joreilly / Confetti

KMP GraphQL based conference project with Jetpack Compose Android, Compose for Wear, Compose Multiplatform and SwiftUI iOS clients along with GraphQL backend.
Apache License 2.0

Enable Gradle distribution verification #1463

Closed asos-edgeorge closed 3 weeks ago

asos-edgeorge commented 4 weeks ago

Enables Gradle distribution verification by adding the expected distributionSha256Sum value for Gradle 8.10 within the gradle/wrapper/gradle-wrapper.properties file. This ensures that any local/CI processes only use the verified and expected distribution of Gradle, protecting against supply-chain-style attacks. [^1]

You can verify this works as expected locally by running:

./gradlew wrapper --gradle-version=8.10 --distribution-type=bin --gradle-distribution-sha256-sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a

Finally, it's my understanding that Renovate should be able to update this value if it is present in future Gradle version updates. It's worth noting that #1442 may need to be rebased or otherwise re-generated should this be merged.

✨ Any questions, feel free to ask!

[^1]: There's a fun talk and blog about this...
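A CI-side check for the property this PR adds, written as an added example that is not part of the Confetti project or the PR: it parses `gradle-wrapper.properties`, flags a missing or malformed `distributionSha256Sum` (or a non-official download host), and reproduces the comparison the wrapper itself performs after downloading the zip. The sample properties file is constructed here around the Gradle 8.10 checksum quoted above; the function names are assumptions of this example.

```python
import hashlib
import re

# Constructed sample of gradle/wrapper/gradle-wrapper.properties, pinned with the
# Gradle 8.10 checksum from the PR description (other keys are Gradle's standard ones).
PINNED_PROPERTIES = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-8.10-bin.zip
distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""

OFFICIAL_DIST_PREFIX = "https://services.gradle.org/distributions/"


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, with the '\\:' escape undone."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def audit_wrapper(text):
    """Return a list of findings; an empty list means the wrapper is pinned and verifiable."""
    props = parse_properties(text)
    findings = []
    if not props.get("distributionUrl", "").startswith(OFFICIAL_DIST_PREFIX):
        findings.append("distributionUrl does not point at the official HTTPS Gradle host")
    digest = props.get("distributionSha256Sum")
    if digest is None:
        findings.append("distributionSha256Sum missing: downloaded distribution is not verified")
    elif not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        findings.append("distributionSha256Sum is not a 64-hex-digit SHA-256")
    return findings


def verify_distribution(zip_bytes, expected_sha256):
    """The check the wrapper runs after download: SHA-256 of the zip must equal the pin."""
    return hashlib.sha256(zip_bytes).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    print(audit_wrapper(PINNED_PROPERTIES) or "wrapper properties OK")
```

Run `audit_wrapper` over the repository's real `gradle/wrapper/gradle-wrapper.properties` in CI to catch a future Gradle bump that drops the pin.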

martinbonnin commented 3 weeks ago

Happy droidcon London everyone 🎃 !