Bump version to 1.3.7.

Bumps the npm-development group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@eslint/compat](https://github.com/eslint/rewrite/tree/HEAD/packages/compat) | `1.3.1` | `1.3.2` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.9` | `20.19.11` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.38.0` | `8.41.0` |
| [eslint](https://github.com/eslint/eslint) | `9.31.0` | `9.34.0` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.3` | `5.5.4` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `30.0.5` | `30.1.2` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |



Updates `@eslint/compat` from 1.3.1 to 1.3.2
- [Release notes](https://github.com/eslint/rewrite/releases)
- [Changelog](https://github.com/eslint/rewrite/blob/main/packages/compat/CHANGELOG.md)
- [Commits](https://github.com/eslint/rewrite/commits/compat-v1.3.2/packages/compat)

Updates `@types/node` from 20.19.9 to 20.19.11
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript-eslint/eslint-plugin` from 8.38.0 to 8.41.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.41.0/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.38.0 to 8.41.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.41.0/packages/parser)

Updates `eslint` from 9.31.0 to 9.34.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v9.31.0...v9.34.0)

Updates `eslint-plugin-prettier` from 5.5.3 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.5.3...v5.5.4)

Updates `jest` from 30.0.5 to 30.1.2
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/HEAD/packages/jest)

Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.4.0...v29.4.1)

Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.2)

---
updated-dependencies:
- dependency-name: "@eslint/compat"
  dependency-version: 1.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: "@types/node"
  dependency-version: 20.19.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.41.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.41.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: eslint
  dependency-version: 9.34.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: jest
  dependency-version: 30.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -1,30 +1,19 @@
 version: 2
 updates:
-  - package-ecosystem: github-actions
-    directory: /
+  - package-ecosystem: 'github-actions'
+    directory: '/'
     schedule:
-      interval: monthly
+      interval: 'monthly'
     groups:
-      actions-minor:
-        update-types:
-          - minor
-          - patch
+      github-actions-updates:
+        patterns:
+          - '*'
 
-  - package-ecosystem: npm
-    directory: /
+  - package-ecosystem: 'npm'
+    directory: '/'
     schedule:
-      interval: monthly
-    ignore:
-      - dependency-name: '@types/node'
-        update-types:
-          - 'version-update:semver-major'
+      interval: 'monthly'
     groups:
-      npm-development:
-        dependency-type: development
-        update-types:
-          - minor
-          - patch
-      npm-production:
-        dependency-type: production
-        update-types:
-          - patch
+      npm-updates:
+        patterns:
+          - '*'

.github/workflows/check-dist.yml

@@ -32,11 +32,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -70,7 +70,7 @@ jobs:
       - if: ${{ failure() && steps.diff.outcome == 'failure' }}
         name: Upload Artifact
         id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: dist
           path: dist/

.github/workflows/ci.yml

@@ -18,9 +18,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -32,6 +32,8 @@ jobs:
         run: npm run lint
       - name: Test
         run: npm run test
+        env:
+          INPUT_GITHUB_TOKEN: ${{ github.token }} # for core.getInput()
 
