Add self hosted runner for migration test GitHub Action workflow #14175

Open
VenukshiMendis wants to merge 1 commit into wso2:master from VenukshiMendis:master-add-oracle-support

@VenukshiMendis
Contributor

$subject

@coderabbitai
Contributor

coderabbitai Bot commented Apr 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d028d235-ba21-4172-893a-5847a2d9b291

📥 Commits

Reviewing files that changed from the base of the PR and between 26edaf2 and 57fa133.

📒 Files selected for processing (1)
  • .github/workflows/migration-tests.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/migration-tests.yaml

📝 Walkthrough

Summary

This pull request updates the migration test GitHub Actions workflow to run key jobs on a self-hosted CodeBuild runner instead of GitHub-hosted runners.

Changes

  • File modified: .github/workflows/migration-tests.yaml
  • Jobs updated: update-and-build, prepare-and-migrate, version-bump
  • Change: The runs-on setting for the above jobs was changed from ubuntu-latest to a CodeBuild runner named using codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }} (dynamic naming per run).
  • Lines changed: +4/-4

Impact

Workflow execution for the migration tests now targets self-hosted CodeBuild infrastructure rather than GitHub-hosted runners, affecting where the jobs execute (e.g., resource and environment provider).

Walkthrough

The migration-tests workflow was modified to change the execution environment for three jobs: update-and-build, prepare-and-migrate, and version-bump. The runs-on configuration for each job was updated from the GitHub-hosted ubuntu-latest runner to a CodeBuild runner with dynamic naming that incorporates github.run_id and github.run_attempt. No changes were made to job logic, steps, permissions, or environment variables.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description is minimal (only "$subject") and does not provide meaningful information about the changeset beyond restating the title. | Provide a description that explains the motivation, benefits, or context for using self-hosted runners instead of ubuntu-latest. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: adding self-hosted runners to the migration test GitHub Actions workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/migration-tests.yaml (2)

104-104: Verify matrix-job concurrency semantics for the shared runner label.

The prepare-and-migrate job uses a 4-entry matrix (mysql, mssql, postgre, oracle) but all four instances will request the identical runner label codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }} (the label does not include matrix.db_type or strategy.job-index). AWS CodeBuild's GitHub Actions integration is designed to start one CodeBuild build per queued job with that label, so this typically works, but please confirm in a test run that all four matrix legs actually get concurrent runners (and aren't serialized or collapsed onto one). If you observe queuing, append a matrix-unique suffix to the label, e.g.:

♻️ Optional: make the label unique per matrix leg
-    runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
+    runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}-${{ strategy.job-index }}
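
Review bot: the `-${{ strategy.job-index }}` appended on the `+` line sits directly after `${{ github.run_attempt }}`, which is the position where the label format quoted further down this page places its legacy override suffixes (`-image-arm-3.0-instance-size-medium-with-buildspec`). Nothing on the page shows CodeBuild accepting an arbitrary trailing token there, so confirm in a test run that the suffixed label still resolves to the `wso2_product-apim` project before adopting it.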

Additionally, several steps assume a GitHub-hosted Ubuntu runner environment:

  • Line 415–416: sudo apt-get update && sudo apt-get install -y default-mysql-client python3 python3-pip — requires Debian/Ubuntu with passwordless sudo and network access to apt repos.
  • Line 418–419: the comment "Docker is already available in GitHub Actions runners" is now stale; please update it or confirm the CodeBuild image ships with Docker daemon access (not just the CLI) so docker run -d with port bindings on host.docker.internal works.
  • Line 804: python3 -m http.server 8000 needs port 8000 free on the runner host and routable from inside Docker via host.docker.internal:host-gateway.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/migration-tests.yaml at line 104, The prepare-and-migrate
job's runner label is identical across matrix legs causing possible
serialization; update the runs-on label string (the literal
"codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}") to
append a matrix-unique suffix such as "${{ matrix.db_type }}" or "${{
strategy.job-index }}", run a test workflow to confirm all four matrix legs get
concurrent CodeBuild builds, and if queuing is observed keep the unique suffix.
Also verify the CodeBuild image used by this job actually provides sudo+apt,
Docker daemon access (not just the CLI), and allows host-gateway
host.docker.internal port binding — either change the image to one that does or
adjust the steps that assume Ubuntu/apt and docker run; finally ensure the
python3 -m http.server 8000 step can bind and be reachable from containers (or
change to an alternate networking approach or free port) and update or remove
the stale comment about Docker availability accordingly.

1519-1519: LGTM on version-bump runner change, but double-check git push permissions on the CodeBuild runner.

The version-bump job writes back to the repo (lines 1549–1556) using github-actions[bot] and git push origin HEAD:${GITHUB_REF#refs/heads/}. On GitHub-hosted runners the GITHUB_TOKEN provided by actions/checkout@v4 is auto-configured as the credential helper; AWS CodeBuild-managed GitHub Actions runners also propagate GITHUB_TOKEN with the declared contents: write permission, so this should continue to work. Please verify on the first run that the push actually succeeds (no 403 from the push step) and that branch protection rules on master allow the bot push — the runner swap doesn't change those constraints but is a good moment to re-check.

Also note: this job runs on schedule (nightly cron, line 7) and, after the runner change, every nightly run will still spin up a CodeBuild build even when needs.update-and-build.outputs.latest_version equals the current version (the if: guard is only on the single push step at line 1539, not the job). Consider adding a job-level if: to avoid paying for an idle CodeBuild minute, e.g.:

♻️ Optional: skip the job when there is nothing to bump
   version-bump:
     needs: [update-and-build, prepare-and-migrate]
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
+    if: needs.update-and-build.outputs.latest_version != '' && needs.update-and-build.outputs.latest_version != needs.update-and-build.outputs.current_version
     permissions:
       contents: write
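
Review bot: the added `if:` compares against `needs.update-and-build.outputs.current_version`, an output that appears nowhere else in the visible lines; the surrounding comment only refers to `latest_version`. If `update-and-build` does not declare `current_version`, that side of the comparison evaluates to an empty string and the job still runs whenever `latest_version` is set, so either declare the output or reuse the exact expression from the existing push-step guard.
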
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/migration-tests.yaml at line 1519, The version-bump job
now runs on a CodeBuild runner (runs-on: codebuild-wso2_product-apim-...), so
verify the push step that uses git push origin HEAD:${GITHUB_REF#refs/heads/}
actually succeeds with the GITHUB_TOKEN credential provided by
actions/checkout@v4 on the new runner and that branch protection allows
github-actions[bot] pushes; run the pipeline once and confirm there is no 403 on
the push step and that the commit appears in the target branch. Additionally, to
avoid wasting CodeBuild minutes, add a job-level if: condition to the
version-bump job (using the same needs.update-and-build.outputs.latest_version
check used for the push step) so the entire CodeBuild job is skipped when there
is nothing to bump.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 550a068b-10c2-4ff2-ae2b-a77a3d1c8a13

📥 Commits

Reviewing files that changed from the base of the PR and between 443c246 and 26edaf2.

📒 Files selected for processing (1)
  • .github/workflows/migration-tests.yaml

jobs:
update-and-build:
runs-on: ubuntu-latest
runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
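
Review bot: the replacement `runs-on` line hard-codes the CodeBuild project name `wso2_product-apim` with no YAML comment beside it, and the PR description is only `$subject`. Add a comment above the label naming the backing CodeBuild project and noting that it needs the GitHub webhook integration, so a reader of the workflow can tell what the job depends on when it waits for a runner.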

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

AWS CodeBuild GitHub Actions managed self-hosted runner label format runs-on codebuild project name run_id run_attempt

💡 Result:

The label format for AWS CodeBuild's managed self-hosted GitHub Actions runner, used in the runs-on key of GitHub Actions workflows, is codebuild-<project-name>-${{ github.run_id }}-${{ github.run_attempt }}. This is the required base label, where <project-name> is replaced with the exact name of your CodeBuild project configured with the GitHub webhook. The ${{ github.run_id }} and ${{ github.run_attempt }} are GitHub context variables that uniquely identify the workflow run and attempt, ensuring proper mapping and cleanup.

Example:

    jobs:
      build:
        runs-on: codebuild-myProject-${{ github.run_id }}-${{ github.run_attempt }}
        steps:
          - uses: actions/checkout@v4

Optional overrides can be added as additional labels or legacy suffixes, such as:

  • Multi-label: image:arm-3.0, instance-size:medium, fleet:myFleet, buildspec-override:true
  • Legacy single label: codebuild-<project-name>-${{ github.run_id }}-${{ github.run_attempt }}-image-arm-3.0-instance-size-medium-with-buildspec

This format enables CodeBuild to process GitHub Actions jobs on managed self-hosted runners with native AWS integration.


🏁 Script executed:

cat -n .github/workflows/migration-tests.yaml | head -120

Repository: wso2/product-apim

Length of output: 5182


🏁 Script executed:

cat -n .github/workflows/migration-tests.yaml | sed -n '101,250p'

Repository: wso2/product-apim

Length of output: 8448


🏁 Script executed:

cat -n .github/workflows/migration-tests.yaml | sed -n '310,330p'

Repository: wso2/product-apim

Length of output: 1092


🏁 Script executed:

# Check for tool usage in the workflow
rg -n "(docker|java|python|unzip|wget|zip|apt-get|apt)" .github/workflows/migration-tests.yaml | head -40

Repository: wso2/product-apim

Length of output: 4137


🏁 Script executed:

# Check if Python or apt-get/sudo are used in the workflow
rg -n "(python|apt-get|apt |sudo)" .github/workflows/migration-tests.yaml

Repository: wso2/product-apim

Length of output: 596


🏁 Script executed:

# Check if zip command is actually used (not just unzip)
rg -n "^\s+zip " .github/workflows/migration-tests.yaml

Repository: wso2/product-apim

Length of output: 110


Runner label format is correct; verify CodeBuild project configuration and compute image capabilities.

The label codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }} follows the AWS CodeBuild documented pattern. However, confirm that an AWS CodeBuild project named wso2_product-apim exists in your target account/region and is configured with GitHub Actions webhook integration; otherwise jobs will hang indefinitely waiting for a runner.

Also verify that the project's compute image includes Docker, Java 21, Python 3, unzip, wget, zip, and sudo-capable apt-get, as these tools are required by the workflow steps (lines 314–316, 332–341, 401, 415–416, 804, 1384).

Note: The matrix job (line 104) spawns four concurrent database variants (MySQL, MSSQL, PostgreSQL, Oracle) all requesting the same runner label. Ensure your CodeBuild configuration can provision multiple runner instances concurrently for the same label, or consider adding matrix context to the label to differentiate them.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/migration-tests.yaml at line 11, Update the runner label
and environment verification: confirm an AWS CodeBuild project named
wso2_product-apim exists and is configured for GitHub Actions webhook
integration and that its compute image includes Docker, Java 21, Python 3,
unzip, wget, zip and sudo/apt-get; then modify the runs-on label (currently
"runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{
github.run_attempt }}") to include the matrix context (e.g. append ${{ matrix.db
}} or ${{ matrix.database }}) so concurrent matrix jobs (the matrix job that
spawns MySQL/MSSQL/Postgres/Oracle) request distinct runner labels and avoid
runner contention.
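
A lint for the label format quoted in the review comment above, as an added example that is not part of the PR, the bot's review, or any AWS tooling: it parses each `runs-on` line against the `codebuild-<project>-${{ github.run_id }}-${{ github.run_attempt }}` shape, reports trailing text that is not one of the override suffixes quoted there, and checks the project name against an allowlist so a change that retargets jobs to a different runner project is visible in review. The function name, status strings, allowlist parameter and sample workflow are assumptions made for illustration.

```python
import re
# Base shape quoted in the review above (single-string form only):
#   codebuild-<project>-${{ github.run_id }}-${{ github.run_attempt }}[suffix]
LABEL_RE = re.compile(
    r"^codebuild-(?P<project>.+?)"
    r"-\$\{\{\s*github\.run_id\s*\}\}"
    r"-\$\{\{\s*github\.run_attempt\s*\}\}"
    r"(?P<suffix>.*)$"
)
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(?P<label>\S.*?)\s*$")
# Suffix openers from the legacy example quoted above; others are reported.
OVERRIDE_PREFIXES = ("-image-", "-instance-size-", "-with-buildspec")

def audit_runs_on(workflow_text, allowed_projects):
    """Classify every CodeBuild runs-on label found in workflow_text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        found = RUNS_ON_RE.match(line)
        if not found:
            continue
        label = found.group("label").strip("'\"")
        if not label.startswith("codebuild-"):
            continue  # GitHub-hosted or unrelated label, out of scope here
        parsed = LABEL_RE.match(label)
        project = parsed.group("project") if parsed else None
        suffix = parsed.group("suffix") if parsed else ""
        if parsed is None:
            status = "malformed"  # e.g. run_attempt missing from the label
        elif not suffix:
            status = "base"
        elif suffix.startswith(OVERRIDE_PREFIXES):
            status = "override"
        else:
            status = "unrecognized-suffix"  # verify before relying on it
        findings.append({"line": lineno, "status": status, "project": project,
                         "project_allowed": project in allowed_projects})
    return findings

# Constructed sample workflow, not the real migration-tests.yaml.
SAMPLE = """\
jobs:
  update-and-build:
    runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
  prepare-and-migrate:
    runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}-${{ strategy.job-index }}
  arm-build:
    runs-on: codebuild-myProject-${{ github.run_id }}-${{ github.run_attempt }}-image-arm-3.0-instance-size-medium
  broken:
    runs-on: codebuild-wso2_product-apim-${{ github.run_id }}
"""

if __name__ == "__main__":
    for finding in audit_runs_on(SAMPLE, {"wso2_product-apim"}):
        print(finding)
```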

@codecov

codecov Bot commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.15%. Comparing base (83eb9a0) to head (26edaf2).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master   #14175      +/-   ##
============================================
- Coverage     19.05%    9.15%   -9.90%     
+ Complexity     1419      718     -701     
============================================
  Files           361      361              
  Lines         17719    17719              
  Branches       1897     1897              
============================================
- Hits           3377     1623    -1754     
- Misses        14301    16070    +1769     
+ Partials         41       26      -15     
Flag Coverage Δ
integration_tests 9.15% <ø> (-9.90%) ⬇️

Flags with carried forward coverage won't be shown.

@VenukshiMendis VenukshiMendis force-pushed the master-add-oracle-support branch from 26edaf2 to 57fa133 Compare April 24, 2026 13:08