Move to JDK 25 for build only #1709
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
⛔ Files ignored due to path filters (1)
📒 Files selected for processing (13)
✅ Files skipped from review due to trivial changes (7)
🚧 Files skipped from review as they are similar to previous changes (5)

📝 Walkthrough
Upgrades the project build toolchain to Java 25 and Gradle 9.6: configures git line-ending normalization, regenerates wrapper scripts (

Changes
- Build infrastructure upgrade (Java 25 / Gradle 9.6)
- Java source formatting via googleJavaFormat 1.35.0

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🧹 Nitpick comments (3)
.github/workflows/gradle.yml (1)
33-33: ⚡ Quick win: Consider pinning the GitHub Action to a commit hash.
The `actions/setup-java@v5` reference uses a tag rather than a commit hash. Pinning to a specific commit SHA provides better security and reproducibility by preventing tag manipulation.
🔒 Example of pinning to a commit hash:
- - name: Setup java 25 for building - uses: actions/setup-java@v5 + - name: Setup java 25 for building + uses: actions/setup-java@v5 # v5.2.0 + # uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061bNote: Replace the commit hash with the actual SHA for the v5 release you intend to use.
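Review bot: as written, the active `+ uses: actions/setup-java@v5 # v5.2.0` line still references the mutable `v5` tag, and the only SHA-pinned form (`+ # uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b`) is commented out, so applying this example as shown changes nothing about supply-chain integrity. The live `uses:` line should carry the full 40-character SHA with the tag kept only as a trailing comment, and since the note says the hash is a placeholder, it must be replaced with the commit the intended v5 release actually resolves to before use.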
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/gradle.yml at line 33, Replace the tag reference in the `actions/setup-java@v5` action with a specific commit SHA hash instead of using the version tag. Find the uses statement that references `actions/setup-java@v5` and change it to pin to a full commit hash (the SHA of the v5 release). This improves security and reproducibility by preventing potential tag manipulation. You can find the correct commit SHA from the official actions/setup-java releases on GitHub.
Source: Linters/SAST tools
build.gradle (1)
52-52: Version `2.22` is valid but consider using `2.22.0` for consistency.
Maven Central confirms that `jackson-annotations:2.22` is a valid release version and will resolve correctly. However, using the explicit patch version `2.22.0` would match the version specifiers used for `jackson-core` and `jackson-databind`, improving consistency across Jackson dependencies.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@build.gradle` at line 52, The jackson-annotations dependency in build.gradle uses version 2.22 without an explicit patch version, which is inconsistent with the other Jackson dependencies that use the format X.Y.Z. Update the version of the jackson-annotations dependency from 2.22 to 2.22.0 to maintain consistency across all Jackson dependency declarations in the build file.
gradle/wrapper/gradle-wrapper.properties (1)
5-6: Reconfigure retry settings to enable download resilience.
The current configuration sets `retryBackOffMs=500` while `retries=0`, which disables retries entirely. This means the backoff setting is unused. If download reliability is desired, enable retries by setting `retries` to a positive value (e.g., `retries=3`). When `retries=0` (the default), the wrapper makes only a single download attempt.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@gradle/wrapper/gradle-wrapper.properties` around lines 5 - 6, The gradle-wrapper.properties file has retry functionality disabled with `retries=0`, which renders the `retryBackOffMs=500` setting ineffective since no retries are attempted. To enable download resilience, change the `retries` parameter from its current value of 0 to a positive integer such as 3. This will activate the retry mechanism and ensure that the `retryBackOffMs` backoff timing is actually used when download failures occur.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 6779d061-7d12-40d4-84d0-3f79a302b1de
⛔ Files ignored due to path filters (1)
- gradle/wrapper/gradle-wrapper.jar is excluded by !**/*.jar
📒 Files selected for processing (11)
- .github/workflows/gradle.yml
- adminapi/src/main/java/io/minio/admin/MinioAdminClient.java
- api/src/main/java/io/minio/Checksum.java
- api/src/main/java/io/minio/PartReader.java
- api/src/main/java/io/minio/errors/MinioException.java
- build.gradle
- functional/TestMinioClient.java
- gradle/wrapper/gradle-wrapper.properties
- gradlew
- gradlew.bat
- spotbugs-filter.xml
Force-pushed: 9b40df5 to bfc1340
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/gradle.yml:
- Line 33: The actions/setup-java action on line 33 uses the mutable tag `@v5`
which weakens supply-chain integrity. Replace `@v5` with a full immutable commit
SHA (e.g., `@abc1234def5678`...) to pin the action to a specific version and
ensure CI/CD security. You can find the appropriate commit SHA by checking the
GitHub releases page for the actions/setup-java repository.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 31abcdd3-5661-4c8e-b6e4-7066f91dea0d
⛔ Files ignored due to path filters (1)
- gradle/wrapper/gradle-wrapper.jar is excluded by !**/*.jar
📒 Files selected for processing (12)
- .gitattributes
- .github/workflows/gradle.yml
- adminapi/src/main/java/io/minio/admin/MinioAdminClient.java
- api/src/main/java/io/minio/Checksum.java
- api/src/main/java/io/minio/PartReader.java
- api/src/main/java/io/minio/errors/MinioException.java
- build.gradle
- functional/TestMinioClient.java
- gradle/wrapper/gradle-wrapper.properties
- gradlew
- gradlew.bat
- spotbugs-filter.xml
✅ Files skipped from review due to trivial changes (6)
- .gitattributes
- api/src/main/java/io/minio/Checksum.java
- adminapi/src/main/java/io/minio/admin/MinioAdminClient.java
- api/src/main/java/io/minio/errors/MinioException.java
- functional/TestMinioClient.java
- api/src/main/java/io/minio/PartReader.java
🚧 Files skipped from review as they are similar to previous changes (5)
- spotbugs-filter.xml
- gradle/wrapper/gradle-wrapper.properties
- gradlew.bat
- gradlew
- build.gradle
.github/workflows/gradle.yml (diff context at line 33)
- name: Setup java 17 for building
- name: Setup java 25 for building
uses: actions/setup-java@v5
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all workflow actions are pinned to SHAs (read-only check)
rg -n --glob ".github/workflows/*.yml" '^\s*uses:\s*[^@]+@[^0-9a-fA-F]'
Repository: minio/minio-java
Length of output: 209
🏁 Script executed:
#!/bin/bash
# First, find workflow files in the repository
find . -type f -name "*.yml" -o -name "*.yaml" | grep -E "\.github/workflows" | head -20
Repository: minio/minio-java
Length of output: 131
🏁 Script executed:
#!/bin/bash
# List contents of .github/workflows directory
if [ -d ".github/workflows" ]; then
    ls -la .github/workflows/
else
    echo "Directory does not exist"
    find . -type d -name "workflows" 2>/dev/null
fi
Repository: minio/minio-java
Length of output: 301
🏁 Script executed:
#!/bin/bash
# If gradle.yml exists, read it to check line 33
if [ -f ".github/workflows/gradle.yml" ]; then
    sed -n '25,40p' .github/workflows/gradle.yml | cat -n
else
    echo "gradle.yml not found at expected path"
fi
Repository: minio/minio-java
Length of output: 747
🌐 Web query:
actions/setup-java v5 commit SHA GitHub Actions pinning best practices 2026
💡 Result:
As of June 2026, pinning GitHub Actions to a full-length commit SHA is considered the industry-standard security best practice [1][2][3].

Use of Commit SHAs
Pinning to a full-length 40-character commit SHA provides immutability [1][4][5]. Unlike tags (e.g., v5) or branches (e.g., main), which are mutable and can be moved or force-pushed by an attacker to point to malicious code, a commit SHA points to a specific, unchangeable state of the repository [1][6][7].

Best Practices for 2026
1. Always Use Full SHAs: Pin all third-party actions to their full commit SHA to prevent supply chain attacks [2][3][7].
2. Maintain Human-Readability: Append the version tag as a comment to the SHA pin for clarity, for example: uses: actions/setup-java@d81c4e45f3ac973cc936d79104023e20054ba578 # v5.0.1 [2][3][7].
3. Automate Maintenance: Do not manage pins manually. Use tools like Renovate (with the helpers:pinGitHubActionDigests preset) or dependabot to automatically open pull requests when new versions are released, ensuring your dependencies stay current without sacrificing security [2][3][6].
4. Enforce via Policy: Organizations and repositories can now enable policies to require SHA pinning [1][8]. If enabled, any workflow using a mutable tag or branch will fail [2][5]. It is recommended to enable this enforcement where possible to ensure universal compliance [2][7].
5. Audit Sub-actions: Be aware that even if you pin a primary action, it may internally reference other unpinned actions [3][7][5]. While full workflow-level dependency locking is a feature on the 2026 security roadmap to address this, users should be cautious and monitor action security [9][3].

Regarding setup-java v5: The latest release as of June 2026 is v5.3.0, released on 2026-06-16 [10].
To pin to a specific version of setup-java, navigate to the action's repository on GitHub, view the tags or commit history to find the 40-character SHA associated with the desired release, and use it in your workflow file [11][12][4].

Top results for reference: [1] GitHub Docs: Secure use of GitHub Actions; [2] Lullabot: Always pin GitHub Actions to a commit hash; [3] CNCF: Securing CI/CD for an open source project; [8] GitHub Blog: GitHub Actions policy supports SHA pinning; [7] Opera Omnia: Stop trusting mutable references
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://architecture.lullabot.com/adr/20260505-pin-github-actions-to-hash/
- 3: https://www.cncf.io/blog/2026/06/12/securing-ci-cd-for-an-open-source-project-locking-down-dependencies/
- 4: https://docs.github.com/en/actions/how-tos/create-and-publish-actions/manage-custom-actions
- 5: https://www.romainlespinasse.dev/posts/github-actions-commit-sha-pinning/
- 6: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 7: https://mikael.barbero.tech/blog/post/2026-03-24-stop-trusting-mutable-references/
- 8: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 9: https://github.blog/news-insights/product-news/whats-coming-to-our-github-actions-2026-security-roadmap/
- 10: https://github.com/actions/setup-java/releases/tag/v5.3.0
- 11: http://github.com/actions/setup-java
- 12: actions/setup-java@d81c4e4
🏁 Script executed:
#!/bin/bash
# Check if there are other actions in the workflow and their pinning status
cat .github/workflows/gradle.yml | grep -n "uses:" | head -20
Repository: minio/minio-java
Length of output: 175
Pin actions/setup-java to a full commit SHA.
Line 33 uses a mutable tag (@v5), which weakens supply-chain integrity in CI. Pin to an immutable commit digest.
Suggested change
- name: Setup java 25 for building
- uses: actions/setup-java@v5
+ uses: actions/setup-java@d81c4e45f3ac973cc936d79104023e20054ba578 # v5.3.0
with:
distribution: temurin
java-version: '25'
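Review bot: the version comment on the new `uses:` line needs verifying before this is committed: the suggestion annotates `d81c4e45f3ac973cc936d79104023e20054ba578` as `# v5.3.0`, but the web-query result quoted earlier in this thread shows the same SHA annotated as `# v5.0.1`. Reviewers and update bots read that comment, so it must match the tag the SHA actually belongs to; `git ls-remote --tags https://github.com/actions/setup-java v5.3.0` lists the tag and, for an annotated tag, its peeled `^{}` commit, which is the value to pin, and the comment should then be set to that tag.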
🧰 Tools
🪛 zizmor (1.25.2)
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
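As a defender-side check for the pinning findings in this thread (added example, not code from minio-java or CodeRabbit), the script below scans workflow text for `uses:` references and reports mutable tag or branch refs, abbreviated SHAs, and full-SHA pins that lack the human-readable version comment. The sample workflow is constructed; its pinned line reuses the setup-java SHA quoted in the review suggestion, and the `check_pins` name is the example's own.

```python
"""Flag GitHub Actions `uses:` refs not pinned to a full commit SHA (added
illustration for this thread, not minio-java or CodeRabbit code). The workflow
text is constructed; the pinned setup-java line reuses the SHA quoted in the
review suggestion above.
"""
import re
from typing import List, Tuple

# `uses: owner/repo[/path]@ref` with an optional trailing `# vX.Y.Z` comment.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.I)
_SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$", re.I)

SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - name: Setup java 25 for building
        uses: actions/setup-java@v5
      - uses: actions/setup-java@d81c4e45f3ac973cc936d79104023e20054ba578 # v5.3.0
      - uses: actions/setup-java@d81c4e4
      - uses: ./.github/actions/local-step
"""

def check_pins(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, target, finding) for each `uses:` needing attention.

    unpinned: mutable tag/branch ref (e.g. @v5) or no ref; short-sha: abbreviated
    SHA, neither immutable nor collision-safe; missing-version-comment: full SHA
    without the `# vX.Y.Z` comment that reviewers and update bots rely on.
    Local actions (./...) and docker:// images are skipped.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        ref = target.rsplit("@", 1)[1] if "@" in target else ""
        if _FULL_SHA_RE.match(ref):
            if comment is None:
                findings.append((lineno, target, "missing-version-comment"))
        elif _SHORT_SHA_RE.match(ref):
            findings.append((lineno, target, "short-sha"))
        else:
            findings.append((lineno, target, "unpinned"))
    return findings
```

Run over `SAMPLE_WORKFLOW` it reports the `@v5` line as unpinned, the 7-character `@d81c4e4` as a short SHA, and the placeholder checkout pin as missing its version comment, while the fully pinned and commented setup-java line passes.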
Signed-off-by: Bala.FA <bala@minio.io>
Force-pushed: bfc1340 to ca6b18f