ci/reproducible builds: pin Java version (#6447)

* ci/reproducible builds: pin Java version * ci/reproducible builds: fix aarch64 builds * ci/reproducible builds: chech java hash
2026-03-29 10:09:59 +00:00 · 2025-11-20 09:33:37 +00:00
parent f853f84d03
commit 247ab16a74
1 changed files with 23 additions and 5 deletions
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -6,7 +6,9 @@ FROM ubuntu:${TAG} AS build

 ARG GHC=9.6.3
 ARG CABAL=3.10.2.0
-ARG JAVA=17
+ARG JAVA_VER=17.0.17.10.1
+ARG JAVA_HASH_AMD64=e3e11daa5c22a45153bbeff1a0c21bf08631791e4e8d8ed14deba31c7cf9af1a
+ARG JAVA_HASH_ARM64=2b460859b681757b33a7591b6238ecaf51569d05d2684984e5f0a89c6514acbc

 ENV TZ=Etc/UTC \
    DEBIAN_FRONTEND=noninteractive
@@ -44,10 +46,26 @@ RUN apt-get update && \
 # depends on libjpeg.so.8 and liblcms2.so.2 which are NOT copied into final
 # /usr/lib/runtime/lib directory and I do not have time to figure out gradle.kotlin
 # to fix this :(
-RUN curl --proto '=https' --tlsv1.2 -sSf 'https://apt.corretto.aws/corretto.key' | gpg --dearmor -o /usr/share/keyrings/corretto-keyring.gpg &&\
-    echo "deb [signed-by=/usr/share/keyrings/corretto-keyring.gpg] https://apt.corretto.aws stable main" > /etc/apt/sources.list.d/corretto.list &&\
-    apt update &&\
-    apt install -y java-${JAVA}-amazon-corretto-jdk
+RUN export JAVA_FILENAME='java-corretto.deb' \
+           JAVA_VER_MAJOR=$(printf "${JAVA_VER}" | awk -F. '{print $1}') \
+           JAVA_VER_DEB=$(printf "${JAVA_VER}" | sed 's/\.1$/-1/') && \
+    case "$(uname -m)" in \
+        x86_64)  export JAVA_ARCH='amd64' JAVA_HASH="$JAVA_HASH_AMD64" ;; \
+        aarch64) export JAVA_ARCH='arm64' JAVA_HASH="$JAVA_HASH_ARM64" ;; \
+        *) echo "unknown arch $(uname -m)" && exit 1 ;; \
+    esac && \
+    curl --proto '=https' --tlsv1.2 -sSf \
+         "https://corretto.aws/downloads/resources/${JAVA_VER}/java-${JAVA_VER_MAJOR}-amazon-corretto-jdk_${JAVA_VER_DEB}_${JAVA_ARCH}.deb" \
+         -o "${JAVA_FILENAME}" && \
+    if echo "${JAVA_HASH}  ${JAVA_FILENAME}" | sha256sum -c -; then \
+        if apt install -y ./"${JAVA_FILENAME}"; then \
+            rm ./"${JAVA_FILENAME}"; \
+        else \
+            echo "Failed to install Java Corretto" && exit 1; \
+        fi \
+    else \
+        echo "Checksum mismatch" && exit 1; \
+    fi

 # Specify bootstrap Haskell versions
 ENV BOOTSTRAP_HASKELL_GHC_VERSION=${GHC}