[Security] Harden supply chain dependencies #20
Open
daniel-mohedano wants to merge 2 commits into master from
…pendency pinning

- Add Gradle dependency lockfiles to pin all transitive dependency versions
- Enable dependency locking (`lockAllConfigurations`) across all subprojects
- Add `distributionSha256Sum` to gradle-wrapper.properties for integrity verification
- Add `gradle/actions/wrapper-validation` step to both GHA workflows
- Update `actions/checkout` from v2 to v4 in test workflow (was 4 major versions behind)
- Pin `gradle/actions/setup-gradle` to commit SHA with exact version comment (v4.4.3)
- Add TODO for deprecated openjdk:8 image in GitLab CI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mavenLocal() serves artifacts without Gradle Module Metadata, causing junit-bom (a platform dependency declared in JUnit's .module metadata) to be missing from the dependency graph locally but present in CI. Restricting mavenLocal to SNAPSHOT versions ensures releases always resolve from Maven Central with full metadata, making lockfiles consistent across local and CI environments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- Add Gradle dependency lockfiles (`gradle.lockfile`) to pin all transitive dependency versions and enable `lockAllConfigurations()` across all subprojects
- Restrict `mavenLocal()` to SNAPSHOT versions only, ensuring releases always resolve from Maven Central with full Gradle Module Metadata (fixes inconsistent lockfile resolution between local and CI)
- Add `distributionSha256Sum` to `gradle-wrapper.properties` for Gradle distribution integrity verification
- Add `gradle/actions/wrapper-validation` CI step to both GHA workflows (tests + release)
- Update `actions/checkout` from v2 to v4 in test workflow (was 4 major versions behind)
- Pin `gradle/actions/setup-gradle` to commit SHA with exact version comment (`v4.4.3` instead of floating `v4`)
- Add TODO for deprecated `openjdk:8` image in GitLab CI (tag removed from Docker Hub, needs migration as part of release process refactor)

What's NOT changed (and why)
- `openjdk:8` image: deprecated and removed from Docker Hub — requires migration to e.g. `eclipse-temurin:11-jdk`, deferred to release process refactor
- `apt`/`pip` installs: transient CI tools, not part of the build artifact supply chain
- `gpg:1`): internal image, low risk

Test plan
- `./gradlew build` passes locally with dependency locking enabled
- `actions/checkout` v4

🤖 Generated with Claude Code
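As an added illustration (not the PR's own build files, which are not shown on this page), a root `build.gradle.kts` that implements the two Gradle-side changes described above: `lockAllConfigurations()` for every subproject, and `mavenLocal()` limited to SNAPSHOT artifacts so release versions always resolve from Maven Central with their Gradle Module Metadata. The root-project layout and the `STRICT` lock mode are assumptions, not part of the PR.

```kotlin
// Root build.gradle.kts (added example; assumed layout, not the PR's actual file).
// Everything in allprojects {} applies to the root project and every subproject.
allprojects {
    repositories {
        // Only -SNAPSHOT versions may come from ~/.m2. Artifacts that `mvn install`
        // puts there carry a POM but no .module file, so platform/BOM edges such as
        // junit-bom vanish from the graph locally while CI (empty ~/.m2) still sees
        // them, and the two machines write different lockfiles.
        mavenLocal {
            mavenContent {
                snapshotsOnly()
            }
        }
        // Release versions always resolve here, with full Gradle Module Metadata.
        mavenCentral()
    }

    dependencyLocking {
        // Record the resolved version of every dependency, transitives included,
        // for every configuration of this project in its gradle.lockfile.
        lockAllConfigurations()
        // Assumed addition beyond the PR: fail the build when a lockfile is missing
        // or stale instead of silently resolving fresh versions.
        lockMode.set(LockMode.STRICT)
    }
}
```

Generate the lock state once with `./gradlew dependencies --write-locks` and commit each project's `gradle.lockfile`; a plain `./gradlew build` then resolves against the committed versions and fails if anything drifts.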