add package scripts from https://github.com/Project516/NumberGuessing… #13
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds cross-platform packaging scripts and release automation so the Java CLI app can be shipped as ready-to-run archives, including platform-specific bundles with an embedded JRE.
Changes:
- Add simple
run.sh/run.batlaunchers and ascripts/readme to support packaged distributions. - Introduce
package-zip.sh,package-win.sh,package-mac.sh, andpackage-linux.shto build generic and OS-specific archives (with bundled JREs for Windows/macOS/Linux). - Extend the GitHub Actions release workflow to call the new packaging scripts and upload the new archives as release assets.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
scripts/run.sh |
Shell launcher for app.jar used in the generic ZIP distribution. |
scripts/run.bat |
Windows launcher for app.jar used in the generic ZIP distribution. |
scripts/README.md |
Brief documentation describing the purpose of the packaging scripts. |
package-zip.sh |
Builds the generic JavaAppTemplate.zip distribution with the fat JAR plus launcher scripts and docs. |
package-win.sh |
Builds a Windows-specific ZIP with a bundled Windows JRE and a launcher batch file (currently has a JAR name mismatch between game.jar and app.jar). |
package-mac.sh |
Builds a macOS ZIP with a bundled macOS JRE and a launcher shell script using the JRE’s Contents/Home layout. |
package-linux.sh |
Builds a Linux .tar.xz with a bundled Linux JRE and a launcher shell script. |
.github/workflows/release.yml |
Updates the release workflow to invoke the new packaging scripts and upload all generated archives as release assets (currently triggers redundant Gradle builds). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Build JAR with Gradle | ||
| run: ./gradlew build | ||
|
|
||
| - name: Build ZIP archive | ||
| run: ./package-zip.sh | ||
|
|
||
| - name: Build Windows package with bundled JRE | ||
| run: ./package-win.sh | ||
|
|
||
| - name: Build macOS package with bundled JRE | ||
| run: ./package-mac.sh | ||
|
|
||
| - name: Build Linux package with bundled JRE | ||
| run: ./package-linux.sh |
There was a problem hiding this comment.
With the addition of these packaging steps, ./gradlew build is now executed once in the workflow (line 26) and again inside each of package-zip.sh, package-win.sh, package-mac.sh, and package-linux.sh. This causes up to five Gradle builds per release, which is unnecessary work on CI; consider either dropping the standalone "Build JAR" step and relying on the packaging scripts, or parameterizing the scripts so they can reuse an existing build when run from the workflow.
| cat > ${PACKAGE_NAME}/run.bat << 'EOF' | ||
| @echo off | ||
| jre\bin\java.exe -jar app.jar |
There was a problem hiding this comment.
In this packaging script the JAR is copied as game.jar (line 34), but the generated run.bat below invokes java.exe -jar app.jar (line 46). This mismatch means the bundled Windows package will fail at runtime with "Unable to access jarfile app.jar" because that file does not exist in the package; the name used in the copy command and the batch launcher should be made consistent (either both app.jar or both game.jar).
| jre\bin\java.exe -jar app.jar | |
| jre\bin\java.exe -jar game.jar |
| ADOPTIUM_BASE_URL="https://api.adoptium.net/v3/binary/latest/25/ga" | ||
|
|
||
| # Clean up any previous builds | ||
| rm -rf ${PACKAGE_NAME} | ||
| rm -rf ${JRE_DIR} | ||
| rm -f ${PACKAGE_NAME}.zip | ||
|
|
||
| # Build the application using Gradle | ||
| echo "Building application..." | ||
| ./gradlew build | ||
|
|
||
| # Download JRE for Windows from Eclipse Adoptium | ||
| echo "Downloading JRE for Windows..." | ||
| mkdir -p ${JRE_DIR} | ||
| curl -L "${ADOPTIUM_BASE_URL}/windows/x64/jre/hotspot/normal/eclipse?project=jdk" -o ${JRE_DIR}/jre-windows.zip |
There was a problem hiding this comment.
This script downloads a Windows JRE from ADOPTIUM_BASE_URL using curl with a mutable latest selector and immediately bundles it without any checksum or signature verification. If an attacker compromises the Adoptium endpoint or the network path, the build will silently package and distribute a malicious JRE that end users execute via run.bat, enabling a supply-chain compromise. To harden this, pin to a specific JRE build and verify its integrity (e.g., checksum or signature) before extraction, failing the build on mismatch.
| ADOPTIUM_BASE_URL="https://api.adoptium.net/v3/binary/latest/25/ga" | ||
|
|
||
| # Clean up any previous builds | ||
| rm -rf ${PACKAGE_NAME} | ||
| rm -rf ${JRE_DIR} | ||
| rm -f ${PACKAGE_NAME}.zip | ||
|
|
||
| # Build the application using Gradle | ||
| echo "Building application..." | ||
| ./gradlew build | ||
|
|
||
| # Download JRE for macOS from Eclipse Adoptium | ||
| echo "Downloading JRE for macOS..." | ||
| mkdir -p ${JRE_DIR} | ||
| curl -L "${ADOPTIUM_BASE_URL}/mac/x64/jre/hotspot/normal/eclipse?project=jdk" -o ${JRE_DIR}/jre-macos.tar.gz |
There was a problem hiding this comment.
This script downloads a macOS JRE from ADOPTIUM_BASE_URL using curl with a mutable latest selector and immediately bundles it without any checksum or signature verification. If an attacker compromises the Adoptium endpoint or the network path, the build will silently package and distribute a malicious JRE that end users execute via the generated run.sh, enabling a supply-chain compromise. To harden this, pin to a specific JRE build and verify its integrity (e.g., checksum or signature) before extraction, failing the build on mismatch.
| ADOPTIUM_BASE_URL="https://api.adoptium.net/v3/binary/latest/25/ga" | ||
|
|
||
| # Clean up any previous builds | ||
| rm -rf ${PACKAGE_NAME} | ||
| rm -rf ${JRE_DIR} | ||
| rm -f ${PACKAGE_NAME}.tar.xz | ||
| rm -f ${PACKAGE_NAME}.tar.gz | ||
|
|
||
| # Build the application using Gradle | ||
| echo "Building application..." | ||
| ./gradlew build | ||
|
|
||
| # Download JRE for Linux from Eclipse Adoptium | ||
| echo "Downloading JRE for Linux..." | ||
| mkdir -p ${JRE_DIR} | ||
| curl -L "${ADOPTIUM_BASE_URL}/linux/x64/jre/hotspot/normal/eclipse?project=jdk" -o ${JRE_DIR}/jre-linux.tar.gz |
There was a problem hiding this comment.
This script downloads a Linux JRE from ADOPTIUM_BASE_URL using curl with a mutable latest selector and immediately bundles it without any checksum or signature verification. If an attacker compromises the Adoptium endpoint or the network path, the build will silently package and distribute a malicious JRE that end users execute via the generated run.sh, enabling a supply-chain compromise. To harden this, pin to a specific JRE build and verify its integrity (e.g., checksum or signature) before extraction, failing the build on mismatch.
…Game