Pankraz76 · Pankraz76 · Dec 16, 2025 · Pankraz76 · Dec 16, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: GH Actions CI
+name: GH Actions CI ♻️
 
 on:
   push:
@@ -33,7 +33,7 @@ jobs:
   build:
     permissions:
       contents: read
-    name: OpenJDK 25 - ${{matrix.rdbms}}
+    name: OpenJDK - 🟢 ${{matrix.rdbms}}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -57,19 +57,19 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - name: Reclaim Disk Space
+      - name: Reclaim Disk Space 💾
         run: .github/ci-prerequisites.sh
-      - name: Start database
+      - name: Start database 🗄️
         env:
           RDBMS: ${{ matrix.rdbms }}
         run: ci/database-start.sh
-      - name: Set up Java 25
+      - name: Set up Java 25 ☕️
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: 'temurin'
           java-version: '25'
 
-      - name: Generate cache key
+      - name: Generate cache key 🔑
         id: cache-key
         run: |
           CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
@@ -79,7 +79,7 @@ jobs:
           echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
           echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
           echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
-      - name: Cache Maven/Gradle Dependency/Dist Caches
+      - name: Cache Maven/Gradle Dependency/Dist Caches 📦
         id: cache-maven
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         # if it's not a pull request, we restore and save the cache
@@ -97,7 +97,7 @@ jobs:
           restore-keys: |
             ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
-      - name: Restore Maven/Gradle Dependency/Dist Caches
+      - name: Restore Maven/Gradle Dependency/Dist Caches 📥
         uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         # if it a pull request, we restore the cache but we don't save it
         if: github.event_name == 'pull_request'
@@ -112,7 +112,7 @@ jobs:
             ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
 
-      - name: Run build script
+      - name: Run build script 🏗️
         run: ./ci/build-github.sh
         shell: bash
         env:
@@ -125,29 +125,29 @@ jobs:
       # For jobs running on 'pull_request', upload build scan data.
       # The actual publishing must be done in a separate job (see ci-report.yml).
       # We don't write to the remote cache as that would be unsafe.
-      - name: Upload GitHub Actions artifact for the Develocity build scan
+      - name: Upload GitHub Actions artifact for the Develocity build scan 📤
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
         with:
           name: build-scan-data-${{ matrix.rdbms }}
           path: ~/.gradle/build-scan-data
 
-      - name: Upload test reports (if Gradle failed)
+      - name: Upload test reports (if Gradle failed) 📊
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-reports-java11-${{ matrix.rdbms }}
           path: |
             ./**/target/reports/tests/
-      - name: Omit produced artifacts from build cache
+      - name: Omit produced artifacts from build cache 🧹
         run: ./ci/before-cache.sh
 
   # Job for builds on Oracle TP infrastructure.
   # This is untrusted, even for pushes, see below.
   otp:
     permissions:
       contents: read
-    name: GraalVM 25 - ${{matrix.rdbms}}
+    name: GraalVM - 🟦 ${{matrix.rdbms}}
     runs-on: [ self-hosted, Linux, X64, OracleTestPilot ]
     strategy:
       fail-fast: false
@@ -161,12 +161,12 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - name: Set up Java 25
+      - name: Set up Java 25 ☕️
         uses: graalvm/setup-graalvm@aafbedb8d382ed0ca6167d3a051415f20c859274 # v1.2.8
         with:
           distribution: 'graalvm'
           java-version: '25'
-      - name: Generate cache key
+      - name: Generate cache key 🔑
         id: cache-key
         run: |
           CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
@@ -176,7 +176,7 @@ jobs:
           echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
           echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
           echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
-      - name: Cache Maven/Gradle Dependency/Dist Caches
+      - name: Cache Maven/Gradle Dependency/Dist Caches 📦
         id: cache-maven
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         # if it's not a pull request, we restore and save the cache
@@ -194,7 +194,7 @@ jobs:
           restore-keys: |
             ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
-      - name: Restore Maven/Gradle Dependency/Dist Caches
+      - name: Restore Maven/Gradle Dependency/Dist Caches 📥
         uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         # if it is a pull request, we restore the cache but we don't save it
         if: github.event_name == 'pull_request'
@@ -216,7 +216,7 @@ jobs:
           action: create
           user: hibernate_orm_test_1,hibernate_orm_test_2,hibernate_orm_test_3,hibernate_orm_test_4
 
