github GitHub Changelog · · 5.5.0

setup-java v5.5.0: signature verification, Kona JDK, and Maven fixes

feature patch

This release of actions/setup-java adds cryptographic signature verification for downloaded JDKs, support for Tencent Kona JDK, and several quality-of-life improvements for Maven users. Signature verification enhances build security by validating JDK archives before installation. The changes impact developers using the setup-java action, particularly those prioritizing build integrity and streamlined Maven workflows. Version 5.5.0 is now available, with specific fixes and features noted from previous versions as well.

  • Add cryptographic signature verification for JDK downloads
  • Support for Tencent Kona JDK distribution
  • Install JDK without setting it as default
  • Auto-detect JDK distribution from .sdkmanrc
  • Cleaner Maven build logs by default
Features (3)
  • Add cryptographic signature verification for JDK downloads

    The action now supports verifying downloaded JDK signatures using GPG. This feature, enabled by `verify-signature: true`, validates the JDK archive before installation and is supported for Temurin and Microsoft distributions. Users can also supply their own trusted key via `verify-signature-public-key`.

  • Support for Tencent Kona JDK distribution

    Users can now install Tencent Kona JDK directly using the new `konadistribution` option. This expands the range of available JDK distributions supported by the action.

  • Install JDK without setting it as default

    A new `set-default: false` input allows installing a JDK while leaving `JAVA_HOME` and `PATH` untouched. The JDK is still exported and registered in Maven toolchains, enabling specific JDK usage without altering the global environment.

Enhancements (2)
  • Auto-detect JDK distribution from .sdkmanrc

    When using a `.sdkmanrc` file to manage Java versions, the action now infers the JDK distribution from the SDKMAN identifier suffix. This removes the need to specify the distribution separately in the `distribution` input.

  • Cleaner Maven build logs by default

    For Maven 3.9+ and the Maven Wrapper, the action sets `--no-transfer-progress` in `MAVEN_ARGS` by default, resulting in quieter build logs. The interactive mode for Maven is also disabled by default in the generated `settings.xml` to prevent CI runs from blocking.

Fixes (1)
  • Fix unexpected growth of Maven toolchains entries

    A previous issue where running the action multiple times caused duplicate entries in `toolchains.xml` has been resolved. The generated file is now deduplicated by toolchain type and ID, preserving existing root attributes and non-JDK toolchains.

Read the original announcement →

https://github.blog/changelog/2026-07-08-setup-java-v5-5-0-signature-verification-kona-jdk-and-maven-fixes