feat: add Phase 6 — CI/CD pipelines, Docker image, Helm chart, and release setup

Add GitHub Actions workflows (CI, release to Maven Central, SonarCloud),
multi-stage Dockerfile with ZGC, docker-compose for local dev, Helm chart
with HPA and health probes, and Maven Central publishing profile in pom.xml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aksOps

.dockerignore

@@ -0,0 +1,9 @@
+.git
+target
+node_modules
+*.md
+docs/
+tests/
+.github/
+helm/
+src/osscodeiq/

.github/workflows/ci-java.yml

@@ -0,0 +1,30 @@
+name: Java CI
+on:
+  push:
+    branches: [java]
+    paths: ['src/**', 'pom.xml']
+  pull_request:
+    branches: [java]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: ['25']
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: ${{ matrix.java }}
+          cache: 'maven'
+      - run: mvn clean verify -B
+      - uses: actions/upload-artifact@v4
+        with:
+          name: test-results
+          path: target/surefire-reports/
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: target/site/jacoco/

.github/workflows/release-java.yml

@@ -0,0 +1,44 @@
+name: Release to Maven Central
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g., 0.1.0)'
+        required: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '25'
+          cache: 'maven'
+          server-id: central
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+      - name: Set release version
+        env:
+          RELEASE_VERSION: ${{ inputs.version }}
+        run: mvn versions:set -DnewVersion="$RELEASE_VERSION"
+      - name: Deploy to Maven Central
+        env:
+          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+        run: mvn clean deploy -P release -B
+      - name: Tag release
+        env:
+          RELEASE_VERSION: ${{ inputs.version }}
+        run: |
+          git tag "v${RELEASE_VERSION}"
+          git push origin "v${RELEASE_VERSION}"
+      - uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ inputs.version }}
+          generate_release_notes: true
+          files: target/code-iq-*.jar

.github/workflows/sonarcloud-java.yml

@@ -0,0 +1,28 @@
+name: SonarCloud Java
+on:
+  push:
+    branches: [java]
+    paths: ['src/**', 'pom.xml']
+  pull_request:
+    branches: [java]
+
+jobs:
+  sonar:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '25'
+          cache: 'maven'
+      - name: Build and analyze
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: >
+          mvn clean verify sonar:sonar -B
+          -Dsonar.projectKey=RandomCodeSpace_code-iq-java
+          -Dsonar.organization=randomcodespace
+          -Dsonar.host.url=https://sonarcloud.io

Dockerfile

@@ -0,0 +1,18 @@
+# Multi-stage build
+FROM eclipse-temurin:25-jdk AS builder
+WORKDIR /build
+COPY pom.xml .
+COPY src ./src
+RUN --mount=type=cache,target=/root/.m2 \
+    mvn clean package -DskipTests -B
+
+# Runtime
+FROM eclipse-temurin:25-jre
+WORKDIR /app
+COPY --from=builder /build/target/code-iq-*.jar app.jar
+
+# AOT cache training (optional, for faster startup)
+# RUN java -XX:AOTCacheOutput=app.aot -Dspring.context.exit=onRefresh -jar app.jar || true
+
+EXPOSE 8080
+ENTRYPOINT ["java", "-XX:+UseZGC", "-jar", "app.jar"]

docker-compose.yml

@@ -0,0 +1,11 @@
+version: '3.8'
+services:
+  code-iq:
+    build: .
+    ports:
+      - "8080:8080"
+    volumes:
+      - ./data:/app/data
+    environment:
+      - SPRING_PROFILES_ACTIVE=serving
+      - CODEIQ_GRAPH_PATH=/app/data/graph.db

helm/code-iq/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: code-iq
+description: OSSCodeIQ — deterministic code knowledge graph server
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+maintainers:
+  - name: RandomCodeSpace
+    url: https://github.com/RandomCodeSpace
+sources:
+  - https://github.com/RandomCodeSpace/code-iq

helm/code-iq/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-code-iq-config
+  labels:
+    app: {{ .Release.Name }}-code-iq
+data:
+  application.yml: |
+    spring:
+      profiles:
+        active: serving
+    codeiq:
+      graph:
+        path: /app/data/graph.db
+    management:
+      endpoints:
+        web:
+          exposure:
+            include: health,info,metrics
+      endpoint:
+        health:
+          probes:
+            enabled: true

helm/code-iq/templates/deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-code-iq
+  labels:
+    app: {{ .Release.Name }}-code-iq
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-code-iq
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-code-iq
+    spec:
+      containers:
+        - name: code-iq
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+            {{- range $key, $value := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: HAZELCAST_CLUSTER_NAME
+              value: {{ .Values.hazelcast.clusterName | quote }}
+            - name: HAZELCAST_SERVICE_NAME
+              value: {{ .Values.hazelcast.serviceName | quote }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.probes.readiness.path }}
+              port: http
+            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.probes.liveness.path }}
+              port: http
+            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /app/data
+      volumes:
+        - name: data
+          emptyDir: {}

helm/code-iq/templates/hpa.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ .Release.Name }}-code-iq
+  labels:
+    app: {{ .Release.Name }}-code-iq
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ .Release.Name }}-code-iq
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPU }}
+{{- end }}