Automatically perform wrapper validation check in setup-gradle
#12
Comments
Is there any timeline on this happening?
I would recommend adding the Gradle wrapper validation check immediately after checkout in any workflow that may run a Gradle wrapper. This eliminates the risk of potentially running a bad wrapper at all in any workflow. For example:

```yaml
name: Build
on: [ push, pull_request ]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/wrapper-validation-action@v1
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew clean build
```
I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like
@bigdaz this looks like it may be possible now that Gradle publishes snapshot checksums, right?
If they are still not published, this could easily be mitigated by introducing a switch to disable wrapper validation for SNAPSHOT versions or completely. However, having validation enabled by default would make everyone safer.
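The checksum comparison and the snapshot switch discussed in this thread, sketched as an added example (not code from gradle/actions or from any commenter). The function names, the two allowlists, and the way the snapshot switch is modelled are assumptions; the sample jars are constructed byte strings, not real wrappers.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def validate_wrappers(root, release_sums, snapshot_sums=frozenset(), allow_snapshots=False):
    """Return {relative path: sha256} for every gradle-wrapper.jar that is not allowed."""
    allowed = set(release_sums)
    if allow_snapshots:
        # Assumed model of the switch: snapshot checksums join the allowlist.
        allowed |= set(snapshot_sums)
    rejected = {}
    # Scan the whole checkout: a bad wrapper may sit in a nested or vendored build.
    for jar in sorted(Path(root).rglob("gradle-wrapper.jar")):
        digest = sha256_of(jar)
        if digest not in allowed:
            rejected[jar.relative_to(root).as_posix()] = digest
    return rejected


def demo():
    # Constructed sample data standing in for wrapper jars.
    release, snapshot, tampered = b"release wrapper", b"snapshot wrapper", b"tampered wrapper"
    release_sums = {hashlib.sha256(release).hexdigest()}
    snapshot_sums = {hashlib.sha256(snapshot).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub, data in (("app", release), ("nightly", snapshot), ("vendor/lib", tampered)):
            wrapper_dir = root / sub / "gradle" / "wrapper"
            wrapper_dir.mkdir(parents=True)
            (wrapper_dir / "gradle-wrapper.jar").write_bytes(data)
        strict = validate_wrappers(root, release_sums, snapshot_sums)
        lenient = validate_wrappers(root, release_sums, snapshot_sums, allow_snapshots=True)
    return sorted(strict), sorted(lenient)


if __name__ == "__main__":
    strict, lenient = demo()
    print("rejected (snapshots disallowed):", strict)
    print("rejected (snapshots allowed):   ", lenient)
```

With snapshots disallowed, both the snapshot and the tampered jar are rejected; allowing snapshots still rejects the tampered one, which is why the check has to run before any `./gradlew` step.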
- Add 'allow-snapshot-wrappers' input parameter
- Default 'validate-wrappers' to 'true'

Fixes #12
Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.
Doing this automatically for any workflow using `setup-gradle` and `dependency-submission` would increase coverage of wrapper validation and reduce the complexity for users adopting Gradle with GitHub actions. The functionality already exists with the `validate-wrappers` parameter: this issue is about enabling this by default.

Issues outstanding to allow this: