Bump the github-actions group across 2 directories with 2 updates

Bumps the github-actions group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Bumps the github-actions group with 1 update in the /.github/actions/build-dist directory: [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `github/codeql-action` from 3.28.11 to 3.28.13 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/6bb031afdd8eb862ea3fc1848194185e076637e5...1b549b9259bda1cb5ddde3b41741a82a2d15a841) Updates `actions/upload-artifact` from 4.6.1 to 4.6.2 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1...ea165f8d65b6e75b540449e92b4886f43607fa02) Updates `actions/upload-artifact` from 4.6.1 to 4.6.2 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1...ea165f8d65b6e75b540449e92b4886f43607fa02) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory (#580 )
2026-06-01 01:21:58 +00:00 · 2025-03-25 16:28:20 -06:00 · 2025-03-25 16:26:03 -06:00 · 2025-03-25 22:25:09 +00:00 · 2025-03-25 16:23:51 -06:00 · 2025-03-25 16:14:52 -06:00
134 changed files with 53063 additions and 34054 deletions
@@ -3,7 +3,7 @@ name: 'Build and upload distribution'
 runs:
  using: "composite"
  steps: 
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
      with:
        node-version: 20
        cache: npm
@@ -23,7 +23,7 @@ runs:
        cp -r sources/dist .

    - name: Upload distribution
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: dist
        path: dist/
@@ -4,7 +4,7 @@ runs:
  using: "composite"
  steps: 
    - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
      with:
        distribution: 'temurin'
        java-version: 11
@@ -17,7 +17,7 @@ runs:
    # Downloads a 'dist' directory artifact that was uploaded in an earlier 'build-dist' step
    - name: Download dist
      if: ${{ env.SKIP_DIST != 'true' && !env.ACT }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: dist
        path: dist/
@@ -5,6 +5,7 @@ registries:
    url: https://plugins.gradle.org/m2
    username: dummy # Required by dependabot
    password: dummy # Required by dependabot
+
 updates:
  - package-ecosystem: "npm"
    directory: "/sources"
@@ -16,25 +17,12 @@ updates:
        - "*"
      
  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    groups:
-      github-actions:
-        patterns:
-        - "*"
-  # github-actions with directory: "/" only monitors .github/workflows
-  # https://github.com/dependabot/dependabot-core/issues/6345
-  - package-ecosystem: "github-actions"
-    directory: "/.github/actions/build-dist"
-    schedule:
-      interval: "weekly"
-    groups:
-      github-actions:
-        patterns:
-          - "*"
-  - package-ecosystem: "github-actions"
-    directory: "/.github/actions/init-integ-test"
+    # github-actions with directory: "/" only monitors .github/workflows
+    # https://github.com/dependabot/dependabot-core/issues/6345
+    directories:
+      - "/"
+      - "/.github/actions/build-dist"
+      - "/.github/actions/init-integ-test"
    schedule:
      interval: "weekly"
    groups:
@@ -43,44 +31,19 @@ updates:
          - "*"

  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/gradle-plugin"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/groovy-dsl"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/java-toolchain"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/kotlin-dsl"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/no-wrapper"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/no-wrapper-gradle-5"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: "sources/test/init-scripts"
+    directories:
+      - ".github/workflow-samples/gradle-plugin"
+      - ".github/workflow-samples/groovy-dsl"
+      - ".github/workflow-samples/java-toolchain"
+      - ".github/workflow-samples/kotlin-dsl"
+      - ".github/workflow-samples/no-wrapper"
+      - ".github/workflow-samples/no-wrapper-gradle-5"
+      - "sources/test/init-scripts"
    registries:
      - gradle-plugin-portal
    schedule:
      interval: "weekly"
+    groups:
+      gradle:
+        patterns:
+          - "*"
@@ -0,0 +1,2 @@
+# This file was generated by the Gradle 'init' task.
+# https://docs.gradle.org/current/userguide/platforms.html#sub::toml-dependencies-format
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=20f1b1176237254a6fc204d8434196fa11a4cfb387567519c61556e8710aed78
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit

 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -206,7 +205,7 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'

 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
@@ -1,60 +0,0 @@
-/*
- * This file was generated by the Gradle 'init' task.
- *
- * This generated file contains a sample Gradle plugin project to get you started.
- * For more details take a look at the Writing Custom Plugins chapter in the Gradle
- * User Manual available at https://docs.gradle.org/7.3/userguide/custom_plugins.html
- * This project uses @Incubating APIs which are subject to change.
- */
-
-plugins {
-    // Apply the Java Gradle plugin development plugin to add support for developing Gradle plugins
-    id 'java-gradle-plugin'
-}
-
-repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
-}
-
-testing {
-    suites {
-        // Configure the built-in test suite
-        test {
-            // Use JUnit Jupiter test framework
-            useJUnitJupiter('5.7.2')
-        }
-
-        // Create a new test suite
-        functionalTest(JvmTestSuite) {
-            dependencies {
-                // functionalTest test suite depends on the production code in tests
-                implementation(project(':plugin'))
-            }
-
-            targets {
-                all {
-                    // This test suite should run after the built-in test suite has run its tests
-                    testTask.configure { shouldRunAfter(test) } 
-                }
-            }
-        }
-    }
-}
-
-gradlePlugin {
-    // Define the plugin
-    plugins {
-        greeting {
-            id = 'org.example.gradle.plugin.greeting'
-            implementationClass = 'org.example.gradle.plugin.GradlePluginPlugin'
-        }
-    }
-}
-
-gradlePlugin.testSourceSets(sourceSets.functionalTest)
-
-tasks.named('check') {
-    // Include functionalTest as part of the check lifecycle
-    dependsOn(testing.suites.functionalTest)
-}
@@ -0,0 +1,40 @@
+plugins {
+    `java-gradle-plugin`
+}
+
+repositories {
+    mavenCentral()
+}
+
+testing {
+    suites {
+        val test by getting(JvmTestSuite::class) {
+            useJUnitJupiter()
+        }
+
+        val functionalTest by registering(JvmTestSuite::class) {
+            dependencies {
+                implementation(project())
+            }
+
+            targets {
+                all {
+                    testTask.configure { shouldRunAfter(test) } 
+                }
+            }
+        }
+    }
+}
+
+gradlePlugin {
+    val greeting by plugins.creating {
+        id = "org.example.greeting"
+        implementationClass = "org.example.GradlePluginPlugin"
+    }
+}
+
+gradlePlugin.testSourceSets.add(sourceSets["functionalTest"])
+
+tasks.named<Task>("check") {
+    dependsOn(testing.suites.named("functionalTest"))
+}
@@ -1,7 +1,7 @@
 /*
- * This Java source file was generated by the Gradle 'init' task.
+ * This source file was generated by the Gradle 'init' task
 */
-package org.example.gradle.plugin;
+package org.example;

 import java.io.File;
 import java.io.IOException;
@@ -15,7 +15,7 @@ import org.junit.jupiter.api.io.TempDir;
 import static org.junit.jupiter.api.Assertions.*;

 /**
- * A simple functional test for the 'org.example.gradle.plugin.greeting' plugin.
+ * A simple functional test for the 'org.example.greeting' plugin.
 */
 class GradlePluginPluginFunctionalTest {
    @TempDir
@@ -29,24 +29,23 @@ class GradlePluginPluginFunctionalTest {
        return new File(projectDir, "settings.gradle");
    }

-    @Test void canRunTaskWithGradle691() throws IOException {
+    @Test void canRunTask() throws IOException {
        writeString(getSettingsFile(), "");
        writeString(getBuildFile(),
            "plugins {" +
-            "  id('org.example.gradle.plugin.greeting')" +
+            "  id('org.example.greeting')" +
            "}");

        // Run the build
        GradleRunner runner = GradleRunner.create();
        runner.forwardOutput();
-        runner.withGradleVersion("6.9.1");
        runner.withPluginClasspath();
        runner.withArguments("greeting");
        runner.withProjectDir(projectDir);
        BuildResult result = runner.build();

        // Verify the result
-        assertTrue(result.getOutput().contains("Hello from plugin 'org.example.gradle.plugin.greeting'"));
+        assertTrue(result.getOutput().contains("Hello from plugin 'org.example.greeting'"));
    }

    private void writeString(File file, String string) throws IOException {
@@ -1,7 +1,7 @@
 /*
- * This Java source file was generated by the Gradle 'init' task.
+ * This source file was generated by the Gradle 'init' task
 */
-package org.example.gradle.plugin;
+package org.example;

 import org.gradle.api.Project;
 import org.gradle.api.Plugin;
@@ -13,7 +13,7 @@ public class GradlePluginPlugin implements Plugin<Project> {
    public void apply(Project project) {
        // Register a task
        project.getTasks().register("greeting", task -> {
-            task.doLast(s -> System.out.println("Hello from plugin 'org.example.gradle.plugin.greeting'"));
+            task.doLast(s -> System.out.println("Hello from plugin 'org.example.greeting'"));
        });
    }
 }
@@ -1,7 +1,7 @@
 /*
- * This Java source file was generated by the Gradle 'init' task.
+ * This source file was generated by the Gradle 'init' task
 */
-package org.example.gradle.plugin;
+package org.example;

 import org.gradle.testfixtures.ProjectBuilder;
 import org.gradle.api.Project;
@@ -9,13 +9,13 @@ import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;

 /**
- * A simple unit test for the 'org.example.gradle.plugin.greeting' plugin.
+ * A simple unit test for the 'org.example.greeting' plugin.
 */
 class GradlePluginPluginTest {
    @Test void pluginRegistersATask() {
        // Create a test project and apply the plugin
        Project project = ProjectBuilder.builder().build();
-        project.getPlugins().apply("org.example.gradle.plugin.greeting");
+        project.getPlugins().apply("org.example.greeting");

        // Verify the result
        assertNotNull(project.getTasks().findByName("greeting"));
@@ -1,12 +0,0 @@
-/*
- * This file was generated by the Gradle 'init' task.
- *
- * The settings file is used to specify which projects to include in your build.
- *
- * Detailed information about configuring a multi-project build in Gradle can be found
- * in the user manual at https://docs.gradle.org/7.3/userguide/multi_project_builds.html
- * This project uses @Incubating APIs which are subject to change.
- */
-
-rootProject.name = 'gradle-plugin'
-include('plugin')
@@ -0,0 +1,2 @@
+rootProject.name = "gradle-plugin-2"
+include("plugin")
@@ -6,8 +6,12 @@ repositories {
    mavenCentral()
 }

-dependencies {
-    testImplementation('junit:junit:4.13.2')
+testing {
+    suites {
+        test {
+            useJUnit()
+        }
+    }
 }

 tasks.named("test").configure {
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=20f1b1176237254a6fc204d8434196fa11a4cfb387567519c61556e8710aed78
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit

 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -206,7 +205,7 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'

 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.18"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.develocity" version "3.19.2"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.1"
 }

 develocity {
@@ -1,5 +1,5 @@
 plugins {
-    id 'java'
+    java
 }

 java {
@@ -12,6 +12,10 @@ repositories {
    mavenCentral()
 }

-dependencies {
-    testImplementation('junit:junit:4.13.2')
-}
+testing {
+    suites {
+        val test by getting(JvmTestSuite::class) {
+            useJUnit()
+        }
+    }
+}
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=20f1b1176237254a6fc204d8434196fa11a4cfb387567519c61556e8710aed78
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit

 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -206,7 +205,7 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'

 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
@@ -1,5 +0,0 @@
-plugins {
-    id("org.gradle.toolchains.foojay-resolver-convention") version("0.7.0")
-}
-
-rootProject.name = 'basic'
@@ -0,0 +1,6 @@
+plugins {
+    // Apply the foojay-resolver plugin to allow automatic download of JDKs
+    id("org.gradle.toolchains.foojay-resolver-convention") version "0.9.0"
+}
+
+rootProject.name = "java-toolchains"
@@ -8,13 +8,15 @@ repositories {

 dependencies {
    api("org.apache.commons:commons-math3:3.6.1")
-    implementation("com.google.guava:guava:33.3.0-jre")
-
-    testImplementation("org.junit.jupiter:junit-jupiter:5.11.0")
+    implementation("com.google.guava:guava:33.4.6-jre")
 }

-tasks.test {
-    useJUnitPlatform()
+testing {
+    suites { 
+       val test by getting(JvmTestSuite::class) { 
+            useJUnitJupiter() 
+        }
+    }
 }

 tasks.named("test").configure {
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=20f1b1176237254a6fc204d8434196fa11a4cfb387567519c61556e8710aed78
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit

 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -206,7 +205,7 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'

 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.develocity") version "3.18"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.1"
+    id("com.gradle.develocity") version "3.19.2"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 }

 develocity {
@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18" 
+    id "com.gradle.develocity" version "3.19.2" 
 }

 develocity {
@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18"
+    id "com.gradle.develocity" version "3.19.2"
 }

 develocity {
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18"
+    id "com.gradle.develocity" version "3.19.2"
 }

 develocity {
@@ -15,22 +15,43 @@ permissions:
 jobs:
  check-format-and-unit-test:
    runs-on: ubuntu-latest
+
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
      with:
        node-version: 20
        cache: npm
        cache-dependency-path: sources/package-lock.json
+    - name: Setup Gradle
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+      env:
+        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
+      with:
+        gradle-version: "8.13"
+
+    - name: Install npm dependencies
+      run: |
+        npm clean-install
+      working-directory: sources

    - name: Check formatting and compile
      run: |
-        npm install
        npm run check
        npm run compile
      working-directory: sources
+      env:
+        NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
+        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
+
    - name: Run unit tests
      run: |
        npm test
      working-directory: sources
+      env:
+        NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
+        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
@@ -15,13 +15,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0

    - name: Get changed files
      id: changed-files
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
      with:
        files: |
          dist/**
@@ -6,16 +6,15 @@ on:
    - 'main'
    - 'release/**'
    - 'dev/**' # Allow running Code QL on dev branches without a PR
-    paths-ignore:
-    - 'dist/**'
  pull_request:
    branches:
    - 'main'
-    paths-ignore:
-    - 'dist/**'
  schedule:
    - cron: '25 23 * * 2'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
@@ -32,11 +31,11 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
      with:
        languages: ${{ matrix.language }}
        config: |
@@ -44,4 +43,4 @@ jobs:
          - sources/src