   test-action:
     name: GraalVM
@@ -41,7 +43,7 @@ jobs:
       PASSES_GDS_TOKEN_CHECK: ${{ !matrix.set-gds-token || secrets.GDS_TOKEN != '' }}
     strategy:
       matrix:
-        java-version: ['23', '21', '17', '20', 'dev']
+        java-version: ['25', '21', '17', '20', 'dev']
         distribution: ['graalvm', 'graalvm-community']
         os: [
             ubuntu-latest, # Linux on Intel
@@ -56,7 +58,7 @@ jobs:
           - java-version: 'latest-ea'
             distribution: 'graalvm'
             os: ubuntu-latest
-          - java-version: '24-ea'
+          - java-version: '25-ea'
             distribution: 'graalvm'
             os: ubuntu-latest
           - java-version: '21'
@@ -81,7 +83,7 @@ jobs:
             os: ubuntu-latest
             set-gds-token: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -131,7 +133,7 @@ jobs:
           - version: '22.2.0' # for update notifications
             java-version: '17'
             components: 'native-image'
-            os: ubuntu-20.04
+            os: ubuntu-22.04
           - version: '21.2.0'
             java-version: '8' # for JDK 8 notification
             components: 'native-image'
@@ -149,7 +151,7 @@ jobs:
             components: 'native-image'
             os: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -206,7 +208,7 @@ jobs:
             components: 'native-image'
             os: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -255,7 +257,7 @@ jobs:
             distribution: 'mandrel'
             os: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -290,7 +292,7 @@ jobs:
         java-package: ['', 'jdk', 'jdk+fx']
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -330,7 +332,7 @@ jobs:
       contents: read
       pull-requests: write # for `native-image-pr-reports` option
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -353,7 +355,7 @@ jobs:
       contents: read
       pull-requests: write # for `native-image-pr-reports` option
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -376,7 +378,7 @@ jobs:
       contents: read
       pull-requests: write # for `native-image-pr-reports` option
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -400,7 +402,7 @@ jobs:
       contents: read
       pull-requests: write # for `native-image-pr-reports` option
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:
@@ -456,12 +458,12 @@ jobs:
       contents: write
     strategy:
       matrix:
-        java-version: ['24-ea', 'latest-ea']
+        java-version: ['26-ea', 'latest-ea']
         distribution: ['graalvm']
-        os: [macos-latest, windows-latest, ubuntu-latest]
+        os: [macos-latest, windows-latest, ubuntu-latest, ubuntu-22.04-arm]
         components: ['']
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run setup-graalvm action
         uses: ./
         with:

README.md

@@ -1,5 +1,7 @@
 # GitHub Action for GraalVM [![CI](https://github.com/graalvm/setup-graalvm/actions/workflows/ci.yml/badge.svg)](https://github.com/graalvm/setup-graalvm/actions/workflows/ci.yml)
-This GitHub action sets up [Oracle GraalVM][graalvm-medium], GraalVM [Community Edition (CE)][repo], [Enterprise Edition (EE)][graalvm-ee], [Mandrel][mandrel], or [Liberica Native Image Kit][liberica] as well as [Native Image][native-image] and GraalVM components such as [Truffle languages][truffle-languages].
+
+Set up your GitHub Actions workflow with a specific [GraalVM][graalvm] distribution, and use it both as your JDK and for [ahead-of-time Native Image compilation][graalvm].
+
 
 ## Key Features
 
@@ -7,12 +9,10 @@ This action:
 
 - supports Oracle GraalVM [releases][graalvm-dl], [EA builds][ea-builds], GraalVM Community Edition (CE) [releases], [dev builds][dev-builds], GraalVM Enterprise Edition (EE) [releases][graalvm-ee] (set [`gds-token`](#options)) 22.1.0 and later, [Mandrel][mandrel], and [Liberica Native Image Kit][liberica] (see [Options](#options))
 - exports a `$GRAALVM_HOME` environment variable
-- adds `$GRAALVM_HOME/bin` to the `$PATH` environment variable<br>(Native Image, Truffle languages, and tools can be invoked directly)
+- adds `$GRAALVM_HOME/bin` to the `$PATH` environment variable<br>(`native-image`, `javac`, and other JDK tools can be invoked directly)
 - sets `$JAVA_HOME` to `$GRAALVM_HOME` by default<br>(can be disabled via `set-java-home: 'false'`, see [Options](#options))
-- supports `x64` and `aarch64` (selected automatically, `aarch64` requires a [self-hosted runner][gha-self-hosted-runners])
+- supports `x64` and `aarch64/arm64` (see how to use [Linux arm64 runners](https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/))
 - supports dependency caching for Apache Maven, Gradle, and sbt (see [`cache` option](#options))
-- sets up Windows environments with build tools using [vcvarsall.bat][vcvarsall]
-- has built-in support for GraalVM components and the [GraalVM Updater][gu]
 
 
 ## Templates
@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: graalvm/setup-graalvm@v1
         with:
-          java-version: '21'      # See 'Options' for more details
+          java-version: '25'      # See 'Options' for more details
           distribution: 'graalvm' # See 'Supported distributions' for available options
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Example step
@@ -61,7 +61,7 @@ jobs:
 
