def "warns if trying to generate only insecure #checksums checksums"() {
        when:
        writeVerificationMetadata(checksums)
        succeeds ':help'

        then:
        output.contains "You chose to generate ${message} checksums but they are all considered insecure. You should consider adding at least one of sha256 or sha512 or pgp."

        where:
        checksums   | message
        "md5"       | "md5"

                }
            }
        """
        repoB.createBranch('release')
        repoB.checkout('release')
        repoB.commit('version 1.2')
        repoB.createLightWeightTag('1.2')
        repoC.createBranch('release')
        repoC.checkout('release')
        repoC.commit('version 1.2')
        repoC.createLightWeightTag('1.2')
        createDirs("a", "b")

            whenVerbose """Dependency verification failed for configuration ':compileClasspath':
  - On artifact foo-1.0.jar (org:foo:1.0) in repository 'maven': expected a 'sha256' checksum of 'invalid' but was '${getChecksum(foo, "sha256")}'

This can indicate that a dependency has been compromised. Please carefully verify the checksums."""
        }

----

[[sec:checksum-verification]]
== Verifying dependency checksums

Checksum verification allows you to ensure the integrity of an artifact.
This is the simplest thing that Gradle can do for you to make sure that the artifacts you use are un-tampered.

Gradle supports MD5, SHA1, SHA-256 and SHA-512 checksums.
However, only SHA-256 and SHA-512 checksums are considered secure nowadays.

=== Adding the checksum for an artifact

     - opened
     - synchronize

permissions: {}

jobs:
  check_pr_commits:
    permissions:
      contents: read
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up JDK 11
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '11'

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # We must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head.
        fetch-depth: 2

    # If this run was triggered by a pull request event, then checkout
    # the head of the pull request instead of the merge commit.

git add another.txt
git commit -a -m 'another'
git tag v2.0.2

at 2018-04-17T16:16:52-04:00
git checkout master
git branch v3
git checkout v3
mkdir v3/sub/dir
echo 'v3/sub/dir/file'
cp stdout v3/sub/dir/file.txt
git add v3
git commit -a -m 'add v3/sub/dir/file.txt'

at 2018-04-17T22:23:00-04:00
git checkout master
git tag -a v1.2.4-annotated -m 'v1.2.4-annotated'

git show-ref --tags --heads
cmp stdout .git-refs

        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      # Checkout must run before the caching key is computed using the `hashFiles` method

    - name: Cache Gradle Modules
      uses: actions/cache@v4
      with:
        path: |

# https://golang.org/issue/46141: 'go mod tidy' for a Go 1.17 module should by
# default preserve enough checksums for the module to be used by Go 1.16.
#
# We don't have a copy of Go 1.16 handy, but we can simulate it by editing the
# 'go' version in the go.mod file to 1.16, without actually updating the
# requirements to match.

[short] skip

env MODFMT='{{with .Module}}{{.Path}} {{.Version}}{{end}}'

git add LICENSE README.md
git commit -m 'initial commit'
git branch -m master

git checkout --detach HEAD

at 2018-02-19T18:10:06-05:00
mkdir pkg
echo 'package p // pkg/p.go'
cp stdout pkg/p.go
git add pkg/p.go
git commit -m 'add pkg/p.go'
git tag v0.0.0
git tag v1.0.0
git tag mytag

git checkout --detach HEAD

at 2018-02-19T18:14:23-05:00
mkdir v2