setup-java v5.5.0: signature verification, Kona JDK, and Maven fixes
This release of actions/setup-java adds cryptographic signature verification for downloaded JDKs, support for Tencent Kona JDK, and several quality-of-life improvements for Maven users. Signature verification enhances build security by validating JDK archives before installation. The changes impact developers using the setup-java action, particularly those prioritizing build integrity and streamlined Maven workflows. Version 5.5.0 is now available, with specific fixes and features noted from previous versions as well.
- →Add cryptographic signature verification for JDK downloads
- →Support for Tencent Kona JDK distribution
- →Install JDK without setting it as default
- →Auto-detect JDK distribution from .sdkmanrc
- →Cleaner Maven build logs by default
Features (3) ›
- Add cryptographic signature verification for JDK downloads
The action now supports verifying downloaded JDK signatures using GPG. This feature, enabled by `verify-signature: true`, validates the JDK archive before installation and is supported for Temurin and Microsoft distributions. Users can also supply their own trusted key via `verify-signature-public-key`.
- Support for Tencent Kona JDK distribution
Users can now install Tencent Kona JDK directly using the new `konadistribution` option. This expands the range of available JDK distributions supported by the action.
- Install JDK without setting it as default
A new `set-default: false` input allows installing a JDK while leaving `JAVA_HOME` and `PATH` untouched. The JDK is still exported and registered in Maven toolchains, enabling specific JDK usage without altering the global environment.
Enhancements (2) ›
- Auto-detect JDK distribution from .sdkmanrc
When using a `.sdkmanrc` file to manage Java versions, the action now infers the JDK distribution from the SDKMAN identifier suffix. This removes the need to specify the distribution separately in the `distribution` input.
- Cleaner Maven build logs by default
For Maven 3.9+ and the Maven Wrapper, the action sets `--no-transfer-progress` in `MAVEN_ARGS` by default, resulting in quieter build logs. The interactive mode for Maven is also disabled by default in the generated `settings.xml` to prevent CI runs from blocking.
Fixes (1) ›
- Fix unexpected growth of Maven toolchains entries
A previous issue where running the action multiple times caused duplicate entries in `toolchains.xml` has been resolved. The generated file is now deduplicated by toolchain type and ID, preserving existing root attributes and non-JDK toolchains.
https://github.blog/changelog/2026-07-08-setup-java-v5-5-0-signature-verification-kona-jdk-and-maven-fixes