       - uses: graalvm/setup-graalvm@v1
         with:
-          java-version: '21'
+          java-version: '25'
           distribution: 'graalvm'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
@@ -92,7 +92,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: graalvm/setup-graalvm@v1
         with:
-          java-version: '24-ea' # or 'latest-ea' for the latest Java version available
+          java-version: '26-ea' # or 'latest-ea' for the latest Java version available
           distribution: 'graalvm'
           github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
@@ -194,7 +194,7 @@ This actions can be configured with the following options:
 
 | Name            | Default  | Description |
 |-----------------|:--------:|-------------|
-| `java-version`<br>*(required)* | n/a | Java version <ul><li>major versions: `'23'`, `'21'`, `'17'`, `'11'`, `'8'`</li><li>specific versions: `'21.0.3'`, `'17.0.11'`</li><li>early access (EA) builds: `'24-ea'` *(requires `distribution: 'graalvm'`)*</li><li>latest EA build: `'latest-ea'` *(requires `distribution: 'graalvm'`)*</li><li>dev builds: `'dev'`</li></ul> |
+| `java-version`<br>*(required)* | n/a | Java version <ul><li>major versions: `'25'`, `'21'`, `'17'`, `'11'`, `'8'`</li><li>specific versions: `'21.0.3'`, `'17.0.11'`</li><li>early access (EA) builds: `'26-ea'` *(requires `distribution: 'graalvm'`)*</li><li>latest EA build: `'latest-ea'` *(requires `distribution: 'graalvm'`)*</li><li>dev builds: `'dev'`</li></ul> |
 | `distribution`  | `'graalvm'` | GraalVM distribution (see [supported distributions](#supported-distributions)) |
 | `java-package`  | `'jdk'` | The package type (`'jdk'` or `'jdk+fx'`). Currently applies to Liberica only. |
 | `github-token`  | `'${{ github.token }}'` | Token for communication with the GitHub API. Please set this to `${{ secrets.GITHUB_TOKEN }}` (see [templates](#templates)) to allow the action to authenticate with the GitHub API, which helps reduce rate-limiting issues. |
@@ -270,21 +270,16 @@ Only pull requests from committers that can be verified as having signed the OCA
 [gha-self-hosted-runners]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
 [gu]: https://www.graalvm.org/reference-manual/graalvm-updater/
 [graalvm]: https://www.graalvm.org/
-[graalvm-dl]: https://www.oracle.com/java/technologies/downloads/
-[graalvm-medium]: https://medium.com/graalvm/a-new-graalvm-release-and-new-free-license-4aab483692f5
+[graalvm-dl]: https://www.graalvm.org/downloads/
 [graalvm-ee]: https://www.oracle.com/downloads/graalvm-downloads.html
 [liberica]: https://bell-sw.com/liberica-native-image-kit/
 [mandrel]: https://github.com/graalvm/mandrel
 [mandrel-releases]: https://github.com/graalvm/mandrel/releases
 [mandrel-stable]: https://github.com/graalvm/mandrel/releases/latest
 [musl]: https://musl.libc.org/
-[native-image]: https://www.graalvm.org/native-image/
 [native-image-musl-build]: https://github.com/graalvm/setup-graalvm/blob/778131f1d6837ccd4b2e91382c31830896a2d56e/.github/workflows/test.yml#L74-L92
 [native-image-static]: https://github.com/oracle/graal/blob/fa6f4a974dedacf4688dcc430dd100849d9882f2/docs/reference-manual/native-image/StaticImages.md
 [oca]: https://oca.opensource.oracle.com
 [releases]: https://github.com/graalvm/graalvm-ce-builds/releases
-[repo]: https://github.com/oracle/graal
 [setup-java-caching]: https://github.com/actions/setup-java/tree/5b36705a13905facb447b6812d613a06a07e371d#caching-packages-dependencies
 [stable]: https://github.com/graalvm/graalvm-ce-builds/releases/latest
-[truffle-languages]: https://www.graalvm.org/reference-manual/languages/
-[vcvarsall]: https://docs.microsoft.com/en-us/cpp/build/building-on-the-command-line

__tests__/sbom.test.ts

@@ -145,6 +145,7 @@ describe('sbom feature', () => {
       writeFileSync(sbomPath, JSON.stringify(sbom, null, 2))
 
       mockFindSBOM([sbomPath])
+      jest.spyOn(core, 'getState').mockReturnValue(javaVersion)
 
       await processSBOM()
     }
@@ -190,6 +191,10 @@ describe('sbom feature', () => {
       ]
     }
 
