Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Co-authored-by: bot-githubaction <bot-githubaction@gradle.com>
Bumps the npm-dependencies group in /sources with 2 updates:
[@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)
and [ts-jest](https://github.com/kulshekhar/ts-jest).
Updates `@typescript-eslint/eslint-plugin` from 8.29.1 to 8.30.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/releases"><code>@typescript-eslint/eslint-plugin</code>'s
releases</a>.</em></p>
<blockquote>
<h2>v8.30.1</h2>
<h2>8.30.1 (2025-04-14)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> fix mistake with eslintrc config
generation (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11072">#11072</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Kirk Waiblinger <a
href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
<h2>v8.30.0</h2>
<h2>8.30.0 (2025-04-14)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>eslint-plugin:</strong> [no-explicit-any] suggest to replace
keyof any with PropertyKey (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11032">#11032</a>)</li>
</ul>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> [promise-function-async] use a
different error message for functions with promise and non-promise types
(<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/10950">#10950</a>)</li>
<li><strong>typescript-estree:</strong> use token type of
<code>PrivateIdentifier</code> instead of <code>Identifier</code> for
private identifiers (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11023">#11023</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Dima Barabash <a
href="https://github.com/dbarabashh"><code>@dbarabashh</code></a></li>
<li>Ronen Amiel</li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md"><code>@typescript-eslint/eslint-plugin</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>8.30.1 (2025-04-14)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> fix mistake with eslintrc config
generation (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11072">#11072</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Kirk Waiblinger <a
href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
<h2>8.30.0 (2025-04-14)</h2>
<h3>🚀 Features</h3>
<ul>
<li><strong>eslint-plugin:</strong> [no-explicit-any] suggest to replace
keyof any with PropertyKey (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11032">#11032</a>)</li>
</ul>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> [promise-function-async] use a
different error message for functions with promise and non-promise types
(<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/10950">#10950</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Dima Barabash <a
href="https://github.com/dbarabashh"><code>@dbarabashh</code></a></li>
<li>Ronen Amiel</li>
</ul>
<p>You can read about our <a
href="https://main--typescript-eslint.netlify.app/users/versioning">versioning
strategy</a> and <a
href="https://main--typescript-eslint.netlify.app/users/releases">releases</a>
on our website.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9531492c70"><code>9531492</code></a>
chore(release): publish 8.30.1</li>
<li><a
href="152def7dba"><code>152def7</code></a>
fix(eslint-plugin): fix mistake with eslintrc config generation (<a
href="https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin/issues/11072">#11072</a>)</li>
<li><a
href="b3688be33b"><code>b3688be</code></a>
chore(release): publish 8.30.0</li>
<li><a
href="3ccd79c0a5"><code>3ccd79c</code></a>
feat(eslint-plugin): [no-explicit-any] suggest to replace keyof any with
Prop...</li>
<li><a
href="128d95b5da"><code>128d95b</code></a>
fix(eslint-plugin): [promise-function-async] use a different error
message fo...</li>
<li><a
href="69e2f6c0d3"><code>69e2f6c</code></a>
feat: support stringly-typed extends (<a
href="https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin/issues/10973">#10973</a>)</li>
<li>See full diff in <a
href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.30.1/packages/eslint-plugin">compare
view</a></li>
</ul>
</details>
<br />
Updates `ts-jest` from 29.3.1 to 29.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/releases">ts-jest's
releases</a>.</em></p>
<blockquote>
<h2>v29.3.2</h2>
<p>Please refer to <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">ts-jest's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.1...v29.3.2">29.3.2</a>
(2025-04-12)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>fix: transpile <code>js</code> files from <code>node_modules</code>
whenever Jest asks (<a
href="https://github.com/kulshekhar/ts-jest/commit/968370e">968370e</a>),
closes <a
href="https://redirect.github.com/kulshekhar/ts-jest/issues/4637">#4637</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1c6017171"><code>e1c6017</code></a>
chore(release): 29.3.2</li>
<li><a
href="968370e6ef"><code>968370e</code></a>
fix: transpile <code>js</code> files from <code>node_modules</code>
whenever Jest asks (<a
href="https://redirect.github.com/kulshekhar/ts-jest/issues/4791">#4791</a>)</li>
<li><a
href="ddfd81287a"><code>ddfd812</code></a>
build(deps): Update dependency lint-staged to ^15.5.1</li>
<li><a
href="efd5274bf6"><code>efd5274</code></a>
build: use faster mode to build/serve doc</li>
<li><a
href="ccd9a0e798"><code>ccd9a0e</code></a>
build: fix npm audit issue for <code>website</code></li>
<li><a
href="7e730d3056"><code>7e730d3</code></a>
docs: add Hybrid Node module doc about <code>Node16/NodeNext</code></li>
<li><a
href="39a1222326"><code>39a1222</code></a>
test: add dynamic import code test for
<code>transpile-module</code></li>
<li><a
href="5a21aca63a"><code>5a21aca</code></a>
build(deps): Update dependency eslint-config-prettier to ^10.1.2</li>
<li><a
href="e10053f4f5"><code>e10053f</code></a>
build(deps): Update dependency vite to ^6.2.6</li>
<li><a
href="a83170c492"><code>a83170c</code></a>
build(deps): Update ESLint packages to ^8.29.1</li>
<li>Additional commits viewable in <a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.1...v29.3.2">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gradle group with 1 update in the
/.github/workflow-samples/java-toolchain directory:
org.gradle.toolchains.foojay-resolver-convention.
Bumps the gradle group with 1 update in the
/.github/workflow-samples/kotlin-dsl directory:
[com.google.guava:guava](https://github.com/google/guava).
Updates `org.gradle.toolchains.foojay-resolver-convention` from 0.9.0 to
0.10.0
Updates `com.google.guava:guava` from 33.4.6-jre to 33.4.8-jre
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/guava/releases">com.google.guava:guava's
releases</a>.</em></p>
<blockquote>
<h2>33.4.8</h2>
<p>Guava 33.4.8 fixes a problem that we introduced while starting to
migrate <code>guava-android</code> off <code>Unsafe</code> in <a
href="https://github.com/google/guava/releases/tag/v33.4.7">33.4.7</a>.</p>
<p>Even if you're not upgrading from Guava 33.4.0 or earlier, still read
<a href="https://github.com/google/guava/releases/tag/v33.4.1">the
release notes for Guava 33.4.1</a>. Those release notes contain
information about the effects of Guava 33.4.5 and higher on the module
system.</p>
<h3>Maven</h3>
<pre lang="xml"><code><dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>33.4.8-jre</version>
<!-- or, for Android: -->
<version>33.4.8-android</version>
</dependency>
</code></pre>
<h3>Jar files</h3>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.8-jre/guava-33.4.8-jre.jar">33.4.8-jre.jar</a></li>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.8-android/guava-33.4.8-android.jar">33.4.8-android.jar</a></li>
</ul>
<p>Guava requires <a
href="https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies">one
runtime dependency</a>, which you can download here:</p>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.3/failureaccess-1.0.3.jar">failureaccess-1.0.3.jar</a></li>
</ul>
<h3>Javadoc</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.8-jre/api/docs/">33.4.8-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.8-android/api/docs/">33.4.8-android</a></li>
</ul>
<h3>JDiff</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.8-jre/api/diffs/">33.4.8-jre vs.
33.4.7-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.8-android/api/diffs/">33.4.8-android
vs. 33.4.7-android</a></li>
<li><a
href="https://guava.dev/releases/33.4.8-android/api/androiddiffs/">33.4.8-android
vs. 33.4.8-jre</a></li>
</ul>
<h3>Changelog</h3>
<ul>
<li><code>util.concurrent</code>: Removed our <code>VarHandle</code>
code from <code>guava-android</code>. While the code was never used at
runtime under Android, it was causing <a
href="https://redirect.github.com/google/guava/issues/7769">problems
under the Android Gradle Plugin</a> with a <code>minSdkVersion</code>
below 26. To continue to avoid <code>sun.misc.Unsafe</code> under the
JVM, <code>guava-android</code> will now always use
<code>AtomicReferenceFieldUpdater</code> when run there.
(75da92419a)</li>
</ul>
<h2>33.4.7</h2>
<p><strong>Prefer to upgrade straight to <a
href="https://github.com/google/guava/releases/tag/v33.4.8">33.4.8</a>:</strong>
33.4.7 <a
href="https://redirect.github.com/google/guava/issues/7769">breaks the
build of Android apps with a minSdkVersion below 26</a>. We will publish
a fixed version soon. This problem is fixed in 33.4.8.</p>
<p>Guava 33.4.7, like <a
href="https://github.com/google/guava/releases/tag/v33.4.6">33.4.6</a>,
fixes two problems that we introduced while modularizing Guava and
migrating off <code>Unsafe</code> in <a
href="https://github.com/google/guava/releases/tag/v33.4.5">33.4.5</a>.</p>
<p>Even if you're not upgrading from Guava 33.4.0 or earlier, still read
<a href="https://github.com/google/guava/releases/tag/v33.4.1">the
release notes for Guava 33.4.1</a>. Those release notes contain
information about the effects of Guava 33.4.5 and higher on the module
system.</p>
<h3>Maven</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/google/guava/commits">compare view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-dependencies group in /sources with 2 updates:
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
and [typescript](https://github.com/microsoft/TypeScript).
Updates `@types/node` from 20.17.28 to 20.17.30
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
Updates `typescript` from 5.8.2 to 5.8.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/microsoft/TypeScript/releases">typescript's
releases</a>.</em></p>
<blockquote>
<h2>TypeScript 5.8.3</h2>
<p>For release notes, check out the <a
href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-8/">release
announcement</a>.</p>
<ul>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.0%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.0 (Beta)</a>.</li>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.1%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.1 (RC)</a>.</li>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.2%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.2 (Stable)</a>.</li>
<li><a
href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.8.3%22+is%3Aclosed+">fixed
issues query for Typescript 5.8.3 (Stable)</a>.</li>
</ul>
<p>Downloads are available on:</p>
<ul>
<li><a href="https://www.npmjs.com/package/typescript">npm</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="83dc0bb2ed"><code>83dc0bb</code></a>
Convert release publishing inputs into parameters (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61523">#61523</a>)</li>
<li><a
href="ba663f6ac2"><code>ba663f6</code></a>
Exclude completions of binding pattern variable initializers (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/52723">#52723</a>)</li>
<li><a
href="7205eda454"><code>7205eda</code></a>
Bump github/codeql-action from 3.28.12 to 3.28.13 in the github-actions
group...</li>
<li><a
href="89c572ca0c"><code>89c572c</code></a>
Fixed a symbol display crash on expando members write locations (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/55478">#55478</a>)</li>
<li><a
href="7b26d2eba5"><code>7b26d2e</code></a>
Fix incorrect name in new release pipeline (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61514">#61514</a>)</li>
<li><a
href="c7a559eeae"><code>c7a559e</code></a>
Add new release publisher yaml (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61491">#61491</a>)</li>
<li><a
href="29e6d6689d"><code>29e6d66</code></a>
Fix <code>lib.includes('dom')</code> check in
<code>containerSeemsToBeEmptyDomElement</code> (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61481">#61481</a>)</li>
<li><a
href="19b777260b"><code>19b7772</code></a>
Bump the github-actions group with 4 updates (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61474">#61474</a>)</li>
<li><a
href="4dc677b292"><code>4dc677b</code></a>
Fix errors on type assertions in erasableSyntaxOnly (<a
href="https://redirect.github.com/microsoft/TypeScript/issues/61452">#61452</a>)</li>
<li><a
href="ee3dd7264b"><code>ee3dd72</code></a>
fix(60908): Unexpected "'Type' is declared but its value is never
read." erro...</li>
<li>Additional commits viewable in <a
href="https://github.com/microsoft/TypeScript/compare/v5.8.2...v5.8.3">compare
view</a></li>
</ul>
</details>
<br />
<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>
| Dependency Name | Ignore Conditions |
| --- | --- |
| @types/node | [>= 22.a, < 23] |
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the github-actions group with 2 updates in the / directory:
[tj-actions/changed-files](https://github.com/tj-actions/changed-files)
and [github/codeql-action](https://github.com/github/codeql-action).
Updates `tj-actions/changed-files` from 46.0.3 to 46.0.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tj-actions/changed-files/releases">tj-actions/changed-files's
releases</a>.</em></p>
<blockquote>
<h2>v46.0.4</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v46.0.3 by <a
href="https://github.com/github-actions"><code>@github-actions</code></a>
in <a
href="https://redirect.github.com/tj-actions/changed-files/pull/2506">tj-actions/changed-files#2506</a></li>
<li>docs: update readme by <a
href="https://github.com/jackton1"><code>@jackton1</code></a> in <a
href="https://redirect.github.com/tj-actions/changed-files/pull/2508">tj-actions/changed-files#2508</a></li>
<li>fix: bug modified_keys and changed_key outputs not set when no
changes detected by <a
href="https://github.com/jackton1"><code>@jackton1</code></a> in <a
href="https://redirect.github.com/tj-actions/changed-files/pull/2509">tj-actions/changed-files#2509</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tj-actions/changed-files/compare/v46...v46.0.4">https://github.com/tj-actions/changed-files/compare/v46...v46.0.4</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tj-actions/changed-files/blob/main/HISTORY.md">tj-actions/changed-files's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h1><a
href="https://github.com/tj-actions/changed-files/compare/v46.0.3...v46.0.4">46.0.4</a>
- (2025-04-03)</h1>
<h2><!-- raw HTML omitted -->🐛 Bug Fixes</h2>
<ul>
<li>Bug modified_keys and changed_key outputs not set when no changes
detected (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2509">#2509</a>)
(<a
href="6cb76d07be">6cb76d0</a>)
- (Tonye Jack)</li>
</ul>
<h2><!-- raw HTML omitted -->📚 Documentation</h2>
<ul>
<li>Update readme (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2508">#2508</a>)
(<a
href="b74df86ccb">b74df86</a>)
- (Tonye Jack)</li>
</ul>
<h2><!-- raw HTML omitted -->⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v46.0.3 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2506">#2506</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted -->
Co-authored-by: Tonye Jack <a
href="mailto:jtonye@ymail.com">jtonye@ymail.com</a> (<a
href="27ae6b33ea">27ae6b3</a>)
- (github-actions[bot])</p>
<h1><a
href="https://github.com/tj-actions/changed-files/compare/v46.0.2...v46.0.3">46.0.3</a>
- (2025-03-23)</h1>
<h2><!-- raw HTML omitted -->🔄 Update</h2>
<ul>
<li>Updated README.md (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2501">#2501</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted --> (<a
href="41e0de576a">41e0de5</a>)
- (github-actions[bot])</p>
<ul>
<li>Updated README.md (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2499">#2499</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted --> (<a
href="945787811a">9457878</a>)
- (github-actions[bot])</p>
<h2><!-- raw HTML omitted -->📚 Documentation</h2>
<ul>
<li>Remove warning (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2504">#2504</a>)
(<a
href="8132356842">8132356</a>)
- (Tonye Jack)</li>
</ul>
<h2><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h2>
<ul>
<li><strong>deps:</strong> Bump test/demo from <code>5dfac2e</code> to
<code>c6bd3b3</code> (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2505">#2505</a>)
(<a
href="823fcebdb3">823fceb</a>)
- (dependabot[bot])</li>
<li>Pin github actions (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2503">#2503</a>)
(<a
href="7a369a7175">7a369a7</a>)
- (Tonye Jack)</li>
<li><strong>deps-dev:</strong> Bump <code>@types/node</code> from
22.13.10 to 22.13.11 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2502">#2502</a>)
(<a
href="9468856c22">9468856</a>)
- (dependabot[bot])</li>
</ul>
<h2><!-- raw HTML omitted -->⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v46.0.2 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2500">#2500</a>)</li>
</ul>
<p>Co-authored-by: github-actions[bot] <!-- raw HTML omitted -->
Co-authored-by: Tonye Jack <a
href="mailto:jtonye@ymail.com">jtonye@ymail.com</a> (<a
href="401c7227d1">401c722</a>)
- (github-actions[bot])</p>
<h1><a
href="https://github.com/tj-actions/changed-files/compare/v46.0.1...v46.0.2">46.0.2</a>
- (2025-03-22)</h1>
<h2><!-- raw HTML omitted -->🐛 Bug Fixes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6cb76d07be"><code>6cb76d0</code></a>
fix: bug modified_keys and changed_key outputs not set when no changes
detect...</li>
<li><a
href="b74df86ccb"><code>b74df86</code></a>
docs: update readme (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2508">#2508</a>)</li>
<li><a
href="27ae6b33ea"><code>27ae6b3</code></a>
Upgraded to v46.0.3 (<a
href="https://redirect.github.com/tj-actions/changed-files/issues/2506">#2506</a>)</li>
<li>See full diff in <a
href="823fcebdb3...6cb76d07be">compare
view</a></li>
</ul>
</details>
<br />
Updates `github/codeql-action` from 3.28.13 to 3.28.15
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.28.15</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.28.15 - 07 Apr 2025</h2>
<ul>
<li>Fix bug where the action would fail if it tried to produce a debug
artifact with more than 65535 files. <a
href="https://redirect.github.com/github/codeql-action/pull/2842">#2842</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.28.15/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.28.14</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>3.28.14 - 07 Apr 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2838">#2838</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.28.14/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.28.15 - 07 Apr 2025</h2>
<ul>
<li>Fix bug where the action would fail if it tried to produce a debug
artifact with more than 65535 files. <a
href="https://redirect.github.com/github/codeql-action/pull/2842">#2842</a></li>
</ul>
<h2>3.28.14 - 07 Apr 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2838">#2838</a></li>
</ul>
<h2>3.28.13 - 24 Mar 2025</h2>
<p>No user facing changes.</p>
<h2>3.28.12 - 19 Mar 2025</h2>
<ul>
<li>Dependency caching should now cache more dependencies for Java
<code>build-mode: none</code> extractions. This should speed up
workflows and avoid inconsistent alerts in some cases.</li>
<li>Update default CodeQL bundle version to 2.20.7. <a
href="https://redirect.github.com/github/codeql-action/pull/2810">#2810</a></li>
</ul>
<h2>3.28.11 - 07 Mar 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.20.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2793">#2793</a></li>
</ul>
<h2>3.28.10 - 21 Feb 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.20.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2772">#2772</a></li>
<li>Address an issue where the CodeQL Bundle would occasionally fail to
decompress on macOS. <a
href="https://redirect.github.com/github/codeql-action/pull/2768">#2768</a></li>
</ul>
<h2>3.28.9 - 07 Feb 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.20.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2753">#2753</a></li>
</ul>
<h2>3.28.8 - 29 Jan 2025</h2>
<ul>
<li>Enable support for Kotlin 2.1.10 when running with CodeQL CLI
v2.20.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2744">#2744</a></li>
</ul>
<h2>3.28.7 - 29 Jan 2025</h2>
<p>No user facing changes.</p>
<h2>3.28.6 - 27 Jan 2025</h2>
<ul>
<li>Re-enable debug artifact upload for CLI versions 2.20.3 or greater.
