Closed sullis closed 3 years ago
@mockitoguy
Apart from the fact that we're using Travis, not GitHub Actions, what is the purpose of performing additional validation?
@koral-- That validation can be useful to confirm that the wrapper upgrade proposed in a PR is not a rogue one. For example, that check could detect a malicious gradle-wrapper.jar which always downloads Gradle from an arbitrary location, ignoring the defined SHA hash.
However, as you noted, using Travis instead of GitHub Actions is a very good point, which complicates that PR in ShipKit ;).
Gradle's GitHub Action validates the Gradle wrapper jar against a known list of valid checksums.
The gradle-wrapper.properties file in the ShipKit repo could contain a rogue checksum.
OK, now I get it. So it seems that we can have this GH Action validation in parallel with Travis. GitHub allows multiple PR checks. What do you think, guys?
For me it's OK to validate gradle-wrapper using GH Actions.
ping @mstachniuk @koral--
https://blog.gradle.org/gradle-wrapper-checksum-verification-github-action
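The two checks discussed in this thread, as an added example that is not ShipKit's code and not Gradle's wrapper-validation action itself: hash `gradle-wrapper.jar` and accept it only if its SHA-256 is on an allowlist of known-good wrapper digests, and confirm that `gradle-wrapper.properties` pins a `distributionSha256Sum` equal to the expected published checksum. Assumptions: `sha256sum` (or `shasum`) is on PATH, the allowlist is a local file with one hex digest per line, and the expected distribution checksum is passed in by the caller; the real action fetches both from services.gradle.org instead. All sample files below are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example, not project code. Offline stand-in for the wrapper-validation
# check: a rogue gradle-wrapper.jar has a digest nobody published, and a rogue
# gradle-wrapper.properties pins a checksum that does not match the real one.

# sha256_of FILE -> lowercase hex digest (assumes sha256sum, falls back to shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# validate_wrapper JAR ALLOWLIST -> 0 if JAR's digest is a whole line in ALLOWLIST
validate_wrapper() {
    jar="$1"; allowlist="$2"
    [ -f "$jar" ] || { echo "FAIL: missing wrapper jar $jar" >&2; return 1; }
    digest=$(sha256_of "$jar")
    if grep -qx "$digest" "$allowlist"; then
        echo "OK: $jar sha256=$digest is a known wrapper"
        return 0
    fi
    echo "FAIL: $jar sha256=$digest is not a known wrapper" >&2
    return 1
}

# distribution_sha_of PROPERTIES -> the pinned distributionSha256Sum, empty if absent
distribution_sha_of() {
    sed -n 's/^distributionSha256Sum=//p' "$1"
}

# validate_properties PROPERTIES EXPECTED_SHA
# Fails when no checksum is pinned (the wrapper would then skip verification)
# or when the pinned value differs from the expected published checksum.
validate_properties() {
    props="$1"; expected="$2"
    pinned=$(distribution_sha_of "$props")
    [ -n "$pinned" ] || { echo "FAIL: $props pins no distributionSha256Sum" >&2; return 1; }
    [ "$pinned" = "$expected" ] || { echo "FAIL: $props pins $pinned, expected $expected" >&2; return 1; }
    echo "OK: $props pins the expected distribution checksum"
}

# --- constructed demo data (not real Gradle artifacts) -----------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed known wrapper bytes\n'    > "$demo_dir/good.jar"
printf 'constructed tampered wrapper bytes\n' > "$demo_dir/bad.jar"
printf 'constructed distribution bytes\n'     > "$demo_dir/dist.zip"
sha256_of "$demo_dir/good.jar" > "$demo_dir/allowlist.txt"   # allowlist knows only good.jar
known_dist_sha=$(sha256_of "$demo_dir/dist.zip")             # stands in for the published value
cat > "$demo_dir/gradle-wrapper.properties" <<EOF
distributionUrl=https\://example.invalid/gradle-bin.zip
distributionSha256Sum=$known_dist_sha
EOF
printf 'distributionUrl=https\\://example.invalid/gradle-bin.zip\n' > "$demo_dir/unpinned.properties"

# Demo run: the tampered jar and the unpinned properties file are rejected.
validate_wrapper "$demo_dir/good.jar" "$demo_dir/allowlist.txt"
validate_wrapper "$demo_dir/bad.jar"  "$demo_dir/allowlist.txt" || echo "rejected as expected"
validate_properties "$demo_dir/gradle-wrapper.properties" "$known_dist_sha"
validate_properties "$demo_dir/unpinned.properties" "$known_dist_sha" || echo "rejected as expected"
```

Both checks belong in the PR gate, not in the wrapper itself: a tampered `gradlew`/`gradle-wrapper.jar` can silently skip its own checksum logic, so the comparison has to be done by something the PR cannot modify, such as a CI job reading a trusted allowlist.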