Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Co-authored-by: bot-githubaction <bot-githubaction@gradle.com>
Bumps the npm-dependencies group in /sources with 2 updates:
[@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)
and [ts-jest](https://github.com/kulshekhar/ts-jest).
Updates `@typescript-eslint/eslint-plugin` from 8.29.1 to 8.30.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/releases"><code>@typescript-eslint/eslint-plugin</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v8.30.1</h2>
<h2>8.30.1 (2025-04-14)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> fix mistake with eslintrc config
generation (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11072">#11072</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Kirk Waiblinger <a
href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
<h2>v8.30.0</h2>
<h2>8.30.0 (2025-04-14)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>eslint-plugin:</strong> [no-explicit-any] suggest to replace
keyof any with PropertyKey (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11032">#11032</a>)</li>
</ul>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> [promise-function-async] use a
different error message for functions with promise and non-promise types
(<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/10950">#10950</a>)</li>
<li><strong>typescript-estree:</strong> use token type of
<code>PrivateIdentifier</code> instead of <code>Identifier</code> for
private identifiers (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11023">#11023</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Dima Barabash <a
href="https://github.com/dbarabashh"><code>@dbarabashh</code></a></li>
<li>Ronen Amiel</li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md"><code>@typescript-eslint/eslint-plugin</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>8.30.1 (2025-04-14)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> fix mistake with eslintrc config
generation (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11072">#11072</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Kirk Waiblinger <a
href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
<h2>8.30.0 (2025-04-14)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>eslint-plugin:</strong> [no-explicit-any] suggest to replace
keyof any with PropertyKey (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11032">#11032</a>)</li>
</ul>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> [promise-function-async] use a
different error message for functions with promise and non-promise types
(<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/10950">#10950</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Dima Barabash <a
href="https://github.com/dbarabashh"><code>@dbarabashh</code></a></li>
<li>Ronen Amiel</li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9531492c70"><code>9531492</code></a>
chore(release): publish 8.30.1</li>
<li><a
href="152def7dba"><code>152def7</code></a>
fix(eslint-plugin): fix mistake with eslintrc config generation (<a
href="https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin/issues/11072">#11072</a>)</li>
<li><a
href="b3688be33b"><code>b3688be</code></a>
chore(release): publish 8.30.0</li>
<li><a
href="3ccd79c0a5"><code>3ccd79c</code></a>
feat(eslint-plugin): [no-explicit-any] suggest to replace keyof any with
Prop...</li>
<li><a
href="128d95b5da"><code>128d95b</code></a>
fix(eslint-plugin): [promise-function-async] use a different error
message fo...</li>
<li><a
href="69e2f6c0d3"><code>69e2f6c</code></a>
feat: support stringly-typed extends (<a
href="https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin/issues/10973">#10973</a>)</li>
<li>See full diff in <a
href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.30.1/packages/eslint-plugin">compare
view</a></li>
</ul>
</details>
<br />
Updates `ts-jest` from 29.3.1 to 29.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/releases">ts-jest's
releases</a>.</em></p>
<blockquote>
<h2>v29.3.2</h2>
<p>Please refer to <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">ts-jest's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.1...v29.3.2">29.3.2</a>
(2025-04-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>fix: transpile <code>js</code> files from <code>node_modules</code>
whenever Jest asks (<a
href="https://github.com/kulshekhar/ts-jest/commit/968370e">968370e</a>),
closes <a
href="https://redirect.github.com/kulshekhar/ts-jest/issues/4637">#4637</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1c6017171"><code>e1c6017</code></a>
chore(release): 29.3.2</li>
<li><a
href="968370e6ef"><code>968370e</code></a>
fix: transpile <code>js</code> files from <code>node_modules</code>
whenever Jest asks (<a
href="https://redirect.github.com/kulshekhar/ts-jest/issues/4791">#4791</a>)</li>
<li><a
href="ddfd81287a"><code>ddfd812</code></a>
build(deps): Update dependency lint-staged to ^15.5.1</li>
<li><a
href="efd5274bf6"><code>efd5274</code></a>
build: use faster mode to build/serve doc</li>
<li><a
href="ccd9a0e798"><code>ccd9a0e</code></a>
build: fix npm audit issue for <code>website</code></li>
<li><a
href="7e730d3056"><code>7e730d3</code></a>
docs: add Hybrid Node module doc about <code>Node16/NodeNext</code></li>
<li><a
href="39a1222326"><code>39a1222</code></a>
test: add dynamic import code test for
<code>transpile-module</code></li>
<li><a
href="5a21aca63a"><code>5a21aca</code></a>
build(deps): Update dependency eslint-config-prettier to ^10.1.2</li>
<li><a
href="e10053f4f5"><code>e10053f</code></a>
build(deps): Update dependency vite to ^6.2.6</li>
<li><a
href="a83170c492"><code>a83170c</code></a>
build(deps): Update ESLint packages to ^8.29.1</li>
<li>Additional commits viewable in <a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.1...v29.3.2">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gradle group with 1 update in the
/.github/workflow-samples/java-toolchain directory:
org.gradle.toolchains.foojay-resolver-convention.
Bumps the gradle group with 1 update in the
/.github/workflow-samples/kotlin-dsl directory:
[com.google.guava:guava](https://github.com/google/guava).
Updates `org.gradle.toolchains.foojay-resolver-convention` from 0.9.0 to
0.10.0
Updates `com.google.guava:guava` from 33.4.6-jre to 33.4.8-jre
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/guava/releases">com.google.guava:guava's
releases</a>.</em></p>
<blockquote>
<h2>33.4.8</h2>
<p>Guava 33.4.8 fixes a problem that we introduced while starting to
migrate <code>guava-android</code> off <code>Unsafe</code> in <a
href="https://github.com/google/guava/releases/tag/v33.4.7">33.4.7</a>.</p>
<p>Even if you're not upgrading from Guava 33.4.0 or earlier, still read
<a href="https://github.com/google/guava/releases/tag/v33.4.1">the
release notes for Guava 33.4.1</a>. Those release notes contain
information about the effects of Guava 33.4.5 and higher on the module
system.</p>
<h3>Maven</h3>
<pre lang="xml"><code><dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>33.4.8-jre</version>
<!-- or, for Android: -->
<version>33.4.8-android</version>
</dependency>
</code></pre>
<h3>Jar files</h3>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.8-jre/guava-33.4.8-jre.jar">33.4.8-jre.jar</a></li>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.8-android/guava-33.4.8-android.jar">33.4.8-android.jar</a></li>
</ul>
<p>Guava requires <a
href="https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies">one
runtime dependency</a>, which you can download here:</p>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.3/failureaccess-1.0.3.jar">failureaccess-1.0.3.jar</a></li>
</ul>
<h3>Javadoc</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.8-jre/api/docs/">33.4.8-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.8-android/api/docs/">33.4.8-android</a></li>
</ul>
<h3>JDiff</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.8-jre/api/diffs/">33.4.8-jre vs.
33.4.7-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.8-android/api/diffs/">33.4.8-android
vs. 33.4.7-android</a></li>
<li><a
href="https://guava.dev/releases/33.4.8-android/api/androiddiffs/">33.4.8-android
vs. 33.4.8-jre</a></li>
</ul>
<h3>Changelog</h3>
<ul>
<li><code>util.concurrent</code>: Removed our <code>VarHandle</code>
code from <code>guava-android</code>. While the code was never used at
runtime under Android, it was causing <a
href="https://redirect.github.com/google/guava/issues/7769">problems
under the Android Gradle Plugin</a> with a <code>minSdkVersion</code>
below 26. To continue to avoid <code>sun.misc.Unsafe</code> under the
JVM, <code>guava-android</code> will now always use
<code>AtomicReferenceFieldUpdater</code> when run there.
(75da92419a)</li>
</ul>
<h2>33.4.7</h2>
<p><strong>Prefer to upgrade straight to <a
href="https://github.com/google/guava/releases/tag/v33.4.8">33.4.8</a>:</strong>
33.4.7 <a
href="https://redirect.github.com/google/guava/issues/7769">breaks the
build of Android apps with a minSdkVersion below 26</a>. We will publish
a fixed version soon. This problem is fixed in 33.4.8.</p>
<p>Guava 33.4.7, like <a
href="https://github.com/google/guava/releases/tag/v33.4.6">33.4.6</a>,
fixes two problems that we introduced while modularizing Guava and
migrating off <code>Unsafe</code> in <a
href="https://github.com/google/guava/releases/tag/v33.4.5">33.4.5</a>.</p>
<p>Even if you're not upgrading from Guava 33.4.0 or earlier, still read
<a href="https://github.com/google/guava/releases/tag/v33.4.1">the
release notes for Guava 33.4.1</a>. Those release notes contain
information about the effects of Guava 33.4.5 and higher on the module
system.</p>
<h3>Maven</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/google/guava/commits">compare view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-dependencies group in /sources with 2 updates:
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
and [typescript](https://github.com/microsoft/TypeScript).
Updates `@types/node` from 20.17.28 to 20.17.30
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
Updates `typescript` from 5.8.2 to 5.8.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/microsoft/TypeScript/releases">typescript's
releases</a>.</em></p>
<blockquote>
<h2>TypeScript 5.8.3</h2>
<p>For release notes, check out the <a
href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-8/">release
announcement</a>.</p>
<ul>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.0%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.0 (Beta)</a>.</li>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.1%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.1 (RC)</a>.</li>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.2%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.2 (Stable)</a>.</li>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.3%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.3 (Stable)</a>.</li>
</ul>
<p>Downloads are available on:</p>
<ul>
<li><a href="https://www.npmjs.com/package/typescript">npm</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="83dc0bb2ed"><code>83dc0bb</code></a>
Convert release publishing inputs into parameters (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61523">#61523</a>)</li>
<li><a
href="ba663f6ac2"><code>ba663f6</code></a>
Exclude completions of binding pattern variable initializers (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/52723">#52723</a>)</li>
<li><a
href="7205eda454"><code>7205eda</code></a>
Bump github/codeql-action from 3.28.12 to 3.28.13 in the github-actions
group...</li>
<li><a
href="89c572ca0c"><code>89c572c</code></a>
Fixed a symbol display crash on expando members write locations (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/55478">#55478</a>)</li>
<li><a
href="7b26d2eba5"><code>7b26d2e</code></a>
Fix incorrect name in new release pipeline (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61514">#61514</a>)</li>
<li><a
href="c7a559eeae"><code>c7a559e</code></a>
Add new release publisher yaml (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61491">#61491</a>)</li>
<li><a
href="29e6d6689d"><code>29e6d66</code></a>
Fix <code>lib.includes('dom')</code> check in
<code>containerSeemsToBeEmptyDomElement</code> (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61481">#61481</a>)</li>
<li><a
href="19b777260b"><code>19b7772</code></a>
Bump the github-actions group with 4 updates (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61474">#61474</a>)</li>
<li><a
href="4dc677b292"><code>4dc677b</code></a>
Fix errors on type assertions in erasableSyntaxOnly (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61452">#61452</a>)</li>
<li><a
href="ee3dd7264b"><code>ee3dd72</code></a>
fix(60908): Unexpected "'Type' is declared but its value is never
read." erro...</li>
<li>Additional commits viewable in <a
href="https://github.com/microsoft/TypeScript/compare/v5.8.2...v5.8.3">compare
view</a></li>
</ul>
</details>
<br />
<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>
| Dependency Name | Ignore Conditions |
| --- | --- |
| @types/node | [>= 22.a, < 23] |
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the github-actions group with 2 updates in the / directory:
[tj-actions/changed-files](https://github.com/tj-actions/changed-files)
and [github/codeql-action](https://github.com/github/codeql-action).
Updates `tj-actions/changed-files` from 46.0.3 to 46.0.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tj-actions/changed-files/releases">tj-actions/changed-files's
releases</a>.</em></p>
<blockquote>
<h2>v46.0.4</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v46.0.3 by <a
href="https://github.com/github-actions"><code>@github-actions</code></a>
in <a
href="https://redirect.github.com/tj-actions/changed-files/pull/2506">tj-actions/changed-files#2506</a></li>
<li>docs: update readme by <a
href="https://github.com/jackton1"><code>@jackton1</code></a> in <a
href="https://redirect.github.com/tj-actions/changed-files/pull/2508">tj-actions/changed-files#2508</a></li>
<li>fix: bug modified_keys and changed_key outputs not set when no
changes detected by <a
href="https://github.com/jackton1"><code>@jackton1</code></a> in <a
href="https://redirect.github.com/tj-actions/changed-files/pull/2509">tj-actions/changed-files#2509</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tj-actions/changed-files/compare/v46...v46.0.4">https://github.com/tj-actions/changed-files/compare/v46...v46.0.4</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tj-actions/changed-files/blob/main/HISTORY.md">tj-actions/changed-files's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h1><a
href="https://github.com/tj-actions/changed-files/compare/v46.0.3...v46.0.4">46.0.4</a>
- (2025-04-03)</h1>
<h2><!-- raw HTML omitted -->🐛 Bug Fixes</h2>
<ul>
<li>Bug modified_keys and changed_key outputs not set when no changes
detected (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2509">#2509</a>)
(<a
href="6cb76d07be">6cb76d0</a>)
- (Tonye Jack)</li>
</ul>
<h2><!-- raw HTML omitted -->📚 Documentation</h2>
<ul>
<li>Update readme (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2508">#2508</a>)
(<a
href="b74df86ccb">b74df86</a>)
- (Tonye Jack)</li>
</ul>
<h2><!-- raw HTML omitted -->⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v46.0.3 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2506">#2506</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted -->
Co-authored-by: Tonye Jack <a
href="mailto:jtonye@ymail.com">jtonye@ymail.com</a> (<a
href="27ae6b33ea">27ae6b3</a>)
- (github-actions[bot])</p>
<h1><a
href="https://github.com/tj-actions/changed-files/compare/v46.0.2...v46.0.3">46.0.3</a>
- (2025-03-23)</h1>
<h2><!-- raw HTML omitted -->🔄 Update</h2>
<ul>
<li>Updated README.md (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2501">#2501</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted --> (<a
href="41e0de576a">41e0de5</a>)
- (github-actions[bot])</p>
<ul>
<li>Updated README.md (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2499">#2499</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted --> (<a
href="945787811a">9457878</a>)
- (github-actions[bot])</p>
<h2><!-- raw HTML omitted -->📚 Documentation</h2>
<ul>
<li>Remove warning (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2504">#2504</a>)
(<a
href="8132356842">8132356</a>)
- (Tonye Jack)</li>
</ul>
<h2><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h2>
<ul>
<li><strong>deps:</strong> Bump test/demo from <code>5dfac2e</code> to
<code>c6bd3b3</code> (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2505">#2505</a>)
(<a
href="823fcebdb3">823fceb</a>)
- (dependabot[bot])</li>
<li>Pin github actions (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2503">#2503</a>)
(<a
href="7a369a7175">7a369a7</a>)
- (Tonye Jack)</li>
<li><strong>deps-dev:</strong> Bump <code>@types/node</code> from
22.13.10 to 22.13.11 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2502">#2502</a>)
(<a
href="9468856c22">9468856</a>)
- (dependabot[bot])</li>
</ul>
<h2><!-- raw HTML omitted -->⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v46.0.2 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2500">#2500</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted -->
Co-authored-by: Tonye Jack <a
href="mailto:jtonye@ymail.com">jtonye@ymail.com</a> (<a
href="401c7227d1">401c722</a>)
- (github-actions[bot])</p>
<h1><a
href="https://github.com/tj-actions/changed-files/compare/v46.0.1...v46.0.2">46.0.2</a>
- (2025-03-22)</h1>
<h2><!-- raw HTML omitted -->🐛 Bug Fixes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6cb76d07be"><code>6cb76d0</code></a>
fix: bug modified_keys and changed_key outputs not set when no changes
detect...</li>
<li><a
href="b74df86ccb"><code>b74df86</code></a>
docs: update readme (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2508">#2508</a>)</li>
<li><a
href="27ae6b33ea"><code>27ae6b3</code></a>
Upgraded to v46.0.3 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2506">#2506</a>)</li>
<li>See full diff in <a
href="823fcebdb3...6cb76d07be">compare
view</a></li>
</ul>
</details>
<br />
Updates `github/codeql-action` from 3.28.13 to 3.28.15
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.28.15</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.28.15 - 07 Apr 2025</h2>
<ul>
<li>Fix bug where the action would fail if it tried to produce a debug
artifact with more than 65535 files. <a
href="https://redirect.github.com/github/codeql-action/pull/2842">#2842</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.28.15/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.28.14</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.28.14 - 07 Apr 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2838">#2838</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.28.14/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.28.15 - 07 Apr 2025</h2>
<ul>
<li>Fix bug where the action would fail if it tried to produce a debug
artifact with more than 65535 files. <a
href="https://redirect.github.com/github/codeql-action/pull/2842">#2842</a></li>
</ul>
<h2>3.28.14 - 07 Apr 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2838">#2838</a></li>
</ul>
<h2>3.28.13 - 24 Mar 2025</h2>
<p>No user facing changes.</p>
<h2>3.28.12 - 19 Mar 2025</h2>
<ul>
<li>Dependency caching should now cache more dependencies for Java
<code>build-mode: none</code> extractions. This should speed up
workflows and avoid inconsistent alerts in some cases.</li>
<li>Update default CodeQL bundle version to 2.20.7. <a
href="https://redirect.github.com/github/codeql-action/pull/2810">#2810</a></li>
</ul>
<h2>3.28.11 - 07 Mar 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.20.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2793">#2793</a></li>
</ul>
<h2>3.28.10 - 21 Feb 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.20.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2772">#2772</a></li>
<li>Address an issue where the CodeQL Bundle would occasionally fail to
decompress on macOS. <a
href="https://redirect.github.com/github/codeql-action/pull/2768">#2768</a></li>
</ul>
<h2>3.28.9 - 07 Feb 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.20.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2753">#2753</a></li>
</ul>
<h2>3.28.8 - 29 Jan 2025</h2>
<ul>
<li>Enable support for Kotlin 2.1.10 when running with CodeQL CLI
v2.20.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2744">#2744</a></li>
</ul>
<h2>3.28.7 - 29 Jan 2025</h2>
<p>No user facing changes.</p>
<h2>3.28.6 - 27 Jan 2025</h2>
<ul>
<li>Re-enable debug artifact upload for CLI versions 2.20.3 or greater.
<a
href="https://redirect.github.com/github/codeql-action/pull/2726">#2726</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="45775bd823"><code>45775bd</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2854">#2854</a>
from github/update-v3.28.15-a35ae8c38</li>
<li><a
href="dd78aab407"><code>dd78aab</code></a>
Update CHANGELOG.md with bug fix details</li>
<li><a
href="e40af59174"><code>e40af59</code></a>
Update changelog for v3.28.15</li>
<li><a
href="a35ae8c380"><code>a35ae8c</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2843">#2843</a>
from github/cklin/diff-informed-compat</li>
<li><a
href="bb59df6c17"><code>bb59df6</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2842">#2842</a>
from github/henrymercer/zip64</li>
<li><a
href="4b508f5964"><code>4b508f5</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2845">#2845</a>
from github/mergeback/v3.28.14-to-main-fc7e4a0f</li>
<li><a
href="ca00afb5f1"><code>ca00afb</code></a>
Update checked-in dependencies</li>
<li><a
href="2969c78ce0"><code>2969c78</code></a>
Update changelog and version after v3.28.14</li>
<li><a
href="fc7e4a0fa0"><code>fc7e4a0</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2844">#2844</a>
from github/update-v3.28.14-362ef4ce2</li>
<li><a
href="be0175c800"><code>be0175c</code></a>
Update changelog for v3.28.14</li>
<li>Additional commits viewable in <a
href="1b549b9259...45775bd823">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gradle group with 1 update in the
/.github/workflow-samples/groovy-dsl directory:
com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 1 update in the
/.github/workflow-samples/kotlin-dsl directory:
com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 2 updates in the /sources/test/init-scripts
directory: com.gradle.common-custom-user-data-gradle-plugin and
[com.fasterxml.jackson.dataformat:jackson-dataformat-smile](https://github.com/FasterXML/jackson-dataformats-binary).
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to
2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to
2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to
2.2.1
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-smile` from
2.18.2 to 2.18.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="acc383b238"><code>acc383b</code></a>
[maven-release-plugin] prepare release
jackson-dataformats-binary-2.18.3</li>
<li><a
href="5184301b79"><code>5184301</code></a>
Prep for 2.18.3</li>
<li><a
href="a390dde5ff"><code>a390dde</code></a>
Fix release notes</li>
<li><a
href="2576b3901c"><code>2576b39</code></a>
Merge branch '2.17' into 2.18</li>
<li><a
href="509c39c497"><code>509c39c</code></a>
Add release notes for <a
href="https://redirect.github.com/FasterXML/jackson-dataformats-binary/issues/541">#541</a></li>
<li><a
href="aae1b3714a"><code>aae1b37</code></a>
SmileParser getValueAsString() issue with JsonToken.FIELD_NAME (<a
href="https://redirect.github.com/FasterXML/jackson-dataformats-binary/issues/540">#540</a>)</li>
<li><a
href="b7a257507d"><code>b7a2575</code></a>
Move test for <a
href="https://redirect.github.com/FasterXML/jackson-dataformats-binary/issues/75">#75</a>
from failing to non-failing</li>
<li><a
href="de5efeef12"><code>de5efee</code></a>
Back to snapshot deps</li>
<li><a
href="1f27842342"><code>1f27842</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li>See full diff in <a
href="https://github.com/FasterXML/jackson-dataformats-binary/compare/jackson-dataformats-binary-2.18.2...jackson-dataformats-binary-2.18.3">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Bumps the npm-dependencies group in /sources with 2 updates:
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
and [ts-jest](https://github.com/kulshekhar/ts-jest).
Updates `@types/node` from 20.17.27 to 20.17.28
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
Updates `ts-jest` from 29.3.0 to 29.3.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/releases">ts-jest's
releases</a>.</em></p>
<blockquote>
<h2>v29.3.1</h2>
<p>Please refer to <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">ts-jest's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.0...v29.3.1">29.3.1</a>
(2025-03-31)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>fix: allow <code>isolatedModules</code> mode to have
<code>ts.Program</code> under <code>Node16/Next</code> (<a
href="https://github.com/kulshekhar/ts-jest/commit/25157eb">25157eb</a>)</li>
<li>fix: improve message for <code>isolatedModules</code> of
<code>ts-jest</code> config (<a
href="https://github.com/kulshekhar/ts-jest/commit/547eb6f">547eb6f</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7738269b23"><code>7738269</code></a>
chore(release): 29.3.1</li>
<li><a
href="04a12d73ab"><code>04a12d7</code></a>
test: improve <code>examples</code> folder</li>
<li><a
href="547eb6f811"><code>547eb6f</code></a>
fix: improve message for <code>isolatedModules</code> of
<code>ts-jest</code> config</li>
<li><a
href="0c3465fe26"><code>0c3465f</code></a>
docs: indicate clearer about <code>isolatedModules</code>
deprecation</li>
<li><a
href="25157eb124"><code>25157eb</code></a>
fix: allow <code>isolatedModules</code> mode to have Program under
<code>Node16/Next</code></li>
<li><a
href="cc1f630b98"><code>cc1f630</code></a>
build(deps): Update dependency <code>@types/node</code> to
v20.17.28</li>
<li><a
href="66bde83d25"><code>66bde83</code></a>
build(deps): Update dependency <code>@types/semver</code> to
^7.7.0</li>
<li><a
href="a4275caf18"><code>a4275ca</code></a>
Remove --no-audit</li>
<li><a
href="38cacd360d"><code>38cacd3</code></a>
Add NPM cache</li>
<li><a
href="36e3883310"><code>36e3883</code></a>
build(deps): Update dependency <code>@formatjs/ts-transformer</code> to
^3.13.34</li>
<li>Additional commits viewable in <a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.0...v29.3.1">compare
view</a></li>
</ul>
</details>
<br />
<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>
| Dependency Name | Ignore Conditions |
| --- | --- |
| @types/node | [>= 22.a, < 23] |
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gradle group with 1 update in the /.github/workflow-samples/groovy-dsl directory: com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 1 update in the /.github/workflow-samples/kotlin-dsl directory: com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 2 updates in the /sources/test/init-scripts directory: com.gradle.common-custom-user-data-gradle-plugin and [com.fasterxml.jackson.dataformat:jackson-dataformat-smile](https://github.com/FasterXML/jackson-dataformats-binary).
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to 2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to 2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to 2.2.1
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-smile` from 2.18.2 to 2.18.3
- [Commits](https://github.com/FasterXML/jackson-dataformats-binary/compare/jackson-dataformats-binary-2.18.2...jackson-dataformats-binary-2.18.3)
---
updated-dependencies:
- dependency-name: com.gradle.common-custom-user-data-gradle-plugin
dependency-version: 2.2.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gradle
- dependency-name: com.gradle.common-custom-user-data-gradle-plugin
dependency-version: 2.2.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gradle
- dependency-name: com.gradle.common-custom-user-data-gradle-plugin
dependency-version: 2.2.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gradle
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-smile
dependency-version: 2.18.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: gradle
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps the gradle group with 1 update in the
/.github/workflow-samples/kotlin-dsl directory:
[com.google.guava:guava](https://github.com/google/guava).
Updates `com.google.guava:guava` from 33.4.5-jre to 33.4.6-jre
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/guava/releases">com.google.guava:guava's
releases</a>.</em></p>
<blockquote>
<h2>33.4.6</h2>
<p>Guava 33.4.6 fixes two problems that we introduced while modularizing
Guava in <a
href="https://github.com/google/guava/releases/tag/v33.4.5">33.4.5</a>.</p>
<p>Even if you're not upgrading from Guava 33.4.0 or earlier, still read
<a href="https://github.com/google/guava/releases/tag/v33.4.1">the
release notes for Guava 33.4.1</a>. Those release notes contain
information about Guava 33.4.5 and 33.4.6's effect on the module
system.</p>
<h3>Maven</h3>
<pre lang="xml"><code><dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>33.4.6-jre</version>
<!-- or, for Android: -->
<version>33.4.6-android</version>
</dependency>
</code></pre>
<h3>Jar files</h3>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.6-jre/guava-33.4.6-jre.jar">33.4.6-jre.jar</a></li>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.6-android/guava-33.4.6-android.jar">33.4.6-android.jar</a></li>
</ul>
<p>Guava requires <a
href="https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies">one
runtime dependency</a>, which you can download here:</p>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.3/failureaccess-1.0.3.jar">failureaccess-1.0.3.jar</a></li>
</ul>
<h3>Javadoc</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.6-jre/api/docs/">33.4.6-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.6-android/api/docs/">33.4.6-android</a></li>
</ul>
<h3>JDiff</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.6-jre/api/diffs/">33.4.6-jre vs.
33.4.5-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.6-android/api/diffs/">33.4.6-android
vs. 33.4.5-android</a></li>
<li><a
href="https://guava.dev/releases/33.4.6-android/api/androiddiffs/">33.4.6-android
vs. 33.4.6-jre</a></li>
</ul>
<h3>Changelog</h3>
<ul>
<li>Removed the extra copy of each class from the Guava jar. The extra
copies were an accidental addition from the modularization work in <a
href="https://github.com/google/guava/releases/tag/v33.4.5">Guava
33.4.5</a>. (40485b93ce)</li>
<li>Fixed annotation-related warnings when using Guava in modular
builds. The most common such warning is <code>Cannot find annotation
method 'value()' in type 'DoNotMock': ...</code>. (7e15ab3566)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/google/guava/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The request for a short lived access token fails if the server
certificate is self signed and `develocity-allow-untrusted-server` is
set to true.
I wasn't sure how to write a test for this since nock does not seem to
support mocking a ssl error response.
By inspecting a greater range of build operations for failure, the Job
summary will correctly reflect the build outcome in more circumstances.
Note that we now use the old 'buildFinished' mechanism for all Gradle
versions < `7.0`, instead of using the BuildService mechanism for all
Gradle versions from `6.6`. This avoids needing to deal with
inconsistent build operations present in Gradle versions `[6.6, 7.0)`.
Fixes#415
Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Fixes the Groovy syntax in 2 init-scripts to avoid deprecation warnings.
The fix to the DV injection script is temporary, and will be replaced by
a fix in the upstream reference script.
Fixes#541
Due to an issue with dependency-review-action (https://github.com/gradle/actions/issues/482),
the setup described in the documentation can result in duplicate
dependencies being added to the dependency graph.
To avoid this, we now recommend using a common `dependency-submission`
workflow for both pushes to `main` and pull requests.
The `dependency-review` workflow runs on any `pull_request` but will wait
for the `dependency-submission` to complete.
This setup works for both the standard setup, and for the advanced setup for
pull requests from repository forks.
# Combined PRs ➡️📦⬅️✅ The following pull requests have been successfully combined on this
PR:
- Closes#534 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/kotlin-dsl
- Closes#533 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/java-toolchain
- Closes#532 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/groovy-dsl
- Closes#531 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/gradle-plugin
- Closes#530 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/sources/test/init-scripts
> This PR was created by the
[`github/combine-prs`](https://github.com/github/combine-prs) action
---------
Signed-off-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The cache-cleanup operation works by executing Gradle on a dummy project
and a custom init-script. The version of Gradle used should be at least
as high as the newest version used to run a build.
