Merge branch 'master' into releases/v1

* master:
  Bump lodash from 4.17.20 to 4.17.21
  fix: introduce retry to stabilize the workflow
  test: reproduce the problem by jest
  Bump hosted-git-info from 2.8.8 to 2.8.9
  Bump y18n from 4.0.0 to 4.0.1
  Create codeql-analysis.yml
  Bump node-notifier from 8.0.0 to 8.0.1
  Bump @actions/core from 1.2.5 to 1.2.6
  Upgrade dependencies
  Clarify reporting failures documentation
  Bump lodash from 4.17.15 to 4.17.19
  checksums: Remove some superfluous type declarations
  Make lint pass on Windows / for files with CRLF line endings
  Build
  Remove now unneeded typescript definitions for unhomoglyph
  Upgrade prod dependencies
  Drop now removed upstream eslint typescript rules
  Upgrade dev dependencies
  Refine RELEASING.md

.eslintrc.json

@@ -1,6 +1,6 @@
 {
     "plugins": ["jest", "@typescript-eslint"],
-    "extends": ["plugin:github/es6"],
+    "extends": ["plugin:github/typescript"],
     "parser": "@typescript-eslint/parser",
     "parserOptions": {
       "ecmaVersion": 9,
@@ -16,13 +16,9 @@
       "@typescript-eslint/no-require-imports": "error",
       "@typescript-eslint/array-type": "error",
       "@typescript-eslint/await-thenable": "error",
-      "@typescript-eslint/ban-ts-ignore": "error",
       "camelcase": "off",
-      "@typescript-eslint/camelcase": "error",
-      "@typescript-eslint/class-name-casing": "error",
       "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
       "@typescript-eslint/func-call-spacing": ["error", "never"],
-      "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
       "@typescript-eslint/no-array-constructor": "error",
       "@typescript-eslint/no-empty-interface": "error",
       "@typescript-eslint/no-explicit-any": "error",
@@ -32,7 +28,6 @@
       "@typescript-eslint/no-misused-new": "error",
       "@typescript-eslint/no-namespace": "error",
       "@typescript-eslint/no-non-null-assertion": "warn",
-      "@typescript-eslint/no-object-literal-type-assertion": "error",
       "@typescript-eslint/no-unnecessary-qualifier": "error",
       "@typescript-eslint/no-unnecessary-type-assertion": "error",
       "@typescript-eslint/no-useless-constructor": "error",
@@ -40,7 +35,6 @@
       "@typescript-eslint/prefer-for-of": "warn",
       "@typescript-eslint/prefer-function-type": "warn",
       "@typescript-eslint/prefer-includes": "error",
-      "@typescript-eslint/prefer-interface": "error",
       "@typescript-eslint/prefer-string-starts-ends-with": "error",
       "@typescript-eslint/promise-function-async": "error",
       "@typescript-eslint/require-array-sort-compare": "error",
@@ -55,4 +49,4 @@
       "es6": true,
       "jest/globals": true
     }
-  }
+  }

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,56 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '24 4 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.prettierrc.json

@@ -1,11 +1,12 @@
 {
-    "printWidth": 80,
-    "tabWidth": 2,
-    "useTabs": false,
-    "semi": false,
-    "singleQuote": true,
-    "trailingComma": "none",
-    "bracketSpacing": false,
-    "arrowParens": "avoid",
-    "parser": "typescript"
-  }
+  "printWidth": 80,
+  "tabWidth": 2,
+  "useTabs": false,
+  "semi": false,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "bracketSpacing": false,
+  "arrowParens": "avoid",
+  "parser": "typescript",
+  "endOfLine": "auto"
+}

README.md

@@ -92,17 +92,13 @@ From there, you can easily follow the rest of the prompts to create a Pull Reque
 If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
 
+**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
+
+If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
+
 If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
 and one of our valid release, you can compare them using this online utility: [DiffScope](https://try.diffoscope.org/).
-Regardless of what you find, we still kindly request that you reach out to us and let us know about any issues you encountered.
-
-
-**Note:** When _initially_ applying this action to your project,
-if your `gradle-wrapper.jar` was generated by Gradle 3.3 to 4.0, the check will fail.
-This is because these `gradle-wrapper.jar` versions were dynamically generated by Gradle in a non-reproducible manner.
-As such, it's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison.
-If the Gradle version in use is out of this range it is possible that your Wrapper JAR is out of sync.
-To fix this run `./gradlew wrapper`. If the Gradle version in use is in the problematic range, you should consider upgrading.
+Regardless of what you find, we still kindly request that you reach out to us and let us know.
 
