Add force-download option for reproducible builds #979

@craigraw

Description:
Add a new option to this task to force a download of the JDK, rather than use the installed version in the tool cache. For example:

  - uses: actions/setup-java@v5
    with:
      distribution: temurin
      java-version: '25.0.2'
      force-download: true  # New option - ignore tool-cache

Justification:
Currently, GitHub runner images use apt-get install temurin-${version}-jdk to pre-install Java. Adoptium's Debian packages include a dependency on adoptium-ca-certificates (or integrate with ca-certificates-java). The cacerts file gets symlinked to /etc/ssl/certs/adoptium/cacerts, which is a shared keystore that integrates with the system's certificate store via update-ca-certificates.

This means the version of cacerts in the tool-cache is system dependent. When using a tool like jlink/jpackage, the cacerts gets bundled into the custom Java runtime image, making the build non-reproducible.

Forcing this action to perform a fresh download means that Java is simply extracted from the relevant .zip or tar.gz without modification of the cacerts file, resolving the issue.

Workaround
The workaround for now is to delete any Java installations in the tool-cache before running setup-java:

  - name: Clear Java tool-cache for reproducibility
    shell: bash
    run: rm -rf "$RUNNER_TOOL_CACHE"/Java_*
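
A check for the condition described in this issue, as an added example that is not part of the original issue or of the setup-java project: it reports whether a JDK's cacerts is a regular file as extracted from the archive or a symlink into the host certificate store. The function names and the lib/security/cacerts path (the JDK 9+ layout) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): classify a JDK's trust store so a
# build can refuse to bundle a host-dependent cacerts via jlink/jpackage.

# sha256_of FILE: print the hex SHA-256 of FILE
# (sha256sum on Linux runners, shasum on macOS runners).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# cacerts_status JDK_HOME
# Prints "regular <sha256>", "symlink <target>" or "missing <path>".
# Returns 0 for a regular file, 1 for a symlink, 2 if nothing is there.
cacerts_status() {
  local ks="$1/lib/security/cacerts"   # assumed JDK 9+ layout
  # Test -L first: -f follows symlinks and would report a link as a file.
  if [ -L "$ks" ]; then
    printf 'symlink %s\n' "$(readlink "$ks")"
    return 1
  elif [ -f "$ks" ]; then
    printf 'regular %s\n' "$(sha256_of "$ks")"
    return 0
  fi
  printf 'missing %s\n' "$ks"
  return 2
}

# require_pristine_cacerts JDK_HOME
# Fails the calling step, with a GitHub Actions error annotation, unless
# cacerts is a regular file inside the JDK directory.
require_pristine_cacerts() {
  local result
  if result="$(cacerts_status "$1")"; then
    echo "cacerts OK: $result"
  else
    echo "::error::cacerts is not the archive's own file: $result"
    return 1
  fi
}
```

In a workflow, call `require_pristine_cacerts "$JAVA_HOME"` in a step after setup-java; comparing the printed hash across runs also shows whether two runners bundled the same keystore.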
