Bump version to 1.3.5.

Bumps [form-data](https://github.com/form-data/form-data) from 2.5.3 to 2.5.5.
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/v2.5.5/CHANGELOG.md)
- [Commits](https://github.com/form-data/form-data/compare/v2.5.3...v2.5.5)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 2.5.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/ci.yml

@@ -32,6 +32,8 @@ jobs:
         run: npm run lint
       - name: Test
         run: npm run test
+        env:
+          INPUT_GITHUB_TOKEN: ${{ github.token }} # for core.getInput()
 
   test-action:
     name: GraalVM
@@ -41,7 +43,7 @@ jobs:
       PASSES_GDS_TOKEN_CHECK: ${{ !matrix.set-gds-token || secrets.GDS_TOKEN != '' }}
     strategy:
       matrix:
-        java-version: ['23', '21', '17', '20', 'dev']
+        java-version: ['24', '21', '17', '20', 'dev']
         distribution: ['graalvm', 'graalvm-community']
         os: [
             ubuntu-latest, # Linux on Intel
@@ -56,7 +58,7 @@ jobs:
           - java-version: 'latest-ea'
             distribution: 'graalvm'
             os: ubuntu-latest
-          - java-version: '24-ea'
+          - java-version: '25-ea'
             distribution: 'graalvm'
             os: ubuntu-latest
           - java-version: '21'
@@ -131,7 +133,7 @@ jobs:
           - version: '22.2.0' # for update notifications
             java-version: '17'
             components: 'native-image'
-            os: ubuntu-20.04
+            os: ubuntu-22.04
           - version: '21.2.0'
             java-version: '8' # for JDK 8 notification
             components: 'native-image'

README.md

@@ -1,5 +1,7 @@
 # GitHub Action for GraalVM [![CI](https://github.com/graalvm/setup-graalvm/actions/workflows/ci.yml/badge.svg)](https://github.com/graalvm/setup-graalvm/actions/workflows/ci.yml)
-This GitHub action sets up [Oracle GraalVM][graalvm-medium], GraalVM [Community Edition (CE)][repo], [Enterprise Edition (EE)][graalvm-ee], [Mandrel][mandrel], or [Liberica Native Image Kit][liberica] as well as [Native Image][native-image] and GraalVM components such as [Truffle languages][truffle-languages].
+
+Set up your GitHub Actions workflow with a specific [GraalVM][graalvm] distribution, and use it both as your JDK and for [ahead-of-time Native Image compilation][graalvm].
+
 
 ## Key Features
 
@@ -7,12 +9,10 @@ This action:
 
 - supports Oracle GraalVM [releases][graalvm-dl], [EA builds][ea-builds], GraalVM Community Edition (CE) [releases], [dev builds][dev-builds], GraalVM Enterprise Edition (EE) [releases][graalvm-ee] (set [`gds-token`](#options)) 22.1.0 and later, [Mandrel][mandrel], and [Liberica Native Image Kit][liberica] (see [Options](#options))
 - exports a `$GRAALVM_HOME` environment variable
-- adds `$GRAALVM_HOME/bin` to the `$PATH` environment variable<br>(Native Image, Truffle languages, and tools can be invoked directly)
+- adds `$GRAALVM_HOME/bin` to the `$PATH` environment variable<br>(`native-image`, `javac`, and other JDK tools can be invoked directly)
 - sets `$JAVA_HOME` to `$GRAALVM_HOME` by default<br>(can be disabled via `set-java-home: 'false'`, see [Options](#options))
-- supports `x64` and `aarch64` (selected automatically, `aarch64` requires a [self-hosted runner][gha-self-hosted-runners])
+- supports `x64` and `aarch64/arm64` (see how to use [Linux arm64 runners](https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/))
 - supports dependency caching for Apache Maven, Gradle, and sbt (see [`cache` option](#options))
-- sets up Windows environments with build tools using [vcvarsall.bat][vcvarsall]
-- has built-in support for GraalVM components and the [GraalVM Updater][gu]
 
 
 ## Templates
@@ -194,7 +194,7 @@ This actions can be configured with the following options:
 
 | Name            | Default  | Description |
 |-----------------|:--------:|-------------|
-| `java-version`<br>*(required)* | n/a | Java version <ul><li>major versions: `'23'`, `'21'`, `'17'`, `'11'`, `'8'`</li><li>specific versions: `'21.0.3'`, `'17.0.11'`</li><li>early access (EA) builds: `'24-ea'` *(requires `distribution: 'graalvm'`)*</li><li>latest EA build: `'latest-ea'` *(requires `distribution: 'graalvm'`)*</li><li>dev builds: `'dev'`</li></ul> |
+| `java-version`<br>*(required)* | n/a | Java version <ul><li>major versions: `'24'`, `'21'`, `'17'`, `'11'`, `'8'`</li><li>specific versions: `'21.0.3'`, `'17.0.11'`</li><li>early access (EA) builds: `'25-ea'` *(requires `distribution: 'graalvm'`)*</li><li>latest EA build: `'latest-ea'` *(requires `distribution: 'graalvm'`)*</li><li>dev builds: `'dev'`</li></ul> |
 | `distribution`  | `'graalvm'` | GraalVM distribution (see [supported distributions](#supported-distributions)) |
 | `java-package`  | `'jdk'` | The package type (`'jdk'` or `'jdk+fx'`). Currently applies to Liberica only. |
 | `github-token`  | `'${{ github.token }}'` | Token for communication with the GitHub API. Please set this to `${{ secrets.GITHUB_TOKEN }}` (see [templates](#templates)) to allow the action to authenticate with the GitHub API, which helps reduce rate-limiting issues. |
@@ -270,21 +270,16 @@ Only pull requests from committers that can be verified as having signed the OCA
 [gha-self-hosted-runners]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
 [gu]: https://www.graalvm.org/reference-manual/graalvm-updater/
 [graalvm]: https://www.graalvm.org/
-[graalvm-dl]: https://www.oracle.com/java/technologies/downloads/
+[graalvm-dl]: https://www.graalvm.org/downloads/
-[graalvm-medium]: https://medium.com/graalvm/a-new-graalvm-release-and-new-free-license-4aab483692f5
 [graalvm-ee]: https://www.oracle.com/downloads/graalvm-downloads.html
 [liberica]: https://bell-sw.com/liberica-native-image-kit/
 [mandrel]: https://github.com/graalvm/mandrel
 [mandrel-releases]: https://github.com/graalvm/mandrel/releases
 [mandrel-stable]: https://github.com/graalvm/mandrel/releases/latest
 [musl]: https://musl.libc.org/
-[native-image]: https://www.graalvm.org/native-image/
 [native-image-musl-build]: https://github.com/graalvm/setup-graalvm/blob/778131f1d6837ccd4b2e91382c31830896a2d56e/.github/workflows/test.yml#L74-L92
 [native-image-static]: https://github.com/oracle/graal/blob/fa6f4a974dedacf4688dcc430dd100849d9882f2/docs/reference-manual/native-image/StaticImages.md
 [oca]: https://oca.opensource.oracle.com
 [releases]: https://github.com/graalvm/graalvm-ce-builds/releases
-[repo]: https://github.com/oracle/graal
 [setup-java-caching]: https://github.com/actions/setup-java/tree/5b36705a13905facb447b6812d613a06a07e371d#caching-packages-dependencies
 [stable]: https://github.com/graalvm/graalvm-ce-builds/releases/latest
-[truffle-languages]: https://www.graalvm.org/reference-manual/languages/
-[vcvarsall]: https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line

__tests__/sbom.test.ts

@@ -145,6 +145,7 @@ describe('sbom feature', () => {
       writeFileSync(sbomPath, JSON.stringify(sbom, null, 2))
 
       mockFindSBOM([sbomPath])
+      jest.spyOn(core, 'getState').mockReturnValue(javaVersion)
 
       await processSBOM()
     }
@@ -190,6 +191,10 @@ describe('sbom feature', () => {
       ]
     }
 
