Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Gradle Wrapper files do not match version supplied in gradle-wrapper.properties #4276

Closed
ed-george opened this issue Mar 9, 2024 · 2 comments · Fixed by #4277
Closed

[Bug] Gradle Wrapper files do not match version supplied in gradle-wrapper.properties #4276

ed-george opened this issue Mar 9, 2024 · 2 comments · Fixed by #4277
Labels
bug needs triage

Comments

@ed-george
Copy link
Contributor

Describe the bug

The local Gradle wrapper related files within the project do not match the expected files for the Gradle version specified within the gradle-wrapper.properties file

distributionUrl=https\://services.gradle.org/distributions/gradle-8.2-bin.zip

This might be as the expected ./gradlew wrapper was not previously used to upgrade the wrapper and the file was edited manually

How to Reproduce

Run gradlew wrapper --gradle-version=8.2 --distribution-type=bin locally and observe there's a difference in a number of wrapper related files

$ ./gradlew wrapper --gradle-version=8.2 --distribution-type=bin

# [Truncated]

BUILD SUCCESSFUL in 5s
4 actionable tasks: 2 executed, 2 up-to-date 

$ git status --porcelain
 M gradle/wrapper/gradle-wrapper.jar
 M gradle/wrapper/gradle-wrapper.properties
 M gradlew
 M gradlew.bat

Expected behavior

gradlew wrapper --gradle-version=8.2 --distribution-type=bin --gradle-distribution-sha256-sum=38f66cd6eef217b4c35855bb11ea4e9fbc53594ccccb5fb82dfd317ef8c2c5a3

Running the above within the project will ensure the relevant Gradle wrapper files for Gradle 8.2 are added.

Additionally, by providing the expected SHA-256 checksum for the Gradle 8.2 distribution (source) in this way, a distributionSha256Sum property is created within gradle-wrapper.properties which provides additional protection against Gradle supply chain attacks by ensuring future downloads via the distributionUrl are matched against the checksum and failing the builds otherwise.

See this post and relevant docs for more information.

Environment

- All local/remote development environments
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 9, 2024

Thank you for opening an Issue in our Repository.
The issue has been forwarded to the team and we'll follow up as soon as we have time to investigate.
As stated in our Contribution Guidelines, requests for feedback should be addressed via the Feedback section in the Android app.

@ed-george ed-george mentioned this issue Mar 10, 2024
Merged
@joshliebe
Copy link
Contributor

Thanks for this, I’ll discuss it with the team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update Gradle Wrapper files
2 participants
@ed-george @joshliebe