Added Validate Gradle wrapper step on PR Github Action. There is the potential for a malicious actor to replace the original Gradle wrapper JAR with a modified one by submitting a pull request that seemingly only upgrades the Gradle version. This Github action step verifies the checksum of the Wrapper JAR to ensure that it has not been tampered. More info here
Added configuration on build.gradle so the -all distribution is downloaded after running the gradle update command: ./gradlew wrapper --gradle-version X.Y.Z
champo
commented
1 year ago
Validate Gradle wrapperstep on PR Github Action. There is the potential for a malicious actor to replace the original Gradle wrapper JAR with a modified one by submitting a pull request that seemingly only upgrades the Gradle version. This Github action step verifies the checksum of the Wrapper JAR to ensure that it has not been tampered. More info herebuild.gradleso the-alldistribution is downloaded after running the gradle update command:./gradlew wrapper --gradle-version X.Y.Z