New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate gradlew scripts #16
Comments
That doesn't always really work. Some organizations modify their gradlew scripts when updating them in order to, for example, increase the memory the wrapper is given. When doing that, the checksum can't be validated. |
That's a fair point, but I still think that there should be an option (or another step in the workflow) to check the scripts for those who don't need to modify them. |
@eskatos how difficult would it be to also generate SHA checksums for the |
@JLLeitschuh it shouldn't be difficult. But it'll require work to automate generating the hashes, publishing them where appropriate etc.. You could have a look at how the wrapper jar hashes are handled, it should be similar both in where and how it's done. Then we could update this action to consume them for more validation. As said above, I wonder what the signal/noise ratio would be given the line endings potential problem and the fact it is intended that people modify it if they need to e.g. change the Gradle client VM options. |
I would vote for an opt-out of the additional check (in the sense of security first). |
|
I also agree. While some users may modify their scripts, I have not personally seen it before. It would be incredibly nice to have in order to verify the integrity of the scripts. An opt out is a fine solution in my opinion. And I think normalization of line endings would be the way to go as already mentioned. |
Also validate
gradlew
andgradlew.bat
scripts.These are not blobs so it is harder to overlook something, but I think these should be checked too.
The text was updated successfully, but these errors were encountered: