Issue #148 scope jdt2jar Dockerfile to submodule, add GHCR publish and CI Docker builds

- Move Dockerfile from repo root to jdt2jar/ (built with -f jdt2jar/Dockerfile .)
- Add jdt2jar/.dockerignore to exclude build artifacts
- Rewrite jdt2jar/README.md with full Docker/GHCR usage instructions
- Update root README.md to signpost to jdt2jar submodule for optional tool
- Add docker-build job to ci.yml (Java 25, smoke test)
- Add docker-build job to maven.yml (Java 25, smoke test after tests pass)
- Add docker-publish job to release-on-tag.yml (pushes version + latest to ghcr.io)
- Release notes now include Docker image pull commands

How to verify:
  docker build -t jdt2jar -f jdt2jar/Dockerfile .
  docker run --rm jdt2jar --help

Author: simbo1905

.github/workflows/ci.yml

@@ -46,3 +46,33 @@ jobs:
               sys.exit(1)
           print(f"OK totals: {totals}")
           PY
+
+  docker-build:
+    name: Build Docker image (Java 25)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v4
+        with:
+          distribution: oracle
+          java-version: '25'
+          cache: 'maven'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: jdt2jar/Dockerfile
+          push: false
+          load: true
+          tags: jdt2jar:ci
+
+      - name: Smoke test
+        run: |
+          docker run --rm jdt2jar:ci --help

.github/workflows/maven.yml

@@ -52,4 +52,35 @@ jobs:
         restore-keys: ${{ runner.os }}-m2-java25
 
     - name: Test full project (Java 25)
-      run: mvn clean test
+      run: mvn clean test
+
+  docker-build:
+    name: Build Docker image (Java 25)
+    runs-on: ubuntu-latest
+    needs: test-java25
+    
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Set up JDK 25
+      uses: actions/setup-java@v4
+      with:
+        java-version: '25'
+        distribution: 'oracle'
+        cache: 'maven'
+    
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    
+    - name: Build Docker image
+      uses: docker/build-push-action@v6
+      with:
+        context: .
+        file: jdt2jar/Dockerfile
+        push: false
+        load: true
+        tags: jdt2jar:ci
+    
+    - name: Smoke test
+      run: |
+        docker run --rm jdt2jar:ci --help

.github/workflows/release-on-tag.yml

@@ -6,8 +6,9 @@ on:
       - 'release/[0-9]*.[0-9]*.[0-9]*'
 
 permissions:
-  contents: write    # push tags, push commits
+  contents: write
   pull-requests: write
+  packages: write
 
 concurrency:
   group: release-${{ github.ref }}
@@ -34,11 +35,26 @@ jobs:
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#release/}" >> "$GITHUB_OUTPUT"
+
       - name: Create GitHub Release with notes
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ github.ref_name }}
           generate_release_notes: true
+          body: |
+            ## Docker Image
+
+            Pre-built distroless container image available on GitHub Container Registry:
+
+            ```bash
+            docker pull ghcr.io/${{ github.repository_owner }}/java.util.json.java21/jdt2jar:${{ steps.version.outputs.version }}
+            docker pull ghcr.io/${{ github.repository_owner }}/java.util.json.java21/jdt2jar:latest
+            ```
+
+            See [jdt2jar/README.md](https://github.com/${{ github.repository }}/blob/main/jdt2jar/README.md) for usage.
 
       - name: Build and Deploy to Central (release profile)
         env:
@@ -76,3 +92,42 @@ jobs:
             --base main \
             --head "${{ steps.prbranch.outputs.branch }}" \
           || echo "PR already exists or nothing to compare"
+
+  docker-publish:
+    name: Publish Docker image to GHCR
+    runs-on: ubuntu-latest
+    needs: release
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@v4
+        with:
+          distribution: oracle
+          java-version: '25'
+          cache: 'maven'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#release/}" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: jdt2jar/Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/java.util.json.java21/jdt2jar:${{ steps.version.outputs.version }}
+            ghcr.io/${{ github.repository_owner }}/java.util.json.java21/jdt2jar:latest

README.md

@@ -336,9 +336,7 @@ Such vulnerabilities existed at one point in the upstream OpenJDK sandbox implem
 
 ## JSON Type Definition (JTD) Validator
 
-This repo contains an incubating JTD validator that has the core JSON API as its only dependency. This sub-project demonstrates how to build realistic JSON heavy logic using the API. It follows Data Oriented Programming principles: it compiles JTD schemas into an immutable structure of records. For validation it parses the JSON document to the generic structure and uses the thread-safe parsed schema and a stack to visit and validate the parsed JSON.
-
-A complete JSON Type Definition validator is included (module: json-java21-jtd).
+A complete JSON Type Definition validator is included (module: `json-java21-jtd`), implementing RFC 8927 with a stack-machine interpreter and optional bytecode codegen (JDK 24+).
 
