ci: run platform-libs CI on the java17 runner label (#300) #11

Merged
hibryda merged 3 commits from ci/java17-runner-label into main 2026-05-28 22:44:30 +02:00
Owner

platform-libs CI runner toolchain fix (#300)

TL;DR — CONDITIONAL (needs runner re-register before CI can match). Repoints both CI jobs from runs-on: aim2be-rework (→ node:22-bookworm, no JDK/Maven → mvn exited 127 on every PR) to runs-on: java17, which the runner maps to maven:3.9-eclipse-temurin-17 (JDK 17 + Maven 3.9). Operator-chosen approach B (reusable label, DRY across the 8 Java services).

Changes

  • .forgejo/workflows/ci.yml: maven-install + maven-verify → runs-on: java17; updated the JDK-provenance comments.
  • Paired with im2be-mono scripts/forgejo-runner-setup.sh (RUNNER_LABELS += java17:docker://maven:3.9-eclipse-temurin-17, committed 68f5072).

⚠️ Required before this CI is green (operator)

Re-register the runner so it advertises the java17 label:

```bash
RUNNER_LABELS="aim2be-rework:docker://node:22-bookworm,java17:docker://maven:3.9-eclipse-temurin-17,ubuntu-latest:docker://node:22-bookworm,ubuntu-22.04:docker://node:22-bookworm,ubuntu-24.04:docker://node:22-bookworm" \
  scripts/forgejo-runner-setup.sh    # or just re-run it (the default now includes java17)
```

Until then this PR's own CI stays pending (no runner advertises java17). The hib-pr-reviewer R-cycle reviews the diff regardless.

Follow-up (not in this PR)

maven-verify (main-push) runs Testcontainers-Valkey ITs → the maven container needs Docker-socket access (act_runner valid_volumes + DOCKER_HOST). The per-PR mvn install (unit tests) needs only the image.

Verdict

CONDITIONAL — workflow-only; green pending the runner re-register.


im2be-platform-libs • #300 (approach B) • base main • 2026-05-28

ci: run on the java17 runner label instead of aim2be-rework (#300)
Some checks failed
im2be-platform-libs CI / mvn install (pull_request) Failing after 8s
im2be-platform-libs CI / mvn verify (main only) (pull_request) Has been skipped
b9cb827915
The aim2be-rework label maps to node:22-bookworm (no JDK/Maven), so the
"Verify JDK 17 available" step + `mvn install` exited 127 on every PR. Operator
chose the reusable-label approach: both jobs now `runs-on: java17`, which the
runner maps to maven:3.9-eclipse-temurin-17 (JDK 17 + Maven 3.9 baked in) — see
im2be-mono scripts/forgejo-runner-setup.sh RUNNER_LABELS.

Requires the runner to be re-registered with the java17 label (operator re-runs
the setup script) before this CI can match a runner. Testcontainers ITs under
maven-verify (main-push) will need a Docker-socket follow-up.

Superseded by round 2.


hib-pr-reviewer review — PR #11 (affinity-intelligence-rework/im2be-platform-libs)

Round 1 — head b9cb8279152e, base main, trigger opened

TL;DR: CONDITIONAL_APPROVE — kept 1 info-level unique-to-A finding (verified); B returned empty; no blocking or major issues.

Summary

Reconciliation: Round 1 — first arbitration for this PR (no prior Memora history).

No reusable patterns found in Memora for this repo. Reviewed the full file at .forgejo/workflows/ci.yml.

A's 1 finding (unique-to-A, info): Verified. Lines 29 and 53 both contain runs-on: java17 — a bare string label with no fallback. The comment block at lines 39-43 documents the runner dependency within the YAML, but there is no external ops-doc (e.g., RUNNER_REQUIREMENTS.md). Finding is factually grounded; kept at info.

B's 0 findings: B noted in its prose summary that pull_request: branches: [main] (line 24) limits CI to PRs targeting main — which contradicts the comment at line 9 that says "pull_request to any branch". However, B explicitly chose not to surface this as a structured finding (empty array), it appears pre-existing (not introduced by this diff), and A did not raise it either. Not elevated per Rule 4 / no-fresh-review principle.

Kept 1 finding (info). Persisted Run 1 summary to Memora (ID 315).

Blast Radius

Only one file changed: the Forgejo Actions CI workflow. The change affects the build pipeline runner label for both CI jobs but touches no application code, library interfaces, or shared configuration. Impact is limited to CI execution environment correctness.

BLAST_SCORE: 2/10

CI status (head b9cb8279152e)

Overall: pending

2 checks: 2 pending

| Check | State | Link |
|---|---|---|
| im2be-platform-libs CI / mvn install (pull_request) | pending | details |
| im2be-platform-libs CI / mvn verify (main only) (pull_request) | pending | details |

Findings (1)

[INFO] Runner label is a bare string with no fallback — label availability is fully implicit

.forgejo/workflows/ci.yml:29

Both jobs (lines 29 and 53) specify runs-on: java17. If this self-hosted runner label is offline, deregistered, or renamed, all CI jobs will queue indefinitely with no diagnostic error — there is no fallback label or failure-fast guard in Forgejo Actions YAML. The inline comment at lines 39-43 documents the dependency well inside the file, but there is no external operations document (e.g., RUNNER_REQUIREMENTS.md or repo CLAUDE.md) that informs future platform operators which runner labels must be provisioned. Consider adding a brief note to an ops or onboarding doc listing the required self-hosted runner labels for this repository.

Verdict

CONDITIONAL_APPROVE


hib-pr-reviewer • round 1 • 1 finding (1i) • 2026-05-28T19:30:47.316Z → 2026-05-28T19:31:48.451Z • posted-as: pr-reviewer-bot

ci: align pull_request trigger comment with branches:[main] + re-trigger on java17 runner (#300)
Some checks failed
im2be-platform-libs CI / mvn install (pull_request) Failing after 2s
im2be-platform-libs CI / mvn verify (main only) (pull_request) Has been skipped
3349798d8c
R1 verdict CONDITIONAL_APPROVE (kept=1 info):

(1) info .forgejo/workflows/ci.yml:9 — header said "pull_request to any branch"
    but the `on:` block (line 24) is `pull_request: branches: [main]`.
    Reviewer-B also noted this line-9↔line-24 contradiction but did not elevate
    it. platform-libs is a library with `main` as its sole integration branch,
    so the trigger filter is correct; the comment was the stale half.

Fix: reword the line-9 trigger doc to "pull_request targeting `main`" so the
header matches the actual trigger. The R1 info finding (no external ops-doc for
the `java17` label) is already covered by the line 3-4 pointer to
im2be-mono scripts/forgejo-runner-setup.sh — no RUNNER_REQUIREMENTS.md added
(over-doc for an info-level finding, rule 63).

Re-trigger rationale: run #78 (mvn install) failed pre-registration because no
runner advertised `java17`. The label is now registered server-side
(.runner re-declared on daemon restart: "declare successfully", labels
[aim2be-rework java17 ubuntu-latest ubuntu-22.04 ubuntu-24.04]). This push
re-runs CI on maven:3.9-eclipse-temurin-17.

Verification:
- runner labels (server-side declare): java17 present
- CI re-run: pending this push — will confirm green before merge

Superseded by round 3.


hib-pr-reviewer review — PR #11 (affinity-intelligence-rework/im2be-platform-libs)

Round 2 — head 3349798d8c20, base main, trigger synchronize

TL;DR: CONDITIONAL_APPROVE — kept 1 unique-to-A finding (queue-forever risk) and 1 unique-to-B finding (idiomatic array form), both verified against HEAD; no blocking issues.

Summary

Arbitration Summary

No prior Memora run history existed for this PR (first entry created as Run 2). Verified the HEAD file at /var/lib/pr-reviewer/repos/affinity-intelligence-rework/im2be-platform-libs/1063/.forgejo/workflows/ci.yml.

Finding A (unique): Confirmed runs-on: java17 bare scalar at line 29 and line 53. timeout-minutes: 15 (line 30) and timeout-minutes: 20 (line 54) are present and verified — these count execution time only, not queue wait. The queue-forever risk if the java17 label is unregistered is real and grounded. Kept.

Finding B (unique): Confirmed the same runs-on: java17 scalar form at lines 29 and 53. The [self-hosted, java17] array convention is the documented idiomatic form for Forgejo/GitHub Actions self-hosted runners; it prevents accidental match with a future hosted runner and signals scheduling intent clearly. The suggestion is actionable and costs nothing. Kept.

The two findings address distinct concerns at the same location (A = operational readiness; B = mechanical convention). No findings overlap or contradict. Persisted Run 2 block to Memora (memory id 316).

Blast Radius

Only one CI workflow file changed (.forgejo/workflows/ci.yml). The blast radius is limited to the CI pipeline for this single library repo — no production code, no shared libraries, no migration files are touched.

BLAST_SCORE: 1/10

CI status (head 3349798d8c20)

Overall: ✗ failure

2 checks: 2 pending

| Check | State | Link |
|---|---|---|
| im2be-platform-libs CI / mvn install (pull_request) | pending | details |
| im2be-platform-libs CI / mvn verify (main only) (pull_request) | pending | details |

Findings (2)

[MINOR] Bare java17 runner label — queue-forever risk if label is not yet registered

.forgejo/workflows/ci.yml:29

Both maven-install (line 29) and maven-verify (line 53) use runs-on: java17. timeout-minutes: 15/20 (lines 30, 54) count execution time only — if no runner carrying the java17 label is registered with the Forgejo instance, both jobs will silently queue indefinitely.

Pre-merge question: has the java17 label been registered on at least one active self-hosted runner before this PR lands? The comment references im2be-mono scripts/forgejo-runner-setup.sh RUNNER_LABELS; task #300 — confirming that script has been run (or linking to the tracking commit/issue in im2be-mono) would close this concern.

[MINOR] Single-string runs-on label — use [self-hosted, java17] array form

.forgejo/workflows/ci.yml:29

Both maven-install (line 29) and maven-verify (line 53) use runs-on: java17 as a bare scalar. The idiomatic Forgejo/GitHub Actions convention for self-hosted runners is the array form:

```yaml
# before
runs-on: java17

# after
runs-on: [self-hosted, java17]
```

The self-hosted label is applied automatically to every self-hosted Forgejo runner, so no extra provisioning is required. Benefits: (a) immediately signals to readers this is NOT a hosted runner; (b) prevents a future hosted-runner option named java17 from accidentally matching; (c) aligns with Forgejo Actions documentation examples. Applies identically to line 53.

Verdict

CONDITIONAL_APPROVE


hib-pr-reviewer • round 2 • 2 findings (2m) • 2026-05-28T20:24:47.600Z → 2026-05-28T20:26:03.132Z • posted-as: pr-reviewer-bot

ci: point java17 comments at the maven-node-ci image (Node+JDK+Maven) (#300)
All checks were successful
im2be-platform-libs CI / mvn install (pull_request) Successful in 1m20s
im2be-platform-libs CI / mvn verify (main only) (pull_request) Has been skipped
b46554f88b
R2 verdict CONDITIONAL_APPROVE (2 info kept, neither blocking):
  - A: queue-forever risk if `java17` is unregistered — now registered + declared.
  - B: prefer `[self-hosted, java17]` array form — deferred; this runner carries
       no `self-hosted` label, so adopting the array would require adding it
       (tracked separately, not in this comment-only change).

Root cause of the prior fast-fail (runs #78/#79): the `java17` label mapped to
the bare maven:3.9-eclipse-temurin-17 image, which has NO Node. actions/checkout
is a Node action run inside the job container, so it died before `mvn` ran.
Approach A (operator-chosen): a custom image
git.hemoglobina.store/affinity-intelligence-rework/maven-node-ci:3.9-temurin17
(maven base pinned by digest + Node 20 LTS), built/pushed by im2be-mono
ci/forgejo-runner-maven-node/build-push.sh and mapped to the `java17` label.

This commit updates the ci.yml header comments to cite the real image + the
Node-for-checkout reason, and re-triggers CI on the now-correct mapping.

Verification:
- image pushed + public-pullable (anon OCI token -> HTTP 200)
- runner re-declared: labels [aim2be-rework java17 ...]; java17 -> maven-node-ci
- CI re-run: pending this push -- will confirm green before merge

hib-pr-reviewer review — PR #11 (affinity-intelligence-rework/im2be-platform-libs)

Round 3 — head b46554f88baf, base main, trigger synchronize

TL;DR: CONDITIONAL_APPROVE — 1 agreed finding kept (bare runs-on: java17 on lines 32+57, open since round 1); no new issues introduced by this diff.

Summary

Reconciliation — Round 3

Memora lookup: No prior run history found for this PR (both queries returned 0 results). Created new memory (ID 319) with review_count: 3 as the fall-back create-new path.

File verification: Read .forgejo/workflows/ci.yml at HEAD. Lines 32 and 57 confirmed to contain runs-on: java17 (bare string) exactly as both reviewers described.

Agreement: A and B cite the same file, same lines (32 and 57), materially equivalent body, same severity (minor). Rule 1 applies — agreed finding kept unchanged.

No unique-to-one findings requiring independent verification.

Result: 1 agreed finding kept, 0 dropped, 0 new findings added.

Blast Radius

Change is confined to a single CI workflow file. The only observable blast radius is Forgejo Actions job routing — if both runner labels resolve correctly the functional impact is zero. A mis-labeled runner would silently stall CI for this repo only.

BLAST_SCORE: 2/10

CI status (head b46554f88baf)

Overall: ✓ success

2 checks: 2 pending

| Check | State | Link |
|---|---|---|
| im2be-platform-libs CI / mvn install (pull_request) | pending | details |
| im2be-platform-libs CI / mvn verify (main only) (pull_request) | pending | details |

Findings (1)

[MINOR] Both jobs use bare runs-on: java17 — recommend array form [self-hosted, java17] (open since round 1)

.forgejo/workflows/ci.yml:32

Lines 32 (maven-install) and 57 (maven-verify) both specify runs-on: java17 as a bare string. This finding has been raised in every round and remains unaddressed.

Concrete risk: If no Forgejo runner is registered with exactly the label java17, both jobs will queue silently and indefinitely — there is no routing error surfaced to the PR author. The array form [self-hosted, java17] is the idiomatic way to express intent (self-hosted target + capability label) and avoids any ambiguity in hybrid setups where a bare string might accidentally match a GitHub-hosted runner name.

Suggested change for both jobs:

    runs-on: [self-hosted, java17]

Forgejo automatically assigns the self-hosted label to every self-hosted runner, so no runner-side change is required — just the YAML update. If the project intentionally omits self-hosted because all runners are self-hosted and the label matching is unambiguous in this Forgejo instance, please add a comment in the YAML explaining that decision so this finding can be closed in a future round.

Note: the Verify JDK 17 available step mitigates the toolchain-absence risk (loud fail if the image drifts) but does not mitigate the silent-queue risk from an unregistered or mis-labeled runner.

Verdict

CONDITIONAL_APPROVE


hib-pr-reviewer • round 3 • 1 finding (1m) • 2026-05-28T20:40:22.385Z → 2026-05-28T20:41:17.375Z • posted-as: pr-reviewer-bot
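An added example, not part of the PR or of the reviewer's output: a pre-merge check that compares every job's `runs-on` labels with the runner's declared `RUNNER_LABELS` string, so a job that no runner can pick up is reported instead of queueing silently. The `RUNNER_LABELS` value is the one quoted in the PR description; the workflow text is a constructed sample, the function names are hypothetical, and the check assumes a job is routable only when one runner advertises every label it requests.

```python
import re
import sys

# RUNNER_LABELS value as quoted in the PR description.
RUNNER_LABELS = (
    "aim2be-rework:docker://node:22-bookworm,"
    "java17:docker://maven:3.9-eclipse-temurin-17,"
    "ubuntu-latest:docker://node:22-bookworm,"
    "ubuntu-22.04:docker://node:22-bookworm,"
    "ubuntu-24.04:docker://node:22-bookworm"
)

# Constructed sample workflow (not the repository's ci.yml).
SAMPLE_WORKFLOW = """\
jobs:
  maven-install:
    runs-on: java17
    timeout-minutes: 15
  maven-verify:
    runs-on: [self-hosted, java17]   # array form suggested in review
    timeout-minutes: 20
  legacy:
    runs-on: java21
"""

JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*(?:#.*)?$")
RUNS_ON_RE = re.compile(r"^\s{4,}runs-on:\s*(.+?)\s*(?:#.*)?$")


def parse_runner_labels(spec):
    """Map label name -> backend from a 'label:backend,label:backend' string."""
    labels = {}
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        # Only the first ':' separates the label from its backend;
        # the backend itself contains more colons (docker://image:tag).
        name, _, backend = entry.partition(":")
        labels[name] = backend
    return labels


def job_labels(workflow_text):
    """Return {job: [labels]} for inline scalar or [a, b] runs-on values.

    Line-based on purpose (no YAML dependency); block-style lists under
    runs-on are not handled.
    """
    jobs, current, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if re.match(r"^\S", line):          # a new top-level key
            in_jobs = line.startswith("jobs:")
            current = None
            continue
        if not in_jobs:
            continue
        job = JOB_RE.match(line)
        if job:
            current = job.group(1)
            continue
        runs_on = RUNS_ON_RE.match(line)
        if runs_on and current:
            raw = runs_on.group(1).strip("[]")
            jobs[current] = [p.strip().strip("'\"")
                             for p in raw.split(",") if p.strip()]
    return jobs


def unroutable_jobs(workflow_text, runner_labels_spec):
    """Return {job: [labels the runner does not advertise]}."""
    advertised = parse_runner_labels(runner_labels_spec)
    problems = {}
    for job, wanted in job_labels(workflow_text).items():
        missing = [label for label in wanted if label not in advertised]
        if missing:
            problems[job] = missing
    return problems


if __name__ == "__main__":
    found = unroutable_jobs(SAMPLE_WORKFLOW, RUNNER_LABELS)
    for job, missing in found.items():
        print(f"{job}: no runner advertises {', '.join(missing)}")
    sys.exit(1 if found else 0)
```

Run against the declared label string, the array form is reported as unroutable because `self-hosted` is not among the labels this runner declares, which is the reason the author gives for deferring that suggestion.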

hibryda deleted branch ci/java17-runner-label 2026-05-28 22:44:30 +02:00