github · edburns · May 22, 2026 · May 22, 2026 · May 22, 2026 · May 23, 2026
@@ -11,6 +11,7 @@ on:
       - "dotnet/src/**"
       - "rust/src/**"
       - "rust/Cargo.toml"
+      - "java/src/**"
       - ".github/workflows/scenario-builds.yml"
   push:
     branches:
@@ -235,3 +236,46 @@ jobs:
             echo -e "Failures:$FAILURES"
             exit 1
           fi
+
+  # ── Java ────────────────────────────────────────────────────────────
+  build-java:
+    name: "Java scenarios"
+    if: github.event.repository.fork == false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: "temurin"
+          java-version: "17"
+          cache: "maven"
+
+      # Install SDK to local Maven repo so scenarios can resolve it
+      - name: Install SDK to local repo
+        working-directory: java
+        run: mvn install -DskipTests -q
+
+      - name: Build all Java scenarios
+        run: |
+          PASS=0; FAIL=0; FAILURES=""
+          for pom in $(find test/scenarios -path '*/java/pom.xml' | sort); do
+            dir=$(dirname "$pom")
+            scenario="${dir#test/scenarios/}"
+            echo "::group::$scenario"
+            if (cd "$dir" && mvn compile -q 2>&1); then
+              echo "✅ $scenario"
+              PASS=$((PASS + 1))
+            else
+              echo "❌ $scenario"
+              FAIL=$((FAIL + 1))
+              FAILURES="$FAILURES\n  $scenario"
+            fi
+            echo "::endgroup::"
+          done
+          echo ""
+          echo "Java builds: $PASS passed, $FAIL failed"
+          if [ "$FAIL" -gt 0 ]; then
+            echo -e "Failures:$FAILURES"
+            exit 1
+          fi
@@ -0,0 +1,186 @@
+## ghcp-sp-95
+
+### 10:44 Prompt
+
+In issue 95, you stated exactly this as the remedy for the branch protection problem.
+
+```bash
+gh api repos/github/copilot-sdk/rulesets \
+  -X POST \
+  --input - <<'EOF'
+{
+  "name": "ghcp-sp-95-java-branch-protection",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "include": ["refs/heads/main"],
+      "exclude": []
+    }
+  },
+  "bypass_actors": [
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    }
+  ],
+  "rules": [
+    { "type": "deletion" },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": false,
+        "require_code_owner_review": false,
+        "require_last_push_approval": false,
+        "required_review_thread_resolution": false,
+        "allowed_merge_methods": ["merge", "squash", "rebase"]
+      }
+    },
+    { "type": "non_fast_forward" }
+  ]
+}
+EOF
+```
+
+I have approval from the stakeholders to do this. But because I'm very new to the repo and want to protect my reputation as a careful and risk-averse engineer, I want to know exactly how I can revert exactly this change, should problems arise.
+
+Can you give me the command that will effectively "undo" the operation?
+
+### 10:48 Response
+
+The POST will return a JSON response containing an `id` field. To undo, you delete that specific ruleset:
+
+```bash
+gh api repos/github/copilot-sdk/rulesets/<RULESET_ID> -X DELETE
+```
+
+### Practical workflow:
+
+1. **When you create it**, capture the ID from the response:
+
+   ```bash
+   gh api repos/github/copilot-sdk/rulesets \
+     -X POST \
+     --input - <<'EOF'
+   ... (your payload) ...
+   EOF
+   ```
+
+   The response JSON will include `"id": 12345678`. Note that number.
+
+2. **If you need to revert:**
+
+   ```bash
+   gh api repos/github/copilot-sdk/rulesets/12345678 -X DELETE
+   ```
+
+3. **If you lose the ID**, you can find it:
+   ```bash
+   gh api repos/github/copilot-sdk/rulesets --jq '.[] | select(.name == "Protect main") | .id'
+   ```
+
+The DELETE removes the ruleset entirely — returning the repo to the state before you created it (assuming step 1 from the issue, deleting the classic branch protection, has already been done separately). There is no partial state; it's a clean removal.