+    it('should throw an error if setUpSBOMSupport was not called before processSBOM', async () => {
+      await expect(processSBOM()).rejects.toThrow('setUpSBOMSupport must be called before processSBOM')
+    })
+
     it('should process SBOM and display components', async () => {
       await setUpAndProcessSBOM(sampleSBOM)
 

eslint.config.mjs

@@ -53,7 +53,7 @@ export default [
 
       parserOptions: {
         project: ['tsconfig.eslint.json'],
-        tsconfigRootDir: '.'
+        tsconfigRootDir: __dirname
       }
     },
 

package.json

@@ -2,7 +2,7 @@
   "name": "setup-graalvm",
   "author": "GraalVM Community",
   "description": "GitHub Action for GraalVM",
-  "version": "1.3.1",
+  "version": "1.3.7",
   "private": true,
   "repository": {
     "type": "git",
@@ -33,43 +33,42 @@
   },
   "license": "UPL",
   "dependencies": {
-    "@actions/cache": "^4.0.0",
+    "@actions/cache": "^4.0.5",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
+    "@actions/github": "^6.0.1",
     "@actions/glob": "^0.5.0",
     "@actions/http-client": "^2.2.3",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
-    "@octokit/core": "^5.2.0",
-    "@octokit/types": "^13.8.0",
-    "@github/dependency-submission-toolkit": "^2.0.4",
-    "semver": "^7.7.1",
-    "uuid": "^11.0.5"
+    "@octokit/types": "^14.1.0",
+    "@github/dependency-submission-toolkit": "^2.0.5",
+    "semver": "^7.7.2",
+    "uuid": "^11.1.0"
   },
   "devDependencies": {
-    "@eslint/compat": "^1.2.6",
-    "@types/jest": "^29.5.14",
-    "@types/node": "^20.17.17",
-    "@types/semver": "^7.5.8",
+    "@eslint/compat": "^1.3.2",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^20.19.11",
+    "@types/semver": "^7.7.0",
     "@types/uuid": "^10.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.24.0",
-    "@typescript-eslint/parser": "^8.24.0",
+    "@typescript-eslint/eslint-plugin": "^8.41.0",
+    "@typescript-eslint/parser": "^8.31.1",
     "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.20.1",
-    "eslint-config-prettier": "^10.0.1",
-    "eslint-import-resolver-typescript": "^3.6.3",
-    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-jest": "^28.10.0",
-    "eslint-plugin-jsonc": "^2.19.1",
+    "eslint": "^9.34.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-import-resolver-typescript": "^4.4.4",
+    "eslint-plugin-import": "^2.32.0",
+    "eslint-plugin-jest": "^29.0.1",
+    "eslint-plugin-jsonc": "^2.20.1",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-prettier": "^5.2.3",
-    "jest": "^29.7.0",
+    "eslint-plugin-prettier": "^5.5.4",
+    "jest": "^30.1.2",
     "js-yaml": "^4.1.0",
-    "prettier": "^3.5.0",
-    "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.2.5",
+    "prettier": "^3.6.2",
+    "prettier-eslint": "^16.4.2",
+    "ts-jest": "^29.4.1",
     "ts-node": "^10.9.2",
-    "typescript": "^5.7.3"
+    "typescript": "^5.9.2"
   }
 }

src/constants.ts

@@ -1,6 +1,6 @@
 import * as otypes from '@octokit/types'
 
-export const ACTION_VERSION = '1.3.1'
+export const ACTION_VERSION = '1.3.7'
 
 export const INPUT_VERSION = 'version'
 export const INPUT_GDS_TOKEN = 'gds-token'

src/features/sbom.ts

@@ -10,8 +10,7 @@ import { setNativeImageOption } from '../utils'
 const INPUT_NI_SBOM = 'native-image-enable-sbom'
 const SBOM_FILE_SUFFIX = '.sbom.json'
 const MIN_JAVA_VERSION = '24.0.0'
-
-let javaVersionOrLatestEA: string | null = null
+const javaVersionKey = 'javaVersionKey'
 
 interface SBOM {
   components: Component[]
@@ -67,36 +66,36 @@ interface DependencySnapshot {
   >
 }
 
