- Added a Validate Gradle wrapper step to the PR GitHub Action. There is the potential for a malicious actor to replace the original Gradle wrapper JAR with a modified one by submitting a pull request that seemingly only upgrades the Gradle version. This GitHub Action step verifies the checksum of the wrapper JAR to ensure that it has not been tampered with. More info here
- Added configuration to build.gradle so the -all distribution is downloaded after running the Gradle wrapper update command: ./gradlew wrapper --gradle-version X.Y.Z
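A workflow illustrating the validation step described in this PR, added here as an example and not the project's own workflow file; the workflow name, branch name and checkout action version are assumptions. The validation runs right after checkout and before any step that would execute `./gradlew`, so a pull request whose wrapper JAR checksum is not one published by Gradle fails before the JAR is ever run.

```yaml
# Added example, not the PR's own workflow file.
name: Validate Gradle wrapper

on:
  pull_request:
  push:
    branches: [main]          # branch name is an assumption

# Least privilege: the validation only needs to read the repository contents.
permissions:
  contents: read

jobs:
  validate-wrapper:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Compares the SHA-256 of gradle/wrapper/gradle-wrapper.jar against the
      # checksums of official wrapper JARs published by Gradle and fails the
      # job on any mismatch, i.e. on a replaced or modified JAR.
      - name: Validate Gradle wrapper
        uses: gradle/wrapper-validation-action@v1

      # Keep this job a required status check so that build jobs which run
      # ./gradlew do not start until the wrapper JAR has been validated.
```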