Replace unauthenticated SDKMAN install with SHA-pinned orb command#3407

Merged
rickvdl merged 1 commit into main from rickvdl/migrate-to-secure-sdkman-orb-command on Apr 30, 2026
Conversation

@rickvdl

@rickvdl rickvdl commented Apr 29, 2026

Member

Bumps revenuecat/sdks-common-config to 3.20.0 and replaces the local install-sdkman command (which used unauthenticated curl https://get.sdkman.io | bash) with the new revenuecat/install-sdkman orb command, which pins SDKMAN to a SHA256-verified GitHub release.

Mirrors the pattern from sdks-circleci-orb#55.

The prior soft-fail wrapper around the SDKMAN install ("continuing with default Java") is dropped — the orb command intentionally fails hard on a SHA-256 mismatch, which is the security guarantee. The downstream sdk env install Java setup is preserved as its own run-step at each of the 28 invocation sites, with its existing soft-fail kept intact.


Note

Medium Risk
Changes CI bootstrapping for Java/SDKMAN; orb-based install may fail builds if verification or orb behavior differs, but impact is limited to pipeline execution (not runtime product code).

Overview
Replaces the custom install-sdkman implementation in .circleci/config.yml (curling get.sdkman.io) with the orb-provided revenuecat/install-sdkman command, shifting SDKMAN installation to a SHA-verified mechanism.

Bumps revenuecat/sdks-common-config from 3.17.0 to 3.20.0 while keeping the subsequent sdk env install Java setup step (still soft-failing to default Java on error).

Reviewed by Cursor Bugbot for commit 6aefb0d. Bugbot is set up for automated code reviews on this repo. Configure here.
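The pattern the description relies on (download a pinned release, compare its SHA-256 against a hash stored in the config, and abort the job on mismatch instead of soft-failing) is sketched below as an added example. This is not the orb's code or RevenueCat's config; the URL, hash, archive format (zip), and function names are assumptions, and the demo at the end runs on a constructed file so it works offline.

```shell
#!/usr/bin/env sh
# Added example, not the revenuecat/install-sdkman orb: fetch an archive and
# install it only if its SHA-256 equals a value pinned in the config.
# ARCHIVE_URL, PINNED_SHA256 and the zip layout are hypothetical placeholders.
set -eu

# Return 0 if the SHA-256 of file $1 equals $2 (lowercase hex), else 1.
# Falls back from sha256sum (coreutils) to shasum -a 256 (macOS images).
verify_sha256() {
  file="$1"
  expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# Download, verify, then extract. There is deliberately no "continue with
# default" branch: a hash mismatch returns non-zero and the CI step fails.
install_pinned_archive() {
  url="$1"
  sha="$2"
  dest="$3"
  tmp=$(mktemp)
  # --fail turns HTTP errors into a non-zero exit instead of saving an error page.
  curl --fail --silent --show-error --location --output "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$sha"; then
    echo "SHA-256 mismatch for $url; refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$dest"
  unzip -q "$tmp" -d "$dest"   # assumes the pinned release is a zip archive
  rm -f "$tmp"
}

# Offline demo on a constructed file: "hello\n" has a well-known SHA-256.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
if verify_sha256 "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
  echo "constructed file verified"
else
  echo "constructed file FAILED verification" >&2
fi
rm -f "$demo_file"
```

In a real pipeline the pinned hash lives next to the version in the orb or config, so bumping SDKMAN means updating both values in one reviewed change; the `curl ... | bash` form it replaces verified nothing beyond TLS.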

@codecov

codecov Bot commented Apr 29, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.45%. Comparing base (1ace9ec) to head (6aefb0d).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3407   +/-   ##
=======================================
  Coverage   79.45%   79.45%           
=======================================
  Files         362      362           
  Lines       14539    14539           
  Branches     1976     1976           
=======================================
  Hits        11552    11552           
  Misses       2190     2190           
  Partials      797      797           

☔ View full report in Codecov by Sentry.
@rickvdl rickvdl force-pushed the rickvdl/migrate-to-secure-sdkman-orb-command branch from 5c9e693 to af00e0b Compare April 30, 2026 06:59
@rickvdl rickvdl marked this pull request as ready for review April 30, 2026 07:05
@rickvdl rickvdl requested a review from a team as a code owner April 30, 2026 07:05

@cursor cursor Bot left a comment

Contributor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit af00e0b834e4977bb5cf3fd83c47c0e9516d6328. Configure here.

Comment thread .circleci/config.yml Outdated
@rickvdl rickvdl force-pushed the rickvdl/migrate-to-secure-sdkman-orb-command branch from af00e0b to 6aefb0d Compare April 30, 2026 07:17
@rickvdl rickvdl added this pull request to the merge queue Apr 30, 2026
Merged via the queue into main with commit 255baf6 Apr 30, 2026
37 checks passed
@rickvdl rickvdl deleted the rickvdl/migrate-to-secure-sdkman-orb-command branch April 30, 2026 07:55
matteinn pushed a commit to matteinn/purchases-android that referenced this pull request Jun 5, 2026
**This is an automatic release.**

## RevenueCat SDK
### ✨ New Features
* Add optional support for setting obfuscated account id to product
changes (RevenueCat#3428) via Mark Villacampa (@MarkVillacampa)

## RevenueCatUI SDK
### Paywallv2
#### ✨ New Features
* Add slide transition to workflow paywalls (RevenueCat#3418) via Cesar de la Vega
(@vegaro)
* Workflow state & ViewModel infrastructure (RevenueCat#3416) via Cesar de la Vega
(@vegaro)
#### 🐞 Bugfixes
* Fix paywall layout direction for RTL locale overrides (PWENG-39)
(RevenueCat#3425) via Monika Mateska (@MonikaMateska)
* Apply ripple shape clip on a sibling Box to avoid clipping content
(RevenueCat#3395) via Toni Rico (@tonidero)

### 🔄 Other Changes
* build(deps): bump fastlane-plugin-revenuecat_internal from `21e02ec`
to `af7bb5c` (RevenueCat#3442) via dependabot[bot] (@dependabot[bot])
* Abstract workflow page transition animation behind sealed class
(RevenueCat#3430) via Cesar de la Vega (@vegaro)
* Add `single_step_fallback_id` field to `PublishedWorkflow` (RevenueCat#3436) via
Cesar de la Vega (@vegaro)
* build(deps): bump fastlane-plugin-revenuecat_internal from `2d11430`
to `21e02ec` (RevenueCat#3429) via dependabot[bot] (@dependabot[bot])
* Generalize `PaywallComponentsScaffold` for workflow reuse (RevenueCat#3417) via
Cesar de la Vega (@vegaro)
* perf: pre-warm workflow paywall step states off-thread (RevenueCat#3420) via
Cesar de la Vega (@vegaro)
* Update baseline profiles (RevenueCat#3427) via RevenueCat Git Bot (@RCGitBot)
* build(deps): bump fastlane-plugin-revenuecat_internal from `d24ab26`
to `2d11430` (RevenueCat#3426) via dependabot[bot] (@dependabot[bot])
* Replace unauthenticated SDKMAN install with SHA-pinned orb command
(RevenueCat#3407) via Rick (@rickvdl)
* Auto load paywall in paywall tester via local.properties (RevenueCat#3405) via
Cesar de la Vega (@vegaro)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: this is a version/release cut that mainly updates version
strings, changelogs, and doc deployment targets with no functional logic
changes beyond version identifiers.
> 
> **Overview**
> Cuts the `10.4.0` release by removing `-SNAPSHOT` across the project
(core `VERSION_NAME`, `Config.frameworkVersion`, sample/test app
dependency versions, and the root `.version` file).
> 
> Updates release collateral and publishing to point at `10.4.0`,
including changelogs (`CHANGELOG.md`/`CHANGELOG.latest.md`), docs
redirect (`docs/index.html`), and the CircleCI `docs-deploy` S3 sync
path (from `10.4.0-SNAPSHOT` to `10.4.0`).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f7b3604. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->