Fix vulnerability scan of release version (#504)

bestbeforetoday · web-flow · commit bdb8e5af8a18 · 2026-01-21T12:18:00.000Z
The Gradle version use in v2.5.7 and earlier does not support Java 25.
Generation of Gradle lockfile (used as input to the vulnerability scan) has just started actively failing with Java 25.

This change uses Java 21 for vulnerability scanning, which is supported
by Gradle 8.5 and later.

Signed-off-by: Mark S. Lewis &lt;Mark.S.Lewis@outlook.com&gt;
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -16,18 +16,19 @@ jobs:
   osv-scanner:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ inputs.ref }}
       # Go needed for scanning of v2.5.5 and earlier
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: stable
           cache: false
-      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
+      - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
         with:
           distribution: temurin
-          java-version: 25
+          # Releases v2.5.7 and earlier do not support Java 25
+          java-version: 21
       - uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       - name: Scan
         run: make scan
diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
@@ -9,7 +9,7 @@ permissions:
   contents: read
 
 jobs:
-  latest-release-version:
+  release-version:
     name: Get latest release tag
     runs-on: ubuntu-latest
     outputs:
@@ -18,9 +18,13 @@ jobs:
       - id: tag-name
         run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"
 
-  scan:
-    name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
-    needs: latest-release-version
+  scan-release:
+    name: Scan ${{ needs.release-version.outputs.tag_name }}
+    needs: release-version
     uses: ./.github/workflows/scan.yml
     with:
-      ref: ${{ needs.latest-release-version.outputs.tag_name }}
+      ref: ${{ needs.release-version.outputs.tag_name }}
+
+  scan-latest:
+    name: Scan latest
+    uses: ./.github/workflows/scan.yml