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
@@ -0,0 +1,24 @@
+name: Combine Bot PRs
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  combine-wrapperbot-prs:
+    permissions:
+      contents: write
+      pull-requests: write
+      checks: read
+    if: github.repository == 'gradle/actions'
+    runs-on: ubuntu-latest
+    steps:
+      - name: combine-wrapperbot-prs
+        uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
+        with:
+          branch_prefix: wrapperbot
+          combine_branch_name: wrapperbot/combined-wrapper-updates
+          pr_title: 'Bump Gradle Wrappers'
+          ci_required: "false"
@@ -14,19 +14,23 @@ on:
      - 'sources/test/init-scripts/**'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  test-init-scripts:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
      with:
        distribution: temurin
        java-version: 11
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4 # Use a released version to avoid breakages
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
      env:
        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
    - name: Run integration tests
@@ -3,16 +3,18 @@ name: CI-integ-test-full
 on:
  workflow_dispatch:
  push:
+    branches:
+    - 'main'
    paths:
    - 'dist/**'

-permissions:
-  contents: write
-
 concurrency:
  group: integ-test
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  caching-integ-tests:
    uses: ./.github/workflows/suite-integ-test-caching.yml
@@ -25,6 +27,8 @@ jobs:
    secrets: inherit

  other-integ-tests:
+    permissions:
+      contents: write
    uses: ./.github/workflows/suite-integ-test-other.yml
    concurrency:
      group: CI-integ-test-full
@@ -11,19 +11,19 @@ on:
    paths-ignore:
    - 'dist/**'

-permissions:
-  contents: write
-
 concurrency:
  group: integ-test
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build and upload distribution
      if: ${{ needs.determine-suite.outputs.suite != 'full' }}
      uses: ./.github/actions/build-dist
@@ -36,6 +36,8 @@ jobs:
    secrets: inherit

  other-integ-tests:
+    permissions:
+      contents: write
    needs: build-distribution
    uses: ./.github/workflows/suite-integ-test-other.yml
    with:
@@ -0,0 +1,57 @@
+name: CI-ossf-scorecard
+on:
+  schedule:
+    - cron: '0 5 * * 1'
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      - name: 'Run analysis'
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: 'Upload artifact'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: 'Upload to code-scanning'
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+        with:
+          sarif_file: results.sarif
@@ -5,36 +5,50 @@ on:
  push:
    branches: 
    - 'main'
+    - 'prerelease/**'
    - 'release/**'
    paths-ignore:
    - 'dist/**'

 permissions:
-  contents: write
+  contents: read

 jobs:
  update-dist:
+    # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
+    # it would erroneously update `dist` on their branch (and the pull request)
+    if: github.repository == 'gradle/actions'
+    permissions:
+      contents: write
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        token: ${{ secrets.BOT_GITHUB_TOKEN }}

    - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
      with:
        node-version: 20
        cache: npm
        cache-dependency-path: sources/package-lock.json

-    - name: Build distribution
+    - name: Install npm dependencies
      run: |
        npm clean-install
+      working-directory: sources
+
+    - name: Build distribution
+      run: |
        npm run check
        npm run compile
      working-directory: sources
-    
+      env:
+        NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
+        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
+
    - name: Copy the generated sources/dist directory to the top-level dist
      run: |
        cp -r sources/dist .
@@ -43,10 +57,8 @@ jobs:
    # Important: The push event will not trigger any other workflows, see
    # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
    - name: Commit & push changes
-      # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
-      # it would erroneously update `dist` on their branch (and the pull request)
-      if: github.repository == 'gradle/actions'
-      uses: stefanzweifel/git-auto-commit-action@v5
+      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
      with:
+        commit_author: Bot Githubaction <bot-githubaction@gradle.com>
        commit_message: '[bot] Update dist directory'
        file_pattern: dist
@@ -0,0 +1,17 @@
+name: CI-validate-wrappers
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: gradle/actions/wrapper-validation@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+        with:
+          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
@@ -3,12 +3,15 @@ name: Demo Job Summary, for Gradle builds
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build and upload distribution
      uses: ./.github/actions/build-dist

@@ -17,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -59,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -79,7 +82,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -94,3 +97,20 @@ jobs:
    - name: Run build
      working-directory: .github/workflow-samples/groovy-dsl
      run: ./gradlew assemble
+
+  cache-read-only:
+    needs: build-distribution
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Initialize integ-test
+      uses: ./.github/actions/init-integ-test
+
+    - name: Setup Gradle
+      uses: ./setup-gradle
+      with:
+        cache-read-only: true
+    - name: Build kotlin-dsl project
+      working-directory: .github/workflow-samples/kotlin-dsl
+      run: ./gradlew assemble
@@ -4,23 +4,25 @@ on:
    types: [assigned, review_requested]

 permissions:
-  pull-requests: write
+  contents: read

 jobs:
  build-distribution:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build and upload distribution
      uses: ./.github/actions/build-dist

  successful-build-with-always-comment:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -34,11 +36,13 @@ jobs:
      run: ./gradlew build --scan

  successful-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -52,11 +56,13 @@ jobs:
      run: ./gradlew build --scan

  failing-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  build-scan-publish:
    strategy:
@@ -27,15 +30,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
    - name: Setup Gradle
      id: setup-gradle
      uses: ./setup-gradle
@@ -51,7 +49,7 @@ jobs:
      run: gradle help
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')   
@@ -18,6 +18,9 @@ env:
  # Requires a fresh cache entry each run
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}

+permissions:
+  contents: read
+
 jobs:
  cache-cleanup-full-build:
    strategy:
@@ -28,7 +31,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -74,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  caching-config-seed-build:
    strategy:
@@ -27,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -58,7 +61,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -87,7 +90,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -101,7 +104,7 @@ jobs:
      run: ./gradlew help
    - name: Check Build Scan url is captured
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -111,7 +114,7 @@ jobs:
    runs-on: ubuntu-latest # This test only runs on Ubuntu
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -125,7 +128,7 @@ jobs:
      run: ./gradlew help
    - name: Check Build Scan url is captured
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -142,7 +145,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -166,7 +169,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -13,20 +13,20 @@ on:
        type: boolean
        default: false

-permissions:
-  contents: write
-
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

+permissions:
+  contents: read
+
 jobs:
  dependency-graph-groovy-upload:
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -39,11 +39,13 @@ jobs:
      working-directory: .github/workflow-samples/groovy-dsl

  dependency-graph-groovy-submit:
+    permissions:
+      contents: write
    needs: [dependency-graph-groovy-upload]
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -55,10 +57,12 @@ jobs:
        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload

  dependency-graph-kotlin-generate-and-submit:
+    permissions:
+      contents: write
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -71,10 +75,12 @@ jobs:
      working-directory: .github/workflow-samples/kotlin-dsl

  dependency-graph-multiple-builds:
+    permissions:
+      contents: write
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -112,10 +118,12 @@ jobs:
        fi
        
  dependency-graph-config-cache:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -145,3 +153,40 @@ jobs:
            ls -l dependency-graph-reports
            exit 1
        fi        
+
+  dependency-graph-generate-submit-and-upload:
+    permissions:
+      contents: write
+    runs-on: "ubuntu-latest"
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Initialize integ-test
+      uses: ./.github/actions/init-integ-test
+
+    - name: Setup Gradle for dependency-graph generate
+      uses: ./setup-gradle
+      with:
+        dependency-graph: generate-submit-and-upload
+    - name: Run gradle build
+      id: gradle-build
+      run: ./gradlew build
+      working-directory: .github/workflow-samples/groovy-dsl
+
+  dependency-graph-generate-submit-and-upload-check:
+    needs: [dependency-graph-generate-submit-and-upload]
+    runs-on: "ubuntu-latest"
+    steps:
+    - name: Download dependency-graph artifact
+      uses: actions/download-artifact@v4
+      with:
+        path: downloaded-dependency-graphs
+        pattern: dependency-graph_*dependency-graph-generate-submit-and-upload.json
+    - name: Check for downloaded dependency graphs
+      shell: bash
+      run: |
+        ls -A "${{ github.workspace }}/downloaded-dependency-graphs"
+        if [ -z "$(ls -A "${{ github.workspace }}/downloaded-dependency-graphs")" ]; then
+          echo "No dependency graph files found"
+          exit 1
+        fi
@@ -18,12 +18,15 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

+permissions:
+  contents: read
+
 jobs:
  dependency-submission-failures-failing-build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -52,7 +55,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -83,7 +86,7 @@ jobs:
      contents: read
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -13,16 +13,18 @@ on:
        type: boolean
        default: false

-permissions:
-  contents: write
-
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

+permissions:
+  contents: read
+
 jobs:
  dependency-submission-groovy-generate-and-upload:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@@ -31,7 +33,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -45,6 +47,8 @@ jobs:
        GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission

  dependency-submission-groovy-restore-cache:
+    permissions:
+      contents: write
    needs: [dependency-submission-groovy-generate-and-upload]
    strategy:
      max-parallel: 1
@@ -54,7 +58,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -67,6 +71,8 @@ jobs:
        GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission

  dependency-submission-groovy-download-and-submit:
+    permissions:
+      contents: write
    needs: [dependency-submission-groovy-generate-and-upload]
    strategy:
      max-parallel: 1
@@ -76,7 +82,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -88,6 +94,8 @@ jobs:
        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}

  dependency-submission-kotlin-generate-and-submit:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@@ -96,7 +104,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -106,6 +114,8 @@ jobs:
        build-root-directory: .github/workflow-samples/kotlin-dsl

  dependency-submission-multiple-builds:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@@ -114,7 +124,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -152,6 +162,8 @@ jobs:
        fi

  dependency-submission-multiple-builds-upload:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@@ -160,7 +172,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -176,10 +188,12 @@ jobs:
        build-root-directory: .github/workflow-samples/groovy-dsl

  dependency-submission-config-cache:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -211,6 +225,8 @@ jobs:
        fi

  dependency-submission-gradle-versions:
+    permissions:
+      contents: write
    strategy:
      fail-fast: false
      matrix:
@@ -224,7 +240,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -235,10 +251,12 @@ jobs:
        build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}

  dependency-submission-with-setup-gradle:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -270,10 +288,12 @@ jobs:
        fi

  dependency-submission-with-includes-and-excludes:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -304,6 +324,8 @@ jobs:


  dependency-submission-custom-report-dir-submit:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@@ -312,7 +334,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -339,10 +361,12 @@ jobs:
        fi

  dependency-submission-custom-report-dir-upload:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -355,11 +379,13 @@ jobs:
        build-root-directory: .github/workflow-samples/groovy-dsl

  custom-report-dir-download-and-submit:
+    permissions:
+      contents: write
    needs: [dependency-submission-custom-report-dir-upload]
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  # Test that pre-installed runner JDKs are detected
  detect-toolchains-pre-installed-jdks:
@@ -27,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -57,17 +60,17 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

    - name: Setup Java 20
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
      with:
        distribution: 'temurin'
        java-version: 20
    - name: Setup Java 16
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
      with:
        distribution: 'temurin'
        java-version: 16
@@ -20,38 +20,36 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  inject-develocity:
    env:
      DEVELOCITY_INJECTION_ENABLED: true
      DEVELOCITY_URL: https://ge.solutions-team.gradle.com
      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.1'
      ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
    strategy:
      fail-fast: false
      matrix:
        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.18]
+        plugin-version: [3.16.2, 3.19.2]
        include:
        - plugin-version: 3.16.2
          accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
-        - plugin-version: 3.18
+        - plugin-version: 3.19.2
          accessKeyEnv: DEVELOCITY_ACCESS_KEY

    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
    - name: Setup Gradle
      id: setup-gradle
      uses: ./setup-gradle
@@ -64,7 +62,7 @@ jobs:
      run: gradle help
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -78,24 +76,19 @@ jobs:
      DEVELOCITY_INJECTION_ENABLED: true
      DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.1'
    strategy:
      fail-fast: false
      matrix:
        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.18]
+        plugin-version: [3.16.2, 3.19.2]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Initialize integ-test
        uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
      - name: Setup Gradle
        id: setup-gradle
        uses: ./setup-gradle
@@ -114,7 +107,7 @@ jobs:
        run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
      - name: Check Build Scan url
        if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            core.setFailed('No Build Scan detected')
@@ -124,7 +117,7 @@ jobs:
      DEVELOCITY_INJECTION_ENABLED: true
      DEVELOCITY_URL: 'https://localhost:3333/'
      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.1'
      # Access key also set as an env var, we want to check it does not leak
      GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -133,19 +126,14 @@ jobs:
      matrix:
        gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.18 ]
+        plugin-version: [ 3.16.2, 3.19.2 ]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Initialize integ-test
        uses: ./.github/actions/init-integ-test

-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
      - name: Setup Gradle
        id: setup-gradle
        uses: ./setup-gradle
@@ -169,18 +157,13 @@ jobs:
      matrix:
        gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.18 ]
+        plugin-version: [ 3.16.2, 3.19.2 ]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Initialize integ-test
        uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
      - name: Setup Gradle
        id: setup-gradle
        uses: ./setup-gradle
@@ -196,7 +179,7 @@ jobs:
        run: gradle help
      - name: Check Build Scan url
        if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            core.setFailed('No Build Scan detected')
@@ -18,6 +18,9 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true

+permissions:
+  contents: read
+
 jobs:   
  # Tests for executing with different Gradle versions. 
  # Each build verifies that it is executed with the expected Gradle version.
@@ -30,7 +33,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -66,7 +69,7 @@ jobs:
      run: gradle help
    - name: Check current version output parameter
      if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
@@ -75,7 +78,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        gradle: ["8.10", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
+        gradle: ["8.13", "8.12", "8.12-rc-1", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
        os: ${{fromJSON(inputs.runner-os)}}
        include:
          - java-version: 11
@@ -92,12 +95,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

    - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
      with:
        distribution: temurin
        java-version: ${{ matrix.java-version }}
@@ -109,7 +112,7 @@ jobs:
        gradle-version: ${{ matrix.gradle }}
    - name: Check output parameter
      if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -119,7 +122,7 @@ jobs:
      run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')    
@@ -20,6 +20,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-cc-seed-build-groovy:
    env:
@@ -32,22 +35,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        cache-write-only: true # Ensure we start with a clean cache entry
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Groovy build with configuration-cache enabled
      working-directory: .github/workflow-samples/groovy-dsl
      run: gradle test --configuration-cache
@@ -65,22 +62,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false
        cache-cleanup: on-success
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Groovy build with configuration-cache enabled
      id: execute
      working-directory: .github/workflow-samples/groovy-dsl
@@ -107,21 +98,15 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: true
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Groovy build with configuration-cache enabled
      id: execute
      working-directory: .github/workflow-samples/groovy-dsl
@@ -148,15 +133,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle with no extracted cache entries restored
      uses: ./setup-gradle
      env: 
@@ -164,7 +144,6 @@ jobs:
      with:
        cache-read-only: true
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Check execute Gradle build with configuration cache enabled (but not restored)
      working-directory: .github/workflow-samples/groovy-dsl
      run: gradle test --configuration-cache
@@ -180,22 +159,16 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        cache-write-only: true # Ensure we start with a clean cache entry
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Execute 'help' with configuration-cache enabled
      working-directory: .github/workflow-samples/kotlin-dsl
      run: gradle help --configuration-cache
@@ -213,21 +186,15 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Execute 'test' with configuration-cache enabled
      working-directory: .github/workflow-samples/kotlin-dsl
      run: gradle test --configuration-cache
@@ -246,21 +213,15 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: true
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
    - name: Execute 'test' again with configuration-cache enabled
      id: execute
      working-directory: .github/workflow-samples/kotlin-dsl
@@ -14,13 +14,16 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-containerized-seed-build:
    runs-on: ubuntu-latest
    container: fedora:latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -39,7 +42,7 @@ jobs:
    container: fedora:latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -14,12 +14,15 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-custom-gradle-home-seed-build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -41,7 +44,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -63,7 +66,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -18,6 +18,9 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home

+permissions:
+  contents: read
+
 jobs:
  restore-gradle-home-seed-build:
    strategy:
@@ -28,7 +31,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -51,7 +54,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -74,7 +77,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -97,7 +100,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -122,7 +125,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-java-toolchain-seed-build:
    strategy:
@@ -27,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -50,7 +53,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  sample-gradle-plugin-seed-build:
    strategy:
@@ -27,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  sample-kotlin-dsl-seed-build:
    strategy:
@@ -27,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -49,7 +52,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -13,6 +13,9 @@ on:
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}

+permissions:
+  contents: read
+
 jobs:
  wrapper-validation-setup-gradle:
    strategy:
@@ -22,7 +25,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -45,7 +48,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -74,7 +77,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -107,7 +110,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test

@@ -137,7 +140,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4 # Checkout the repository with no wrappers
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Checkout the repository with no wrappers
      with:
        sparse-checkout: |
          .github/actions
@@ -10,6 +10,9 @@ on:
        type: boolean
        default: false

+permissions:
+  contents: read
+
 jobs:
  cache-cleanup:
    uses: ./.github/workflows/integ-test-cache-cleanup.yml
@@ -10,6 +10,9 @@ on:
        type: boolean
        default: false

+permissions:
+  contents: read
+
 jobs:
  build-scan-publish:
    uses: ./.github/workflows/integ-test-build-scan-publish.yml
@@ -7,20 +7,22 @@ on:
  workflow_dispatch:

 permissions:
-  contents: write
-  pull-requests: write
+  contents: read

 jobs:
  update-checksums:
+    permissions:
+      contents: write
+      pull-requests: write
    name: Update checksums
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
        with:
          node-version: 20
          cache: npm
@@ -28,7 +30,7 @@ jobs:

      - name: Install dependencies
        run: |
-          npm install typed-rest-client@1.8.11 --no-save
+          npm clean-install typed-rest-client@1.8.11 --no-save
        working-directory: sources

      - name: Update checksums file
@@ -37,9 +39,10 @@ jobs:

      # If there are no changes, this action will not create a pull request
      - name: Create or update pull request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          branch: bot/wrapper-checksums-update
+          author: Bot Githubaction <bot-githubaction@gradle.com>
          commit-message: Update known wrapper checksums
          title: Update known wrapper checksums
          # Note: Unfortunately this action cannot trigger the regular workflows for the PR automatically, see
@@ -3,8 +3,9 @@
 The `build` script in the project root provides a convenient way to perform many local build tasks:
 1. `./build` will lint and compile typescript sources
 2. `./build all` will lint and compile typescript and run unit tests
-3. `./build init-scripts` will run the init-script integration tests
-4. `./build act <act-commands>` will run `act` after building local changes (see below)
+3. `./build install` will install npm packages followed by lint and compile
+4. `./build init-scripts` will run the init-script integration tests
+5. `./build act <act-commands>` will run `act` after building local changes (see below)

 ## Using `act` to run integ-test workflows locally

@@ -1,5 +1,7 @@
 # GitHub Actions for Gradle builds

+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gradle/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/gradle/actions)
+
 This repository contains a set of GitHub Actions that are useful for building Gradle projects on GitHub.

 ## The `setup-gradle` action
@@ -2,14 +2,18 @@

 cd sources

+if [[ -f ~/.gradle/develocity/keys.properties ]]; then
+    export NODE_OPTIONS='-r @gradle/develocity-agent/preload'
+    export DEVELOCITY_URL=https://ge.solutions-team.gradle.com
+    export DEVELOCITY_ACCESS_KEY=$(paste -sd ';' ~/.gradle/develocity/keys.properties)
+fi
+
 case "$1" in
    all)
-        npm clean-install
        npm run all
        ;;
    act)
        # Build and copy outputs to the dist directory
-        npm install
        npm run build
        cd ..
        cp -r sources/dist .
@@ -18,18 +22,25 @@ case "$1" in
        # Revert the changes to the dist directory
        git checkout -- dist
        ;;
-    init-scripts)
-        cd test/init-scripts
-        ./gradlew check
-        ;;
    dist)
-        npm install
+        npm clean-install
        npm run build
        cd ..
        cp -r sources/dist .
        ;;
+    init-scripts)
+        cd test/init-scripts
+        ./gradlew check
+        ;;
+    install)
+        npm clean-install
+        npm run build
+        ;;
+    test)
+        shift
+        npm test -- $@
+        ;;
    *)
-        npm install
        npm run build
        ;;
 esac
@@ -96,17 +96,20 @@ inputs:
  # Dependency Graph configuration
  dependency-graph:
    description: |
-      Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
+      Specifies how the dependency-graph should be handled by this action. 
+      By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
      Valid values are:
-        'generate-and-submit' (default): Generates a dependency graph for the project and submits it in the same Job.
-        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact.
+        'generate-and-submit': Generates a dependency graph for the project and submits it in the same Job.
+        'generate-submit-and-upload (default)': As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
+        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
        'download-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.