-export function setUpSBOMSupport(javaVersionOrDev: string, distribution: string): void {
+export function setUpSBOMSupport(javaVersion: string, distribution: string): void {
   if (!isFeatureEnabled()) {
     return
   }
 
-  validateJavaVersionAndDistribution(javaVersionOrDev, distribution)
-  javaVersionOrLatestEA = javaVersionOrDev
-  setNativeImageOption(javaVersionOrLatestEA, '--enable-sbom=export')
+  validateJavaVersionAndDistribution(javaVersion, distribution)
+  core.saveState(javaVersionKey, javaVersion)
+  setNativeImageOption(javaVersion, '--enable-sbom=export')
   core.info('Enabled SBOM generation for Native Image build')
 }
 
-function validateJavaVersionAndDistribution(javaVersionOrDev: string, distribution: string): void {
+function validateJavaVersionAndDistribution(javaVersion: string, distribution: string): void {
   if (distribution !== c.DISTRIBUTION_GRAALVM) {
     throw new Error(
       `The '${INPUT_NI_SBOM}' option is only supported for Oracle GraalVM (distribution '${c.DISTRIBUTION_GRAALVM}'), but found distribution '${distribution}'.`
     )
   }
 
-  if (javaVersionOrDev === 'dev') {
+  if (javaVersion === 'dev') {
     throw new Error(`The '${INPUT_NI_SBOM}' option is not supported for java-version 'dev'.`)
   }
 
-  if (javaVersionOrDev === 'latest-ea') {
+  if (javaVersion === 'latest-ea') {
     return
   }
 
-  const coercedJavaVersion = semver.coerce(javaVersionOrDev)
+  const coercedJavaVersion = semver.coerce(javaVersion)
   if (!coercedJavaVersion || semver.gt(MIN_JAVA_VERSION, coercedJavaVersion)) {
     throw new Error(
-      `The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersionOrDev}'.`
+      `The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersion}'.`
     )
   }
 }
@@ -106,7 +105,8 @@ export async function processSBOM(): Promise<void> {
     return
   }
 
-  if (javaVersionOrLatestEA === null) {
+  const javaVersion = core.getState(javaVersionKey)
+  if (!javaVersion) {
     throw new Error('setUpSBOMSupport must be called before processSBOM')
   }
 
@@ -116,7 +116,7 @@ export async function processSBOM(): Promise<void> {
     const sbomData = parseSBOM(sbomContent)
     const components = mapToComponentsWithDependencies(sbomData)
     printSBOMContent(components)
-    const snapshot = convertSBOMToSnapshot(sbomPath, components)
+    const snapshot = convertSBOMToSnapshot(javaVersion, sbomPath, components)
     await submitDependencySnapshot(snapshot)
   } catch (error) {
     throw new Error(
@@ -184,7 +184,7 @@ function printSBOMContent(components: Component[]): void {
   core.info('==================')
 }
 
-function convertSBOMToSnapshot(sbomPath: string, components: Component[]): DependencySnapshot {
+function convertSBOMToSnapshot(javaVersion: string, sbomPath: string, components: Component[]): DependencySnapshot {
   const context = github.context
   const sbomFileName = basename(sbomPath)
 
@@ -203,7 +203,7 @@ function convertSBOMToSnapshot(sbomPath: string, components: Component[]): Depen
     },
     detector: {
       name: 'Oracle GraalVM',
-      version: javaVersionOrLatestEA ?? '',
+      version: javaVersion,
       url: 'https://www.graalvm.org/'
     },
     scanned: new Date().toISOString(),

src/utils.ts

@@ -1,25 +1,15 @@
 import * as c from './constants'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import * as httpClient from '@actions/http-client'
 import * as semver from 'semver'
 import * as tc from '@actions/tool-cache'
 import * as fs from 'fs'
 import { ExecOptions, exec as e } from '@actions/exec'
 import { readFileSync, readdirSync } from 'fs'
-import { Octokit } from '@octokit/core'
 import { createHash } from 'crypto'
 import { join } from 'path'
 import { tmpdir } from 'os'
-
-// Set up Octokit for github.com only and in the same way as @actions/github (see https://git.io/Jy9YP)
-const baseUrl = 'https://api.github.com'
-const GitHubDotCom = Octokit.defaults({
-  baseUrl,
-  request: {
-    agent: new httpClient.HttpClient().getAgent(baseUrl)
-  }
-})
+import { GitHub } from '@actions/github/lib/utils'
 