+
+### 10:50 Prompt
+
+Here is the post again. I've changed the "name":
+
+```bash
+gh api repos/github/copilot-sdk/rulesets \
+  -X POST \
+  --input - <<'EOF'
+{
+  "name": "ghcp-sp-95-java-branch-protection",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "include": ["refs/heads/main"],
+      "exclude": []
+    }
+  },
+  "bypass_actors": [
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "always"
+    }
+  ],
+  "rules": [
+    { "type": "deletion" },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": false,
+        "require_code_owner_review": false,
+        "require_last_push_approval": false,
+        "required_review_thread_resolution": false,
+        "allowed_merge_methods": ["merge", "squash", "rebase"]
+      }
+    },
+    { "type": "non_fast_forward" }
+  ]
+}
+EOF
+```
+
+Can you please write a PowerShell script I can execute that does the command and make s it so I can capture the necessary response? Write it to `temporary-prompts/ghcp-sp-95-enable-java-branch-protection.ps1`.
+
+### 10:55 Response
+
+Created [](file:///e%3A/workareas/copilot-sdk-java-00/temporary-prompts/ghcp-sp-95-enable-java-branch-protection.ps1)
+
+Created at ghcp-sp-95-enable-java-branch-protection.ps1. It pipes the JSON payload to `gh api`, parses the response to extract the ruleset ID, and prints the exact DELETE command you'd need to revert.
+
+Made changes.
+
+### 10:54 Prompt
+
+Here is the output
+
+```
+Ruleset created successfully.
+  Name: ghcp-sp-95-java-branch-protection
+  ID:   16552308
+
+To revert this change:
+  gh api repos/github/copilot-sdk/rulesets/16552308 -X DELETE
+```
+
+### 20:00 Response
+
+Phase 1 is complete. Here's a summary:
+
+Phase 1 Complete ✅
+
+Two commits made on edburns/80-java-monorepo-add-01:
+
+1.  446547c — Copied all Java SDK source files into java/ (src, pom.xml, config, scripts, docs, mvnw, etc.)
+2.  f0aebe7 — Updated pom.xml to use local monorepo test harness instead of git clone:
+    - Removed antrun git-clone plugin entirely
+    - Changed copilot.sdk.clone.dir to ${project.basedir}/.. (monorepo root)
+    - Updated <scm> URLs to github/copilot-sdk
+    - Updated comments to reflect monorepo layout
+
+Verification: mvn clean verify passes — BUILD SUCCESS (9 min, all tests green).
+
+## dd-2989720-move-to-monorepo
+
+The file `80-java-monorepo-add-01-remove-before-merge\dd-2989727-move-java-to-monorepo-plan.md` is a high-level plan for migrating the code in `..\copilot-sdk-java-00` (source), which is a local clone of https://github.com/github/copilot-sdk-java , to reside in the `java` directory within `copilot-sdk-00` (dest), which is a local clone of https://github.com/github/copilot-sdk .
+
+Read the whole thing now.
+
+Next, I want the agent to handle "Phase 1: Copy Source Code (No Workflows Yet)". Note that the markdown strikethrough steps have already been completed.
+
+Next, write out a fully detailed prompt sufficient to feed to an agent with `copilot --yolo` to instruct the agent to do Phase 1.
+
+- ✅✅✅ Assume copilot will be invoked in `copilot-sdk-00` (dest) and that `..\copilot-sdk-java-00` is the correct relative path for the source.
+- ✅✅✅ Tell the agent about the paths.
+- ✅✅✅ Tell the agent it is safe to do the work in the current topic branch, making fine-grained commits with reasonable commit log messages.
+- Tell the agent to read `80-java-monorepo-add-01-remove-before-merge\dd-2989727-move-java-to-monorepo-plan.md` first.
+- ❌❌❌ Tell the agent to not do any other phases.
+
+Write the prompt to the file `80-java-monorepo-add-01-remove-before-merge\dd-2997995.md`.
@@ -0,0 +1,95 @@
+### 16:23 Prompt
+
+Evaluate `java-sdk-tests.yml` and show me the differences with the file from which it was derived, `copilot-sdk-java-00/.github/workflows/build-test.yml`.
