From 7faa8cc1d7b9a4f91eb3f596382bda9254f44e5e Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Wed, 21 Jan 2026 11:32:00 +0000
Subject: [PATCH] Fix vulnerability scan of release version

The Gradle version use in v2.5.7 and earlier does not support Java 25. Generation of Gradle lockfile (used as input to the vulnerability scan) has just started actively failing with Java 25. This change uses Java 21 for vulnerability scanning, which is supported by Gradle 8.5 and later.

Signed-off-by: Mark S. Lewis
---
 .github/workflows/scan.yml | 9 +++++----
 .github/workflows/scheduled-scan.yml | 14 +++++++++-----
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 81c560e9..9ffd926e 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -16,18 +16,19 @@ jobs:
 osv-scanner:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 ref: ${{ inputs.ref }}
 # Go needed for scanning of v2.5.5 and earlier
- - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
 with:
 go-version: stable
 cache: false
- - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
+ - uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
 with:
 distribution: temurin
- java-version: 25
+ # Releases v2.5.7 and earlier do not support Java 25
+ java-version: 21
 - uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
 - name: Scan
 run: make scan
diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
index cfbe5687..191af837 100644
--- a/.github/workflows/scheduled-scan.yml
+++ b/.github/workflows/scheduled-scan.yml
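Review bot: The `java-version: 21` pin in scan.yml applies to every caller of this reusable workflow, including the new `scan-latest` job in scheduled-scan.yml, not only to the v2.5.7-and-earlier tags named in the comment. If the current branch builds against a newer JDK (the removed value was 25; the build files are not visible here), its Gradle lockfile would be generated under a different Java version than the one it is built with, so the scan input may not match the real dependency set, or lockfile generation may fail outright. Consider making the version a workflow input, e.g. `java-version: ${{ inputs.java-version || '21' }}`, and passing the newer version from `scan-latest`. The `on:` block where that input would be declared lies outside this hunk.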
@@ -9,7 +9,7 @@ permissions:
 contents: read

 jobs:
- latest-release-version:
+ release-version:
 name: Get latest release tag
 runs-on: ubuntu-latest
 outputs:
@@ -18,9 +18,13 @@ jobs:
 - id: tag-name
 run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"

- scan:
- name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
- needs: latest-release-version
+ scan-release:
+ name: Scan ${{ needs.release-version.outputs.tag_name }}
+ needs: release-version
 uses: ./.github/workflows/scan.yml
 with:
- ref: ${{ needs.latest-release-version.outputs.tag_name }}
+ ref: ${{ needs.release-version.outputs.tag_name }}
+
+ scan-latest:
+ name: Scan latest
+ uses: ./.github/workflows/scan.yml
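Review bot: `scan-release` uses `tag_name` without checking that the lookup succeeded: the `tag-name` step wraps the curl/jq pipeline in `echo "value=$(...)"`, so a failed or rate-limited API call still exits 0 and writes an empty value. scan.yml hands that to checkout as `ref: ${{ inputs.ref }}`, and an empty ref presumably falls back to the workflow's default ref, which is the same path the new `scan-latest` job takes by passing no `ref`. The scheduled run would then report success without having scanned the release. Failing the step closes that gap: `tag="$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output --exit-status '.tag_name')"` followed by `echo "value=${tag}" >> "${GITHUB_OUTPUT}"`. It is also worth confirming that scan.yml declares `ref` as an optional input, since its `on:` block is not shown and `scan-latest` omits it.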