mirror of
https://github.com/actions/setup-java.git
synced 2026-07-04 05:00:20 +03:00
b150355f04
* Add verify-signature plumbing and Temurin verification support * Rebuild dist after signature verification changes * Refine signature verification errors and regenerate dist * refactor: make gpg.ts generic, move Adoptium-specific constant to temurin distribution * fix: mock renameWinArchive in temurin tests and add signature e2e job * refactor: bundle Adoptium public key, replace keyserver lookup with local import * feat: add verify-signature-public-key input to allow custom GPG key override * refactor: extract Adoptium public key to adoptium-key.ts; tighten gpg.ts cleanup scope * Add verify-signature plumbing and Temurin verification support * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add Microsoft signature verification support * Regenerate dist bundles for Microsoft signature checks * Harden Microsoft signature URL handling * Add setup-java-microsoft-signature-verification e2e job * chore: regenerate dist files * Fix e2e-versions: remove duplicate job, update signature jobs to checkout@v7 with env vars * Fix Prettier formatting in test files * fix: mock renameWinArchive in microsoft-installer tests to fix Windows CI failure * fix: use --homedir flag instead of GNUPGHOME env var for Windows GPG compatibility The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert Windows-style paths in environment variables like GNUPGHOME. This caused GPG to fail with exit code 2 when verifying Microsoft JDK signatures on Windows, because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid POSIX path. Fix: pass --homedir as an explicit command-line argument to both gpg --import and gpg --verify. MSYS2 does correctly convert Windows paths in command-line arguments, so this approach works reliably on Windows, Linux, and macOS. * fix: convert Windows paths to POSIX format for MSYS2 GPG on Windows The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is an MSYS2-based binary that uses POSIX path conventions internally. When Windows-style paths with backslashes and drive letters (D:\a\_temp\...) are passed as arguments, GPG may fail to resolve them correctly, resulting in a fatal error (exit code 2). Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX format (/d/a/_temp/...) before passing them to any gpg command. On Linux and macOS the helper is a no-op. Applied to all four paths used in verifyPackageSignature: - gpgHome (--homedir argument) - publicKeyFile (--import argument) - signaturePath (--verify signature argument) - archivePath (--verify data argument) * Fix gpg test formatting --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Bruno Borges <brborges@microsoft.com>
236 lines
7.2 KiB
TypeScript
236 lines
7.2 KiB
TypeScript
import * as core from '@actions/core';
|
|
import * as tc from '@actions/tool-cache';
|
|
|
|
import fs from 'fs';
|
|
import path from 'path';
|
|
import semver from 'semver';
|
|
import * as gpg from '../../gpg';
|
|
|
|
import {ADOPTIUM_PUBLIC_KEY} from './adoptium-key';
|
|
import {JavaBase} from '../base-installer';
|
|
import {ITemurinAvailableVersions} from './models';
|
|
import {
|
|
JavaDownloadRelease,
|
|
JavaInstallerOptions,
|
|
JavaInstallerResults
|
|
} from '../base-models';
|
|
import {
|
|
extractJdkFile,
|
|
getNextPageUrlFromLinkHeader,
|
|
getDownloadArchiveExtension,
|
|
isVersionSatisfies,
|
|
renameWinArchive,
|
|
MAX_PAGINATION_PAGES,
|
|
validatePaginationUrl
|
|
} from '../../util';
|
|
|
|
export {ADOPTIUM_PUBLIC_KEY} from './adoptium-key';
|
|
|
|
export enum TemurinImplementation {
|
|
Hotspot = 'Hotspot'
|
|
}
|
|
|
|
export class TemurinDistribution extends JavaBase {
|
|
constructor(
|
|
installerOptions: JavaInstallerOptions,
|
|
private readonly jvmImpl: TemurinImplementation
|
|
) {
|
|
super(`Temurin-${jvmImpl}`, installerOptions);
|
|
}
|
|
|
|
/**
|
|
* @internal For cross-distribution reuse only. Not intended as a public API.
