Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
0c13eb5
[Automated] Update the native jar versions
Thevakumar-Luheerathan May 24, 2026
e3698ca
[Automated] Update the native jar versions
Thevakumar-Luheerathan May 24, 2026
5352ef6
Migrate to Gradle 9.5.1, Java 25, and Ballerina Lang 2201.14.0-SNAPSHOT
Thevakumar-Luheerathan May 24, 2026
85a75bd
Fix GraalVM CI to use Java 25 template on java-25-migration branch
May 28, 2026
8abccc0
Fix PR CI to use Java 25 template and add concurrency control
May 28, 2026
c99be7d
Merge master into java-25-migration to resolve conflicts
May 28, 2026
775f205
Fix ballerinaLangVersion to use timestamped SNAPSHOT build
May 28, 2026
0bd81cc
Upgrade JaCoCo to 0.8.13 and fix Gradle 9 exec() usage in ballerina-t…
Thevakumar-Luheerathan May 28, 2026
5b76bb4
Fix Gradle 9 incompatible project.exec closure usages in ballerina-tests
Jun 2, 2026
aa52235
[Automated] Update the native jar versions
Jun 2, 2026
c8d81ea
[Automated] Update the native jar versions
Jun 2, 2026
5f25428
[Automated] Update the native jar versions
Jun 2, 2026
2a331fa
Fix test cipher suites incompatible with Java 25
Jun 4, 2026
bb19eca
Fix SSL error message assertions for Java 25 compatibility
Jun 4, 2026
f67c428
Fix CI failures: Gradle 9.5.1 exec() removal and Windows Java 25 NPE
Jun 5, 2026
1c9f68b
Fix PR review comments: code quality and build improvements
Jun 26, 2026
4f6f3e9
Merge remote-tracking branch 'upstream/master' into java-25-migration
Jul 9, 2026
ad536bc
Update distribution version to 2201.14.0 in Ballerina.toml
Jul 9, 2026
a8653e8
Merge branch 'master' into java-25-migration
TharmiganK Jul 15, 2026
e376f85
Fix startSocksServer and stopSocksServer tasks using injected ExecOpe…
TharmiganK Jul 15, 2026
7334f8a
Fix startSocksServer and stopSocksServer tasks in integration-tests u…
TharmiganK Jul 16, 2026
21eb050
Update ballerina lang version
Jul 17, 2026
41b9909
Revert "Update ballerina lang version"
Jul 17, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build-with-bal-test-graalvm.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
call_stdlib_workflow:
name: Run StdLib Workflow
if: ${{ github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository_owner == 'ballerina-platform') }}
uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@main
uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@java-25-migration

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable workflow refs in repo workflows.
rg -nP '^\s*uses:\s*[^#\n]+@((main|master|[A-Za-z0-9._/-]+))\s*$' .github/workflows
# Expected: this line should be gone once pinned to a 40-char SHA.

Repository: ballerina-platform/module-ballerina-http

Length of output: 2936


Pin reusable workflow reference in build-with-bal-test-graalvm.yml to a commit SHA
./.github/workflows/build-with-bal-test-graalvm.yml line 43 references a reusable workflow with the mutable ref @java-25-migration—use the full commit SHA instead to keep CI behavior deterministic.

🔒 Suggested fix
-        uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@java-25-migration
+        uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@<full_commit_sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 43-43: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-with-bal-test-graalvm.yml at line 43, Update the
reusable workflow reference on the "uses:" line that currently ends with
"`@java-25-migration`" to a fixed commit SHA (replace "`@java-25-migration`" with
"@<full-commit-sha>") so CI is deterministic; locate the "uses:
ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@java-25-migration"
entry in build-with-bal-test-graalvm.yml and swap the mutable ref for the full
commit SHA of the target repo/tag, commit the change, and verify the workflow
runs.

with:
lang_tag: ${{ inputs.lang_tag }}
lang_version: ${{ inputs.lang_version }}
Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/pull-request.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
name: PR Build

on: [pull_request]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
cancel-in-progress: true

on: pull_request

jobs:
call_workflow:
name: Run PR Build Workflow
if: ${{ github.repository_owner == 'ballerina-platform' }}
uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@main
uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@java-25-migration
secrets: inherit
Comment on lines +13 to 14

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find reusable workflow calls that are mutable and/or inherit all secrets.
rg -nP '^\s*uses:\s*[^#\n]+@([A-Za-z0-9._/-]+)\s*$|^\s*secrets:\s*inherit\s*$' .github/workflows
# Expected after fix:
# - `uses:` for external/reusable workflows pinned to full SHAs
# - no unconditional `secrets: inherit` unless explicitly justified

Repository: ballerina-platform/module-ballerina-http

Length of output: 3349


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/pull-request.yml"
echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,80p'

Repository: ballerina-platform/module-ballerina-http

Length of output: 192


🌐 Web query:

GitHub Actions reusable workflow security pin commit SHA secrets: inherit

💡 Result:

In a GitHub Actions workflow that calls a reusable workflow, secrets: inherit is supported and it passes the caller workflow’s secrets to the directly called reusable workflow. Specifically, reusable workflow docs show secrets: inherit in a job that uses another workflow via uses: owner/repo/.github/workflows/<file>@<ref>, and they note that you can reference inherited secrets even when they’re not explicitly defined under the reusable workflow’s on: workflow_call secret list [1]. The workflow syntax reference also describes passing secrets and the jobs.<job_id>.secrets.inherit form for passing all calling-workflow secrets into the directly called workflow [2]. For security pinning: when referencing reusable workflows (and third-party actions), you should pin the uses: reference to a specific immutable identifier. GitHub’s “Secure use” guidance says using a full-length commit SHA is the only way to treat an action as an immutable release, and pinning to a full-length commit SHA mitigates the risk of a backdoor being added to the action’s repository [3]. The reusable-workflow docs explicitly state that the {ref} portion can be a SHA, release tag, or branch name, and that using the commit SHA is the safest option for stability and security [1]. So the best practice pattern is: - Pin the reusable workflow uses: ref to a full-length commit SHA (not a branch like main, not a moving tag) [1][3]. - If you need secrets from the caller, use secrets: inherit only when the called workflow is trusted and you intentionally want to pass all caller secrets through the workflow chain (note secrets are only passed to the directly called workflow, not implicitly further) [2][4]. Example (caller workflow job that pins reusable workflow and inherits secrets): - uses: ORG/REPO/.github/workflows/reusable.yml@<full-length-commit-sha> - secrets: inherit [1][2]. Security note on scope: GitHub docs clarify that in a workflow chain A > B > C, workflow C will only receive secrets from A if A passes secrets to B, and then B passes them to C; secrets: inherit does not automatically propagate beyond the directly called workflow [4].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/pull-request.yml"
echo "== $FILE (lines 8-22) =="
awk 'NR>=8 && NR<=22 {printf "%d:%s\n", NR, $0}' "$FILE"

Repository: ballerina-platform/module-ballerina-http

Length of output: 412


🌐 Web query:

ballerina-platform/ballerina-library pull-request-build-template.yml java-25-migration secrets inherit

💡 Result:

I couldn’t locate the specific file path you mentioned (ballerina-platform/ballerina-library pull-request-build-template.yml java-25-migration secrets inherit). What I can confirm from authoritative sources is the following relevant parts: 1) How secrets: inherit works for reusable GitHub workflows - In GitHub Actions, you can call a reusable workflow and pass secrets implicitly using secrets: inherit. The called (reusable) workflow can then reference those secrets even if they aren’t explicitly defined in the called workflow’s on inputs/keys. [1] - You can also pass all calling workflow secrets to a directly called workflow with jobs.<job_id>.secrets.inherit. [1] 2) Example showing secrets: inherit used with a Ballerina-library reusable workflow - In ballerina-platform/module-ballerinax-azure.ai.search, the repository’s .github/workflows/pull-request.yml calls a reusable workflow in ballerina-platform/ballerina-library and sets secrets: inherit. [2] 3) Evidence around “Java 25 migration” context (Ballerina-related) - There is an open issue about “Getting warnings when running in Java 25” in ballerina-platform/ballerina-lang, indicating Java 25-specific runtime warnings are a consideration in the Ballerina ecosystem. [3] - A Java 25 migration guide exists (OpenRewrite) but it’s about upgrading Java codebases broadly; it doesn’t directly confirm any specific pull-request-build-template.yml behavior in ballerina-library. [4] If you share the exact repo URL (or paste the relevant portion of the pull-request-build-template.yml and/or the java-25-migration job block), I can verify precisely whether and where secrets: inherit is used and how the Java 25 migration is wired in that template.

Citations:


Pin the reusable workflow ref to an immutable commit SHA and avoid secrets: inherit
.github/workflows/pull-request.yml calls ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@java-25-migration and uses secrets: inherit, forwarding all caller secrets to the reusable workflow.

    uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@java-25-migration
    secrets: inherit
🔐 Suggested hardening
-    uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@java-25-migration
-    secrets: inherit
+    uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@<full_commit_sha>
+    secrets:
+      REQUIRED_SECRET_NAME: ${{ secrets.REQUIRED_SECRET_NAME }}
🧰 Tools
🪛 zizmor (1.25.2)

[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 13-13: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pull-request.yml around lines 13 - 14, The reusable
workflow invocation currently uses a mutable branch ref and forwards all secrets
with "secrets: inherit", which is unsafe; change the "uses:
ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@java-25-migration"
to a specific immutable commit SHA (replace the `@java-25-migration` ref with the
exact commit SHA) and remove "secrets: inherit", instead explicitly pass only
the needed secrets (e.g., "secrets: MY_SECRET: ${{ secrets.MY_SECRET }}" for
each required secret) so that you pin the workflow version and limit secret
exposure.

1 change: 1 addition & 0 deletions 2201.12.x
Submodule 2201.12.x added at 5352ef
Loading
Loading