Skip to content

chore: Upgrade bff from spring to quarkus#220

Open
giampiero-ferrara wants to merge 106 commits intomainfrom
feature/migration-bff-quarkus
Open

chore: Upgrade bff from spring to quarkus#220
giampiero-ferrara wants to merge 106 commits intomainfrom
feature/migration-bff-quarkus

Conversation

@giampiero-ferrara
Copy link
Copy Markdown
Collaborator

@giampiero-ferrara giampiero-ferrara commented Apr 10, 2026

List of Changes

  • Migrated and consolidated onboarding-bff on Quarkus, aligned with the
    structure used by other microservices.
  • Refactored onboarding integration by removing the BFF client pattern in
    favor of a proper service layer (OnboardingService /
    OnboardingServiceImpl) outside the api package.
  • Aligned REST client configuration and application properties (cleanup,
    grouped sections with comments, renamed ms_core -> institution).
  • Aligned token/JWT handling with other microservices (iam, product,
    auth) and removed remaining unnecessary Spring remnants.
  • Moved Jackson/date codec configuration under config (same approach used in
    iam/product) and fixed BFF date deserialization issues.
  • Hardened logging to resolve GitHub Advanced Security findings (CodeQL Log Injection) through centralized sanitization (OWASP Encode.forJava).
  • Updated tests and technical documentation for the module.
  • Updated CI workflows:
    • split Cucumber integration tests into a dedicated workflow
      integration_tests_onboarding_bff.yml;
    • aligned integration test suite naming to CucumberSuiteTest (same
      convention as other microservices);
    • excluded Cucumber suite from standard test lifecycle (maven-surefire- plugin exclude), so clean install does not run it automatically;
    • fixed workflow permissions by removing pull-requests: write where not
      allowed in the reusable workflow chain.

Motivation and Context

This PR originates from the need to experimentally use an AI tool to perform a
migration of onboarding-bff from Spring to Quarkus, while keeping functional
parity and repository standards.

During this migration experiment, a number of issues emerged and were
addressed in this work:

  • 401 errors on downstream REST calls;
  • token/client configuration misalignment;
  • date deserialization failures;
  • security findings from GitHub Advanced Security scans.

The PR also improves CI reliability by:

  • running Cucumber integration tests only when explicitly requested;
  • removing PR workflow failures caused by reusable-workflow permission
    mismatch.

Overall goal: validate an AI-assisted migration path from Spring to Quarkus,
with human supervision and targeted corrections, aligned with the technical
and operational standards already adopted across the repository.

How Has This Been Tested?

  • Compiled the BFF module after refactoring.
  • Performed static/config-level validation of updated GitHub workflows.
  • Verified runtime wiring (REST clients/config/token flow) during local
    troubleshooting.
  • Re-tested real scenarios that previously reproduced:
    • 401 errors on downstream client calls;
    • OffsetDateTime deserialization failures when timezone offset is missing.
  • Re-checked impacted GHAS/CodeQL findings on updated logging points.

Screenshots (if appropriate):

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality
    to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

AI-assisted development disclosure

This PR was implemented with AI model assistance and supervised by me end-to-
end.
I reviewed all proposed changes and applied targeted manual adjustments where
needed (application logic, security, configuration, and CI workflows) before
finalizing.

@sonarqubecloud
Copy link
Copy Markdown

# Conflicts:
#	apps/onboarding-functions/src/main/java/it/pagopa/selfcare/onboarding/config/OnboardingFunctionConfig.java
#	infra/resources/onboarding-functions/dev-pnpg/onboarding.tf
#	infra/resources/onboarding-functions/prod-ar/onboarding.tf
#	infra/resources/onboarding-functions/prod-pnpg/onboarding.tf
#	infra/resources/onboarding-functions/uat-ar/onboarding.tf
#	infra/resources/onboarding-functions/uat-pnpg/onboarding.tf
# Conflicts:
#	.github/workflows/call_release_app.yml
#	apps/onboarding-bff/connector/rest/src/main/java/it/pagopa/selfcare/onboarding/connector/OnboardingMsConnectorImpl.java
#	apps/onboarding-bff/connector/rest/src/test/java/it/pagopa/selfcare/onboarding/connector/OnboardingMsConnectorImplTest.java
@sonarqubecloud
Copy link
Copy Markdown

@sonarqubecloud
Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants