.eslintignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

.eslintrc.json

@@ -0,0 +1,54 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/recommended"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "i18n-text/no-en": "off",
+      "no-unused-vars": "off",
+      "sort-imports": "off",
+      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "camelcase": "off",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error",
+      "@typescript-eslint/no-non-null-assertion": "warn",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": "error",
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

.github/dependabot.yml

@@ -8,3 +8,14 @@ updates:
       github-actions:
         patterns:
         - "*"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "@types/node"
+    groups:
+      npm-dependencies:
+        patterns:
+        - "*"

.github/workflows/check-dist.yml

@@ -0,0 +1,54 @@
+# `dist/index.js` is a special file in Actions.
+# When you reference an action with `uses:` in a workflow,
+# `index.js` is the code that will run.
+# For our project, we generate this file through a build process from other source files.
+# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
+name: Check dist directory
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set Node.js 16.x
+        uses: actions/setup-node@v3.7.0
+        with:
+          node-version: 16.x
+      
+      - name: Validate package-lock
+        run: npx lockfile-lint --path package-lock.json --allowed-hosts npm yarn --validate-https
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Rebuild the dist/ directory
+        run: npm run build
+
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build.  See status below:"
+            git diff
+            exit 1
+          fi
+        id: diff
+
+      # If index.js was different than expected, upload the expected version as an artifact
+      - uses: actions/upload-artifact@v3
+        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+        with:
+          name: dist
+          path: dist/

.github/workflows/ci.yml

@@ -7,61 +7,24 @@ on: # rebuild any PRs and main branch changes
       - 'releases/*'
 
 jobs:
-
-  # Integration test for successful validation of wrappers
-  test-validation-success:
-    name: 'Test: Validation success'
+  build: # make sure build/ci work properly
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-
-    - name: Run wrapper-validation-action
-      id: action-test
-      uses: ./
+    - uses: actions/checkout@v3
+    - name: Set Node.js 16.x
+      uses: actions/setup-node@v3.7.0
+      with:
+        node-version: 16.x
+    - run: |
+        npm -v
+        node -v
+        npm install
+        npm run all
+  test: # make sure the action works on a clean machine without building
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ./
       with:
         # to allow the invalid wrapper jar present in test data
         allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
-    - name: Check outcome
-      env:
-        # Evaluate workflow expressions here as env variable values instead of inside shell script
-        # below to not accidentally inject code into shell script or break its syntax
-        FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
-        FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == '' }}
-      run: |
-        if [ "$FAILED_WRAPPERS_MATCHES" != "true" ] ; then
-          echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
-          exit 1
-        fi
-
-
-  # Integration test for failing validation of wrappers
-  test-validation-error:
-    name: 'Test: Validation error'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Run wrapper-validation-action
-      id: action-test
-      uses: ./
-      # Expected to fail; validated below
-      continue-on-error: true
-
-    - name: Check outcome
-      env:
-        # Evaluate workflow expressions here as env variable values instead of inside shell script
-        # below to not accidentally inject code into shell script or break its syntax
-        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
-        FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
-        FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == '__tests__/data/invalid/gradle-wrapper.jar|__tests__/data/invalid/gradlе-wrapper.jar' }}
-      run: |
-        if [ "$VALIDATION_FAILED" != "true" ] ; then
-          echo "Expected validation to fail, but it didn't"
-          exit 1
-        fi
-
-        if [ "$FAILED_WRAPPERS_MATCHES" != "true" ] ; then
-          echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
-          exit 1
-        fi

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,56 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '24 4 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.gitignore

@@ -0,0 +1,102 @@
+# Dependency directory
+node_modules
+
+# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# OS metadata
+.DS_Store
+Thumbs.db
+
+# Ignore built ts files
+__tests__/runner/*
+lib/**/*
+
+.idea/
+*.iml

.prettierignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

.prettierrc.json

@@ -0,0 +1,12 @@
+{
+  "printWidth": 80,
+  "tabWidth": 2,
+  "useTabs": false,
+  "semi": false,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "bracketSpacing": false,
+  "arrowParens": "avoid",
+  "parser": "typescript",
+  "endOfLine": "auto"
+}

CONTRIBUTING.md

@@ -0,0 +1,12 @@
+## Project Goals
+
+We aim to keep the scope of this project limited so that it is easy for maintainers to apply and forget about.
+
+### Goals
+
+To verify that all the gradle-wrapper.jar(s) in a given GitHub repository or pull request against that repo is an official Gradle Wrapper release.
+
+### Non-Goals
+
+It is not the goal of this action to verify that the gradle-wrapper.jar matches a specific version of Gradle,
+nor that the version declared in the build.gradle or gradle-wrapper.properties file matches.

README.md

@@ -1,27 +1,59 @@
-> [!IMPORTANT]
-> As of `v3` this action has been superceded by `gradle/actions/wrapper-validation`.
-> Any workflow that uses `gradle/wrapper-validation-action@v3` will transparently delegate to `gradle/actions/wrapper-validation@v3`.
->
-> Users are encouraged to update their workflows, replacing:
-> ```
-> uses: gradle/wrapper-validation-action@v3
-> ```
->
-> with
-> ```
-> uses: gradle/actions/wrapper-validation@v3
-> ```
->
-> See the [wrapper-validation documentation](https://github.com/gradle/actions/tree/main/wrapper-validation) for up-to-date documentation for `gradle/actions/wrapper-validation`. 
+<p align="center">
+  <a href="https://github.com/gradle/wrapper-validation-action/actions"><img alt="gradle/wrapper-validation-action status" src="https://github.com/gradle/wrapper-validation-action/workflows/ci/badge.svg"></a>
+</p>
 
 # Gradle Wrapper Validation Action
 
-This action validates the checksums of _all_ [Gradle Wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html) JAR files present in the repository and fails if any unknown Gradle Wrapper JAR files are found.
+This action validates the checksums of [Gradle Wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html) JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.
 
-The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
+## The Gradle Wrapper Problem in Open Source
 
-### Example workflow
+The `gradle-wrapper.jar` is a binary blob of executable code that is checked into nearly
+[2.8 Million GitHub Repositories](https://github.com/search?l=&q=filename%3Agradle-wrapper.jar&type=Code).
 
+Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'.
+Many of these PRs are contributed by individuals outside of the organization maintaining the project.
+
+Many maintainers are incredibly grateful for these kinds of contributions as it takes an item off of their backlog.
+We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors.
+There is a certain amount of blind trust open source maintainers have.
+Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the `gradle-wrapper.jar` that looks like this.
+
+![Image of a GitHub Diff of Gradle Wrapper displaying text 'Binary file not shown.'](https://user-images.githubusercontent.com/1323708/71915219-477d7780-3149-11ea-9254-90c80dbffb0a.png)
+
+A fairly simple social engineering supply chain attack against open source would be contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR.
+A malicious `gradle-wrapper.jar` could execute, download, or install arbitrary code while otherwise behaving like a completely normal `gradle-wrapper.jar`.
+
+## Solution
+
+We have created a simple GitHub Action that can be applied to any GitHub repository.
+This GitHub Action will do one simple task:
+verify that any and all `gradle-wrapper.jar` files in the repository match the SHA-256 checksums of any of our official releases.
+
+If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.
+
+Additionally, the action will find and SHA-256 hash all
+[homoglyph](https://en.wikipedia.org/wiki/Homoglyph)
+variants of files named `gradle-wrapper.jar`,
+for example a file named `gradlе-wrapper.jar` (which uses a Cyrillic `е` instead of `e`).
+The goal is to prevent homoglyph attacks which may be very difficult to spot in a GitHub diff.
+We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/playframework/pull/1/files).
+
+## Usage
+
+### Add to an existing Workflow
+
+Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
+
+```yaml
+uses: gradle/wrapper-validation-action@v1
+```
+
+### Add a new dedicated Workflow
+
+Here's a sample complete workflow you can add to your repositories:
+
+**`.github/workflows/gradle-wrapper-validation.yml`**
 ```yaml
 name: "Validate Gradle Wrapper"
 on: [push, pull_request]
@@ -31,11 +63,44 @@ jobs:
     name: "Validation"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: gradle/wrapper-validation-action@v3
+      - uses: actions/checkout@v3
+      - uses: gradle/wrapper-validation-action@v1
 ```
 
