Comments (5)
Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.
I would recommend adding the Gradle wrapper validation check immediately after checkout in any workflow that may run a Gradle wrapper. This eliminates the risk of potentially running a bad wrapper at all in any workflow. For example:
```yaml
name: Build
on: [ push, pull_request ]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Verify the checked-in gradle-wrapper.jar before any step can execute it
      - uses: gradle/wrapper-validation-action@v1
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew clean build
```
Is there any timeline on this happening?
I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.
@bigdaz this looks like it may be possible now that Gradle publishes snapshot checksums, right?
> I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.

If they are still not published, this could easily be mitigated by introducing a switch to disable wrapper validation for SNAPSHOT versions or completely. However, having validation enabled by default would make everyone safer.
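The check the thread is discussing (hash every checked-in `gradle-wrapper.jar` and refuse to proceed unless the hash is a known-good one), together with the "skip SNAPSHOT wrappers" switch proposed in the last comment, as an added example. This is not the code of `gradle/wrapper-validation-action` or of the `setup-gradle` / `gradle-build-action` project; it is a standalone POSIX shell script that compares against a local allowlist file (one `sha256  label` line per known wrapper) rather than the checksums the real action fetches from services.gradle.org, so it runs offline. The function names `validate_wrappers`, `sha256_of` and `is_snapshot_wrapper`, the allowlist format, and the heuristic that a snapshot distribution has "snapshot" in its `distributionUrl` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the action's own code): offline allowlist check of
# every gradle-wrapper.jar in a checkout, with an optional snapshot bypass.
set -eu

# Hex SHA-256 of one file; sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the gradle-wrapper.properties next to the jar points at a
# snapshot distribution. Assumption: snapshot URLs contain "snapshot".
is_snapshot_wrapper() {
    props="$(dirname "$1")/gradle-wrapper.properties"
    [ -f "$props" ] || return 1
    grep -i '^distributionUrl=.*snapshot' "$props" >/dev/null 2>&1
}

# validate_wrappers ROOT ALLOWLIST [ALLOW_SNAPSHOT]
#   Finds every gradle-wrapper.jar under ROOT and requires its SHA-256 to
#   appear at the start of a line in ALLOWLIST. With ALLOW_SNAPSHOT=1, jars
#   whose properties point at a snapshot distribution are skipped (the
#   switch proposed in the thread); the default is to check everything.
#   Exit status: 0 all checked jars known, 1 at least one unknown jar,
#   2 no wrapper jar found at all (a misconfigured check should not pass).
validate_wrappers() {
    root="$1"; allowlist="$2"; allow_snapshot="${3:-0}"
    found=0; bad=0
    list="$(mktemp)"
    find "$root" -type f -name 'gradle-wrapper.jar' > "$list"
    while IFS= read -r jar; do
        found=$((found + 1))
        if [ "$allow_snapshot" = "1" ] && is_snapshot_wrapper "$jar"; then
            echo "SKIP    $jar (snapshot distribution)"
            continue
        fi
        hash="$(sha256_of "$jar")"
        if grep -q "^$hash" "$allowlist"; then
            echo "OK      $jar sha256=$hash"
        else
            echo "UNKNOWN $jar sha256=$hash"
            bad=$((bad + 1))
        fi
    done < "$list"
    rm -f "$list"
    if [ "$found" -eq 0 ]; then
        echo "no gradle-wrapper.jar found under $root" >&2
        return 2
    fi
    [ "$bad" -eq 0 ]
}

# Usage: ./check-wrapper.sh <repo-root> <allowlist-file> [1]
if [ "$#" -ge 2 ]; then
    validate_wrappers "$@"
fi
```

In a workflow this would run as a step directly after `actions/checkout`, before any `./gradlew` invocation, so a tampered jar is never executed; an allowlist seeded from the official checksum list is the offline equivalent of what the action downloads at run time. Note that the snapshot bypass deliberately trusts the properties file that ships alongside the jar, so an attacker who can replace the jar can also flip the URL to a snapshot one; the bypass is only a convenience for projects that build against pre-release Gradle, which is why validation stays on by default.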