chore: harden Gradle dependency reproducibility

feat: enable Gradle dependency locking for all configurations feat: enforce strict lock-state usage in the build feat: centralize repository declaration in settings.gradle feat: enable strict Gradle dependency verification via gradle.properties feat: add committed dependency lock state and verification metadata fix: defer mockito agent resolution to test execution phase for locked builds ci: validate reproducibility inputs before workflow builds ci: include lock and verification inputs in workflow change detection docs: establish explicit dependency update workflow for locks and verification metadata
2026-04-15 22:33:48 +02:00
parent 2288852300
commit 558707d78e
10 changed files with 1830 additions and 6 deletions
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -11,6 +11,9 @@ on:
      - 'src/main/**'
      - 'src/jmh/**'
      - 'build.gradle'
+      - 'gradle.properties'
+      - 'gradle.lockfile'
+      - 'settings.gradle'
      - 'gradle/**'
      - 'gradlew'
      - 'gradlew.bat'
@@ -38,6 +41,14 @@ jobs:
      - name: Make Gradle executable
        run: chmod +x ./gradlew

+      - name: Verify reproducibility inputs
+        shell: bash
+        run: |
+          set -euo pipefail
+          test -f gradle.lockfile
+          test -f gradle.properties
+          test -f gradle/verification-metadata.xml
+
      - name: Run JMH benchmarks
        run: ./gradlew clean jmh --no-daemon

--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,6 +42,14 @@ jobs:
      - name: Set up Gradle caching and instrumentation
        uses: gradle/actions/setup-gradle@v4

+      - name: Verify reproducibility inputs
+        shell: bash
+        run: |
+          set -euo pipefail
+          test -f gradle.lockfile
+          test -f gradle.properties
+          test -f gradle/verification-metadata.xml
+
      - name: Execute build, tests, PMD, coverage, Javadoc, distribution packaging, and SBOM generation
        run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom

@@ -140,6 +148,14 @@ jobs:
      - name: Set up Gradle caching and instrumentation
        uses: gradle/actions/setup-gradle@v4

+      - name: Verify reproducibility inputs
+        shell: bash
+        run: |
+          set -euo pipefail
+          test -f gradle.lockfile
+          test -f gradle.properties
+          test -f gradle/verification-metadata.xml
+
      - name: Build release distribution and SBOM
        run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom

--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -9,6 +9,8 @@ on:
      - 'src/test/**'
      - 'src/jmh/**'
      - 'build.gradle'
+      - 'gradle.properties'
+      - 'gradle.lockfile'
      - 'settings.gradle'
      - 'gradle/**'
      - 'dependency-suppression.xml'
@@ -46,6 +48,14 @@ jobs:

      - name: Set up Gradle caching and instrumentation
        uses: gradle/actions/setup-gradle@v4
+		 
+      - name: Verify reproducibility inputs
+        shell: bash
+        run: |
+          set -euo pipefail
+          test -f gradle.lockfile
+          test -f gradle.properties
+          test -f gradle/verification-metadata.xml

      - name: Build reports for publication
        run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport pitest jmh cyclonedxBom