From ae79618f12ec228286a0acc8b3da8433d999b21c Mon Sep 17 00:00:00 2001
From: Jiadong Bai <bobbaicloudwithpants@gmail.com>
Date: Mon, 4 May 2026 20:59:53 -0700
Subject: [PATCH 1/6] feat(build): bump Scala/Java services to Java 17 LTS

Java 11 premier support has ended and the temurin:11-* base images
accumulate fixable critical/high CVEs flagged by Docker Hub. Java 17 is
an active LTS through Sep 2029 and unblocks libraries that already
require 17+.

- bin/*.dockerfile (8 services): build base
  sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 ->
  ...-17.0.5_8_1.9.3_2.13.11; runtime eclipse-temurin:11-{jdk,jre}-jammy
  -> 17-{jdk,jre}-jammy.
- computing-unit-master/worker: add ENV JDK_JAVA_OPTIONS="--add-opens=
  java.base/java.nio=org.apache.arrow.memory.core,ALL-UNNAMED" so Apache
  Arrow's off-heap memory module keeps working under Java 17's strong
  encapsulation.
- .github/workflows/build.yml + build-and-push-images.yml: java-version
  11 -> 17 (matrix and setup-java steps).
- AGENTS.md: toolchain table.

Refs discussion #4001. Closes #4937.
---
 .github/workflows/build-and-push-images.yml   |  6 +++---
 .github/workflows/build.yml                   | 19 ++++++++++++++-----
 .run/ComputingUnitMaster.run.xml              |  3 +++
 .run/ComputingUnitWorker.run.xml              |  3 +++
 AGENTS.md                                     | 10 +++++++++-
 bin/access-control-service.dockerfile         |  4 ++--
 bin/computing-unit-master.dockerfile          |  7 +++++--
 bin/computing-unit-worker.dockerfile          |  7 +++++--
 bin/config-service.dockerfile                 |  4 ++--
 bin/file-service.dockerfile                   |  4 ++--
 bin/texera-web-application.dockerfile         |  4 ++--
 bin/workflow-compiling-service.dockerfile     |  4 ++--
 ...computing-unit-managing-service.dockerfile |  4 ++--
 13 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/build-and-push-images.yml b/.github/workflows/build-and-push-images.yml
index 19534787f8b..ae998c9a9ef 100644
--- a/.github/workflows/build-and-push-images.yml
+++ b/.github/workflows/build-and-push-images.yml
@@ -123,7 +123,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: 11
+          java-version: 17
 
       - name: Setup sbt launcher
         uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
@@ -325,7 +325,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: 11
+          java-version: 17
 
       - name: Setup sbt launcher
         uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
@@ -405,7 +405,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
-          java-version: 11
+          java-version: 17
 
       - name: Setup sbt launcher
         uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 06be31230e8..39538ab1a76 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -144,11 +144,14 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-22.04]
-        java-version: [11]
+        java-version: [17]
     runs-on: ${{ matrix.os }}
     env:
       JAVA_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
       JVM_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
+      # Apache Arrow Java (java.nio) and Ehcache SizeOf (java.lang, java.util)
+      # reflect into java.base; JDK 17 strong encapsulation blocks them without --add-opens.
+      JDK_JAVA_OPTIONS: --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED
     services:
       postgres:
         image: postgres
@@ -175,7 +178,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: 17
       - name: Create Databases
         # Must run before any sbt compile step: the build's JOOQ source
         # generators connect to texera_db while compiling.
@@ -262,11 +265,14 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-22.04]
-        java-version: [11]
+        java-version: [17]
     runs-on: ${{ matrix.os }}
     env:
       JAVA_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
       JVM_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
+      # Apache Arrow Java (java.nio) and Ehcache SizeOf (java.lang, java.util)
+      # reflect into java.base; JDK 17 strong encapsulation blocks them without --add-opens.
+      JDK_JAVA_OPTIONS: --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED
     services:
       postgres:
         image: postgres
@@ -293,7 +299,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: 17
       - name: Setup Python for Scala-Python integration tests
         uses: actions/setup-python@v6
         with:
@@ -370,6 +376,9 @@ jobs:
     env:
       JAVA_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
       JVM_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
+      # Apache Arrow Java (java.nio) and Ehcache SizeOf (java.lang, java.util)
+      # reflect into java.base; JDK 17 strong encapsulation blocks them without --add-opens.
+      JDK_JAVA_OPTIONS: --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED
     services:
       # Each platform service transitively depends on DAO, which runs JOOQ
       # code generation at compile time and needs the live texera schema.
@@ -398,7 +407,7 @@ jobs:
         uses: actions/setup-java@v5
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: 17
       - name: Setup sbt launcher
         uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22
       - uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # v8.1.0
diff --git a/.run/ComputingUnitMaster.run.xml b/.run/ComputingUnitMaster.run.xml
index 5ffffb79e88..094518362bc 100644
--- a/.run/ComputingUnitMaster.run.xml
+++ b/.run/ComputingUnitMaster.run.xml
@@ -21,6 +21,9 @@ under the License.
     <option name="MAIN_CLASS_NAME" value="org.apache.texera.web.ComputingUnitMaster" />
     <module name="texera.amber" />
     <shortenClasspath name="ARGS_FILE" />
+    <envs>
+      <env name="JDK_JAVA_OPTIONS" value="--add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED" />
+    </envs>
     <extension name="coverage">
       <pattern>
         <option name="PATTERN" value="org.apache.texera.web.*" />
diff --git a/.run/ComputingUnitWorker.run.xml b/.run/ComputingUnitWorker.run.xml
index 854da672287..13d3198d640 100644
--- a/.run/ComputingUnitWorker.run.xml
+++ b/.run/ComputingUnitWorker.run.xml
@@ -21,6 +21,9 @@ under the License.
     <option name="MAIN_CLASS_NAME" value="org.apache.texera.web.ComputingUnitWorker" />
     <module name="texera.amber" />
     <shortenClasspath name="ARGS_FILE" />
+    <envs>
+      <env name="JDK_JAVA_OPTIONS" value="--add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED" />
+    </envs>
     <extension name="coverage">
       <pattern>
         <option name="PATTERN" value="org.apache.texera.web.*" />
diff --git a/AGENTS.md b/AGENTS.md
index cb1cd0fdb3a..ab4706a43de 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -66,7 +66,7 @@ merge.
 
 | Component | Version |
 | --- | --- |
-| Java | JDK 11 |
+| Java | JDK 17 |
 | Scala | 2.13 |
 | Python | 3.12 |
 | Node | 24 |
@@ -90,6 +90,14 @@ in [`udf.conf`](common/config/src/main/resources/udf.conf) or
 `export UDF_PYTHON_PATH="$(pwd)/../venv312/bin/python"` (env var overrides).
 Without it, `sbt` Python-integration tests fail to launch a worker.
 
+When running computing-unit master/worker outside their Docker images on
+JDK 17+, also `export JDK_JAVA_OPTIONS="--add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED"`.
+Without it, [Apache Arrow Java](https://arrow.apache.org/java/main/install.html)
+(off-heap `java.nio` access) and Ehcache `SizeOf` used by `Tuple.inMemSize`
+(reflective `java.lang`/`java.util` access) hit `InaccessibleObjectException`
+under JDK 17 strong encapsulation
+(refs [discussion #4001](https://github.com/apache/texera/discussions/4001)).
+
 ### Branch and commit naming
 
 Short, **Conventional Commits**, same shape for branch and commit subject.
diff --git a/bin/access-control-service.dockerfile b/bin/access-control-service.dockerfile
index fac67fb08b0..06b53a1ed99 100644
--- a/bin/access-control-service.dockerfile
+++ b/bin/access-control-service.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -52,7 +52,7 @@ RUN sbt clean AccessControlService/dist
 # Unzip the texera binary
 RUN unzip access-control-service/target/universal/access-control-service-*.zip -d target/
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera
 
diff --git a/bin/computing-unit-master.dockerfile b/bin/computing-unit-master.dockerfile
index 8f2fa2b999e..207a2329f81 100644
--- a/bin/computing-unit-master.dockerfile
+++ b/bin/computing-unit-master.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -64,7 +64,7 @@ RUN python3 bin/licensing/concat_license_binary.py amber/LICENSE-binary-combined
         amber/LICENSE-binary-java \
         amber/LICENSE-binary-python
 
-FROM eclipse-temurin:11-jdk-jammy AS runtime
+FROM eclipse-temurin:17-jdk-jammy AS runtime
 
