fix(#858): add SHA256 entries for sources jars and Gradle distribution #15
Merged
Conversation
…all versions The Kotlin Gradle plugin (build classpath, separate from the project's declared kotlin 2.3.21 runtime) brings in kotlin-reflect 2.3.0 and kotlin-stdlib 2.3.0 as transitive deps. The third-pass verification report flagged their .pom and .module metadata files as missing checksums. Changes: - <trusted-artifacts> regex pattern for *-sources.jar and *-javadoc.jar (IDE/dev artifacts, never on runtime classpath — the right scalable fix for IDE source-resolution sync). - Explicit <component> for gradle:gradle:9.4.1 (gradle-9.4.1-src.zip is a .zip, not a .jar, so doesn't match the regex). - Explicit <component> for kotlin-reflect:2.3.0 (.pom) and kotlin-stdlib:2.3.0 (.module) — these are real runtime metadata files at the version pulled by the Kotlin Gradle plugin's own dependency tree, distinct from the project's 2.3.21. Removed the per-file -sources.jar entries from the first cut: now covered by the regex. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…tadata When a contributor bumps a dependency, Gradle wrapper, or plugin, the verification metadata needs new SHA256 entries. Doing this by hand is error-prone — `./gradlew --write-verification-metadata sha256 help` only resolves what `help` happens to touch, which misses the plugin classpath, test classpath, and several other resolution paths. Added scripts/update-verification-metadata.sh: - Wraps `--write-verification-metadata sha256` with the right task list (help, :dependencies for runtimeClasspath, :buildEnvironment, :compileKotlin, :compileTestKotlin) so every classpath the project actually uses gets covered in one invocation. - Forces --refresh-dependencies so SHAs match upstream Maven Central bytes, not stale cache from another machine. - Defensively confirms the <trusted-artifacts> regex block survived the regeneration; restores from backup with a loud error if it didn't. - Prints a diff summary and explicit next-step commands (review, add, or revert). Also includes the 3 entries the script discovered the existing config was missing: groovy-bom-4.0.11.module, junit-bom-5.13.1.module, and junit-bom-5.9.2.pom. (Gradle's regen also strips XML comments — the rationale for trusted-artifacts now lives in the script header instead, since that's where contributors look when this gets weird.) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bash script was *nix-only — Windows contributors using PowerShell or
cmd had no way to run it. Replaced with an `updateVerificationMetadata`
Gradle task in build.gradle.kts, which works on every platform via the
existing gradlew/gradlew.bat entry points.
Same invocation everywhere:
./gradlew updateVerificationMetadata # macOS / Linux / WSL / Git Bash
gradlew.bat updateVerificationMetadata # Windows native
Implementation detail: the task uses ProcessBuilder rather than the
deprecated `project.exec { }` API. Detects Windows via os.name and
chooses gradlew.bat vs ./gradlew accordingly. All other behavior
(snapshot, regen, trust-block defensive check, diff summary, next-step
hints) carries over from the bash script.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
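The trust-block check and the "regex vs. explicit component" reasoning from the commits above, as an added example that is not code from this PR or its repository. It assumes the standard Gradle verification-metadata layout; the XML sample is constructed and its sha256 values are placeholders.

```python
# Added example, not the PR's code: sample XML is constructed, sha256 values are placeholders.
import re
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <trusted-artifacts>
      <trust file=".*-sources[.]jar" regex="true" reason="IDE only, never on a runtime classpath"/>
      <trust file=".*-javadoc[.]jar" regex="true" reason="IDE only, never on a runtime classpath"/>
    </trusted-artifacts>
  </configuration>
  <components>
    <component group="gradle" name="gradle" version="9.4.1">
      <artifact name="gradle-9.4.1-src.zip"><sha256 value="PLACEHOLDER_SHA256"/></artifact>
    </component>
    <component group="org.jetbrains.kotlin" name="kotlin-reflect" version="2.3.0">
      <artifact name="kotlin-reflect-2.3.0.pom"><sha256 value="PLACEHOLDER_SHA256"/></artifact>
    </component>
  </components>
</verification-metadata>
"""
# Constructed: what the file looks like after a regeneration that dropped the trust block.
STRIPPED = re.sub(r"<trusted-artifacts>.*?</trusted-artifacts>", "", SAMPLE, flags=re.S)

def trusted_patterns(xml_text):
    """Compiled regexes from <trust ... regex="true"> entries."""
    root = ET.fromstring(xml_text)
    trusts = root.findall("./v:configuration/v:trusted-artifacts/v:trust", NS)
    return [re.compile(t.get("file")) for t in trusts if t.get("regex") == "true" and t.get("file")]

def pinned_files(xml_text):
    """Artifact file names that carry an explicit sha256."""
    root = ET.fromstring(xml_text)
    return {a.get("name") for a in root.findall(".//v:artifact", NS) if a.find("v:sha256", NS) is not None}

def trust_block_intact(xml_text, required=(r".*-sources[.]jar", r".*-javadoc[.]jar")):
    """Defensive check: every required regex must still be present after regeneration."""
    present = {p.pattern for p in trusted_patterns(xml_text)}
    return all(r in present for r in required)

def classify(xml_text, filenames):
    """Map each file to 'pinned', 'trusted' (Gradle matches the whole file name) or 'MISSING'."""
    pats, pinned = trusted_patterns(xml_text), pinned_files(xml_text)
    return {f: "pinned" if f in pinned
               else "trusted" if any(p.fullmatch(f) for p in pats)
               else "MISSING" for f in filenames}
```

Running `classify` over the names a resolution touched shows why `gradle-9.4.1-src.zip` and the `.pom`/`.module` files need explicit components while any `*-sources.jar` is covered by the regex.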
No description provided.