feat(graalvm): GraalVM support for Idempotency utility #2061
Conversation
…om powertools-common.
…veryIssueNotifier
…for graalvm unit tests.
…o make sure sub-sub-modules are also covered.
…ion, powertools-tracing.
…ts to treat DynamoDBLocal as external process instead of starting it via JVM which is not compatible with GraalVM.
Dependency ReviewThe following issues were found:
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - id: checkout | ||
| name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - name: Setup GraalVM | ||
| uses: graalvm/setup-graalvm@7f488cf82a3629ee755e4e97342c01d6bed318fa # v1.3.5 | ||
| with: | ||
| java-version: "21" | ||
| distribution: "graalvm" | ||
| cache: maven | ||
| - id: graalvm-native-test | ||
| name: GraalVM Native Test | ||
| run: | | ||
| # Build the entire project first to ensure test-jar dependencies are available | ||
| mvn -B -q install -DskipTests | ||
|
|
||
| # Find modules with graalvm-native profile and run tests recursively. | ||
| # This will make sure to discover new GraalVM supported modules automatically in the future. | ||
| find . -name "pom.xml" -path "./powertools-*" | while read module; do | ||
| if grep -q "<id>graalvm-native</id>" "$module"; then | ||
| module_dir=$(dirname "$module") | ||
| echo "Regenerating GraalVM metadata for $module_dir" | ||
| mvn -B -q -f "$module" -Pgenerate-graalvm-files clean test | ||
| echo "Running GraalVM native tests for $module_dir" | ||
| mvn -B -q -f "$module" -Pgraalvm-native test | ||
| fi | ||
| done |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 1 day ago
To fix the problem, you should add a permissions block to the workflow file. The block can be added at the root level (applies to all jobs) or at the job level (applies only to specific jobs). Since neither job appears to require write access (they only check out code and run builds/tests), the minimal permissions required are contents: read. This restricts the GITHUB_TOKEN to read-only access to repository contents, following the principle of least privilege. The best place to add this block is immediately after the name: and run-name: fields, before the jobs: section, so it applies to all jobs in the workflow.
| @@ -59,6 +59,8 @@ | ||
|
|
||
| name: Build | ||
| run-name: Build - ${{ github.event_name }} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| java-build: |
|
Summary
Changes
Issue number: #1834
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.