Merge branch 'main' into copilot/support-caching-maven-plugin-dependencies

This commit is contained in:
Bruno Borges
2026-07-07 15:02:10 -04:00
committed by GitHub
46 changed files with 4316 additions and 350 deletions
+1
View File
@@ -80,6 +80,7 @@ export function generate(
'@xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance',
'@xsi:schemaLocation':
'http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd',
interactiveMode: false,
servers: {
server: [
{
+8
View File
@@ -6,6 +6,9 @@ export const INPUT_JAVA_PACKAGE = 'java-package';
export const INPUT_DISTRIBUTION = 'distribution';
export const INPUT_JDK_FILE = 'jdkFile';
export const INPUT_CHECK_LATEST = 'check-latest';
export const INPUT_SET_DEFAULT = 'set-default';
export const INPUT_VERIFY_SIGNATURE = 'verify-signature';
export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
export const INPUT_SERVER_ID = 'server-id';
export const INPUT_SERVER_USERNAME = 'server-username';
export const INPUT_SERVER_PASSWORD = 'server-password';
@@ -28,5 +31,10 @@ export const MVN_SETTINGS_FILE = 'settings.xml';
export const MVN_TOOLCHAINS_FILE = 'toolchains.xml';
export const INPUT_MVN_TOOLCHAIN_ID = 'mvn-toolchain-id';
export const INPUT_MVN_TOOLCHAIN_VENDOR = 'mvn-toolchain-vendor';
export const INPUT_SHOW_DOWNLOAD_PROGRESS = 'show-download-progress';
export const MAVEN_ARGS_ENV = 'MAVEN_ARGS';
export const MAVEN_NO_TRANSFER_PROGRESS_FLAG = '-ntp';
export const MAVEN_NO_TRANSFER_PROGRESS_LONG_FLAG = '--no-transfer-progress';
export const DISTRIBUTIONS_ONLY_MAJOR_VERSION = ['corretto'];
+33 -3
View File
@@ -20,6 +20,9 @@ export abstract class JavaBase {
protected packageType: string;
protected stable: boolean;
protected checkLatest: boolean;
protected setDefault: boolean;
protected verifySignature: boolean;
protected verifySignaturePublicKey: string | undefined;
constructor(
protected distribution: string,
@@ -36,6 +39,12 @@ export abstract class JavaBase {
this.architecture = installerOptions.architecture || os.arch();
this.packageType = installerOptions.packageType;
this.checkLatest = installerOptions.checkLatest;
this.setDefault =
installerOptions.setDefault !== undefined
? installerOptions.setDefault
: true;
this.verifySignature = installerOptions.verifySignature ?? false;
this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey;
}
protected abstract downloadTool(
@@ -46,6 +55,12 @@ export abstract class JavaBase {
): Promise<JavaDownloadRelease>;
public async setupJava(): Promise<JavaInstallerResults> {
if (this.verifySignature && !this.supportsSignatureVerification()) {
throw new Error(
`Input 'verify-signature' is not supported for distribution '${this.distribution}'.`
);
}
let foundJava = this.findInToolcache();
if (foundJava && !this.checkLatest) {
core.info(`Resolved Java ${foundJava.version} from tool-cache`);
@@ -169,8 +184,15 @@ export abstract class JavaBase {
foundJava.path = macOSPostfixPath;
}
core.info(`Setting Java ${foundJava.version} as the default`);
this.setJavaDefault(foundJava.version, foundJava.path);
if (this.setDefault) {
core.info(`Setting Java ${foundJava.version} as the default`);
this.setJavaDefault(foundJava.version, foundJava.path);
} else {
core.info(
`Installing Java ${foundJava.version} (not setting as default)`
);
this.setJavaEnvironment(foundJava.version, foundJava.path);
}
return foundJava;
}
@@ -179,6 +201,10 @@ export abstract class JavaBase {
return `Java_${this.distribution}_${this.packageType}`;
}
protected supportsSignatureVerification(): boolean {
return false;
}
protected getToolcacheVersionName(version: string): string {
if (!this.stable) {
if (version.includes('+')) {
@@ -298,9 +324,13 @@ export abstract class JavaBase {
}
protected setJavaDefault(version: string, toolPath: string) {
const majorVersion = version.split('.')[0];
core.exportVariable('JAVA_HOME', toolPath);
core.addPath(path.join(toolPath, 'bin'));
this.setJavaEnvironment(version, toolPath);
}
protected setJavaEnvironment(version: string, toolPath: string) {
const majorVersion = version.split('.')[0];
core.setOutput('distribution', this.distribution);
core.setOutput('path', toolPath);
core.setOutput('version', version);
+4
View File
@@ -3,6 +3,9 @@ export interface JavaInstallerOptions {
architecture: string;
packageType: string;
checkLatest: boolean;
setDefault?: boolean;
verifySignature?: boolean;
verifySignaturePublicKey?: string;
}
export interface JavaInstallerResults {
@@ -13,4 +16,5 @@ export interface JavaInstallerResults {
export interface JavaDownloadRelease {
version: string;
url: string;
signatureUrl?: string;
}
+1 -2
View File
@@ -127,8 +127,7 @@ export class CorrettoDistribution extends JavaBase {
