Conversation
…nto java-agent-layer
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check Tag | ||
| id: java-agent-check-tag | ||
| run: | | ||
| if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+(\.[0-9]+)*_java-agent ]]; then | ||
| echo "match=true" >> $GITHUB_OUTPUT | ||
| fi | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| with: | ||
| platforms: arm64, amd64 | ||
| - name: Publish Java Agent Layer | ||
| if: steps.java-agent-check-tag.outputs.match == 'true' | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| run: | | ||
| cd java-agent | ||
| ./publish-layers.sh No newline at end of file |
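Review bot: the Check Tag step at the top of this region expands `${{ github.event.ref }}` directly into the shell script, so the ref name is substituted before bash parses the line; pass it through an environment variable and quote it instead, e.g. `env: REF: ${{ github.event.ref }}` on the step and `if [[ "$REF" =~ ^refs/tags/v[0-9]+(\.[0-9]+)*_java-agent ]]`, which keeps any unexpected characters in a ref name from being interpreted by the shell (quote `"$GITHUB_OUTPUT"` for the same reason). Separately, the Publish Java Agent Layer step authenticates with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets; `aws-actions/configure-aws-credentials` with an OIDC role assumption would avoid keeping static keys in the repository and is worth considering before this workflow starts publishing.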
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 19 days ago):
In general, the problem is fixed by defining explicit permissions for the workflow or specific job, limiting the `GITHUB_TOKEN` to only what is required. For this workflow, the steps only need to read repository contents (for `actions/checkout`) and do not require any write operations via `GITHUB_TOKEN`. Therefore, we can safely set `contents: read` as the job (or workflow) permissions.
The best minimal change without altering functionality is to add a `permissions:` block at the job level for `publish-java-agent`. This keeps the change tightly scoped and clearly associated with the job CodeQL flagged. We will insert:

    permissions:
      contents: read

directly under `runs-on: ubuntu-latest` in `.github/workflows/publish-java-agent.yml`. No additional imports or methods are required, because this is purely a YAML configuration change for GitHub Actions.
| @@ -8,6 +8,8 @@ | ||
| jobs: | ||
| publish-java-agent: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: Check Tag | ||
| id: java-agent-check-tag |
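Review bot: job-level `permissions: contents: read` is the right scope here, since the only `GITHUB_TOKEN` use in the job is `actions/checkout` and the publish step authenticates to AWS with its own secrets; consider adding the same block at the workflow top level as well, so any job added to this file later starts from read-only rather than the repository default.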
Pull request overview
Adds a new AWS Lambda layer packaging/publishing path for attaching the New Relic Java Agent (as an alternative to the existing OpenTracing Java layer approach).
Changes:
- Extend `libBuild.sh` to support a new `java` runtime for layer naming, S3 prefixing, compatible runtimes, and ECR publishing flags.
- Introduce `java-agent/` scripts to build (full + slim) and publish the Java agent layers, plus handler wrappers and defaults.
- Add a GitHub Actions workflow to publish the Java agent layers on `v*_java-agent` tags.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| libBuild.sh | Adds java (agent) runtime handling for naming, S3 prefix, compatible runtimes, and ECR publishing. |
| java-agent/versions.sh | Pins the Java agent version used for downloads/builds. |
| java-agent/build-layers.sh | Builds full/slim Java agent layer zip artifacts. |
| java-agent/publish-layers.sh | Publishes the built layer zips to all regions + ECR. |
| java-agent/lib-handler.sh | Wrapper logic to detect Java version and set JAVA_TOOL_OPTIONS + New Relic env defaults. |
| java-agent/java-handler-slim | Slim handler wrapper enabling lite-mode-related settings. |
| java-agent/java-handler-full | Full handler wrapper to attach the agent. |
| java-agent/README.md | Local build/publish instructions for the new Java agent layer. |
| .github/workflows/publish-java-agent.yml | CI workflow to publish Java agent layers on tag pushes. |
Sashwatdas123
left a comment
LGTM, thank you for raising this PR
Description
New Lambda layer publish workflow that attaches the New Relic Java Agent.
This acts as an alternative Java solution to the Open Tracing layer.
There will be a full agent layer and a slim agent layer which has less visibility to improve cold start performance.
This deploys lambda layers with the expected ARNs (version section will increment and region can be changed):
Releases with the tag format `v**_java-agent` should trigger deploying the Java Agent layer.
GitHub Issues
newrelic/newrelic-java-agent#2725
newrelic/newrelic-java-agent#2658