fix: add Multi-Release manifest attribute to shaded JARs for GraalVM/Truffle support by robfrank · Pull Request #3487 · ArcadeData/arcadedb

robfrank · 2026-02-20T12:40:01Z

GraalVM/Truffle JARs are transitively included in protocol module shaded JARs (e.g. gremlin via arcadedb-integration -> arcadedb-engine -> GraalVM). The maven-shade-plugin strips the Multi-Release: true manifest attribute, causing Truffle's CheckMultiReleaseSupport check to use the base class (returns false) instead of the Java-9+ versioned class (returns true).

Since shaded JARs sort alphabetically before the individual truffle-api and polyglot JARs, the JVM always loaded the broken version first, resulting in Engine$ImplHolder initialization failure.

Fix: add ManifestResourceTransformer with Multi-Release: true to the parent pom shade plugin configuration, as recommended by the GraalVM documentation for Uber/shaded JAR setups.

…Truffle support GraalVM/Truffle JARs are transitively included in protocol module shaded JARs (e.g. gremlin via arcadedb-integration -> arcadedb-engine -> GraalVM). The maven-shade-plugin strips the Multi-Release: true manifest attribute, causing Truffle's CheckMultiReleaseSupport check to use the base class (returns false) instead of the Java-9+ versioned class (returns true). Since shaded JARs sort alphabetically before the individual truffle-api and polyglot JARs, the JVM always loaded the broken version first, resulting in Engine$ImplHolder initialization failure. Fix: add ManifestResourceTransformer with Multi-Release: true to the parent pom shade plugin configuration, as recommended by the GraalVM documentation for Uber/shaded JAR setups. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

gemini-code-assist · 2026-02-20T12:40:13Z

Summary of Changes

Hello @robfrank, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical compatibility problem affecting GraalVM/Truffle when its dependencies are bundled into shaded JARs. The core issue stemmed from the build process inadvertently removing a crucial manifest attribute, leading to runtime initialization errors. By reconfiguring the build plugin to preserve this attribute, the change ensures seamless integration and correct functionality of GraalVM/Truffle within the project's shaded artifacts.

Highlights

GraalVM/Truffle Compatibility Fix: Resolved an issue where GraalVM/Truffle JARs, when transitively included in shaded JARs, failed to initialize correctly due to the Multi-Release: true manifest attribute being stripped by the maven-shade-plugin.
Manifest Attribute Restoration: Implemented a ManifestResourceTransformer within the maven-shade-plugin configuration to explicitly add the Multi-Release: true attribute, ensuring proper detection of Java 9+ versioned classes by Truffle's CheckMultiReleaseSupport.
Engine Initialization Failure Prevention: The fix prevents Engine$ImplHolder initialization failures that occurred when the JVM loaded the broken base class version instead of the correct Java 9+ versioned class from the shaded JARs.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

pom.xml
- Added a ManifestResourceTransformer to the maven-shade-plugin configuration.
- Configured the transformer to include the Multi-Release: true manifest entry.

Activity

No activity has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

mergify · 2026-02-20T12:40:42Z

🧪 CI Insights

Here's what we observed from your CI run for d2c441f.

🟢 All jobs passed!

But CI Insights is watching 👀

gemini-code-assist

Code Review

This pull request addresses a runtime initialization failure with GraalVM/Truffle when using shaded JARs. The issue is caused by the maven-shade-plugin stripping the Multi-Release: true manifest attribute, which is required by GraalVM's multi-release JARs. The fix adds a ManifestResourceTransformer to the parent pom.xml's shade plugin configuration to explicitly set Multi-Release: true in the manifest of shaded JARs. This is the correct approach as recommended by GraalVM documentation. The change is well-commented and effectively resolves the issue. I find the change to be correct and have no suggestions for improvement.

claude · 2026-02-20T12:41:58Z

Code Review - PR #3487

Summary

This PR addresses a critical GraalVM/Truffle initialization issue in shaded JARs by adding the Multi-Release: true manifest attribute to the parent POM's maven-shade-plugin configuration.

