This document outlines the security measures and supply chain security practices for the jdkvalhalla Homebrew tap. We take the security of our users seriously and have implemented multiple layers of protection.

If you discover a security vulnerability, please report it by:

1. DO NOT open a public issue
2. Email security concerns to the repository maintainers
3. Provide detailed information about the vulnerability
4. Allow reasonable time for a fix before public disclosure

Manual Approval Required: All releases require manual approval before distribution to prevent automatic deployment of potentially compromised JDK builds.

• Releases use GitHub Environments with required reviewers
• The release-approval environment must be configured with trusted reviewers
• Configuration: Settings > Environments > release-approval > Required reviewers

SHA256 Checksums: All JDK downloads are verified using SHA256 checksums.

• Checksums are embedded in the Homebrew formula and cask files
• Homebrew automatically verifies downloads before installation
• Any checksum mismatch will abort the installation

GPG Verification (when available): We check for GPG signatures from OpenJDK.

• OpenJDK EA builds typically don't provide GPG signatures
• When available, signatures will be verified automatically
• Current status is logged in release workflows

Each release includes an SBOM in SPDX 2.3 format:

• Provides transparency about package contents
• Includes licensing information
• Available as a release asset (sbom-*.spdx.json)
• Enables downstream verification and compliance

CodeQL Analysis:

• Runs on every push and pull request
• Weekly scheduled scans on Mondays
• Analyzes Python and Ruby code
• Uses extended security and quality queries

Dependabot:

• Monitors GitHub Actions dependencies
• Weekly checks for updates
• Automated pull requests for dependency updates
• Configured in .github/dependabot.yml

Request Timeouts: All network requests have 30-second timeouts to prevent hanging operations.

HTTPS Only: All downloads and API requests use HTTPS.

Pinned Actions: All GitHub Actions use SHA-pinned versions for immutability.

Limited Permissions: Workflows follow the principle of least privilege.

• release.yml: Only contents: write and pull-requests: write
• Other workflows: Minimal required permissions

First-Time Contributor Approval:

• First-time contributors require manual approval to run workflows
• Protects against malicious workflow modifications
• Configure in: Settings > Actions > General > Fork pull request workflows

Input Validation:

• All shell variables are properly quoted
• set -euo pipefail used in bash scripts for error handling
• Version strings validated before use

Branch Protection (recommended configuration):

• Require pull request reviews before merging
• Require status checks to pass (Validate workflow)
• Require up-to-date branches before merging
• Require conversation resolution before merging

Comprehensive Logging:

• All release steps are logged
• Verification status recorded in workflow outputs
• Git tags preserve release history
• Release notes include detailed changelogs

1. Check the Formula/Cask:

   brew cat artagon/jdkvalhalla/jdkvalhalla@27

   Verify the SHA256 checksums are present

2. Review Release Notes:

   • Visit the Releases page
   • Check for the SBOM file
   • Review the changelog for unexpected changes

3. Verify Installation:

   # After installation
   java -version

   Confirm the version matches the expected build

Download the SBOM from the release assets:

curl -LO https://github.com/Artagon/homebrew-jdkvalhalla/releases/download/v{VERSION}/sbom-{VERSION}.spdx.json

Verify it contains expected package information.

1. Never commit secrets (API keys, tokens, credentials)
2. Test locally before submitting pull requests
3. Follow secure coding practices:
   • Quote shell variables
   • Validate inputs
   • Use timeouts for network operations
4. Keep dependencies updated
5. Review Dependabot PRs promptly

Changes to workflows require extra scrutiny:

• Avoid adding new network calls without timeouts
• Don't disable security features (e.g., set -e)
• Maintain least-privilege permissions
• Document security implications

1. Immediate Actions:

   • Pause all releases
   • Revoke compromised credentials
   • Assess impact scope

2. Investigation:

   • Review audit logs
   • Check for unauthorized changes
   • Verify integrity of recent releases

3. Communication:

   • Notify users via GitHub Security Advisory
   • Provide remediation steps
   • Document timeline and impact

4. Remediation:

   • Release patched version
   • Update security measures
   • Conduct post-mortem

• SPDX 2.3: Software Bill of Materials format
• Semantic Versioning: Version numbering follows JDK versioning
• GitHub Security Best Practices: Actions and workflow security

SLSA Provenance (planned):

• Will implement when OpenJDK supports SLSA
• Provides cryptographic guarantees about build process
• Enables comprehensive supply chain verification

Multi-Source Verification (planned):

• Cross-check versions against multiple sources
• Verify consistency across distribution channels
• Detect potential tampering

• GitHub Actions: Weekly Dependabot checks
• Homebrew formula: Updated when new JDK builds are released
• Security patches: Applied immediately upon discovery

• Security improvements: Implemented promptly
• Breaking changes: Announced in advance
• Deprecations: Minimum 30-day notice

For security concerns, please contact the repository maintainers through:

• GitHub Issues (for non-sensitive topics)
• Email (for security vulnerabilities - see repository contact info)

This security policy is based on industry best practices and GitHub's security recommendations.

Last Updated: 2026-03-26 Policy Version: 1.1