Bump to v3.5.0

Now that 'gradle/actions/wrapper-validation' has been released as v3.3.0, 
we remove this implementation and delegate via a composite action.

Fixes #198

.eslintignore

@@ -1,3 +0,0 @@
-dist/
-lib/
-node_modules/

.eslintrc.json

@@ -1,54 +0,0 @@
-{
-    "plugins": ["jest", "@typescript-eslint"],
-    "extends": ["plugin:github/recommended"],
-    "parser": "@typescript-eslint/parser",
-    "parserOptions": {
-      "ecmaVersion": 9,
-      "sourceType": "module",
-      "project": "./tsconfig.json"
-    },
-    "rules": {
-      "eslint-comments/no-use": "off",
-      "import/no-namespace": "off",
-      "i18n-text/no-en": "off",
-      "no-unused-vars": "off",
-      "sort-imports": "off",
-      "@typescript-eslint/no-unused-vars": "error",
-      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
-      "@typescript-eslint/no-require-imports": "error",
-      "@typescript-eslint/array-type": "error",
-      "@typescript-eslint/await-thenable": "error",
-      "camelcase": "off",
-      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
-      "@typescript-eslint/func-call-spacing": ["error", "never"],
-      "@typescript-eslint/no-array-constructor": "error",
-      "@typescript-eslint/no-empty-interface": "error",
-      "@typescript-eslint/no-explicit-any": "error",
-      "@typescript-eslint/no-extraneous-class": "error",
-      "@typescript-eslint/no-for-in-array": "error",
-      "@typescript-eslint/no-inferrable-types": "error",
-      "@typescript-eslint/no-misused-new": "error",
-      "@typescript-eslint/no-namespace": "error",
-      "@typescript-eslint/no-non-null-assertion": "warn",
-      "@typescript-eslint/no-unnecessary-qualifier": "error",
-      "@typescript-eslint/no-unnecessary-type-assertion": "error",
-      "@typescript-eslint/no-useless-constructor": "error",
-      "@typescript-eslint/no-var-requires": "error",
-      "@typescript-eslint/prefer-for-of": "warn",
-      "@typescript-eslint/prefer-function-type": "warn",
-      "@typescript-eslint/prefer-includes": "error",
-      "@typescript-eslint/prefer-string-starts-ends-with": "error",
-      "@typescript-eslint/promise-function-async": "error",
-      "@typescript-eslint/require-array-sort-compare": "error",
-      "@typescript-eslint/restrict-plus-operands": "error",
-      "semi": "off",
-      "@typescript-eslint/semi": ["error", "never"],
-      "@typescript-eslint/type-annotation-spacing": "error",
-      "@typescript-eslint/unbound-method": "error"
-    },
-    "env": {
-      "node": true,
-      "es6": true,
-      "jest/globals": true
-    }
-  }

.github/dependabot.yml

@@ -8,14 +8,3 @@ updates:
       github-actions:
         patterns:
         - "*"
-
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    ignore:
-      - dependency-name: "@types/node"
-    groups:
-      npm-dependencies:
-        patterns:
-        - "*"

.github/workflows/check-dist.yml

@@ -1,55 +0,0 @@
-# `dist/index.js` is a special file in Actions.
-# When you reference an action with `uses:` in a workflow,
-# `index.js` is the code that will run.
-# For our project, we generate this file through a build process from other source files.
-# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
-name: Check dist directory
-
-on:
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - '**.md'
-  pull_request:
-    paths-ignore:
-      - '**.md'
-  workflow_dispatch:
-
-jobs:
-  check-dist:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set Node.js 20.x
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20.x
-          cache: npm
-
-      - name: Validate package-lock
-        run: npx lockfile-lint --path package-lock.json --allowed-hosts npm yarn --validate-https
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Rebuild the dist/ directory
-        run: npm run build
-
-      - name: Compare the expected and actual dist/ directories
-        run: |
-          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
-            echo "Detected uncommitted changes after build.  See status below:"
-            git diff
-            exit 1
-          fi
-        id: diff
-
-      # If index.js was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v4
-        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
-        with:
-          name: dist
-          path: dist/

.github/workflows/ci.yml

@@ -7,25 +7,61 @@ on: # rebuild any PRs and main branch changes
       - 'releases/*'
 
 jobs:
-  build: # make sure build/ci work properly
+
+  # Integration test for successful validation of wrappers
+  test-validation-success:
+    name: 'Test: Validation success'
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - name: Set Node.js 20.x
-      uses: actions/setup-node@v4
-      with:
-        node-version: 20.x
-        cache: npm
-    - run: |
-        npm -v
-        node -v
-        npm install
-        npm run all
-  test: # make sure the action works on a clean machine without building
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: ./
+
+    - name: Run wrapper-validation-action
+      id: action-test
+      uses: ./
       with:
         # to allow the invalid wrapper jar present in test data
         allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+    - name: Check outcome
+      env:
+        # Evaluate workflow expressions here as env variable values instead of inside shell script
+        # below to not accidentally inject code into shell script or break its syntax
+        FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
+        FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == '' }}
+      run: |
+        if [ "$FAILED_WRAPPERS_MATCHES" != "true" ] ; then
+          echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
+          exit 1
+        fi
+
+
+  # Integration test for failing validation of wrappers
+  test-validation-error:
+    name: 'Test: Validation error'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Run wrapper-validation-action
+      id: action-test
+      uses: ./
+      # Expected to fail; validated below
+      continue-on-error: true
+
+    - name: Check outcome
+      env:
+        # Evaluate workflow expressions here as env variable values instead of inside shell script
+        # below to not accidentally inject code into shell script or break its syntax
+        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
+        FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
+        FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == '__tests__/data/invalid/gradle-wrapper.jar|__tests__/data/invalid/gradlе-wrapper.jar' }}
+      run: |
+        if [ "$VALIDATION_FAILED" != "true" ] ; then
+          echo "Expected validation to fail, but it didn't"
+          exit 1
+        fi
+
+        if [ "$FAILED_WRAPPERS_MATCHES" != "true" ] ; then
+          echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
+          exit 1
+        fi

.github/workflows/codeql-analysis.yml

@@ -1,56 +0,0 @@
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  schedule:
-    - cron: '24 4 * * 6'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3

.gitignore

@@ -1,102 +0,0 @@
-# Dependency directory
-node_modules
-
-# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# next.js build output
-.next
-
-# nuxt.js build output
-.nuxt
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# OS metadata
-.DS_Store
-Thumbs.db
-
-# Ignore built ts files
-__tests__/runner/*
-lib/**/*
-
-.idea/
-*.iml

.prettierignore

@@ -1,3 +0,0 @@
-dist/
-lib/
-node_modules/

.prettierrc.json

@@ -1,12 +0,0 @@
-{
-  "printWidth": 80,
-  "tabWidth": 2,
-  "useTabs": false,
-  "semi": false,
-  "singleQuote": true,
-  "trailingComma": "none",
-  "bracketSpacing": false,
-  "arrowParens": "avoid",
-  "parser": "typescript",
-  "endOfLine": "auto"
-}

.tool-versions

@@ -1,2 +0,0 @@
-# Configuration file for asdf version manager
-nodejs 20.10.0

CONTRIBUTING.md

@@ -1,12 +0,0 @@
-## Project Goals
-
-We aim to keep the scope of this project limited so that it is easy for maintainers to apply and forget about.
-
-### Goals
-
-To verify that all the gradle-wrapper.jar(s) in a given GitHub repository or pull request against that repo is an official Gradle Wrapper release.
-
-### Non-Goals
-
-It is not the goal of this action to verify that the gradle-wrapper.jar matches a specific version of Gradle,
-nor that the version declared in the build.gradle or gradle-wrapper.properties file matches.

README.md

@@ -1,59 +1,27 @@
-<p align="center">
-  <a href="https://github.com/gradle/wrapper-validation-action/actions"><img alt="gradle/wrapper-validation-action status" src="https://github.com/gradle/wrapper-validation-action/workflows/ci/badge.svg"></a>
-</p>
+> [!IMPORTANT]
+> As of `v3` this action has been superceded by `gradle/actions/wrapper-validation`.
+> Any workflow that uses `gradle/wrapper-validation-action@v3` will transparently delegate to `gradle/actions/wrapper-validation@v3`.
+>
+> Users are encouraged to update their workflows, replacing:
+> ```
+> uses: gradle/wrapper-validation-action@v3
+> ```
+>
+> with
+> ```
+> uses: gradle/actions/wrapper-validation@v3
+> ```
+>
+> See the [wrapper-validation documentation](https://github.com/gradle/actions/tree/main/wrapper-validation) for up-to-date documentation for `gradle/actions/wrapper-validation`. 
 
