chore: Java 17 migration (Phases 1-3) - build config, CI, and dependency upgrades

[devin-ai-integration]

Java 17 Migration (Phases 1-3)

Summary

Migrates the project from Java 11 to Java 17, upgrading Spring Boot from 2.6.3 → 2.7.18 and all major dependencies. Includes source code fixes required by breaking API changes in JJWT 0.12.x and Netflix DGS 5.5.1.

Build config changes (build.gradle, .github/workflows/gradle.yml):

• Java source/target compatibility: 11 → 17
• Spring Boot: 2.6.3 → 2.7.18
• DGS codegen plugin: 5.0.6 → 6.0.3
• Netflix DGS: 4.9.21 → 5.5.1 (+ forced graphql-java:19.2 to resolve federation compatibility)
• JJWT: 0.11.2 → 0.12.5
• MyBatis: 2.2.2 → 2.3.2, Joda-Time: 2.10.13 → 2.12.7, SQLite JDBC: 3.36.0.3 → 3.45.0.0
• REST Assured: 4.5.1 → 5.4.0 (with explicit rest-assured-common and spring-commons to prevent Spring BOM downgrade)
• CI pipeline: JDK 11 → JDK 17

Source code fixes:

• DefaultJwtService: migrated from deprecated JJWT 0.11 API (parserBuilder, setSubject, parseClaimsJws, getBody) to 0.12 API (parser, subject, parseSignedClaims, getPayload). Switched key creation from SecretKeySpec + SignatureAlgorithm.HS512 to Keys.hmacShaKeyFor().
• ArticleDatafetcher / CommentDatafetcher: replaced graphql.relay.DefaultPageInfo with DGS-generated io.spring.graphql.types.PageInfo to fix type incompatibility introduced by DGS 5.5.1.

Review & Testing Checklist for Human

• JWT algorithm change (HIGH RISK): Keys.hmacShaKeyFor() auto-selects HMAC algorithm based on key byte length (HS256 for 32-47 bytes, HS384 for 48-63, HS512 for 64+). The old code hardcoded HS512. Verify the production jwt.secret value is ≥64 bytes, otherwise the signing algorithm silently downgrades and all existing tokens become invalid after deployment.
• DGS + graphql-java version mismatch: DGS 5.5.1 officially targets graphql-java 18.x, but we force 19.2 to satisfy federation-graphql-java-support. Test GraphQL queries/mutations manually to ensure no runtime issues.
• Run the app locally (./gradlew bootRun) and verify REST API endpoints work (e.g., curl http://localhost:8080/tags, user registration/login, article CRUD).
• Verify pagination in GraphQL responses — the PageInfo type change affects hasPreviousPage/hasNextPage field names.

Notes

• All 68 existing tests pass locally with Java 17.
• Link to Devin run: https://app.devin.ai/sessions/069fe88aac2e4c199ca4ed88e9884331
• Requested by: @VedantKh

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.