Official Gradle Wrapper Validation GitHub Action #51066

Merged
merged 1 commit into from
Feb 27, 2020

JLLeitschuh
Contributor

@mark-vieira
Contributor

Very interesting. So the existing validation in place is only for the distribution, right? There's currently nothing that actually validates the wrapper itself has not been tampered with?

@JLLeitschuh
Contributor Author

There is an implied assumption that you are trusting services.gradle.org is serving the correct json at https://services.gradle.org/versions/all

Assuming that the gradle-wrapper.jar you have checked into your repository matches at least one of the SHA-512 checksums we publish for all of our releases, this action will pass.

@JLLeitschuh
Contributor Author

JLLeitschuh commented Jan 15, 2020

Ohhhh. I understand. Correct, the checksum verification that you can commit to gradle-wrapper.properties does not verify the gradle-wrapper.jar hasn't been tampered with.

The goal of this action is to fill this gap.
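The check described in the comments above, sketched as an added example that is not part of the original thread and is not the action's own code: it hashes every `gradle-wrapper.jar` under a repository root and reports any whose digest is missing from a list of published checksums. The function names, the constructed jar contents, and passing the published list in as an argument (rather than fetching it) are assumptions; the digest algorithm defaults to the SHA-512 mentioned above and is a parameter so it can match whatever the published list uses.

```python
import hashlib
import tempfile
from pathlib import Path

WRAPPER_JAR = "gradle-wrapper.jar"


def file_digest(path, algorithm):
    """Hex digest of a file, read in chunks so large jars are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_wrappers(repo_root, known_checksums, algorithm="sha512"):
    """Return (path, digest) for every wrapper jar whose digest is not published.

    known_checksums is an assumed input: hex digests of released wrapper jars,
    obtained out of band from the publisher's list.
    """
    known = {c.strip().lower() for c in known_checksums}
    unknown = []
    for jar in sorted(Path(repo_root).rglob(WRAPPER_JAR)):
        if jar.is_file():
            digest = file_digest(jar, algorithm)
            if digest not in known:
                unknown.append((jar, digest))
    return unknown


def demo():
    """Constructed repository: one jar matching the list, one modified copy."""
    release_bytes = b"constructed stand-in for a released gradle-wrapper.jar"
    published = [hashlib.sha512(release_bytes).hexdigest()]
    with tempfile.TemporaryDirectory() as root:
        good = Path(root, "gradle", "wrapper", WRAPPER_JAR)
        bad = Path(root, "buildSrc", "gradle", "wrapper", WRAPPER_JAR)
        for jar, content in ((good, release_bytes), (bad, release_bytes + b"\x00")):
            jar.parent.mkdir(parents=True)
            jar.write_bytes(content)
        failures = validate_wrappers(root, published)
        return [p.relative_to(root).as_posix() for p, _ in failures]


if __name__ == "__main__":
    print(demo())  # paths of wrapper jars that match no published checksum
```

A CI job built on this would fail whenever the returned list is non-empty, which catches a modified jar even in a nested build such as `buildSrc`.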

@cbuescher cbuescher added the :Delivery/Build Build or test infrastructure label Jan 16, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-core-infra (:Core/Infra/Build)

@JLLeitschuh
Contributor Author

Ping @mark-vieira

@rjernst rjernst requested a review from mark-vieira February 19, 2020 00:44
@rjernst
Member

rjernst commented Feb 26, 2020

@mark-vieira can you please review this?

Contributor

@mark-vieira mark-vieira left a comment

Sorry for the delay on this. Thanks for the submission @JLLeitschuh.

@mark-vieira mark-vieira merged commit 8bf265e into elastic:master Feb 27, 2020
@mark-vieira mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020