cicd/setup-java
1
0
Fork 0
mirror of https://github.com/actions/setup-java.git synced 2026-06-24 00:30:28 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
1bcf9fb12cf4aa7d266a90ae39939e61372fe520
setup-java/.github/workflows/e2e-versions.yml
T
Bruno Borges 1d25252804 chore: Harden workflows: least-privilege permissions + zizmor integration (#1039) 
* Harden workflows with least-privilege permissions and zizmor

Apply GitHub Actions security best practices to the action's own
workflows and integrate zizmor to catch regressions.

- Add explicit least-privilege `permissions:` to every workflow
  (contents: read for read-only workflows; default-deny `{}` with
  job-scoped grants for codeql, publish-immutable-actions and
  update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't
  need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars
  to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a
  `.github/zizmor.yml` pinning policy (ref-pin for actions/* and
  github/*, hash-pin for third-party actions).

zizmor now reports no findings (offline and online).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix indentation of if: in zizmor SARIF upload step

The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.

Indent `if:` to 8 spaces so it nests under the step alongside uses/with.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-23 18:10:17 +01:00

615 lines
19 KiB
YAML
Raw Blame History

name: Validate Java e2e
on:
push:
branches:
- main
- releases/*
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
schedule:
- cron: '0 */12 * * *'
workflow_dispatch:
permissions:
contents: read
jobs:
setup-java-major-versions:
name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-15-intel, windows-latest, ubuntu-latest]
distribution: [
'temurin',
'adopt',
'adopt-openj9',
'zulu',
'liberica',
'microsoft',
'semeru',
'corretto',
'dragonwell',
'sapmachine',
'jetbrains'
] # internally 'adopt-hotspot' is the same as 'adopt'
version: ['21', '11', '17']
exclude:
- distribution: microsoft
version: 8
- distribution: dragonwell
os: macos-15-intel
include:
- distribution: microsoft
os: windows-latest
version: 25
- distribution: microsoft
os: ubuntu-latest
version: 25
- distribution: microsoft
os: macos-latest
version: 25
- distribution: oracle
os: macos-15-intel
version: 17
- distribution: oracle
os: windows-latest
version: 21
- distribution: oracle
os: ubuntu-latest
version: 21
- distribution: graalvm
os: macos-latest
version: 17.0.12
- distribution: graalvm
os: windows-latest
version: 21
- distribution: graalvm
os: ubuntu-latest
version: 21
- distribution: graalvm
os: ubuntu-latest
version: '24-ea'
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: ${{ matrix.distribution }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-alpine-linux:
name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - alpine-linux - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
container:
image: alpine:3.21
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest]
distribution: ['temurin', 'sapmachine']
version: ['21', '17']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: Install bash
run: apk add --no-cache bash
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: ${{ matrix.distribution }}
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-major-minor-versions:
name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
needs: setup-java-major-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution: ['temurin', 'zulu', 'liberica']
version:
- '11.0'
- '21.0'
- '17.0.7+7'
include:
- distribution: oracle
os: ubuntu-latest
version: '21.0.4'
- distribution: graalvm
os: ubuntu-latest
version: '21.0.4'
- distribution: dragonwell
os: ubuntu-latest
version: '11.0'
- distribution: dragonwell
os: ubuntu-latest
version: '11.0.13+9'
- distribution: sapmachine
os: ubuntu-latest
version: '17.0.7'
- distribution: jetbrains
os: ubuntu-latest
version: '11.0.11'
- distribution: jetbrains
os: ubuntu-latest
version: '17.0.7'
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: ${{ matrix.distribution }}
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-check-latest:
name: ${{ matrix.distribution }} ${{ matrix.version }} - check-latest flag - ${{ matrix.os }}
needs: setup-java-major-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution:
[
'temurin',
'zulu',
'liberica',
'dragonwell',
'sapmachine',
'jetbrains'
]
exclude:
- distribution: dragonwell
os: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version: 11
check-latest: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java
env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11" "$JAVA_PATH"
shell: bash
setup-java-multiple-jdks:
name: ${{ matrix.distribution }} ${{ matrix.version }} - multiple jdks - ${{ matrix.os }}
needs: setup-java-major-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution:
[
'temurin',
'zulu',
'liberica',
'dragonwell',
'sapmachine',
'jetbrains'
]
exclude:
- distribution: dragonwell
os: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version: |
11
17
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java env variables
run: |
$versionsArr = "11","17"
foreach ($version in $versionsArr)
{
$envName = "JAVA_HOME_${version}_${env:RUNNER_ARCH}"
$JavaVersionPath = [Environment]::GetEnvironmentVariable($envName)
if (-not (Test-Path "$JavaVersionPath")) {
Write-Host "$envName is not found"
exit 1
}
}
shell: pwsh
- name: Verify Java
env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "17" "$JAVA_PATH"
shell: bash
setup-java-ea-versions-zulu:
name: zulu ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
needs: setup-java-major-minor-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-15-intel, windows-latest, ubuntu-latest]
version: ['17-ea', '15.0.0-ea.14']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: zulu
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-ea-versions-temurin:
name: temurin ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
needs: setup-java-major-minor-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
version: ['17-ea']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: temurin
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-ea-versions-sapmachine:
name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
needs: setup-java-major-minor-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
version: ['17-ea', '21-ea']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: sapmachine
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-custom-package-type:
name: ${{ matrix.distribution }} ${{ matrix.version }} (${{ matrix.java-package }}-x64) - ${{ matrix.os }}
needs: setup-java-major-minor-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-15-intel, windows-latest, ubuntu-latest]
distribution:
['temurin', 'zulu', 'liberica', 'semeru', 'sapmachine', 'jetbrains']
java-package: ['jre']
version: ['17.0']
include:
- distribution: 'zulu'
java-package: jre+fx
version: '21'
os: ubuntu-latest
- distribution: 'zulu'
java-package: jdk+fx
version: '21.0'
os: ubuntu-latest
- distribution: 'liberica'
java-package: jdk+fx
version: '21'
os: ubuntu-latest
- distribution: 'liberica'
java-package: jre+fx
version: '11'
os: ubuntu-latest
- distribution: 'corretto'
java-package: jre
version: '8'
os: windows-latest
- distribution: 'jetbrains'
java-package: jdk+jcef
version: '11'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jdk+jcef
version: '17'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jdk+jcef
version: '21'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jre+jcef
version: '11'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jre+jcef
version: '17'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jre+jcef
version: '21'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jdk+ft
version: '17'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jdk+ft
version: '21'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jre+ft
version: '17'
os: ubuntu-latest
- distribution: 'jetbrains'
java-package: jre+ft
version: '21'
os: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
java-package: ${{ matrix.java-package }}
distribution: ${{ matrix.distribution }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
# Only Liberica and Zulu provide x86
setup-java-x86:
name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-${{ matrix.architecture }}) - ${{ matrix.os }}
needs: setup-java-major-minor-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
# x86 is not supported on macOS
os: [windows-latest, ubuntu-22.04]
distribution: ['liberica', 'zulu', 'corretto']
version: ['11']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version: ${{ matrix.version }}
architecture: 'x86'
- name: Verify Java
env:
JAVA_VERSION: ${{ matrix.version }}
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH"
shell: bash
setup-java-version-both-version-inputs-presents:
name: ${{ matrix.distribution }} version (should be from input) - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution: ['temurin', 'microsoft', 'corretto']
java-version-file: ['.java-version', '.tool-versions']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file
shell: bash
run: echo "17" > .java-version
- name: Create .tool-versions file
shell: bash
run: echo "java 17" > .tool-versions
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version: 11
java-version-file: ${{matrix.java-version-file }}
- name: Verify Java
env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11" "$JAVA_PATH"
shell: bash
setup-java-version-from-file-major-notation:
name: ${{ matrix.distribution }} version from file X - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution: ['temurin', 'zulu', 'liberica', 'microsoft', 'corretto']
java-version-file: ['.java-version', '.tool-versions']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file
shell: bash
run: echo "11" > .java-version
- name: Create .tool-versions file
shell: bash
run: echo "java 11" > .tool-versions
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version-file: ${{matrix.java-version-file }}
- name: Verify Java
env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "11" "$JAVA_PATH"
shell: bash
setup-java-version-from-file-major-minor-patch-notation:
name: ${{ matrix.distribution }} version from file X.Y.Z - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution: ['adopt', 'adopt-openj9', 'zulu']
java-version-file: ['.java-version', '.tool-versions']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file
shell: bash
run: echo "17.0.10" > .java-version
- name: Create .tool-versions file
shell: bash
run: echo "java 17.0.10" > .tool-versions
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version-file: ${{matrix.java-version-file }}
- name: Verify Java
env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "17.0.10" "$JAVA_PATH"
shell: bash
setup-java-version-from-file-major-minor-patch-with-dist:
name: ${{ matrix.distribution }} version from file '${{ matrix.java-version-file }}' - ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
distribution: ['adopt', 'zulu', 'liberica']
java-version-file: ['.java-version', '.tool-versions', '.sdkmanrc']
steps:
- name: Checkout
uses: actions/checkout@v7
with:
persist-credentials: false
- name: Create .java-version file
shell: bash
run: echo "openjdk64-17.0.10" > .java-version
- name: Create .tool-versions file
shell: bash
run: echo "java openjdk64-17.0.10" > .tool-versions
- name: Create .sdkmanrc file
shell: bash
run: echo "java=17.0.10-tem" > .sdkmanrc
- name: setup-java
uses: ./
id: setup-java
with:
distribution: ${{ matrix.distribution }}
java-version-file: ${{matrix.java-version-file }}
- name: Verify Java
env:
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
run: bash __tests__/verify-java.sh "17.0.10" "$JAVA_PATH"
shell: bash
Reference in New Issue View Git Blame Copy Permalink