
Commit 505612c

[GHA] Fix mvnw checksum pinning
Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
1 parent 9fd8692 commit 505612c

1 file changed

Lines changed: 22 additions & 6 deletions


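--- a/.github/workflows/update-maven.yml
+++ b/.github/workflows/update-maven.yml
@@ -41,21 +41,37 @@ jobs:
 VERSION: ${{ steps.maven.outputs.version }}
 run: ./mvnw wrapper:wrapper -Dmaven="${VERSION}"
 
-- name: Patch SHA512 into wrapper properties
-# Add the SHA to properties file.
-# We might need the -L for curl, as after a new release all old SHA files will move to archive folder.
+- name: Patch SHA256 into wrapper properties
+# Apache Maven only publishes .sha512 files, so we download the zip and compute SHA-256 locally.
+# We might need the -L for curl, as after a new release all old files will move to archive folder.
 env:
 VERSION: ${{ steps.maven.outputs.version }}
 run: |
 MAJOR=$(echo "$VERSION" | cut -d. -f1)
-SHA=$(curl -sL "https://downloads.apache.org/maven/maven-${MAJOR}/${VERSION}/binaries/apache-maven-${VERSION}-bin.zip.sha512")
-if [[ ! "$SHA" =~ ^[0-9a-f]{128}$ ]]; then
+BASE_URL="https://downloads.apache.org/maven/maven-${MAJOR}/${VERSION}/binaries/apache-maven-${VERSION}-bin.zip"
+ZIP=$(mktemp)
+curl -sLf "$BASE_URL" -o "$ZIP"
+EXPECTED_SHA512=$(curl -sLf "${BASE_URL}.sha512")
+if [[ ! "$EXPECTED_SHA512" =~ ^[0-9a-f]{128}$ ]]; then
 echo "Error: invalid SHA-512 checksum downloaded for Maven ${VERSION}" >&2
 exit 1
 fi
+ACTUAL_SHA512=$(sha512sum "$ZIP" | awk '{print $1}')
+if [[ "$ACTUAL_SHA512" != "$EXPECTED_SHA512" ]]; then
+echo "Error: SHA-512 mismatch for Maven ${VERSION} zip (expected: ${EXPECTED_SHA512}, got: ${ACTUAL_SHA512})" >&2
+exit 1
+fi
+SHA256=$(sha256sum "$ZIP" | awk '{print $1}')
+rm -f "$ZIP"
+if [[ ! "$SHA256" =~ ^[0-9a-f]{64}$ ]]; then
+echo "Error: failed to compute a valid SHA-256 checksum for Maven ${VERSION}" >&2
+exit 1
+fi
 PROPS=".mvn/wrapper/maven-wrapper.properties"
+sed -i '/^distributionSha256Sum=/d' "$PROPS"
+echo "distributionSha256Sum=${SHA256}" >> "$PROPS"
+# remove entry for SHA-512 if present, as it is not yet supported by wrapper
 sed -i '/^distributionSha512Sum=/d' "$PROPS"
-echo "distributionSha512Sum=${SHA}" >> "$PROPS"
 
 - name: Open PR if changed
 uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # 8.1.1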
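Review bot: The SHA-256 written to `distributionSha256Sum` (new lines 64–72) is computed from a zip whose only attestation is the `.sha512` fetched from the same host over the same channel, so the cross-check at new lines 59–63 catches a corrupt or partial download but not an artifact substituted on that host — whatever is served gets pinned for every later build. Apache also publishes a detached `.asc` signature beside the binary and a project `KEYS` file, so verifying the signature before hashing gives the pin an independent trust root, as sketched below; fetching KEYS from the same host still roots trust there, so pinning the expected signing-key fingerprint in the workflow is what actually decouples it, and the default `bash -e` for `run:` turns a failed verify into a failed step. Separately, the `mktemp` file is only removed on the success path at new line 65; a `trap 'rm -f "$ZIP" "$ZIP.asc"' EXIT` right after `ZIP=$(mktemp)` covers the three `exit 1` branches as well. The enclosing `jobs:` mapping and the step list continue outside the hunk.
```yaml
          ZIP=$(mktemp)
          trap 'rm -f "$ZIP" "$ZIP.asc"' EXIT
          curl -sLf "$BASE_URL" -o "$ZIP"
          curl -sLf "${BASE_URL}.asc" -o "$ZIP.asc"
          curl -sLf "https://downloads.apache.org/maven/KEYS" | gpg --import
          gpg --verify "$ZIP.asc" "$ZIP"
          # … unchanged: SHA-512 cross-check, SHA-256 computation, properties update …
```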
