Gradle Please Review Your Gradle Project Setup in the Android/ Folder

The recommended manner to execute whatsoever Gradle build is with the assist of the Gradle Wrapper (in short just "Wrapper"). The Wrapper is a script that invokes a declared version of Gradle, downloading information technology beforehand if necessary. Every bit a result, developers can get up and running with a Gradle project quickly without having to follow transmission installation processes saving your company fourth dimension and money.

Figure 1. The Wrapper workflow

In a nutshell you gain the following benefits:

• Standardizes a project on a given Gradle version, leading to more reliable and robust builds.

• Provisioning a new Gradle version to different users and execution environment (e.g. IDEs or Continuous Integration servers) is as uncomplicated as irresolute the Wrapper definition.

So how does information technology work? For a user there are typically three different workflows:

• You set up a new Gradle project and want to add the Wrapper to it.

• You want to run a project with the Wrapper that already provides it.

• You lot want to upgrade the Wrapper to a new version of Gradle.

The following sections explain each of these utilise cases in more detail.

Adding the Gradle Wrapper

Generating the Wrapper files requires an installed version of the Gradle runtime on your machine as described in Installation. Thankfully, generating the initial Wrapper files is a i-time procedure.

Every vanilla Gradle build comes with a congenital-in chore called wrapper. You'll be able to find the task listed nether the grouping "Build Setup tasks" when list the tasks. Executing the wrapper task generates the necessary Wrapper files in the projection directory.

Running the Wrapper task

$ gradle wrapper > Chore :wrapper  BUILD SUCCESSFUL in 0s 1 actionable job: one executed

To brand the Wrapper files bachelor to other developers and execution environments you'll need to bank check them into version control. All Wrapper files including the JAR file are very small in size. Adding the JAR file to version command is expected. Some organizations practise not allow projects to submit binary files to version control. At the moment there are no culling options to the approach.

The generated Wrapper properties file, gradle/wrapper/gradle-wrapper.properties, stores the data about the Gradle distribution.

• The server hosting the Gradle distribution.

• The type of Gradle distribution. Past default that's the -bin distribution containing only the runtime but no sample lawmaking and documentation.

• The Gradle version used for executing the build. By default the wrapper chore picks the exact same Gradle version that was used to generate the Wrapper files.

gradle/wrapper/gradle-wrapper.properties

                  distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.ii-bin.zip                

All of those aspects are configurable at the time of generating the Wrapper files with the assist of the post-obit command line options.

--gradle-version

The Gradle version used for downloading and executing the Wrapper.

--distribution-blazon

The Gradle distribution blazon used for the Wrapper. Available options are bin and all. The default value is bin.

--gradle-distribution-url

The full URL pointing to Gradle distribution Cypher file. Using this option makes --gradle-version and --distribution-type obsolete as the URL already contains this information. This option is extremely valuable if yous desire to host the Gradle distribution inside your company's network.

--gradle-distribution-sha256-sum

The SHA256 hash sum used for verifying the downloaded Gradle distribution.

Let'southward assume the following use case to illustrate the use of the control line options. Yous would similar to generate the Wrapper with version 7.iv.two and apply the -all distribution to enable your IDE to enable code-completion and being able to navigate to the Gradle source lawmaking. Those requirements are captured by the following command line execution:

Providing options to Wrapper task

$ gradle wrapper --gradle-version 7.4.2 --distribution-type all > Chore :wrapper  BUILD SUCCESSFUL in 0s ane actionable task: 1 executed

As a issue you tin find the desired information in the Wrapper properties file.

Instance: The generated distribution URL

                  distributionUrl=https\://services.gradle.org/distributions/gradle-seven.4.2-all.zilch                

Permit's have a look at the following projection layout to illustrate the expected Wrapper files:

                  . ├── a-subproject │   └── build.gradle ├── settings.gradle ├── gradle │   └── wrapper │       ├── gradle-wrapper.jar │       └── gradle-wrapper.properties ├── gradlew └── gradlew.bat                

                  . ├── a-subproject │   └── build.gradle.kts ├── settings.gradle.kts ├── gradle │   └── wrapper │       ├── gradle-wrapper.jar │       └── gradle-wrapper.backdrop ├── gradlew └── gradlew.bat                

A Gradle project typically provides a settings.gradle(.kts) file and one build.gradle(.kts) file for each subproject. The Wrapper files alive alongside in the gradle directory and the root directory of the project. The following list explains their purpose.

gradle-wrapper.jar

The Wrapper JAR file containing code for downloading the Gradle distribution.

gradle-wrapper.properties

A properties file responsible for configuring the Wrapper runtime behavior e.g. the Gradle version uniform with this version. Note that more generic settings, similar configuring the Wrapper to use a proxy, demand to go into a different file.

gradlew, gradlew.bat

A beat out script and a Windows batch script for executing the build with the Wrapper.

You can become ahead and execute the build with the Wrapper without having to install the Gradle runtime. If the projection you are working on does not contain those Wrapper files then you'll need to generate them.

Using the Gradle Wrapper

It is recommended to always execute a build with the Wrapper to ensure a reliable, controlled and standardized execution of the build. Using the Wrapper looks almost exactly like running the build with a Gradle installation. Depending on the operating organisation you either run gradlew or gradlew.bat instead of the gradle command. The post-obit console output demonstrate the use of the Wrapper on a Windows machine for a Coffee-based projection.

Executing the build with the Wrapper batch file

$ gradlew.bat build Downloading https://services.gradle.org/distributions/gradle-5.0-all.zip ..................................................................................... Unzipping C:\Documents and Settings\Claudia\.gradle\wrapper\dists\gradle-5.0-all\ac27o8rbd0ic8ih41or9l32mv\gradle-5.0-all.zippo to C:\Documents and Settings\Claudia\.gradle\wrapper\dists\gradle-five.0-al\ac27o8rbd0ic8ih41or9l32mv Set executable permissions for: C:\Documents and Settings\Claudia\.gradle\wrapper\dists\gradle-5.0-all\ac27o8rbd0ic8ih41or9l32mv\gradle-5.0\bin\gradle  BUILD SUCCESSFUL in 12s 1 actionable task: 1 executed

In case the Gradle distribution is non bachelor on the machine, the Wrapper will download information technology and store in the local file system. Whatever subsequent build invocation is going to reuse the existing local distribution as long equally the distribution URL in the Gradle properties doesn't change.

The Wrapper shell script and batch file reside in the root directory of a unmarried or multi-projection Gradle build. You will need to reference the correct path to those files in example you want to execute the build from a subproject directory e.one thousand. ../../gradlew tasks.

Upgrading the Gradle Wrapper

Projects will typically want to keep up with the times and upgrade their Gradle version to benefit from new features and improvements. Ane way to upgrade the Gradle version is manually change the distributionUrl property in the Wrapper'southward gradle-wrapper.backdrop file. The better and recommended pick is to run the wrapper task and provide the target Gradle version equally described in Adding the Gradle Wrapper. Using the wrapper task ensures that any optimizations made to the Wrapper shell script or batch file with that specific Gradle version are applied to the project. As usual, you should commit the changes to the Wrapper files to version control.

Note that running the wrapper job once volition update gradle-wrapper.backdrop only, but leave the wrapper itself in gradle-wrapper.jar untouched. This is usually fine as new versions of Gradle can be run fifty-fifty with ancient wrapper files. If you nevertheless desire all the wrapper files to exist completely upwardly-to-date, you'll need to run the wrapper task a second time.

Use the Gradle wrapper task to generate the wrapper, specifying a version. The default is the electric current version. Once you lot have upgraded the wrapper, you tin can cheque that it'due south the version yous expect past executing ./gradlew --version.

Example: Upgrading the Wrapper version

$ ./gradlew wrapper --gradle-version 7.4.2  BUILD SUCCESSFUL in 4s 1 actionable task: one executed

Customizing the Gradle Wrapper

Near users of Gradle are happy with the default runtime behavior of the Wrapper. However, organizational policies, security constraints or personal preferences might require you to dive deeper into customizing the Wrapper. Thankfully, the built-in wrapper task exposes numerous options to bend the runtime behavior to your needs. Almost configuration options are exposed by the underlying task type Wrapper.

Allow's presume you grew tired of defining the -all distribution type on the command line every time you upgrade the Wrapper. You can salvage yourself some keyboard strokes by re-configuring the wrapper chore.

Example one. Customizing the Wrapper job

build.gradle

                      tasks.named('wrapper') {     distributionType = Wrapper.DistributionType.ALL }                    

build.gradle.kts

                      tasks.wrapper {     distributionType = Wrapper.DistributionType.ALL }                    

With the configuration in identify running ./gradlew wrapper --gradle-version 7.4.2 is enough to produce a distributionUrl value in the Wrapper properties file that will request the -all distribution.

The generated distribution URL

distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.two-all.zip

Check out the API documentation for more detail descriptions of the bachelor configuration options. You lot tin can as well find various samples for configuring the Wrapper in the Gradle distribution.

Authenticated Gradle distribution download

The Gradle Wrapper tin download Gradle distributions from servers using HTTP Basic Authentication. This enables y'all to host the Gradle distribution on a private protected server. You can specify a username and password in two different ways depending on your use example: as system backdrop or directly embedded in the distributionUrl. Credentials in organisation properties take precedence over the ones embedded in distributionUrl.

Security Warning HTTP Basic Authentication should only exist used with HTTPS URLs and not plain HTTP ones. With Basic Hallmark, the user credentials are sent in clear text.

Using system properties can exist done in the .gradle/gradle.properties file in the user'south home directory, or by other means, run across Gradle Configuration Properties.

Specifying the HTTP Basic Hallmark credentials using system properties

                    systemProp.gradle.wrapperUser=username systemProp.gradle.wrapperPassword=countersign                  

Embedding credentials in the distributionUrl in the gradle/wrapper/gradle-wrapper.properties file also works. Please note that this file is to be committed into your source control organization. Shared credentials embedded in distributionUrl should but be used in a controlled environment.

Specifying the HTTP Bones Authentication credentials in distributionUrl

distributionUrl=https://username:password@somehost/path/to/gradle-distribution.zero

This can be used in conjunction with a proxy, authenticated or not. See Accessing the web via a proxy for more information on how to configure the Wrapper to apply a proxy.

Verification of downloaded Gradle distributions

The Gradle Wrapper allows for verification of the downloaded Gradle distribution via SHA-256 hash sum comparison. This increases security confronting targeted attacks past preventing a man-in-the-heart attacker from tampering with the downloaded Gradle distribution.

To enable this characteristic, download the .sha256 file associated with the Gradle distribution you want to verify.

Configuring checksum verification

Add together the downloaded hash sum to gradle-wrapper.properties using the distributionSha256Sum property or use --gradle-distribution-sha256-sum on the command-line.

Configuring SHA-256 checksum verification

                      distributionSha256Sum=371cb9fbebbe9880d147f59bab36d61eee122854ef8c9ee1ecf12b82368bcf10                    

Gradle will written report a build failure in example the configured checksum does not match the checksum constitute on the server for hosting the distribution. Checksum Verification is but performed if the configured Wrapper distribution hasn't been downloaded yet.

Verifying the integrity of the Gradle Wrapper JAR

The Wrapper JAR is a binary file that will exist executed on the computers of developers and build servers. As with all such files, you should exist sure that it'due south trustworthy before executing it. Since the Wrapper JAR is usually checked into a project'due south version control system, there is the potential for a malicious actor to replace the original JAR with a modified ane past submitting a pull request that seemingly only upgrades the Gradle version.

To verify the integrity of the Wrapper JAR, Gradle has created a GitHub Activeness that automatically checks Wrapper JARs in pull requests against a list of known skillful checksums. Gradle also publishes the checksums of all releases (except for version 3.3 to iv.0.two, which did not generate reproducible JARs), then y'all can manually verify the integrity of the Wrapper JAR.

