Commit Graph
8 Commits
Author SHA1 Message Date
Bruno BorgesGitHubCopilotCopilot Autofix powered by AIcopilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
6c4d4a5025 feat: suppress Maven transfer progress via MAVEN_ARGS by default (add show-download-progress input) (#1053)
* feat: suppress Maven transfer progress via MAVEN_ARGS by default

Set MAVEN_ARGS to include -ntp (--no-transfer-progress) so Maven invocations
in the job produce cleaner CI logs without download/transfer progress noise.
Add a new optional 'show-download-progress' input (default false); set it to
true to keep the progress output.

The change preserves any existing MAVEN_ARGS value (the flag is appended,
not overwritten) and is idempotent (it won't add the flag twice if -ntp or
--no-transfer-progress is already present). Applies on all platforms; honored
by Maven 3.9.0+ and the Maven Wrapper, and is a no-op for non-Maven builds.

- action.yml: add show-download-progress input
- src/constants.ts: add input + MAVEN_ARGS constants
- src/maven-args.ts: new configureMavenArgs()
- src/setup-java.ts: invoke configureMavenArgs() during setup
- __tests__/maven-args.test.ts: unit tests
- docs/advanced-usage.md: document the behavior and input
- dist: rebuild bundled action

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Update generated dist for Maven args log change

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-07-02 17:12:50 -04:00
623c707d77 chore: enforce pre-PR validation (aggregate scripts, git hooks, PR checklist) (#1061)
* chore: enforce pre-PR validation with aggregate scripts, git hooks, and PR checklist

Add tooling to help contributors run the same checks as CI before
submitting a pull request, reducing avoidable format/lint/build failures.

- Add aggregate npm scripts:
  - `npm run check` runs format-check + lint + build + test (mirrors CI)
  - `npm run fix` runs format + lint:fix + build
- Add husky + lint-staged git hooks (installed via `npm install`):
  - pre-commit formats and lints staged files
  - pre-push rebuilds dist/ and runs the test suite
- Add a checklist item to the PR template prompting contributors to run
  `npm run check` locally
- Document the aggregate scripts and hooks in docs/contributors.md

dist/ is intentionally not auto-committed by CI to avoid pwn-request
security risks; the existing `Check dist/` workflow continues to verify it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-26 08:07:16 +01:00
1bcf9fb12c dist: Address Copilot review suggestions from PR #1042 (GraalVM Community) (#1059)
- installer: surface a clear error when the GraalVM Community releases
  listing is not a JSON array, instead of silently treating an error
  payload (rate limit, auth failure, etc.) as "no releases" which later
  surfaced as a misleading "version not found" error.
- docs: fix the GraalVM Community advanced-usage example to check the
  installed binary versions (java/native-image --version) rather than
  running a non-existent HelloWorldApp classpath that fails when copied.
- tests: cover the new non-array release listing error path.

Rebuilt dist bundle.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-23 13:37:44 -04:00
fa2c6508d1 docs: note jdkfile approach for Early Access / unreleased JDK builds (#1058)
* docs: note jdkfile approach for Early Access / unreleased JDK builds

Clarify in advanced-usage that the existing 'jdkfile' distribution can be
used to install Early Access (EA) or other unreleased JDK builds not
provided directly by setup-java, by downloading the archive in a prior
step and pointing jdkFile at it. Adds a concrete EA example.

Addresses #612.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-23 13:23:45 -04:00
1d25252804 chore: Harden workflows: least-privilege permissions + zizmor integration (#1039)
* Harden workflows with least-privilege permissions and zizmor

Apply GitHub Actions security best practices to the action's own
workflows and integrate zizmor to catch regressions.

- Add explicit least-privilege `permissions:` to every workflow
  (contents: read for read-only workflows; default-deny `{}` with
  job-scoped grants for codeql, publish-immutable-actions and
  update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't
  need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars
  to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a
  `.github/zizmor.yml` pinning policy (ref-pin for actions/* and
  github/*, hash-pin for third-party actions).

zizmor now reports no findings (offline and online).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix indentation of if: in zizmor SARIF upload step

The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.

Indent `if:` to 8 spaces so it nests under the step alongside uses/with.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-23 18:10:17 +01:00
668c1ea991 docs: add post-install keytool import for the JDK cacerts trust store (#1051)
Document how to make the installed JDK trust an internal CA at application
runtime by importing it into $JAVA_HOME/lib/security/cacerts with keytool
after setup-java runs. Clarifies this is the runtime trust layer, distinct
from the download/transport layer (NODE_EXTRA_CA_CERTS), and notes hosted vs
self-hosted persistence caveats.

Refs #640 #1035

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-22 21:59:01 -04:00
a9a46fbe09 docs: document self-signed certificate / internal CA handling for GitHub Enterprise (#1050)
Adds an advanced-usage section explaining the 'self signed certificate in
certificate chain' error seen on GitHub Enterprise Server and behind
TLS-inspecting proxies. Recommends the secure fix of trusting the internal
CA via NODE_EXTRA_CA_CERTS (or the OS trust store on self-hosted runners),
with a GitHub Enterprise callout, and warns against disabling TLS
verification since the JDK download has no checksum fallback.

Refs #640

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-22 21:51:01 -04:00
525097081d Update undici artifacts to 6.27.0 (license cache + dist) (#1040)
* Update undici license cache to 6.27.0

The Licensed check failed because the cached license record for undici
was pinned to 6.24.1 while the installed dependency is 6.27.0, causing
"license: mit, allowed: false" / source enumeration errors.

Regenerate the cached record with `licensed cache` so it matches the
installed version. `licensed status` now reports 0 errors.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Rebuild dist with undici 6.27.0

The committed dist/ bundle was built with undici 6.24.1, but the
lockfile resolves undici 6.27.0. The check-dist workflow rebuilds the
bundle and detected this drift (uncommitted changes after build).

Rebuild dist/setup and dist/cleanup with `npm run build` so the
committed bundle matches the installed undici 6.27.0, aligning with the
license cache update in this PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-22 16:43:17 -04:00