Skip to content

Add jbangdev/setup-jbang action with tag v0.1.1#806

Open
tiagobento wants to merge 1 commit intoapache:mainfrom
tiagobento:tiagobento-setup-jbang
Open

Add jbangdev/setup-jbang action with tag v0.1.1#806
tiagobento wants to merge 1 commit intoapache:mainfrom
tiagobento:tiagobento-setup-jbang

Conversation

@tiagobento
Copy link
Copy Markdown

@tiagobento tiagobento commented May 6, 2026

Why this action is needed for your project

A new CI / PR checks system introduced in KIE (apache/incubator-kie-drools@eaed278) needs to run some scripts in order to produce efficient build partitioning for Maven builds. JBang was selected because it doesn't require any additional tooling for developers to install.

Any alternatives you've considered

Installing JBang manually but I would just be duplicating what the action already does. See manual installation instructions here. And the action's code here.

Any security concerns you've identified

None. jbagdev is the official organization of the JBang project in GitHub.

@tiagobento
Add jbangdev/setup-jbang action with tag v0.1.1
bc46913 
Signed-off-by: Tiago Bento <1584568+tiagobento@users.noreply.github.com>
@tiagobento tiagobento requested review from dfoulks1 and potiuk as code owners May 6, 2026 00:15
@potiuk potiuk mentioned this pull request May 6, 2026
Open
@potiuk
Copy link
Copy Markdown
Member

potiuk commented May 6, 2026

@tiagobento thanks for the PR. Heads up: I ran verify-action-build (the ASF security checker) against jbangdev/setup-jbang@2b1b465a… and it fails with 1 unverified binary download plus a pipe-to-shell (curl | sh) — high risk flag, both pointing at the same line:

curl -Ls https://sh.jbang.dev | bash -s - app setup

…and the equivalent iex "& { $(iwr https://ps.jbang.dev) } app setup" on Windows. The action's repo also has no LICENSE file. Manually inspected action.yml to confirm — there's no checksum, signature, or attestation step anywhere on the install path.

The good news is that upstream jbangdev/jbang already ships SHA256 sums and GPG signatures on every release, so this is a swap, not new infrastructure.

I've opened an issue with a concrete proposal: jbangdev/setup-jbang#16. Could you support it there and add a comment saying you'd like to use this from ASF infra? An ack from a real downstream consumer would help nudge it along.

Until verification lands upstream we can't approve this action — but it should be a quick fix once they pick a mechanism (sha256sum, gpg --verify, or sigstore are all accepted).

@potiuk potiuk mentioned this pull request May 6, 2026
Open
5 tasks
@tiagobento
Copy link
Copy Markdown
Author

tiagobento commented May 6, 2026

Thanks @potiuk! In the mean time, is it okay if I install a specific version manually and perform the checksums myself, in a temporary custom action? I can tag you in the PR where I do it, so that you can advise on best practices.

@potiuk
Copy link
Copy Markdown
Member

potiuk commented May 7, 2026

Thanks @potiuk! In the mean time, is it okay if I install a specific version manually and perform the checksums myself, in a temporary custom action? I can tag you in the PR where I do it, so that you can advise on best practices.

Sure. No need to tag me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dfoulks1 dfoulks1 Awaiting requested review from dfoulks1 dfoulks1 is a code owner

@potiuk potiuk Awaiting requested review from potiuk potiuk is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tiagobento @potiuk