mirror of
https://gitea.com/actions/setup-java.git
synced 2026-07-03 18:21:57 +08:00
* Add verify-signature plumbing and Temurin verification support * Rebuild dist after signature verification changes * Refine signature verification errors and regenerate dist * refactor: make gpg.ts generic, move Adoptium-specific constant to temurin distribution * fix: mock renameWinArchive in temurin tests and add signature e2e job * refactor: bundle Adoptium public key, replace keyserver lookup with local import * feat: add verify-signature-public-key input to allow custom GPG key override * refactor: extract Adoptium public key to adoptium-key.ts; tighten gpg.ts cleanup scope * Add verify-signature plumbing and Temurin verification support * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add Microsoft signature verification support * Regenerate dist bundles for Microsoft signature checks * Harden Microsoft signature URL handling * Add setup-java-microsoft-signature-verification e2e job * chore: regenerate dist files * Fix e2e-versions: remove duplicate job, update signature jobs to checkout@v7 with env vars * Fix Prettier formatting in test files * fix: mock renameWinArchive in microsoft-installer tests to fix Windows CI failure * fix: use --homedir flag instead of GNUPGHOME env var for Windows GPG compatibility The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert Windows-style paths in environment variables like GNUPGHOME. This caused GPG to fail with exit code 2 when verifying Microsoft JDK signatures on Windows, because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid POSIX path. Fix: pass --homedir as an explicit command-line argument to both gpg --import and gpg --verify. MSYS2 does correctly convert Windows paths in command-line arguments, so this approach works reliably on Windows, Linux, and macOS. * fix: convert Windows paths to POSIX format for MSYS2 GPG on Windows The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is an MSYS2-based binary that uses POSIX path conventions internally. When Windows-style paths with backslashes and drive letters (D:\a\_temp\...) are passed as arguments, GPG may fail to resolve them correctly, resulting in a fatal error (exit code 2). Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX format (/d/a/_temp/...) before passing them to any gpg command. On Linux and macOS the helper is a no-op. Applied to all four paths used in verifyPackageSignature: - gpgHome (--homedir argument) - publicKeyFile (--import argument) - signaturePath (--verify signature argument) - archivePath (--verify data argument) * Fix gpg test formatting --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Bruno Borges <brborges@microsoft.com>
162 lines
4.3 KiB
TypeScript
162 lines
4.3 KiB
TypeScript
import fs from 'fs';
|
|
import * as core from '@actions/core';
|
|
import * as auth from './auth';
|
|
import {
|
|
getBooleanInput,
|
|
isCacheFeatureAvailable,
|
|
getVersionFromFileContent
|
|
} from './util';
|
|
import * as toolchains from './toolchains';
|
|
import * as constants from './constants';
|
|
import {restore} from './cache';
|
|
import * as path from 'path';
|
|
import {getJavaDistribution} from './distributions/distribution-factory';
|
|
import {JavaInstallerOptions} from './distributions/base-models';
|
|
|
|
async function run() {
|
|
try {
|
|
const versions = core.getMultilineInput(constants.INPUT_JAVA_VERSION);
|
|
const distributionName = core.getInput(constants.INPUT_DISTRIBUTION, {
|
|
required: true
|
|
});
|
|
const versionFile = core.getInput(constants.INPUT_JAVA_VERSION_FILE);
|
|
const architecture = core.getInput(constants.INPUT_ARCHITECTURE);