 export async function exec(commandLine: string, args?: string[], options?: ExecOptions | undefined): Promise<void> {
   const exitCode = await e(commandLine, args, options)
@@ -29,9 +19,7 @@ export async function exec(commandLine: string, args?: string[], options?: ExecO
 }
 
 export async function getLatestRelease(repo: string): Promise<c.LatestReleaseResponse['data']> {
-  const githubToken = getGitHubToken()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
+  const octokit = getOctokit()
   return (
     await octokit.request('GET /repos/{owner}/{repo}/releases/latest', {
       owner: c.GRAALVM_GH_USER,
@@ -41,9 +29,7 @@ export async function getLatestRelease(repo: string): Promise<c.LatestReleaseRes
 }
 
 export async function getContents(repo: string, path: string): Promise<c.ContentsResponse['data']> {
-  const githubToken = getGitHubToken()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
+  const octokit = getOctokit()
   return (
     await octokit.request('GET /repos/{owner}/{repo}/contents/{path}', {
       owner: c.GRAALVM_GH_USER,
@@ -58,9 +44,7 @@ export async function getTaggedRelease(
   repo: string,
   tag: string
 ): Promise<c.LatestReleaseResponse['data']> {
-  const githubToken = getGitHubToken()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
+  const octokit = getOctokit()
   return (
     await octokit.request('GET /repos/{owner}/{repo}/releases/tags/{tag}', {
       owner,
@@ -75,9 +59,7 @@ export async function getMatchingTags(
   repo: string,
   tagPrefix: string
 ): Promise<c.MatchingRefsResponse['data']> {
-  const githubToken = getGitHubToken()
-  const options = githubToken.length > 0 ? { auth: githubToken } : {}
-  const octokit = new GitHubDotCom(options)
+  const octokit = getOctokit()
   return (
     await octokit.request('GET /repos/{owner}/{repo}/git/matching-refs/tags/{tagPrefix}', {
       owner,
@@ -156,8 +138,15 @@ export function isPREvent(): boolean {
   return process.env[c.ENV_GITHUB_EVENT_NAME] === c.EVENT_NAME_PULL_REQUEST
 }
 
-function getGitHubToken(): string {
-  return core.getInput(c.INPUT_GITHUB_TOKEN)
+function getOctokit(): InstanceType<typeof GitHub> {
+  /* Set up GitHub instance manually because @actions/github does not allow unauthenticated access */
+  const GitHubWithPlugins = GitHub.plugin()
+  const token = core.getInput(c.INPUT_GITHUB_TOKEN)
+  if (token) {
+    return new GitHubWithPlugins({ auth: `token ${token}` })
+  } else {
+    return new GitHubWithPlugins() /* unauthenticated */
+  }
 }
 
 export async function findExistingPRCommentId(bodyStartsWith: string): Promise<number | undefined> {
@@ -166,7 +155,7 @@ export async function findExistingPRCommentId(bodyStartsWith: string): Promise<n
   }
 
   const context = github.context
-  const octokit = github.getOctokit(getGitHubToken())
+  const octokit = getOctokit()
   try {
     const comments = await octokit.paginate(octokit.rest.issues.listComments, {
       ...context.repo,
@@ -189,7 +178,7 @@ export async function updatePRComment(content: string, commentId: number): Promi
   }
 
   try {
-    await github.getOctokit(getGitHubToken()).rest.issues.updateComment({
+    await getOctokit().rest.issues.updateComment({
       ...github.context.repo,
       comment_id: commentId,
       body: content
@@ -207,7 +196,7 @@ export async function createPRComment(content: string): Promise<void> {
   }
   const context = github.context
   try {
-    await github.getOctokit(getGitHubToken()).rest.issues.createComment({
+    await getOctokit().rest.issues.createComment({
       ...context.repo,
       issue_number: context.payload.pull_request?.number as number,
       body: content

tsconfig.json

@@ -2,6 +2,7 @@
   "$schema": "https://json.schemastore.org/tsconfig",
   "extends": "./tsconfig.base.json",
   "compilerOptions": {
+    "isolatedModules": true,
     "module": "NodeNext",
     "moduleResolution": "NodeNext",
     "outDir": "./dist"