 # Gradle Wrapper Validation Action
 
-This action validates the checksums of [Gradle Wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html) JAR files present in the source tree and fails if unknown Gradle Wrapper JAR files are found.
+This action validates the checksums of _all_ [Gradle Wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html) JAR files present in the repository and fails if any unknown Gradle Wrapper JAR files are found.
 
-## The Gradle Wrapper Problem in Open Source
+The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
 
-The `gradle-wrapper.jar` is a binary blob of executable code that is checked into nearly
-[2.8 Million GitHub Repositories](https://github.com/search?l=&q=filename%3Agradle-wrapper.jar&type=Code).
+### Example workflow
 
-Searching across GitHub you can find many pull requests (PRs) with helpful titles like 'Update to Gradle xxx'.
-Many of these PRs are contributed by individuals outside of the organization maintaining the project.
-
-Many maintainers are incredibly grateful for these kinds of contributions as it takes an item off of their backlog.
-We assume that most maintainers do not consider the security implications of accepting the Gradle Wrapper binary from external contributors.
-There is a certain amount of blind trust open source maintainers have.
-Further compounding the issue is that maintainers are most often greeted in these PRs with a diff to the `gradle-wrapper.jar` that looks like this.
-
-![Image of a GitHub Diff of Gradle Wrapper displaying text 'Binary file not shown.'](https://user-images.githubusercontent.com/1323708/71915219-477d7780-3149-11ea-9254-90c80dbffb0a.png)
-
-A fairly simple social engineering supply chain attack against open source would be contribute a helpful “Updated to Gradle xxx” PR that contains malicious code hidden inside this binary JAR.
-A malicious `gradle-wrapper.jar` could execute, download, or install arbitrary code while otherwise behaving like a completely normal `gradle-wrapper.jar`.
-
-## Solution
-
-We have created a simple GitHub Action that can be applied to any GitHub repository.
-This GitHub Action will do one simple task:
-verify that any and all `gradle-wrapper.jar` files in the repository match the SHA-256 checksums of any of our official releases.
-
-If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.
-
-Additionally, the action will find and SHA-256 hash all
-[homoglyph](https://en.wikipedia.org/wiki/Homoglyph)
-variants of files named `gradle-wrapper.jar`,
-for example a file named `gradlе-wrapper.jar` (which uses a Cyrillic `е` instead of `e`).
-The goal is to prevent homoglyph attacks which may be very difficult to spot in a GitHub diff.
-We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/playframework/pull/1/files).
-
-## Usage
-
-### Add to an existing Workflow
-
-Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
-
-```yaml
-uses: gradle/wrapper-validation-action@v1
-```
-
-### Add a new dedicated Workflow
-
-Here's a sample complete workflow you can add to your repositories:
-
-**`.github/workflows/gradle-wrapper-validation.yml`**
 ```yaml
 name: "Validate Gradle Wrapper"
 on: [push, pull_request]
@@ -64,43 +32,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: gradle/wrapper-validation-action@v1
+      - uses: gradle/wrapper-validation-action@v3
 ```
 
-## Contributing to an external GitHub Repository
+As of `v3`, the `gradle/wrapper-validation-action` action delegates to `gradle/actions/wrapper-validation` with the same version.
+Configuration and usage of these actions is identical for releases with the same version number.
 
