gradle/actions

Automatically perform wrapper validation check in `setup-gradle`

Closed this issue · 5 comments

Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.

Doing this automatically for any workflow using setup-gradle and dependency-submission would increase coverage of wrapper validation and reduce the complexity for users adopting Gradle with GitHub Actions. The functionality already exists with the validate-wrappers parameter: this issue is about enabling this by default.

Issues outstanding to allow this:

Is there any timeline on this happening?

Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.

I would recommend adding the Gradle wrapper validation check immediately after checkout in any workflow that may run a Gradle wrapper. This eliminates the risk of potentially running a bad wrapper at all in any workflow. For example:

name: Build
on: [ push, pull_request ]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Validate the checked-out gradle-wrapper.jar before any later step can execute it
      - uses: gradle/wrapper-validation-action@v1
      - uses: gradle/gradle-build-action@v2
      - run: ./gradlew clean build

I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.

@bigdaz this looks like it may be possible now that Gradle publishes snapshot checksums, right?

I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.

If they are still not published, this could easily be mitigated by introducing a switch to disable wrapper validation for SNAPSHOT versions or completely. However, having validation enabled by default would make everyone safer.
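As an added example (not part of this thread or the gradle/actions code), here is an offline Python model of what a wrapper validation step does: hash the checked-out gradle-wrapper.jar, compare it with a trusted checksum list, and, as the last comment proposes, apply an opt-in switch for SNAPSHOT wrappers that have no published checksum. The checksum set, jar bytes and properties contents are constructed, and the function names are assumptions of this example.

```python
"""Offline model of a Gradle wrapper validation step: hash gradle-wrapper.jar
and compare it with a trusted checksum list. Sample data below is constructed."""
import hashlib
import re

# distributionUrl as written in gradle-wrapper.properties (':' is escaped there)
_DIST_RE = re.compile(r"distributionUrl=(?P<url>\S+)")
_VERSION_RE = re.compile(r"gradle-(?P<version>[^/]+?)-(?:bin|all)\.zip$")

def wrapper_version(properties_text: str) -> str:
    """Return the Gradle version the wrapper will download."""
    m = _DIST_RE.search(properties_text)
    if not m:
        raise ValueError("distributionUrl missing from gradle-wrapper.properties")
    url = m.group("url").replace("\\:", ":")
    v = _VERSION_RE.search(url)
    if not v:
        raise ValueError(f"unrecognised distributionUrl: {url}")
    return v.group("version")

def is_snapshot(version: str) -> bool:
    """Snapshot builds carry a timestamp (e.g. 8.8-20240318120000+0000) and,
    as the thread notes, may have no published wrapper checksum."""
    return bool(re.search(r"-\d{14}[+-]\d{4}$", version)) or "SNAPSHOT" in version.upper()

def validate_wrapper(jar_bytes: bytes, properties_text: str,
                     trusted_sha256: set, allow_snapshots: bool = False):
    """Return (ok, reason). An unknown SHA-256 fails the build unless the
    wrapper points at a snapshot and the caller opted in with allow_snapshots."""
    digest = hashlib.sha256(jar_bytes).hexdigest()
    if digest in trusted_sha256:
        return True, f"wrapper jar sha256 {digest[:12]}... is trusted"
    version = wrapper_version(properties_text)
    if allow_snapshots and is_snapshot(version):
        return True, f"snapshot {version}: no published checksum, skipped by policy"
    return False, f"untrusted wrapper jar for Gradle {version}: sha256={digest}"

# Constructed sample inputs: a stand-in "jar", a tampered copy, and the one
# checksum we choose to trust (a real run would use Gradle's published list).
GOOD_JAR = b"PK\x03\x04 constructed stand-in for gradle-wrapper.jar"
TAMPERED_JAR = GOOD_JAR + b"\x00"
TRUSTED = {hashlib.sha256(GOOD_JAR).hexdigest()}
RELEASE_PROPS = "distributionUrl=https\\://services.gradle.org/distributions/gradle-8.5-bin.zip\n"
SNAPSHOT_PROPS = ("distributionUrl=https\\://services.gradle.org/distributions-snapshots/"
                  "gradle-8.8-20240318120000+0000-bin.zip\n")

if __name__ == "__main__":
    for jar, props, allow in [(GOOD_JAR, RELEASE_PROPS, False), (TAMPERED_JAR, RELEASE_PROPS, False),
                              (TAMPERED_JAR, SNAPSHOT_PROPS, True)]:
        print(validate_wrapper(jar, props, TRUSTED, allow))
```

The tampered release wrapper fails closed, while the same unknown jar passes only when it belongs to a snapshot build and the snapshot switch is explicitly enabled.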