Test older versions of GraalVM CE on Windows Server 2025 #57

linghengqian · 2025-08-12T02:52:45Z

Test older versions of GraalVM CE on Windows Server 2025. Let's see what the problem is with the older version of GraalVM CE.

.github/workflows/test.yml

+    name: NativeTest - ${{ matrix.graalvm-distribution }} for JDK ${{ matrix.java }} on ${{ matrix.os }}
+    if: github.repository == 'linghengqian/hive-server2-jdbc-driver'
+    strategy:
+      matrix:
+        java: [ '24.2.2' ]
+        os: [ 'windows-2025' ]
+        graalvm-distribution: [ 'mandrel' ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Rancher Desktop without GUI on Windows Server
+        run: |
+          ./subprojects/doc/helpful_tools/uninstall-docker-engine-for-wcow.ps1
+          winget install --id jazzdelightsme.WingetPathUpdater --source winget
+          winget install --id SUSE.RancherDesktop --source winget
+          rdctl start --application.start-in-background --container-engine.name=moby --kubernetes.enabled=false
+          ./subprojects/doc/helpful_tools/wait-for-rancher-desktop-backend.ps1
+          "PATH=$env:PATH" >> $env:GITHUB_ENV
+      - uses: graalvm/setup-graalvm@v1
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: ${{ matrix.graalvm-distribution }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          cache: 'maven'
+          native-image-job-reports: 'true'
+      - name: NativeTest on ${{ matrix.os }}
+        run: ./mvnw -PnativeTestInJava23+ clean test
+  native-test-ci-on-liberica:


To fix this issue, add an explicit permissions block to your workflow so that all jobs limit their access to the GITHUB_TOKEN according to the principle of least privilege. Since none of the jobs in your workflow appear to require write permissions (they run code checks and tests, do checkouts, and set up environments), the minimal recommended setting is contents: read. This can be added at the top level (applies to all jobs unless overridden), or individually per job if some jobs need additional permissions. The fix is best performed by editing .github/workflows/test.yml by adding the following block after the name section and before the on: section:

permissions: contents: read

No other changes or imports are necessary.

.github/workflows/test.yml

+        os: [ 'windows-2025' ]
+        graalvm-distribution: [ 'liberica' ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Rancher Desktop without GUI on Windows Server
+        run: |
+          iwr -Uri "https://raw.githubusercontent.com/microsoft/Windows-Containers/refs/heads/Main/helpful_tools/Install-DockerCE/uninstall-docker-ce.ps1" -OutFile uninstall-docker-ce.ps1
+          .\uninstall-docker-ce.ps1 -Force
+          ri .\uninstall-docker-ce.ps1
+          winget install --id jazzdelightsme.WingetPathUpdater --source winget
+          winget install --id SUSE.RancherDesktop --source winget
+          rdctl start --application.start-in-background --container-engine.name=moby --kubernetes.enabled=false
+          ./subprojects/doc/helpful_tools/wait-for-rancher-desktop-backend.ps1
+          "PATH=$env:PATH" >> $env:GITHUB_ENV
+      - uses: graalvm/setup-graalvm@v1
+        with:
+          java-version: ${{ matrix.java }}
+          distribution: ${{ matrix.graalvm-distribution }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          cache: 'maven'
+          native-image-job-reports: 'true'
+      - name: NativeTest on ${{ matrix.os }}
+        run: ./mvnw -PnativeTestInJava23+ clean test
+  native-test-ci-on-oracle-graalvm:
+    name: NativeTest - ${{ matrix.graalvm-distribution }} for JDK ${{ matrix.java }} on ${{ matrix.os }}
+    if: github.repository == 'linghengqian/hive-server2-jdbc-driver'
+    strategy:
+      matrix:
+        java: [ '24.0.2' ]


To fix the issue, you should add an explicit permissions: block to your workflow or directly to the job shown (starting at line 116 for "native-test-ci-on-liberica"). Since most CI/test jobs typically require only the ability to read repository contents (not write), you can add a minimal permissions: entry specifying contents: read either at the top (root) level or for each job individually.

General fix: Add permissions: at the root of the workflow (above jobs:) if all jobs require the same reduced permissions, or add an explicit block to each job if different jobs need different permissions.

Best approach here: Insert the following near line 15 (above or below name: Test):
permissions: contents: read
This applies to all jobs unless a job sets its own permissions.

If only specific jobs need the block: Add it inside the relevant job.

For the error specifically highlighted at line 116, you can add:
permissions: contents: read
directly after the name: field in the native-test-ci-on-liberica job.

Files/regions to change:
You can add a root-level permissions: block, or a per-job block inside the affected job (native-test-ci-on-liberica). Prefer root-level unless exceptions are needed.

Methods/imports/definitions:
No dependencies or imports required; purely a YAML field addition.

linghengqian added the enhancement New feature or request label Aug 12, 2025

linghengqian force-pushed the test-windows branch from a9000f7 to ac4c76e Compare August 13, 2025 09:02

linghengqian mentioned this pull request Aug 13, 2025

Support running nativeTest under GraalVM Native Image on Windows 11 apache/shardingsphere#35052

Open

4 tasks

linghengqian force-pushed the test-windows branch 2 times, most recently from d41b7fc to 7fe530e Compare August 14, 2025 12:27

github-advanced-security bot found potential problems Aug 14, 2025

View reviewed changes

linghengqian force-pushed the test-windows branch 2 times, most recently from 47c9806 to 0d2a65e Compare August 14, 2025 13:03

linghengqian force-pushed the test-windows branch from 0d2a65e to 9432209 Compare September 19, 2025 08:56

github-advanced-security bot found potential problems Sep 19, 2025

View reviewed changes

linghengqian force-pushed the test-windows branch 2 times, most recently from 168642c to 3a259e9 Compare September 19, 2025 09:34

Test older versions of GraalVM CE on Windows Server 2025

4e41869

linghengqian force-pushed the test-windows branch from 3a259e9 to 4e41869 Compare September 19, 2025 09:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Test older versions of GraalVM CE on Windows Server 2025 #57

Test older versions of GraalVM CE on Windows Server 2025 #57

Uh oh!

linghengqian commented Aug 12, 2025 •

edited

Loading

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!

@@ -13,6 +13,8 @@
             # limitations under the License.
             name: Test
+            permissions:
+              contents: read
             on:
               pull_request:
                 branches:

Test older versions of GraalVM CE on Windows Server 2025 #57

Are you sure you want to change the base?

Test older versions of GraalVM CE on Windows Server 2025 #57

Uh oh!

Conversation

linghengqian commented Aug 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!

linghengqian commented Aug 12, 2025 •

edited

Loading