-Since [GitHub Actions](https://github.com/features/actions)
-are completely free for open source projects and are automatically enabled on almost all projects,
-adding this check to a project's build is as simple as contributing a PR.
-Enabling the check requires no overhead on behalf of the project maintainer beyond merging the action.
-
-You can add this action to your favorite Gradle based project without checking out their source locally via the
-GitHub Web UI thanks to the 'Create new file' button.
-
-![GitHub 'Create new file' Button bar picture](https://user-images.githubusercontent.com/1323708/73676469-6c023c00-4682-11ea-8c0a-5a1e2d29b17f.png)
-
-Simply add a new file named `.github/workflows/gradle-wrapper-validation.yml` with the contents mentioned above.
-
-We recommend the message commit contents of:
- - Title: `Official Gradle Wrapper Validation Action`
- - Body (at minimum): `See: https://github.com/gradle/wrapper-validation-action`
-
-From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
-
-## Reporting Failures
-
-If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
-we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
-
-**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
-
-If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
-
-If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
-and one of our valid release, you can compare them using this online utility: [diffoscope](https://try.diffoscope.org/).
-Regardless of what you find, we still kindly request that you reach out to us and let us know.
-
-## Resources
-
-To learn more about verifying the Gradle Wrapper JAR locally, see our
-[guide on the topic](https://docs.gradle.org/current/userguide/gradle_wrapper.html#wrapper_checksum_verification).
+See the [full wrapper-validation documentation](https://github.com/gradle/actions/tree/main/wrapper-validation) for more details. 

RELEASING.md

@@ -1,14 +0,0 @@
-# Release
-
-* starting on `main`
-* `npm install`
-* `npm run all`
-* Commit and push any changes to the `dist` directory. Wait for CI.
-* `git tag v1.0.x && git push --tags` with the actual version number
-* `git tag -f -a v1 && git push -f --tags`
-* go to https://github.com/gradle/wrapper-validation-action/releases
-  * edit and publish the now drafted `v1` release
-  * create a new release from the new full version number `v1.0.x`, list the fixed issues and publish the release
-* go to https://github.com/marketplace/actions/gradle-wrapper-validation
-  * verify that it displays the latest README
-  * verify that the version dropdown displays the new version

__tests__/checksums.test.ts

@@ -1,32 +0,0 @@
-import * as checksums from '../src/checksums'
-import nock from 'nock'
-import {afterEach, describe, expect, test, jest} from '@jest/globals'
-
-jest.setTimeout(30000)
-
-test('fetches wrapper jars checksums', async () => {
-  const validChecksums = await checksums.fetchValidChecksums(false)
-  expect(validChecksums.length).toBeGreaterThan(10)
-})
-
-describe('retry', () => {
-  afterEach(() => {
-    nock.cleanAll()
-  })
-
-  describe('for /versions/all API', () => {
-    test('retry three times', async () => {
-      nock('https://services.gradle.org', {allowUnmocked: true})
-        .get('/versions/all')
-        .times(3)
-        .replyWithError({
-          message: 'connect ECONNREFUSED 104.18.191.9:443',
-          code: 'ECONNREFUSED'
-        })
-
-      const validChecksums = await checksums.fetchValidChecksums(false)
-      expect(validChecksums.length).toBeGreaterThan(10)
-      nock.isDone()
-    })
-  })
-})

__tests__/find.test.ts

@@ -1,12 +0,0 @@
-import * as path from 'path'
-import * as find from '../src/find'
-import {expect, test} from '@jest/globals'
-
-test('finds test data wrapper jars', async () => {
-  const repoRoot = path.resolve('.')
-  const wrapperJars = await find.findWrapperJars(repoRoot)
-  expect(wrapperJars.length).toBe(3)
-  expect(wrapperJars).toContain('__tests__/data/valid/gradle-wrapper.jar')
-  expect(wrapperJars).toContain('__tests__/data/invalid/gradle-wrapper.jar')
-  expect(wrapperJars).toContain('__tests__/data/invalid/gradlе-wrapper.jar') // homoglyph
-})

__tests__/hash.test.ts

@@ -1,12 +0,0 @@
-import * as path from 'path'
-import * as hash from '../src/hash'
-import {expect, test} from '@jest/globals'
-
-test('can sha256 files', async () => {
-  const sha = await hash.sha256File(
-    path.resolve('__tests__/data/invalid/gradle-wrapper.jar')
-  )
-  expect(sha).toEqual(
-    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
-  )
-})

__tests__/validate.test.ts

@@ -1,74 +0,0 @@
-import * as path from 'path'
-import * as validate from '../src/validate'
-import {expect, test, jest} from '@jest/globals'
-
-jest.setTimeout(30000)
-
-const baseDir = path.resolve('.')
-
-test('succeeds if all found wrapper jars are valid', async () => {
-  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [
-    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
-  ])
-
-  expect(result.isValid()).toBe(true)
-
-  expect(result.toDisplayString()).toBe(
-    '✓ Found known Gradle Wrapper JAR files:\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
-      '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
-  )
-})
-
-test('fails if invalid wrapper jars are found', async () => {
-  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [])
-
-  expect(result.isValid()).toBe(false)
-
-  expect(result.valid).toEqual([
-    new validate.WrapperJar(
-      '__tests__/data/valid/gradle-wrapper.jar',
-      '3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce'
-    )
-  ])
-
-  expect(result.invalid).toEqual([
-    new validate.WrapperJar(
-      '__tests__/data/invalid/gradle-wrapper.jar',
-      'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
-    ),
-    new validate.WrapperJar(
-      '__tests__/data/invalid/gradlе-wrapper.jar', // homoglyph
-      'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
-    )
-  ])
-
-  expect(result.toDisplayString()).toBe(
-    '✗ Found unknown Gradle Wrapper JAR files:\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
-      '✓ Found known Gradle Wrapper JAR files:\n' +
-      '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
-  )
-})
-
-test('fails if not enough wrapper jars are found', async () => {
-  const result = await validate.findInvalidWrapperJars(baseDir, 4, false, [])
-
-  expect(result.isValid()).toBe(false)
-
-  expect(result.errors).toEqual([
-    'Expected to find at least 4 Gradle Wrapper JARs but got only 3'
-  ])
-
-  expect(result.toDisplayString()).toBe(
-    '✗ Found unknown Gradle Wrapper JAR files:\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
-      '✗ Other validation errors:\n' +
-      '  Expected to find at least 4 Gradle Wrapper JARs but got only 3\n' +
-      '✓ Found known Gradle Wrapper JAR files:\n' +
-      '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
-  )
-})

action.yml

@@ -18,11 +18,21 @@ inputs:
 
 outputs:
   failed-wrapper:
-    description: The path of the Gradle Wrapper(s) JAR that failed validation.
+    description: 'The path of the Gradle Wrapper(s) JAR that failed validation. Path is a platform-dependent relative path to git repository root. Multiple paths are separated by a | character.'
+    value: ${{ steps.wrapper-validation.outputs.failed-wrapper }}
 
 runs:
-  using: 'node20'
-  main: 'dist/index.js'
+  using: "composite"
+  steps:
+    - name: Wrapper Validation
+      id: wrapper-validation
+      uses: gradle/actions/wrapper-validation@v3.5.0
+      with:
+        min-wrapper-count: ${{ inputs.min-wrapper-count }}
+        allow-snapshots: ${{ inputs.allow-snapshots }}
+        allow-checksums: ${{ inputs.allow-checksums }}
+      env:
+        GRADLE_ACTION_ID: gradle/wrapper-validation-action
 
 branding:
   icon: 'shield'

jest.config.js

@@ -1,8 +0,0 @@
-module.exports = {
-  clearMocks: true,
-  moduleFileExtensions: ['js', 'ts', 'json'],
-  testMatch: ['**/*.test.ts'],
-  preset: 'ts-jest',
-  verbose: true,
-  setupFilesAfterEnv: ['./jest.setup.js']
-}