private getAvailableVersionsForPlatform(
eligibleVersions:
| ICorrettoAllAvailableVersions['os']['arch']['imageType']
| undefined
ICorrettoAllAvailableVersions['os']['arch']['imageType'] | undefined
): ICorrettoAvailableVersions[] {
const availableVersions: ICorrettoAvailableVersions[] = [];
+5 -1
View File
@@ -16,6 +16,7 @@ import {
GraalVMDistribution
} from './graalvm/installer';
import {JetBrainsDistribution} from './jetbrains/installer';
import {KonaDistribution} from './kona/installer';
enum JavaDistribution {
Adopt = 'adopt',
@@ -33,7 +34,8 @@ enum JavaDistribution {
SapMachine = 'sapmachine',
GraalVM = 'graalvm',
GraalVMCommunity = 'graalvm-community',
JetBrains = 'jetbrains'
JetBrains = 'jetbrains',
Kona = 'kona'
}
export function getJavaDistribution(
@@ -82,6 +84,8 @@ export function getJavaDistribution(
return new GraalVMCommunityDistribution(installerOptions);
case JavaDistribution.JetBrains:
return new JetBrainsDistribution(installerOptions);
case JavaDistribution.Kona:
return new KonaDistribution(installerOptions);
default:
return null;
}
+191
View File
@@ -0,0 +1,191 @@
import * as core from '@actions/core';
import * as tc from '@actions/tool-cache';
import semver from 'semver';
import fs from 'fs';
import path from 'path';
import {JavaBase} from '../base-installer';
import {IKonaReleaseInfo, IKonaRelease} from './models';
import {
JavaDownloadRelease,
JavaInstallerOptions,
JavaInstallerResults
} from '../base-models';
import {
extractJdkFile,
getDownloadArchiveExtension,
isVersionSatisfies,
renameWinArchive
} from '../../util';
export class KonaDistribution extends JavaBase {
constructor(installerOptions: JavaInstallerOptions) {
super('Kona', installerOptions);
}
protected async downloadTool(
javaRelease: JavaDownloadRelease
): Promise<JavaInstallerResults> {
core.info(
`Downloading Kona JDK ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`
);
const javaArchivePath = await tc.downloadTool(javaRelease.url);
core.info(`Extracting Java archive...`);
const extension = getDownloadArchiveExtension();
const archivePath =
process.platform === 'win32'
? renameWinArchive(javaArchivePath)
: javaArchivePath;
const extractedJavaPath = await extractJdkFile(archivePath, extension);
const archiveName = fs.readdirSync(extractedJavaPath)[0];
const jdkDirectory = path.join(extractedJavaPath, archiveName);
const version = this.getToolcacheVersionName(javaRelease.version);
const javaPath = await tc.cacheDir(
jdkDirectory,
this.toolcacheFolderName,
version,
this.architecture
);
return {version: javaRelease.version, path: javaPath};
}
protected async findPackageForDownload(
version: string
): Promise<JavaDownloadRelease> {
if (!this.stable) {
throw new Error('Kona provides stable releases only');
}
if (this.packageType !== 'jdk') {
throw new Error('Kona provides jdk only');
}
const availableReleases = await this.getAvailableReleases();
const releases = availableReleases
.filter(item => {
return isVersionSatisfies(version, item.version);
})
.map(item => {
return {
version: item.version,
url: item.downloadUrl
} as JavaDownloadRelease;
})
.sort((a, b) => -semver.compareBuild(a.version, b.version));
if (!releases.length) {
throw new Error(
`No Kona release for the specified version "${version}" on OS "${this.getOs()}" and arch "${this.getArch()}".`
);
}
return releases[0];
}
private async getAvailableReleases(): Promise<IKonaRelease[]> {
if (core.isDebug()) {
console.time('Retrieving available releases for Kona took'); // eslint-disable-line no-console
}
const releaseInfo = await this.fetchReleaseInfo();
if (!releaseInfo) {
throw new Error(`Couldn't fetch Kona release information`);
}
const availableReleases = this.chooseReleases(
this.getOs(),
this.getArch(),
releaseInfo
);
if (core.isDebug()) {
core.startGroup('Print information about available releases');
console.timeEnd('Retrieving available releases for Kona took'); // eslint-disable-line no-console
core.debug(availableReleases.map(item => item.version).join(', '));
core.endGroup();
}
return availableReleases;
}
private async fetchReleaseInfo(): Promise<IKonaReleaseInfo | null> {
const releasesInfoUrl =
'https://tencent.github.io/konajdk/releases/kona-v1.json';
try {
core.debug(`Fetching Kona release info from URL: ${releasesInfoUrl}`);
return (await this.http.getJson<IKonaReleaseInfo>(releasesInfoUrl))
.result;
} catch (err) {
core.debug(
`Fetching Kona release info from the URL: ${releasesInfoUrl} failed with the error: ${
(err as Error).message
}`
);
return null;
}
}
private chooseReleases(
os: string,
arch: string,
releaseInfo: IKonaReleaseInfo
): IKonaRelease[] {
const releases: IKonaRelease[] = [];
for (const majorVersion in releaseInfo) {
