Summary
Update the CI workflow to pin actions/setup-java to an immutable commit SHA instead of using the floating tag actions/setup-java@v4.
Why
The current workflow uses a mutable action reference in .github/workflows/CI.yml. A tag such as v4 is a moving pointer: the action's maintainers retarget it on every v4.x release, and anyone who gains write access to the action's repository can retarget it too, so each CI run executes whatever commit the tag resolves to at that moment. Pinning the action to an exact commit SHA makes the reference immutable, so a moved tag or a compromised release cannot change what runs without a reviewed change to the workflow file. It also aligns the workflow with stricter CI/SAST policies that require immutable action references.
Affected area
.github/workflows/CI.yml
Required change
Replace the current uses: actions/setup-java@v4 reference with the exact approved commit SHA for the same action revision, keeping the step behavior otherwise unchanged. Use the full 40-character SHA, not a short SHA, and confirm it is the commit the v4 tag resolves to, e.g. with git ls-remote https://github.com/actions/setup-java refs/tags/v4 (take the peeled ^{} entry if the tag is annotated). Keep the release as a trailing comment on the uses: line, e.g. uses: actions/setup-java@<sha> # v4, so reviewers and Dependabot/Renovate can still see which release the SHA corresponds to.
Acceptance criteria
- .github/workflows/CI.yml no longer uses a floating tag for actions/setup-java
- The workflow references actions/setup-java using a full commit SHA
- The JDK configuration remains functionally the same (Java 21, Temurin, Gradle cache)
- CI continues to run successfully after the change
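An added example, not part of this issue or the repository's CI.yml: a small Python script that performs the requested change and the acceptance check, generalized to every uses: line in a workflow rather than only setup-java. It rewrites the floating reference to a SHA with a trailing version comment, lists every remaining reference that is not a full 40-hex commit SHA, and confirms that the step's with: block was not touched. The workflow text and SAMPLE_SHA are constructed placeholders; the real commit must be resolved from the actions/setup-java repository and approved as described above.

```python
import re

# Constructed sample workflow for this example; it is NOT the repository's real CI.yml.
BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'
          cache: gradle
      - run: ./gradlew build
"""

# Constructed placeholder: a syntactically valid 40-hex SHA, NOT the real commit
# behind actions/setup-java v4. Resolve the real one with
#   git ls-remote https://github.com/actions/setup-java refs/tags/v4
SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the reference after `uses:` up to whitespace, a quote or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)


def is_full_sha(version: str) -> bool:
    """True only for a full 40-character lowercase hex commit SHA (no short SHAs, no tags)."""
    return bool(FULL_SHA_RE.match(version))


def find_unpinned(workflow_text: str) -> list:
    """Return every remote `uses:` reference whose version is not a full commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable git tag in another GitHub repository.
    """
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.rpartition("@")
        if not sep or not is_full_sha(version):
            unpinned.append(ref)
    return unpinned


def pin_action(workflow_text: str, action: str, tag: str, sha: str):
    """Rewrite `uses: <action>@<tag>` to `uses: <action>@<sha> # <tag>`.

    Only the uses: line changes; the step's with: block is untouched. The
    trailing `# <tag>` comment keeps the human-readable release next to the
    SHA so reviewers and Dependabot/Renovate can still track updates.
    Returns the new text and the number of references rewritten.
    """
    if not is_full_sha(sha):
        raise ValueError("refusing to pin to anything but a full 40-hex commit SHA")
    pattern = re.compile(
        r"(uses:\s*)" + re.escape(action) + "@" + re.escape(tag) + r"(?=\s|$)",
        re.MULTILINE,
    )
    new_text, count = pattern.subn(
        lambda m: f"{m.group(1)}{action}@{sha} # {tag}", workflow_text
    )
    return new_text, count


def step_config_unchanged(before: str, after: str) -> bool:
    """True if every line other than the `uses:` lines is identical, i.e. the
    JDK configuration (distribution, java-version, cache) was not modified."""
    def without_uses(text):
        return [ln for ln in text.splitlines() if "uses:" not in ln]
    return without_uses(before) == without_uses(after)


if __name__ == "__main__":
    print("unpinned before:", find_unpinned(BEFORE))
    after, n = pin_action(BEFORE, "actions/setup-java", "v4", SAMPLE_SHA)
    print(after)
    print("rewritten:", n, "| still unpinned:", find_unpinned(after))
    print("JDK config unchanged:", step_config_unchanged(BEFORE, after))
```

Run against the constructed workflow, the script pins setup-java and reports that actions/checkout@v4 is still floating: the check is deliberately broader than this issue so the same script can gate the rest of the workflow once setup-java is done.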
References
Requested by