-As of `v3`, the `gradle/wrapper-validation-action` action delegates to `gradle/actions/wrapper-validation` with the same version.
-Configuration and usage of these actions is identical for releases with the same version number.
+## Contributing to an external GitHub Repository
 
-See the [full wrapper-validation documentation](https://github.com/gradle/actions/tree/main/wrapper-validation) for more details. 
+Since [GitHub Actions](https://github.com/features/actions)
+are completely free for open source projects and are automatically enabled on almost all projects,
+adding this check to a project's build is as simple as contributing a PR.
+Enabling the check requires no overhead on behalf of the project maintainer beyond merging the action.
+
+You can add this action to your favorite Gradle based project without checking out their source locally via the
+GitHub Web UI thanks to the 'Create new file' button.
+
+![GitHub 'Create new file' Button bar picture](https://user-images.githubusercontent.com/1323708/73676469-6c023c00-4682-11ea-8c0a-5a1e2d29b17f.png)
+
+Simply add a new file named `.github/workflows/gradle-wrapper-validation.yml` with the contents mentioned above.
+
+We recommend the message commit contents of:
+ - Title: `Official Gradle Wrapper Validation Action`
+ - Body (at minimum): `See: https://github.com/gradle/wrapper-validation-action`
+
+From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
+
+## Reporting Failures
+
+If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
+we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
+
+**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
+
+If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
+
+If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
+and one of our valid release, you can compare them using this online utility: [diffoscope](https://try.diffoscope.org/).
+Regardless of what you find, we still kindly request that you reach out to us and let us know.
+
+## Resources
+
+To learn more about verifying the Gradle Wrapper JAR locally, see our
+[guide on the topic](https://docs.gradle.org/current/userguide/gradle_wrapper.html#wrapper_checksum_verification).

RELEASING.md

@@ -0,0 +1,14 @@
+# Release
+
+* starting on `main`
+* `npm install`
+* `npm run all`
+* Commit and push any changes to the `dist` directory. Wait for CI.
+* `git tag v1.0.x && git push --tags` with the actual version number
+* `git tag -f -a v1 && git push -f --tags`
+* go to https://github.com/gradle/wrapper-validation-action/releases
+  * edit and publish the now drafted `v1` release
+  * create a new release from the new full version number `v1.0.x`, list the fixed issues and publish the release
+* go to https://github.com/marketplace/actions/gradle-wrapper-validation
+  * verify that it displays the latest README
+  * verify that the version dropdown displays the new version

__tests__/checksums.test.ts

@@ -0,0 +1,32 @@
+import * as checksums from '../src/checksums'
+import nock from 'nock'
+import {afterEach, describe, expect, test, jest} from '@jest/globals'
+
+jest.setTimeout(30000)
+
+test('fetches wrapper jars checksums', async () => {
+  const validChecksums = await checksums.fetchValidChecksums(false)
+  expect(validChecksums.length).toBeGreaterThan(10)
+})
+
+describe('retry', () => {
+  afterEach(() => {
+    nock.cleanAll()
+  })
+
+  describe('for /versions/all API', () => {
+    test('retry three times', async () => {
+      nock('https://services.gradle.org', {allowUnmocked: true})
+        .get('/versions/all')
+        .times(3)
+        .replyWithError({
+          message: 'connect ECONNREFUSED 104.18.191.9:443',
+          code: 'ECONNREFUSED'
+        })
+
+      const validChecksums = await checksums.fetchValidChecksums(false)
+      expect(validChecksums.length).toBeGreaterThan(10)
+      nock.isDone()
+    })
+  })
+})

__tests__/find.test.ts

@@ -0,0 +1,12 @@
+import * as path from 'path'
+import * as find from '../src/find'
+import {expect, test} from '@jest/globals'
+
+test('finds test data wrapper jars', async () => {
+  const repoRoot = path.resolve('.')
+  const wrapperJars = await find.findWrapperJars(repoRoot)
+  expect(wrapperJars.length).toBe(3)
+  expect(wrapperJars).toContain('__tests__/data/valid/gradle-wrapper.jar')
+  expect(wrapperJars).toContain('__tests__/data/invalid/gradle-wrapper.jar')
+  expect(wrapperJars).toContain('__tests__/data/invalid/gradlе-wrapper.jar') // homoglyph
+})