+      Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
      The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
      where the workflow generating the dependency-graph cannot (or should not) be given the `contents: write` permissions
      required to submit via the Dependency Submission API.
    required: false
-    default: 'generate-and-submit'
+    default: 'generate-submit-and-upload'

  dependency-graph-report-dir:
    description: |
@@ -147,7 +150,6 @@ inputs:
  artifact-retention-days:
    description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
    required: false
-    default: 1

  # Build Scan configuration
  build-scan-publish:
@@ -103,6 +103,9 @@ In some cases, the default action configuration will not be sufficient, and addi
        # Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
        dependency-graph: generate-and-upload

+        # Change the number of days that workflow artifacts are retained. (Default is 30 days).
+        artifact-retention-days: 5
+
        # Specify the location where dependency graph files will be generated.
        dependency-graph-report-dir: custom-report-dir

@@ -118,6 +121,29 @@ The `GitHub Dependency Graph Gradle Plugin` can be further
 These will be automatically set by the `dependency-submission` action, but you may override these values 
 by setting them explicitly in your workflow file.

+### Reducing storage costs for saved dependency graph artifacts
+
+By default, the dependency graph that is generated is stored as a workflow artifact.
+To reduce storage costs for these artifacts, you can:
+
+1. Set the `artifact-retention-days`:
+
+```yaml
+    - name: Generate dependency graph but only store workflow artifacts for 1 day
+      uses: gradle/actions/dependency-submission@v4
+      with:
+        artifact-retention-days: 1 # Default is 30 days or as configured for repository
+```
+
+2. Disable storing dependency-graph artifacts using `generate-and-submit`
+
+```yaml
+    - name: Generate and submit dependency graph but do not store as workflow artifact
+      uses: gradle/actions/dependency-submission@v4
+      with:
+        dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
+```
+
 # Resolving a dependency vulnerability

 ## Finding the source of a dependency vulnerability
@@ -276,7 +302,7 @@ For example, if you want to exclude dependencies resolved by the `buildSrc` proj
      uses: gradle/actions/dependency-submission@v4
      with:
        # Exclude all dependencies that originate solely in the 'buildSrc' project
-        dependency-graph-exclude-projets: ':buildSrc'
+        dependency-graph-exclude-projects: ':buildSrc'
        # Exclude dependencies that are only resolved in test classpaths
        dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath'
 ```
@@ -295,12 +321,19 @@ The GitHub [dependency-review-action](https://github.com/actions/dependency-revi
 understand dependency changes (and the security impact of these changes) for a pull request,
 by comparing the dependency graph for the pull-request with that of the HEAD commit.

-Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
+Integrating the Dependency Review Action requires 2 changes to your workflows:
+
+#### 1. Add a `pull_request` trigger to your existing Dependency Submission workflow.
+
+In order to perform Dependency Review on a pull request, the dependency graph must be submitted for the pull request.
+To do this, simply add a `pull_request` trigger to your existing dependency submission workflow.

 ```yaml
-name: Dependency review for pull requests
+name: Dependency Submission

 on:
+  push:
+    branches: [ 'main' ]
  pull_request:

 permissions:
@@ -318,11 +351,37 @@ jobs:

    - name: Generate and submit dependency graph
      uses: gradle/actions/dependency-submission@v4
-
-    - name: Perform dependency review
-      uses: actions/dependency-review-action@v4
 ```

+#### 2. Add a dedicated Dependency Review workflow
+
+The Dependency Review workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
+submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
+
+Here's an example of a separate "Dependency Review" workflow that will wait up to 10 minutes for dependency submission to complete.
+
+```yaml
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+    - name: 'Dependency Review'
+      uses: actions/dependency-review-action@v4
+      with:
+        retry-on-snapshot-warnings: true
+        retry-on-snapshot-warnings-timeout: 600
+```
+
+The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the modified dependency-submission workflow to complete.
+
 ## Usage with pull requests from public forked repositories

 This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
@@ -381,36 +440,6 @@ jobs:
        dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```

-### Integrating `dependency-review-action` for pull requests from public forked repositories
-
-To integrate the `dependency-review-action` into the pull request workflows above, a third workflow file is required.
-This workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
-submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
-
-Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the above PR check workflow to complete.
-
-```yaml
-name: dependency-review
-
-on:
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    steps:
-    - name: 'Dependency Review'
-      uses: actions/dependency-review-action@v4
-      with:
-        retry-on-snapshot-warnings: true
-        retry-on-snapshot-warnings-timeout: 600
-```
-
-The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
-
 # Gradle version compatibility

 Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against 
@@ -101,7 +101,7 @@ The exact syntax depends on whether or not your project is configured with the [
 - name: Setup Gradle for a non-wrapper project
  uses: gradle/actions/setup-gradle@v4
  with:
-    gradle-version: "8.10"
+    gradle-version: "8.11"

 - name: Assemble the project
  run: gradle assemble
@@ -127,6 +127,8 @@ cache-disabled: true

 By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
 Jobs on other branches will read entries from the cache but will not write updated entries.
+
+This setup is designed around [GitHub imposed restrictions on cache access](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) and should work well in most scenarios.
 See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.

 In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
@@ -196,6 +198,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
 in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
 secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.

+> [!IMPORTANT]
+> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
+
 To benefit from configuration caching in your GitHub Actions workflow, you must:
 - Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
 - Enable the configuration cache for your build.
@@ -216,11 +221,14 @@ jobs:
    - uses: gradle/actions/setup-gradle@v4
      with:
        gradle-version: 8.6
-        cache-encryption-key: ${{ secrets.GradleEncryptionKey }}
+        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
    - run: gradle build --configuration-cache
 ```

-> [!IMPORTANT]
+Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
+This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
+
+> [!NOTE]
 > The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
 > This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
 > This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@@ -430,6 +438,15 @@ so that a Job Summary is never generated, or so that a Job Summary is only gener
 add-job-summary: 'on-failure' # Valid values are 'always' (default), 'never', and 'on-failure'
 ```

+### Excluding specific Gradle builds from Job Summary
+
+The Job Summary works by installing an init-script in Gradle User Home which will record details of any Gradle execution during the workflow.
+This means that any Gradle excecution sharing the same Gradle User Home will show up in the Job Summary, which may include Gradle executions 
+run as part of integration testing.
+
+To avoid having these test builds show up in the Job Summary, add the `GRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true` environment variable
+to the process that executes Gradle. This will stop the init-script from collecting any build results.
+
 ### Adding Job Summary as a Pull Request comment

 It is sometimes more convenient to view the results of a GitHub Actions Job directly from the Pull Request that triggered
@@ -502,7 +519,7 @@ jobs:
      if: always()
      with:
        name: build-reports
-        path: build/reports/
+        path: **/build/reports/
 ```

 ### Use of custom init-scripts in Gradle User Home
@@ -710,20 +727,6 @@ A known exception to this is that Gradle `7.0`, `7.0.1`, and `7.0.2` are not sup

 See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.