const versions = releaseInfo[majorVersion];
for (const version of versions) {
if (!version.latest) {
continue;
}
for (const file of version.files) {
if (file.os === os && file.arch === arch) {
releases.push({
version: version.version,
jdkVersion: version.jdkVersion,
os: os,
arch: arch,
downloadUrl: version.baseUrl + file.filename,
checksum: file.checksum
});
break;
}
}
}
}
return releases;
}
private getOs(): string {
switch (process.platform) {
case 'darwin':
return 'macos';
case 'win32':
return 'windows';
default:
return process.platform;
}
}
private getArch(): string {
switch (this.architecture) {
case 'arm64':
return 'aarch64';
case 'x64':
return 'x86_64';
default:
return this.architecture;
}
}
}
+25
View File
@@ -0,0 +1,25 @@
export interface IKonaReleaseInfo {
[majorVersion: string]: {
version: string;
jdkVersion: string;
latest: boolean;
baseUrl: string;
files: {
os: string; // linux, macos, windows
arch: string; // x86_64, aarch64
filename: string;
checksum: string;
}[];
}[];
}
export interface IKonaRelease {
version: string;
jdkVersion: string;
os: string; // linux, macos, windows
arch: string; // x86_64, aarch64
downloadUrl: string;
checksum: string; // SHA-256 digest
}
+1 -5
View File
@@ -4,11 +4,7 @@ export type Bitness = '32' | '64';
export type ArchType = 'arm' | 'ppc' | 'sparc' | 'x86';
export type OsVersions =
| 'linux'
| 'linux-musl'
| 'macos'
| 'solaris'
| 'windows';
'linux' | 'linux-musl' | 'macos' | 'solaris' | 'windows';
export interface ArchitectureOptions {
bitness: Bitness;
+9 -3
View File
@@ -69,9 +69,15 @@ export class LocalDistribution extends JavaBase {
foundJava.path = macOSPostfixPath;
}
core.info(`Setting Java ${foundJava.version} as default`);
this.setJavaDefault(foundJava.version, foundJava.path);
if (this.setDefault) {
core.info(`Setting Java ${foundJava.version} as the default`);
this.setJavaDefault(foundJava.version, foundJava.path);
} else {
core.info(
`Installing Java ${foundJava.version} (not setting as default)`
);
this.setJavaEnvironment(foundJava.version, foundJava.path);
}
return foundJava;
}
+36 -1
View File
@@ -10,12 +10,16 @@ import {
getGitHubHttpHeaders,
renameWinArchive
} from '../../util';
import * as gpg from '../../gpg';
import {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
import * as core from '@actions/core';
import * as tc from '@actions/tool-cache';
import fs from 'fs';
import path from 'path';
import {TypedResponse} from '@actions/http-client/lib/interfaces';
export {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
export class MicrosoftDistributions extends JavaBase {
constructor(installerOptions: JavaInstallerOptions) {
super('Microsoft', installerOptions);
@@ -29,6 +33,26 @@ export class MicrosoftDistributions extends JavaBase {
);
let javaArchivePath = await tc.downloadTool(javaRelease.url);
if (this.verifySignature) {
if (!javaRelease.signatureUrl) {
throw new Error(
`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`
);
}
core.info(`Verifying Java package signature...`);
try {
await gpg.verifyPackageSignature(
javaArchivePath,
javaRelease.signatureUrl,
this.verifySignaturePublicKey ?? MICROSOFT_PUBLIC_KEY
);
} catch (error) {
throw new Error(
`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}`
);
}
}
core.info(`Extracting Java archive...`);
const extension = getDownloadArchiveExtension();
if (process.platform === 'win32') {
@@ -80,12 +104,23 @@ export class MicrosoftDistributions extends JavaBase {
throw this.createVersionNotFoundError(range, availableVersionStrings);
}
const file = foundRelease.files[0] as {
download_url: string;
signature_url?: string;
};
const signatureUrl = file.signature_url ?? `${file.download_url}.sig`;
return {
url: foundRelease.files[0].download_url,
url: file.download_url,
signatureUrl,
version: foundRelease.version
};
}
protected supportsSignatureVerification(): boolean {
return true;
}
private async getAvailableVersions(): Promise<tc.IToolRelease[] | null> {
// TODO get these dynamically!
// We will need Microsoft to add an endpoint where we can query for versions.
@@ -0,0 +1,21 @@
// Microsoft Build of OpenJDK GPG signing key
// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc
export const MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BSN Pgp v1.1.0.0
mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL
RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+
UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl
/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6
r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx
fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh
IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB
CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB
icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL
MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ
EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq
yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy
JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4
Fa133tP85xzJEq1XeXm8WeLFo2wV
=rHCS
-----END PGP PUBLIC KEY BLOCK-----`;
+33
View File
@@ -0,0 +1,33 @@
// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B)
// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B
export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT
QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ
PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a
9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf
+11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa
Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL
ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y
Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH
AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG
7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk
kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj
pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju
NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf
l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+
Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj
SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl
UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z
E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q
VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f
B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg
FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/
Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF
yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34
hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj
0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU
6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ
wI4qF/KKq9BfyfucAs0ykA==
=XLag
-----END PGP PUBLIC KEY BLOCK-----`;
+32 -1
View File
@@ -4,7 +4,9 @@ import * as tc from '@actions/tool-cache';
import fs from 'fs';
import path from 'path';
import semver from 'semver';
import * as gpg from '../../gpg';
import {ADOPTIUM_PUBLIC_KEY} from './adoptium-key';
import {JavaBase} from '../base-installer';
import {ITemurinAvailableVersions} from './models';
import {
@@ -22,6 +24,8 @@ import {
validatePaginationUrl
} from '../../util';
export {ADOPTIUM_PUBLIC_KEY} from './adoptium-key';
export enum TemurinImplementation {
Hotspot = 'Hotspot'
}
@@ -50,7 +54,8 @@ export class TemurinDistribution extends JavaBase {
: item.version_data.semver.replace('-beta+', '+');
return {
version: formattedVersion,
url: item.binaries[0].package.link
url: item.binaries[0].package.link,
signatureUrl: item.binaries[0].package.signature_link
} as JavaDownloadRelease;
});
@@ -80,6 +85,28 @@ export class TemurinDistribution extends JavaBase {
);
let javaArchivePath = await tc.downloadTool(javaRelease.url);
if (this.verifySignature) {
if (!javaRelease.signatureUrl) {
throw new Error(
`Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.`
);
}
core.info(`Verifying Java package signature...`);
try {
await gpg.verifyPackageSignature(
javaArchivePath,
javaRelease.signatureUrl,
this.verifySignaturePublicKey ?? ADOPTIUM_PUBLIC_KEY
);
} catch (error) {
throw new Error(
`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${
(error as Error).message
}`
);
}
}
core.info(`Extracting Java archive...`);
const extension = getDownloadArchiveExtension();
if (process.platform === 'win32') {
@@ -105,6 +132,10 @@ export class TemurinDistribution extends JavaBase {
return super.toolcacheFolderName;
}
protected supportsSignatureVerification(): boolean {
return true;
}
private async getAvailableVersions(): Promise<ITemurinAvailableVersions[]> {
const platform = this.getPlatformOption();
const arch = this.distributionArchitecture();
+1
View File
@@ -11,6 +11,7 @@ export interface ITemurinAvailableVersions {
package: {
checksum: string;
checksum_link: string;
signature_link?: string;
download_count: number;
link: string;
metadata_link: string;
+68
View File
@@ -2,6 +2,7 @@ import * as fs from 'fs';
import * as path from 'path';
import * as io from '@actions/io';
import * as exec from '@actions/exec';
import * as tc from '@actions/tool-cache';
import * as util from './util';
import {ExecOptions} from '@actions/exec/lib/interfaces';
@@ -9,6 +10,17 @@ export const PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc');
const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/;
// Convert a Windows path (D:\a\_temp\...) to a POSIX path (/d/a/_temp/...).
