Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add gradle wrapper validation #577

Merged
merged 2 commits into from
Sep 19, 2023
Merged

Add gradle wrapper validation #577

merged 2 commits into from
Sep 19, 2023

Conversation

jobarr-amzn
Copy link
Contributor

Issue #, if available: https://github.com/amazon-ion/ion-java/security/code-scanning/16

Description of changes:

We have a spurious "binary artifacts" alert from OSSF scorecard, for gradle-wrapper.jar.

According to ossf/scorecard#2039 this ought to be silenced if we use the gradle/wrapper-validation-action action.

Gradle publishes this workflow to allow validation of gradle wrapper JARs to ensure that they actually are the jars published by Gradle. See: https://github.com/gradle/wrapper-validation-action#add-to-an-existing-workflow

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jobarr-amzn
Add gradle wrapper validation
731370b 
Gradle publishes this workflow to allow validation of gradle wrapper JARs to ensure that they actually are the jars published by Gradle. See: https://github.com/gradle/wrapper-validation-action#add-to-an-existing-workflow
@codecov
Copy link

codecov bot commented Sep 19, 2023
edited
Loading

Codecov Report

Patch has no changes to coverable lines.

📢 Thoughts on this report? Let us know!.

@jobarr-amzn
Copy link
Contributor Author

From the jdk 17 run above:

Run gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
  with:
    min-wrapper-count: 1
    allow-snapshots: false
✓ Found known Gradle Wrapper JAR files:
  91941f522fbfd4431cf57e445fc3d5200c85f957bda2de5251353cf11174f4b5 gradle/wrapper/gradle-wrapper.jar

@jobarr-amzn jobarr-amzn merged commit 61c8a6c into master Sep 19, 2023
7 checks passed
@jobarr-amzn jobarr-amzn deleted the gradle-wrapper-validation branch January 16, 2024 19:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@popematt popematt popematt approved these changes

Assignees

@popematt popematt

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jobarr-amzn @popematt