jest.setup.js

@@ -1 +0,0 @@
-jest.setTimeout(10000) // in milliseconds

package.json

@@ -1,48 +0,0 @@
-{
-  "name": "wrapper-validation-action",
-  "version": "0.0.0",
-  "private": true,
-  "description": "Gradle Wrapper Validation Action",
-  "main": "lib/main.js",
-  "scripts": {
-    "build": "tsc",
-    "format": "prettier --write **/*.ts",
-    "format-check": "prettier --check **/*.ts",
-    "lint": "eslint src/**/*.ts",
-    "pack": "ncc build",
-    "test": "jest",
-    "all": "npm run build && npm run format && npm run lint && npm run pack && npm test"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/gradle/wrapper-validation-action.git"
-  },
-  "keywords": [
-    "actions",
-    "node",
-    "setup"
-  ],
-  "author": "Gradle Inc.",
-  "license": "MIT",
-  "dependencies": {
-    "@actions/core": "1.10.1",
-    "typed-rest-client": "1.8.11",
-    "unhomoglyph": "1.0.6"
-  },
-  "devDependencies": {
-    "@types/node": "16.18.38",
-    "@typescript-eslint/parser": "6.20.0",
-    "@vercel/ncc": "0.38.1",
-    "eslint": "8.56.0",
-    "eslint-plugin-github": "4.10.1",
-    "eslint-plugin-jest": "27.6.3",
-    "eslint-plugin-prettier": "5.1.3",
-    "glob-parent": "6.0.2",
-    "jest": "29.7.0",
-    "js-yaml": "4.1.0",
-    "nock": "13.5.1",
-    "prettier": "3.2.4",
-    "ts-jest": "29.1.2",
-    "typescript": "5.3.3"
-  }
-}

src/checksums.ts

@@ -1,40 +0,0 @@
-import * as httpm from 'typed-rest-client/HttpClient'
-
-const httpc = new httpm.HttpClient(
-  'gradle/wrapper-validation-action',
-  undefined,
-  {allowRetries: true, maxRetries: 3}
-)
-
-export async function fetchValidChecksums(
-  allowSnapshots: boolean
-): Promise<string[]> {
-  const all = await httpGetJsonArray('https://services.gradle.org/versions/all')
-  const withChecksum = all.filter(
-    entry =>
-      typeof entry === 'object' &&
-      entry != null &&
-      entry.hasOwnProperty('wrapperChecksumUrl')
-  )
-  const allowed = withChecksum.filter(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    (entry: any) => allowSnapshots || !entry.snapshot
-  )
-  const checksumUrls = allowed.map(
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    (entry: any) => entry.wrapperChecksumUrl as string
-  )
-  const checksums = await Promise.all(
-    checksumUrls.map(async (url: string) => httpGetText(url))
-  )
-  return [...new Set(checksums)]
-}
-
-async function httpGetJsonArray(url: string): Promise<unknown[]> {
-  return JSON.parse(await httpGetText(url))
-}
-
-async function httpGetText(url: string): Promise<string> {
-  const response = await httpc.get(url)
-  return await response.readBody()
-}

src/find.ts

@@ -1,27 +0,0 @@
-import * as util from 'util'
-import * as path from 'path'
-import * as fs from 'fs'
-import unhomoglyph from 'unhomoglyph'
-
-const readdir = util.promisify(fs.readdir)
-
-export async function findWrapperJars(baseDir: string): Promise<string[]> {
-  const files = await recursivelyListFiles(baseDir)
-  return files
-    .filter(file => unhomoglyph(file).endsWith('gradle-wrapper.jar'))
-    .map(wrapperJar => path.relative(baseDir, wrapperJar))
-    .sort((a, b) => a.localeCompare(b))
-}
-
-async function recursivelyListFiles(baseDir: string): Promise<string[]> {
-  const childrenNames = await readdir(baseDir)
-  const childrenPaths = await Promise.all(
-    childrenNames.map(async childName => {
-      const childPath = path.resolve(baseDir, childName)
-      return fs.lstatSync(childPath).isDirectory()
-        ? recursivelyListFiles(childPath)
-        : new Promise(resolve => resolve([childPath]))
-    })
-  )
-  return Array.prototype.concat(...childrenPaths)
-}

src/hash.ts

@@ -1,18 +0,0 @@
-import * as crypto from 'crypto'
-import * as fs from 'fs'
-
-export async function sha256File(path: string): Promise<string> {
-  return new Promise((resolve, reject) => {
-    const hash = crypto.createHash('sha256')
-    const stream = fs.createReadStream(path)
-    stream.on('data', data => hash.update(data))
-    stream.on('end', () => {
-      stream.destroy()
-      resolve(hash.digest('hex'))
-    })
-    stream.on('error', error => {
-      stream.destroy()
-      reject(error)
-    })
-  })
-}

src/main.ts

@@ -1,36 +0,0 @@
-import * as path from 'path'
-import * as core from '@actions/core'
-
-import * as validate from './validate'
-
-export async function run(): Promise<void> {
-  try {
-    const result = await validate.findInvalidWrapperJars(
-      path.resolve('.'),
-      +core.getInput('min-wrapper-count'),
-      core.getInput('allow-snapshots') === 'true',
-      core.getInput('allow-checksums').split(',')
-    )
-    if (result.isValid()) {
-      core.info(result.toDisplayString())
-    } else {
-      core.setFailed(
-        `Gradle Wrapper Validation Failed!\n  See https://github.com/gradle/wrapper-validation-action#reporting-failures\n${result.toDisplayString()}`
-      )
-      if (result.invalid.length > 0) {
-        core.setOutput(
-          'failed-wrapper',
-          `${result.invalid.map(w => w.path).join('|')}`
-        )
-      }
-    }
-  } catch (error) {
-    if (error instanceof Error) {
-      core.setFailed(error.message)
-    } else {
-      core.setFailed(`Unknown object was thrown: ${error}`)
-    }
-  }
-}
-
-run()

src/validate.ts

@@ -1,86 +0,0 @@
-import * as find from './find'
-import * as checksums from './checksums'
-import * as hash from './hash'
-
-export async function findInvalidWrapperJars(
-  gitRepoRoot: string,
-  minWrapperCount: number,
-  allowSnapshots: boolean,
-  allowChecksums: string[]
-): Promise<ValidationResult> {
-  const wrapperJars = await find.findWrapperJars(gitRepoRoot)
-  const result = new ValidationResult([], [])
-  if (wrapperJars.length < minWrapperCount) {
-    result.errors.push(
-      `Expected to find at least ${minWrapperCount} Gradle Wrapper JARs but got only ${wrapperJars.length}`
-    )
-  }
-  if (wrapperJars.length > 0) {
-    const validChecksums = await checksums.fetchValidChecksums(allowSnapshots)
-    validChecksums.push(...allowChecksums)
-    for (const wrapperJar of wrapperJars) {
-      const sha = await hash.sha256File(wrapperJar)
-      if (!validChecksums.includes(sha)) {
-        result.invalid.push(new WrapperJar(wrapperJar, sha))
-      } else {
-        result.valid.push(new WrapperJar(wrapperJar, sha))
-      }
-    }
-  }
-  return result
-}
-
-export class ValidationResult {
-  valid: WrapperJar[]
-  invalid: WrapperJar[]
-  errors: string[] = []
-
-  constructor(valid: WrapperJar[], invalid: WrapperJar[]) {
-    this.valid = valid
-    this.invalid = invalid
-  }
-
-  isValid(): boolean {
-    return this.invalid.length === 0 && this.errors.length === 0
-  }
-
-  toDisplayString(): string {
-    let displayString = ''
-    if (this.invalid.length > 0) {
-      displayString += `✗ Found unknown Gradle Wrapper JAR files:\n${ValidationResult.toDisplayList(
-        this.invalid
-      )}`
-    }
-    if (this.errors.length > 0) {
-      if (displayString.length > 0) displayString += '\n'
-      displayString += `✗ Other validation errors:\n  ${this.errors.join(
-        `\n  `
-      )}`
-    }
-    if (this.valid.length > 0) {
-      if (displayString.length > 0) displayString += '\n'
-      displayString += `✓ Found known Gradle Wrapper JAR files:\n${ValidationResult.toDisplayList(
-        this.valid
-      )}`
-    }
-    return displayString
-  }
-
-  private static toDisplayList(wrapperJars: WrapperJar[]): string {
-    return `  ${wrapperJars.map(wj => wj.toDisplayString()).join(`\n  `)}`
-  }
-}
-
-export class WrapperJar {
-  path: string
-  checksum: string
-
-  constructor(path: string, checksum: string) {
-    this.path = path
-    this.checksum = checksum
-  }
-
-  toDisplayString(): string {
-    return `${this.checksum} ${this.path}`
-  }
-}

tsconfig.json

@@ -1,12 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2021",                       /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
-    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
-    "outDir": "./lib",                        /* Redirect output structure to the directory. */
-    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
-    "strict": true,                           /* Enable all strict type-checking options. */
-    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
-    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
-  },
-  "exclude": ["node_modules", "**/*.test.ts"]
-}