|
|
const packageType = core.getInput(constants.INPUT_JAVA_PACKAGE);
|
|
const jdkFile = core.getInput(constants.INPUT_JDK_FILE);
|
|
const cache = core.getInput(constants.INPUT_CACHE);
|
|
const cacheDependencyPath = core.getInput(
|
|
constants.INPUT_CACHE_DEPENDENCY_PATH
|
|
);
|
|
const checkLatest = getBooleanInput(constants.INPUT_CHECK_LATEST, false);
|
|
const verifySignature = getBooleanInput(
|
|
constants.INPUT_VERIFY_SIGNATURE,
|
|
false
|
|
);
|
|
const verifySignaturePublicKey =
|
|
core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined;
|
|
let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID);
|
|
|
|
core.startGroup('Installed distributions');
|
|
|
|
if (versions.length !== toolchainIds.length) {
|
|
toolchainIds = [];
|
|
}
|
|
|
|
if (!versions.length && !versionFile) {
|
|
throw new Error('java-version or java-version-file input expected');
|
|
}
|
|
|
|
const installerInputsOptions: installerInputsOptions = {
|
|
architecture,
|
|
packageType,
|
|
checkLatest,
|
|
verifySignature,
|
|
verifySignaturePublicKey,
|
|
distributionName,
|
|
jdkFile,
|
|
toolchainIds
|
|
};
|
|
|
|
if (!versions.length) {
|
|
core.debug(
|
|
'java-version input is empty, looking for java-version-file input'
|
|
);
|
|
const content = fs.readFileSync(versionFile).toString().trim();
|
|
|
|
const version = getVersionFromFileContent(
|
|
content,
|
|
distributionName,
|
|
versionFile
|
|
);
|
|
core.debug(`Parsed version from file '${version}'`);
|
|
|
|
if (!version) {
|
|
throw new Error(
|
|
`No supported version was found in file ${versionFile}`
|
|
);
|
|
}
|
|
|
|
await installVersion(version, installerInputsOptions);
|
|
}
|
|
|
|
for (const [index, version] of versions.entries()) {
|
|
await installVersion(version, installerInputsOptions, index);
|
|
}
|
|
core.endGroup();
|
|
const matchersPath = path.join(__dirname, '..', '..', '.github');
|
|
core.info(`##[add-matcher]${path.join(matchersPath, 'java.json')}`);
|
|
|
|
await auth.configureAuthentication();
|
|
if (cache && isCacheFeatureAvailable()) {
|
|
await restore(cache, cacheDependencyPath);
|
|
}
|
|
} catch (error) {
|
|
core.setFailed((error as Error).message);
|
|
}
|
|
}
|
|
|
|
run();
|
|
|
|
async function installVersion(
|
|
version: string,
|
|
options: installerInputsOptions,
|
|
toolchainId = 0
|
|
) {
|
|
const {
|
|
distributionName,
|
|
jdkFile,
|
|
architecture,
|
|
packageType,
|
|
checkLatest,
|
|
verifySignature,
|
|
verifySignaturePublicKey,
|
|
toolchainIds
|
|
} = options;
|
|
|
|
const installerOptions: JavaInstallerOptions = {
|
|
architecture,
|
|
packageType,
|
|
checkLatest,
|
|
verifySignature,
|
|
verifySignaturePublicKey,
|
|
version
|
|
};
|
|
|
|
const distribution = getJavaDistribution(
|
|
distributionName,
|
|
installerOptions,
|
|
jdkFile
|
|
);
|
|
if (!distribution) {
|
|
throw new Error(
|
|
`No supported distribution was found for input ${distributionName}`
|
|
);
|
|
}
|
|
|
|
const result = await distribution.setupJava();
|
|
await toolchains.configureToolchains(
|
|
version,
|
|
distributionName,
|
|
result.path,
|
|
toolchainIds[toolchainId]
|
|
);
|
|
|
|
core.info('');
|
|
core.info('Java configuration:');
|
|
core.info(` Distribution: ${distributionName}`);
|
|
core.info(` Version: ${result.version}`);
|
|
core.info(` Path: ${result.path}`);
|
|
core.info('');
|
|
}
|
|
|
|
interface installerInputsOptions {
|
|
architecture: string;
|
|
packageType: string;
|
|
checkLatest: boolean;
|
|
verifySignature: boolean;
|
|
verifySignaturePublicKey: string | undefined;
|
|
distributionName: string;
|
|
jdkFile: string;
|
|
toolchainIds: Array<string>;
|
|
}
|