REF-5: Create GitHub based pipeline and fix the build toolchain

[thomasnymand]

Summary

Adds a GitHub Actions CI pipeline and fixes the build toolchain so mvn clean install is reproducible and green.

• CI pipeline (.github/workflows/build.yml): runs mvn -B clean install on Temurin 11 with Maven dependency caching, triggered on push (master / feature / hotfix branches) and PRs to master.
• Reproducible build on JDK 11 (required by the hsqldb 2.7.1 test dependency, which is Java 11 bytecode) while keeping the published artifact Java 8 compatible:
  • maven-compiler-plugin 3.3 → 3.8.1, source/target 1.8 → <release>8</release> (compiles against the Java 8 API so no newer API can leak into the bytecode).
  • demo: pin oiosaml3.java to ${project.version} instead of a stale hardcoded version.
  • Ignore HSQLDB mem.* scratch files left by DatabaseSessionHandlerTest.
• Restore certificate revocation tests: the previous test PKI was decommissioned, so REVOKED_CERTIFICATE is replaced with a new revoked cert from the live cti-gov.dk PKI and CRLCheckerTest is re-enabled.

Verification

mvn clean install on Temurin 11: BUILD SUCCESS, Tests run: 107, Failures: 0, Errors: 0, Skipped: 0. The four revocation tests pass in sub-second time (vs. 75s timeouts against the dead PKI), confirming they genuinely exercise live OCSP/CRL.

Notes / follow-ups

• The four CRLCheckerTest cases make real outbound calls to ca1.cti-gov.dk during the build, including in CI — if GitHub runners cannot reach that host they will regress to slow timeouts/failures. Consider gating them behind a profile/tag if that becomes a problem.
• The new revoked test cert expires 2026-07-03 (~2 weeks); it will need refreshing with a longer-lived revoked cert before then.

🤖 Generated with Claude Code