Skip to content

build(security): verify Gradle distribution#799

Open
Rerowros wants to merge 1 commit into
MetaCubeX:mainfrom
Rerowros:codex/verify-gradle-distribution
Open

build(security): verify Gradle distribution#799
Rerowros wants to merge 1 commit into
MetaCubeX:mainfrom
Rerowros:codex/verify-gradle-distribution

Conversation

@Rerowros

Copy link
Copy Markdown

Summary

  • pin the SHA-256 checksum for the Gradle 8.10.2 binary distribution used by the Wrapper

Security rationale

The Gradle Wrapper executes before project build logic. Without distributionSha256Sum, the downloaded distribution is trusted solely through transport security. Gradle recommends setting this property so the Wrapper rejects a distribution whose bytes do not match the expected release artifact.

The checksum was retrieved directly from:

Relevant Gradle guidance:

Validation

  • gradlew.bat --version — passed; resolved Gradle 8.10.2 on JDK 21
  • git diff --check — passed
  • pre-commit/PR static preflight — no findings

Review provenance

Based on a Codex Security finding and prepared with the requested Codex / GPT-5.6 Sol workflow.

Human review is explicitly requested before merge. Please independently compare the checksum with Gradle's official release checksum.

Risk / rollout notes

  • one-line build-security change only
  • no dependency, Wrapper JAR, application code, or submodule changes

@Rerowros Rerowros marked this pull request as ready for review July 11, 2026 16:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant