chore: harden Gradle dependency reproducibility

feat: enable Gradle dependency locking for all configurations
feat: enforce strict lock-state usage in the build
feat: centralize repository declaration in settings.gradle
feat: enable strict Gradle dependency verification via gradle.properties
feat: add committed dependency lock state and verification metadata
fix: defer mockito agent resolution to test execution phase for locked builds
ci: validate reproducibility inputs before workflow builds
ci: include lock and verification inputs in workflow change detection
docs: establish explicit dependency update workflow for locks and verification metadata
This commit is contained in:
2026-04-15 22:33:48 +02:00
parent 2288852300
commit 558707d78e
10 changed files with 1830 additions and 6 deletions


@@ -42,6 +42,14 @@ jobs:
- name: Set up Gradle caching and instrumentation
uses: gradle/actions/setup-gradle@v4
- name: Verify reproducibility inputs
shell: bash
run: |
set -euo pipefail
test -f gradle.lockfile
test -f gradle.properties
test -f gradle/verification-metadata.xml
- name: Execute build, tests, PMD, coverage, Javadoc, distribution packaging, and SBOM generation
run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom
@@ -140,6 +148,14 @@ jobs:
- name: Set up Gradle caching and instrumentation
uses: gradle/actions/setup-gradle@v4
- name: Verify reproducibility inputs
shell: bash
run: |
set -euo pipefail
test -f gradle.lockfile
test -f gradle.properties
test -f gradle/verification-metadata.xml
- name: Build release distribution and SBOM
run: ./gradlew --no-daemon clean build pmdMain javadoc jacocoTestReport distZip cyclonedxBom
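Review bot: The `test -f` checks in both "Verify reproducibility inputs" steps only prove the three files exist, so an empty or truncated `gradle.lockfile`, or a `gradle.properties` that no longer carries `org.gradle.dependency.verification=strict`, passes the gate while the build quietly loses the guarantees this commit sets up. Using `test -s` and grepping the property pins what the commit description actually promises. Nothing in either job fails if the build itself rewrites the committed lock state or metadata, so a post-build `git diff --exit-code -- gradle.lockfile gradle/verification-metadata.xml` step turns unexpected dependency drift into a CI failure instead of a silently modified checkout; the job headers enclosing both hunks are outside the hunk, and the same change applies at both sites.

```yaml
      - name: Verify reproducibility inputs
        shell: bash
        run: |
          set -euo pipefail
          test -s gradle.lockfile
          test -s gradle.properties
          test -s gradle/verification-metadata.xml
          grep -Eq '^org\.gradle\.dependency\.verification=strict$' gradle.properties
      # … unchanged: build step …
      - name: Ensure build did not modify lock state or verification metadata
        shell: bash
        run: git diff --exit-code -- gradle.lockfile gradle/verification-metadata.xml
```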