+
+
+### 16:25 Response
+
+Read [](file:///c%3A/Users/edburns/workareas/copilot-sdk-00/.github/workflows/java-sdk-tests.yml)
+
+Read [](file:///c%3A/Users/edburns/workareas/copilot-sdk-java-00/.github/workflows/build-test.yml#1-1), lines 1 to 150
+
+Here's a comparison of the key differences:
+
+## Structural Differences
+
+| Aspect | build-test.yml (source) | java-sdk-tests.yml (new) |
+|--------|--------------------------|---------------------------|
+| **Name** | "Build & Test" | "Java SDK Tests" |
+| **Schedule trigger** | Weekly cron (Sundays 00:00 UTC) | Removed |
+| **Push paths** | `paths-ignore` (README, LICENSE, .github) | No path filter on push to main |
+| **PR paths** | `paths-ignore` pattern | `paths` include pattern (`java/**`, `test/**`, workflow file) with doc exclusions |
+| **OS matrix** | `ubuntu-latest` only | 3-OS matrix (`ubuntu`, `macos`, `windows`) |
+| **Working directory** | None (repo root = java root) | `working-directory: ./java` |
+| **Smoke test job** | Yes (calls `run-smoke-test.yml`, gates main job) | Removed (deferred to Phase 3) |
+| **Permissions** | `contents: write`, `checks: write`, `pull-requests: write` | `contents: read` only |
+
+## Removed Features (intentionally per plan)
+
+- **Smoke test job** — Phase 3 concern
+- **JaCoCo badge generation** + PR creation — not needed in monorepo CI
+- **`validate reference-impl-sync completeness` step** — Phase 4 concern
+- **Upload test results for site generation** — not needed in monorepo CI
+- **`COPILOT_GITHUB_TOKEN` / `COPILOT_CLI_PATH` env vars** — not used
+- **Clone-based test harness setup** (`cd target/copilot-sdk/nodejs && npm ci`) — replaced by local harness install
+
+## Added/Changed Features
+
+- **3-OS matrix** — matches other monorepo SDK test workflows
+- **Explicit Node.js setup** + `npm ci` on nodejs and harness — replaces the clone-based approach since harness is now local
+- **Path-scoped PR triggers** — only fires when java, test, or the workflow itself changes
+- **Spotless/Javadoc gated to Linux only** (`if: runner.os == 'Linux'`) — avoids redundant formatting checks on all 3 OS
+- **Action versions use tags** (`@v6.0.2`) instead of pinned commit SHAs — less secure but more readable; the source used full SHA pins
+
+## Potential Concerns
+
+1. **No SHA-pinned actions** — The source pinned actions to exact commit SHAs (e.g., `actions/checkout@de0fac2e...`). The new file uses version tags (`@v6.0.2`, `@v5`, `@v6`). This is less secure against supply-chain attacks but matches the style used in some monorepo workflows.
+
+2. **Missing `persist-credentials: false`** on checkout — the source had this explicitly set for security.
+
+3. **No `COPILOT_GITHUB_TOKEN`** — The source passed this to `mvn verify` for E2E tests that talk to a live Copilot CLI. If E2E tests in the monorepo still need a real token (vs. only the replay proxy), this would cause test failures. However, since the monorepo E2E tests use the replay proxy from harness, this is likely fine.
+
+4. **`distribution: "microsoft"`** for JDK — both files use this, which is consistent.
+
+5. **Push trigger has no path filter** — PRs are path-filtered, but pushes to `main` will run on every push regardless of which files changed. Other monorepo workflows (e.g., `dotnet-sdk-tests.yml`) may or may not have this same pattern — worth checking for consistency.
+
+### 16:25 Response
+
+Concerns
+
+1. I want a push path filter. Should only run on channges to `/java`. 
+
+2. For the 3-OS matrix, make it only for `ubuntu-latest`.
+
+3. For permissions, make it have the same as `build-tests.yml`.
+
+4. Yes, I do want the Jacoco badge creation. Copy that entire mechanism from `copilot-sdk-java-00`.
+
+5. You stated
+
+   `COPILOT_GITHUB_TOKEN / COPILOT_CLI_PATH env vars — not used` 
+
+   Why is this? Looking at `build-tests.yml` those things are clearly in there:
+
+   ```yml
+   - name: Run Java SDK tests
+     env:
+       CI: "true"
+       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+       COPILOT_CLI_PATH: ${{ steps.setup-copilot.outputs.path }}
+     run: mvn verify
+   ```
+
+   Surely we need them on the `copilot-sdk-00` side as well. There are Java tests that don't just use the relay proxy.
+
+6. Consider this review comment:
+
+   > No SHA-pinned actions — The source pinned actions to exact commit SHAs (e.g., actions/checkout@de0fac2e...). The new file uses version tags (@v6.0.2, @v5, @v6). This is less secure against supply-chain attacks but matches the style used in some monorepo workflows.
+
+   I want the pinned actions.
+
+7. Consider this review comment:
+
+   > Missing persist-credentials: false on checkout — the source had this explicitly set for security.
+
+   I want this set here as well.