chore: harden Gradle dependency reproducibility

feat: enable Gradle dependency locking for all configurations feat: enforce strict lock-state usage in the build feat: centralize repository declaration in settings.gradle feat: enable strict Gradle dependency verification via gradle.properties feat: add committed dependency lock state and verification metadata fix: defer mockito agent resolution to test execution phase for locked builds ci: validate reproducibility inputs before workflow builds ci: include lock and verification inputs in workflow change detection docs: establish explicit dependency update workflow for locks and verification metadata
2026-04-15 22:33:48 +02:00
parent 2288852300
commit 558707d78e
10 changed files with 1830 additions and 6 deletions
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,3 +1,23 @@
+#
+# After changing dependency versions:
+#
+# run:
+#     ./gradlew --write-locks classes testClasses jmh distZip cyclonedxBom
+#
+# if needed, refresh verification metadata:
+#     ./gradlew --write-verification-metadata sha256 test jmh distZip cyclonedxBom
+#
+# (optional - for Eclipse IDE)
+# insert trusted-artifacts into gradle/verification-metadata.xml/verification-metadata/configuration:
+#     <trusted-artifacts>
+#       <trust file=".*-javadoc[.]jar" regex="true"/>
+#       <trust file=".*-sources[.]jar" regex="true"/>
+#     </trusted-artifacts>
+#
+# commit:
+#     gradle.lockfile
+#     gradle/verification-metadata.xml
+#
 [versions]
 junit = "5.14.3"
 mockito = "5.23.0"
@@ -9,4 +29,3 @@ junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher

 mockito-core = { module = "org.mockito:mockito-core", version.ref = "mockito" }
 mockito-junit-jupiter = { module = "org.mockito:mockito-junit-jupiter", version.ref = "mockito" }
-
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml