setup-java v5.5.0: signature verification, Kona JDK, and Maven fixes
The actions/setup-java v5.5.0 release adds cryptographic signature verification for downloaded JDKs, support for a new distribution, and several quality-of-life improvements for Maven users. Here’s what changed since v5.4.0.
- Verify JDK download signatures: Set
verify-signature: trueand the action downloads the detached GPG signature and validates the JDK archive before installing it. Verification is supported today for the Temurin and Microsoft distributions, and enabling it for a distribution that doesn’t support it fails fast rather than silently skipping the check. You can supply your own trusted key withverify-signature-public-key. - New Tencent Kona JDK distribution: The new
konadistribution lets you install Tencent Kona JDK directly. - Install a JDK without making it the default. With
set-default: false, the action leavesJAVA_HOMEandPATHuntouched while still exportingJAVA_HOME__and registering the JDK in Maven toolchains, so a single step can use a specific JDK without disturbing the rest of your workflow. - Auto-detect the distribution from
.sdkmanrc: When you drive your Java version from a.sdkmanrcfile, the action now infers the distribution from the SDKMAN identifier suffix (e.g.,-temresolves to Temurin), so you no longer have to repeat it in thedistributioninput. - Cleaner Maven build logs by default: The action now sets
--no-transfer-progressinMAVEN_ARGSby default for Maven 3.9+ and the Maven Wrapper, giving you quieter logs out of the box. Any existingMAVEN_ARGSvalue is preserved, and you can restore the progress output withshow-download-progress: true. The generatedsettings.xmlalso disables interactive mode so Maven never blocks a CI run waiting on a prompt. - Fixed Maven toolchains no longer grow unexpectedly: Running the action multiple times in a job previously appended duplicate entries to
toolchains.xml. The generated file is now deduplicated by toolchain type and id, and your existing root attributes and non-JDK toolchains are preserved.
The v5.4.0 release shipped without a changelog post, so a few notable additions from that version are worth calling out too:
- The free GraalVM Community distribution (
graalvm-community) - A
javacproblem matcher that surfaces compiler errors and warnings as inline annotations on your pull requests - Maven Wrapper caching when you enable
cache: maven
For reproducible, supply-chain-safe builds, pin the action to the exact v5.5.0 release tag or to its full commit SHA (0f481fcb613427c0f801b606911222b5b6f3083a) for the strongest guarantee, rather than the floating v5 major tag.
For the full list of inputs and examples, see the setup-java advanced usage guide and the v5.5.0 release notes. As always, we welcome feedback and issues in the actions/setup-java repository.