Gradle secure hash algorithm (SHA) pinning is in place through the distributionSha256Sum attribute in gradle-wrapper.properties. This means the gradle-wrapper must upgrade through the ./gradlew wrapper command.
Example gradle-wrapper.properties
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionSha256Sum=2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046
distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
networkTimeout=10000
validateDistributionUrl=true
Use the following command to update the gradle wrapper. Run the same command twice, reason.
./gradlew wrapper --gradle-version=8.10.2 --distribution-type=bin --gradle-distribution-sha256-sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26Flags:
gradle-versionself explanatorydistribution-typeset tobinshort for binary refers to the gradle bin, often in this formatgradle-8.10.2-bin.zipgradle-distribution-sha256-sumthe SHA 256 checksum from this page, pick the binary checksum for the version used
The gradle wrapper update can include:
- gradle-wrapper.jar
- gradle-wrapper.properties
- gradlew
- gradlew.bat
You can use the following command to check the SHA 256 checksum of a file
shasum -a 256 gradle-8.10.2-bin.zipThere are GitHub Actions workflows for a hotfix pull request and merging a hotfix to a temporary hotfix branch.
The temporary hotfix branch is currently expected to be named "temp/hotfix". If a different name is
desired please edit the value under "branches:" in .github/workflows/on_push_hotfix.yml.
The hotfix branch name should be in the format "hotfix/M.m.p".
Once the hotfix PR has been approved and the "Squash and merge" button pressed, the merge title must be in the format "Merge pull request #xxx from govuk-one-login/release/M.m.p" to allow for the correct version to be extracted and used as a tag.