 ### Empty Schema `{}` Semantics (RFC 8927)
 
@@ -350,43 +348,19 @@ Per **RFC 8927 (JSON Typedef)**, the empty schema `{}` is the **empty form** and
 > `empty = {}`  
 > **Empty form:** A schema in the empty form accepts all JSON values and produces no errors.
 
-⚠️ Note: Some tools or in-house validators mistakenly interpret `{}` as "object with no
-properties allowed." **That is not JTD.** This implementation follows RFC 8927 strictly.
-
 ```java
 import json.java21.jtd.Jtd;
 import jdk.sandbox.java.util.json.*;
 
-// Compile JTD schema
-JsonValue schema = Json.parse("""
-  {
-    "properties": {
-      "name": {"type": "string"},
-      "age": {"type": "int32"}
-    }
-  }
-""");
-
-// Validate JSON
-JsonValue data = Json.parse("{\"name\":\"Alice\",\"age\":30}");
+JsonValue schema = Json.parse("{\"properties\":{\"name\":{\"type\":\"string\"}}}");
+JsonValue data = Json.parse("{\"name\":\"Alice\"}");
 Jtd validator = new Jtd();
 Jtd.Result result = validator.validate(schema, data);
 // result.isValid() => true
 ```
 
 ### JTD RFC 8927 Compliance
 
-The validator provides full RFC 8927 compliance with comprehensive test coverage:
-
-```bash
-# Run all JTD compliance tests
-./mvnw test -pl json-java21-jtd -Dtest=JtdSpecIT
-
-# Run with detailed logging
-./mvnw test -pl json-java21-jtd -Djava.util.logging.ConsoleHandler.level=FINE
-```
-
-Features:
 - ✅ Eight mutually-exclusive schema forms (RFC 8927 §2.2)
 - ✅ Standardized error format with instance and schema paths
 - ✅ Primitive type validation with proper ranges
@@ -395,6 +369,12 @@ Features:
 - ✅ Discriminator tag exemption from additional properties
 - ✅ Stack-based validation preventing StackOverflowError
 
+## JTD to JAR Compiler (Optional)
+
+An optional `jdt2jar` CLI tool and distroless Docker image are available for offline JTD validator packaging. It compiles a JTD schema into a standalone validator JAR at build time, eliminating the JDK 24+ runtime requirement for generated validators. The generated JARs run on JDK 21+.
+
+See [`jdt2jar/README.md`](jdt2jar/README.md) for build instructions, container usage, and the pre-built image on GitHub Container Registry (`ghcr.io`).
+
 ## Building
 
 Requires JDK 21 or later. Build with Maven:

jdt2jar/.dockerignore

@@ -0,0 +1,21 @@
+# Build outputs
+**/target/
+
+# IDE
+.idea/
+*.iml
+.vscode/
+.eclipse/
+
+# OS
+.DS_Store
+
+# Git
+.git/
+.gitignore
+
+# Env
+.env
+
+# Local test artifacts
+/tmp/jdt2jar-*/

Dockerfile jdt2jar/DockerfileDockerfile renamed to jdt2jar/Dockerfile

@@ -5,13 +5,12 @@ WORKDIR /build
 COPY . .
 RUN ["./mvnw", "-pl", "jdt2jar", "-am", "package", "-DskipTests", "-Dsurefire.failIfNoSpecifiedTests=false"]
 RUN ["java", "-cp", "/build/jdt2jar/target/jdt2jar.jar", "json.java21.jdt2jar.build.DockerImageBuilder", "/build/jdt2jar/target/jdt2jar.jar", "/opt/jre"]
-RUN ["mkdir", "-p", "/work/tmp"]
-RUN ["chmod", "1777", "/work/tmp"]
+RUN ["mkdir", "-p", "/empty-work/tmp", "/empty-app"]
 
