Update to latest gradle master

[koppor]

⚠️ After merging, one needs to delete build-logic/build ⚠️

1. ./gradlew --stop
2. rm -rf build-logic/build
3. ./gradlew :jabgui:run

Related issues and pull requests

Updates to latest gradle/gradle#34227

Steps to test

• See CI passing
• ./gradlew :jabgui:run succeeds on windows

Checklist

• I own the copyright of the code submitted and I license it under the MIT license
• I manually tested my changes in running JabRef (always required)
• [/] I added JUnit tests for changes (if applicable)
• [/] I added screenshots in the PR description (if change is visible to the user)
• [/] I added a screenshot in the PR description showing a library with a single entry with me as author and as title the issue number
• [/] I described the change in CHANGELOG.md in a way that can be understood by the average user (if change is visible to the user)
• [/] I checked the user documentation for up to dateness and submitted a pull request to our user documentation repository

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Update Gradle wrapper to latest jabref-2 distribution

✨ Enhancement

Walkthroughs

Description

• Update Gradle wrapper to latest jabref-2 distribution
• Maintains compatibility with Windows builds

Diagram

flowchart LR
  A["gradle-9.5.0-jabref-1"] -- "update to" --> B["gradle-9.5.0-jabref-2"]
  B -- "enables" --> C["Latest Gradle features"]

Loading

File Changes

1. gradle/wrapper/gradle-wrapper.properties Dependencies +1/-1

Update Gradle wrapper distribution version

• Updated distributionUrl from gradle-9.5.0-jabref-1 to gradle-9.5.0-jabref-2
• Ensures build system uses the latest JabRef-customized Gradle distribution

gradle/wrapper/gradle-wrapper.properties

---

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Unpinned wrapper distribution 🐞 Bug ⛨ Security

Description

The wrapper now downloads a new custom Gradle distribution (jabref-2) while URL validation is
disabled and no checksum is pinned, so a modified/compromised zip could be executed during
CI/developer builds without detection. This is a build-time supply-chain risk (potentially leading
to arbitrary code execution in the build environment).

Code

gradle/wrapper/gradle-wrapper.properties[R3-5]

+distributionUrl=https://files.jabref.org/gradle-9.5.0-jabref-2-bin.zip
networkTimeout=10000
validateDistributionUrl=false

Evidence

The wrapper is configured to download from a custom URL and explicitly disables distribution URL
validation; additionally, the properties file contains no checksum pinning for the distribution, so
integrity is not verified at the configuration level.

gradle/wrapper/gradle-wrapper.properties[1-7]
Best Practice: Gradle Wrapper documentation

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The Gradle wrapper downloads a custom Gradle distribution zip but does not pin a checksum and explicitly disables URL validation. This allows an altered distribution to be used without detection.

### Issue Context
The PR changed the `distributionUrl` to a new artifact (`jabref-2`). This is the right moment to also ensure integrity checks are in place for that new binary.

### Fix Focus Areas
- gradle/wrapper/gradle-wrapper.properties[1-7]

### Suggested changes
1. Add `distributionSha256Sum=<sha256-of-gradle-9.5.0-jabref-2-bin.zip>` to `gradle-wrapper.properties`.
2. Consider setting `validateDistributionUrl=true` if the custom distribution URL can pass Gradle’s validation rules; if not, document why it must remain `false` and rely on the pinned SHA-256 as the primary integrity control.
3. (Optional but recommended) Add a short note in contributing/build docs describing how the checksum is generated/verified when updating the wrapper distribution.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-free-for-open-source-projects]

1. Unpinned wrapper distribution 🐞 Bug ⛨ Security

The wrapper now downloads a new custom Gradle distribution (jabref-2) while URL validation is
disabled and no checksum is pinned, so a modified/compromised zip could be executed during
CI/developer builds without detection. This is a build-time supply-chain risk (potentially leading
to arbitrary code execution in the build environment).

Agent Prompt

### Issue description
The Gradle wrapper downloads a custom Gradle distribution zip but does not pin a checksum and explicitly disables URL validation. This allows an altered distribution to be used without detection.

### Issue Context
The PR changed the `distributionUrl` to a new artifact (`jabref-2`). This is the right moment to also ensure integrity checks are in place for that new binary.

### Fix Focus Areas
- gradle/wrapper/gradle-wrapper.properties[1-7]

### Suggested changes
1. Add `distributionSha256Sum=<sha256-of-gradle-9.5.0-jabref-2-bin.zip>` to `gradle-wrapper.properties`.
2. Consider setting `validateDistributionUrl=true` if the custom distribution URL can pass Gradle’s validation rules; if not, document why it must remain `false` and rely on the pinned SHA-256 as the primary integrity control.
3. (Optional but recommended) Add a short note in contributing/build docs describing how the checksum is generated/verified when updating the wrapper distribution.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[testlens-app]

✅ All tests passed ✅

🏷️ Commit: 6846f59
▶️ Tests: 10126 executed
⚪️ Checks: 67/67 completed

---

Learn more about TestLens at testlens.app.