Enable JDK vendor selection on dispatch event

[koppor]

User description

Follow-up to JabRef#721

Now and then we need/want to switch JDKs. Temurin, Bellsoft, Temurin. Now, I want to try OpenJ). With #13937 this is now more easily possible.

Workaround for gradlex-org/java-module-packaging#93 included.

---

Example for IBM

Received JVM installation metadata from 'D:\a\.gradle\jdks\eclipse_openj9-25-amd64-windows.2': {JAVA_HOME=D:\a\.gradle\jdks\eclipse_openj9-25-amd64-windows.2, JAVA_VERSION=25, JAVA_VENDOR=IBM Corporation, RUNTIME_NAME=IBM Semeru Runtime Open Edition, RUNTIME_VERSION=25+36-LTS, VM_NAME=Eclipse OpenJ9 VM, VM_VERSION=25+36-openj9-0.55.0, VM_VENDOR=Eclipse OpenJ9, OS_ARCH=amd64}

Steps to test

Try dispatch with this PR.

Mandatory checks

• I own the copyright of the code submitted and I license it under the MIT license
• I manually tested my changes in running JabRef (always required)
• [/] I added JUnit tests for changes (if applicable)
• [/] I added screenshots in the PR description (if change is visible to the user)
• [/] I described the change in CHANGELOG.md in a way that is understandable for the average user (if change is visible to the user)
• [/] I checked the user documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request updating file(s) in https://github.com/JabRef/user-documentation/tree/main/en.

---

PR Type

Enhancement

---

Description

• Enable JDK vendor selection via workflow dispatch inputs

• Support multiple JDK distributions (Temurin, Bellsoft, OpenJ9, etc.)

• Parameterize setup-gradle action with distribution and Java version

• Add JVM vendor detection and conditional jlink options for IBM JDKs

• Output JDK information to GitHub step summary for debugging

---

Diagram Walkthrough

flowchart LR
  A["Workflow Dispatch Inputs"] -->|jvmDistribution| B["setup-gradle Action"]
  A -->|jvmVendor| C["Gradle Toolchain Config"]
  B --> D["Setup JDK with Selected Distribution"]
  C --> E["Patch Gradle Build Files"]
  E --> F["Build with Selected JDK Vendor"]
  G["IBM JDK Detection"] --> H["Conditional jlink Options"]
  H --> I["Generate CDS Archive if not IBM"]

Loading

File Walkthrough

	Relevant files
Enhancement	action.yml Parameterize JDK distribution and version inputs                  .github/actions/setup-gradle/action.yml Added distribution input parameter with default value 'corretto' Added javaVersion input parameter with default value '25' Updated setup-java action to use parameterized inputs instead of hardcoded values +13/-2    binaries.yml Add JDK vendor and distribution workflow dispatch inputs  .github/workflows/binaries.yml Added jvmDistribution workflow dispatch input with 13 distribution options Added jvmVendor workflow dispatch input with 14 vendor options Output jvmDistribution from conditions job for downstream use Added JVM vendor and distribution logging to step summary Pass jvmDistribution to setup-gradle action Added step to output current Java environment details +73/-1    org.jabref.gradle.base.targets.gradle.kts Add IBM JDK detection and conditional jlink options            build-logic/src/main/kotlin/org.jabref.gradle.base.targets.gradle.kts Added IBM JDK detection using toolchain metadata vendor check Conditionally exclude --generate-cds-archive jlink option for IBM JDKs Removed hardcoded --generate-cds-archive from default jlink options Added comment referencing OpenJ9 issue for the conditional logic +11/-1    build.gradle.kts Remove hardcoded jlink option and add imports                        jabkit/build.gradle.kts Added imports for JavaPluginExtension and JavaToolchainService Removed hardcoded --generate-cds-archive jlink option Added comment referencing base targets gradle file for general jlink options Added blank line for formatting consistency +5/-1
Documentation	org.jabref.gradle.feature.compile.gradle.kts Add documentation comment for vendor configuration              build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts Added comment indicating that vendor changes require binaries.yml updates Clarified that sed operations in CI need to match vendor changes +1/-0
Formatting	build.gradle.kts Add imports and formatting improvements                                    jabgui/build.gradle.kts Added imports for JavaPluginExtension and JavaToolchainService Added blank line for formatting consistency Added blank line before targetsWithOs("linux") block +5/-0

---

[koppor]

Intermediate output:

Starting process 'command '/usr/lib/jvm/temurin-21-jdk-amd64/bin/java''. Working directory: /home/runner/.gradle/.tmp/tmp-jvm6284672125656544819probe Command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java -Xmx32m -Xms32m -cp . JavaProbe
Successfully started process 'command '/usr/lib/jvm/temurin-21-jdk-amd64/bin/java''

Where the hell is temurin installed?

[qodo-free-for-open-source-projects]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Command injection risk Description: The sed command uses user-controlled input ${{ inputs.jvmVendor }} without validation or sanitization, potentially allowing command injection if the input contains special characters or shell metacharacters that could escape the sed context. binaries.yml [377-385] Referred Code if: ${{ github.event_name == 'workflow_dispatch' && inputs.jvmVendor != 'AMAZON' }} shell: bash run: | set -ex PS4='+$LINENO: ' SED_I=(-i) [[ '${{ startsWith(matrix.os, 'macos') }}' == 'true' ]] && SED_I=(-i '') sed "${SED_I[@]}" "s/AMAZON/${{ inputs.jvmVendor }}/" build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts cat build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Generic variable name: Variable ibm uses a generic name that doesn't clearly express its purpose as a boolean flag indicating IBM JDK detection. Referred Code .map { it.metadata.vendor.contains("IBM", ignoreCase = true) } Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unvalidated workflow input: The jvmVendor input is directly used in sed command without validation, potentially allowing command injection if malicious values are provided. Referred Code sed "${SED_I[@]}" "s/AMAZON/${{ inputs.jvmVendor }}/" build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts cat build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-free-for-open-source-projects]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix incorrect workflow dispatch input access To correctly access the jvmVendor workflow dispatch input, replace inputs.jvmVendor with github.event.inputs.jvmVendor in the if condition and the run step. .github/workflows/binaries.yml [376-385] - name: Patch used JDK - if: ${{ github.event_name == 'workflow_dispatch' && inputs.jvmVendor != 'AMAZON' }} + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.jvmVendor != 'AMAZON' }} shell: bash run: | set -ex PS4='+$LINENO: ' SED_I=(-i) [[ '${{ startsWith(matrix.os, 'macos') }}' == 'true' ]] && SED_I=(-i '') - sed "${SED_I[@]}" "s/AMAZON/${{ inputs.jvmVendor }}/" build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts + sed "${SED_I[@]}" "s/AMAZON/${{ github.event.inputs.jvmVendor }}/" build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts cat build-logic/src/main/kotlin/org.jabref.gradle.feature.compile.gradle.kts Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a bug where workflow_dispatch inputs are accessed with the wrong context (inputs instead of github.event.inputs), which would cause the newly added step to fail or be skipped incorrectly.	High
More