Commit Graph

10 Commits

Author SHA1 Message Date
John b150355f04 feat: Add verify-signature plumbing and Temurin+Microsoft verification support (#1060)
* Add verify-signature plumbing and Temurin verification support

* Rebuild dist after signature verification changes

* Refine signature verification errors and regenerate dist

* refactor: make gpg.ts generic, move Adoptium-specific constant to temurin distribution

* fix: mock renameWinArchive in temurin tests and add signature e2e job

* refactor: bundle Adoptium public key, replace keyserver lookup with local import

* feat: add verify-signature-public-key input to allow custom GPG key override

* refactor: extract Adoptium public key to adoptium-key.ts; tighten gpg.ts cleanup scope

* Add verify-signature plumbing and Temurin verification support

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Add Microsoft signature verification support

* Regenerate dist bundles for Microsoft signature checks

* Harden Microsoft signature URL handling

* Add setup-java-microsoft-signature-verification e2e job

* chore: regenerate dist files

* Fix e2e-versions: remove duplicate job, update signature jobs to checkout@v7 with env vars

* Fix Prettier formatting in test files

* fix: mock renameWinArchive in microsoft-installer tests to fix Windows CI failure

* fix: use --homedir flag instead of GNUPGHOME env var for Windows GPG compatibility

The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert
Windows-style paths in environment variables like GNUPGHOME. This caused GPG
to fail with exit code 2 when verifying Microsoft JDK signatures on Windows,
because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid
POSIX path.

Fix: pass --homedir as an explicit command-line argument to both gpg --import
and gpg --verify. MSYS2 does correctly convert Windows paths in command-line
arguments, so this approach works reliably on Windows, Linux, and macOS.

* fix: convert Windows paths to POSIX format for MSYS2 GPG on Windows

The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is
an MSYS2-based binary that uses POSIX path conventions internally. When
Windows-style paths with backslashes and drive letters (D:\a\_temp\...)
are passed as arguments, GPG may fail to resolve them correctly, resulting
in a fatal error (exit code 2).

Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX
format (/d/a/_temp/...) before passing them to any gpg command. On Linux
and macOS the helper is a no-op.

Applied to all four paths used in verifyPackageSignature:
- gpgHome (--homedir argument)
- publicKeyFile (--import argument)
- signaturePath (--verify signature argument)
- archivePath (--verify data argument)

* Fix gpg test formatting

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Bruno Borges <brborges@microsoft.com>
2026-06-29 13:19:49 +01:00
John b24df5bba5 Make the Adoptopenjdk package type look at the Temurin repo first for latest assets (#522)
* Make the Adoptopenjdk package type look at the Temurin repo first for latest assets

* Address Copilot code review comments

- Use strict equality (===, !==) instead of loose equality (==, !=) for all comparisons
- Properly handle caught errors with instanceof type narrowing before accessing properties
- Only fall back to legacy AdoptOpenJDK for specific version-not-found errors
- Rethrow unexpected errors to avoid masking real issues (network failures, rate limits, etc.)
- Fix error message check to match actual error text ('No matching version found')
- Remove unnecessary undefined check since method return type is never undefined
- Add @internal JSDoc annotation to TemurinDistribution.findPackageForDownload()
- Update tests to properly mock Temurin lookup failures for fallback behavior testing
- Rebuild dist files

* Always fall back to legacy AdoptOpenJDK but log all Temurin failures

- Change error handling to gracefully fall back for all errors, not just version-not-found
- Log version-not-found errors as notices with migration guidance
- Log other Temurin failures as debug messages for troubleshooting
- Improves resilience: users always get a result even if Temurin API has issues
- Maintains visibility: failures are still logged for debugging

* Fixes from review

* Fixes from review

* Fixes from review

* Regenerate dist
2026-06-12 16:30:59 +01:00
John 43120bc3c3 Implement pagination with link headers for Adoptium based apis (#1014)
* Use Link headers for Adoptium pagination

* Fix nullable pagination URL types and rebuild dist

* Add 1000-page safeguard for JetBrains pagination

* Adjust plan for pagination safeguard scope

* Move pagination safeguard to non-JetBrains installers

* Add 1000-page safeguard to Adopt Temurin and Semeru pagination

* Fix Prettier formatting in adopt, semeru, and temurin installer files

* Fix CI audit failure by updating vulnerable transitive deps

* Address PR review: RFC-compliant Link parsing, SSRF validation, centralized constant

- Make getNextPageUrlFromLinkHeader RFC 8288 compliant by splitting
  link-values and checking for rel=next anywhere in the parameters,
  not just as the first parameter after the semicolon.
- Add validatePaginationUrl utility to reject pagination URLs that
  point to unexpected origins (SSRF mitigation).
- Centralize MAX_PAGINATION_PAGES in util.ts instead of duplicating
  across Adopt, Semeru, and Temurin installers.
- Add tests for rel not being the first parameter, and for URL
  origin validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address code review feedback on pagination implementation

- Tighten rel regex with word boundary to prevent false positives
  (e.g., rel="nextsomething" no longer matches).
- Use parsed.origin comparison in validatePaginationUrl to correctly
  handle explicit default ports (e.g., :443 for HTTPS).
- Fix pagination safeguard tests to use same-origin URLs so they
  actually exercise the 1000-page limit instead of being rejected
  by origin validation on the first request.
- Add test for rel="nextsomething" not matching.
- Add test for explicit default port acceptance.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix prettier formatting in util.test.ts

* Rebuild dist/ to fix check-dist CI failure

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-12 11:50:16 +01:00
George Adams 576b821f29 Merge pull request #674 from gdams/alpine
temurin: add support for Alpine Linux
2026-06-12 09:18:56 +01:00
Chiranjib Swain 0756542bc5 Refactor error handling and improve test logging for installers (#989)
* Refactor error handling for version not found cases across multiple installers

* Mock core.error in tests to suppress error logs

* fix(graalvm): improve error messages for EA version not found scenarios

* refactor(tests): update error messages for version not found scenarios

* fix(graalvm): enhance error messages for version not found scenarios

* fix(graalvm): improve error messages for version not found scenarios with updated download URL

* fix(graalvm): improve error handling for EA version not found scenarios with clearer messages
2026-04-13 12:44:45 -05:00
Priya Gupta 83a06ff9d9 Fix Windows archives extraction issue (#689) 2024-10-10 16:32:25 -05:00
Ivan 0de5c66fc0 Add and configure ESLint and update configuration for Prettier (#458)
* Add ESLint config and update Prettier

* Update test files

* Rebuild action

* Update docs

* Update licenses

* Update tsconfig

* Rebuild action

* Update tsconfig.json

* Fix console.time calls

* Rebuild action

* Rebuild action on Linux
2023-03-09 14:49:35 +02:00
Wes Morgan 3617c43588 Default to runner architecture (#376) 2022-10-11 01:47:17 +02:00
Dmitry Shibanov d854b6da19 Add support for multiple jdks (#368) 2022-09-08 15:26:54 +02:00
Jochen Schalanda 4b1b3d4a82 Add support for Eclipse Temurin (#201)
* Add support for Adoptium OpenJDK

Refs https://github.com/actions/setup-java/issues/191

* Rename distribution to Eclipse Temurin

* Update end-to-end tests in GitHub workflows

* Exclude e2e tests for Temurin JREs for now

* fix version

* Update e2e-versions.yml

* Handle Eclipse Temurin version suffixes ("beta")

* Add test for new version suffix "beta"

* Add updated `index.js`

* fix an issue

Co-authored-by: Maxim Lobanov <maxim-lobanov@github.com>
2021-08-06 13:12:36 +03:00