// The Git-bundled GPG on Windows (MSYS2-based) uses POSIX path conventions
// internally. Passing Windows paths with backslashes can cause fatal GPG errors
// (exit code 2), so all paths passed to GPG must be in POSIX format on Windows.
export function toGpgPath(p: string): string {
if (process.platform !== 'win32') return p;
return p
.replace(/\\/g, '/')
.replace(/^([A-Za-z]):\//, (_, drive) => `/${drive.toLowerCase()}/`);
}
export async function importKey(privateKey: string) {
fs.writeFileSync(PRIVATE_KEY_FILE, privateKey, {
encoding: 'utf-8',
@@ -53,3 +65,59 @@ export async function deleteKey(keyFingerprint: string) {
}
);
}
export async function verifyPackageSignature(
archivePath: string,
signatureUrl: string,
publicKeyContent: string
) {
const signaturePath = await tc.downloadTool(signatureUrl);
let gpgHome: string;
try {
gpgHome = fs.mkdtempSync(
path.join(util.getTempDir(), 'verify-signature-gpg-home-')
);
} catch (error) {
try {
await io.rmRF(signaturePath);
} catch {
// ignore cleanup failures
}
throw new Error(
`Failed to create temporary GPG home directory for signature verification: ${
(error as Error).message
}`
);
}
try {
const publicKeyFile = path.join(gpgHome, 'public-key.asc');
fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'});
const options: ExecOptions = {silent: true};
await exec.exec(
'gpg',
[
'--homedir',
toGpgPath(gpgHome),
'--batch',
'--import',
toGpgPath(publicKeyFile)
],
options
);
await exec.exec(
'gpg',
[
'--homedir',
toGpgPath(gpgHome),
'--batch',
'--verify',
toGpgPath(signaturePath),
toGpgPath(archivePath)
],
options
);
} finally {
await io.rmRF(signaturePath);
await io.rmRF(gpgHome);
}
}
+69
View File
@@ -0,0 +1,69 @@
import * as core from '@actions/core';
import {getBooleanInput} from './util';
import {
INPUT_SHOW_DOWNLOAD_PROGRESS,
MAVEN_ARGS_ENV,
MAVEN_NO_TRANSFER_PROGRESS_FLAG,
MAVEN_NO_TRANSFER_PROGRESS_LONG_FLAG
} from './constants';
/**
* Configures the MAVEN_ARGS environment variable so that Maven suppresses
* artifact transfer/download progress output by default, producing cleaner
* CI logs.
*
* Behavior:
* - When `show-download-progress` is `false` (the default), `-ntp`
* (`--no-transfer-progress`) is appended to any existing MAVEN_ARGS value.
* - When `show-download-progress` is `true`, MAVEN_ARGS is left untouched so
* the user's own configuration (and Maven's default progress output) is
* preserved.
*
* The change is idempotent: if MAVEN_ARGS already disables transfer progress
* (via `-ntp` or `--no-transfer-progress`) nothing is added. Any pre-existing
* MAVEN_ARGS value is preserved.
*
* MAVEN_ARGS is honored by Maven 3.9.0+ and the Maven Wrapper; older Maven
* versions ignore it, so this is a no-op there. It has no effect on non-Maven
* builds such as Gradle or sbt.
*/
export function configureMavenArgs(): void {
const showDownloadProgress = getBooleanInput(
INPUT_SHOW_DOWNLOAD_PROGRESS,
false
);
if (showDownloadProgress) {
core.debug(
`${INPUT_SHOW_DOWNLOAD_PROGRESS} is true; leaving ${MAVEN_ARGS_ENV} unchanged`
);
return;
}
const existingArgs = (process.env[MAVEN_ARGS_ENV] ?? '').trim();
const alreadyDisabled = existingArgs
.split(/\s+/)
.some(
arg =>
arg === MAVEN_NO_TRANSFER_PROGRESS_FLAG ||
arg === MAVEN_NO_TRANSFER_PROGRESS_LONG_FLAG
);
if (alreadyDisabled) {
core.debug(
`${MAVEN_ARGS_ENV} already disables transfer progress; leaving it unchanged`
);
return;
}
const updatedArgs = existingArgs
? `${existingArgs} ${MAVEN_NO_TRANSFER_PROGRESS_FLAG}`
: MAVEN_NO_TRANSFER_PROGRESS_FLAG;
core.exportVariable(MAVEN_ARGS_ENV, updatedArgs);
core.info(
`Configured ${MAVEN_ARGS_ENV} to include ${MAVEN_NO_TRANSFER_PROGRESS_FLAG} to suppress Maven transfer progress logs. ` +
`Set '${INPUT_SHOW_DOWNLOAD_PROGRESS}: true' to keep the download progress output.`
);
}
+67 -19
View File
@@ -12,13 +12,12 @@ import {restore} from './cache';
import * as path from 'path';
import {getJavaDistribution} from './distributions/distribution-factory';
import {JavaInstallerOptions} from './distributions/base-models';
import {configureMavenArgs} from './maven-args';
async function run() {
try {
const versions = core.getMultilineInput(constants.INPUT_JAVA_VERSION);
const distributionName = core.getInput(constants.INPUT_DISTRIBUTION, {
required: true
});
let distributionName = core.getInput(constants.INPUT_DISTRIBUTION);
const versionFile = core.getInput(constants.INPUT_JAVA_VERSION_FILE);
const architecture = core.getInput(constants.INPUT_ARCHITECTURE);
const packageType = core.getInput(constants.INPUT_JAVA_PACKAGE);
@@ -28,6 +27,13 @@ async function run() {
constants.INPUT_CACHE_DEPENDENCY_PATH
);
const checkLatest = getBooleanInput(constants.INPUT_CHECK_LATEST, false);
const setDefault = getBooleanInput(constants.INPUT_SET_DEFAULT, true);
const verifySignature = getBooleanInput(
constants.INPUT_VERIFY_SIGNATURE,
false
);
const verifySignaturePublicKey =
core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined;
let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID);
core.startGroup('Installed distributions');
@@ -40,45 +46,78 @@ async function run() {
throw new Error('java-version or java-version-file input expected');
}
const installerInputsOptions: installerInputsOptions = {
architecture,
packageType,
checkLatest,
distributionName,
jdkFile,
toolchainIds
};
if (!versions.length) {
core.debug(
'java-version input is empty, looking for java-version-file input'
);
const content = fs.readFileSync(versionFile).toString().trim();
const version = getVersionFromFileContent(
const versionInfo = getVersionFromFileContent(
content,
distributionName,
versionFile
);
core.debug(`Parsed version from file '${version}'`);
core.debug(`Parsed version from file '${versionInfo?.version}'`);
if (!version) {
if (!versionInfo) {
throw new Error(
`No supported version was found in file ${versionFile}`
);
}
await installVersion(version, installerInputsOptions);
}
// Use distribution from file if available, otherwise use the input
if (versionInfo.distribution) {
core.info(
`Using distribution '${versionInfo.distribution}' from ${versionFile}`
);
distributionName = versionInfo.distribution;
} else if (!distributionName) {
throw new Error(
'distribution input is required when not specified in the version file'
);
}
for (const [index, version] of versions.entries()) {
await installVersion(version, installerInputsOptions, index);
const installerInputsOptions: installerInputsOptions = {
architecture,
packageType,
checkLatest,
setDefault,
verifySignature,
verifySignaturePublicKey,
distributionName,
jdkFile,
toolchainIds
};
await installVersion(versionInfo.version, installerInputsOptions);
} else {
// When using java-version input, distribution is still required
if (!distributionName) {
throw new Error('distribution input is required');
}
const installerInputsOptions: installerInputsOptions = {
architecture,
packageType,
checkLatest,
setDefault,
verifySignature,
verifySignaturePublicKey,
distributionName,
jdkFile,
toolchainIds
};
for (const [index, version] of versions.entries()) {
await installVersion(version, installerInputsOptions, index);
}
}
core.endGroup();
const matchersPath = path.join(__dirname, '..', '..', '.github');
core.info(`##[add-matcher]${path.join(matchersPath, 'java.json')}`);
await auth.configureAuthentication();
configureMavenArgs();
if (cache && isCacheFeatureAvailable()) {
await restore(cache, cacheDependencyPath);
}
@@ -100,6 +139,9 @@ async function installVersion(
architecture,
packageType,
checkLatest,
setDefault,
verifySignature,
verifySignaturePublicKey,
toolchainIds
} = options;
@@ -107,6 +149,9 @@ async function installVersion(
architecture,
packageType,
checkLatest,
setDefault,
verifySignature,
verifySignaturePublicKey,
version
};
@@ -141,6 +186,9 @@ interface installerInputsOptions {
architecture: string;
packageType: string;
checkLatest: boolean;
setDefault: boolean;
verifySignature: boolean;
verifySignaturePublicKey: string | undefined;
distributionName: string;
jdkFile: string;
toolchainIds: Array<string>;
+89 -39
View File
@@ -83,47 +83,76 @@ export function generateToolchainDefinition(
id: string,
jdkHome: string
) {
let xmlObj;
if (original?.length) {
xmlObj = xmlCreate(original)
.root()
.ele({
toolchain: {
type: 'jdk',
provides: {
version: `${version}`,
vendor: `${vendor}`,
id: `${id}`
},
configuration: {
jdkHome: `${jdkHome}`
}
}
});
} else
xmlObj = xmlCreate({
toolchains: {
'@xmlns': 'http://maven.apache.org/TOOLCHAINS/1.1.0',
'@xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance',
'@xsi:schemaLocation':
'http://maven.apache.org/TOOLCHAINS/1.1.0 https://maven.apache.org/xsd/toolchains-1.1.0.xsd',
toolchain: [
{
type: 'jdk',
provides: {
version: `${version}`,
vendor: `${vendor}`,
id: `${id}`
},
configuration: {
jdkHome: `${jdkHome}`
}
}
]
let jsToolchains: Toolchain[] = [
{
type: 'jdk',
provides: {
version: `${version}`,
vendor: `${vendor}`,
id: `${id}`
},
configuration: {
jdkHome: `${jdkHome}`
}
});
}
];
// default root attributes, used when the existing file does not declare its own
let rootAttributes: Record<string, string> = {
'@xmlns': 'http://maven.apache.org/TOOLCHAINS/1.1.0',
'@xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance',
'@xsi:schemaLocation':
'http://maven.apache.org/TOOLCHAINS/1.1.0 https://maven.apache.org/xsd/toolchains-1.1.0.xsd'
};
if (original?.length) {
// convert existing toolchains into TS native objects for better handling
// xmlbuilder2 will convert the document into a `{toolchains: { toolchain: [] | {} }}` structure
// instead of the desired `toolchains: [{}]` one or simply `[{}]`
const jsObj = xmlCreate(original)
.root()
.toObject() as unknown as ExtractedToolchains;
if (jsObj.toolchains) {
// preserve the existing root attributes (xmlns, schemaLocation, …) so we don't
// silently rewrite user-managed metadata or change the effective XML namespace;
// xmlbuilder2 exposes attributes as `@`-prefixed keys on the element object
const existingAttributes = Object.fromEntries(
Object.entries(jsObj.toolchains).filter(([key]) => key.startsWith('@'))
) as Record<string, string>;
// fall back to the defaults only for attributes the existing file is missing
rootAttributes = {...rootAttributes, ...existingAttributes};
return xmlObj.end({
if (jsObj.toolchains.toolchain) {
// in case only a single child exists xmlbuilder2 will not create an array and using verbose = true equally doesn't work here
// See https://oozcitak.github.io/xmlbuilder2/serialization.html#js-object-and-map-serializers for details
if (Array.isArray(jsObj.toolchains.toolchain)) {
jsToolchains.push(...jsObj.toolchains.toolchain);
} else {
jsToolchains.push(jsObj.toolchains.toolchain);
}
}
}
// remove potential duplicates based on type & id (which should be a unique combination);
// self.findIndex will only return the first occurrence, ensuring duplicates are skipped
jsToolchains = jsToolchains.filter(
(value, index, self) =>
// ensure non-jdk toolchains are kept in the results, we must not touch them because they belong to the user
value.type !== 'jdk' ||
// keep toolchains that lack a usable string id (e.g. partially-formed user files);
// we cannot safely deduplicate them and must not crash while reading them
typeof value.provides?.id !== 'string' ||
index ===
self.findIndex(
t => t.type === value.type && t.provides?.id === value.provides?.id
)
);
}
return xmlCreate({
toolchains: {
...rootAttributes,
toolchain: jsToolchains
}
}).end({
format: 'xml',
wellFormed: false,
headless: false,
@@ -166,3 +195,24 @@ async function writeToolchainsFileToDisk(
flag: 'w'
});
}
interface ExtractedToolchains {
toolchains: {
// root attributes such as xmlns / schemaLocation are exposed as `@`-prefixed keys
[attribute: `@${string}`]: string;
toolchain?: Toolchain[] | Toolchain;
};
}
// Toolchain type definition according to Maven Toolchains XSD 1.1.0
interface Toolchain {
type: string;
provides:
| {
version: string;
vendor: string;
id: string;
}
| any;
configuration: any;
}
+61 -6
View File
@@ -127,12 +127,18 @@ export function isCacheFeatureAvailable(): boolean {
return false;
}
export interface VersionInfo {
version: string;
distribution?: string;
}
export function getVersionFromFileContent(
content: string,
distributionName: string,
versionFile: string
): string | null {
): VersionInfo | null {
let javaVersionRegExp: RegExp;
let extractedDistribution: string | undefined;
function getFileName(versionFile: string) {
return path.basename(versionFile);
@@ -143,15 +149,27 @@ export function getVersionFromFileContent(
javaVersionRegExp =
/^java\s+(?:\S*-)?(?<version>\d+(?:\.\d+)*([+_.-](?:openj9[-._]?\d[\w.-]*|java\d+|jre[-_\w]*|OpenJDK\d+[\w_.-]*|[a-z0-9]+))*)/im;
} else if (versionFileName == '.sdkmanrc') {
javaVersionRegExp = /^java\s*=\s*(?<version>[^-]+)/m;
// Match both version and optional distribution identifier
javaVersionRegExp =
/^java\s*=\s*(?<version>[^-\s]+)(?:-(?<distribution>[a-z0-9]+))?/m;
} else {
javaVersionRegExp = /(?<version>(?<=(^|\s|-))(\d+\S*))(\s|$)/;
}
const capturedVersion = content.match(javaVersionRegExp)?.groups?.version
? (content.match(javaVersionRegExp)?.groups?.version as string)
const match = content.match(javaVersionRegExp);
const capturedVersion = match?.groups?.version
? (match.groups.version as string)
: '';
// Extract distribution from .sdkmanrc file
if (versionFileName == '.sdkmanrc' && match?.groups?.distribution) {
const sdkmanDist = match.groups.distribution;
extractedDistribution = mapSdkmanDistribution(sdkmanDist);
core.debug(
`Parsed distribution '${extractedDistribution}' from SDKMAN identifier '${sdkmanDist}'`
);
}
core.debug(
`Parsed version '${capturedVersion}' from file '${versionFileName}'`
);
@@ -172,12 +190,49 @@ export function getVersionFromFileContent(
return null;
}
if (DISTRIBUTIONS_ONLY_MAJOR_VERSION.includes(distributionName)) {
// Apply DISTRIBUTIONS_ONLY_MAJOR_VERSION logic whenever the effective distribution
// (either explicitly provided or extracted from the version file) is in the list.
if (
DISTRIBUTIONS_ONLY_MAJOR_VERSION.includes(
extractedDistribution || distributionName
)
) {
const coerceVersion = semver.coerce(version) ?? version;
version = semver.major(coerceVersion).toString();
}
return version.toString();
return {
version: version.toString(),
distribution: extractedDistribution
};
}
// Map SDKMAN distribution identifiers to setup-java distribution names
function mapSdkmanDistribution(sdkmanDist: string): string | undefined {
const distributionMap: Record<string, string> = {
tem: 'temurin',
sem: 'semeru',
albba: 'dragonwell',
zulu: 'zulu',
amzn: 'corretto',
graal: 'graalvm',
graalce: 'graalvm',
librca: 'liberica',
ms: 'microsoft',
oracle: 'oracle',
sapmchn: 'sapmachine',
jbr: 'jetbrains',
dragonwell: 'dragonwell',
kona: 'kona'
};
const mapped = distributionMap[sdkmanDist.toLowerCase()];
if (!mapped) {
core.warning(
`Unknown SDKMAN distribution identifier '${sdkmanDist}'. Please specify the distribution explicitly.`
);
}
return mapped;
}
// By convention, action expects version 8 in the format `8.*` instead of `1.8`