From 3fab0dd67041d7ae6b738660fb102cbc028bc723 Mon Sep 17 00:00:00 2001
From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
Date: Thu, 7 Aug 2025 09:31:38 +0300
Subject: [PATCH] chore: use Java 21 for building sigstore-java

This change bumps JDK we use when building the project, and it is mainly
to avoid known bugs in the toolchain.

The resulting binaries should still be compatible with Java 11.

At the same time, the commit skips "./gradlew test" checks for Java 11,
and we still execute tests with Java 11 via conformance.yml.

It would allow us to bump testing libraries as some of them require Java 17.

Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
---
 .github/workflows/ci.yaml                            | 11 ++++++-----
 .github/workflows/conformance.yml                    | 12 ++++++------
 .github/workflows/examples.yaml                      |  4 ++--
 .../release-sigstore-gradle-plugin-from-tag.yaml     |  6 +++---
 .../workflows/release-sigstore-java-from-tag.yaml    |  6 +++---
 .github/workflows/tuf-conformance.yml                |  8 ++++----
 build-logic/build-parameters/build.gradle.kts        |  2 +-
 settings.gradle.kts                                  |  9 +++++++++
 8 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f5568426..aa9671eb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -19,7 +19,8 @@ jobs:
   build:
     strategy:
       matrix:
-        java-version: [11, 17]
+        # sigstore-java still supports Java 11, however, we test it with conformance-tests only
+        java-version: [17, 21]
       fail-fast: false
 
     concurrency:
@@ -39,10 +40,10 @@ jobs:
     - name: Set up JDK ${{ matrix.java-version }}
       uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
       with:
-        # We need Java 17 for the build, so we install it always
+        # We need Java 21 for the build, so we install it always
         java-version: |
           ${{ matrix.java-version }}
-          17
+          21
         distribution: 'temurin'
     - name: Setup Go environment
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
@@ -62,9 +63,9 @@ jobs:
 
     - name: Ensure sigstore-java self signing still works
       if: ${{ !github.event.pull_request.head.repo.fork }}
-      run: ./gradlew sigstore-java:publishToMavenLocal -Prelease -PskipPgpSigning
+      run: ./gradlew -Porg.gradle.java.installations.auto-download=false sigstore-java:publishToMavenLocal -Prelease -PskipPgpSigning
 
     - name: Test sigstore-java/sandbox
       run: |
         cd sandbox
-        ./gradlew build
+        ./gradlew -Porg.gradle.java.installations.auto-download=false build
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 8df3e461..245c22a0 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       max-parallel: 1
       matrix:
-        java-version: [11, 17]
+        java-version: [11, 17, 21]
         sigstore-env: [production, staging]
       fail-fast: false
 
@@ -30,21 +30,21 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
 
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Build sigstore-java cli and server jar
-        run: ./gradlew :sigstore-cli:serverShadowJar
-      
+        run: ./gradlew -Porg.gradle.java.installations.auto-download=false :sigstore-cli:serverShadowJar
+
       - name: Start test server in background
         run: java -jar ${{ github.workspace }}/sigstore-cli/build/libs/sigstore-cli-server-all.jar &
-      
+
       - name: Wait for server to be ready
         run: curl --retry-connrefused --retry 10 --retry-delay 1 --fail http://localhost:8080/
 
diff --git a/.github/workflows/examples.yaml b/.github/workflows/examples.yaml
index 29c627eb..0c479d05 100644
--- a/.github/workflows/examples.yaml
+++ b/.github/workflows/examples.yaml
@@ -72,14 +72,14 @@ jobs:
     - name: Setup Java
       uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
       with:
-        java-version: 17
+        java-version: 21
         distribution: 'temurin'
 
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
     - name: install sigstore java development jars into mavenLocal
-      run: ./gradlew publishToMavenLocal -Prelease -PskipSigning
+      run: ./gradlew -Porg.gradle.java.installations.auto-download=false publishToMavenLocal -Prelease -PskipSigning
 
