Pin Jar/POM dependencies using checksums (#99)

- Sets up new workflow to update pinned dependencies - Avoid unnecessary builds in case of partial Renovate updates - Pin Gradle dependencies - Fix JUnit-BOM 5.8.0 sha - Set Renovate to sign-off commits and use assignee Resolves #98 {minor} Signed-off-by: Esta Nagy <[email protected]>
nagyesta · Jun 3, 2022 · a261dd4 · a261dd4
1 parent ae460ac
commit a261dd4
Show file tree

Hide file tree

Showing 10 changed files with 2,393 additions and 3 deletions.
diff --git a/.github/workflows/gradle-ci.yml b/.github/workflows/gradle-ci.yml
@@ -21,6 +21,7 @@ on:
       - '.github/workflows/**'
       - 'renovate.json'
       - '.whitesource'
+      - 'gradle/libs.versions.toml'
 
 permissions: read-all
 

diff --git a/.github/workflows/gradle-test-main.yml b/.github/workflows/gradle-test-main.yml
@@ -9,6 +9,7 @@ on:
     branches: [ main ]
     paths:
       - 'gradle/libs.versions.toml'
+      - 'gradle/verification-metadata.xml'
       - 'gradle/wrapper/gradle-wrapper.properties'
 
 permissions: read-all

diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -23,6 +23,7 @@ on:
       - 'renovate.json'
       - '.whitesource'
       - 'gradle/libs.versions.toml'
+      - 'gradle/verification-metadata.xml'
       - 'gradle/wrapper/gradle-wrapper.properties'
 
 permissions: read-all

diff --git a/.github/workflows/release-trigger.yml b/.github/workflows/release-trigger.yml
@@ -49,6 +49,7 @@ jobs:
       - uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e  # tag=v6.0.0
         if: ${{ steps.check.outputs.has_tag == 0 || github.event.inputs.execution == 'Manual' }}
         with:
+          github-token: ${{ secrets.PUBLISH_KEY }}
           script: |
             github.rest.pulls.create({
               owner: "${{ github.repository_owner }}",

diff --git a/.github/workflows/update-dependency-checksums.yml b/.github/workflows/update-dependency-checksums.yml
@@ -0,0 +1,41 @@
+name: UpdateChecksums
+on:
+  push:
+    branches: [ renovate/** ]
+    paths:
+      - 'gradle/libs.versions.toml'
+
+permissions: read-all
+
+jobs:
+  build:
+    name: Dependency checksum pin action
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PUBLISH_KEY }}
+      - name: Set up JDK 11
+        uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf # tag=v2.5.0
+        with:
+          distribution: temurin
+          java-version: 11
+      - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed # tag=v2.1.7
+        with:
+          path: |
+            ~/.gradle/wrapper
+          key: ${{ runner.os }}-gradle-wrapper-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
+          restore-keys: |
+            ${{ runner.os }}-gradle-wrapper-
+      - name: "Remove previous version"
+        run: cp gradle/verification-metadata-clean.xml gradle/verification-metadata.xml
+      - name: "Update checksums"
+        run: ./gradlew --write-verification-metadata sha256
+      - name: "Git commit"
+        run: |
+          git config --global user.name 'Esta Nagy'
+          git config --global user.email '[email protected]'
+          git add gradle/verification-metadata.xml
+          git commit -asm "Pinning dependency checksums {patch}"
+          git push -f --set-upstream origin ${{ github.ref_name }}
diff --git a/build.gradle b/build.gradle
@@ -69,7 +69,13 @@ configure(subprojects.findAll({
     //noinspection GroovyUnusedAssignment
     sourceCompatibility = '11'
     repositories {
-        mavenCentral()
+        mavenCentral {
+            metadataSources {
+                mavenPom()
+                artifact()
+                ignoreGradleMetadataRedirection()
+            }
+        }
     }
 
     java {
@@ -209,6 +215,12 @@ ossIndexAudit {
 }
 
 repositories {
-    mavenCentral()
+    mavenCentral {
+        metadataSources {
+            mavenPom()
+            artifact()
+            ignoreGradleMetadataRedirection()
+        }
+    }
 }
 
diff --git a/gradle.properties b/gradle.properties
@@ -5,3 +5,4 @@ org.gradle.warning.mode=all
 org.gradle.daemon=true
 org.gradle.caching=true
 org.gradle.jvmargs=-Xmx1g -XX:MaxMetaspaceSize=256m -XX:+HeapDumpOnOutOfMemoryError
+org.gradle.dependency.verification.console=verbose
diff --git a/gradle/verification-metadata-clean.xml b/gradle/verification-metadata-clean.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.1.xsd">
+    <configuration>
+        <verify-metadata>true</verify-metadata>
+        <verify-signatures>false</verify-signatures>
+        <trusted-artifacts>
+            <trust file=".*-javadoc[.]jar" regex="true"/>
+            <trust file=".*-sources[.]jar" regex="true"/>
+            <trust file=".*[.]module" regex="true"/>
+        </trusted-artifacts>
+    </configuration>
+    <components>
+        <component group="org.junit" name="junit-bom" version="5.8.0">
+            <artifact name="junit-bom-5.8.0.pom">
+                <sha256 value="ad34ae93e3bc532625c16d7384b4209a3e1807ae5f56a4656bc52b8449fb76c1" origin="Generated by Gradle"/>
+            </artifact>
+        </component>
+    </components>
+</verification-metadata>
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
diff --git a/renovate.json b/renovate.json
@@ -1,6 +1,10 @@
 {
   "extends": [
-    "config:base"
+    "config:base",
+    ":gitSignOff"
+  ],
+  "assignees": [
+    "nagyesta"
   ],
   "commitMessageSuffix": "{patch}",
   "github-actions": {