__tests__/hash.test.ts

@@ -0,0 +1,12 @@
+import * as path from 'path'
+import * as hash from '../src/hash'
+import {expect, test} from '@jest/globals'
+
+test('can sha256 files', async () => {
+  const sha = await hash.sha256File(
+    path.resolve('__tests__/data/invalid/gradle-wrapper.jar')
+  )
+  expect(sha).toEqual(
+    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+  )
+})

__tests__/validate.test.ts

@@ -0,0 +1,74 @@
+import * as path from 'path'
+import * as validate from '../src/validate'
+import {expect, test, jest} from '@jest/globals'
+
+jest.setTimeout(30000)
+
+const baseDir = path.resolve('.')
+
+test('succeeds if all found wrapper jars are valid', async () => {
+  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [
+    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+  ])
+
+  expect(result.isValid()).toBe(true)
+
+  expect(result.toDisplayString()).toBe(
+    '✓ Found known Gradle Wrapper JAR files:\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
+      '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
+  )
+})
+
+test('fails if invalid wrapper jars are found', async () => {
+  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [])
+
+  expect(result.isValid()).toBe(false)
+
+  expect(result.valid).toEqual([
+    new validate.WrapperJar(
+      '__tests__/data/valid/gradle-wrapper.jar',
+      '3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce'
+    )
+  ])
+
+  expect(result.invalid).toEqual([
+    new validate.WrapperJar(
+      '__tests__/data/invalid/gradle-wrapper.jar',
+      'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+    ),
+    new validate.WrapperJar(
+      '__tests__/data/invalid/gradlе-wrapper.jar', // homoglyph
+      'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+    )
+  ])
+
+  expect(result.toDisplayString()).toBe(
+    '✗ Found unknown Gradle Wrapper JAR files:\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
+      '✓ Found known Gradle Wrapper JAR files:\n' +
+      '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
+  )
+})
+
+test('fails if not enough wrapper jars are found', async () => {
+  const result = await validate.findInvalidWrapperJars(baseDir, 4, false, [])
+
+  expect(result.isValid()).toBe(false)
+
+  expect(result.errors).toEqual([
+    'Expected to find at least 4 Gradle Wrapper JARs but got only 3'
+  ])
+
+  expect(result.toDisplayString()).toBe(
+    '✗ Found unknown Gradle Wrapper JAR files:\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
+      '✗ Other validation errors:\n' +
+      '  Expected to find at least 4 Gradle Wrapper JARs but got only 3\n' +
+      '✓ Found known Gradle Wrapper JAR files:\n' +
+      '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
+  )
+})

action.yml

@@ -18,21 +18,11 @@ inputs:
 
 outputs:
   failed-wrapper:
-    description: 'The path of the Gradle Wrapper(s) JAR that failed validation. Path is a platform-dependent relative path to git repository root. Multiple paths are separated by a | character.'
-    value: ${{ steps.wrapper-validation.outputs.failed-wrapper }}
+    description: The path of the Gradle Wrapper(s) JAR that failed validation.
 
 runs:
-  using: "composite"
-  steps:
-    - name: Wrapper Validation
-      id: wrapper-validation
-      uses: gradle/actions/wrapper-validation@v3.5.0
-      with:
-        min-wrapper-count: ${{ inputs.min-wrapper-count }}
-        allow-snapshots: ${{ inputs.allow-snapshots }}
-        allow-checksums: ${{ inputs.allow-checksums }}
-      env:
-        GRADLE_ACTION_ID: gradle/wrapper-validation-action
+  using: 'node16'
+  main: 'dist/index.js'
 
 branding:
   icon: 'shield'

jest.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  clearMocks: true,
+  moduleFileExtensions: ['js', 'ts', 'json'],
+  testMatch: ['**/*.test.ts'],
+  preset: 'ts-jest',
+  verbose: true,
+  setupFilesAfterEnv: ['./jest.setup.js']
+}

jest.setup.js

@@ -0,0 +1 @@
+jest.setTimeout(10000) // in milliseconds

package.json

@@ -0,0 +1,48 @@
+{
+  "name": "wrapper-validation-action",
+  "version": "0.0.0",
+  "private": true,
+  "description": "Gradle Wrapper Validation Action",
+  "main": "lib/main.js",
+  "scripts": {
+    "build": "tsc",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
+    "lint": "eslint src/**/*.ts",
+    "pack": "ncc build",
+    "test": "jest",
+    "all": "npm run build && npm run format && npm run lint && npm run pack && npm test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/gradle/wrapper-validation-action.git"
+  },
+  "keywords": [
+    "actions",
+    "node",
+    "setup"
+  ],
+  "author": "Gradle Inc.",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/core": "1.10.0",
+    "typed-rest-client": "1.8.11",
+    "unhomoglyph": "1.0.6"
+  },
+  "devDependencies": {
+    "@types/node": "16.18.38",
+    "@typescript-eslint/parser": "6.1.0",
+    "@vercel/ncc": "0.36.1",
+    "eslint": "8.45.0",
+    "eslint-plugin-github": "4.9.2",
+    "eslint-plugin-jest": "27.2.3",
+    "eslint-plugin-prettier": "5.0.0",
+    "glob-parent": "6.0.2",
+    "jest": "29.6.1",
+    "js-yaml": "4.1.0",
+    "nock": "13.3.2",
+    "prettier": "3.0.0",
+    "ts-jest": "29.1.1",
+    "typescript": "5.1.6"
+  }
+}

src/checksums.ts

@@ -0,0 +1,40 @@
+import * as httpm from 'typed-rest-client/HttpClient'
+
+const httpc = new httpm.HttpClient(
+  'gradle/wrapper-validation-action',
+  undefined,
+  {allowRetries: true, maxRetries: 3}
+)
+
+export async function fetchValidChecksums(
+  allowSnapshots: boolean
+): Promise<string[]> {
+  const all = await httpGetJsonArray('https://services.gradle.org/versions/all')
+  const withChecksum = all.filter(
+    entry =>
+      typeof entry === 'object' &&
+      entry != null &&
+      entry.hasOwnProperty('wrapperChecksumUrl')
+  )
+  const allowed = withChecksum.filter(
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (entry: any) => allowSnapshots || !entry.snapshot
+  )
+  const checksumUrls = allowed.map(
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (entry: any) => entry.wrapperChecksumUrl as string
+  )
+  const checksums = await Promise.all(
+    checksumUrls.map(async (url: string) => httpGetText(url))
+  )
+  return [...new Set(checksums)]
+}
+
+async function httpGetJsonArray(url: string): Promise<unknown[]> {
+  return JSON.parse(await httpGetText(url))
+}
+
+async function httpGetText(url: string): Promise<string> {
+  const response = await httpc.get(url)
+  return await response.readBody()
+}

src/find.ts

@@ -0,0 +1,27 @@
+import * as util from 'util'
+import * as path from 'path'
+import * as fs from 'fs'
+import unhomoglyph from 'unhomoglyph'
+
+const readdir = util.promisify(fs.readdir)
+
+export async function findWrapperJars(baseDir: string): Promise<string[]> {
+  const files = await recursivelyListFiles(baseDir)
+  return files
+    .filter(file => unhomoglyph(file).endsWith('gradle-wrapper.jar'))
+    .map(wrapperJar => path.relative(baseDir, wrapperJar))
+    .sort((a, b) => a.localeCompare(b))
+}
+
+async function recursivelyListFiles(baseDir: string): Promise<string[]> {
+  const childrenNames = await readdir(baseDir)
+  const childrenPaths = await Promise.all(
+    childrenNames.map(async childName => {
+      const childPath = path.resolve(baseDir, childName)
+      return fs.lstatSync(childPath).isDirectory()
+        ? recursivelyListFiles(childPath)
+        : new Promise(resolve => resolve([childPath]))
+    })
+  )
+  return Array.prototype.concat(...childrenPaths)
+}

src/hash.ts

@@ -0,0 +1,18 @@
+import * as crypto from 'crypto'
+import * as fs from 'fs'
+
+export async function sha256File(path: string): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const hash = crypto.createHash('sha256')
+    const stream = fs.createReadStream(path)
+    stream.on('data', data => hash.update(data))
+    stream.on('end', () => {
+      stream.destroy()
+      resolve(hash.digest('hex'))
+    })
+    stream.on('error', error => {
+      stream.destroy()
+      reject(error)
+    })
+  })
+}