<a
href="https://redirect.github.com/github/codeql-action/pull/2726">#2726</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="45775bd823"><code>45775bd</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2854">#2854</a>
from github/update-v3.28.15-a35ae8c38</li>
<li><a
href="dd78aab407"><code>dd78aab</code></a>
Update CHANGELOG.md with bug fix details</li>
<li><a
href="e40af59174"><code>e40af59</code></a>
Update changelog for v3.28.15</li>
<li><a
href="a35ae8c380"><code>a35ae8c</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2843">#2843</a>
from github/cklin/diff-informed-compat</li>
<li><a
href="bb59df6c17"><code>bb59df6</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2842">#2842</a>
from github/henrymercer/zip64</li>
<li><a
href="4b508f5964"><code>4b508f5</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2845">#2845</a>
from github/mergeback/v3.28.14-to-main-fc7e4a0f</li>
<li><a
href="ca00afb5f1"><code>ca00afb</code></a>
Update checked-in dependencies</li>
<li><a
href="2969c78ce0"><code>2969c78</code></a>
Update changelog and version after v3.28.14</li>
<li><a
href="fc7e4a0fa0"><code>fc7e4a0</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2844">#2844</a>
from github/update-v3.28.14-362ef4ce2</li>
<li><a
href="be0175c800"><code>be0175c</code></a>
Update changelog for v3.28.14</li>
<li>Additional commits viewable in <a
href="1b549b9259...45775bd823">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gradle group with 1 update in the
/.github/workflow-samples/groovy-dsl directory:
com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 1 update in the
/.github/workflow-samples/kotlin-dsl directory:
com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 2 updates in the /sources/test/init-scripts
directory: com.gradle.common-custom-user-data-gradle-plugin and
[com.fasterxml.jackson.dataformat:jackson-dataformat-smile](https://github.com/FasterXML/jackson-dataformats-binary).
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to
2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to
2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to
2.2.1
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-smile` from
2.18.2 to 2.18.3
<details>
<summary>Commits</summary>
<ul>
<li><a
href="acc383b238"><code>acc383b</code></a>
[maven-release-plugin] prepare release
jackson-dataformats-binary-2.18.3</li>
<li><a
href="5184301b79"><code>5184301</code></a>
Prep for 2.18.3</li>
<li><a
href="a390dde5ff"><code>a390dde</code></a>
Fix release notes</li>
<li><a
href="2576b3901c"><code>2576b39</code></a>
Merge branch '2.17' into 2.18</li>
<li><a
href="509c39c497"><code>509c39c</code></a>
Add release notes for <a
href="https://redirect.github.com/FasterXML/jackson-dataformats-binary/issues/541">#541</a></li>
<li><a
href="aae1b3714a"><code>aae1b37</code></a>
SmileParser getValueAsString() issue with JsonToken.FIELD_NAME (<a
href="https://redirect.github.com/FasterXML/jackson-dataformats-binary/issues/540">#540</a>)</li>
<li><a
href="b7a257507d"><code>b7a2575</code></a>
Move test for <a
href="https://redirect.github.com/FasterXML/jackson-dataformats-binary/issues/75">#75</a>
from failing to non-failing</li>
<li><a
href="de5efeef12"><code>de5efee</code></a>
Back to snapshot deps</li>
<li><a
href="1f27842342"><code>1f27842</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li>See full diff in <a
href="https://github.com/FasterXML/jackson-dataformats-binary/compare/jackson-dataformats-binary-2.18.2...jackson-dataformats-binary-2.18.3">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Bumps the npm-dependencies group in /sources with 2 updates:
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
and [ts-jest](https://github.com/kulshekhar/ts-jest).
Updates `@types/node` from 20.17.27 to 20.17.28
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
Updates `ts-jest` from 29.3.0 to 29.3.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/releases">ts-jest's
releases</a>.</em></p>
<blockquote>
<h2>v29.3.1</h2>
<p>Please refer to <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md">ts-jest's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.0...v29.3.1">29.3.1</a>
(2025-03-31)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>fix: allow <code>isolatedModules</code> mode to have
<code>ts.Program</code> under <code>Node16/Next</code> (<a
href="https://github.com/kulshekhar/ts-jest/commit/25157eb">25157eb</a>)</li>
<li>fix: improve message for <code>isolatedModules</code> of
<code>ts-jest</code> config (<a
href="https://github.com/kulshekhar/ts-jest/commit/547eb6f">547eb6f</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7738269b23"><code>7738269</code></a>
chore(release): 29.3.1</li>
<li><a
href="04a12d73ab"><code>04a12d7</code></a>
test: improve <code>examples</code> folder</li>
<li><a
href="547eb6f811"><code>547eb6f</code></a>
fix: improve message for <code>isolatedModules</code> of
<code>ts-jest</code> config</li>
<li><a
href="0c3465fe26"><code>0c3465f</code></a>
docs: indicate clearer about <code>isolatedModules</code>
deprecation</li>
<li><a
href="25157eb124"><code>25157eb</code></a>
fix: allow <code>isolatedModules</code> mode to have Program under
<code>Node16/Next</code></li>
<li><a
href="cc1f630b98"><code>cc1f630</code></a>
build(deps): Update dependency <code>@types/node</code> to
v20.17.28</li>
<li><a
href="66bde83d25"><code>66bde83</code></a>
build(deps): Update dependency <code>@types/semver</code> to
^7.7.0</li>
<li><a
href="a4275caf18"><code>a4275ca</code></a>
Remove --no-audit</li>
<li><a
href="38cacd360d"><code>38cacd3</code></a>
Add NPM cache</li>
<li><a
href="36e3883310"><code>36e3883</code></a>
build(deps): Update dependency <code>@formatjs/ts-transformer</code> to
^3.13.34</li>
<li>Additional commits viewable in <a
href="https://github.com/kulshekhar/ts-jest/compare/v29.3.0...v29.3.1">compare
view</a></li>
</ul>
</details>
<br />
<details>
<summary>Most Recent Ignore Conditions Applied to This Pull
Request</summary>
| Dependency Name | Ignore Conditions |
| --- | --- |
| @types/node | [>= 22.a, < 23] |
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gradle group with 1 update in the /.github/workflow-samples/groovy-dsl directory: com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 1 update in the /.github/workflow-samples/kotlin-dsl directory: com.gradle.common-custom-user-data-gradle-plugin.