-### Reducing storage costs for saved dependency graph artifacts
-
-When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact.
-By default, these artifacts are retained for 30 days (or as configured for the repository).
-To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number.
-
-```yaml
-    - name: Generate dependency graph, but only retain artifact for one day
-      uses: gradle/actions/setup-gradle@v4
-      with:
-        dependency-graph: generate
-        artifact-retention-days: 1
-```
-
 # Develocity Build Scan® integration

 Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
@@ -753,7 +756,8 @@ To publish to https://scans.gradle.com, you must specify in your workflow that y
 ## Managing Develocity access keys

 Develocity access keys are long-lived, creating risks if they are leaked. To mitigate this risk this, 
-the `setup-gradle` action can automatically attempt to obtain a short-lived access token to authenticate with Develocity. 
+the `setup-gradle` action can automatically attempt to obtain a [short-lived access token](https://docs.gradle.com/develocity/gradle-plugin/current/#short_lived_access_tokens)
+to use when authenticating with Develocity. 
 The short-lived access token will then be used wherever a Develocity access key is required.

 ```yaml
@@ -767,6 +771,21 @@ The short-lived access token will then be used wherever a Develocity access key
      run: ./gradlew build
 ```

+### Increasing the expiry time for Develocity access tokens
+
+By default, a short-lived Develocity access token will be valid for 2 hours from the time it is generated. If your workflows take longer than
+2 hours to complete, you may see failure to publish Build Scans due to access token expiry.
+
+To avoid this, use the `develocity-token-expiry` parameter to specify a different token expiry in hours.
+
+```yaml
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
+        develocity-token-expiry: 8 # The number of hours that the access token should remain valid (max 24).
+```
+
 ### Develocity access key supplied as environment variable

 The preferred mechanism is to supply the long-lived Develocity access key directly to `setup-gradle` via 
@@ -825,7 +844,7 @@ Here's a minimal example:
      run: ./gradlew build
 ```

-This configuration will automatically apply `v3.18` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.19.2` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.

 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
@@ -891,8 +910,8 @@ Here's an example using the env vars:
        DEVELOCITY_INJECTION_ENABLED: true
        DEVELOCITY_URL: https://develocity.your-server.com
        DEVELOCITY_ENFORCE_URL: true
-        DEVELOCITY_PLUGIN_VERSION: "3.18"
-        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.0.2"
+        DEVELOCITY_PLUGIN_VERSION: "3.19"
+        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.1"
 ```

 # Dependency verification
@@ -102,7 +102,8 @@ A wrapper jar can fail validation for a few reasons:
 1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
   or `allow-snapshot-wrappers` to `true`.
 2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
-3. The wrapper jar was not published by Gradle, and could be compromised.
+3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
+4. The wrapper jar was not published by Gradle, and could be compromised.

 If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
@@ -113,6 +114,17 @@ Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable beca
 - If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
 - If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.

+#### Wrapper Jar stored with Git LFS
+If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
+restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
+
+```
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true  # gradle-wrapper.jar verification will fail without this
+```
+
 ## Resources

 To learn more about verifying the Gradle Wrapper JAR locally, see our
@@ -80,7 +80,7 @@ inputs:
  dependency-graph:
    description: |
      Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
-      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', and 'download-and-submit'.
+      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-submit-and-upload', 'generate-and-upload', and 'download-and-submit'.
    required: false
    default: 'disabled'

