Automatically perform wrapper validation check in setup-gradle #12

Open
bigdaz opened this issue Jan 28, 2022 · 5 comments
Labels
enhancement New feature or request

Comments

@bigdaz
Member

bigdaz commented Jan 28, 2022

Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.

Doing this automatically for any workflow using setup-gradle would increase coverage of wrapper validation and reduce the complexity for users adopting Gradle with GitHub Actions.

We could also leverage the wrapper-check to avoid executing an invalid wrapper jar in dependency-submission.

@bigdaz bigdaz added the enhancement New feature or request label Jan 28, 2022
@eygraber

Is there any timeline on this happening?

@erichaagdev
Member

> Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.

I would recommend adding the Gradle wrapper validation check immediately after checkout in any workflow that may run a Gradle wrapper. This eliminates the risk of potentially running a bad wrapper at all in any workflow. For example:

name: Build
on: [ push, pull_request ]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/wrapper-validation-action@v1
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew clean build

@JLLeitschuh
Contributor

I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.

@bigdaz bigdaz transferred this issue from gradle/gradle-build-action Feb 1, 2024
@JLLeitschuh
Contributor

@bigdaz this looks like it may be possible now that Gradle publishes snapshot checksums, right?

@bigdaz bigdaz changed the title from "Automatically perform wrapper validation check" to "Automatically perform wrapper validation check in setup-gradle" Feb 9, 2024
@leonard84
Member

> I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.

If they are still not published, this could easily be mitigated by introducing a switch to disable wrapper validation for SNAPSHOT versions or completely. However, having validation enabled by default would make everyone safer.
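
The check discussed in this thread, with the proposed SNAPSHOT switch, sketched as an added example (not part of the thread and not the action's own code): every `gradle-wrapper.jar` in the checkout is hashed and compared against a known-good SHA-256 set, and anything unknown fails unless the workflow has explicitly opted in to skipping snapshot wrappers. The function names, the `allow_snapshots` parameter, the `distributions-snapshots` URL marker and the sample tree are assumptions; the known-good set here is constructed, where a real check would use Gradle's published wrapper checksums.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """SHA-256 of a file as lowercase hex (wrapper jars are small enough to read whole)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def is_snapshot_wrapper(jar):
    """True if the sibling gradle-wrapper.properties names a snapshot distribution."""
    props = jar.with_name("gradle-wrapper.properties")
    if not props.is_file():
        return False
    for line in props.read_text(encoding="utf-8", errors="replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "distributionUrl":
            return "distributions-snapshots" in value  # assumed URL marker
    return False

def validate_wrappers(root, known_checksums, allow_snapshots=False):
    """Return (ok, report); every gradle-wrapper.jar under root gets a status."""
    root, report = Path(root), {}
    for jar in sorted(p for p in root.rglob("gradle-wrapper.jar") if p.is_file()):
        if sha256_file(jar) in known_checksums:
            status = "valid"
        elif allow_snapshots and is_snapshot_wrapper(jar):
            status = "skipped-snapshot"  # NOT verified: the properties file is untrusted
        else:
            status = "invalid"
        report[jar.relative_to(root).as_posix()] = status
    return "invalid" not in report.values(), report

def build_demo_checkout(root):
    """Constructed sample tree; returns the constructed known-good checksum set."""
    samples = {"app": (b"constructed-good-jar", "distributions/gradle-X.Y-bin.zip"),
               "lib": (b"constructed-tampered-jar", "distributions/gradle-X.Y-bin.zip"),
               "nightly": (b"constructed-snapshot-jar", "distributions-snapshots/gradle-X.Y-bin.zip")}
    for name, (jar_bytes, dist) in samples.items():
        wrapper_dir = Path(root, name, "gradle", "wrapper")
        wrapper_dir.mkdir(parents=True)
        (wrapper_dir / "gradle-wrapper.jar").write_bytes(jar_bytes)
        (wrapper_dir / "gradle-wrapper.properties").write_text(
            "distributionUrl=https\\://services.gradle.org/" + dist + "\n", encoding="utf-8")
    return {hashlib.sha256(b"constructed-good-jar").hexdigest()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(validate_wrappers(tmp, build_demo_checkout(tmp), allow_snapshots=True))
```

Because `gradle-wrapper.properties` comes from the same checkout as the jar, a pull request can label any jar as a snapshot build, so the skip is safe only as an explicit workflow-level opt-in that stays off by default.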