 FROM gcr.io/distroless/base-debian13:nonroot
-WORKDIR /work
+COPY --from=build --chown=65532:65532 /empty-work /work
+COPY --from=build --chown=65532:65532 /empty-app /app
 ENV JAVA_TOOL_OPTIONS="-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0 -Djava.io.tmpdir=/work/tmp -XX:+ExitOnOutOfMemoryError"
 COPY --from=build /opt/jre /jre
 COPY --from=build /build/jdt2jar/target/jdt2jar.jar /app/jdt2jar.jar
-COPY --from=build /work /work
 ENTRYPOINT ["/jre/bin/java","-jar","/app/jdt2jar.jar"]

jdt2jar/README.md

@@ -1,6 +1,6 @@
 # jdt2jar
 
-`jdt2jar` compiles a JTD schema into a standalone validator JAR at build time.
+`jdt2jar` compiles a JTD schema into a standalone validator JAR at build time. The generated JAR runs on JDK 21+ with no JDK 24+ runtime dependency.
 
 ## CLI
 
@@ -10,21 +10,71 @@ jdt2jar <schema.json> [options]
 
 Options:
 
-- `--output <path>`: output JAR path
-- `--package <name>`: generated package name
-- `--class <name>`: validator class name
+- `--output <path>`: output JAR path (default: `<schema-name>-validator.jar`)
+- `--package <name>`: generated package name (default: `jtd.generated`)
+- `--class <name>`: validator class name (default: `SchemaValidator`)
 - `--main`: include a standalone `java -jar` entry point
-- `--runtime <version>`: target bytecode version
+- `--runtime <version>`: target bytecode version (default: 21)
 - `--include-sources`: write a companion `.java` file next to the JAR
 - `--help`: show usage
 
-## Container
+## Container Image
 
-Build with the root `Dockerfile` and run it as a non-root distroless image.
+A minimal distroless container image is available for offline schema compilation without a full JDK.
+
+### Pre-built Image (GitHub Container Registry)
+
+```bash
+# Pull the latest image
+docker pull ghcr.io/simbo1905/java.util.json.java21/jdt2jar:latest
+
+# Pull a specific release version
+docker pull ghcr.io/simbo1905/java.util.json.java21/jdt2jar:2026.02.05
+```
+
+### Build Locally
+
+Requires Docker and JDK 24+ (for the build stage). Build from the repository root:
+
+```bash
+docker build -t jdt2jar -f jdt2jar/Dockerfile .
+```
+
+### Usage
+
+```bash
+# Show help
+docker run --rm ghcr.io/simbo1905/java.util.json.java21/jdt2jar:latest --help
+
+# Compile a schema to a validator JAR (using docker cp for file I/O)
+cid=$(docker create --name jdt2jar-build ghcr.io/simbo1905/java.util.json.java21/jdt2jar:latest /work/person.jtd.json --output /work/person-validator.jar --main)
+docker cp person.jtd.json jdt2jar-build:/work/person.jtd.json
+docker start -a jdt2jar-build
+docker cp jdt2jar-build:/work/person-validator.jar .
+docker rm jdt2jar-build
+
+# Validate a payload with the generated JAR
+java -jar person-validator.jar --validate payload.json
+# Or validate inside a container
+cid=$(docker create --name jdt2jar-validate --entrypoint /jre/bin/java ghcr.io/simbo1905/java.util.json.java21/jdt2jar:latest -jar /work/person-validator.jar --validate /work/payload.json)
+docker cp person-validator.jar jdt2jar-validate:/work/person-validator.jar
+docker cp payload.json jdt2jar-validate:/work/payload.json
+docker start -a jdt2jar-validate
+docker rm jdt2jar-validate
+```
+
+### Image Properties
+
+- **Base**: `gcr.io/distroless/base-debian13:nonroot`
+- **Runtime**: jlink-minimized JDK 24 (~40 MB)
+- **Total size**: ~111 MB disk / ~31 MB content
+- **User**: `nonroot` (uid 65532)
+- **Shell**: none (distroless)
+- **Writable directories**: `/work` (for schema input and JAR output)
+
+### Security Scanning
 
 ```bash
-docker build -t jdt2jar .
-docker run --rm jdt2jar --help
-syft packages image:jdt2jar
-grype jdt2jar
+syft packages image:ghcr.io/simbo1905/java.util.json.java21/jdt2jar:latest
+grype ghcr.io/simbo1905/java.util.json.java21/jdt2jar:latest
 ```