src/main.ts

@@ -0,0 +1,36 @@
+import * as path from 'path'
+import * as core from '@actions/core'
+
+import * as validate from './validate'
+
+export async function run(): Promise<void> {
+  try {
+    const result = await validate.findInvalidWrapperJars(
+      path.resolve('.'),
+      +core.getInput('min-wrapper-count'),
+      core.getInput('allow-snapshots') === 'true',
+      core.getInput('allow-checksums').split(',')
+    )
+    if (result.isValid()) {
+      core.info(result.toDisplayString())
+    } else {
+      core.setFailed(
+        `Gradle Wrapper Validation Failed!\n  See https://github.com/gradle/wrapper-validation-action#reporting-failures\n${result.toDisplayString()}`
+      )
+      if (result.invalid.length > 0) {
+        core.setOutput(
+          'failed-wrapper',
+          `${result.invalid.map(w => w.path).join('|')}`
+        )
+      }
+    }
+  } catch (error) {
+    if (error instanceof Error) {
+      core.setFailed(error.message)
+    } else {
+      core.setFailed(`Unknown object was thrown: ${error}`)
+    }
+  }
+}
+
+run()

src/validate.ts

@@ -0,0 +1,86 @@
+import * as find from './find'
+import * as checksums from './checksums'
+import * as hash from './hash'
+
+export async function findInvalidWrapperJars(
+  gitRepoRoot: string,
+  minWrapperCount: number,
+  allowSnapshots: boolean,
+  allowChecksums: string[]
+): Promise<ValidationResult> {
+  const wrapperJars = await find.findWrapperJars(gitRepoRoot)
+  const result = new ValidationResult([], [])
+  if (wrapperJars.length < minWrapperCount) {
+    result.errors.push(
+      `Expected to find at least ${minWrapperCount} Gradle Wrapper JARs but got only ${wrapperJars.length}`
+    )
+  }
+  if (wrapperJars.length > 0) {
+    const validChecksums = await checksums.fetchValidChecksums(allowSnapshots)
+    validChecksums.push(...allowChecksums)
+    for (const wrapperJar of wrapperJars) {
+      const sha = await hash.sha256File(wrapperJar)
+      if (!validChecksums.includes(sha)) {
+        result.invalid.push(new WrapperJar(wrapperJar, sha))
+      } else {
+        result.valid.push(new WrapperJar(wrapperJar, sha))
+      }
+    }
+  }
+  return result
+}
+
+export class ValidationResult {
+  valid: WrapperJar[]
+  invalid: WrapperJar[]
+  errors: string[] = []
+
+  constructor(valid: WrapperJar[], invalid: WrapperJar[]) {
+    this.valid = valid
+    this.invalid = invalid
+  }
+
+  isValid(): boolean {
+    return this.invalid.length === 0 && this.errors.length === 0
+  }
+
+  toDisplayString(): string {
+    let displayString = ''
+    if (this.invalid.length > 0) {
+      displayString += `✗ Found unknown Gradle Wrapper JAR files:\n${ValidationResult.toDisplayList(
+        this.invalid
+      )}`
+    }
+    if (this.errors.length > 0) {
+      if (displayString.length > 0) displayString += '\n'
+      displayString += `✗ Other validation errors:\n  ${this.errors.join(
+        `\n  `
+      )}`
+    }
+    if (this.valid.length > 0) {
+      if (displayString.length > 0) displayString += '\n'
+      displayString += `✓ Found known Gradle Wrapper JAR files:\n${ValidationResult.toDisplayList(
+        this.valid
+      )}`
+    }
+    return displayString
+  }
+
+  private static toDisplayList(wrapperJars: WrapperJar[]): string {
+    return `  ${wrapperJars.map(wj => wj.toDisplayString()).join(`\n  `)}`
+  }
+}
+
+export class WrapperJar {
+  path: string
+  checksum: string
+
+  constructor(path: string, checksum: string) {
+    this.path = path
+    this.checksum = checksum
+  }
+
+  toDisplayString(): string {
+    return `${this.checksum} ${this.path}`
+  }
+}

tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "target": "ES2021",                       /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
+    "outDir": "./lib",                        /* Redirect output structure to the directory. */
+    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    "strict": true,                           /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
+    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+  },
+  "exclude": ["node_modules", "**/*.test.ts"]
+}