|
|
*/
|
|
public async findPackageForDownload(
|
|
version: string
|
|
): Promise<JavaDownloadRelease> {
|
|
const availableVersionsRaw = await this.getAvailableVersions();
|
|
const availableVersionsWithBinaries = availableVersionsRaw
|
|
.filter(item => item.binaries.length > 0)
|
|
.map(item => {
|
|
// normalize 17.0.0-beta+33.0.202107301459 to 17.0.0+33.0.202107301459 for earlier access versions
|
|
const formattedVersion = this.stable
|
|
? item.version_data.semver
|
|
: item.version_data.semver.replace('-beta+', '+');
|
|
return {
|
|
version: formattedVersion,
|
|
url: item.binaries[0].package.link,
|
|
signatureUrl: item.binaries[0].package.signature_link
|
|
} as JavaDownloadRelease;
|
|
});
|
|
|
|
const satisfiedVersions = availableVersionsWithBinaries
|
|
.filter(item => isVersionSatisfies(version, item.version))
|
|
.sort((a, b) => {
|
|
return -semver.compareBuild(a.version, b.version);
|
|
});
|
|
|
|
const resolvedFullVersion =
|
|
satisfiedVersions.length > 0 ? satisfiedVersions[0] : null;
|
|
if (!resolvedFullVersion) {
|
|
const availableVersionStrings = availableVersionsWithBinaries.map(
|
|
item => item.version
|
|
);
|
|
throw this.createVersionNotFoundError(version, availableVersionStrings);
|
|
}
|
|
|
|
return resolvedFullVersion;
|
|
}
|
|
|
|
protected async downloadTool(
|
|
javaRelease: JavaDownloadRelease
|
|
): Promise<JavaInstallerResults> {
|
|
core.info(
|
|
`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`
|
|
);
|
|
let javaArchivePath = await tc.downloadTool(javaRelease.url);
|
|
|
|
if (this.verifySignature) {
|
|
if (!javaRelease.signatureUrl) {
|
|
throw new Error(
|
|
`Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.`
|
|
);
|
|
}
|
|
core.info(`Verifying Java package signature...`);
|
|
try {
|
|
await gpg.verifyPackageSignature(
|
|
javaArchivePath,
|
|
javaRelease.signatureUrl,
|
|
this.verifySignaturePublicKey ?? ADOPTIUM_PUBLIC_KEY
|
|
);
|
|
} catch (error) {
|
|
throw new Error(
|
|
`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${
|
|
(error as Error).message
|
|
}`
|
|
);
|
|
}
|
|
}
|
|
|
|
core.info(`Extracting Java archive...`);
|
|
const extension = getDownloadArchiveExtension();
|
|
if (process.platform === 'win32') {
|
|
javaArchivePath = renameWinArchive(javaArchivePath);
|
|
}
|
|
const extractedJavaPath = await extractJdkFile(javaArchivePath, extension);
|
|
|
|
const archiveName = fs.readdirSync(extractedJavaPath)[0];
|
|
const archivePath = path.join(extractedJavaPath, archiveName);
|
|
const version = this.getToolcacheVersionName(javaRelease.version);
|
|
|
|
const javaPath = await tc.cacheDir(
|
|
archivePath,
|
|
this.toolcacheFolderName,
|
|
version,
|
|
this.architecture
|
|
);
|
|
|
|
return {version: javaRelease.version, path: javaPath};
|
|
}
|
|
|
|
protected get toolcacheFolderName(): string {
|
|
return super.toolcacheFolderName;
|
|
}
|
|
|
|
protected supportsSignatureVerification(): boolean {
|
|
return true;
|
|
}
|
|
|
|
private async getAvailableVersions(): Promise<ITemurinAvailableVersions[]> {
|
|
const platform = this.getPlatformOption();
|
|
const arch = this.distributionArchitecture();
|
|
const imageType = this.packageType;
|
|
const versionRange = encodeURI('[1.0,100.0]'); // retrieve all available versions
|
|
const releaseType = this.stable ? 'ga' : 'ea';
|
|
|
|
if (core.isDebug()) {
|
|
console.time('Retrieving available versions for Temurin took'); // eslint-disable-line no-console
|
|
}
|
|
|
|
const baseRequestArguments = [
|
|
`project=jdk`,
|
|
'vendor=adoptium',
|
|
`heap_size=normal`,
|
|
'sort_method=DEFAULT',
|
|
'sort_order=DESC',
|
|
`os=${platform}`,
|
|
`architecture=${arch}`,
|
|
`image_type=${imageType}`,
|
|
`release_type=${releaseType}`,
|
|
`jvm_impl=${this.jvmImpl.toLowerCase()}`
|
|
].join('&');
|
|
|
|
const requestArguments = `${baseRequestArguments}&page_size=20&page=0`;
|
|
let availableVersionsUrl: string | null =
|
|
`https://api.adoptium.net/v3/assets/version/${versionRange}?${requestArguments}`;
|
|
const availableVersions: ITemurinAvailableVersions[] = [];
|
|
let pageCount = 0;
|
|
if (core.isDebug()) {
|
|
core.debug(`Gathering available versions from '${availableVersionsUrl}'`);
|
|
}
|
|
|
|
while (availableVersionsUrl) {
|
|
pageCount++;
|
|
const response =
|
|
await this.http.getJson<ITemurinAvailableVersions[]>(
|
|
availableVersionsUrl
|
|
);
|
|
const paginationPage = response.result;
|
|
const nextUrl = getNextPageUrlFromLinkHeader(response.headers);
|
|
if (
|
|
nextUrl &&
|
|
!validatePaginationUrl(nextUrl, 'https://api.adoptium.net')
|
|
) {
|
|
core.warning(
|
|
`Ignoring pagination link with unexpected origin: ${nextUrl}`
|
|
);
|
|
availableVersionsUrl = null;
|
|
} else {
|
|
availableVersionsUrl = nextUrl;
|
|
}
|
|
|
|
if (paginationPage === null || paginationPage.length === 0) {
|
|
break;
|
|
}
|
|
|
|
availableVersions.push(...paginationPage);
|
|
|
|
if (pageCount >= MAX_PAGINATION_PAGES) {
|
|
core.warning(
|
|
`Reached pagination safeguard limit (${MAX_PAGINATION_PAGES} pages) while listing Temurin releases.`
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (core.isDebug()) {
|
|
core.startGroup('Print information about available versions');
|
|
console.timeEnd('Retrieving available versions for Temurin took'); // eslint-disable-line no-console
|
|
core.debug(`Available versions: [${availableVersions.length}]`);
|
|
core.debug(
|
|
availableVersions.map(item => item.version_data.semver).join(', ')
|
|
);
|
|
core.endGroup();
|
|
}
|
|
|
|
return availableVersions;
|
|
}
|
|
|
|
private getPlatformOption(): string {
|
|
// Adoptium has own platform names so need to map them
|
|
switch (process.platform) {
|
|
case 'darwin':
|
|
return 'mac';
|
|
case 'win32':
|
|
return 'windows';
|
|
case 'linux':
|
|
if (fs.existsSync('/etc/alpine-release')) {
|
|
return 'alpine-linux';
|
|
}
|
|
return 'linux';
|
|
default:
|
|
return process.platform;
|
|
}
|
|
}
|
|
}
|