Clarify reporting failures documentation

Sterling Greene 2020-07-24 13:48:47 -04:00 committed by GitHub
parent cc54f530e7
commit d39c60192d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -92,17 +92,13 @@ From there, you can easily follow the rest of the prompts to create a Pull Reque
If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
and one of our valid release, you can compare them using this online utility: [DiffScope](https://try.diffoscope.org/).
Regardless of what you find, we still kindly request that you reach out to us and let us know about any issues you encountered.
**Note:** When _initially_ applying this action to your project,
if your `gradle-wrapper.jar` was generated by Gradle 3.3 to 4.0, the check will fail.
This is because these `gradle-wrapper.jar` versions were dynamically generated by Gradle in a non-reproducible manner.
As such, it's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison.
If the Gradle version in use is out of this range it is possible that your Wrapper JAR is out of sync.
To fix this run `./gradlew wrapper`. If the Gradle version in use is in the problematic range, you should consider upgrading.
Regardless of what you find, we still kindly request that you reach out to us and let us know.
## Resources
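Review bot: The regeneration advice in the paragraph beginning "If the Gradle version in `gradle-wrapper.properties` is out of this range" (and the "To fix this run `./gradlew wrapper`" wording) tells the reader to run `./gradlew`, which launches the same `gradle-wrapper.jar` that just failed checksum validation. In a section about reporting a possibly tampered JAR, that means executing the unverified file. Suggest recommending regeneration from a separately installed Gradle (`gradle wrapper`) or restoring the JAR from a known-good source first, and saying explicitly that the failing wrapper should not be run. The sentence "You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build" also gives no way to make that determination; pointing at `distributionUrl` in `gradle-wrapper.properties` as a hint, while noting that it does not prove which version produced the JAR, would help. Minor: the link text "DiffScope" does not match the tool at the linked URL (diffoscope), and "one of our valid release" should read "one of our valid releases".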