Bumps the gradle group with 2 updates in the /sources/test/init-scripts directory: com.gradle.common-custom-user-data-gradle-plugin and [com.fasterxml.jackson.dataformat:jackson-dataformat-smile](https://github.com/FasterXML/jackson-dataformats-binary).
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to 2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to 2.2.1
Updates `com.gradle.common-custom-user-data-gradle-plugin` from 2.1 to 2.2.1
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-smile` from 2.18.2 to 2.18.3
- [Commits](https://github.com/FasterXML/jackson-dataformats-binary/compare/jackson-dataformats-binary-2.18.2...jackson-dataformats-binary-2.18.3)
---
updated-dependencies:
- dependency-name: com.gradle.common-custom-user-data-gradle-plugin
dependency-version: 2.2.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gradle
- dependency-name: com.gradle.common-custom-user-data-gradle-plugin
dependency-version: 2.2.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gradle
- dependency-name: com.gradle.common-custom-user-data-gradle-plugin
dependency-version: 2.2.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gradle
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-smile
dependency-version: 2.18.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: gradle
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps the gradle group with 1 update in the
/.github/workflow-samples/kotlin-dsl directory:
[com.google.guava:guava](https://github.com/google/guava).
Updates `com.google.guava:guava` from 33.4.5-jre to 33.4.6-jre
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/google/guava/releases">com.google.guava:guava's
releases</a>.</em></p>
<blockquote>
<h2>33.4.6</h2>
<p>Guava 33.4.6 fixes two problems that we introduced while modularizing
Guava in <a
href="https://github.com/google/guava/releases/tag/v33.4.5">33.4.5</a>.</p>
<p>Even if you're not upgrading from Guava 33.4.0 or earlier, still read
<a href="https://github.com/google/guava/releases/tag/v33.4.1">the
release notes for Guava 33.4.1</a>. Those release notes contain
information about Guava 33.4.5 and 33.4.6's effect on the module
system.</p>
<h3>Maven</h3>
<pre lang="xml"><code><dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>33.4.6-jre</version>
<!-- or, for Android: -->
<version>33.4.6-android</version>
</dependency>
</code></pre>
<h3>Jar files</h3>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.6-jre/guava-33.4.6-jre.jar">33.4.6-jre.jar</a></li>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/guava/33.4.6-android/guava-33.4.6-android.jar">33.4.6-android.jar</a></li>
</ul>
<p>Guava requires <a
href="https://github.com/google/guava/wiki/UseGuavaInYourBuild#what-about-guavas-own-dependencies">one
runtime dependency</a>, which you can download here:</p>
<ul>
<li><a
href="https://repo1.maven.org/maven2/com/google/guava/failureaccess/1.0.3/failureaccess-1.0.3.jar">failureaccess-1.0.3.jar</a></li>
</ul>
<h3>Javadoc</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.6-jre/api/docs/">33.4.6-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.6-android/api/docs/">33.4.6-android</a></li>
</ul>
<h3>JDiff</h3>
<ul>
<li><a
href="https://guava.dev/releases/33.4.6-jre/api/diffs/">33.4.6-jre vs.
33.4.5-jre</a></li>
<li><a
href="https://guava.dev/releases/33.4.6-android/api/diffs/">33.4.6-android
vs. 33.4.5-android</a></li>
<li><a
href="https://guava.dev/releases/33.4.6-android/api/androiddiffs/">33.4.6-android
vs. 33.4.6-jre</a></li>
</ul>
<h3>Changelog</h3>
<ul>
<li>Removed the extra copy of each class from the Guava jar. The extra
copies were an accidental addition from the modularization work in <a
href="https://github.com/google/guava/releases/tag/v33.4.5">Guava
33.4.5</a>. (40485b93ce)</li>
<li>Fixed annotation-related warnings when using Guava in modular
builds. The most common such warning is <code>Cannot find annotation
method 'value()' in type 'DoNotMock': ...</code>. (7e15ab3566)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/google/guava/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The request for a short lived access token fails if the server
certificate is self signed and `develocity-allow-untrusted-server` is
set to true.
I wasn't sure how to write a test for this since nock does not seem to
support mocking a ssl error response.
By inspecting a greater range of build operations for failure, the Job
summary will correctly reflect the build outcome in more circumstances.
Note that we now use the old 'buildFinished' mechanism for all Gradle
versions < `7.0`, instead of using the BuildService mechanism for all
Gradle versions from `6.6`. This avoids needing to deal with
inconsistent build operations present in Gradle versions `[6.6, 7.0)`.
Fixes#415
Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Fixes the Groovy syntax in 2 init-scripts to avoid deprecation warnings.
The fix to the DV injection script is temporary, and will be replaced by
a fix in the upstream reference script.
Fixes#541
Due to an issue with dependency-review-action (https://github.com/gradle/actions/issues/482),
the setup described in the documentation can result in duplicate
dependencies being added to the dependency graph.
To avoid this, we now recommend using a common `dependency-submission`
workflow for both pushes to `main` and pull requests.
The `dependency-review` workflow runs on any `pull_request` but will wait
for the `dependency-submission` to complete.
This setup works for both the standard setup, and for the advanced setup for
pull requests from repository forks.
# Combined PRs ➡️📦⬅️✅ The following pull requests have been successfully combined on this
PR:
- Closes#534 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/kotlin-dsl
- Closes#533 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/java-toolchain
- Closes#532 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/groovy-dsl
- Closes#531 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/.github/workflow-samples/gradle-plugin
- Closes#530 Bump Gradle Wrapper from 8.12 to 8.12.1 in
/sources/test/init-scripts
> This PR was created by the
[`github/combine-prs`](https://github.com/github/combine-prs) action
---------
Signed-off-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
The cache-cleanup operation works by executing Gradle on a dummy project
and a custom init-script. The version of Gradle used should be at least
as high as the newest version used to run a build.
Previously, if the Gradle version on PATH didn't meet this requirement,
the action would download and install the required Gradle version.
With this PR, the action will now use an existing Gradle wrapper
distribution if it meets the requirement. This avoids unnecessary
downloads of Gradle versions that are already present on the runner.
The logic is:
- Determine the newest version of Gradle that was executed during the
Job. This is the 'minimum version' for cache cleanup.
- Inspect the Gradle version on PATH and any detected wrapper scripts to
see if they meet the 'minimum version'.
- The first executable that is found to meet the requirements will be
used for cache-cleanup.
- If no executable is found that meets the requirements, attempt to
provision Gradle with the 'minimum version'.
Fixes#515
The cache-cleanup operation works by executing Gradle on a dummy project
and a custom init-script. The init-script requires at least Gradle 8.11
to work.
Ideally, the version of Gradle used for cleanup should be no older than
the newest one that wrote entries to Gradle User Home. If an older
Gradle version is used for cache-cleanup, it will not remove entries
written specifically for newer versions.
With this change, we now attempt to ensure that cache-cleanup is run
with the best Gradle version available. We inspect the Gradle version on
PATH to see if it is new enough, otherwise we will provision a Gradle
version equal to the newest one that ran in the Job.
The logic is:
- Determine the newest version of Gradle that was executed during the
Job. This is the 'minimum version' for cache cleanup.
- Inspect the Gradle version on PATH (if any) to see if it is equal to
or newer than the 'minimum version'.
- If the version Gradle on PATH is new enough, use that version for
cache-cleanup.
- If not, attempt to provision Gradle with the 'minimum version'.
Fixes#436
This change primarily impacts test projects and documentation. The only
material impact is that CCUD 2.1 will now be auto-applied when
publishing Build Scans automatically with `build-scan-publish: true`.
(Develocity injection does not hard-code any CCUD version)
Diagnosing unexpected dependencies in the GitHub Dependency Graph can
be difficult. In order to aid with diagnosis, the `dependency-submission`
action will now save each dependency-graph file as a workflow artifact.
If this is undesirable, the prior behaviour can be restored by explicitly setting
`dependency-graph: generate-and-submit`.
Fixes#519
The Gradle build used to perform cache-cleanup will run in the context of init-scripts
provided by the action, including those that collect build-results.
In some circumstances this can lead to unexpected results, such as saving configuration-cache
entries for cache cleanup executions.
With this change, build results will not be captured for cache-cleanup builds.
Previously we were relying on Gradle to substitute JDK environment variables
in toolchains.xml. With this change, the actual path to the JDK is encoded instead.
This should avoid issues where Gradle is not able to successfully resolve the
envioronment variable.
# Combined PRs ➡️📦⬅️✅ The following pull requests have been successfully combined on this
PR:
- Closes#498 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/kotlin-dsl
- Closes#497 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/java-toolchain
- Closes#496 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/groovy-dsl
- Closes#495 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/.github/workflow-samples/gradle-plugin
- Closes#494 Bump Gradle Wrapper from 8.11.1 to 8.12 in
/sources/test/init-scripts
> This PR was created by the
[`github/combine-prs`](https://github.com/github/combine-prs) action
---------
Signed-off-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: bot-githubaction <bot-githubaction@gradle.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: daz <daz@gradle.com>
Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Co-authored-by: bigdaz <179734+bigdaz@users.noreply.github.com>
Bumps the gradle group with 1 update in the /sources/test/init-scripts
directory:
[com.fasterxml.jackson.dataformat:jackson-dataformat-smile](https://github.com/FasterXML/jackson-dataformats-binary).
Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-smile` from
2.18.1 to 2.18.2
<details>
<summary>Commits</summary>
<ul>
<li><a
href="147bc6024b"><code>147bc60</code></a>
[maven-release-plugin] prepare release
jackson-dataformats-binary-2.18.2</li>
<li><a
href="92648ab980"><code>92648ab</code></a>
Prep for 2.18.2</li>
<li><a
href="d31d695767"><code>d31d695</code></a>
Merge branch '2.17' into 2.18</li>
<li><a
href="a7232c691a"><code>a7232c6</code></a>
Back to snapshot dep</li>
<li><a
href="b362d85402"><code>b362d85</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="d817f53ab6"><code>d817f53</code></a>
[maven-release-plugin] prepare release
jackson-dataformats-binary-2.17.3</li>
<li><a
href="d88c088671"><code>d88c088</code></a>
Prep for 2.17.3</li>
<li><a
href="fa5abd6573"><code>fa5abd6</code></a>
Back to snapshot dep</li>
<li><a
href="d048e2fd91"><code>d048e2f</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li>See full diff in <a
href="https://github.com/FasterXML/jackson-dataformats-binary/compare/jackson-dataformats-binary-2.18.1...jackson-dataformats-binary-2.18.2">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Automatically generated pull request to update the known wrapper
checksums.
In case of conflicts, manually run the workflow from the [Actions
tab](https://github.com/gradle/actions/actions/workflows/update-checksums-file.yml),
the changes will then be force-pushed onto this pull request branch.
Do not manually update the pull request branch; those changes might get
overwritten.