Previously, if the Gradle version on PATH didn't meet this requirement,
the action would download and install the required Gradle version.
With this PR, the action will now use an existing Gradle wrapper
distribution if it meets the requirement. This avoids unnecessary
downloads of Gradle versions that are already present on the runner.
The logic is:
- Determine the newest version of Gradle that was executed during the
Job. This is the 'minimum version' for cache cleanup.
- Inspect the Gradle version on PATH and any detected wrapper scripts to
see if they meet the 'minimum version'.
- The first executable that is found to meet the requirements will be
used for cache-cleanup.
- If no executable is found that meets the requirements, attempt to
provision Gradle with the 'minimum version'.
Fixes#515
The cache-cleanup operation works by executing Gradle on a dummy project
and a custom init-script. The init-script requires at least Gradle 8.11
to work.
Ideally, the version of Gradle used for cleanup should be no older than
the newest one that wrote entries to Gradle User Home. If an older
Gradle version is used for cache-cleanup, it will not remove entries
written specifically for newer versions.
With this change, we now attempt to ensure that cache-cleanup is run
with the best Gradle version available. We inspect the Gradle version on
PATH to see if it is new enough, otherwise we will provision a Gradle
version equal to the newest one that ran in the Job.
The logic is:
- Determine the newest version of Gradle that was executed during the
Job. This is the 'minimum version' for cache cleanup.
- Inspect the Gradle version on PATH (if any) to see if it is equal to
or newer than the 'minimum version'.
- If the version Gradle on PATH is new enough, use that version for
cache-cleanup.
- If not, attempt to provision Gradle with the 'minimum version'.
Fixes#436
This change primarily impacts test projects and documentation. The only
material impact is that CCUD 2.1 will now be auto-applied when
publishing Build Scans automatically with `build-scan-publish: true`.
(Develocity injection does not hard-code any CCUD version)
Diagnosing unexpected dependencies in the GitHub Dependency Graph can
be difficult. In order to aid with diagnosis, the `dependency-submission`
action will now save each dependency-graph file as a workflow artifact.
If this is undesirable, the prior behaviour can be restored by explicitly setting
`dependency-graph: generate-and-submit`.
Fixes#519
The Gradle build used to perform cache-cleanup will run in the context of init-scripts
provided by the action, including those that collect build-results.
In some circumstances this can lead to unexpected results, such as saving configuration-cache
entries for cache cleanup executions.
With this change, build results will not be captured for cache-cleanup builds.
Previously we were relying on Gradle to substitute JDK environment variables
in toolchains.xml. With this change, the actual path to the JDK is encoded instead.
This should avoid issues where Gradle is not able to successfully resolve the
envioronment variable.
# Combined PRs ➡️📦⬅️✅ The following pull requests have been successfully combined on this
PR:
- Closes#498 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/kotlin-dsl
- Closes#497 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/java-toolchain
- Closes#496 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/groovy-dsl
- Closes#495 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/gradle-plugin
- Closes#494 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/sources/test/init-scripts
> This PR was created by the
[`github/combine-prs`](https://github.com/github/combine-prs) action
---------
Signed-off-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: daz <daz@gradle.com>
Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Co-authored-by: bigdaz <179734+bigdaz@users.noreply.github.com>
Bumps the gradle group with 1 update in the /sources/test/init-scripts
directory:
[com.fasterxml.jackson.dataformat:jackson-dataformat-smile](https://github.com/FasterXML/jackson-dataformats-binary).
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-smile` from
2.18.1 to 2.18.2
<details>
<summary>Commits</summary>
<ul>
<li><a
href="147bc6024b"><code>147bc60</code></a>
[maven-release-plugin] prepare release
jackson-dataformats-binary-2.18.2</li>
<li><a
href="92648ab980"><code>92648ab</code></a>
Prep for 2.18.2</li>
<li><a
href="d31d695767"><code>d31d695</code></a>
Merge branch '2.17' into 2.18</li>
<li><a
href="a7232c691a"><code>a7232c6</code></a>
Back to snapshot dep</li>
<li><a
href="b362d85402"><code>b362d85</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="d817f53ab6"><code>d817f53</code></a>
[maven-release-plugin] prepare release
jackson-dataformats-binary-2.17.3</li>
<li><a
href="d88c088671"><code>d88c088</code></a>
Prep for 2.17.3</li>
<li><a
href="fa5abd6573"><code>fa5abd6</code></a>
Back to snapshot dep</li>
<li><a
href="d048e2fd91"><code>d048e2f</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li>See full diff in <a
href="https://github.com/FasterXML/jackson-dataformats-binary/compare/jackson-dataformats-binary-2.18.1...jackson-dataformats-binary-2.18.2">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Co-authored-by: bigdaz <179734+bigdaz@users.noreply.github.com>
The build-result-capture.init.gradle script was making some assumptions about
extensions and plugin application that do not apply with the newest GE plugin.
Fixes#449
This test was originally starting with an empty set of checksums,
leading to the download of a checksum for every released and snapshot
version. This resulted in in sporadic test failures.
We now start with a known set of checksums and ensure that those that
are missing are downloaded. This involved some refactoring and
improvement in the way snapshot checksums are processed.
Although we run `setup-gradle` with all/most wrapper files, this global
workflow will ensure that all wrapper files in the repo are valid.
(This should help with the OSSF scorecard)
The cache-cleanup API has changed, so the init-script that worked with
Gradle 8.9 no longer works with 8.11.
We now provision and use Gradle 8.11 for cache cleanup.
This provides a band-aid fix for #417 but that issue will still impact
any build configured to run with Gradle > 8.11
This test assumed that at least one 'snapshot' wrapper checksum was unique,
and not contained in the set of wrapper checksums for released distributions.
This is no longer the case, so the assumption has been modified.
Instead of always installing and using the latest Gradle version for
cache cleanup, we now require at least Gradle 8.9.
This avoids downloading and installing Gradle if the version on PATH is
sufficient to perform cache cleanup.
The most common case for validation will be that the wrapper jars are unchanged
from a previous workflow run. In this case, we cache the validated wrapper
checksums to minimise the work required on a subsequent run.
Fixes#172
- Add deprecation warning for `gradle-home-cache-cleanup`
- Change default for `dependency-submission` to `cache-cleanup: on-success`
- Update documentation for changed default
Previously, including RUNNER_OS was enough to prevent leaking incompatible
content between Gradle User Homes. With the introduction of macos-14,
we now need to differentiate between different runner architectures as well.
Fixes#138
Adds new 'cache-cleanup' parameter with 3 settings: 'never', 'on-success' and 'always'.
This gives users more control over whether cache cleanup should occur.
Fixes#71
The checksum values for most wrapper versions are hard-coded into the
action. These known checksum values are first used for validation: only
if none of the known values work do we download checksums.
Previously, we blindly downloaded all of the checksum values in this
case: we now only download the checksums for versions that are not in
our "known" set.
Fixes#171
- Check that https://github.com/gradle/actions/actions is green for all workflows for the main branch.
- Check that https://github.com/gradle/actions/actions is green for all workflows for the main branch.
- This should include any workflows triggered by `[bot] Update dist directory`
- This should include any workflows triggered by `[bot] Update dist directory`
- Decide on the version number to use for the release. The action releases should follow semantic versioning.
- Decide on the version number to use for the release. The action releases should follow semantic versioning.
- By default, a patch release is assumed (eg. `3.0.0` → `3.0.1`)
- By default, a patch release is assumed (eg. `4.0.0` → `4.0.1`)
- If new features have been added, bump the minor version (eg `3.1.1` → `3.2.0`)
- If new features have been added, bump the minor version (eg `4.1.1` → `4.2.0`)
- If a new major release is required, bump the major version (eg `3.1.1` → `4.0.0`)
- If a new major release is required, bump the major version (eg `4.1.1` → `5.0.0`)
- Note: The gradle actions follow the GitHub Actions convention of including a .0 patch number for the first release of a minor version, unlike the Gradle convention which omits the trailing .0.
- Note: The gradle actions follow the GitHub Actions convention of including a .0 patch number for the first release of a minor version, unlike the Gradle convention which omits the trailing .0.
## Release gradle/actions
## Release gradle/actions
- Create a tag for the release. The tag should have the format `v3.1.0`
- Create a tag for the release. The tag should have the format `v4.1.0`
- From CLI: `git tag v3.1.0 && git push --tags`
- From CLI: `git tag -s -m "v4.1.0" v4.1.0 && git push --tags`
- Note that we sign the tag and set the commit message for the tag to the newly released version.
- Go to https://github.com/gradle/actions/releases and "Draft new release"
- Go to https://github.com/gradle/actions/releases and "Draft new release"
- Use the newly created tag and copy the tag name exactly as the release title.
- Use the newly created tag and copy the tag name exactly as the release title.
- Craft release notes content based on issues closed, PRs merged and commits
- Craft release notes content based on issues closed, PRs merged and commits
- Include a Full changelog link in the format https://github.com/gradle/actions/compare/v2.12.0...v3.0.0
- Include a Full changelog link in the format https://github.com/gradle/actions/compare/v2.12.0...v3.0.0
- Publish the release.
- Publish the release.
- Force push the `v3` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
- Force push the `v4` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
- From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
- From CLI: `git tag -f -s -a -m "v4.0.0" v4 v4.0.0 && git push -f --tags`
- Note that we set the commit message for the tag to the newly released version.
- Note that we sign the tag and set the commit message for the tag to the newly released version.
## Release gradle/gradle-build-action
During the 3.x release series, we will continue to publish parallel releases of `gradle/gradle-build-action`. These releases will simply delegate to `gradle/actions/setup-gradle` with the same version.
- Update the [gradle-build-action action.yml](https://github.com/gradle/gradle-build-action/blob/main/action.yml#L162) file to point to the newly released version of `gradle/actions/setup-gradle`.
- Ensure that any parameters that have been added to the setup-gradle action are added to the gradle-build-action definition, and that these are passed on to setup-gradle.
- Create and push a tag for the release.
