Add checkGradleChecksum.sh to verify gradle wrapper jars on CI #436

Merged: 1 commit, Aug 20, 2019

ZacSweers
Contributor

Followup from the discussion in #433

This adds a CI check to verify the gradle wrapper jar checksum before running any gradle builds, using guidance from https://docs.gradle.org/current/userguide/gradle_wrapper.html#wrapper_checksum_verification

My bash-fu isn't amazing, so I'm sure there's a cleaner way to parse the gradle version out of that property file.

Successful pass looks like this:

$ ./.ci/checkGradleChecksum.sh    
Checking Gradle wrapper jar for version: 5.6
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    64  100    64    0     0    127      0 --:--:-- --:--:-- --:--:--   127
gradle-wrapper.jar: OK

Failure looks like this and fails the build:

$ ./.ci/checkGradleChecksum.sh                                                                                                          
Checking Gradle wrapper jar for version: 5.6
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    64  100    64    0     0    102      0 --:--:-- --:--:-- --:--:--   102
gradle-wrapper2.jar: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
Gradle wrapper failed checksum verification. Please investigate.

@ZacSweers
Contributor Author

In action on CI

image

@ZacSweers ZacSweers changed the title Add checkGradleChecksum.sh to verify gradle jars on CI Add checkGradleChecksum.sh to verify gradle wrapper jars on CI Aug 20, 2019
@nedtwigg
Member

Awesome! I'll slowly copy-paste this around my other projects as well, thanks! Might be worth a blog post / discuss.gradle.org post. Nice to have something to just copy-paste.

@nedtwigg nedtwigg merged commit aa9484e into diffplug:master Aug 20, 2019
@ZacSweers ZacSweers deleted the z/verifyChecksum branch August 20, 2019 03:58
@ZacSweers
Contributor Author

Yeah, and I'm sure it can be improved as well. They do technically have a mechanism to set an expected checksum as a property in that file, but then you have to manually update it every time you update gradle. This felt like a happy medium to always try whatever version your properties script is pinned to.
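
The check described in this PR, written out as an added example (not the script merged here and not the project's own code): it reads the pinned version from gradle-wrapper.properties, fetches the published .sha256 for that version, and compares it with the local jar, validating both the parsed version and the downloaded checksum first. The function names, the gradle/wrapper default path and the --check flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script merged in this PR. Function names, the
# gradle/wrapper default path and the --check flag are assumptions.

# Print the Gradle version pinned by distributionUrl, e.g. "5.6".
wrapper_version() {
  tr -d '\r' < "$1" |
    sed -nE 's#^distributionUrl=.*/gradle-(.+)-(bin|all)\.zip$#\1#p' | head -n 1
}

# Only allow versions that are safe to place in the checksum URL.
is_valid_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}(-[A-Za-z0-9]+)*$'
}

# A published checksum is exactly 64 hex characters; anything else (an HTML
# error page, a truncated download) is rejected before comparison.
is_sha256() {
  [ "${#1}" -eq 64 ] && printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Exit 0 on match, 1 on mismatch or unreadable jar, 2 on malformed checksum.
verify_jar() (
  expected="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
  is_sha256 "$expected" || { echo "Malformed expected checksum" >&2; exit 2; }
  [ "$(sha256_of "$2")" = "$expected" ]
)

check_wrapper() (
  dir="${1:-gradle/wrapper}"
  version="$(wrapper_version "$dir/gradle-wrapper.properties")"
  is_valid_version "$version" || { echo "Cannot parse Gradle version" >&2; exit 2; }
  echo "Checking Gradle wrapper jar for version: $version"
  expected="$(curl --fail --silent --show-error --location --proto '=https' \
    "https://services.gradle.org/distributions/gradle-${version}-wrapper.jar.sha256")" ||
    { echo "Could not fetch published checksum" >&2; exit 2; }
  verify_jar "$expected" "$dir/gradle-wrapper.jar" && { echo "gradle-wrapper.jar: OK"; exit 0; }
  echo "Gradle wrapper failed checksum verification. Please investigate." >&2
  exit 1
)

# The network check runs only on request: ./checkGradleChecksum.sh --check
if [ "${1:-}" = "--check" ]; then check_wrapper "${2:-}"; exit $?; fi
```

Run it as the first CI step, before any ./gradlew invocation, so a mismatching jar fails the build before it is ever executed.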
