mockito / shipkit

Toolkit for shipping it used by Mockito library
http://shipkit.org
MIT License
158 stars, 35 forks

add Gradle Wrapper validation #881

Closed sullis closed 3 years ago

sullis commented 4 years ago

https://blog.gradle.org/gradle-wrapper-checksum-verification-github-action 

sullis commented 4 years ago
[screenshot attached: Screen Shot 2020-08-23 at 12 34 58 PM]

@mockitoguy

szpak commented 4 years ago

> Apart from the fact that we're using Travis, not GitHub Actions, what is the purpose of performing additional validation?

@koral-- That validation can be useful to confirm that the wrapper upgrade proposed in a PR is not a rogue one. For example, that check could detect a malicious gradle-wrapper.jar that always downloads Gradle from an arbitrary location, ignoring the defined SHA hash.

However, as you noted, using Travis instead of GitHub Actions is a very good point that complicates that PR in Shipkit ;).

sullis commented 4 years ago

> Apart from the fact that we're using Travis, not GitHub Actions, what is the purpose of performing additional validation?

> @koral-- That validation can be useful to confirm that the wrapper upgrade proposed in a PR is not a rogue one. For example, that check could detect a malicious gradle-wrapper.jar that always downloads Gradle from an arbitrary location, ignoring the defined SHA hash.

Gradle's GitHub Action validates the Gradle wrapper jar against a known list of valid checksums.

The gradle-wrapper.properties file in the ShipKit repo could contain a rogue checksum.
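What the validation described above actually does, written out as an added example (this is not Shipkit code and not the Gradle action's source): hash every gradle-wrapper.jar in the checkout and require the SHA-256 to appear in the list of checksums Gradle publishes for released wrapper jars. The jar bytes, the versions feed and the checksum bodies below are constructed stand-ins; the `wrapperChecksumUrl` field and the `*-wrapper.jar.sha256` URL shape are assumed to follow the real https://services.gradle.org/versions/all feed, which a CI job would fetch over HTTPS instead of reading from a dict.

```python
import hashlib
import json
import os
import tempfile
from typing import Callable, Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256, the form Gradle publishes in *-wrapper.jar.sha256 files."""
    return hashlib.sha256(data).hexdigest()


# Constructed fake jar contents (assumption: real wrapper jars are full ZIP archives).
GOOD_JAR = b"PK\x03\x04" + b"constructed stand-in for a released gradle-wrapper.jar"
ROGUE_JAR = b"PK\x03\x04" + b"constructed stand-in for a tampered jar that ignores distributionSha256Sum"

# Constructed stand-in for the JSON served at https://services.gradle.org/versions/all.
# Only the fields this check reads are included; entry shape is an assumption.
VERSIONS_JSON = json.dumps([
    {"version": "6.6", "snapshot": False,
     "wrapperChecksumUrl": "https://services.gradle.org/distributions/gradle-6.6-wrapper.jar.sha256"},
    {"version": "6.6-rc-1", "snapshot": False,
     "wrapperChecksumUrl": "https://services.gradle.org/distributions/gradle-6.6-rc-1-wrapper.jar.sha256"},
    {"version": "6.7-20200823000000+0000", "snapshot": True,
     "wrapperChecksumUrl": "https://services.gradle.org/distributions-snapshots/gradle-6.7-20200823000000+0000-wrapper.jar.sha256"},
    {"version": "0.9", "snapshot": False},  # old releases without a published wrapper checksum
])

# Constructed bodies for those checksum URLs; a CI job would HTTP GET them.
CHECKSUM_BODIES: Dict[str, str] = {
    "https://services.gradle.org/distributions/gradle-6.6-wrapper.jar.sha256": sha256_hex(GOOD_JAR) + "\n",
    "https://services.gradle.org/distributions/gradle-6.6-rc-1-wrapper.jar.sha256": sha256_hex(b"rc1 jar") + "\n",
    "https://services.gradle.org/distributions-snapshots/gradle-6.7-20200823000000+0000-wrapper.jar.sha256":
        sha256_hex(b"snapshot jar") + "\n",
}


def known_wrapper_checksums(versions_json: str, fetch: Callable[[str], str],
                            include_snapshots: bool = False) -> Set[str]:
    """Build the allowlist of wrapper-jar SHA-256 values from the versions feed."""
    allowed: Set[str] = set()
    for entry in json.loads(versions_json):
        url = entry.get("wrapperChecksumUrl")
        if not url:
            continue
        if entry.get("snapshot") and not include_snapshots:
            continue
        allowed.add(fetch(url).strip().lower())
    return allowed


def find_wrapper_jars(root: str) -> List[str]:
    """Every gradle-wrapper.jar under root; a multi-project repo may carry several."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "gradle-wrapper.jar":
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def verify_wrapper_jars(jar_paths: List[str], allowed: Set[str]) -> Dict[str, bool]:
    """Map each jar path to True when its SHA-256 is in the allowlist.

    The hash is taken over the jar bytes themselves, so a jar rebuilt to ignore
    distributionSha256Sum in gradle-wrapper.properties fails here regardless of
    what that properties file claims.
    """
    report: Dict[str, bool] = {}
    for path in jar_paths:
        with open(path, "rb") as fh:
            report[path] = sha256_hex(fh.read()) in allowed
    return report


def demo() -> Dict[str, bool]:
    """Lay out a fake checkout with one clean and one tampered wrapper and verify both."""
    allowed = known_wrapper_checksums(VERSIONS_JSON, lambda url: CHECKSUM_BODIES[url])
    with tempfile.TemporaryDirectory() as root:
        for sub, data in (("gradle/wrapper", GOOD_JAR), ("sub/gradle/wrapper", ROGUE_JAR)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "gradle-wrapper.jar"), "wb") as fh:
                fh.write(data)
        report = verify_wrapper_jars(find_wrapper_jars(root), allowed)
    # Strip the temp-dir prefix so the result is stable for the caller.
    return {os.path.relpath(path, root): ok for path, ok in report.items()}


if __name__ == "__main__":
    results = demo()
    for path, ok in results.items():
        print(("OK   " if ok else "FAIL ") + path)
    raise SystemExit(0 if all(results.values()) else 1)
```

Run as a PR check this exits non-zero on the tampered jar, which is the outcome the thread wants: the allowlist comes from Gradle's servers, not from anything in the repository, so a PR that swaps the jar cannot also swap the reference it is compared against. Snapshot wrappers are excluded by default because a release repo should never ship one.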

koral-- commented 4 years ago

OK, now I get it. So it seems that we can have this GH Action validation in parallel with Travis. GitHub allows multiple PR checks. What do you think, guys?

mstachniuk commented 4 years ago

For me it's ok to validate gradle-wrapper using GH Actions.

sullis commented 3 years ago

ping @mstachniuk @koral--