-      - name: Run build script
+      - name: Run build script 🏗️
         env:
           RDBMS: ${{ matrix.rdbms }}
           RUNID: ${{ github.run_number }}
@@ -242,41 +242,41 @@ jobs:
       # The actual publishing must be done in a separate job (see ci-report.yml).
       # We don't write to the remote cache as that would be unsafe.
       # That's even on push, because we do not trust Atlas runners to hold secrets: they are shared infrastructure.
-      - name: Upload GitHub Actions artifact for the Develocity build scan
+      - name: Upload GitHub Actions artifact for the Develocity build scan 📤
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: "${{ !cancelled() }}"
         with:
           name: build-scan-data-${{ matrix.rdbms }}
           path: ~/.gradle/build-scan-data
-      - name: Upload test reports (if Gradle failed)
+      - name: Upload test reports (if Gradle failed) 📊
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-reports-java11-${{ matrix.rdbms }}
           path: |
             ./**/target/reports/tests/
-      - name: Omit produced artifacts from build cache
+      - name: Omit produced artifacts from build cache 🧹
         run: ./ci/before-cache.sh
 
   # Static code analysis check
   format_checks:
     permissions:
       contents: read
-    name: Static code analysis
+    name: Static code analysis 🔍
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - name: Reclaim disk space and sanitize user home
+      - name: Reclaim disk space and sanitize user home 💾
         run: .github/ci-prerequisites-atlas.sh
-      - name: Set up Java 25
+      - name: Set up Java 25 ☕️️
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: 'temurin'
           java-version: '25'
 
-      - name: Generate cache key
+      - name: Generate cache key 🔑
         id: cache-key
         run: |
           CURRENT_BRANCH="${{ github.repository != 'hibernate/hibernate-orm' && 'fork' || github.base_ref || github.ref_name }}"
@@ -286,7 +286,7 @@ jobs:
           echo "buildtool-monthly-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}" >> $GITHUB_OUTPUT
           echo "buildtool-monthly-branch-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}" >> $GITHUB_OUTPUT
           echo "buildtool-cache-key=${ROOT_CACHE_KEY}-${CURRENT_MONTH}-${CURRENT_BRANCH}-${CURRENT_DAY}" >> $GITHUB_OUTPUT
-      - name: Cache Maven/Gradle Dependency/Dist Caches
+      - name: Cache Maven/Gradle Dependency/Dist Caches 📦
         id: cache-maven
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         # if it's not a pull request, we restore and save the cache
@@ -304,7 +304,7 @@ jobs:
           restore-keys: |
             ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-
-      - name: Restore Maven/Gradle Dependency/Dist Caches
+      - name: Restore Maven/Gradle Dependency/Dist Caches 📥
         uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         # if it a pull request, we restore the cache but we don't save it
         if: github.event_name == 'pull_request'
@@ -319,30 +319,33 @@ jobs:
             ${{ steps.cache-key.outputs.buildtool-monthly-branch-cache-key }}-
             ${{ steps.cache-key.outputs.buildtool-monthly-cache-key }}-    
 
-      - name: Run build script
+      - name: Run build script 🏗️
         run: ./gradlew formatChecks
         env:
           # For jobs running on 'push', publish build scan and cache immediately.
           # This won't work for pull requests, since they don't have access to secrets.
           POPULATE_REMOTE_GRADLE_CACHE: ${{ github.event_name == 'push' && github.repository == 'hibernate/hibernate-orm' && 'true' || 'false' }}
           DEVELOCITY_ACCESS_KEY: "${{ secrets.DEVELOCITY_ACCESS_KEY }}"
 
+      - name: Sanity Check 🦉
+        run: ./gradlew rewriteDryRun -Dorg.gradle.jvmargs=-Xmx3G
+
       # For jobs running on 'pull_request', upload build scan data.
       # The actual publishing must be done in a separate job (see ci-report.yml).
       # We don't write to the remote cache as that would be unsafe.
-      - name: Upload GitHub Actions artifact for the Develocity build scan
+      - name: Upload GitHub Actions artifact for the Develocity build scan 📤
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: "${{ github.event_name == 'pull_request' && !cancelled() }}"
         with:
           name: build-scan-data-sca
           path: ~/.gradle/build-scan-data
 
-      - name: Upload test reports (if Gradle failed)
+      - name: Upload test reports (if Gradle failed) 📊
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-reports-java11-sca
           path: |
             ./**/target/reports/tests/
-      - name: Omit produced artifacts from build cache
-        run: ./ci/before-cache.sh
+      - name: Omit produced artifacts from build cache 🧹
+        run: ./ci/before-cache.sh
diff --git a/build.gradle b/build.gradle
@@ -4,38 +4,28 @@
  */
 
 buildscript {
-//	repositories {
-//		mavenCentral()
-//	}
-
 	dependencies {
-//		classpath 'org.asciidoctor:asciidoctor-gradle-plugin:1.5.7'
 		classpath buildscriptLibs.forbiddenapis
 		classpath 'org.junit.platform:junit-platform-gradle-plugin:1.0.3'
 	}
 }
 
