Wasteful network utilization?

[quat1024]

Projects using the Gradle wrapper include the URL to it in ./gradle/gradle.properties:

distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.1-bin.zip # 👈 here
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists

The https://services.gradle.org/versions/all API also includes the URL to each Gradle version:

{
  "version" : "7.6.1",
  "buildTime" : "20230224135442+0000",
  "current" : false,
  //...
  "downloadUrl" : "https://services.gradle.org/distributions/gradle-7.6.1-bin.zip", // 👈 here
  "checksumUrl" : "https://services.gradle.org/distributions/gradle-7.6.1-bin.zip.sha256",
  "wrapperChecksumUrl" : "https://services.gradle.org/distributions/gradle-7.6.1-wrapper.jar.sha256"
}

But right now, the fetchValidChecksums function connects to all 216 wrapperChecksumUrls mentioned in the index. Isn't it possible to check gradle.properties, and at least make an educated guess as to which .sha256 URL to download first?

It's true that gradle.properties is only parsed by the wrapper jar itself (if you put malware in the jar it doesn't matter what's in gradle.properties), so it's important to only treat hints in gradle.properties as hints, but it's a hint that best-case saves over 200 HTTP requests.

In an ideal world the services.gradle.org API would directly return hashes instead of requiring indirection, though...

Additionally, it looks like there's an allow-checksums option in the action, which lets the user specify additional hashes that are considered valid wrapper jars. If the hash matches one of those, what's the point in downloading any hashes from services.gradle.org?

[JLLeitschuh]

Seems reasonable. Interested in opening a pull request?

[bigdaz]

Fixed by #161