GitHub Actions setup-java 5.5 adds optional cryptographic signature verification for downloaded JDKs, plus Tencent Kona support and Maven workflow fixes. Use this when Java CI needs stronger supply-chain checks without replacing the standard setup-java action. Enable verify-signature: true for supported distributions such as Temurin and Microsoft, pin the action to v5.5.0 or its full commit SHA, and fail fast when a distribution cannot verify signatures instead of silently accepting an unchecked JDK download. This is a TOOL candidate, not a broad news post: it helps teams harden Java workflows, but it does not materially change the whole developer platform.