- From CLI: `git tag v3.1.0 && git push --tags`
- Go to https://github.com/gradle/gradle-build-action/releases and "Draft new release"
- Use the newly created tag and copy the tag name exactly as the release title.
- In the release notes, point users to the gradle/actions release. Include a header informing users to switch to `gradle/actions/setup-gradle`.
- Publish the release.
- Force push the `v3` tag (or current major version) to point to the new release.
- From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
## Release gradle/wrapper-validation-action
During the 3.x release series, we will continue to publish parallel releases of `gradle/wrapper-validation-action`. These releases will simply delegate to `gradle/actions/wrapper-validation` with the same version.
- Update the [wrapper-validation-action action.yml](https://github.com/gradle/wrapper-validation-action/blob/main/action.yml#L162) file to point to the newly released version of `gradle/actions/wrapper-validation`.
- Ensure that any parameters that have been added to the `wrapper-validation` action (if any) are added to the action definition, and that these are passed on to setup-gradle.
- Create and push a tag for the release.
- From CLI: `git tag v3.1.0 && git push --tags`
- Go to https://github.com/gradle/wrapper-validation-action/releases and "Draft new release"
- Use the newly created tag and copy the tag name exactly as the release title.
- In the release notes, point users to the gradle/actions release. Include a header informing users to switch to `gradle/actions/wrapper-validation`.
- Publish the release.
- Force push the `v3` tag (or current major version) to point to the new release.
- From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
## Post release steps
## Post release steps
Submit PRs to update the GitHub starter workflow. Starter workflows contain content that should reference the Git hash of the current gradle/actions release:
Submit PRs to update the GitHub starter workflow. Starter workflows contain content that should reference the Git hash of the current gradle/actions release:
https://github.com/actions/starter-workflows has [gradle](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml) and [gradle-publish](https://github.com/actions/starter-workflows/blob/main/ci/gradle-publish.yml): see [the v2.1.4 update PR](https://github.com/actions/starter-workflows/pull/1489) for an example.
https://github.com/actions/starter-workflows has [gradle](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml) and [gradle-publish](https://github.com/actions/starter-workflows/blob/main/ci/gradle-publish.yml): see [the v4.0.0 update PR](https://github.com/actions/starter-workflows/pull/2468) for an example.
Submit PRs to update the GitHub documentation. The documentation contains content that should reference the Git hash of the current gradle/actions release:
Submit PRs to update the GitHub documentation. The documentation contains content that should reference the Git hash of the current gradle/actions release:
https://github.com/github/docs has [building-and-testing-java-with-gradle](https://github.com/github/docs/blob/main/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md) and [publishing-java-packages-with-gradle](https://github.com/github/docs/blob/main/content/actions/publishing-packages/publishing-java-packages-with-gradle.md) : see [the v2.1.4 update PR](https://github.com/github/docs/pull/16392) for an example.
https://github.com/github/docs has [building-and-testing-java-with-gradle](https://github.com/github/docs/blob/main/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md) and [publishing-java-packages-with-gradle](https://github.com/github/docs/blob/main/content/actions/publishing-packages/publishing-java-packages-with-gradle.md) : see [the v4.0.0 update PR](https://github.com/github/docs/pull/34239) for an example.
Configuration-cache data will not be saved/restored without an encryption key being provided.
Configuration-cache data will not be saved/restored without an encryption key being provided.
required:false
required:false
cache-cleanup:
description:|
Specifies if the action should attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
By default ('on-success'), cleanup is performed when all Gradle builds succeed for the Job.
This behaviour can be disabled ('never'), or configured to always run irrespective of the build outcome ('always').
Valid values are 'never', 'on-success' and 'always'.
required:false
default:'on-success'
gradle-home-cache-cleanup:
description:When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
required:false
deprecation-message:This input has been superceded by the 'cache-cleanup' input parameter.
gradle-home-cache-includes:
gradle-home-cache-includes:
description:Paths within Gradle User Home to cache.
description:Paths within Gradle User Home to cache.
required:false
required:false
@ -68,11 +82,6 @@ inputs:
description:Paths within Gradle User Home to exclude from cache.
description:Paths within Gradle User Home to exclude from cache.
required:false
required:false
gradle-home-cache-cleanup:
description:When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
required:false
default:false
# Job summary configuration
# Job summary configuration
add-job-summary:
add-job-summary:
description:Specifies when a Job Summary should be inluded in the action results. Valid values are 'never', 'always' (default), and 'on-failure'.
description:Specifies when a Job Summary should be inluded in the action results. Valid values are 'never', 'always' (default), and 'on-failure'.
@ -87,27 +96,60 @@ inputs:
# Dependency Graph configuration
# Dependency Graph configuration
dependency-graph:
dependency-graph:
description:|
description:|
Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
Specifies how the dependency-graph should be handled by this action.
By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
Valid values are:
Valid values are:
'generate-and-submit' (default):Generates a dependency graph for the project and submits it in the same Job.
'generate-and-submit':Generates a dependency graph for the project and submits it in the same Job.
'generate-and-upload':Generates a dependency graph for the project and saves it as a workflow artifact.
'generate-submit-and-upload (default)':As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
'generate-and-upload':Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
'download-and-submit':Retrieves a previously saved dependency-graph and submits it to the repository.
'download-and-submit':Retrieves a previously saved dependency-graph and submits it to the repository.
Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
where the workflow generating the dependency-graph cannot (or should not) be given the `contents:write` permissions
where the workflow generating the dependency-graph cannot (or should not) be given the `contents:write` permissions
required to submit via the Dependency Submission API.
required to submit via the Dependency Submission API.
required:false
required:false
default:'generate-and-submit'
default:'generate-submit-and-upload'
dependency-graph-report-dir:
description:|
Specifies where the dependency graph report will be generated.
Paths can relative or absolute. Relative paths are resolved relative to the workspace directory.
required:false
default:'dependency-graph-reports'
dependency-graph-continue-on-failure:
dependency-graph-continue-on-failure:
description:When 'false' a failure to generate or submit a dependency graph will fail the Step or Job. When 'true' a warning will be emitted but no failure will result.
description:When 'false' a failure to generate or submit a dependency graph will fail the Step or Job. When 'true' a warning will be emitted but no failure will result.
required:false
required:false
default:false
default:false
dependency-graph-exclude-projects:
description:|
Gradle projects that should be excluded from dependency graph (regular expression).
When set, any matching project will be excluded.
required:false
dependency-graph-include-projects:
description:|
Gradle projects that should be included in dependency graph (regular expression).
When set, only matching projects will be included.
required:false
dependency-graph-exclude-configurations:
description:|
Gradle configurations that should be included in dependency graph (regular expression).
When set, anymatching configurations will be excluded.
required:false
dependency-graph-include-configurations:
description:|
Gradle configurations that should be included in dependency graph (regular expression).
When set, only matching configurations will be included.
required:false
artifact-retention-days:
artifact-retention-days:
description:Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
description:Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
required:false
required:false
default:1
# Build Scan configuration
# Build Scan configuration
build-scan-publish:
build-scan-publish:
@ -133,22 +175,22 @@ inputs:
description:The Develocity short-lived access tokens expiry in hours. Default is 2 hours.
description:The Develocity short-lived access tokens expiry in hours. Default is 2 hours.
required:false
required:false
# Wrapper validation configuration
validate-wrappers:
description:|
When 'true' the action will automatically validate all wrapper jars found in the repository.
If the wrapper checksums are not valid, the action will fail.
required:false
default:false
allow-snapshot-wrappers:
description:|
When 'true', wrapper validation will include the checksums of snapshot wrapper jars.
Use this if you are running with nightly or snapshot versions of the Gradle wrapper.
required:false
default:false
# DEPRECATED ACTION INPUTS
# DEPRECATED ACTION INPUTS
build-scan-terms-of-service-url:
description:The URL to the Build Scan® terms of use. This input must be set to 'https://gradle.com/terms-of-service'.
required:false
deprecation-message:The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-url' instead.
build-scan-terms-of-service-agree:
description:Indicate that you agree to the Build Scan® terms of use. This input value must be "yes".
required:false
deprecation-message:The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-agree' instead.
generate-job-summary:
description:When 'false', no Job Summary will be generated for the Job.
required:false
default:true
deprecation-message:Superceded by the new 'add-job-summary' and 'add-job-summary-as-pr-comment' parameters.
# EXPERIMENTAL ACTION INPUTS
# EXPERIMENTAL ACTION INPUTS
# The following action properties allow fine-grained tweaking of the action caching behaviour.
# The following action properties allow fine-grained tweaking of the action caching behaviour.
@ -83,10 +83,10 @@ In some cases, the default action configuration will not be sufficient, and addi
```yaml
```yaml
- name: Generate and save dependency graph
- name: Generate and save dependency graph
uses: gradle/actions/dependency-submission@v3
uses: gradle/actions/dependency-submission@v4
with:
with:
# Use a particular Gradle version instead of the configured wrapper.
# Use a particular Gradle version instead of the configured wrapper.
gradle-version: 8.6
gradle-version: '8.6'
# The gradle project is not in the root of the repository.
# The gradle project is not in the root of the repository.
build-root-directory: my-gradle-project
build-root-directory: my-gradle-project
@ -102,6 +102,16 @@ In some cases, the default action configuration will not be sufficient, and addi
# Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
# Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
dependency-graph: generate-and-upload
dependency-graph: generate-and-upload
# Change the number of days that workflow artifacts are retained. (Default is 30 days).
artifact-retention-days: 5
# Specify the location where dependency graph files will be generated.
dependency-graph-report-dir: custom-report-dir
# By default, failure to generate a dependency graph will cause the workflow to fail
dependency-graph-continue-on-failure: true
```
```
See the [Action Metadata file](../dependency-submission/action.yml) for a more detailed description of each input parameter.
See the [Action Metadata file](../dependency-submission/action.yml) for a more detailed description of each input parameter.
