Document wrapper-validation with Git LFS

docs/wrapper-validation.md

@@ -102,7 +102,8 @@ A wrapper jar can fail validation for a few reasons:
 1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
    or `allow-snapshot-wrappers` to `true`.
 2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
-3. The wrapper jar was not published by Gradle, and could be compromised.
+3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
+4. The wrapper jar was not published by Gradle, and could be compromised.
 
 If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
@@ -113,6 +114,17 @@ Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable beca
 - If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
 - If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
 
+#### Wrapper Jar stored with Git LFS
+If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
+restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
+
+```
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true  # gradle-wrapper.jar verification will fail without this
+```
+
 ## Resources
 
 To learn more about verifying the Gradle Wrapper JAR locally, see our