 WORKDIR /texera/amber
 
@@ -99,6 +99,9 @@ COPY --from=build /texera/amber/LICENSE-binary-combined /texera/LICENSE
 COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE
 COPY --from=build /texera/licenses /texera/licenses
 COPY --from=build /texera/DISCLAIMER /texera/
+
+ENV JDK_JAVA_OPTIONS="--add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED"
+
 CMD ["bin/computing-unit-master"]
 
 EXPOSE 8085
diff --git a/bin/computing-unit-worker.dockerfile b/bin/computing-unit-worker.dockerfile
index c36a5a2698d..10ddf876103 100644
--- a/bin/computing-unit-worker.dockerfile
+++ b/bin/computing-unit-worker.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -64,7 +64,7 @@ RUN python3 bin/licensing/concat_license_binary.py amber/LICENSE-binary-combined
         amber/LICENSE-binary-java \
         amber/LICENSE-binary-python
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera/amber
 
@@ -97,6 +97,9 @@ COPY --from=build /texera/amber/LICENSE-binary-combined /texera/LICENSE
 COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE
 COPY --from=build /texera/licenses /texera/licenses
 COPY --from=build /texera/DISCLAIMER /texera/
+
+ENV JDK_JAVA_OPTIONS="--add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED"
+
 CMD ["bin/computing-unit-worker"]
 
 EXPOSE 8085
\ No newline at end of file
diff --git a/bin/config-service.dockerfile b/bin/config-service.dockerfile
index 251d5fdb8a0..c588a100be4 100644
--- a/bin/config-service.dockerfile
+++ b/bin/config-service.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -52,7 +52,7 @@ RUN sbt clean ConfigService/dist
 # Unzip the texera binary
 RUN unzip config-service/target/universal/config-service-*.zip -d target/
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera
 
diff --git a/bin/file-service.dockerfile b/bin/file-service.dockerfile
index 4decf696127..cdc05ecb90f 100644
--- a/bin/file-service.dockerfile
+++ b/bin/file-service.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -52,7 +52,7 @@ RUN sbt clean FileService/dist
 # Unzip the texera binary
 RUN unzip file-service/target/universal/file-service-*.zip -d target/
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera
 
diff --git a/bin/texera-web-application.dockerfile b/bin/texera-web-application.dockerfile
index f0d8fbdbf9d..7edaea27999 100644
--- a/bin/texera-web-application.dockerfile
+++ b/bin/texera-web-application.dockerfile
@@ -38,7 +38,7 @@ RUN echo "nodeLinker: node-modules" >> /frontend/.yarnrc.yml
 WORKDIR /frontend
 RUN yarn install && yarn run build
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -82,7 +82,7 @@ RUN python3 bin/licensing/concat_license_binary.py amber/LICENSE-binary-combined
         amber/LICENSE-binary-java \
         amber/LICENSE-binary-frontend
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera/amber
 # Copy built frontend files from the build-frontend stage to match FileAssetsBundle path (../../frontend/dist from /texera/amber)
diff --git a/bin/workflow-compiling-service.dockerfile b/bin/workflow-compiling-service.dockerfile
index a2617d7a4bc..fb41dd7ece5 100644
--- a/bin/workflow-compiling-service.dockerfile
+++ b/bin/workflow-compiling-service.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -52,7 +52,7 @@ RUN sbt clean WorkflowCompilingService/dist
 # Unzip the texera binary
 RUN unzip workflow-compiling-service/target/universal/workflow-compiling-service-*.zip -d target/
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera
 
diff --git a/bin/workflow-computing-unit-managing-service.dockerfile b/bin/workflow-computing-unit-managing-service.dockerfile
index 1edb94019a6..6665235b7eb 100644
--- a/bin/workflow-computing-unit-managing-service.dockerfile
+++ b/bin/workflow-computing-unit-managing-service.dockerfile
@@ -24,7 +24,7 @@
 # completeness or stability of the code, it does indicate that the project
 # has yet to be fully endorsed by the ASF.
 
-FROM sbtscala/scala-sbt:eclipse-temurin-jammy-11.0.17_8_1.9.3_2.13.11 AS build
+FROM sbtscala/scala-sbt:eclipse-temurin-jammy-17.0.5_8_1.9.3_2.13.11 AS build
 
 # Set working directory
 WORKDIR /texera
@@ -52,7 +52,7 @@ RUN sbt clean ComputingUnitManagingService/dist
 # Unzip the texera binary
 RUN unzip computing-unit-managing-service/target/universal/computing-unit-managing-service-*.zip -d target/
 
-FROM eclipse-temurin:11-jre-jammy AS runtime
+FROM eclipse-temurin:17-jre-jammy AS runtime
 
 WORKDIR /texera
 

From 17abe7d9fd07d3b1dc8d7273a64238cdfd47bc88 Mon Sep 17 00:00:00 2001
From: Jiadong Bai <bobbaicloudwithpants@gmail.com>
Date: Tue, 5 May 2026 10:16:28 -0700
Subject: [PATCH 2/6] ci(amber): move JDK 17 --add-opens into sbt-side
 JdkOptions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirror Apache Pekko's project/JdkOptions.scala pattern: keep the
required --add-opens flags in one sbt-side place and apply them via
Test / javaOptions on the amber subproject (with Test / fork := true).
This makes `sbt test` work out of the box on JDK 17 — no workflow env
var needed, and local devs running tests on JDK 17 don't need to
remember to export anything.

- project/JdkOptions.scala: 5 opens (4 from Pekko + java.util for
  Ehcache SizeOf used by Tuple.inMemSize).
- amber/build.sbt: Test / fork := true, Test / javaOptions ++=
  JdkOptions.versionSpecificJavaOptions.
- .github/workflows/build.yml: drop JDK_JAVA_OPTIONS env from amber,
  amber-integration, and platform jobs.

Dockerfile ENV and IntelliJ run configs are unchanged — they're not
sbt-driven.
---
 .github/workflows/build.yml |  9 ---------
 amber/build.sbt             |  7 +++++++
 project/JdkOptions.scala    | 40 +++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 project/JdkOptions.scala

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 39538ab1a76..11aacbaa832 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,9 +149,6 @@ jobs:
     env:
       JAVA_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
       JVM_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
-      # Apache Arrow Java (java.nio) and Ehcache SizeOf (java.lang, java.util)
-      # reflect into java.base; JDK 17 strong encapsulation blocks them without --add-opens.
-      JDK_JAVA_OPTIONS: --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED
     services:
       postgres:
         image: postgres
@@ -270,9 +267,6 @@ jobs:
     env:
       JAVA_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
       JVM_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
-      # Apache Arrow Java (java.nio) and Ehcache SizeOf (java.lang, java.util)
-      # reflect into java.base; JDK 17 strong encapsulation blocks them without --add-opens.
-      JDK_JAVA_OPTIONS: --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED
     services:
       postgres:
         image: postgres
@@ -376,9 +370,6 @@ jobs:
     env:
       JAVA_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
       JVM_OPTS: -Xms2048M -Xmx2048M -Xss6M -XX:ReservedCodeCacheSize=256M -Dfile.encoding=UTF-8
-      # Apache Arrow Java (java.nio) and Ehcache SizeOf (java.lang, java.util)
-      # reflect into java.base; JDK 17 strong encapsulation blocks them without --add-opens.
-      JDK_JAVA_OPTIONS: --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED
     services:
       # Each platform service transitively depends on DAO, which runs JOOQ
       # code generation at compile time and needs the live texera schema.
diff --git a/amber/build.sbt b/amber/build.sbt
index 09e4628ab83..6b969733a60 100644
--- a/amber/build.sbt
+++ b/amber/build.sbt
@@ -51,6 +51,13 @@ conflictManager := ConflictManager.latestRevision
 // ensuring no parallel execution of multiple tasks
 concurrentRestrictions in Global += Tags.limit(Tags.Test, 1)
 
+// Fork the test JVM and apply JDK 17+ --add-opens flags. Pekko's
+// dispatcher/mailbox/scheduler reflect into jdk.internal.misc and
+// other internals; without these the actor-system tests deadlock
+// under strong encapsulation. See project/JdkOptions.scala.
+Test / fork := true
+Test / javaOptions ++= JdkOptions.versionSpecificJavaOptions
+
 // add python as an additional source
 Compile / unmanagedSourceDirectories += baseDirectory.value / "src" / "main" / "python"
 
diff --git a/project/JdkOptions.scala b/project/JdkOptions.scala
new file mode 100644
index 00000000000..a0a350b2beb
--- /dev/null
+++ b/project/JdkOptions.scala
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/*
+ * --add-opens flags required to run forked test JVMs under JDK 17+.
+ * Mirrors Apache Pekko's project/JdkOptions.scala
+ * (https://github.com/apache/pekko/blob/main/project/JdkOptions.scala),
+ * with one addition for Ehcache `SizeOf` (used by `Tuple.inMemSize`)
+ * tracked by discussion #4001.
+ */
+object JdkOptions {
+
+  lazy val versionSpecificJavaOptions: List[String] =
+    // Apache Pekko: Agrona UnsafeApi, virtual threads, dispatcher/mailbox primitives
+    "--add-opens=java.base/jdk.internal.misc=ALL-UNNAMED" ::
+    // Apache Pekko: virtual threads. Also Ehcache SizeOf reflection (Tuple.inMemSize).
+    "--add-opens=java.base/java.lang=ALL-UNNAMED" ::
+    // Apache Pekko: Aeron / NIO channel access
+    "--add-opens=java.base/sun.nio.ch=ALL-UNNAMED" ::
+    // Apache Pekko: LevelDB. Also Apache Arrow Java off-heap memory.
+    "--add-opens=java.base/java.nio=ALL-UNNAMED" ::
+    // Ehcache SizeOf reflection (Tuple.inMemSize)
+    "--add-opens=java.base/java.util=ALL-UNNAMED" :: Nil
+}

From 6b307fd295216623b7d864bc5b6775dba5495008 Mon Sep 17 00:00:00 2001
From: Jiadong Bai <bobbaicloudwithpants@gmail.com>
Date: Tue, 5 May 2026 13:24:44 -0700
Subject: [PATCH 3/6] ci(build): apply JDK 17 --add-opens project-wide via
 ThisBuild

The previous commit only set Test / fork + javaOptions in amber's own
build.sbt, but ArrowUtilsSpec lives under common/workflow-core and
common/workflow-operator. When the CI invokes WorkflowCore/jacoco and
WorkflowOperator/jacoco those tests still ran without --add-opens and
failed at MemoryUtil init.

Move the settings to ThisBuild scope in the root build.sbt so every
subproject's test JVM forks with the same flags; drop the now-duplicate
amber/build.sbt block.
---
 amber/build.sbt | 7 -------
 build.sbt       | 9 +++++++++
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/amber/build.sbt b/amber/build.sbt
index 6b969733a60..09e4628ab83 100644
--- a/amber/build.sbt
+++ b/amber/build.sbt
@@ -51,13 +51,6 @@ conflictManager := ConflictManager.latestRevision
 // ensuring no parallel execution of multiple tasks
 concurrentRestrictions in Global += Tags.limit(Tags.Test, 1)
 
-// Fork the test JVM and apply JDK 17+ --add-opens flags. Pekko's
-// dispatcher/mailbox/scheduler reflect into jdk.internal.misc and
-// other internals; without these the actor-system tests deadlock
-// under strong encapsulation. See project/JdkOptions.scala.
-Test / fork := true
-Test / javaOptions ++= JdkOptions.versionSpecificJavaOptions
-
 // add python as an additional source
 Compile / unmanagedSourceDirectories += baseDirectory.value / "src" / "main" / "python"
 
diff --git a/build.sbt b/build.sbt
index e36722313e3..8edc66554ad 100644
--- a/build.sbt
+++ b/build.sbt
@@ -19,6 +19,15 @@ ThisBuild / organization := "org.apache.texera"
 ThisBuild / version      := "1.1.0-incubating"
 ThisBuild / scalaVersion := "2.13.18"
 
+// Fork every subproject's test JVM and apply the JDK 17+ --add-opens
+// flags. Pekko's dispatcher/mailbox/scheduler reflect into
+// jdk.internal.misc and other internals, and Apache Arrow + Ehcache
+// SizeOf reflect into java.nio / java.lang / java.util. Without these
+// the actor-system and Arrow-using tests fail under JDK 17 strong
+// encapsulation. See project/JdkOptions.scala.
+ThisBuild / Test / fork := true
+ThisBuild / Test / javaOptions ++= JdkOptions.versionSpecificJavaOptions
+
 // sbt-jacoco emits only HTML by default; add XML so Codecov can consume
 // per-module jacoco.xml at target/scala-2.13/jacoco/report/jacoco.xml.
 // JacocoPlugin defines a project-scoped default that overrides ThisBuild,

