An action to verify the checksum of an io.takari wrapper jar against maven central
APACHE-2.0 License
A simple action to validate a maven-wrapper.jar binary checked into source control against maven central.
A simple search for filename:maven-wrapper.jar on GitHub reveals over half a million instances of this filename checked in. Let's try to make it less dangerous.
Inspired by https://github.com/gradle/wrapper-validation-action
This is developed as part of the OpenSSF Digital Identity WG.
maven-wrapper.jar checked into the repo matches the file on maven.org by comparing sha256 hashes
md5 and sha1 hashes
mvnw script is actually using this maven-wrapper.jar
NOTE: This action is not yet published
Create a new action with the following configuration
name: Validate maven wrapper
on: [push, pull_request]
jobs:
  validation:
    name: "Validation"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: loosebazooka/maven-wrapper-validation-action@<tbd>
.mvn/wrapper/maven-wrapper.jar in repo
local-sha256
maven-wrapper.jar/META-INF/MANIFEST.MF for Implementation-Version
io.takari:maven-wrapper:<version> on maven.org
remote-sha256
local-sha256 == remote-sha256
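
The check outlined above (local-sha256 of the jar in the repo, Implementation-Version from its manifest, the matching io.takari:maven-wrapper:<version> on maven.org, remote-sha256, comparison), written out as an added Python example; it is not this action's own code. It assumes the remote hash is obtained by downloading the published jar from repo1.maven.org's standard repository layout and hashing it; the function names, the accepted version pattern and the sample jar are hypothetical.

```python
import hashlib
import hmac
import io
import re
import sys
import zipfile
from pathlib import Path
from urllib.request import urlopen

# Standard Maven repository layout for io.takari:maven-wrapper (assumed URL).
CENTRAL = "https://repo1.maven.org/maven2/io/takari/maven-wrapper"
# Assumption: only plain dotted numeric versions are accepted. The manifest comes
# from the untrusted jar, so its value must not be able to reshape the URL.
VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){1,3}")

def implementation_version(jar_bytes: bytes) -> str:
    """Read Implementation-Version from META-INF/MANIFEST.MF inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "implementation-version":
            if not VERSION_RE.fullmatch(value.strip()):
                raise ValueError(f"unexpected version string: {value.strip()!r}")
            return value.strip()
    raise ValueError("manifest has no Implementation-Version")

def fetch_from_central(version: str) -> bytes:
    """Download the published jar for this version (network access)."""
    with urlopen(f"{CENTRAL}/{version}/maven-wrapper-{version}.jar", timeout=30) as r:
        return r.read()

def validate(jar_bytes: bytes, fetch=fetch_from_central) -> bool:
    """True only if local-sha256 == remote-sha256 for the claimed version."""
    version = implementation_version(jar_bytes)
    local_sha256 = hashlib.sha256(jar_bytes).hexdigest()
    remote_sha256 = hashlib.sha256(fetch(version)).hexdigest()
    return hmac.compare_digest(local_sha256, remote_sha256)

def make_sample_jar(version: str, payload: bytes) -> bytes:
    """Constructed sample jar so the check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        jar.writestr("Wrapper.class", payload)
    return buf.getvalue()

if __name__ == "__main__":
    ok = validate(Path(".mvn/wrapper/maven-wrapper.jar").read_bytes())
    sys.exit(0 if ok else 1)
```

A jar whose manifest claims a version that was never published fails with an HTTP error from the download rather than a mismatch; a CI step should treat either outcome as a failed validation.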