Unable to setup java when using self-hosted runner behind proxy with authorization (must upgrade http-client version)

[pkrulec-cen57570]

Description:
TLDR: Update http-client dependency to 1.0.11.

We have a self-hosted runner which is behind a corporate proxy with authorization. We use CNTLM for the auth via NTLMv2 and the self-hosted runner is configured to use "http://localhost:3128" (where CNTLM listens) as HTTP and HTTPS proxy.

Once the Action is executed, it fails with following error:

Run actions/setup-java@v2
Trying to resolve the latest version from remote
##[debug]Gathering available versions from 'https://api.adoptopenjdk.net/v3/assets/version/%5B1.0,100.0%5D?project=jdk&vendor=adoptopenjdk&heap_size=normal&sort_method=DEFAULT&sort_order=DESC&os=linux&architecture=x64&image_type=jdk&release_type=ga&jvm_impl=hotspot&page_size=20&page=0'
(node:259) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Error: tunneling socket could not be established, statusCode=407
##[debug]Node Action run completed with exit code 1

This is due to a bug in http-client which has been fixed in version 1.0.11.

Task version:
v2.3.0

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Repro steps:

1. Setup CNTLM to authorize requests to corporate proxy
2. Setup self-hosted runner to use your CNTLM as a proxy
3. Execute a workflow with actions/setup-java

Expected behavior:
Action setup-java does not pass empty credentials to proxy, lets CNTLM use it's own configured credentials and downloads and installs java on the runner.

Actual behavior:
Action setup-java passes empty credentials to proxy, CNTLM forwards those empty credentials to parent proxy and gets 407 Proxy authorization required.

[dmitry-shibanov]

Hello @pavelkrulec-ext96968. We released a new version of setup-java and updated v2 tag. Could you please confirm that it resolves your issue.

[dmitry-shibanov]

Hello everyone. I'm closing the issue, because the new version of action was released. If you have any concerns feel free to ping us.

[kamlesh-singh-ey]

Run actions/setup-java@v2
Trying to resolve the latest version from remote
(node:7105) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Error: tunneling socket could not be established, statusCode=407

I am facing the same issue, even after using the V2 tag.

[dmitry-shibanov]

Hello @kamlesh-singh-ey. Could you please try to use the latest major tag to test it ?

[to-wi]

Run actions/setup-java@v3
Trying to resolve the latest version from remote
(node:2214075) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use node --trace-deprecation ... to show where the warning was created)
Error: tunneling socket could not be established, statusCode=407

it is still the same for me, even on v3. any hints?

the proxy settings are picked up, because in the worker logs I can see
[INFO HostContext] Configuring authenticated proxy http://user:password@myproxy.com:3128 for all HTTP requests.