chore: Upgrade bff from spring to quarkus by giampiero-ferrara · Pull Request #220 · pagopa/selfcare

giampiero-ferrara · 2026-04-10T12:40:48Z

List of Changes

Migrated and consolidated onboarding-bff on Quarkus, aligned with the
structure used by other microservices.
Refactored onboarding integration by removing the BFF client pattern in
favor of a proper service layer (OnboardingService /
OnboardingServiceImpl) outside the api package.
Aligned REST client configuration and application properties (cleanup,
grouped sections with comments, renamed ms_core -> institution).
Aligned token/JWT handling with other microservices (iam, product,
auth) and removed remaining unnecessary Spring remnants.
Moved Jackson/date codec configuration under config (same approach used in
iam/product) and fixed BFF date deserialization issues.
Hardened logging to resolve GitHub Advanced Security findings (CodeQL Log Injection) through centralized sanitization (OWASP Encode.forJava).
Updated tests and technical documentation for the module.
Updated CI workflows:
- split Cucumber integration tests into a dedicated workflow
  integration_tests_onboarding_bff.yml;
- aligned integration test suite naming to CucumberSuiteTest (same
  convention as other microservices);
- excluded Cucumber suite from standard test lifecycle (maven-surefire- plugin exclude), so clean install does not run it automatically;
- fixed workflow permissions by removing pull-requests: write where not
  allowed in the reusable workflow chain.

Motivation and Context

This PR originates from the need to experimentally use an AI tool to perform a
migration of onboarding-bff from Spring to Quarkus, while keeping functional
parity and repository standards.

During this migration experiment, a number of issues emerged and were
addressed in this work:

401 errors on downstream REST calls;
token/client configuration misalignment;
date deserialization failures;
security findings from GitHub Advanced Security scans.

The PR also improves CI reliability by:

running Cucumber integration tests only when explicitly requested;
removing PR workflow failures caused by reusable-workflow permission
mismatch.

Overall goal: validate an AI-assisted migration path from Spring to Quarkus,
with human supervision and targeted corrections, aligned with the technical
and operational standards already adopted across the repository.

How Has This Been Tested?

Compiled the BFF module after refactoring.
Performed static/config-level validation of updated GitHub workflows.
Verified runtime wiring (REST clients/config/token flow) during local
troubleshooting.
Re-tested real scenarios that previously reproduced:
- 401 errors on downstream client calls;
- OffsetDateTime deserialization failures when timezone offset is missing.
Re-checked impacted GHAS/CodeQL findings on updated logging points.

Screenshots (if appropriate):

N/A

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality
to not work as expected)

Checklist:

My change requires a change to the documentation.
I have updated the documentation accordingly.

AI-assisted development disclosure

This PR was implemented with AI model assistance and supervised by me end-to-
end.
I reviewed all proposed changes and applied targeted manual adjustments where
needed (application logic, security, configuration, and CI workflows) before
finalizing.

sonarqubecloud · 2026-04-20T12:51:14Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

…rkus

# Conflicts: # apps/onboarding-functions/src/main/java/it/pagopa/selfcare/onboarding/config/OnboardingFunctionConfig.java # infra/resources/onboarding-functions/dev-pnpg/onboarding.tf # infra/resources/onboarding-functions/prod-ar/onboarding.tf # infra/resources/onboarding-functions/prod-pnpg/onboarding.tf # infra/resources/onboarding-functions/uat-ar/onboarding.tf # infra/resources/onboarding-functions/uat-pnpg/onboarding.tf

# Conflicts: # .github/workflows/call_release_app.yml # apps/onboarding-bff/connector/rest/src/main/java/it/pagopa/selfcare/onboarding/connector/OnboardingMsConnectorImpl.java # apps/onboarding-bff/connector/rest/src/test/java/it/pagopa/selfcare/onboarding/connector/OnboardingMsConnectorImplTest.java

sonarqubecloud · 2026-04-23T07:59:37Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2026-04-24T09:32:19Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Improved rest-client

d50140d

giampiero-ferrara requested review from a team and giulia-tremolada as code owners April 10, 2026 12:40

github-actions Bot added docs onboarding-bff labels Apr 10, 2026

giampiero-ferrara added 11 commits April 10, 2026 14:42

Merge branch 'main' into feature/migration-bff-quarkus

0e6b967

Removed old infra reference

b109b51

Updated client

056c314

Fixed rest client

e095a2b

Fixed error

e207776

Refactored module

c0bec33

Fixed pom

0daf581

Fixed client

e01d475

Removing layer of connector

5830cf6

Removing layer of api

501f6c5

Refactored packages

c36c82c

github-advanced-security AI found potential problems Apr 13, 2026

View reviewed changes

giampiero-ferrara added 9 commits April 13, 2026 11:30

Updated openapi annotation

e64787f

Updated junit test

189d44a

Added test dependency

200bc27

Fixed model

902e012

Updated junit test

55fa1cc

Fixed security and junit test

5eb8dd2

Refactored client

71d0bfc

Fixed property

cc5db0e

Fixed model

0dd41de

github-advanced-security AI found potential problems Apr 13, 2026

View reviewed changes

giampiero-ferrara added 2 commits April 13, 2026 15:02

Fixed junit test

efe0496

Removed selc-commons-base

03de04c

giampiero-ferrara had a problem deploying to dev-cd April 20, 2026 07:32 — with GitHub Actions Error

giampiero-ferrara temporarily deployed to dev-ci April 20, 2026 12:35 — with GitHub Actions Inactive

giampiero-ferrara temporarily deployed to dev-cd April 20, 2026 12:37 — with GitHub Actions Inactive

Fixed action

5ad9908

giampiero-ferrara added 20 commits April 20, 2026 15:00

Fixed function depends_on

b006738

Testing

2ffa1b1

Fixed app_insights

02e55f9

Merge branch 'main' into feature/migration-bff-quarkus

efb09e4

Merge branch 'fix/infra-onboarding-ms' into feature/migration-bff-qua…

8a94a31

…rkus

Testing action

ad1519b

Revert infra plan

3488d9d

Added permission into runner

796cdcd

Merge branch 'main' into feature/migration-bff-quarkus

c6c9aee

Fixed mapper

f080348

Updated release_app

62935ed

Merge branch 'main' into feature/migration-bff-quarkus

4646ccc

Fixed gitignore

d649007

Fixed missing import

e077dc3

Fixed api on parse enum

11b80f2

Fixed controller

81240b7

Fixed mock

c22fd25

Fixed code

02e41c5

giampiero-ferrara added 3 commits April 23, 2026 09:59

Fixed test

270c648

Fixed junit test

4e9343a

Merge branch 'main' into feature/migration-bff-quarkus

9e1788a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Upgrade bff from spring to quarkus#220

chore: Upgrade bff from spring to quarkus#220
giampiero-ferrara wants to merge 106 commits intomainfrom
feature/migration-bff-quarkus

giampiero-ferrara commented Apr 10, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud Bot commented Apr 20, 2026

Uh oh!

sonarqubecloud Bot commented Apr 23, 2026

Uh oh!

sonarqubecloud Bot commented Apr 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

giampiero-ferrara commented Apr 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

List of Changes

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

Checklist:

AI-assisted development disclosure

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

sonarqubecloud Bot commented Apr 20, 2026

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented Apr 23, 2026

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented Apr 24, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

giampiero-ferrara commented Apr 10, 2026 •

edited

Loading