
Add self hosted runner for Github actions#14063

Open: PasanT9 wants to merge 1 commit into wso2:master from PasanT9:470-30

Conversation


@PasanT9 PasanT9 commented Mar 22, 2026

$subject

Summary by CodeRabbit

  • Chores
    • Updated the continuous integration build environment configuration.


coderabbitai bot commented Mar 22, 2026

Walkthrough

The GitHub Actions workflow in maven.yml updates the execution environment for three jobs (build, run-benchmark-test, show-report) from ubuntu-latest to CodeBuild runners with dynamically generated labels using GitHub context variables.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Configuration: .github/workflows/maven.yml | Updated runs-on field for three jobs from ubuntu-latest to CodeBuild runner labels with dynamic naming pattern: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Off to the CodeBuild warren we go,
Where runners leap with a swifter flow,
Three jobs now jump through the builder's door,
Ubuntu's dust settles forevermore!
With dynamic labels, our workflows now shine,
A hop toward performance—oh, how divine!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: migrating GitHub Actions job execution from ubuntu-latest to a CodeBuild self-hosted runner.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/maven.yml:
- Line 15: The workflow currently sets runs-on to a self-hosted CodeBuild runner
(the runs-on entry) which allows untrusted PR code to run on your infra; update
the workflow so that pull_request events (fork PRs) never use the self-hosted
runner by adding a conditional that detects PRs (e.g., checking
github.event_name or github.event.pull_request.head.repo.fork) and selects a
safe runner for those cases, ensuring the runs-on assignment for the jobs
referenced by the existing runs-on line (and the other two occurrences at the
same pattern) uses the self-hosted runner only for trusted events (push to
protected branches or workflow_dispatch) and falls back to a GitHub-hosted
runner for untrusted PRs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 82cab697-3f43-4119-9e2f-2cbd06478de0

📥 Commits

Reviewing files that changed from the base of the PR and between 4fe625c and df216d3.

📒 Files selected for processing (1)
  • .github/workflows/maven.yml

jobs:
build:
runs-on: ubuntu-latest
runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
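Review bot: the new runs-on value applies to every event this job is triggered by and carries no `if:` guard, so a pull_request opened from a fork would be scheduled onto the CodeBuild runner with the fork's code checked out; gate the job on the event, or select the runner per event (runs-on accepts an expression over the github context, e.g. `${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}`). Separately, the PR description is only "$subject": document which CodeBuild project the `wso2_product-apim` label maps to (the label embeds the project name) and why ubuntu-latest no longer suffices, so that a reviewer can confirm the runner's trust boundary without access to the AWS account.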

⚠️ Potential issue | 🔴 Critical

Block untrusted PR code from self-hosted runners.

Line 15, Line 73, and Line 102 now run pull_request workloads on self-hosted CodeBuild runners. That allows untrusted PR code (especially fork PRs) to execute on your infrastructure.

🔒 Suggested guard for fork PRs
 jobs:
   build:
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
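Review bot: this guard skips `build` outright for fork PRs instead of falling back to a GitHub-hosted runner as the finding text describes, so external contributors get no CI at all and a required status check on `build` would block their PRs permanently. Consider choosing the runner instead of skipping the job, e.g. `runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}`. Note also that the condition only compares against the literal `pull_request`; should the workflow ever add a pull_request_target trigger, fork code would pass this check while running with the base repository's token, so the guard should be revisited if the triggers change.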
@@
   run-benchmark-test:
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
@@
   show-report:
-    if: ${{ always() && !cancelled() }}
+    if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && always() && !cancelled() }}
     needs: build
     runs-on: codebuild-wso2_product-apim-${{ github.run_id }}-${{ github.run_attempt }}
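Review bot: `always() && !cancelled()` reduces to `!cancelled()`, because `always()` is unconditionally true; `!cancelled()` is itself a status-check function, so `show-report` still runs when `build` fails and is only skipped on cancellation. Keeping the fork guard in this job is the important part: with `needs: build` and a status-check function in `if`, the job would otherwise run even when `build` was skipped for a fork PR, landing the report step on the self-hosted runner. Suggest `if: ${{ !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}`.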

Also applies to: 73-73, 102-102

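A complete workflow that applies the finding's "fall back to a GitHub-hosted runner" idea per job rather than skipping jobs for fork PRs. This is an added example: it is not the PR's maven.yml and not CodeRabbit's suggestion. The job names (build, run-benchmark-test, show-report), the `needs: build` relation of show-report and the CodeBuild label pattern come from the page; the triggers, the `permissions` block, the Java version, the Maven goals and profile, the artifact name and `run-benchmark-test` depending on `build` are assumptions.

```yaml
name: Java CI with Maven

# Assumed triggers; the PR page does not show the workflow's `on:` block.
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  workflow_dispatch:

# Assumed: restrict the default GITHUB_TOKEN so a job on the self-hosted
# runner cannot write to the repository even if a build step is compromised.
permissions:
  contents: read

jobs:
  build:
    # A pull_request from a fork exposes head.repo.fork == true and is routed
    # to a GitHub-hosted runner. push, workflow_dispatch and same-repo PRs
    # evaluate the left operand as falsy, so they take the CodeBuild label
    # shown in the PR. runs-on cannot read `env`, so the expression is
    # repeated in each job instead of being defined once.
    runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-java@v4
        with:
          distribution: temurin        # assumed
          java-version: '17'           # assumed
      - run: mvn -B verify             # assumed Maven goal
      - uses: actions/upload-artifact@v4
        with:
          name: build-report           # assumed artifact name
          path: target/surefire-reports/

  run-benchmark-test:
    needs: build                       # assumed dependency
    runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: mvn -B -Pbenchmark verify # assumed profile name

  show-report:
    # !cancelled() is a status-check function: the job still runs when build
    # fails, but not when the run was cancelled. No fork guard is needed here
    # because a fork PR already lands on ubuntu-latest via runs-on.
    if: ${{ !cancelled() }}
    needs: build
    runs-on: ${{ github.event.pull_request.head.repo.fork && 'ubuntu-latest' || format('codebuild-wso2_product-apim-{0}-{1}', github.run_id, github.run_attempt) }}
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: build-report
      - run: ls -R .
```

The `cond && a || b` form is the GitHub Actions ternary idiom; it is safe here because `'ubuntu-latest'` is a non-empty string and therefore truthy, so the `||` branch is taken only when the fork check is false or absent. On a push or workflow_dispatch event `github.event.pull_request` does not exist, property access yields null, and the CodeBuild label is selected, which matches the "trusted events" intent of the finding. Routing by runs-on rather than by `if:` also means a required status check on `build` keeps working for fork contributors.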