✅ Positive Aspects

Correct Root Cause Analysis: The PR correctly identifies that maven-shade-plugin strips the Multi-Release: true manifest attribute, causing Truffle's CheckMultiReleaseSupport to fail and use the base class instead of Java 9+ versioned classes.
Proper Fix Location: Adding the ManifestResourceTransformer to the parent POM ensures all modules that use the shade plugin inherit this fix (gremlin, mongodbw, postgresw, redisw, grpcw, bolt, metrics).
Good Documentation: The inline comment clearly explains why this change is necessary and what failure it prevents.
Minimal Impact: This is a non-invasive change that only adds metadata to the JAR manifest without modifying any code.
Alignment with GraalVM Best Practices: This follows the official GraalVM documentation recommendations for shaded/uber JARs.

🔍 Technical Review

Code Quality: ✅ Excellent

Clean XML formatting consistent with existing transformers
Proper placement within the <transformers> section
Clear, concise comment

Correctness: ✅ Verified

The Multi-Release manifest entry is the standard way to mark JARs as multi-release
This will propagate to all child modules using the parent shade plugin configuration

Performance: ✅ No Impact

This is a build-time change only; no runtime performance impact

Security: ✅ No Concerns

Adding manifest metadata poses no security risk
Multi-release JARs are a standard Java feature (JEP 238)

📋 Observations & Considerations

Test Coverage: While the fix is correct, consider:
- ✅ Existing tests like SQLDefinedJavascriptFunctionTest, PolyglotQueryTest, and PolyglotFunctionTest should now work properly in shaded JAR contexts
- ℹ️ The fix enables JavaScript functions (via GraalVM) to work in production distributions where protocol modules are shaded
- 💡 Recommendation: After merging, verify that a shaded JAR (e.g., from gremlin module) contains Multi-Release: true in its manifest by running:
```
mvn clean install -pl gremlin
unzip -p gremlin/target/arcadedb-gremlin-*-shaded.jar META-INF/MANIFEST.MF | grep Multi-Release
```
Affected Modules: The following modules inherit this configuration and will benefit:
- gremlin (uses GraalVM for GraphML/GraphSON handlers)
- mongodbw, postgresw, redisw, grpcw, bolt (protocol adapters)
- metrics (monitoring module)
Dependency Scope: ✅ The engine module correctly declares GraalVM dependencies at compile scope since it directly uses polyglot features. Protocol modules should use provided scope per CLAUDE.md guidelines.

🎯 Recommendations

Pre-Merge Verification (Optional but Recommended):

# Build with the fix
mvn clean install -DskipTests

# Verify manifest in a shaded JAR
unzip -p gremlin/target/arcadedb-gremlin-*-shaded.jar META-INF/MANIFEST.MF | grep -i multi-release

# Run polyglot tests to ensure no regression
mvn test -Dtest="*Polyglot*" -pl engine

Documentation: Consider adding a note in package/README-BUILDER.md or developer docs about this GraalVM requirement if teams create custom build configurations.
Future-Proofing: This fix is compatible with the modular builder (arcadedb-builder.sh) since it affects the Maven build process upstream of distribution assembly.

✅ Final Verdict

APPROVED ✅

This is a well-researched, correctly implemented fix for a critical runtime issue. The change:

Solves a real problem affecting JavaScript function execution in shaded distributions
Follows GraalVM best practices
Has no negative side effects
Is properly documented
Aligns with the project's coding standards

The fix enables ArcadeDB's polyglot scripting features (JavaScript functions, triggers) to work correctly in production deployments using shaded protocol modules.

Minor Typo Note: The branch name has a typo: fix/jsfuncions-thruffle (should be "functions" and "truffle"), but this doesn't affect the functionality.

