Automatically perform wrapper validation check in `setup-gradle`
Closed this issue · 5 comments
Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.

Doing this automatically for any workflow using setup-gradle and dependency-submission would increase coverage of wrapper validation and reduce the complexity for users adopting Gradle with GitHub actions. The functionality already exists with the validate-wrappers parameter: this issue is about enabling this by default.

Issues outstanding to allow this:
Is there any timeline on this happening?
> Currently, we recommend that users configure a separate workflow running the wrapper-validation-action to verify that the Gradle wrapper jar is not corrupted.

I would recommend adding the Gradle wrapper validation check immediately after checkout in any workflow that may run a Gradle wrapper. This eliminates the risk of potentially running a bad wrapper at all in any workflow. For example:

```yaml
name: Build
on: [ push, pull_request ]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: gradle/wrapper-validation-action@v1
    - uses: gradle/gradle-build-action@v2
    - run: ./gradlew clean build
```
I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.
@bigdaz this looks like it may be possible now that Gradle publishes snapshot checksums, right?
> I think the biggest thing blocking this from happening is that currently Gradle doesn't publish wrapper SHAs for SNAPSHOT releases. As such, projects like gradle/gradle can't use the verification action because it is regularly using pre-release builds to build Gradle.
If they are still not published, this could easily be mitigated by introducing a switch to disable wrapper validation for SNAPSHOT versions or completely. However, having validation enabled by default would make everyone safer.
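As an added example (not code from this issue, from gradle/actions, or from the wrapper-validation-action), here is the check the thread is discussing written as a POSIX sh step: hash the wrapper jar, require its digest to appear in a list of known-good digests, and provide the "disable for SNAPSHOT versions" switch suggested in the last comment. The known-good list file (which you would populate from the checksums Gradle publishes) and the ALLOW_SNAPSHOT_WRAPPERS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the action's own code. Validates a checked-out Gradle
# wrapper jar against a file of known-good sha256 digests (one per line).
# KNOWN_GOOD is assumed to be built from Gradle's published checksums; the
# test below constructs one. ALLOW_SNAPSHOT_WRAPPERS=1 is a hypothetical
# switch modelling the "skip for SNAPSHOT versions" idea from the thread.

sha256_of() {
  # Portable digest: GNU coreutils, with a BSD/macOS fallback.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# is_snapshot_wrapper PROPERTIES_FILE
# 0 if distributionUrl points at a snapshot distribution, 1 otherwise.
is_snapshot_wrapper() {
  grep -Eq '^distributionUrl=.*(distributions-snapshots/|-snapshot)' "$1" 2>/dev/null
}

# validate_wrapper PROJECT_DIR KNOWN_GOOD_FILE
# 0 if the jar digest is known-good (or validation is deliberately skipped
# for a snapshot wrapper), 1 on a missing jar or an unknown digest.
validate_wrapper() {
  dir="$1"; known="$2"
  jar="$dir/gradle/wrapper/gradle-wrapper.jar"
  props="$dir/gradle/wrapper/gradle-wrapper.properties"
  if [ ! -f "$jar" ]; then
    echo "no wrapper jar at $jar" >&2
    return 1
  fi
  if [ "${ALLOW_SNAPSHOT_WRAPPERS:-0}" = "1" ] && is_snapshot_wrapper "$props"; then
    echo "snapshot wrapper: validation skipped (ALLOW_SNAPSHOT_WRAPPERS=1)" >&2
    return 0
  fi
  digest=$(sha256_of "$jar")
  if grep -qx "$digest" "$known"; then
    echo "wrapper jar OK ($digest)" >&2
    return 0
  fi
  echo "wrapper jar digest $digest is not in the known-good list: FAIL" >&2
  return 1
}
```

Run it as the first step after checkout, before any `./gradlew` invocation, so an unknown jar fails the job before it can execute.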