actions/gradle
1
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2025-08-20 08:31:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

Document dependency verification requirements

Browse Source 
Fixes #256
This commit is contained in:
Daz DeBoer 2024-07-19 19:24:12 -06:00 committed by GitHub
parent 1371d49f1d
commit 46308b920a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
docs/setup-gradle.md
View File

@ -828,3 +828,21 @@ To publish to https://scans.gradle.com, you must specify in your workflow that y
- name: Run a Gradle build - a build scan will be published automatically - name: Run a Gradle build - a build scan will be published automatically
run: ./gradlew build run: ./gradlew build
``` ```
# Dependency verification
Develocity injection, Build Scan publishing and Dependency Graph generation all work by applying external plugins to your build.
If you project has [dependency verification enabled](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verification),
then you'll need to update your verification metadata to trust these plugins.
Each of the plugins is signed by Gradle, and you can simply add the following snippet to your `dependency-verificaton.xml` file:
```xml
<trusted-keys>
<trusted-key id="7B79ADD11F8A779FE90FD3D0893A028475557671">
<trusting group="com.gradle"/>
<trusting group="org.gradle"/>
</trusted-key>
</trusted-keys>
```