From 706b29dbdbcb7f2d7b37a8c9cf21bf7dec1e539b Mon Sep 17 00:00:00 2001
From: Jiadong Bai <bobbaicloudwithpants@gmail.com>
Date: Tue, 5 May 2026 16:47:17 -0700
Subject: [PATCH 4/6] ci(build): pin forked test JVM CWD to build root

Forking changed the test JVM's CWD to the subproject directory, so
tests reading repo-root-relative paths (e.g. MockTexeraDB ->
sql/texera_ddl.sql) failed with NoSuchFileException. Set
ThisBuild / Test / baseDirectory back to the build root.
---
 build.sbt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/build.sbt b/build.sbt
index 8edc66554ad..a8318ee83fc 100644
--- a/build.sbt
+++ b/build.sbt
@@ -25,8 +25,14 @@ ThisBuild / scalaVersion := "2.13.18"
 // SizeOf reflect into java.nio / java.lang / java.util. Without these
 // the actor-system and Arrow-using tests fail under JDK 17 strong
 // encapsulation. See project/JdkOptions.scala.
+//
+// Pin the forked test JVM's working directory to the build root so
+// tests that read repo-root-relative paths (e.g. `sql/texera_ddl.sql`
+// from MockTexeraDB) keep working. Without this, sbt defaults the
+// forked JVM's CWD to the subproject directory.
 ThisBuild / Test / fork := true
 ThisBuild / Test / javaOptions ++= JdkOptions.versionSpecificJavaOptions
+ThisBuild / Test / baseDirectory := (ThisBuild / baseDirectory).value
 
 // sbt-jacoco emits only HTML by default; add XML so Codecov can consume
 // per-module jacoco.xml at target/scala-2.13/jacoco/report/jacoco.xml.

From d24012d565791dbd0a2077d469a8b924149e1ac0 Mon Sep 17 00:00:00 2001
From: Jiadong Bai <bobbaicloudwithpants@gmail.com>
Date: Tue, 5 May 2026 16:58:02 -0700
Subject: [PATCH 5/6] ci(build): use .jvmopts instead of forked-test
 javaOptions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Earlier commits introduced Test / fork := true and a JdkOptions plugin
to inject JDK 17 --add-opens flags. Forking changed the test JVM's
CWD to each subproject directory, which broke tests that read
repo-root-relative paths (sql/texera_ddl.sql from MockTexeraDB), and
required a baseDirectory pin to fix.

Replace all of that with a single .jvmopts at the repo root: sbt's
launcher reads it and applies the flags to sbt's own JVM startup. With
Test / fork at its default (false), tests run in sbt's JVM and inherit
the flags — no fork overhead, no CWD change, no baseDirectory pin, no
sbt plugin file.

Drops:
  - project/JdkOptions.scala
  - ThisBuild / Test / fork := true
  - ThisBuild / Test / javaOptions ++= ...
  - ThisBuild / Test / baseDirectory := ...

Adds:
  - .jvmopts (5 --add-opens lines, attribution comments)
---
 .jvmopts                 | 18 ++++++++++++++++++
 build.sbt                | 15 ---------------
 project/JdkOptions.scala | 40 ----------------------------------------
 3 files changed, 18 insertions(+), 55 deletions(-)
 create mode 100644 .jvmopts
 delete mode 100644 project/JdkOptions.scala

diff --git a/.jvmopts b/.jvmopts
new file mode 100644
index 00000000000..dc2851da70a
--- /dev/null
+++ b/.jvmopts
@@ -0,0 +1,18 @@
+# JVM options for sbt's launcher script. Read by `sbt` from the build
+# root and applied to sbt's own JVM (which also runs the tests when
+# Test / fork := false, the default for this project).
+#
+# JDK 17+ --add-opens flags required by:
+#   - Apache Pekko (dispatcher / mailbox / scheduler use sun.misc.Unsafe
+#     via jdk.internal.misc, plus java.lang for virtual threads and
+#     sun.nio.ch for Aeron / NIO channels).
+#     https://github.com/apache/pekko/blob/main/project/JdkOptions.scala
+#   - Apache Arrow Java off-heap memory (java.nio).
+#     https://arrow.apache.org/java/main/install.html
+#   - Ehcache SizeOf reflection used by Tuple.inMemSize (java.lang +
+#     java.util). Refs discussion #4001.
+--add-opens=java.base/jdk.internal.misc=ALL-UNNAMED
+--add-opens=java.base/java.lang=ALL-UNNAMED
+--add-opens=java.base/sun.nio.ch=ALL-UNNAMED
+--add-opens=java.base/java.nio=ALL-UNNAMED
+--add-opens=java.base/java.util=ALL-UNNAMED
diff --git a/build.sbt b/build.sbt
index a8318ee83fc..e36722313e3 100644
--- a/build.sbt
+++ b/build.sbt
@@ -19,21 +19,6 @@ ThisBuild / organization := "org.apache.texera"
 ThisBuild / version      := "1.1.0-incubating"
 ThisBuild / scalaVersion := "2.13.18"
 
-// Fork every subproject's test JVM and apply the JDK 17+ --add-opens
-// flags. Pekko's dispatcher/mailbox/scheduler reflect into
-// jdk.internal.misc and other internals, and Apache Arrow + Ehcache
-// SizeOf reflect into java.nio / java.lang / java.util. Without these
-// the actor-system and Arrow-using tests fail under JDK 17 strong
-// encapsulation. See project/JdkOptions.scala.
-//
-// Pin the forked test JVM's working directory to the build root so
-// tests that read repo-root-relative paths (e.g. `sql/texera_ddl.sql`
-// from MockTexeraDB) keep working. Without this, sbt defaults the
-// forked JVM's CWD to the subproject directory.
-ThisBuild / Test / fork := true
-ThisBuild / Test / javaOptions ++= JdkOptions.versionSpecificJavaOptions
-ThisBuild / Test / baseDirectory := (ThisBuild / baseDirectory).value
-
 // sbt-jacoco emits only HTML by default; add XML so Codecov can consume
 // per-module jacoco.xml at target/scala-2.13/jacoco/report/jacoco.xml.
 // JacocoPlugin defines a project-scoped default that overrides ThisBuild,
diff --git a/project/JdkOptions.scala b/project/JdkOptions.scala
deleted file mode 100644
index a0a350b2beb..00000000000
--- a/project/JdkOptions.scala
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/*
- * --add-opens flags required to run forked test JVMs under JDK 17+.
- * Mirrors Apache Pekko's project/JdkOptions.scala
- * (https://github.com/apache/pekko/blob/main/project/JdkOptions.scala),
- * with one addition for Ehcache `SizeOf` (used by `Tuple.inMemSize`)
- * tracked by discussion #4001.
- */
-object JdkOptions {
-
-  lazy val versionSpecificJavaOptions: List[String] =
-    // Apache Pekko: Agrona UnsafeApi, virtual threads, dispatcher/mailbox primitives
-    "--add-opens=java.base/jdk.internal.misc=ALL-UNNAMED" ::
-    // Apache Pekko: virtual threads. Also Ehcache SizeOf reflection (Tuple.inMemSize).
-    "--add-opens=java.base/java.lang=ALL-UNNAMED" ::
-    // Apache Pekko: Aeron / NIO channel access
-    "--add-opens=java.base/sun.nio.ch=ALL-UNNAMED" ::
-    // Apache Pekko: LevelDB. Also Apache Arrow Java off-heap memory.
-    "--add-opens=java.base/java.nio=ALL-UNNAMED" ::
-    // Ehcache SizeOf reflection (Tuple.inMemSize)
-    "--add-opens=java.base/java.util=ALL-UNNAMED" :: Nil
-}

From 8d74587e7b7f9a97342955be46dca2b26b04beba Mon Sep 17 00:00:00 2001
From: Jiadong Bai <bobbaicloudwithpants@gmail.com>
Date: Tue, 5 May 2026 23:44:59 -0700
Subject: [PATCH 6/6] add asf header

---
 .jvmopts | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.jvmopts b/.jvmopts
index dc2851da70a..d27383a1a86 100644
--- a/.jvmopts
+++ b/.jvmopts
@@ -1,3 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
 # JVM options for sbt's launcher script. Read by `sbt` from the build
 # root and applied to sbt's own JVM (which also runs the tests when
 # Test / fork := false, the default for this project).