+    it('should throw an error if setUpSBOMSupport was not called before processSBOM', async () => {
+      await expect(processSBOM()).rejects.toThrow('setUpSBOMSupport must be called before processSBOM')
+    })
+
     it('should process SBOM and display components', async () => {
       await setUpAndProcessSBOM(sampleSBOM)
 

package.json

@@ -2,7 +2,7 @@
   "name": "setup-graalvm",
   "author": "GraalVM Community",
   "description": "GitHub Action for GraalVM",
-  "version": "1.3.1",
+  "version": "1.3.5",
   "private": true,
   "repository": {
     "type": "git",
@@ -33,43 +33,42 @@
   },
   "license": "UPL",
   "dependencies": {
-    "@actions/cache": "^4.0.0",
+    "@actions/cache": "^4.0.3",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
+    "@actions/github": "^6.0.1",
     "@actions/glob": "^0.5.0",
     "@actions/http-client": "^2.2.3",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
-    "@octokit/core": "^5.2.0",
+    "@octokit/types": "^14.1.0",
-    "@octokit/types": "^13.8.0",
+    "@github/dependency-submission-toolkit": "^2.0.5",
-    "@github/dependency-submission-toolkit": "^2.0.4",
+    "semver": "^7.7.2",
-    "semver": "^7.7.1",
+    "uuid": "^11.1.0"
-    "uuid": "^11.0.5"
   },
   "devDependencies": {
-    "@eslint/compat": "^1.2.6",
+    "@eslint/compat": "^1.3.1",
     "@types/jest": "^29.5.14",
-    "@types/node": "^20.17.17",
+    "@types/node": "^20.19.4",
-    "@types/semver": "^7.5.8",
+    "@types/semver": "^7.7.0",
     "@types/uuid": "^10.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.24.0",
+    "@typescript-eslint/eslint-plugin": "^8.35.1",
-    "@typescript-eslint/parser": "^8.24.0",
+    "@typescript-eslint/parser": "^8.31.1",
     "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.20.1",
+    "eslint": "^9.30.1",
-    "eslint-config-prettier": "^10.0.1",
+    "eslint-config-prettier": "^10.1.5",
-    "eslint-import-resolver-typescript": "^3.6.3",
+    "eslint-import-resolver-typescript": "^4.4.4",
-    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-jest": "^28.10.0",
+    "eslint-plugin-jest": "^29.0.1",
-    "eslint-plugin-jsonc": "^2.19.1",
+    "eslint-plugin-jsonc": "^2.20.1",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-prettier": "^5.2.3",
+    "eslint-plugin-prettier": "^5.5.1",
     "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "prettier": "^3.5.0",
+    "prettier": "^3.6.2",
-    "prettier-eslint": "^16.3.0",
+    "prettier-eslint": "^16.4.2",
-    "ts-jest": "^29.2.5",
+    "ts-jest": "^29.4.0",
     "ts-node": "^10.9.2",
-    "typescript": "^5.7.3"
+    "typescript": "^5.8.3"
   }
 }

src/constants.ts

@@ -1,6 +1,6 @@
 import * as otypes from '@octokit/types'
 
-export const ACTION_VERSION = '1.3.1'
+export const ACTION_VERSION = '1.3.5'
 
 export const INPUT_VERSION = 'version'
 export const INPUT_GDS_TOKEN = 'gds-token'

src/features/sbom.ts

@@ -10,8 +10,7 @@ import { setNativeImageOption } from '../utils'
 const INPUT_NI_SBOM = 'native-image-enable-sbom'
 const SBOM_FILE_SUFFIX = '.sbom.json'
 const MIN_JAVA_VERSION = '24.0.0'
-
+const javaVersionKey = 'javaVersionKey'
-let javaVersionOrLatestEA: string | null = null
 
 interface SBOM {
   components: Component[]
@@ -67,36 +66,36 @@ interface DependencySnapshot {
   >
 }
 
-export function setUpSBOMSupport(javaVersionOrDev: string, distribution: string): void {
+export function setUpSBOMSupport(javaVersion: string, distribution: string): void {
   if (!isFeatureEnabled()) {
     return
   }
 
