package: use a central verification-metadata file

This lets us have better control over which dependencies are verified,
as changes to runelite-client's dependencies cause all Hub plugins with
pinned deps to fail, as the new transitive deps aren't pinned. Moving
this file into this repo not only lets us update it in these situations,
but also means individual plugin authors don't need to touch Gradle's
verification and all of its associated pains. This also allows plugins
to pull a dependency that another plugin pulls already with no extra
work.
Max Weber
2021-02-25 12:02:08 -07:00
parent 3b07b1ec1d
commit 531a9a8554
11 changed files with 713 additions and 29 deletions


@@ -118,29 +118,6 @@ will not merge it__.
We require any dependencies that are not a transitive dependency of runelite-client to
be have their cryptographic hash verified during the build to prevent [supply chain attacks](https://en.wikipedia.org/wiki/Supply_chain_attack) and ensure build reproducability.
To do this we rely on [Gradle's dependency verification](https://docs.gradle.org/nightly/userguide/dependency_verification.html).
Create `gradle/verification-metadata.xml` with the following contents
```xml
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
<configuration>
<verify-metadata>true</verify-metadata>
<verify-signatures>false</verify-signatures>
<trusted-artifacts>
<trust group="net.runelite"/>
<trust group="net.runelite.gluegen"/>
<trust group="net.runelite.jocl"/>
<trust group="net.runelite.jogl"/>
<trust group="net.runelite.pushingpixels"/>
</trusted-artifacts>
</configuration>
</verification-metadata>
```
And finally run:
```
./gradlew --write-verification-metadata sha256
```
Then commit the files to your repository. You will have to run this final command anytime you
add/remove/update dependencies that are not part of RuneLite.
To add a new dependency, add it to the `thirdParty` configuration in [`package/verification-template/build.gradle`](https://github.com/runelite/plugin-hub/blob/master/package/verification-template/build.gradle),
then run `../gradlew --write-verification-metadata sha256` to update the metadata file. A maintainer must then verify
the dependencies manually before your pull request will be merged.
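Review bot: the unchanged context at the top of this hunk carries two typos that survive the rewrite: "be have their cryptographic hash verified" has a stray "be", and "reproducability" should be "reproducibility"; both are worth fixing while this section is being edited. In the added lines, `../gradlew --write-verification-metadata sha256` records the checksums of whatever artifacts Gradle resolves at that moment rather than checking them against anything, so the sentence "A maintainer must then verify the dependencies manually" is where the actual assurance lives; consider stating what that verification consists of (for example, comparing the recorded SHA-256 values against the checksums published by the upstream project) so contributors know what to supply in the pull request.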