
         if: always()