@ -111,6 +121,29 @@ The `GitHub Dependency Graph Gradle Plugin` can be further
These will be automatically set by the `dependency-submission` action, but you may override these values
These will be automatically set by the `dependency-submission` action, but you may override these values
by setting them explicitly in your workflow file.
by setting them explicitly in your workflow file.
### Reducing storage costs for saved dependency graph artifacts
By default, the dependency graph that is generated is stored as a workflow artifact.
To reduce storage costs for these artifacts, you can:
1. Set the `artifact-retention-days`:
```yaml
- name: Generate dependency graph but only store workflow artifacts for 1 day
uses: gradle/actions/dependency-submission@v4
with:
artifact-retention-days: 1 # Default is 30 days or as configured for repository
```
2. Disable storing dependency-graph artifacts using `generate-and-submit`
```yaml
- name: Generate and submit dependency graph but do not store as workflow artifact
uses: gradle/actions/dependency-submission@v4
with:
dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
```
# Resolving a dependency vulnerability
# Resolving a dependency vulnerability
## Finding the source of a dependency vulnerability
## Finding the source of a dependency vulnerability
@ -235,26 +268,26 @@ contribute to the dependency graph.
> These dependencies would be assigned to different scopes (eg development, runtime, testing) and the GitHub UI would make it easy to opt-in to security alerts for different dependency scopes.
> These dependencies would be assigned to different scopes (eg development, runtime, testing) and the GitHub UI would make it easy to opt-in to security alerts for different dependency scopes.
> However, this functionality does not yet exist.
> However, this functionality does not yet exist.
### Excluding certain Gradle projects from the dependency graph
### Selecting Gradle projects that will contribute to the dependency graph
If you do not want the dependency graph to include dependencies from every project in your build,
If you do not want the dependency graph to include dependencies from every project in your build,
you can easily exclude certain projects from the dependency extraction process.
you can easily exclude or include certain projects from the dependency extraction process.
To restrict which Gradle subprojects contribute to the report, specify which projects to exclude via a regular expression.
To restrict which Gradle subprojects contribute to the report, specify which projects to exclude or include via a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_PROJECTS` environment variable or system property.
You can use the `dependency-graph-exclude-projects` and `dependency-graph-include-projects` input parameters for this purpose.
Note that excluding a project in this way only removes dependencies that are _resolved_ as part of that project, and may
Note that excluding a project in this way only removes dependencies that are _resolved_ as part of that project, and may
not necessarily remove all dependencies _declared_ in that project. If another project depends on the excluded project
not necessarily remove all dependencies _declared_ in that project. If another project depends on the excluded project
then it may transitively resolve dependencies declared in the excluded project: these dependencies will still be included
then it may transitively resolve dependencies declared in the excluded project: these dependencies will still be included
in the generated dependency graph.
in the generated dependency graph.
### Excluding certain Gradle configurations from the dependency graph
### Selecting Gradle configurations that will contribute to the dependency graph
Similarly to Gradle projects, it is possible to exclude a set of configuration instances from dependency graph generation,
Similarly to Gradle projects, it is possible to exclude or include a set of dependency configurations from dependency graph generation,
so that dependencies resolved by those configurations are not included.
so that only dependencies resolved by the included configurations are reported.
To restrict which Gradle configurations contribute to the report, specify which configurations to exclude via a regular expression.
To restrict which Gradle configurations contribute to the report, specify which configurations to exclude or include via a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS` environment variable or system property.
You can use the `dependency-graph-exclude-configurations` and `dependency-graph-include-configurations` input parameters for this purpose.
Note that configuration exclusion applies to the configuration in which the dependency is _resolved_ which is not necessarily
Note that configuration exclusion applies to the configuration in which the dependency is _resolved_ which is not necessarily
the configuration where the dependency is _declared_. For example if you decare a dependency as `implementation` in
the configuration where the dependency is _declared_. For example if you decare a dependency as `implementation` in
@ -262,24 +295,18 @@ a Java project, that dependency will be resolved in `compileClasspath`, `runtime
### Example of project and configuration filtering
### Example of project and configuration filtering
For example, if you want to exclude dependencies in the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration:
For example, if you want to exclude dependencies resolved by the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration:
```yaml
```yaml
- name: Generate and submit dependency graph
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v3
uses: gradle/actions/dependency-submission@v4
env:
with:
# Exclude all dependencies that originate solely in the 'buildSrc' project
# Exclude all dependencies that originate solely in the 'buildSrc' project
DEPENDENCY_GRAPH_EXCLUDE_PROJECTS: ':buildSrc'
dependency-graph-exclude-projects: ':buildSrc'
# Exclude dependencies that are only resolved in test classpaths
# Exclude dependencies that are only resolved in test classpaths
The [GitHub Dependency Graph Gradle Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin)
has other filtering options that may be useful.
See [the docs](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#filtering-which-gradle-configurations-contribute-to-the-dependency-graph) for details.
# Advance usage scenarios
# Advance usage scenarios
## Using a custom plugin repository
## Using a custom plugin repository
@ -294,12 +321,19 @@ The GitHub [dependency-review-action](https://github.com/actions/dependency-revi
understand dependency changes (and the security impact of these changes) for a pull request,
understand dependency changes (and the security impact of these changes) for a pull request,
by comparing the dependency graph for the pull-request with that of the HEAD commit.
by comparing the dependency graph for the pull-request with that of the HEAD commit.
Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
Integrating the Dependency Review Action requires 2 changes to your workflows:
#### 1. Add a `pull_request` trigger to your existing Dependency Submission workflow.
In order to perform Dependency Review on a pull request, the dependency graph must be submitted for the pull request.
To do this, simply add a `pull_request` trigger to your existing dependency submission workflow.
```yaml
```yaml
name: Dependency review for pull requests
name: Dependency Submission
on:
on:
push:
branches: [ 'main' ]
pull_request:
pull_request:
permissions:
permissions:
@ -316,12 +350,38 @@ jobs:
java-version: 17
java-version: 17
- name: Generate and submit dependency graph
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v3
uses: gradle/actions/dependency-submission@v4
- name: Perform dependency review
uses: actions/dependency-review-action@v3
```
```
#### 2. Add a dedicated Dependency Review workflow
The Dependency Review workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
Here's an example of a separate "Dependency Review" workflow that will wait up to 10 minutes for dependency submission to complete.
```yaml
name: Dependency Review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
```
The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the modified dependency-submission workflow to complete.
## Usage with pull requests from public forked repositories
## Usage with pull requests from public forked repositories
This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
@ -352,7 +412,7 @@ jobs:
java-version: 17
java-version: 17
- name: Generate and save dependency graph
- name: Generate and save dependency graph
uses: gradle/actions/dependency-submission@v3
uses: gradle/actions/dependency-submission@v4
with:
with:
dependency-graph: generate-and-upload
dependency-graph: generate-and-upload
```
```
@ -375,41 +435,11 @@ jobs:
runs-on: ubuntu-latest
runs-on: ubuntu-latest
steps:
steps:
- name: Download and submit dependency graph
- name: Download and submit dependency graph
uses: gradle/actions/dependency-submission@v3
uses: gradle/actions/dependency-submission@v4
with:
with:
dependency-graph: download-and-submit # Download saved dependency-graph and submit
dependency-graph: download-and-submit # Download saved dependency-graph and submit
```
```
### Integrating `dependency-review-action` for pull requests from public forked repositories
To integrate the `dependency-review-action` into the pull request workflows above, a third workflow file is required.
This workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the above PR check workflow to complete.
```yaml
name: dependency-review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
```
The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
# Gradle version compatibility
# Gradle version compatibility
Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against
Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against
@ -418,3 +448,10 @@ Gradle versions `5.2.1`, `5.6.4`, `6.0.1`, `6.9.4`, `7.1.1` and `7.6.3`, as well
A known exception to this is that Gradle `7.0`, `7.0.1` and `7.0.2` are not supported.
A known exception to this is that Gradle `7.0`, `7.0.1` and `7.0.2` are not supported.
See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
@ -20,7 +20,7 @@ To convert your workflows, simply replace:
```
```
with
with
```
```
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
```
```
## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
@ -40,7 +40,7 @@ To convert your workflows, simply replace:
```
```
with
with
```
```
uses: gradle/actions/wrapper-validation@v3
uses: gradle/actions/wrapper-validation@v4
```
```
## Using the action to execute Gradle via the `arguments` parameter is deprecated
## Using the action to execute Gradle via the `arguments` parameter is deprecated
@ -82,7 +82,7 @@ The exact syntax depends on whether or not your project is configured with the [
```
```
- name: Setup Gradle
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
- name: Assemble the project
- name: Assemble the project
run: ./gradlew assemble
run: ./gradlew assemble
@ -99,9 +99,9 @@ The exact syntax depends on whether or not your project is configured with the [
```
```
- name: Setup Gradle for a non-wrapper project
- name: Setup Gradle for a non-wrapper project
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
with:
with:
gradle-version: 8.9
gradle-version: '8.11'
- name: Assemble the project
- name: Assemble the project
run: gradle assemble
run: gradle assemble
@ -148,3 +148,15 @@ These deprecated build-scan parameters are scheduled to be removed in `setup-gra
Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1.
Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1.
In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens.
In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens.
If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible.
If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible.
## The `gradle-home-cache-cleanup` input parameter has been replaced by `cache-cleanup`
In versions of the action prior to `v4`, the boolean `gradle-home-cache-cleanup` parameter allows users to opt-in
to cache cleanup, removing unused files in Gradle User Home prior to saving to the cache.
With `v4`, cache-cleanup is enabled by default, and controlled by the `cache-cleanup` input parameter.
To remove this deprecation:
- If you are using `gradle-home-cache-cleanup: true` in your workflow, you can remove this option as this is now enabled by default.
- If you want cache-cleanup to run even when a Gradle build fails, then add the `cache-cleanup: always` input.
- If cache-cleanup is causing problems with your workflow, you can disable it with `cache-cleanup: never`.
@ -57,11 +57,11 @@ The `setup-gradle` action can download and install a specified Gradle version, a
Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid having to download them again later.
Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid having to download them again later.
```yaml
```yaml
- name: Setup Gradle 8.5
- name: Setup Gradle 8.10
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
with:
with:
gradle-version: 8.5
gradle-version: '8.10' # Quotes required to prevent YAML converting to number
- name: Build with Gradle 8.5
- name: Build with Gradle 8.10
run: gradle build
run: gradle build
```
```
@ -96,7 +96,7 @@ jobs:
distribution: temurin
distribution: temurin
java-version: 17
java-version: 17
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
id: setup-gradle
id: setup-gradle
with:
with:
gradle-version: release-candidate
gradle-version: release-candidate
@ -127,6 +127,8 @@ cache-disabled: true
By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
Jobs on other branches will read entries from the cache but will not write updated entries.
Jobs on other branches will read entries from the cache but will not write updated entries.
This setup is designed around [GitHub imposed restrictions on cache access](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) and should work well in most scenarios.
See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.
See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.
In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
@ -153,9 +155,32 @@ In certain circumstances it may be desirable to start with a clean Gradle User H
cache-write-only: true
cache-write-only: true
```
```
### Configuring cache cleanup
The Gradle User Home directory tends to grow over time. When you switch to a new Gradle wrapper version
or upgrade a dependency version the old files are not automatically and immediately removed.
While this can make sense in a local environment, in a GitHub Actions environment
it can lead to ever-larger Gradle User Home cache entries being saved and restored.
To avoid this situation, the `setup-gradle` and `dependency-submission` actions will perform "cache-cleanup",
purging any unused files from the Gradle User Home before saving it to the GitHub Actions cache.
Cache cleanup will attempt to remove any files that are initially restored to the Gradle User Home directory
but that are not used used by Gradle during the GitHub Actions Workflow.
If a Gradle build fails when running the Job, then it is possible that some required files and dependencies
will not be touched during the Job. To prevent these files from being purged, the default behavior is for
cache cleanup to run only when all Gradle builds in the Job are successful.
Gradle Home cache cleanup is enabled by default, and can be controlled by the `cache-cleanup` parameter as follows:
- `cache-cleanup: always`: Always run cache cleanup, even when a Gradle build fails in the Job.
- `cache-cleanup: on-success` (default): Run cache cleanup when the Job contains no failing Gradle builds.
- `cache-cleanup: never`: Disable cache cleanup for the Job.
Cache cleanup will never run when the cache is configured as read-only or disabled.
### Overwriting an existing Gradle User Home
### Overwriting an existing Gradle User Home
When the action detects that the Gradle User Home caches directory already exists (`~/.gradle/caches`), then by default it will not overwrite the existing content of this directory.
When the action detects that the Gradle User Home caches directory already exists (`$GRADLE_USER_HOME/caches`), then by default it will not overwrite the existing content of this directory.
This can occur when a prior action initializes this directory, or when using a self-hosted runner that retains this directory between uses.
This can occur when a prior action initializes this directory, or when using a self-hosted runner that retains this directory between uses.
In this case, the Job Summary will display a message like:
In this case, the Job Summary will display a message like:
@ -173,6 +198,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
> [!IMPORTANT]
> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
To benefit from configuration caching in your GitHub Actions workflow, you must:
To benefit from configuration caching in your GitHub Actions workflow, you must:
- Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
- Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
> [!NOTE]
> The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
> The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
> This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
> This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
> This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
> This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@ -356,20 +387,6 @@ gradle-home-cache-excludes: |
You can specify any number of fixed paths or patterns to include or exclude.
You can specify any number of fixed paths or patterns to include or exclude.
File pattern support is documented at https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#patterns-to-match-file-paths.
File pattern support is documented at https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#patterns-to-match-file-paths.
### Remove unused files from Gradle User Home before saving to the cache
The Gradle User Home directory tends to grow over time. When you switch to a new Gradle wrapper version or upgrade a dependency version
the old files are not automatically and immediately removed. While this can make sense in a local environment, in a GitHub Actions environment
it can lead to ever-larger Gradle User Home cache entries being saved and restored.
To avoid this situation, The `setup-gradle` action supports the `gradle-home-cache-cleanup` parameter.
When enabled, this feature will attempt to delete any files in the Gradle User Home that were not used by Gradle during the GitHub Actions Workflow, before saving the Gradle User Home to the GitHub Actions cache.
Gradle Home cache cleanup is considered experimental and is disabled by default. You can enable this feature for the action as follows:
```yaml
gradle-home-cache-cleanup: true
```
### Disable local build-cache when remote build-cache is available
### Disable local build-cache when remote build-cache is available
If you have a remote build-cache available for your build, then it is recommended to do the following:
If you have a remote build-cache available for your build, then it is recommended to do the following:
@ -421,6 +438,15 @@ so that a Job Summary is never generated, or so that a Job Summary is only gener
add-job-summary: 'on-failure' # Valid values are 'always' (default), 'never', and 'on-failure'
add-job-summary: 'on-failure' # Valid values are 'always' (default), 'never', and 'on-failure'
```
```
### Excluding specific Gradle builds from Job Summary
The Job Summary works by installing an init-script in Gradle User Home which will record details of any Gradle execution during the workflow.
This means that any Gradle excecution sharing the same Gradle User Home will show up in the Job Summary, which may include Gradle executions
run as part of integration testing.
To avoid having these test builds show up in the Job Summary, add the `GRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true` environment variable
to the process that executes Gradle. This will stop the init-script from collecting any build results.
### Adding Job Summary as a Pull Request comment
### Adding Job Summary as a Pull Request comment
It is sometimes more convenient to view the results of a GitHub Actions Job directly from the Pull Request that triggered
It is sometimes more convenient to view the results of a GitHub Actions Job directly from the Pull Request that triggered
@ -446,9 +472,9 @@ jobs:
java-version: 17
java-version: 17
- name: Setup Gradle
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
with:
with:
add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure'
add-job-summary-as-pr-comment: 'on-failure' # Valid values are 'never' (default), 'always', and 'on-failure'
- run: ./gradlew build --scan
- run: ./gradlew build --scan
```
```
@ -483,17 +509,17 @@ jobs:
java-version: 17
java-version: 17
- name: Setup Gradle
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
- name: Run build with Gradle wrapper
- name: Run build with Gradle wrapper
run: ./gradlew build --scan
run: ./gradlew build --scan
- name: Upload build reports
- name: Upload build reports
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
if: always()
if: always()
with:
with:
name: build-reports
name: build-reports
path: build/reports/
path: **/build/reports/
```
```
### Use of custom init-scripts in Gradle User Home
### Use of custom init-scripts in Gradle User Home
@ -506,14 +532,30 @@ Since Gradle applies init scripts in alphabetical order, one way to ensure this
## Gradle Wrapper validation
## Gradle Wrapper validation
Instead of using the [wrapper-validation action](./wrapper-validation.md) separately, you can enable
By default, this action will perform the same wrapper validation as is performed by the dedicated
wrapper validation directly in your Setup Gradle step.
# Set the following variables if your custom plugin repository requires authentication
# Set the following variables if your custom plugin repository requires authentication
# GRADLE_PLUGIN_REPOSITORY_USERNAME: "username"
# GRADLE_PLUGIN_REPOSITORY_USERNAME: "username"
@ -657,7 +699,7 @@ jobs:
java-version: 17
java-version: 17
- name: Setup Gradle to generate and submit dependency graphs
- name: Setup Gradle to generate and submit dependency graphs
uses: gradle/actions/setup-gradle@v3
uses: gradle/actions/setup-gradle@v4
with:
with:
dependency-graph: generate-and-submit
dependency-graph: generate-and-submit
- name: Build the app, generating a graph of dependencies required
- name: Build the app, generating a graph of dependencies required
@ -685,28 +727,106 @@ A known exception to this is that Gradle `7.0`, `7.0.1`, and `7.0.2` are not sup
See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
### Reducing storage costs for saved dependency graph artifacts
# Develocity Build Scan® integration
When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact.
Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
By default, these artifacts are retained for 30 days (or as configured for the repository).
detailed report of the execution of the build, including which tasks were executed and the results of any test execution.
To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number.
The `setup-gradle` plugin provides a number of features to enable and enhance publishing Build Scans® to a Develocity instance.
## Publishing to scans.gradle.com
If you don't have a a private Develocity instance, you can easily publish Build Scans to the
free, public Develocity instance (https://scans.gradle.com).
To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use).
```yaml
```yaml
- name: Generate dependency graph, but only retain artifact for one day
- name: Run a Gradle build - a build scan will be published automatically
run: ./gradlew build
```
```
# Develocity plugin injection
## Managing Develocity access keys
The `setup-gradle` action provides support for injecting and configuring the Develocity Gradle plugin into any Gradle build, without any modification to the project sources.
Develocity access keys are long-lived, creating risks if they are leaked. To mitigate this risk this,
This is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
the `setup-gradle` action can automatically attempt to obtain a [short-lived access token](https://docs.gradle.com/develocity/gradle-plugin/current/#short_lived_access_tokens)
to use when authenticating with Develocity.
The short-lived access token will then be used wherever a Develocity access key is required.
```yaml
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
with:
develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }} # Long-lived access key, visiblility is restricted to this step.
# Subsequent steps will automatically use a short-lived access token to authenticate with Develocity
- name: Run a Gradle build that is configured to publish to Develocity.
run: ./gradlew build
```
### Increasing the expiry time for Develocity access tokens
By default, a short-lived Develocity access token will be valid for 2 hours from the time it is generated. If your workflows take longer than
2 hours to complete, you may see failure to publish Build Scans due to access token expiry.
To avoid this, use the `develocity-token-expiry` parameter to specify a different token expiry in hours.
# The build will automatically use a short-lived access token to authenticate with Develocity
- name: Run a Gradle build that is configured to publish to Develocity.
run: ./gradlew build
```
### Failure to obtain a short-lived access token
If a short-lived token cannot be retrieved (for example, if the Develocity server version is lower than `2024.1`):
- If the access key is provided via `develocity-access-key`, then no access token is set and authentication with Develocity will not succeed.
- If the access key is provided via an environment variable, a warning will be logged and the environment variable will be left as-is.
This can result in long-lived access keys being unintentionally exposed to other workflow steps.
For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
## Develocity plugin injection
The `setup-gradle` action provides support for transparently injecting and configuring the Develocity Gradle plugin into any Gradle build,
without any modification to the project sources. This allows Build Scans to be published for a repository without any changes to the project sources.
Develocity injection is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
The same auto-injection behavior is available for the Common Custom User Data Gradle plugin, which enriches any build scans published with additional useful information.
The same auto-injection behavior is available for the Common Custom User Data Gradle plugin, which enriches any build scans published with additional useful information.
## Enabling Develocity injection
### Enabling Develocity injection
To enable Develocity injection for your build, you must provide the required configuration via inputs.
To enable Develocity injection for your build, you must provide the required configuration via inputs.
- name: Run a Gradle build with Develocity injection enabled
- name: Run a Gradle build with Develocity injection enabled
run: ./gradlew build
run: ./gradlew build
```
```
This configuration will automatically apply `v3.17.5` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
This configuration will automatically apply `v4.0` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable.
This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable.
### Short-lived access tokens
### Configuring Develocity injection
Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them.
If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`):
- if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning
- otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
## Configuring Develocity injection
The `init-script` supports several additional configuration parameters that you may find useful. All configuration options (required and optional) are detailed below:
The `init-script` supports several additional configuration parameters that you may find useful. All configuration options (required and optional) are detailed below:
| develocity-url | :white_check_mark: | the URL of the Develocity server |
| develocity-url | :white_check_mark: | the URL of the Develocity server |
| develocity-allow-untrusted-server | | allow communication with an untrusted server; set to _true_ if your Develocity instance is using a self-signed certificate |
| develocity-allow-untrusted-server | | allow communication with an untrusted server; set to _true_ if your Develocity instance is using a self-signed certificate |
@ -771,49 +884,50 @@ The `init-script` supports several additional configuration parameters that you
The input parameters can be expressed as environment variables following the relationships outlined in the table below:
The input parameters can be expressed as environment variables following the relationships outlined in the table below:
Develocity injection is designed to enable the publishing of build scans to a Develocity instance,
Develocity injection, Build Scan publishing and Dependency Graph generation all work by applying external plugins to your build.
but is also useful for publishing to the public Build Scans instance (https://scans.gradle.com).
If you project has [dependency verification enabled](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verification),
then you'll need to update your verification metadata to trust these plugins.
To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use).
Each of the plugins is signed by Gradle, and you can simply add the following snippet to your `dependency-verificaton.xml` file:
@ -4,6 +4,12 @@ This action validates the checksums of _all_ [Gradle Wrapper](https://docs.gradl
The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
> [!NOTE]
> Starting with v4 the `setup-gradle` action will automatically [perform wrapper validation](../docs/setup-gradle.md#gradle-wrapper-validation)
> on each execution.
>
> If you are using `setup-gradle` in your workflows, it is unlikely that you will need to use the `wrapper-validation` action.
## The Gradle Wrapper Problem in Open Source
## The Gradle Wrapper Problem in Open Source
The `gradle-wrapper.jar` is a binary blob of executable code that is checked into nearly
The `gradle-wrapper.jar` is a binary blob of executable code that is checked into nearly
@ -44,7 +50,7 @@ We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/
Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
```yaml
```yaml
uses: gradle/actions/wrapper-validation@v3
uses: gradle/actions/wrapper-validation@v4
```
```
This action step should precede any step using `gradle/gradle-build-action` or `gradle/actions/setup-gradle`.
This action step should precede any step using `gradle/gradle-build-action` or `gradle/actions/setup-gradle`.
@ -67,7 +73,7 @@ jobs:
runs-on: ubuntu-latest
runs-on: ubuntu-latest
steps:
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
- uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/wrapper-validation@v4
```
```
## Contributing to an external GitHub Repository
## Contributing to an external GitHub Repository
@ -90,18 +96,34 @@ We recommend the message commit contents of:
From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
## Reporting Failures
## Validation Failures
If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
A wrapper jar can fail validation for a few reasons:
1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
or `allow-snapshot-wrappers` to `true`.
2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
4. The wrapper jar was not published by Gradle, and could be compromised.
If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
#### Unverifiable Wrapper Jars
Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. If you have a validation failure, you should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
- If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
- If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
#### Wrapper Jar stored with Git LFS
and one of our valid release, you can compare them using this online utility: [diffoscope](https://try.diffoscope.org/).
If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
Regardless of what you find, we still kindly request that you reach out to us and let us know.
restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
```
steps:
- uses: actions/checkout@v4
with:
lfs: true # gradle-wrapper.jar verification will fail without this
Configuration-cache data will not be saved/restored without an encryption key being provided.
Configuration-cache data will not be saved/restored without an encryption key being provided.
required:false
required:false
cache-cleanup:
description:|
Specifies if the action should attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
By default ('on-success'), cleanup is performed when all Gradle builds succeed for the Job.
This behaviour can be disabled ('never'), or configured to always run irrespective of the build outcome ('always').
Valid values are 'never', 'on-success' and 'always'.
required:false
default:'on-success'
gradle-home-cache-cleanup:
description:When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
required:false
deprecation-message:This input has been superceded by the 'cache-cleanup' input parameter.
gradle-home-cache-includes:
gradle-home-cache-includes:
description:Paths within Gradle User Home to cache.
description:Paths within Gradle User Home to cache.
required:false
required:false
@ -51,11 +65,6 @@ inputs:
description:Paths within Gradle User Home to exclude from cache.
description:Paths within Gradle User Home to exclude from cache.
required:false
required:false
gradle-home-cache-cleanup:
description:When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
required:false
default:false
# Job summary configuration
# Job summary configuration
add-job-summary:
add-job-summary:
description:Specifies when a Job Summary should be inluded in the action results. Valid values are 'never', 'always' (default), and 'on-failure'.
description:Specifies when a Job Summary should be inluded in the action results. Valid values are 'never', 'always' (default), and 'on-failure'.
@ -71,15 +80,46 @@ inputs:
dependency-graph:
dependency-graph:
description:|
description:|
Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', 'download-and-submit' and 'clear'.
Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-submit-and-upload', 'generate-and-upload', and 'download-and-submit'.
required:false
required:false
default:'disabled'
default:'disabled'
dependency-graph-report-dir:
description:|
Specifies where the dependency graph report will be generated.
Paths can relative or absolute. Relative paths are resolved relative to the workspace directory.
required:false
default:'dependency-graph-reports'
dependency-graph-continue-on-failure:
dependency-graph-continue-on-failure:
description:When 'false' a failure to generate or submit a dependency graph will fail the Step or Job. When 'true' a warning will be emitted but no failure will result.
description:When 'false' a failure to generate or submit a dependency graph will fail the Step or Job. When 'true' a warning will be emitted but no failure will result.
required:false
required:false
default:true
default:true
dependency-graph-exclude-projects:
description:|
Gradle projects that should be excluded from dependency graph (regular expression).
When set, any matching project will be excluded.
required:false
dependency-graph-include-projects:
description:|
Gradle projects that should be included in dependency graph (regular expression).
When set, only matching projects will be included.
required:false
dependency-graph-exclude-configurations:
description:|
Gradle configurations that should be included in dependency graph (regular expression).
When set, anymatching configurations will be excluded.
required:false
dependency-graph-include-configurations:
description:|
Gradle configurations that should be included in dependency graph (regular expression).
When set, only matching configurations will be included.
required:false
artifact-retention-days:
artifact-retention-days:
description:Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
description:Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
required:false
required:false
@ -151,37 +191,23 @@ inputs:
# Wrapper validation configuration
# Wrapper validation configuration
validate-wrappers:
validate-wrappers:
description:|
description:|
When 'true', the action will perform the 'wrapper-validation' action automatically.
When 'true' (the default) the action will automatically validate all wrapper jars found in the repository.
If the wrapper checksums are not valid, the action will fail.
If the wrapper checksums are not valid, the action will fail.
required:false
required:false
default:true
allow-snapshot-wrappers:
description:|
When 'true', wrapper validation will include the checksums of snapshot wrapper jars.
Use this if you are running with nightly or snapshot versions of the Gradle wrapper.
required:false
default:false
default:false
# DEPRECATED ACTION INPUTS
# DEPRECATED ACTION INPUTS
build-scan-terms-of-service-url:
description:The URL to the Build Scan® terms of use. This input must be set to 'https://gradle.com/terms-of-service'.
required:false
deprecation-message:The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-url' instead.
build-scan-terms-of-service-agree:
description:Indicate that you agree to the Build Scan® terms of use. This input value must be "yes".
required:false
deprecation-message:The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-agree' instead.
generate-job-summary:
description:When 'false', no Job Summary will be generated for the Job.
required:false
default:true
deprecation-message:Superceded by the new 'add-job-summary' and 'add-job-summary-as-pr-comment' parameters.
arguments:
arguments:
description:Gradle command line arguments (supports multi-line input)
description:Gradle command line arguments (supports multi-line input)
required:false
required:false
deprecation-message:Using the action to execute Gradle directly is deprecated in favor of using the action to setup Gradle, and executing Gradle in a subsequent Step.
deprecation-message:This parameter has been deprecated and removed. It is only left here to allow for better reporting to assist users to migrate.
build-root-directory:
description:Path to the root directory of the build. Default is the root of the GitHub workspace.
required:false
deprecation-message:Using the action to execute Gradle directly is deprecated in favor of using the action to setup Gradle, and executing Gradle in a subsequent Step.
# EXPERIMENTAL ACTION INPUTS
# EXPERIMENTAL ACTION INPUTS
# The following action properties allow fine-grained tweaking of the action caching behaviour.
# The following action properties allow fine-grained tweaking of the action caching behaviour.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