> [!IMPORTANT]
> GitHub workflows have not been executed for this pull request yet.
Before merging, close and then directly reopen this pull request to
trigger the workflows.
Co-authored-by: bigdaz <179734+bigdaz@users.noreply.github.com>
The build-result-capture.init.gradle script was making some assumptions about
extensions and plugin application that do not apply with the newest GE plugin.
Fixes#449
This test was originally starting with an empty set of checksums,
leading to the download of a checksum for every released and snapshot
version. This resulted in in sporadic test failures.
We now start with a known set of checksums and ensure that those that
are missing are downloaded. This involved some refactoring and
improvement in the way snapshot checksums are processed.
Although we run `setup-gradle` with all/most wrapper files, this global
workflow will ensure that all wrapper files in the repo are valid.
(This should help with the OSSF scorecard)
The cache-cleanup API has changed, so the init-script that worked with
Gradle 8.9 no longer works with 8.11.
We now provision and use Gradle 8.11 for cache cleanup.
This provides a band-aid fix for #417 but that issue will still impact
any build configured to run with Gradle > 8.11
This test assumed that at least one 'snapshot' wrapper checksum was unique,
and not contained in the set of wrapper checksums for released distributions.
This is no longer the case, so the assumption has been modified.
Instead of always installing and using the latest Gradle version for
cache cleanup, we now require at least Gradle 8.9.
This avoids downloading and installing Gradle if the version on PATH is
sufficient to perform cache cleanup.
- Create a tag for the release. The tag should have the format `v4.1.0`
- From CLI: `git tag v4.1.0 && git push --tags`
- From CLI: `git tag -s -m "v4.1.0" v4.1.0 && git push --tags`
- Note that we sign the tag and set the commit message for the tag to the newly released version.
- Go to https://github.com/gradle/actions/releases and "Draft new release"
- Use the newly created tag and copy the tag name exactly as the release title.
- Craft release notes content based on issues closed, PRs merged and commits
- Include a Full changelog link in the format https://github.com/gradle/actions/compare/v2.12.0...v3.0.0
- Publish the release.
- Force push the `v4` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
- From CLI: `git tag -f -a -m "v4.0.0" v4 v4.0.0 && git push -f --tags`
- Note that we set the commit message for the tag to the newly released version.
- From CLI: `git tag -f -s -a -m "v4.0.0" v4 v4.0.0 && git push -f --tags`
- Note that we sign the tag and set the commit message for the tag to the newly released version.
Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
Specifies how the dependency-graph should be handled by this action.
By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
Valid values are:
'generate-and-submit' (default):Generates a dependency graph for the project and submits it in the same Job.
'generate-and-upload':Generates a dependency graph for the project and saves it as a workflow artifact.
'generate-and-submit':Generates a dependency graph for the project and submits it in the same Job.
'generate-submit-and-upload (default)':As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
'generate-and-upload':Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
'download-and-submit':Retrieves a previously saved dependency-graph and submits it to the repository.
Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
where the workflow generating the dependency-graph cannot (or should not) be given the `contents:write` permissions
required to submit via the Dependency Submission API.
required:false
default:'generate-and-submit'
default:'generate-submit-and-upload'
dependency-graph-report-dir:
description:|
@ -147,7 +150,6 @@ inputs:
artifact-retention-days:
description:Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
@ -295,12 +321,19 @@ The GitHub [dependency-review-action](https://github.com/actions/dependency-revi
understand dependency changes (and the security impact of these changes) for a pull request,
by comparing the dependency graph for the pull-request with that of the HEAD commit.
Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
Integrating the Dependency Review Action requires 2 changes to your workflows:
#### 1. Add a `pull_request` trigger to your existing Dependency Submission workflow.
In order to perform Dependency Review on a pull request, the dependency graph must be submitted for the pull request.
To do this, simply add a `pull_request` trigger to your existing dependency submission workflow.
```yaml
name: Dependency review for pull requests
name: Dependency Submission
on:
push:
branches: [ 'main' ]
pull_request:
permissions:
@ -318,11 +351,37 @@ jobs:
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v4
- name: Perform dependency review
uses: actions/dependency-review-action@v4
```
#### 2. Add a dedicated Dependency Review workflow
The Dependency Review workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
Here's an example of a separate "Dependency Review" workflow that will wait up to 10 minutes for dependency submission to complete.
```yaml
name: Dependency Review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
```
The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the modified dependency-submission workflow to complete.
## Usage with pull requests from public forked repositories
This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
@ -381,36 +440,6 @@ jobs:
dependency-graph: download-and-submit # Download saved dependency-graph and submit
```
### Integrating `dependency-review-action` for pull requests from public forked repositories
To integrate the `dependency-review-action` into the pull request workflows above, a third workflow file is required.
This workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the above PR check workflow to complete.
```yaml
name: dependency-review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
```
The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
# Gradle version compatibility
Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against
@ -60,7 +60,7 @@ Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid havi
- name: Setup Gradle 8.10
uses: gradle/actions/setup-gradle@v4
with:
gradle-version: "8.10" # Quotes required to prevent YAML converting to number
gradle-version: '8.10' # Quotes required to prevent YAML converting to number
- name: Build with Gradle 8.10
run: gradle build
```
@ -127,6 +127,8 @@ cache-disabled: true
By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
Jobs on other branches will read entries from the cache but will not write updated entries.
This setup is designed around [GitHub imposed restrictions on cache access](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) and should work well in most scenarios.
See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.
In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
@ -196,6 +198,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
> [!IMPORTANT]
> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
To benefit from configuration caching in your GitHub Actions workflow, you must:
- Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
> [!NOTE]
> The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
> This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
> This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@ -430,6 +438,15 @@ so that a Job Summary is never generated, or so that a Job Summary is only gener
add-job-summary: 'on-failure' # Valid values are 'always' (default), 'never', and 'on-failure'
```
### Excluding specific Gradle builds from Job Summary
The Job Summary works by installing an init-script in Gradle User Home which will record details of any Gradle execution during the workflow.
This means that any Gradle excecution sharing the same Gradle User Home will show up in the Job Summary, which may include Gradle executions
run as part of integration testing.
To avoid having these test builds show up in the Job Summary, add the `GRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true` environment variable
to the process that executes Gradle. This will stop the init-script from collecting any build results.
### Adding Job Summary as a Pull Request comment
It is sometimes more convenient to view the results of a GitHub Actions Job directly from the Pull Request that triggered
@ -457,7 +474,7 @@ jobs:
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
with:
add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure'
add-job-summary-as-pr-comment: 'on-failure' # Valid values are 'never' (default), 'always', and 'on-failure'
- run: ./gradlew build --scan
```
@ -502,7 +519,7 @@ jobs:
if: always()
with:
name: build-reports
path: build/reports/
path: **/build/reports/
```
### Use of custom init-scripts in Gradle User Home
@ -658,7 +675,7 @@ jobs:
- name: Run a build, resolving the 'dependency-graph' plugin from the plugin portal proxy
# Set the following variables if your custom plugin repository requires authentication
# GRADLE_PLUGIN_REPOSITORY_USERNAME: "username"
@ -710,20 +727,6 @@ A known exception to this is that Gradle `7.0`, `7.0.1`, and `7.0.2` are not sup
See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
### Reducing storage costs for saved dependency graph artifacts
When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact.
By default, these artifacts are retained for 30 days (or as configured for the repository).
To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number.
```yaml
- name: Generate dependency graph, but only retain artifact for one day
uses: gradle/actions/setup-gradle@v4
with:
dependency-graph: generate
artifact-retention-days: 1
```
# Develocity Build Scan® integration
Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
@ -743,8 +746,8 @@ To publish to https://scans.gradle.com, you must specify in your workflow that y
- name: Run a Gradle build - a build scan will be published automatically
run: ./gradlew build
@ -753,7 +756,8 @@ To publish to https://scans.gradle.com, you must specify in your workflow that y
## Managing Develocity access keys
Develocity access keys are long-lived, creating risks if they are leaked. To mitigate this risk this,
the `setup-gradle` action can automatically attempt to obtain a short-lived access token to authenticate with Develocity.
the `setup-gradle` action can automatically attempt to obtain a [short-lived access token](https://docs.gradle.com/develocity/gradle-plugin/current/#short_lived_access_tokens)
to use when authenticating with Develocity.
The short-lived access token will then be used wherever a Develocity access key is required.
```yaml
@ -767,6 +771,21 @@ The short-lived access token will then be used wherever a Develocity access key
run: ./gradlew build
```
### Increasing the expiry time for Develocity access tokens
By default, a short-lived Develocity access token will be valid for 2 hours from the time it is generated. If your workflows take longer than
2 hours to complete, you may see failure to publish Build Scans due to access token expiry.
To avoid this, use the `develocity-token-expiry` parameter to specify a different token expiry in hours.
- name: Run a Gradle build with Develocity injection enabled
run: ./gradlew build
```
This configuration will automatically apply `v3.18` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
This configuration will automatically apply `v4.0` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
@ -838,10 +857,10 @@ In the likely scenario that your Develocity server requires authentication, you
- name: Run a Gradle build with Develocity injection enabled
This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable.
@ -851,7 +870,7 @@ This access key will be used during the action execution to get a short-lived to
The `init-script` supports several additional configuration parameters that you may find useful. All configuration options (required and optional) are detailed below:
| develocity-url | :white_check_mark: | the URL of the Develocity server |
| develocity-allow-untrusted-server | | allow communication with an untrusted server; set to _true_ if your Develocity instance is using a self-signed certificate |
@ -865,18 +884,18 @@ The `init-script` supports several additional configuration parameters that you
The input parameters can be expressed as environment variables following the relationships outlined in the table below:
@ -102,7 +102,8 @@ A wrapper jar can fail validation for a few reasons:
1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
or `allow-snapshot-wrappers` to `true`.
2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
3. The wrapper jar was not published by Gradle, and could be compromised.
3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
4. The wrapper jar was not published by Gradle, and could be compromised.
If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
@ -113,6 +114,17 @@ Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable beca
- If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
- If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
#### Wrapper Jar stored with Git LFS
If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
```
steps:
- uses: actions/checkout@v4
with:
lfs: true # gradle-wrapper.jar verification will fail without this
```
## Resources
To learn more about verifying the Gradle Wrapper JAR locally, see our
- console.error(`AZURE_LOG_LEVEL set to unknown log level '${logLevelFromEnv}'; logging is not enabled. Acceptable values: ${AZURE_LOG_LEVELS.join(", ")}.`);
+ console.error(`AZURE_LOG_LEVEL set to unknown log level; logging is not enabled. Acceptable values: ${AZURE_LOG_LEVELS.join(", ")}.`);
- console.error(`AZURE_LOG_LEVEL set to unknown log level '${logLevelFromEnv}'; logging is not enabled. Acceptable values: ${AZURE_LOG_LEVELS.join(", ")}.`);
+ console.error(`AZURE_LOG_LEVEL set to unknown log level; logging is not enabled. Acceptable values: ${AZURE_LOG_LEVELS.join(", ")}.`);
exportconstDEFAULT_READONLY_REASON=`[Cache was read-only](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-read-only). By default, the action will only write to the cache for Jobs running on the default branch.`
exportconstDEFAULT_DISABLED_REASON=`[Cache was disabled](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#disabling-caching) via action confiugration. Gradle User Home was not restored from or saved to the cache.`
exportconstDEFAULT_DISABLED_REASON=`[Cache was disabled](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#disabling-caching) via action configuration. Gradle User Home was not restored from or saved to the cache.`
exportconstDEFAULT_WRITEONLY_REASON=`[Cache was set to write-only](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-write-only) via action configuration. Gradle User Home was not restored from cache.`
@ -110,10 +110,12 @@ export class CacheEntryListener {
requestedRestoreKeys: string[]|undefined
restoredKey: string|undefined
restoredSize: number|undefined
restoredTime: number|undefined
notRestored: string|undefined
savedKey: string|undefined
savedSize: number|undefined
savedTime: number|undefined
notSaved: string|undefined
constructor(entryName: string){
@ -130,9 +132,10 @@ export class CacheEntryListener {
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
