Co-authored-by: Christoph Atteneder <christoph.atteneder@gmail.com>
Co-authored-by: wiz <j@wiz.biz>
Co-authored-by: jmacxx <47253594+jmacxx@users.noreply.github.com>
Co-authored-by: Stephan Oeste <emzy@emzy.de>
Co-authored-by: Chris Beams <chris@beams.io>
Closes #184
Maybe it would be "nicer" to download the binaries with a gradle task utilising gradle tasks' inputs and outputs but that's for someone more skilled with gradle
* replace witness plugin with gradle builtin dependency checksum verification
I noticed that a recent dependency change didn't needed checksum change. It was because the witness plugin only checked the listed checksums, not all the dependencies. If the dependency was not on the list, the new checksum was not verified.
Gradle now has its own verification mechanism, see https://docs.gradle.org/current/userguide/dependency_verification.html
After a dependency is added or a version is changed, the checksums could be regenerated using the following command.
```
gradle --write-verification-metadata sha256 help
````
The help task is just used to discover as much as possible dependencies, and if subsequent builds fail with a verification error, you can re-execute generation with the appropriate tasks to "discover" more dependencies
I verified that all the checksums from the removed file are present in the new one.
jcenter repository (used only for gradle shadow plugin) is replaced with gradlePluginPortal. jcenter is shutting down anyway and the checksums for shadow plugin and its dependencies were not added automatically to the xml file for some reason.
* add javadoc and source as trusted artifacts
Co-authored-by: woodser <woodser@protonmail.com>
on jitpack versions can be built from git tags or commits. Tag 1.5 and commit 9b5ba2036b points to exactly the same code. Lets see if this change resolves the issues when version 2 versions 1.5 were cached somewhere with different checksums