* Harden workflows with least-privilege permissions and zizmor
Apply GitHub Actions security best practices to the action's own
workflows and integrate zizmor to catch regressions.
- Add explicit least-privilege `permissions:` to every workflow
(contents: read for read-only workflows; default-deny `{}` with
job-scoped grants for codeql, publish-immutable-actions and
update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't
need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars
to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a
`.github/zizmor.yml` pinning policy (ref-pin for actions/* and
github/*, hash-pin for third-party actions).
zizmor now reports no findings (offline and online).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Fix indentation of if: in zizmor SARIF upload step
The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.
Indent `if:` to 8 spaces so it nests under the step alongside uses/with.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
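The hardening items listed in the first commit above, shown together in one workflow. This is an added example, not a file from this repository or its authors; the workflow name, job name, step name and the `PR_TITLE` variable are hypothetical.

```yaml
# Constructed workflow for illustration; not taken from the repository.
name: example-hardened
on:
  pull_request:

# Default-deny at the workflow level; each job grants only what it needs.
permissions: {}

jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read # read-only job: enough to check out the code
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in the local git config, since
          # no later step needs to push or fetch with it.
          persist-credentials: false

      # Before (template injection risk): the expression is expanded into
      # the script text before the shell starts, so an attacker-controlled
      # value is parsed as shell syntax.
      #
      #   - run: |
      #       echo "${{ github.event.pull_request.title }}"

      # After: the expression is evaluated into an environment variable and
      # the script only ever sees it as data.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf '%s\n' "$PR_TITLE"
```

The variable must stay quoted in the script; an unquoted `$PR_TITLE` would still be subject to word splitting and globbing.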
* chore(e2e-versions): Add e2e test scenario on `setup-java-version-from-file-major-minor-patch-with-dist` for `.sdkmanrc`
* chore(e2e-versions): Update `setup-java-version-from-file-major-minor-patch-with-dist` test to include the file name of the java-version-file that is used
* feat: Add support for `.sdkmanrc` as *Java Version File*
* chore: Add test for the latest known sdkman java versions
* docs(advanced-usage): Document support for `.sdkmanrc` as java-version-file
* chore(docs): Anyone can contribute and maintain 🤷
* Update advanced-usage.md
Add example step/file for `.sdkmanrc`
* Update advanced-usage.md
* Update util.ts
* chore: format and rebuild
* chore: untouch toolchains.ts
* fix check dist error
---------
Co-authored-by: mahabaleshwars <147705296+mahabaleshwars@users.noreply.github.com>
* added support for tool version file
* testing with one regex
* working regex
* Checked for the file extension
* added e2e checks for tool version
* removed error warning
* updated regex to support early version
* updated regex for early version support
* updated regex for early version
* updated regex to accept early versions
* added coreinfo to analyze
* updated the regex
* updated regex
* new regex for early version
* updated regex to match the new version file format
* new regex
* changed the regex
* regex updated
* used java version regex
* regex updated
* regex modified
* regex updated
* regex updated
* regex updated
* updated regex to support early versions
* Regex updated to support all java versions
* Documentation updated to add tool version description
* Documentation updated for the tool version file
* update the advanced doc and readme file to specify tool version changes
* feat: bump to use node20 runtime, actions/checkout to v4
* docs: update version of setup-java in documentation and e2e tests
---------
Co-authored-by: Ivan Zosimov <ivanzosimov@github.com>
* Add microsoft distribution of the JDK.
* Fix formatting to match prettier.
* Rebuild js.
* Fix archive suffix for Windows.
* Update src/distributions/microsoft/installer.ts
Co-authored-by: Brian Cristante <33549821+brcrista@users.noreply.github.com>
* Update src/distributions/microsoft/installer.ts
Co-authored-by: Brian Cristante <33549821+brcrista@users.noreply.github.com>
* Add support for the microsoft distribution.
* revert lockfile changes
* npm run format
* fix e2e-versions.yml
* eliminate duplication in version numbers
* Fix test
Co-authored-by: Brendan Burns <brendan.d.burns@gmail.com>
Co-authored-by: Brian Cristante <33549821+brcrista@users.noreply.github.com>
* Add support for Adoptium OpenJDK
Refs https://github.com/actions/setup-java/issues/191
* Rename distribution to Eclipse Temurin
* Update end-to-end tests in GitHub workflows
* Exclude e2e tests for Temurin JREs for now
* fix version
* Update e2e-versions.yml
* Handle Eclipse Temurin version suffixes ("beta")
* Add test for new version suffix "beta"
* Add updated `index.js`
* fix an issue
Co-authored-by: Maxim Lobanov <maxim-lobanov@github.com>