mirror of
https://github.com/gradle/wrapper-validation-action
synced 2024-11-27 10:42:03 +00:00
Clarify reporting failures documentation
This commit is contained in:
parent
cc54f530e7
commit
d39c60192d
1 changed files with 5 additions and 9 deletions
14
README.md
14
README.md
|
@ -92,17 +92,13 @@ From there, you can easily follow the rest of the prompts to create a Pull Reque
|
|||
If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
|
||||
we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
|
||||
|
||||
**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
|
||||
|
||||
If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
|
||||
|
||||
If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
|
||||
and one of our valid release, you can compare them using this online utility: [DiffScope](https://try.diffoscope.org/).
|
||||
Regardless of what you find, we still kindly request that you reach out to us and let us know about any issues you encountered.
|
||||
|
||||
|
||||
**Note:** When _initially_ applying this action to your project,
|
||||
if your `gradle-wrapper.jar` was generated by Gradle 3.3 to 4.0, the check will fail.
|
||||
This is because these `gradle-wrapper.jar` versions were dynamically generated by Gradle in a non-reproducible manner.
|
||||
As such, it's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison.
|
||||
If the Gradle version in use is out of this range it is possible that your Wrapper JAR is out of sync.
|
||||
To fix this run `./gradlew wrapper`. If the Gradle version in use is in the problematic range, you should consider upgrading.
|
||||
Regardless of what you find, we still kindly request that you reach out to us and let us know.
|
||||
|
||||
## Resources
|
||||
|
||||
|
|
Loading…
Reference in a new issue