Add Gradle distribution verification to project

[asos-edgeorge]

Proposed Changes

It's a security best practice to verify the Gradle distribution used within the project to protect against a supply-chain-style attack. These have been observed in the wild previously and are easily mitigated through the use of the distributionSha256Sum Gradle property ¹

This PR adds the expected Gradle distro verification for Gradle Wrapper 7.6 by calling the gradlew wrapper task as follows:

./gradlew wrapper --gradle-version=7.6 --distribution-type=bin --gradle-distribution-sha256-sum=7ba68c54029790ab444b39d7e293d3236b2632631fb5f2e012bb28b4ff669e4b

The checksums for Gradle distributions are available via Gradle's website² and the above can be verified.

Important

Post-merging, whenever the Gradle version is updated, the above command should be repeated with the checksum for the new version

Testing

Verified the project builds correctly and downloads Gradle Wrapper with the expected checksum

Footnotes

1. https://www.spght.dev/articles/23-07-2023/gradle-security ↩

2. https://gradle.org/release-checksums/ ↩

[bartekpacia]

Thanks for the contribution!

Let's also use this GitHub action for added safety. Done.