On Mon, 8 Mar 2021 21:23:47 GMT, John Neffenger 
<github.com+1413266+jgn...@openjdk.org> wrote:

>>> 1. This commit adds a tampered Gradle Wrapper JAR file, which should go 
>>> undetected.
>>> 2. The next commit will add the Official Gradle Wrapper Validation Action, 
>>> which should detect the tampered file.
>>> 3. The final commit will remove the tampered file and replace it with the 
>>> original Gradle 4.8 Wrapper.
>> 
>> This sounds like a good plan to test it.
>
> So far, so good. The tampered file was not detected:
> 
> ![all-checks-have-passed](https://user-images.githubusercontent.com/1413266/110383521-411ab200-8011-11eb-88ee-27102e0b6d81.png)
> 
> The next commit will add the Official Gradle Wrapper Validation Action.

It might be better to include the validation task in the same 
[`submit.yml`](https://github.com/openjdk/jfx/blob/master/.github/workflows/submit.yml)
 file as the pre-submit tests, as a separate job. That way it will get the same 
set of conditions triggering it as the other pre-submit jobs. In particular, we 
don't use the "on pull_request" trigger for our github actions run, since all 
actions triggered on any pull request in any repo in the openjdk org will be 
run in the context of the openjdk organization and we would blow our limits too 
quickly. Also, this should be limited to the set of branches that `submit.yml` 
uses.

If there is a good reason to keep it in a separate file, then I would at least 
duplicate this part from submit.yml:

```yaml
on:
  # Run GitHub actions on every push to all branches except the main production
  # branches, also exclude any branch starting with "WIP".
  push:
    branches-ignore:
      - master
      - main
      - 'jfx[0-9]+'
      - 'WIP*'
```

-------------

PR: https://git.openjdk.java.net/jfx/pull/419
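As an added illustration (not part of this thread and not the jfx project's own `submit.yml`), here is what a wrapper-validation job placed in the same workflow file as the pre-submit jobs could look like. The workflow name, the job name `validate-gradle-wrapper`, the checkout action version and the action identifier `gradle/wrapper-validation-action@v1` are assumptions; only the `push`/`branches-ignore` trigger comes from the message above.

```yaml
# Added example, not the jfx project's submit.yml. Shows the Gradle Wrapper
# validation as a separate job that shares the pre-submit jobs' push trigger,
# so it runs under exactly the same conditions as the other pre-submit checks.
name: Pre-submit tests   # workflow name assumed

on:
  # Run GitHub actions on every push to all branches except the main production
  # branches, also exclude any branch starting with "WIP".
  # No "pull_request" trigger, for the organization-limits reason given above.
  push:
    branches-ignore:
      - master
      - main
      - 'jfx[0-9]+'
      - 'WIP*'

jobs:
  # Assumed job name; it sits alongside the existing pre-submit jobs.
  validate-gradle-wrapper:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2   # version assumed

      # Official Gradle Wrapper Validation Action (identifier and version
      # assumed here). It hashes every gradle-wrapper.jar found in the checkout
      # and compares the SHA-256 against the checksums Gradle publishes for its
      # released wrapper JARs; an unknown hash fails the job, which is what a
      # tampered wrapper like the one in the test commit would trigger.
      - uses: gradle/wrapper-validation-action@v1

  # ... the existing pre-submit build and test jobs remain unchanged ...
```

Because the job is keyed off the same `push` trigger, it never fires on `pull_request` events and is restricted to the same branch set as the other pre-submit jobs, so no separate workflow file (and no second copy of the trigger block) is needed.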