Use patched Gradle version

[koppor]

User description

Follow-up to #15021

We still need gradle/gradle#34227 on Windows.

I also added a check for Windows if Gradle update bot comes around.

Steps to test

gradlew :jabgui:run works on your machine

Mandatory checks

• I own the copyright of the code submitted and I license it under the MIT license
• I manually tested my changes in running JabRef (always required)
• [/] I added JUnit tests for changes (if applicable)
• [/] I added screenshots in the PR description (if change is visible to the user)
• [/] I described the change in CHANGELOG.md in a way that is understandable for the average user (if change is visible to the user)
• [/] I checked the user documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request updating file(s) in https://github.com/JabRef/user-documentation/tree/main/en.

---

PR Type

Enhancement, Other

---

Description

• Use JabRef's patched Gradle 9.5.0 version from custom repository

• Disable automatic Gradle wrapper updates via workflow

• Enable Java toolchain auto-download in Gradle configuration

• Run Windows tests on Gradle update PRs for validation

---

Diagram Walkthrough

flowchart LR
  A["Gradle 9.3.1"] -->|"Update to patched version"| B["Gradle 9.5.0-jabref-1"]
  B -->|"Custom distribution URL"| C["files.jabref.org"]
  D["Gradle Wrapper Update"] -->|"Disable auto-update"| E["Manual control"]
  E -->|"Enable on PR"| F["Windows test validation"]
  G["Gradle Properties"] -->|"Enable auto-download"| H["Java Toolchains"]

Loading

File Walkthrough

	Relevant files
Configuration changes	tests-code.yml Enable Windows tests on Gradle updates                                      .github/workflows/tests-code.yml Modified Windows test job condition to run on Gradle Wrapper update PRs Added check for pull requests with title starting with 'Update Gradle Wrapper' Reformatted conditional logic for better readability +7/-1      update-gradle-wrapper.yml Disable automatic Gradle wrapper updates                                  .github/workflows/update-gradle-wrapper.yml Disabled automatic Gradle wrapper update action with if: false Added reference comment to PR Use patched Gradle version #15034 explaining the change +2/-0      gradle.properties Enable Java toolchain auto-download                                            gradle.properties Added Java toolchain auto-download configuration Enables automatic downloading of Java installations for Gradle builds +3/-0
Dependencies	gradle-wrapper.properties Update to patched Gradle 9.5.0 version                                      gradle/wrapper/gradle-wrapper.properties Updated Gradle version from 9.3.1 to 9.5.0-jabref-1 Changed distribution URL to custom JabRef repository Removed SHA256 checksum validation Disabled distribution URL validation +2/-3

---

[koppor]

OMG - auto download did not working - sorry @ThiloteE - after this PR is merged, you should really have less issues with gradlew on your machine - no gg.cmd any more (maybe ^^)

   > Cannot find a Java installation on your machine (Windows 10 10.0 amd64) matching: {languageVersion=25, vendor=Amazon Corretto, implementation=vendor-specific, nativeImageCapable=false}. No matching toolchain could be found in the configured toolchain download repositories.

[koppor]

Hotfix, therefore automerge.

[qodo-free-for-open-source-projects]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴	Supply chain vulnerability Description: Using a custom Gradle distribution from files.jabref.org with disabled URL validation and no SHA256 checksum verification creates a supply chain security risk, as the distribution integrity cannot be verified and could be tampered with. gradle-wrapper.properties [3-5] Referred Code distributionUrl=https://files.jabref.org/gradle-9.5.0-jabref-1-bin.zip networkTimeout=10000 validateDistributionUrl=false
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Typo in comment: Comment contains typo 'Tollchains' instead of 'Toolchains', reducing code clarity and professionalism. Referred Code # Tweak Java Tollchains org.gradle.java.installations.auto-download=true Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Disabled distribution validation: Distribution URL validation and SHA256 checksum verification are disabled, potentially allowing man-in-the-middle attacks or compromised distribution downloads. Referred Code distributionUrl=https://files.jabref.org/gradle-9.5.0-jabref-1-bin.zip networkTimeout=10000 validateDistributionUrl=false Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-free-for-open-source-projects]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Reinstate checksum for build security Reinstate the distributionSha256Sum and set validateDistributionUrl to true in gradle-wrapper.properties to mitigate a significant security vulnerability and prevent potential supply-chain attacks. gradle/wrapper/gradle-wrapper.properties [3-5] -distributionSha256Sum=b266d5ff6b90eada6dc3b20cb090e3731302e553a27c5d3e4df1f0d76beaff06 -distributionUrl=https\://services.gradle.org/distributions/gradle-9.3.1-bin.zip +distributionSha256Sum=<YOUR-SHA-256-CHECKSUM-HERE> +distributionUrl=https://files.jabref.org/gradle-9.5.0-jabref-1-bin.zip networkTimeout=10000 validateDistributionUrl=true [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 10 __ Why: The suggestion correctly identifies a critical security vulnerability introduced by removing the distribution checksum and disabling URL validation, which could expose the build process to supply-chain attacks.	High
Learned best practice	Fix typo in comment Correct the spelling of "Tollchains" to "Toolchains" in the comment to maintain professional documentation standards. gradle.properties [22-23] -# Tweak Java Tollchains +# Tweak Java Toolchains org.gradle.java.installations.auto-download=true Apply / Chat Suggestion importance[1-10]: 5 __ Why: Relevant best practice - Fix typographical errors in comments, documentation, changelog entries, and user-facing strings to maintain professionalism and clarity.	Low
More