Automatically verifying the Gradle Wrapper JAR on GitHub

The GitHub Action is released separately from Gradle, so please check its documentation for how to apply it to your project.

Manually verifying the Gradle Wrapper JAR

You can manually verify the checksum of the Wrapper JAR to ensure that it has non been tampered with by running the post-obit commands on one of the major operating systems:

Manually verifying the checksum of the Wrapper JAR on Linux

                    $ cd gradle/wrapper $ curl --location --output gradle-wrapper.jar.sha256 \        https://services.gradle.org/distributions/gradle-vii.four.2-wrapper.jar.sha256 $ echo "  gradle-wrapper.jar" >> gradle-wrapper.jar.sha256 $ sha256sum --bank check gradle-wrapper.jar.sha256 gradle-wrapper.jar: OK                  

Manually verifying the checksum of the Wrapper JAR on macOS

                    $ cd gradle/wrapper $ curlicue --location --output gradle-wrapper.jar.sha256 \        https://services.gradle.org/distributions/gradle-7.4.2-wrapper.jar.sha256 $ echo "  gradle-wrapper.jar" >> gradle-wrapper.jar.sha256 $ shasum --cheque gradle-wrapper.jar.sha256 gradle-wrapper.jar: OK                  

Manually verifying the checksum of the Wrapper JAR on Windows (using PowerShell)

                    > $expected = Invoke-RestMethod -Uri https://services.gradle.org/distributions/gradle-7.four.2-wrapper.jar.sha256 > $actual = (Go-FileHash gradle\wrapper\gradle-wrapper.jar -Algorithm SHA256).Hash.ToLower() > @{$true = 'OK: Checksum match'; $false = "ERROR: Checksum mismatch!`nExpected: $expected`nActual:   $bodily"}[$actual -eq $expected] OK: Checksum match                  

Troubleshooting a checksum mismatch

If the checksum does non match the 1 you expected, chances are the wrapper task wasn't executed with the upgraded Gradle distribution. Thus, you should first bank check whether the actual checksum matches the one of a dissimilar Gradle version. Here are the commands you can run on the major operating systems to generate the bodily checksum of the Wrapper JAR:

Generating the bodily checksum of the Wrapper JAR on Linux

                    $ sha256sum gradle/wrapper/gradle-wrapper.jar d81e0f23ade952b35e55333dd5f1821585e887c6d24305aeea2fbc8dad564b95  gradle/wrapper/gradle-wrapper.jar                  

Generating the actual checksum of the Wrapper JAR on macOS

                    $ shasum --algorithm=256 gradle/wrapper/gradle-wrapper.jar d81e0f23ade952b35e55333dd5f1821585e887c6d24305aeea2fbc8dad564b95  gradle/wrapper/gradle-wrapper.jar                  

Generating the bodily checksum of the Wrapper JAR on Windows (using PowerShell)

                    > (Get-FileHash gradle\wrapper\gradle-wrapper.jar -Algorithm SHA256).Hash.ToLower() d81e0f23ade952b35e55333dd5f1821585e887c6d24305aeea2fbc8dad564b95                  

Once you know the actual checksum, bank check whether it'due south listed on https://gradle.org/release-checksums/. If it is listed, you have verified the integrity of the Wrapper JAR. If the version of Gradle that generated the Wrapper JAR doesn't match the version in gradle/wrapper/gradle-wrapper.backdrop, it'southward prophylactic to run the wrapper task again to update the Wrapper JAR.

If the checksum is not listed on the page, the Wrapper JAR might be from a milestone, release candidate, or nightly build or may accept been generated by Gradle 3.3 to 4.0.2. You should endeavor to find out how it was generated merely care for it every bit untrustworthy until proven otherwise. If you call up the Wrapper JAR was compromised, please allow the Gradle team know by sending an email to security@gradle.com.

reymondtorepto.blogspot.com

Source: https://docs.gradle.org/current/userguide/gradle_wrapper.html

Share this post