     - name: calculate development version
       id: dev_version
diff --git a/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml b/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml
index fc2514fa..887d6ce6 100644
--- a/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml
+++ b/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml
@@ -47,10 +47,10 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
 
       - name: Setup Gradle
@@ -58,7 +58,7 @@ jobs:
 
       - name: Build, Sign and Release to Gradle Plugin Portal
         run: |
-          ./gradlew publishPlugins -Prelease -Pgradle.publish.key=$GRADLE_PUBLISH_KEY -Pgradle.publish.secret=$GRADLE_PUBLISH_SECRET
+          ./gradlew -Porg.gradle.java.installations.auto-download=false publishPlugins -Prelease -Pgradle.publish.key=$GRADLE_PUBLISH_KEY -Pgradle.publish.secret=$GRADLE_PUBLISH_SECRET
         env:
           ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }}
           ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}
diff --git a/.github/workflows/release-sigstore-java-from-tag.yaml b/.github/workflows/release-sigstore-java-from-tag.yaml
index 5866079c..5bc0a600 100644
--- a/.github/workflows/release-sigstore-java-from-tag.yaml
+++ b/.github/workflows/release-sigstore-java-from-tag.yaml
@@ -48,10 +48,10 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
 
       - name: Setup Gradle
@@ -59,7 +59,7 @@ jobs:
 
       - name: Build, Sign and Release to Maven Central
         run: |
-          ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository :sigstore-maven-plugin:publishMavenJavaPublicationToSonatypeRepository -Prelease
+          ./gradlew -Porg.gradle.java.installations.auto-download=false clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository :sigstore-maven-plugin:publishMavenJavaPublicationToSonatypeRepository -Prelease
         env:
           ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }}
           ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }}
diff --git a/.github/workflows/tuf-conformance.yml b/.github/workflows/tuf-conformance.yml
index 180efe16..8220d496 100644
--- a/.github/workflows/tuf-conformance.yml
+++ b/.github/workflows/tuf-conformance.yml
@@ -12,7 +12,7 @@ jobs:
     strategy:
       max-parallel: 1
       matrix:
-        java-version: [11, 17]
+        java-version: [11, 17, 21]
       fail-fast: false
 
     concurrency:
@@ -28,17 +28,17 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
-          java-version: 17
+          java-version: 21
           distribution: 'temurin'
 
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
       - name: Build tuf cli
-        run: ./gradlew :tuf-cli:build
+        run: ./gradlew -Porg.gradle.java.installations.auto-download=false :tuf-cli:build
 
       - name: Unpack tuf distribution
         run: tar -xvf ${{ github.workspace }}/tuf-cli/build/distributions/tuf-cli-*.tar --strip-components 1
diff --git a/build-logic/build-parameters/build.gradle.kts b/build-logic/build-parameters/build.gradle.kts
index 2f337056..94f41681 100644
--- a/build-logic/build-parameters/build.gradle.kts
+++ b/build-logic/build-parameters/build.gradle.kts
@@ -14,7 +14,7 @@ buildParameters {
     }
     val projectName = "sigstore-java"
     integer("jdkBuildVersion") {
-        defaultValue.set(17)
+        defaultValue.set(21)
         mandatory.set(true)
         description.set("JDK version to use for building $projectName. If the value is 0, then the current Java is used. (see https://docs.gradle.org/8.4/userguide/toolchains.html#sec:consuming)")
     }
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 48d85287..e451e5f3 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -1,5 +1,14 @@
+plugins {
+    id("org.gradle.toolchains.foojay-resolver-convention") version "1.0.0"
+}
+
 rootProject.name = "sigstore-java-root"
 
+if (JavaVersion.current() < JavaVersion.VERSION_21) {
+    throw UnsupportedOperationException("Please use Java 21+ for launching Gradle when building ${rootProject.name}, the current Java is ${JavaVersion.current().majorVersion}. " +
+            "If you want to execute tests with a different Java version, use -PjdkTestVersion=${JavaVersion.current().majorVersion}")
+}
+
 includeBuild("build-logic-commons")
 includeBuild("build-logic")