-
 plugins {
-	id "local.module"
-
-	id "org.hibernate.build.version-injection" version "2.2.0" apply false
-	id 'org.hibernate.orm.database-service' apply false
 	id 'biz.aQute.bnd' version '7.1.0' apply false
-
-	id "com.diffplug.spotless" version "7.0.4"
+	id 'com.diffplug.spotless' version '8.1.0'
+	id 'com.dorongold.task-tree' version '4.0.1'
+	id 'eclipse'
+	id 'idea'
+	id 'io.github.gradle-nexus.publish-plugin' version '2.0.0'
+	id 'local.module'
 	id 'org.checkerframework' version '0.6.61'
+	id 'org.hibernate.build.version-injection' version '2.2.0' apply false
 	id 'org.hibernate.orm.build.jdks'
-
-	id 'io.github.gradle-nexus.publish-plugin' version '2.0.0'
-
-	id 'idea'
+	id 'org.hibernate.orm.database-service' apply false
 	id 'org.jetbrains.gradle.plugin.idea-ext' version '1.1.10'
-	id 'eclipse'
-	id "com.dorongold.task-tree" version "4.0.1"
+	id 'org.openrewrite.rewrite' version '7.22.0' apply false
 }
 
-
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Releasing
 
@@ -57,8 +47,6 @@ tasks.register('ciBuild') {
 			"which should be performed from these CI jobs"
 }
 
-
-
 // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 // Misc...
 
@@ -71,9 +59,10 @@ wrapper {
 	//distributionType = Wrapper.DistributionType.ALL
 }
 
-
 idea {
 	module {
 		name = "hibernate-orm"
 	}
 }
+
+apply from: rootProject.file("${rootDir}/gradle/sanity.gradle")
diff --git a/gradle/sanity.gradle b/gradle/sanity.gradle
@@ -0,0 +1,18 @@
+project.apply(plugin: "org.openrewrite.rewrite")
+
+dependencies {
+	rewrite("org.openrewrite.recipe:rewrite-static-analysis:2.23.0")
+//	rewrite("org.openrewrite.recipe:rewrite-testing-frameworks:3.23.0")
+//	rewrite("org.openrewrite.recipe:rewrite-migrate-java:3.23.0")
+}
+
+repositories {
+	mavenCentral()
+}
+
+rewrite {
+	activeRecipe("org.hibernate.openrewrite.SanityCheck")
+	configFile = project.getRootProject().file("${rootDir}/gradle/sanity.yml")
+	setExportDatatables(true)
+	setFailOnDryRunResults(true)
+}
diff --git a/gradle/sanity.yml b/gradle/sanity.yml
@@ -0,0 +1,21 @@
+---
+type: specs.openrewrite.org/v1beta/recipe
+name: org.hibernate.openrewrite.SanityCheck
+displayName: Apply all common best practices
+description: Comprehensive code quality recipe combining modernization, security, and best practices.
+recipeList:
+  - org.openrewrite.java.format.RemoveTrailingWhitespace
+# - org.openrewrite.staticanalysis.EqualsAvoidsNull
+# - org.openrewrite.java.migrate.lang.var.UseVarForGenericMethodInvocations # bug;
+# - org.openrewrite.java.migrate.lang.var.UseVarForGenericsConstructors # 700 changes...
+# - org.openrewrite.java.migrate.lang.var.UseVarForObject # 6k changes...
+# - org.openrewrite.java.migrate.lang.var.UseVarForPrimitive # 1,8k changes...
+# - org.openrewrite.java.testing.junit.JupiterBestPractices
+# - org.openrewrite.java.testing.junit5.CleanupAssertions
+# - org.openrewrite.staticanalysis.RemoveUnusedPrivateMethods
+# - tech.picnic.errorprone.refasterrules.EqualityRulesRecipes
+# - tech.picnic.errorprone.refasterrules.NullRulesRecipes
+# - tech.picnic.errorprone.refasterrules.StreamRulesRecipes
+# - tech.picnic.errorprone.refasterrules.StringRulesRecipes
+# - tech.picnic.errorprone.refasterrules.TimeRulesRecipes
+---