-  validateJavaVersionAndDistribution(javaVersionOrDev, distribution)
+  validateJavaVersionAndDistribution(javaVersion, distribution)
-  javaVersionOrLatestEA = javaVersionOrDev
+  core.saveState(javaVersionKey, javaVersion)
-  setNativeImageOption(javaVersionOrLatestEA, '--enable-sbom=export')
+  setNativeImageOption(javaVersion, '--enable-sbom=export')
   core.info('Enabled SBOM generation for Native Image build')
 }
 
-function validateJavaVersionAndDistribution(javaVersionOrDev: string, distribution: string): void {
+function validateJavaVersionAndDistribution(javaVersion: string, distribution: string): void {
   if (distribution !== c.DISTRIBUTION_GRAALVM) {
     throw new Error(
       `The '${INPUT_NI_SBOM}' option is only supported for Oracle GraalVM (distribution '${c.DISTRIBUTION_GRAALVM}'), but found distribution '${distribution}'.`
     )
   }
 
-  if (javaVersionOrDev === 'dev') {
+  if (javaVersion === 'dev') {
     throw new Error(`The '${INPUT_NI_SBOM}' option is not supported for java-version 'dev'.`)
   }
 
-  if (javaVersionOrDev === 'latest-ea') {
+  if (javaVersion === 'latest-ea') {
     return
   }
 
-  const coercedJavaVersion = semver.coerce(javaVersionOrDev)
+  const coercedJavaVersion = semver.coerce(javaVersion)
   if (!coercedJavaVersion || semver.gt(MIN_JAVA_VERSION, coercedJavaVersion)) {
     throw new Error(
-      `The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersionOrDev}'.`
+      `The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersion}'.`
     )
   }
 }
@@ -106,7 +105,8 @@ export async function processSBOM(): Promise<void> {
     return
   }
 
-  if (javaVersionOrLatestEA === null) {
+  const javaVersion = core.getState(javaVersionKey)
+  if (!javaVersion) {
     throw new Error('setUpSBOMSupport must be called before processSBOM')
   }
 
@@ -116,7 +116,7 @@ export async function processSBOM(): Promise<void> {
     const sbomData = parseSBOM(sbomContent)
     const components = mapToComponentsWithDependencies(sbomData)
     printSBOMContent(components)
-    const snapshot = convertSBOMToSnapshot(sbomPath, components)
+    const snapshot = convertSBOMToSnapshot(javaVersion, sbomPath, components)
     await submitDependencySnapshot(snapshot)
   } catch (error) {
     throw new Error(
@@ -184,7 +184,7 @@ function printSBOMContent(components: Component[]): void {
   core.info('==================')
 }
 
-function convertSBOMToSnapshot(sbomPath: string, components: Component[]): DependencySnapshot {
+function convertSBOMToSnapshot(javaVersion: string, sbomPath: string, components: Component[]): DependencySnapshot {
   const context = github.context
   const sbomFileName = basename(sbomPath)
 
@@ -203,7 +203,7 @@ function convertSBOMToSnapshot(sbomPath: string, components: Component[]): Depen
     },
     detector: {
       name: 'Oracle GraalVM',
-      version: javaVersionOrLatestEA ?? '',
+      version: javaVersion,
       url: 'https://www.graalvm.org/'
     },
     scanned: new Date().toISOString(),

src/utils.ts

@@ -1,25 +1,15 @@
 import * as c from './constants'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import * as httpClient from '@actions/http-client'
 import * as semver from 'semver'
 import * as tc from '@actions/tool-cache'
 import * as fs from 'fs'
 import { ExecOptions, exec as e } from '@actions/exec'
 import { readFileSync, readdirSync } from 'fs'
-import { Octokit } from '@octokit/core'
 import { createHash } from 'crypto'
 import { join } from 'path'
 import { tmpdir } from 'os'
-
+import { GitHub } from '@actions/github/lib/utils'
-// Set up Octokit for github.com only and in the same way as @actions/github (see https://git.io/Jy9YP)
-const baseUrl = 'https://api.github.com'
-const GitHubDotCom = Octokit.defaults({
-  baseUrl,
-  request: {
-    agent: new httpClient.HttpClient().getAgent(baseUrl)
-  }
-})
 
 export async function exec(commandLine: string, args?: string[], options?: ExecOptions | undefined): Promise<void> {
   const exitCode = await e(commandLine, args, options)
@@ -29,9 +19,7 @@ export async function exec(commandLine: string, args?: string[], options?: ExecO
 }
 
 export async function getLatestRelease(repo: string): Promise<c.LatestReleaseResponse['data']> {
-  const githubToken = getGitHubToken()
+  const octokit = getOctokit()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
   return (
     await octokit.request('GET /repos/{owner}/{repo}/releases/latest', {
       owner: c.GRAALVM_GH_USER,
@@ -41,9 +29,7 @@ export async function getLatestRelease(repo: string): Promise<c.LatestReleaseRes
 }
 
 export async function getContents(repo: string, path: string): Promise<c.ContentsResponse['data']> {
-  const githubToken = getGitHubToken()
+  const octokit = getOctokit()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
   return (
     await octokit.request('GET /repos/{owner}/{repo}/contents/{path}', {
       owner: c.GRAALVM_GH_USER,
@@ -58,9 +44,7 @@ export async function getTaggedRelease(
   repo: string,
   tag: string
 ): Promise<c.LatestReleaseResponse['data']> {
-  const githubToken = getGitHubToken()
+  const octokit = getOctokit()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
   return (
     await octokit.request('GET /repos/{owner}/{repo}/releases/tags/{tag}', {
       owner,
@@ -75,9 +59,7 @@ export async function getMatchingTags(
   repo: string,
   tagPrefix: string
 ): Promise<c.MatchingRefsResponse['data']> {
-  const githubToken = getGitHubToken()
+  const octokit = getOctokit()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
   return (
     await octokit.request('GET /repos/{owner}/{repo}/git/matching-refs/tags/{tagPrefix}', {
       owner,
@@ -156,8 +138,15 @@ export function isPREvent(): boolean {
   return process.env[c.ENV_GITHUB_EVENT_NAME] === c.EVENT_NAME_PULL_REQUEST
 }
 
-function getGitHubToken(): string {
+function getOctokit(): InstanceType<typeof GitHub> {
-  return core.getInput(c.INPUT_GITHUB_TOKEN)
+  /* Set up GitHub instance manually because @actions/github does not allow unauthenticated access */
+  const GitHubWithPlugins = GitHub.plugin()
+  const token = core.getInput(c.INPUT_GITHUB_TOKEN)
+  if (token) {
+    return new GitHubWithPlugins({ auth: `token ${token}` })
+  } else {
+    return new GitHubWithPlugins() /* unauthenticated */
+  }
 }
 
 export async function findExistingPRCommentId(bodyStartsWith: string): Promise<number | undefined> {
@@ -166,7 +155,7 @@ export async function findExistingPRCommentId(bodyStartsWith: string): Promise<n
   }
 
   const context = github.context
-  const octokit = github.getOctokit(getGitHubToken())
+  const octokit = getOctokit()
   try {
     const comments = await octokit.paginate(octokit.rest.issues.listComments, {
       ...context.repo,
@@ -189,7 +178,7 @@ export async function updatePRComment(content: string, commentId: number): Promi
   }
 
   try {
-    await github.getOctokit(getGitHubToken()).rest.issues.updateComment({
+    await getOctokit().rest.issues.updateComment({
       ...github.context.repo,
       comment_id: commentId,
       body: content
@@ -207,7 +196,7 @@ export async function createPRComment(content: string): Promise<void> {
   }
   const context = github.context
   try {
-    await github.getOctokit(getGitHubToken()).rest.issues.createComment({
+    await getOctokit().rest.issues.createComment({
       ...context.repo,
       issue_number: context.payload.pull_request?.number as number,
       body: content

tsconfig.json

@@ -2,6 +2,7 @@
   "$schema": "https://json.schemastore.org/tsconfig",
   "extends": "./tsconfig.base.json",
   "compilerOptions": {
+    "isolatedModules": true,
     "module": "NodeNext",
     "moduleResolution": "NodeNext",
     "outDir": "./dist"