From 7e9d4c27d1c5345f8ce2022da7470f4f8058ee17 Mon Sep 17 00:00:00 2001
From: Weimin Yu <weiminyu@google.com>
Date: Tue, 30 Dec 2025 21:08:04 +0000
Subject: [PATCH] Use downloaded Gradle distribution on Cloud Build (#2918)

This way we get around the http url and no longer needs public access on
the GCS bucket.
---
 release/cloudbuild-dev-resource.yaml |  3 +++
 release/cloudbuild-kythe.yaml        |  1 +
 release/cloudbuild-nomulus.yaml      |  3 +++
 release/cloudbuild-proxy.yaml        |  3 +++
 release/cloudbuild-release.yaml      |  1 -
 release/install_gradle.sh            | 32 ++++++++++++++++++++++++++++
 6 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100755 release/install_gradle.sh

diff --git a/release/cloudbuild-dev-resource.yaml b/release/cloudbuild-dev-resource.yaml
index d3dedfe13..fa31e8494 100644
--- a/release/cloudbuild-dev-resource.yaml
+++ b/release/cloudbuild-dev-resource.yaml
@@ -9,6 +9,9 @@
 # To trigger a build automatically, follow the instructions below and add a trigger:
 # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
 steps:
+# Download saved Gradle distribution from GCS and install it.
+- name: 'gcr.io/${PROJECT_ID}/builder:live'
+  entrypoint: ./release/install_gradle.sh
 # Compile javadoc
 - name: 'gcr.io/${PROJECT_ID}/builder:live'
   entrypoint: /bin/bash
diff --git a/release/cloudbuild-kythe.yaml b/release/cloudbuild-kythe.yaml
index 91ecd2f7d..14a6b7428 100644
--- a/release/cloudbuild-kythe.yaml
+++ b/release/cloudbuild-kythe.yaml
@@ -41,6 +41,7 @@ steps:
     export KYTHE_OUTPUT_DIRECTORY="$${PWD}/kythe_output"
     mkdir -p $${KYTHE_OUTPUT_DIRECTORY}
     mkdir -p $${KYTHE_OUTPUT_DIRECTORY}/merged
+    ./release/install_gradle.sh
     ./gradlew clean testClasses \
       -Dno_werror=true -PenableCrossReferencing=true
 # Merge kzip files
diff --git a/release/cloudbuild-nomulus.yaml b/release/cloudbuild-nomulus.yaml
index b3cdc6436..723cc8a1b 100644
--- a/release/cloudbuild-nomulus.yaml
+++ b/release/cloudbuild-nomulus.yaml
@@ -7,6 +7,9 @@ steps:
 # Create a directory to store the artifacts
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args: ['mkdir', 'nomulus']
+# Download saved Gradle distribution from GCS and install it.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: ./release/install_gradle.sh
 # Run tests
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   # Set home for Gradle caches. Must be consistent with last step below
diff --git a/release/cloudbuild-proxy.yaml b/release/cloudbuild-proxy.yaml
index 5a5a3055b..f628d2a11 100644
--- a/release/cloudbuild-proxy.yaml
+++ b/release/cloudbuild-proxy.yaml
@@ -7,6 +7,9 @@
 # To trigger a build automatically, follow the instructions below and add a trigger:
 # https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
 steps:
+# Download saved Gradle distribution from GCS and install it.
+- name: 'gcr.io/${PROJECT_ID}/builder:latest'
+  entrypoint: ./release/install_gradle.sh
 # Build the proxy docker image.
 - name: 'gcr.io/${PROJECT_ID}/builder:latest'
   args:
diff --git a/release/cloudbuild-release.yaml b/release/cloudbuild-release.yaml
index 48cc9746b..e1f9a7592 100644
--- a/release/cloudbuild-release.yaml
+++ b/release/cloudbuild-release.yaml
@@ -265,7 +265,6 @@ steps:
       fi
     else
       gcloud storage cp $gradle_bin gs://${gcs_loc}/
-      gcloud storage objects update --predefined-acl=publicRead gs://${gcs_loc}/${gradle_bin}
     fi
     rm ${gradle_bin}
     sed -i s%services.gradle.org/distributions%storage.googleapis.com/${gcs_loc}% \
diff --git a/release/install_gradle.sh b/release/install_gradle.sh
new file mode 100755
index 000000000..92f3ecb77
--- /dev/null
+++ b/release/install_gradle.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Copyright 2019 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This script should be invoked from the Gradle root. It downloads the
+# gradle distribution saved on GCS, and sets Gradle's distribution URL
+# to the local copy. This is necessary since when accessing a GCS bucket
+# using http, the bucket must have public access, which is forbidden by
+# our policy.
+
+set -e
+
+gradle_url=$(grep distributionUrl gradle/wrapper/gradle-wrapper.properties \
+  | awk -F = '{print $2}' | sed 's/\\//g')
+gradle_bin=$(basename $gradle_url)
+gcs_loc="domain-registry-maven-repository/gradle"
+
+gcloud storage cp "gs://${gcs_loc}/${gradle_bin}" .
+local_url="file\\\://${PWD}/${gradle_bin}"
+sed -i "s#distributionUrl=.*#distributionUrl=${local_url}#" \
+  gradle/wrapper/gradle-wrapper.properties