ci: Add GitHub Actions CI for Linux and Windows, update Mac workflow

[laileni-aws]

Summary

Adds GitHub Actions CI workflows for Linux and Windows unit tests, and updates the existing Mac workflow to match. Linux and Windows now run tests against IDE versions 2025.1, 2025.2, and 2025.3 in a matrix and Mac runs on 2025.3 version.

Workflows

Workflow	Runner	Gradle command
linux-unit-tests.yml	ubuntu-latest	check coverageReport -x gitSecrets
windows-unit-tests.yml	windows-latest	coverageReport
mac.yml (updated)	macos-latest	check coverageReport -x gitSecrets

All workflows trigger on push to main and PRs targeting main, feature/*, fix/*, test/*.

Build config fixes

• Coroutine pool size: Added systemProperty("kotlinx.coroutines.scheduler.core.pool.size", "4") to test JVM args in toolkit-intellij-subplugin.gradle.kts. GHA runners have 2 CPU cores, which starves the IntelliJ Fleet kernel Transactor when kotlinx.coroutines defaults pool size to CPU count.

• Cognito test race condition: Changed verify(cognitoClient, times(1)) to verify(cognitoClient, atLeast(2)) in AwsCognitoCredentialsProviderTest.testGetCredentialsExpired. The NonBlocking prefetch strategy causes additional getCredentialsForIdentity calls on slower CI runners.

Platform-specific notes

• Linux: Requires Xvfb (Xvfb :99) for AWT/Swing display support needed by IntelliJ test framework.
• Windows: Runs coverageReport only (not check), matching the existing CodeBuild buildspec behavior.
• gitSecrets: Skipped via -x gitSecrets on Linux and Mac. The Gradle-downloaded git-secrets script has shell compatibility issues on GHA Ubuntu runners (/bin/sh → dash). GitHub's built-in secret scanning provides equivalent coverage.

Common configuration across all workflows

• JDK 21 Corretto
• Gradle caching via gradle/actions/setup-gradle@v4
• -Dorg.gradle.jvmargs=-Xmx4g
• LOCAL_ENV_RUN=true, CI=true
• fetch-depth: 0
• --continue flag
• Test report artifact upload on failure (14-day retention)
• PR: ci: Add GitHub Actions CI for Linux and Windows, update Mac workflow #34

Checklist

• My code follows the code style of this project
• I have added tests to cover my changes
• A short description of the change has been added to the CHANGELOG if the change is customer-facing in the IDE.
• I have added metrics for my changes (if required)

License

I confirm that my contribution is made under the terms of the Apache 2.0 license.

Generally, the fix is to explicitly define a permissions block in the workflow (at the root or per job) to restrict the GITHUB_TOKEN to the least privileges required. For this specific workflow, the job only checks out code and uploads artifacts, so contents: read is sufficient. No steps modify issues, pull requests, or repository contents.

The best minimal-impact fix is to add a permissions section to the linux-unit-tests job. This keeps the change localized and avoids affecting other workflows or jobs. Concretely, in .github/workflows/linux-unit-tests.yml, within the linux-unit-tests job definition, add:

    permissions:
      contents: read

right after the runs-on: ubuntu-latest line (or anywhere within the job’s top-level keys). No imports or additional methods are needed; this is purely a YAML configuration change. Functionality remains the same, but the GITHUB_TOKEN is now explicitly limited.

In general, the fix is to explicitly declare a permissions: block for the workflow or the specific job, granting only the minimal required scopes. For this job, the steps only read repository contents (for checkout) and interact with the Actions artifact service; they do not need to write to repository contents, issues, or pull requests. The minimal safe configuration is to set contents: read, which is precisely what the CodeQL message suggests as a starting point.

The most direct and non-invasive fix is to add a permissions: block under the windows-unit-tests job, so it only affects this job and does not change behavior for any other jobs that might exist in the workflow file (we are only shown one, but this approach stays conservative). Concretely, in .github/workflows/windows-unit-tests.yml, insert:

    permissions:
      contents: read

between the name: and runs-on: keys for the windows-unit-tests job (around lines 11–12). No new imports or external dependencies are needed, and no existing functionality changes, because GitHub’s standard actions (actions/checkout, actions/setup-java, actions/upload-artifact) all work with read-only contents permissions.

[github-actions]

Qodana for JVM

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

• Register at Qodana Cloud and configure the action
• Use GitHub Code Scanning with Qodana
• Host Qodana report at GitHub Pages
• Inspect and use qodana.sarif.json (see the Qodana SARIF format for details)

To get *.log files or any other Qodana artifacts, run the action with upload-result option set to true,
so that the action will upload the files as the job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2025.1.1
        with:
          upload-result: true

Contact Qodana team

Contact us at qodana-support@jetbrains.com

• Or via our issue tracker: https://jb.gg/qodana-issue
• Or share your feedback: https://jb.gg/qodana-discussions