Security & supply chainsetup-java 5.5.0 adds JDK signature verification, if you remember to enable it
GitHub's actions/setup-java 5.5.0 adds opt-in GPG signature verification for downloaded JDKs, plus a Kona distribution parameter and a set of Maven quality fixes. It closes a real supply-chain gap for Java CI jobs, but existing pipelines keep pulling unsigned JDKs until someone flips the switch.