ci: pin Marketplace ZIP Signer to 0.1.43 #88

Merged
lukaszlenart merged 1 commit into main from ci/pin-zipsigner-version
Jun 11, 2026
@lukaszlenart

Member

Problem

The Nightly release job (and by extension the release workflow) intermittently fails at :signPlugin:

Execution failed for task ':signPlugin'.
> No Marketplace ZIP Signer executable found.
  Please ensure the `zipSigner()` entry is present in the project dependencies section
  or `intellijPlatform.signing.cliPath` extension property

This is misleading — zipSigner() is already declared and defaultRepositories() is configured. The build config is unchanged since the last successful publish (v261.19027-nightly.3, 2026-05-20).

Root cause

zipSigner() was declared without a version, so the signer is resolved as "latest". The gradle/actions/setup-gradle cache is restored from prior runs — including non-signing build.yml runs that never download marketplace-zip-signer. When the nightly restores such a cache, Gradle ends up with stale metadata and an empty signing configuration, producing the "no executable found" error. Re-running the job (which re-resolves) works around it, but the flake recurs.

Verified locally: the exact same config + marketplace-zip-signer:0.1.43 resolves and runs fine even on a cold, --refresh-dependencies download — confirming the failure is environment/cache-specific, not a config bug.

Fix

Pin the signer version so the dependency is always deterministically resolvable:

zipSigner("0.1.43")

0.1.43 is the version that "latest" currently resolves to, so this is behavior-preserving while removing the cache-dependent flake.

Testing

  • signPlugin with the pinned version resolves and runs the signer (fails only on an intentionally-invalid test cert, not "no executable found").
  • CHANGELOG updated under Unreleased.

🤖 Generated with Claude Code

The nightly/release workflows intermittently fail at signPlugin with
"No Marketplace ZIP Signer executable found" even though zipSigner() is
declared. With no version pinned, a stale Gradle cache restored by
gradle/actions (e.g. saved by a non-signing build.yml run) can leave the
signing configuration empty. Pinning the version makes the signer
dependency deterministically resolvable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

🔌 Plugin artifact ready for testing!

Download from Actions artifacts

Artifact: struts2-261.19027.1

@lukaszlenart lukaszlenart enabled auto-merge (squash) June 11, 2026 05:14
@lukaszlenart lukaszlenart merged commit 2849715 into main Jun 11, 2026
5 checks passed
@lukaszlenart lukaszlenart deleted the ci/pin-zipsigner-version branch June 11, 2026 05:18
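
A CI guard for the regression this PR fixes, as an added example that is not part of the PR or the project's code: it scans a Gradle Kotlin DSL build script for `zipSigner()` calls that lack a literal version. The function names, the sample build scripts, and the rule that only a quoted numeric version counts as pinned are assumptions of this example.

```python
import re
import sys

# Any zipSigner(...) call in a Gradle Kotlin DSL script; group 1 is the argument text.
CALL = re.compile(r'\bzipSigner\s*\(([^)]*)\)')
# Assumption of this example: only a quoted numeric version such as "0.1.43" counts as pinned.
PINNED = re.compile(r'"\d+(\.\d+)+"')

def strip_comments(text):
    """Drop /* */ and // comments, keeping newlines so line numbers stay correct.
    Simplification: a // inside a string literal is also treated as a comment start."""
    text = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group().count('\n'), text, flags=re.S)
    return re.sub(r'//[^\n]*', '', text)

def unpinned_zip_signer(text):
    """Return [(line_number, argument)] for each zipSigner call lacking a literal version."""
    clean = strip_comments(text)
    findings = []
    for m in CALL.finditer(clean):
        arg = m.group(1).strip()
        if not PINNED.fullmatch(arg):
            findings.append((clean.count('\n', 0, m.start()) + 1, arg))
    return findings

# Constructed sample inputs (not the project's real build file).
SAMPLE_BEFORE = '''\
dependencies {
    intellijPlatform {
        /* zipSigner("0.1.0")
           left over from an experiment */
        zipSigner()  // resolved as "latest"
    }
}
'''
SAMPLE_AFTER = SAMPLE_BEFORE.replace('zipSigner()', 'zipSigner("0.1.43")')

if __name__ == "__main__":
    # Usage: python check_zipsigner.py <build script>...  (file name is hypothetical)
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line, arg in unpinned_zip_signer(fh.read()):
                failed = True
                print(f"{path}:{line}: zipSigner({arg}) has no pinned version")
    sys.exit(1 if failed else 0)
```

A variable or version-catalog reference is reported too, since the check cannot confirm that it resolves to a fixed version.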