 ## Resources
 

RELEASING.md

@@ -12,3 +12,6 @@
 * go to https://github.com/gradle/wrapper-validation-action/releases
   * edit and publish the now drafted `v1` release
   * create a new release from the new full version number `v1.0.x`, list the fixed issues and publish the release
+* go to https://github.com/marketplace/actions/gradle-wrapper-validation
+  * verify that it displays the latest README
+  * verify that the version dropdown displays the new version

__tests__/checksums.test.ts

@@ -1,6 +1,29 @@
 import * as checksums from '../src/checksums'
+import nock from 'nock'
 
 test('fetches wrapper jars checksums', async () => {
   const validChecksums = await checksums.fetchValidChecksums(false)
   expect(validChecksums.length).toBeGreaterThan(10)
 })
+
+describe('retry', () => {
+  afterEach(() => {
+    nock.cleanAll()
+  })
+
+  describe('for /versions/all API', () => {
+    test('retry three times', async () => {
+      nock('https://services.gradle.org', {allowUnmocked: true})
+        .get('/versions/all')
+        .times(3)
+        .replyWithError({
+          message: 'connect ECONNREFUSED 104.18.191.9:443',
+          code: 'ECONNREFUSED'
+        })
+
+      const validChecksums = await checksums.fetchValidChecksums(false)
+      expect(validChecksums.length).toBeGreaterThan(10)
+      nock.isDone()
+    })
+  })
+})

__tests__/validate.test.ts

@@ -12,8 +12,8 @@ test('succeeds if all found wrapper jars are valid', async () => {
 
   expect(result.toDisplayString()).toBe(
     '✓ Found known Gradle Wrapper JAR files:\n' +
-    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
-    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
       '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
   )
 })
@@ -43,8 +43,8 @@ test('fails if invalid wrapper jars are found', async () => {
 
   expect(result.toDisplayString()).toBe(
     '✗ Found unknown Gradle Wrapper JAR files:\n' +
-    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
-    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
       '✓ Found known Gradle Wrapper JAR files:\n' +
       '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
   )
@@ -61,8 +61,8 @@ test('fails if not enough wrapper jars are found', async () => {
 
   expect(result.toDisplayString()).toBe(
     '✗ Found unknown Gradle Wrapper JAR files:\n' +
-    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
-    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
       '✗ Other validation errors:\n' +
       '  Expected to find at least 4 Gradle Wrapper JARs but got only 3\n' +
       '✓ Found known Gradle Wrapper JAR files:\n' +

package.json

@@ -25,23 +25,24 @@
   "author": "YourNameOrOrganization",
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.2.0",
-    "typed-rest-client": "^1.7.1",
-    "unhomoglyph": "^1.0.3"
+    "@actions/core": "1.2.6",
+    "typed-rest-client": "1.8.4",
+    "unhomoglyph": "1.0.6"
   },
   "devDependencies": {
-    "@types/jest": "^24.0.23",
-    "@types/node": "^12.12.24",
-    "@typescript-eslint/parser": "^2.8.0",
-    "@zeit/ncc": "^0.20.5",
-    "eslint": "^5.16.0",
-    "eslint-plugin-github": "^2.0.0",
-    "eslint-plugin-jest": "^22.21.0",
-    "jest": "^24.9.0",
-    "jest-circus": "^24.9.0",
-    "js-yaml": "^3.13.1",
-    "prettier": "^1.19.1",
-    "ts-jest": "^24.2.0",
-    "typescript": "^3.6.4"
+    "@types/jest": "26.0.14",
+    "@types/node": "12.12.62",
+    "@typescript-eslint/parser": "4.2.0",
+    "@zeit/ncc": "0.22.3",
+    "eslint": "7.9.0",
+    "eslint-plugin-github": "4.1.1",
+    "eslint-plugin-jest": "24.0.2",
+    "jest": "26.4.2",
+    "jest-circus": "26.4.2",
+    "js-yaml": "3.14.0",
+    "nock": "^13.0.11",
+    "prettier": "2.1.2",
+    "ts-jest": "26.4.0",
+    "typescript": "4.0.3"
   }
 }

src/checksums.ts

@@ -1,21 +1,26 @@
 import * as httpm from 'typed-rest-client/HttpClient'
 
-const httpc = new httpm.HttpClient('gradle/wrapper-validation-action')
+const httpc = new httpm.HttpClient(
+  'gradle/wrapper-validation-action',
+  undefined,
+  {allowRetries: true, maxRetries: 3}
+)
 
 export async function fetchValidChecksums(
   allowSnapshots: boolean
 ): Promise<string[]> {
-  const all: object[] = await httpGetJsonArray(
-    'https://services.gradle.org/versions/all'
-  )
-  const withChecksum = all.filter(entry =>
-    entry.hasOwnProperty('wrapperChecksumUrl')
+  const all = await httpGetJsonArray('https://services.gradle.org/versions/all')
+  const withChecksum = all.filter(
+    entry =>
+      typeof entry === 'object' &&
+      entry != null &&
+      entry.hasOwnProperty('wrapperChecksumUrl')
   )
   const allowed = withChecksum.filter(
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (entry: any) => allowSnapshots || !entry.snapshot
   )
-  const checksumUrls: string[] = allowed.map(
+  const checksumUrls = allowed.map(
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (entry: any) => entry.wrapperChecksumUrl as string
   )
@@ -25,7 +30,7 @@ export async function fetchValidChecksums(
   return [...new Set(checksums)]
 }
 
-async function httpGetJsonArray(url: string): Promise<object[]> {
+async function httpGetJsonArray(url: string): Promise<unknown[]> {
   return JSON.parse(await httpGetText(url))
 }
 

src/declarations.d.ts

@@ -1,4 +0,0 @@
-declare module 'unhomoglyph' {
-  function unhomoglyph(input: string): string
-  export = unhomoglyph
-}