Great work tracking down this tricky initialization issue! 🎉

codacy-production · 2026-02-20T13:46:12Z

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -9.86%	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (`d14e063`)	88194	63913	72.47%
Head commit (`d2c441f`)	118081 (+29887)	73934 (+10021)	62.61% (-9.86%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#3487)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings Change summary preferences

codecov · 2026-02-20T13:46:45Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.33%. Comparing base (d14e063) to head (d2c441f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3487      +/-   ##
==========================================
+ Coverage   63.50%   64.33%   +0.82%     
==========================================
  Files        1331     1331              
  Lines       88194    88194              
  Branches    18063    18063              
==========================================
+ Hits        56009    56741     +732     
+ Misses      24308    23516     -792     
- Partials     7877     7937      +60

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

…Truffle support (#3487) GraalVM/Truffle JARs are transitively included in protocol module shaded JARs (e.g. gremlin via arcadedb-integration -> arcadedb-engine -> GraalVM). The maven-shade-plugin strips the Multi-Release: true manifest attribute, causing Truffle's CheckMultiReleaseSupport check to use the base class (returns false) instead of the Java-9+ versioned class (returns true). Since shaded JARs sort alphabetically before the individual truffle-api and polyglot JARs, the JVM always loaded the broken version first, resulting in Engine$ImplHolder initialization failure. Fix: add ManifestResourceTransformer with Multi-Release: true to the parent pom shade plugin configuration, as recommended by the GraalVM documentation for Uber/shaded JAR setups. (cherry picked from commit 9ed310c)

Bumps the github-actions group with 3 updates: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action), [github/codeql-action](https://github.com/github/codeql-action) and [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions). Updates `anthropics/claude-code-action` from 1.0.76 to 1.0.82 Release notes *Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).* > v1.0.82 > ------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.82> > > v1.0.81 > ------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.81> > > v1.0.80 > ------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.80> > > v1.0.79 > ------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.79> > > v1.0.78 > ------- > > **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.78> > > v1.0.77 > ------- > > Subprocess environment scrubbing for untrusted-input workflows > -------------------------------------------------------------- > > Workflows that configure `allowed_non_write_users` now automatically get `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1`, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed. > > **Why:** Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads `$ANTHROPIC_API_KEY` via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely. > > **What's scrubbed:** Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers. > > **What's kept:** `GITHUB_TOKEN` / `GH_TOKEN` — so wrapper scripts can still call the GitHub API. > > **Opt out:** Set `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0"` at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials. > > **No action required** for most users — if you've configured `allowed_non_write_users`, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server `env:` config) or use the opt-out. > > What's Changed > -------------- > > * Auto-set subprocess env scrub when allowed\_non\_write\_users is configured by [`@OctavianGuzu`](https://github.com/OctavianGuzu) in [anthropics/claude-code-action#1093](https://redirect.github.com/anthropics/claude-code-action/pull/1093) > > **Full Changelog**: <anthropics/claude-code-action@v1.0.76...v1.0.77> Commits * [`88c168b`](anthropics/claude-code-action@88c168b) chore: bump Claude Code to 2.1.87 and Agent SDK to 0.2.87 * [`e7b588b`](anthropics/claude-code-action@e7b588b) chore: bump Claude Code to 2.1.86 and Agent SDK to 0.2.86 * [`094bd24`](anthropics/claude-code-action@094bd24) chore: bump Claude Code to 2.1.85 and Agent SDK to 0.2.85 * [`3ac52d0`](anthropics/claude-code-action@3ac52d0) chore: bump Claude Code to 2.1.84 and Agent SDK to 0.2.84 * [`0ee1bee`](anthropics/claude-code-action@0ee1bee) chore: bump Claude Code to 2.1.83 and Agent SDK to 0.2.83 * [`ff9acae`](anthropics/claude-code-action@ff9acae) Auto-set subprocess env scrub when allowed\_non\_write\_users is configured ([#1093](https://redirect.github.com/anthropics/claude-code-action/issues/1093)) * See full diff in [compare view](anthropics/claude-code-action@6062f37...88c168b) Updates `github/codeql-action` from 4.34.1 to 4.35.1 Release notes *Sourced from [github/codeql-action's releases](https://github.com/github/codeql-action/releases).* > v4.35.1 > ------- > > * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781) > > v4.35.0 > ------- > > * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767) > * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773) Changelog *Sourced from [github/codeql-action's changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md).* > CodeQL Action Changelog > ======================= > > See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. > > [UNRELEASED] > ------------ > > No user facing changes. > > 4.35.1 - 27 Mar 2026 > -------------------- > > * Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#3781](https://redirect.github.com/github/codeql-action/pull/3781) > > 4.35.0 - 27 Mar 2026 > -------------------- > > * Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://redirect.github.com/github/codeql-action/pull/3767) > * Update default CodeQL bundle version to [2.25.1](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#3773](https://redirect.github.com/github/codeql-action/pull/3773) > > 4.34.1 - 20 Mar 2026 > -------------------- > > * Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://redirect.github.com/github/codeql-action/pull/3762) > > 4.34.0 - 20 Mar 2026 > -------------------- > > * Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://redirect.github.com/github/codeql-action/pull/3569) > * We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://redirect.github.com/github/codeql-action/pull/3584) > * Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://redirect.github.com/github/codeql-action/pull/3585) > > 4.33.0 - 16 Mar 2026 > -------------------- > > * Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://redirect.github.com/github/codeql-action/pull/3562) > > To opt out of this change: > > + **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow. > + **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow. > + **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow. > * Fixed [a bug](https://redirect.github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#3557](https://redirect.github.com/github/codeql-action/pull/3557) > * The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://redirect.github.com/github/codeql-action/pull/3559) > * Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://redirect.github.com/github/codeql-action/pull/3563) > * Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://redirect.github.com/github/codeql-action/pull/3564) > * A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://redirect.github.com/github/codeql-action/pull/3570) > > 4.32.6 - 05 Mar 2026 > -------------------- > > * Update default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#3548](https://redirect.github.com/github/codeql-action/pull/3548) > > 4.32.5 - 02 Mar 2026 > -------------------- > > * Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://redirect.github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#3507](https://redirect.github.com/github/codeql-action/pull/3507) > * Added an experimental change so that when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#3487](https://redirect.github.com/github/codeql-action/pull/3487) > * The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#3515](https://redirect.github.com/github/codeql-action/pull/3515) ... (truncated) Commits * [`c10b806`](github/codeql-action@c10b806) Merge pull request [#3782](https://redirect.github.com/github/codeql-action/issues/3782) from github/update-v4.35.1-d6d1743b8 * [`c5ffd06`](github/codeql-action@c5ffd06) Update changelog for v4.35.1 * [`d6d1743`](github/codeql-action@d6d1743) Merge pull request [#3781](https://redirect.github.com/github/codeql-action/issues/3781) from github/henrymercer/update-git-minimum-version * [`65d2efa`](github/codeql-action@65d2efa) Add changelog note * [`2437b20`](github/codeql-action@2437b20) Update minimum git version for overlay to 2.36.0 * [`ea5f719`](github/codeql-action@ea5f719) Merge pull request [#3775](https://redirect.github.com/github/codeql-action/issues/3775) from github/dependabot/npm\_and\_yarn/node-forge-1.4.0 * [`45ceeea`](github/codeql-action@45ceeea) Merge pull request [#3777](https://redirect.github.com/github/codeql-action/issues/3777) from github/mergeback/v4.35.0-to-main-b8bb9f28 * [`24448c9`](github/codeql-action@24448c9) Rebuild * [`7c51060`](github/codeql-action@7c51060) Update changelog and version after v4.35.0 * [`b8bb9f2`](github/codeql-action@b8bb9f2) Merge pull request [#3776](https://redirect.github.com/github/codeql-action/issues/3776) from github/update-v4.35.0-0078ad667 * Additional commits viewable in [compare view](github/codeql-action@3869755...c10b806) Updates `zgosalvez/github-actions-ensure-sha-pinned-actions` from 5.0.3 to 5.0.4 Release notes *Sourced from [zgosalvez/github-actions-ensure-sha-pinned-actions's releases](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases).* > v5.0.4 > ------ > > What's Changed > -------------- > > * Bump picomatch from 2.3.1 to 2.3.2 by [`@dependabot`](https://github.com/dependabot)[bot] in [zgosalvez/github-actions-ensure-sha-pinned-actions#302](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/302) > * Bump eslint from 10.0.3 to 10.1.0 by [`@dependabot`](https://github.com/dependabot)[bot] in [zgosalvez/github-actions-ensure-sha-pinned-actions#301](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/301) > * Bump brace-expansion by [`@dependabot`](https://github.com/dependabot)[bot] in [zgosalvez/github-actions-ensure-sha-pinned-actions#303](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/303) > * Bump yaml from 2.8.2 to 2.8.3 by [`@dependabot`](https://github.com/dependabot)[bot] in [zgosalvez/github-actions-ensure-sha-pinned-actions#300](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/300) > > **Full Changelog**: <zgosalvez/github-actions-ensure-sha-pinned-actions@v5...v5.0.4> Commits * [`ca46236`](zgosalvez/github-actions-ensure-sha-pinned-actions@ca46236) Bump yaml from 2.8.2 to 2.8.3 ([#300](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/issues/300)) * [`c1f725e`](zgosalvez/github-actions-ensure-sha-pinned-actions@c1f725e) Bump brace-expansion ([#303](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/issues/303)) * [`2a0679d`](zgosalvez/github-actions-ensure-sha-pinned-actions@2a0679d) Bump eslint from 10.0.3 to 10.1.0 ([#301](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/issues/301)) * [`4533f2e`](zgosalvez/github-actions-ensure-sha-pinned-actions@4533f2e) Bump picomatch from 2.3.1 to 2.3.2 ([#302](https://redirect.github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/issues/302)) * See full diff in [compare view](zgosalvez/github-actions-ensure-sha-pinned-actions@471d5ac...ca46236) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

robfrank added this to the 26.3.1 milestone Feb 20, 2026

robfrank merged commit 9ed310c into main Feb 20, 2026
9 of 12 checks passed

gemini-code-assist bot reviewed Feb 20, 2026

View reviewed changes

lvca assigned robfrank Feb 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: add Multi-Release manifest attribute to shaded JARs for GraalVM/Truffle support#3487

fix: add Multi-Release manifest attribute to shaded JARs for GraalVM/Truffle support#3487
robfrank merged 1 commit intomainfrom
fix/jsfuncions-thruffle

robfrank commented Feb 20, 2026

Uh oh!

gemini-code-assist bot commented Feb 20, 2026

Uh oh!

Uh oh!

mergify bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

claude bot commented Feb 20, 2026

Uh oh!

codacy-production bot commented Feb 20, 2026

Uh oh!

codecov bot commented Feb 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

robfrank commented Feb 20, 2026

Uh oh!

gemini-code-assist bot commented Feb 20, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

Uh oh!

mergify bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🧪 CI Insights

🟢 All jobs passed!

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

claude bot commented Feb 20, 2026

Code Review - PR #3487

Summary

✅ Positive Aspects

🔍 Technical Review

📋 Observations & Considerations

🎯 Recommendations

✅ Final Verdict

Uh oh!

codacy-production bot commented Feb 20, 2026

Coverage summary from Codacy

See diff coverage on Codacy

See your quality gate settings Change summary preferences

Uh oh!

codecov bot commented Feb 20, 2026

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

mergify bot commented Feb 20, 2026 •

edited

Loading