Add support for Amazon Corretto binaries

[giltene]

With work being done towards adding additional binary distributions of OpenJDK as options (likely under the "distro" option, see e.g. #67), it would be useful to include Amazon Corretto among the distro options.

[alvdavi]

Corretto member here.

Looking at #67, yes, that seems to be a valid framework for us

[WtfJoke]

Would be also interested.

The releases can be found in:
https://github.com/corretto/corretto-8/releases
or
https://github.com/corretto/corretto-11/releases
or
https://github.com/corretto/corretto-jdk/releases (jdk15+)

I could imagine to contribute towards it, but we dont have any GITHUB TOKEN available in order to make authenticated github api calls (to query the releases). So this might be a dealbreaker to support coretto in this action.

[WtfJoke]

@dmitry-shibanov @konradpabjan any ideas how we can solve that restriction with the github api calls? Would introduce an optional github token a viable solution?

[maxim-lobanov]

Does Corretto provides any API except GitHub Repos API?
There is a way to use GitHub System token but I worry that anyway, it will require a huge number of API calls since you will have to paginate a lot of pages with releases through GitHub API that will impact action performance.

[eddumelendez]

why don't use foojay api which provide urls for all providers

See #142

[maxim-lobanov]

#142 (comment)

I do have have some security concerns too that might make this a blocker (following up on this). Using the Disco API introduces a single point of failure that if compromised could for example lead to malicious binaries being downloaded. Given that the Disco API is outside of the control of GitHub and the attack surface this could be very concerning for a lot of our customers (Enterprise in particular). The API is also fairly new (~3 months).

[giltene]

If the distro selected provides signatures (which Corretto, in this example does) and the foojay disco API provided those signatures, we can easily verify the authenticity of the binary pulled, and rule out any possibility of an intermediate party being g compromised and maliciously pointing to wrong binaries. All it will take is for setup-java to have a [statically maintained] set of known/trusted distro signers.

[WtfJoke]

Does Corretto provides any API except GitHub Repos API?

According to Correto Documentation 8/11/16 it seems like the only way to access older version is github (across these 3 repos).

However they provide the latest version as a permalink in following format:
https://corretto.aws/latest/amazon-corretto-[corretto_version]-[cpu_arch]-[os]-[package_type].[file_extension]

For example:
https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz
redirects to
https://corretto.aws/downloads/resources/11.0.11.9.1/amazon-corretto-11.0.11.9.1-linux-x64.tar.gz

So I guess you could construct urls to download specific versions (or latest). But as they seem to have their own versioning format you wont be able to use unspecific versions like 11.0.11 (without crawling release names before).

EDIT:
About the versioning format:

The source code for each release is recorded by a branch or a tag with a name of this form. XXX stands for the OpenJDK 8 update number, YY for the OpenJDK 8 build number, and Z for the Corretto-specific revision number. The latter starts at 1 and is incremented in subsequent releases as long as the update and build number remain constant.

@alvdavi do you know if you provide any sort of api for coretto?

EDIT2: I guess fetching all tags of those repos could be a way without doing too many requests and get to know the versions.

[joschi]

@alvdavi do you know if you provide any sort of api for coretto?

@benty-amzn @hyandell @cliveverghese Any input on this? 😃

[alex-schwartzman-at-stratify]

Even if GITHUB_TOKEN is required, it is still better than nothing. There are options - some developers may use their personal access tokens, others may use a GitHub App installed, which has all the access.

[alex-schwartzman-at-stratify]

EDIT2: I guess fetching all tags of those repos could be a way without doing too many requests and get to know the versions.

For the start, it would be sufficient to have the latest of 8,11,15 :) And the permalink format would work perfectly for that purpose.

[alex-schwartzman-at-stratify]

For those who are still suffering of missing Corretto11, one may use plain jdkfile distribution of setup-java

      - name: Cache jdk binary
        uses: actions/cache@v2
        with:
          path: ${{ runner.temp }}/jdk
          key: ${{ runner.os }}-jdk-11
          restore-keys: ${{ runner.os }}-jdk

      - name: retrieve latest corretto 11 jdk
        run: |
          test -d ${{ runner.temp }}/jdk || mkdir ${{ runner.temp }}/jdk
          test -f ${{ runner.temp }}/jdk/amazon-corretto-11-x64-linux-jdk.tar.gz || ( wget -qP ${{ runner.temp }}/jdk https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz )
          

      - name: Set up JDK 11 from file
        uses: actions/setup-java@v2
        with:
          distribution: 'jdkfile'
          jdkFile: ${{ runner.temp }}/jdk/amazon-corretto-11-x64-linux-jdk.tar.gz
          java-version: '11.0.0'
          architecture: x64
          cache: "maven"

Please, note Cache jdk binary - it will spare the extra download from amazon. With all the downsides of the caching, of course :)

[WtfJoke]

Please, note Cache jdk binary - it will spare the extra download from amazon. With all the downsides of the caching, of course :)

Forgot to share our workflow. It has the advantage that its only cached, when no new verison is released.
It uses curl to follow the redirect (-L) to get the final url, but dont download anything (-I). That url is the cache key, so as soon as a new coretto version is released a new version is downloaded and cached right away (when there is no new version, it will be restored from the cache) :)

      - name: Get latest Corretto URL
        id: get-latest-corretto-url
        run: >-
          echo "::set-output name=URL::$(curl -LIs -o /dev/null -w
          %{url_effective}
          https://corretto.aws/downloads/latest/amazon-corretto-8-x64-linux-jdk.tar.gz)"
      - uses: actions/cache@v2
        id: corretto-cache
        name: Restore Corretto
        with:
          path: ./amazon-corretto-8-x64-linux-jdk.tar.gz
          key: >-
            ${{ runner.os }}-corretto-${{
            steps.get-latest-corretto-url.outputs.URL }}
      - name: Download AWS Corretto
        if: steps.corretto-cache.outputs.cache-hit != 'true'
        run: >-
          wget
          https://corretto.aws/downloads/latest/amazon-corretto-8-x64-linux-jdk.tar.gz
      - name: Set up JDK 1.8
        uses: actions/setup-java@v2
        with:
          distribution: jdkfile
          java-version: '8'
          architecture: x64
          jdkFile: ./amazon-corretto-8-x64-linux-jdk.tar.gz

EDIT: The provided link of lutkerd refers to that github page: https://corretto.github.io/corretto-downloads/

[gliptak]

there is also https://github.com/corretto/corretto-17

https://github.com/corretto/corretto-17/releases

https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/downloads-list.html

[lutkerd]

Corretto has published a json file that contains the latest versions and hashes of the releases. The resources in indexmap_with_checksum.json will be the latest available versions via http://corretto.aws/<resource>.

[WtfJoke]

I've opened up a PR (#312) to support the installation of the available major corretto versions (eg 8, 11, 15, 16, 17, 18).

It uses the indexmap_with_checksum.json, which @lutkerd linked to from https://corretto.github.io/corretto-downloads/

[musketyr]

hi @deki. I believe, you need to use v3 of setup-java action.

[deki]

Thanks, just noticed it as well and deleted the comment but you were to fast ;-)