Official Gradle Wrapper Validation Action #3980

Merged
merged 4 commits into from
Nov 22, 2023


IsakTheHacker
Contributor

To protect against malicious gradle-wrapper.jar binaries, I have added an action that verifies its checksum.

See: https://github.com/gradle/wrapper-validation-action


@home-assistant home-assistant bot left a comment


Hi @IsakTheHacker

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

@home-assistant

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@jpelgrom
Member

jpelgrom commented Nov 3, 2023

Thanks for the suggestion!

To mitigate the risk described, I think the correct approach would be adding it to the existing pr.yml and onPush.yml workflows + jobs before Gradle runs. You currently add a new workflow, which would not prevent execution of the jar file as the other workflow also/still runs.
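
The placement described in the comment above, as an added example that is not part of the thread and not the project's actual workflow files: the validation step in a separate workflow, beside the same step placed inside the build job. The workflow names, job names, action version tags and Gradle task are assumptions.

```yaml
# Weak: validation lives in its own workflow file (hypothetical name).
# The build workflow is triggered independently and still runs ./gradlew,
# so an unverified gradle-wrapper.jar executes whatever this job reports.
name: Validate Gradle Wrapper
on: [pull_request]
jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/wrapper-validation-action@v1
---
# Corrected: validation is a step in the same job as the build, placed
# before the first Gradle invocation. A failed step stops the job, so
# ./gradlew never runs against a jar whose checksum did not verify.
name: Pull Request    # e.g. pr.yml; the same step goes into onPush.yml
on: [pull_request]
jobs:
  build:              # job name is an assumption
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate Gradle wrapper
        uses: gradle/wrapper-validation-action@v1
      - name: Build
        run: ./gradlew assembleDebug   # Gradle task is an assumption
```

In a workflow with several jobs, every job that checks out the repository and runs Gradle needs the validation step before its first Gradle call, or a `needs:` dependency on a job that performs it.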

@IsakTheHacker
Contributor Author

That is a great idea, didn't think about that. I have implemented your requested changes in pr.yml and onPush.yml respectively.

Member

@jpelgrom jpelgrom left a comment


Sorry for the delay - looks good to me now

@JBassett JBassett merged commit af9f131 into home-assistant:master Nov 22, 2023
4 checks passed
@IsakTheHacker IsakTheHacker deleted the patch-1 branch November 23, 2023 08:15