build: drop Gradle dependency verification (repairs main) #34
Merged
Removes `gradle/verification-metadata.xml` (added in #30). With Dependabot auto-merging patch/minor Gradle bumps, the checksum metadata would have to be regenerated automatically from whatever was just downloaded and then approved unattended — which notarizes the artifact rather than vetting it. That provides no protection against a malicious dependency *release* (the actual threat, which dependency-review-action covers via the advisory DB) while breaking the build on every bump: a bump updates the version catalog but cannot update the checksum file, so verification fails.

This also repairs main: an auto-merged gradle bump (#33: aws-sdk 2.46.5, flyway 12.8.1) had drifted from the pinned 2.46.4/12.8.0 checksums, failing verification for ~50 artifacts on every PR (including the npm-only #32).

Kept: SHA-pinned Actions, wrapper distributionSha256Sum + wrapper-validation (pins the Gradle distribution itself, no Dependabot conflict), dependency-review, scoped auto-merge, signed releases. Threat model updated to record the rationale.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Why

`main` is currently broken. PR #33 (auto-merged Dependabot gradle group) bumped `aws-sdk` → 2.46.5 and `flyway` → 12.8.1 in the version catalog, but Dependabot cannot regenerate the `verification-metadata.xml` added in #30. So the catalog and the pinned checksums drifted, and dependency verification now fails for ~50 artifacts on every PR built from `main` — including the npm-only #32, whose `build` check fails on Gradle verification it never touched.

Decision: drop Gradle dependency verification
With Dependabot auto-merging patch/minor Gradle bumps, keeping verification would require auto-regenerating the checksums from whatever was just downloaded and approving it unattended. That notarizes the artifact rather than vetting it — no protection against a malicious dependency release (the real threat) — while breaking the build on every bump. The value of checksum pinning comes from a human reviewing the pin; automated approval removes that tripwire.
The threat it was meant to address is better served by what we keep.
Changes
- Removed `gradle/verification-metadata.xml`.
- `docs/threat-model.md`: "Supply chain" section with the rationale and revised residual-risk note.

Kept from #30 (the low-maintenance, on-threat controls)

- `distributionSha256Sum` + `wrapper-validation` (pins the Gradle distribution itself — no Dependabot conflict)
- `dependency-review-action` (advisory-DB gate — answers "is this update known-bad?")

Validation

`./gradlew testClasses --refresh-dependencies` → BUILD SUCCESSFUL, zero verification failures; aws-sdk 2.46.5 / flyway 12.8.1 resolve cleanly.

Follow-ups (repo settings — not in this PR)

- Branch protection on `main` requiring the `build` check. `main` is currently unprotected, which is how #33 (build(deps): Bump the dev-dependencies group with 4 updates) merged with a red build. Required checks would have prevented this.
- `@dependabot rebase`) — it will then go green.

🤖 Generated with Claude Code
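As an added illustration of the catalog/checksum drift this PR describes (example code, not part of this repository): a Python check that reads a version catalog and a `verification-metadata.xml` and lists the coordinates whose resolved version has no checksum entry, which is exactly the set Gradle's verification rejects after an unattended catalog bump. Both inputs are constructed excerpts; the jackson entry is hypothetical and shows a coordinate that still matches.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of gradle/libs.versions.toml after the Dependabot bump (#33):
# aws-sdk and flyway moved on, jackson (hypothetical) did not.
CATALOG = """
[versions]
awssdk = "2.46.5"
flyway = "12.8.1"
jackson = "2.17.0"
[libraries]
aws-s3 = { module = "software.amazon.awssdk:s3", version.ref = "awssdk" }
flyway-core = { module = "org.flywaydb:flyway-core", version.ref = "flyway" }
jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version.ref = "jackson" }
"""

# Constructed excerpt of gradle/verification-metadata.xml still pinning 2.46.4 / 12.8.0
# (real files also carry <artifact>/<sha256> children; only the component coordinates matter here).
VERIFICATION = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="software.amazon.awssdk" name="s3" version="2.46.4"/>
    <component group="org.flywaydb" name="flyway-core" version="12.8.0"/>
    <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.17.0"/>
  </components>
</verification-metadata>
"""
NS = {"v": "https://schema.gradle.org/dependency-verification"}

def catalog_coordinates(toml_text):
    """Map 'group:artifact' -> version for catalog libraries that use version.ref."""
    versions = dict(re.findall(r'^([\w-]+)\s*=\s*"([^"]+)"', toml_text, re.M))
    libs = re.findall(r'module\s*=\s*"([^"]+)"\s*,\s*version\.ref\s*=\s*"([^"]+)"', toml_text)
    return {module: versions[ref] for module, ref in libs}

def pinned_coordinates(xml_text):
    """Map 'group:artifact' -> set of versions that have a checksum entry."""
    pinned = {}
    for c in ET.fromstring(xml_text).iterfind(".//v:component", NS):
        pinned.setdefault(f"{c.get('group')}:{c.get('name')}", set()).add(c.get("version"))
    return pinned

def drifted(toml_text, xml_text):
    """Catalog entries whose version has no pin: what Gradle verification will reject."""
    pinned = pinned_coordinates(xml_text)
    return sorted((m, v) for m, v in catalog_coordinates(toml_text).items()
                  if v not in pinned.get(m, set()))

if __name__ == "__main__":
    for module, version in drifted(CATALOG, VERIFICATION):
        print(f"unpinned in verification-metadata.xml: {module}:{version}")
```

Running this on the real files as a pre-merge check would flag a Dependabot catalog bump before CI fails on it, which is the tripwire the PR argues cannot be kept once the metadata is regenerated unattended.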