
Add self hosted runner for Github actions #14063

Open
PasanT9 wants to merge 2 commits into wso2:master from PasanT9:470-30

Conversation

Contributor

@PasanT9 PasanT9 commented Mar 22, 2026

$subject

@coderabbitai
Contributor

coderabbitai Bot commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f2b119c9-207f-49af-a140-54b27aa5e8a2

📥 Commits

Reviewing files that changed from the base of the PR and between df216d3 and 41527ef.

📒 Files selected for processing (1)
  • .github/workflows/maven.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/maven.yml

📝 Walkthrough

Changes

This pull request updates the GitHub Actions workflow configuration to use self-hosted runners instead of the default GitHub-hosted runners.

Modified file: .github/workflows/maven.yml

Changes made:

  • Updated the runs-on configuration for all three workflow jobs (build, run-benchmark-test, and show-report) to use a dynamically generated CodeBuild runner name: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
  • No changes to job logic, steps, or commands; only the execution environment configuration was modified

Impact: The workflow will now execute on self-hosted CodeBuild infrastructure instead of GitHub's managed runner environment, allowing for greater control over the build environment and resources.

Walkthrough

The GitHub Actions workflow in maven.yml updates the execution environment for three jobs (build, run-benchmark-test, show-report) from ubuntu-latest to CodeBuild runners with dynamically generated labels using GitHub context variables.

Changes

Cohort / File(s)                                                      | Summary
GitHub Actions Workflow Configuration (.github/workflows/maven.yml)   | Updated runs-on field for three jobs from ubuntu-latest to CodeBuild runner labels with dynamic naming pattern: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Off to the CodeBuild warren we go,
Where runners leap with a swifter flow,
Three jobs now jump through the builder's door,
Ubuntu's dust settles forevermore!
With dynamic labels, our workflows now shine,
A hop toward performance—oh, how divine!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name        | Status         | Explanation | Resolution
Description check | ❓ Inconclusive | The description field contains only '$subject' with no substantive content explaining the change, its motivation, or impact. | Provide a meaningful description explaining why self-hosted runners are being introduced and any relevant context for reviewers.

✅ Passed checks (4 passed)

Check name                   | Status   | Explanation
Title check                  | ✅ Passed | The title accurately describes the main change: replacing Ubuntu runners with a self-hosted CodeBuild runner across all three jobs in the workflow.
Docstring Coverage           | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check          | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check   | ✅ Passed | Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/maven.yml:
- Line 15: The workflow currently sets runs-on to a self-hosted CodeBuild runner
(the runs-on entry) which allows untrusted PR code to run on your infra; update
the workflow so that pull_request events (fork PRs) never use the self-hosted
runner by adding a conditional that detects PRs (e.g., checking
github.event_name or github.event.pull_request.head.repo.fork) and selects a
safe runner for those cases, ensuring the runs-on assignment for the jobs
referenced by the existing runs-on line (and the other two occurrences at the
same pattern) uses the self-hosted runner only for trusted events (push to
protected branches or workflow_dispatch) and falls back to a GitHub-hosted
runner for untrusted PRs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 82cab697-3f43-4119-9e2f-2cbd06478de0

📥 Commits

Reviewing files that changed from the base of the PR and between 4fe625c and df216d3.

📒 Files selected for processing (1)
  • .github/workflows/maven.yml

jobs:
build:
runs-on: ubuntu-latest
runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
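Review bot: the swap of `runs-on: ubuntu-latest` for the CodeBuild label carries no accompanying `if:` guard, so every event that already triggers this workflow, including pull_request runs from forks, now executes on the self-hosted runner; gate the job for fork PRs (or select a GitHub-hosted label for them) before this merges. Note also that the label embeds `${{ github.run_id }}-${{ github.run_attempt }}`, so each run attempt expects a runner registered under its own unique label; confirm the runner-provisioning side creates one per attempt, otherwise the job will queue indefinitely waiting for a label that never appears.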

⚠️ Potential issue | 🔴 Critical

Block untrusted PR code from self-hosted runners.

Line 15, Line 73, and Line 102 now run pull_request workloads on self-hosted CodeBuild runners. That allows untrusted PR code (especially fork PRs) to execute on your infrastructure.

🔒 Suggested guard for fork PRs
 jobs:
   build:
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
@@
   run-benchmark-test:
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
@@
   show-report:
-    if: ${{ always() && !cancelled() }}
+    if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && always() && !cancelled() }}
     needs: build
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
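Review bot: the three `if:` guards skip the jobs outright for fork PRs instead of falling back to a GitHub-hosted runner as the accompanying agent prompt describes, so external contributors would get no build or benchmark result at all; if CI coverage for fork PRs is wanted, put the fork condition into the `runs-on` expression (GitHub-hosted label for fork PRs, CodeBuild label otherwise) rather than, or in addition to, the job-level `if:`. The `show-report` hunk is consistent with the guard as written: keeping `always() && !cancelled()` means it still runs when `build` fails, and the added fork condition stops it from running on the self-hosted runner when `build` was skipped by the same guard.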

Also applies to: 73-73, 102-102

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/maven.yml at line 15, The workflow currently sets runs-on
to a self-hosted CodeBuild runner (the runs-on entry) which allows untrusted PR
code to run on your infra; update the workflow so that pull_request events (fork
PRs) never use the self-hosted runner by adding a conditional that detects PRs
(e.g., checking github.event_name or github.event.pull_request.head.repo.fork)
and selects a safe runner for those cases, ensuring the runs-on assignment for
the jobs referenced by the existing runs-on line (and the other two occurrences
at the same pattern) uses the self-hosted runner only for trusted events (push
to protected branches or workflow_dispatch) and falls back to a GitHub-hosted
runner for untrusted PRs.
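One way to implement the fallback the agent prompt describes (a GitHub-hosted runner for fork PRs, the CodeBuild runner for everything else), as an added example that is neither the PR's workflow nor the bot's suggested patch: only the CodeBuild label pattern and the `needs`/`if` shape of `show-report` come from the page, while the trigger block, step contents and the `runner.environment` sanity check are assumptions for illustration.

```yaml
name: Maven build (runner-selection example, constructed for illustration)

on:
  push:
    branches: [master]
  pull_request:
  workflow_dispatch:

jobs:
  build:
    # Fork PRs carry untrusted code, so they go to a GitHub-hosted runner.
    # Same-repo PRs, pushes and manual runs use the per-attempt CodeBuild
    # label from the PR. GitHub expressions have no ternary operator;
    # `cond && a || b` is the usual idiom (a must be truthy, which
    # 'ubuntu-latest' is).
    runs-on: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}
    steps:
      - uses: actions/checkout@v4

      # Defense in depth: record the decision in the job log and abort if
      # fork code ever lands on self-hosted infrastructure anyway.
      - name: Assert runner class matches event trust
        run: |
          echo "event=${{ github.event_name }} fork=${{ github.event.pull_request.head.repo.fork }} runner.environment=${{ runner.environment }}"
          if [ "${{ runner.environment }}" = "self-hosted" ] && [ "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then
            echo "::error::fork PR scheduled on a self-hosted runner; refusing to continue"
            exit 1
          fi

      - name: Build
        run: mvn -B package   # placeholder for the project's real build command

  show-report:
    if: ${{ always() && !cancelled() }}
    needs: build
    # Same selection expression as `build`; it must be repeated per job.
    runs-on: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}
    steps:
      - name: Report
        run: echo "build result: ${{ needs.build.result }}"   # placeholder step
```

With this shape no job is skipped for fork PRs; they simply never reach the CodeBuild runner, and the sanity step makes any misrouting visible in the run log rather than silent.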
