Replace unauthenticated SDKMAN install with SHA-pinned orb command#1736
Merged
Conversation
a1220e6 to
56aaad5
Compare
56aaad5 to
30538a4
Compare
ajpallares
approved these changes
Apr 30, 2026
RCGitBot
added a commit
that referenced
this pull request
May 7, 2026
**This is an automatic release.** ## RevenueCat SDK ### 📦 Dependency Updates * [AUTOMATIC BUMP] Updates purchases-hybrid-common to 18.4.0 (#1744) via RevenueCat Git Bot (@RCGitBot) * [Android 10.3.1](https://github.com/RevenueCat/purchases-android/releases/tag/10.3.1) * [Android 10.3.0](https://github.com/RevenueCat/purchases-android/releases/tag/10.3.0) * [Android 10.2.1](https://github.com/RevenueCat/purchases-android/releases/tag/10.2.1) * [iOS 5.70.0](https://github.com/RevenueCat/purchases-ios/releases/tag/5.70.0) * [iOS 5.69.0](https://github.com/RevenueCat/purchases-ios/releases/tag/5.69.0) * [Web 1.38.0](https://github.com/RevenueCat/purchases-js/releases/tag/1.38.0) * [Web 1.37.0](https://github.com/RevenueCat/purchases-js/releases/tag/1.37.0) * [Web 1.36.0](https://github.com/RevenueCat/purchases-js/releases/tag/1.36.0) * [Web 1.35.1](https://github.com/RevenueCat/purchases-js/releases/tag/1.35.1) * [Web 1.35.0](https://github.com/RevenueCat/purchases-js/releases/tag/1.35.0) * [AUTOMATIC BUMP] Updates purchases-hybrid-common to 18.3.0 (#1741) via RevenueCat Git Bot (@RCGitBot) * [AUTOMATIC BUMP] Updates purchases-hybrid-common to 18.2.0 (#1739) via RevenueCat Git Bot (@RCGitBot) ### 🔄 Other Changes * Bump fastlane-plugin-revenuecat_internal from `21e02ec` to `af7bb5c` (#1743) via dependabot[bot] (@dependabot[bot]) * Bump fastlane-plugin-revenuecat_internal from `2d11430` to `21e02ec` (#1742) via dependabot[bot] (@dependabot[bot]) * Bump fastlane-plugin-revenuecat_internal from `d24ab26` to `2d11430` (#1740) via dependabot[bot] (@dependabot[bot]) * Replace unauthenticated SDKMAN install with SHA-pinned orb command (#1736) via Rick (@rickvdl) * Bump fastlane from 2.233.0 to 2.233.1 (#1737) via dependabot[bot] (@dependabot[bot]) * Bump fastlane-plugin-revenuecat_internal from `b822f01` to `d24ab26` (#1734) via dependabot[bot] (@dependabot[bot]) * Add web SDK to release automations (#1732) via Toni Rico (@tonidero) * Bump fastlane-plugin-revenuecat_internal from `58cccc8` to `b822f01` (#1730) via dependabot[bot] (@dependabot[bot]) * Bump fastlane from 2.232.2 to 2.233.0 (#1731) via dependabot[bot] (@dependabot[bot]) * Bump fastlane-plugin-revenuecat_internal from `a1eed48` to `58cccc8` (#1729) via dependabot[bot] (@dependabot[bot]) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk release-only change that bumps package/plugin version strings and updates changelogs without altering runtime logic. > > **Overview** > Bumps the Flutter Purchases SDK and `purchases_ui_flutter` package versions from `10.0.1` to `10.0.2` across `pubspec.yaml`, Android/iOS/macOS build metadata, and plugin version constants (including web). > > Updates `CHANGELOG.md` and `CHANGELOG-LATEST.md` with the `10.0.2` release notes (notably the `purchases-hybrid-common` 18.4.0 bump and related automation/tooling updates), and updates `purchases_ui_flutter` to depend on `purchases_flutter: ^10.0.2`. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 5e027ca. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps
revenuecat/sdks-common-configto3.20.0and replaces the localinstall-sdkmancommand (which used unauthenticatedcurl https://get.sdkman.io | bash) with the newrevenuecat/install-sdkmanorb command, which pins SDKMAN to a SHA256-verified GitHub release.Mirrors the pattern from sdks-circleci-orb#55.
The prior soft-fail wrapper around the SDKMAN install ("continuing with default Java") is dropped — the orb command intentionally fails hard on a SHA-256 mismatch, which is the security guarantee. The downstream
sdk env installJava setup is preserved as its own run-step at each invocation site, with its existing soft-fail kept intact. The local command'srootparameter is also dropped: the orb command auto-resolvesSDKMAN_DIRto$HOME/.sdkman, which matches both the previous default (/root) for docker-as-root executors and the explicit/home/circlecifor the machine executor.Note
Medium Risk
Touches CI bootstrap for Java/SDKMAN across multiple jobs; failures could break builds/tests, but the change is scoped to pipeline configuration and improves supply-chain security.
Overview
Upgrades the
revenuecat/sdks-common-configCircleCI orb from3.16.0to3.20.0.Replaces the custom
install-sdkmanimplementation (previouslycurl | bashwith a configurableroot) withrevenuecat/install-sdkman, and updates job invocations to use the simplified command while keeping the subsequentsdk env installJava setup step.Reviewed by Cursor Bugbot for commit 30538a4. Bugbot is set up for automated code reviews on this repo. Configure here.