@@ -1,3 +1,3 @@
 # Configuration file for asdf version manager
 nodejs 20.10.0
-gradle 8.10
+gradle 8.13
@@ -32,40 +32,41 @@
  ],
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "2.1.9",
-    "@actions/cache": "3.2.4",
-    "@actions/core": "1.10.1",
+    "@actions/artifact": "2.3.2",
+    "@actions/cache": "4.0.3",
+    "@actions/core": "1.11.1",
    "@actions/exec": "1.1.1",
    "@actions/github": "6.0.0",
    "@actions/glob": "0.5.0",
-    "@actions/http-client": "2.2.2",
-    "@actions/tool-cache": "2.0.1",
-    "@octokit/rest": "21.0.2",
-    "@octokit/webhooks-types": "7.5.1",
+    "@actions/http-client": "2.2.3",
+    "@actions/tool-cache": "2.0.2",
+    "@octokit/rest": "21.1.1",
+    "@octokit/webhooks-types": "7.6.1",
    "cheerio": "^1.0.0",
-    "semver": "7.6.3",
+    "semver": "7.7.1",
    "string-argv": "0.3.2",
-    "typed-rest-client": "2.0.2",
+    "typed-rest-client": "2.1.0",
    "unhomoglyph": "1.0.6",
-    "which": "4.0.0"
+    "which": "5.0.0"
  },
  "devDependencies": {
-    "@types/jest": "29.5.12",
-    "@types/node": "20.16.1",
-    "@types/unzipper": "0.10.10",
+    "@gradle/develocity-agent": "https://develocity-npm-pkgs.gradle.com/gradle-develocity-agent-0.9.0.tgz",
+    "@types/jest": "29.5.14",
+    "@types/node": "20.17.27",
+    "@types/unzipper": "0.10.11",
    "@types/which": "3.0.4",
    "@typescript-eslint/parser": "7.18.0",
-    "@vercel/ncc": "0.38.1",
-    "eslint": "8.57.0",
-    "eslint-plugin-github": "5.0.1",
-    "eslint-plugin-jest": "28.8.0",
+    "@vercel/ncc": "0.38.3",
+    "eslint": "8.57.1",
+    "eslint-plugin-github": "5.1.8",
+    "eslint-plugin-jest": "28.11.0",
    "jest": "29.7.0",
    "js-yaml": "4.1.0",
-    "nock": "13.5.4",
+    "nock": "13.5.6",
    "npm-run-all": "4.1.5",
    "patch-package": "8.0.0",
-    "prettier": "3.3.3",
-    "ts-jest": "29.2.4",
-    "typescript": "5.5.4"
+    "prettier": "3.5.3",
+    "ts-jest": "29.3.0",
+    "typescript": "5.8.2"
  }
 }
@@ -1,113 +0,0 @@
-diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
-index 4658366..b796e58 100644
--- a/node_modules/@actions/cache/lib/cache.d.ts
-+++ b/node_modules/@actions/cache/lib/cache.d.ts
-@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
-  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
-  * @returns string returns the key for the cache hit, otherwise returns undefined
-  */
-export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
-+export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
- /**
-  * Saves a list of files with the specified key
-  *
-@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
-  * @param options cache upload options
-  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
-  */
-export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
-+export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
-+
-+// PATCHED: Add `CacheEntry` as return type for save/restore functions
-+// This allows us to track and report on cache entry sizes.
-+export declare class CacheEntry {
-+    key: string;
-+    size?: number;
-+    constructor(key: string, size?: number);
-+}
-diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
-index 9d636aa..a176bd7 100644
--- a/node_modules/@actions/cache/lib/cache.js
-+++ b/node_modules/@actions/cache/lib/cache.js
-@@ -127,18 +127,21 @@ function restoreCache(paths, primaryKey, restoreKeys, options, enableCrossOsArch
-             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
-             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
-             core.info('Cache restored successfully');
-            return cacheEntry.cacheKey;
-        }
-        catch (error) {
-            const typedError = error;
-            if (typedError.name === ValidationError.name) {
-                throw error;
-            }
-            else {
-                // Supress all non-validation cache related errors because caching should be optional
-                core.warning(`Failed to restore: ${error.message}`);
-            }
-+
-+            // PATCHED - Return more inforamtion about restored entry
-+            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
-         }
-+        // PATCHED - propagate errors
-+        // catch (error) {
-+        //     const typedError = error;
-+        //     if (typedError.name === ValidationError.name) {
-+        //         throw error;
-+        //     }
-+        //     else {
-+        //         // Supress all non-validation cache related errors because caching should be optional
-+        //         core.warning(`Failed to restore: ${error.message}`);
-+        //     }
-+        // }
-         finally {
-             // Try to delete the archive to save space
-             try {
-@@ -206,19 +209,23 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
-             }
-             core.debug(`Saving Cache (ID: ${cacheId})`);
-             yield cacheHttpClient.saveCache(cacheId, archivePath, options);
-+
-+            // PATCHED - Return more inforamtion about saved entry
-+            return new CacheEntry(key, archiveFileSize);
-         }
-        catch (error) {
-            const typedError = error;
-            if (typedError.name === ValidationError.name) {
-                throw error;
-            }
-            else if (typedError.name === ReserveCacheError.name) {
-                core.info(`Failed to save: ${typedError.message}`);
-            }
-            else {
-                core.warning(`Failed to save: ${typedError.message}`);
-            }
-        }
-+        // PATCHED - propagate errors
-+        // catch (error) {
-+        //     const typedError = error;
-+        //     if (typedError.name === ValidationError.name) {
-+        //         throw error;
-+        //     }
-+        //     else if (typedError.name === ReserveCacheError.name) {
-+        //         core.info(`Failed to save: ${typedError.message}`);
-+        //     }
-+        //     else {
-+        //         core.warning(`Failed to save: ${typedError.message}`);
-+        //     }
-+        // }
-         finally {
-             // Try to delete the archive to save space
-             try {
-@@ -232,4 +239,11 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
-     });
- }
- exports.saveCache = saveCache;
-+class CacheEntry {
-+    constructor(key, size) {
-+        this.key = key;
-+        this.size = size;
-+    }
-+}
-+exports.CacheEntry = CacheEntry;
- //# sourceMappingURL=cache.js.map
-\ No newline at end of file
@@ -0,0 +1,183 @@
+diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
+index ef0928b..4e2f570 100644
+--- a/node_modules/@actions/cache/lib/cache.d.ts
+++ b/node_modules/@actions/cache/lib/cache.d.ts
+@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
+  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
+  * @returns string returns the key for the cache hit, otherwise returns undefined
+  */
+-export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
+export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
+ /**
+  * Saves a list of files with the specified key
+  *
+@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
+  * @param options cache upload options
+  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
+  */
+-export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
+export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
+
+// PATCHED: Add `CacheEntry` as return type for save/restore functions
+// This allows us to track and report on cache entry sizes.
+export declare class CacheEntry {
+    key: string;
+    size?: number;
+    constructor(key: string, size?: number);
+}
+\ No newline at end of file
+diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
+index e9e45c9..336733b 100644
+--- a/node_modules/@actions/cache/lib/cache.js
+++ b/node_modules/@actions/cache/lib/cache.js
+@@ -154,18 +154,21 @@ function restoreCacheV1(paths, primaryKey, restoreKeys, options, enableCrossOsAr
+             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
+             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
+             core.info('Cache restored successfully');
+-            return cacheEntry.cacheKey;
+-        }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else {
+-                // Supress all non-validation cache related errors because caching should be optional
+-                core.warning(`Failed to restore: ${error.message}`);
+-            }
+
+            // PATCHED - Include size of restored entry
+            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
+         }
+            // PATCHED - propagate errors
+            // catch (error) {
+            //     const typedError = error;
+            //     if (typedError.name === ValidationError.name) {
+            //         throw error;
+            //     }
+            //     else {
+            //         // Supress all non-validation cache related errors because caching should be optional
+            //         core.warning(`Failed to restore: ${error.message}`);
+            //     }
+            // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -232,18 +235,21 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
+             }
+             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
+             core.info('Cache restored successfully');
+-            return response.matchedKey;
+-        }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else {
+-                // Supress all non-validation cache related errors because caching should be optional
+-                core.warning(`Failed to restore: ${error.message}`);
+-            }
+
+            // PATCHED - Include size of restored entry
+            return new CacheEntry(response.matchedKey, archiveFileSize);;
+         }
+            // PATCHED - propagate errors
+            // catch (error) {
+            //     const typedError = error;
+            //     if (typedError.name === ValidationError.name) {
+            //         throw error;
+            //     }
+            //     else {
+            //         // Supress all non-validation cache related errors because caching should be optional
+            //         core.warning(`Failed to restore: ${error.message}`);
+            //     }
+            // }
+         finally {
+             try {
+                 if (archivePath) {
+@@ -334,19 +340,23 @@ function saveCacheV1(paths, key, options, enableCrossOsArchive = false) {
+             }
+             core.debug(`Saving Cache (ID: ${cacheId})`);
+             yield cacheHttpClient.saveCache(cacheId, archivePath, '', options);
+
+            // PATCHED - Include size of saved entry
+            return new CacheEntry(key, archiveFileSize);
+         }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else if (typedError.name === ReserveCacheError.name) {
+-                core.info(`Failed to save: ${typedError.message}`);
+-            }
+-            else {
+-                core.warning(`Failed to save: ${typedError.message}`);
+-            }
+-        }
+            // PATCHED - propagate errors
+            // catch (error) {
+            //     const typedError = error;
+            //     if (typedError.name === ValidationError.name) {
+            //         throw error;
+            //     }
+            //     else if (typedError.name === ReserveCacheError.name) {
+            //         core.info(`Failed to save: ${typedError.message}`);
+            //     }
+            //     else {
+            //         core.warning(`Failed to save: ${typedError.message}`);
+            //     }
+            // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -430,19 +440,23 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
+                 throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`);
+             }
+             cacheId = parseInt(finalizeResponse.entryId);
+
+            // PATCHED - Include size of saved entry
+            return new CacheEntry(key, archiveFileSize);
+         }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else if (typedError.name === ReserveCacheError.name) {
+-                core.info(`Failed to save: ${typedError.message}`);
+-            }
+-            else {
+-                core.warning(`Failed to save: ${typedError.message}`);
+-            }
+-        }
+            // PATCHED - propagate errors
+            // catch (error) {
+            //     const typedError = error;
+            //     if (typedError.name === ValidationError.name) {
+            //         throw error;
+            //     }
+            //     else if (typedError.name === ReserveCacheError.name) {
+            //         core.info(`Failed to save: ${typedError.message}`);
+            //     }
+            //     else {
+            //         core.warning(`Failed to save: ${typedError.message}`);
+            //     }
+            // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -455,4 +469,11 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
+         return cacheId;
+     });
+ }
+// PATCHED - CacheEntry class
+class CacheEntry {
+    constructor(key, size) {
+        this.key = key;
+        this.size = size;
+    }
+}
+ //# sourceMappingURL=cache.js.map
+\ No newline at end of file
@@ -1,5 +1,6 @@
 import * as fs from 'fs'
 import * as path from 'path'
+import {versionIsAtLeast} from './execution/gradle'

 export interface BuildResult {
    get rootProjectName(): string
@@ -32,6 +33,18 @@ export class BuildResults {
        const allHomes = this.results.map(buildResult => buildResult.gradleHomeDir)
        return Array.from(new Set(allHomes))
    }
+
+    highestGradleVersion(): string | null {
+        if (this.results.length === 0) {
+            return null
+        }
+        return this.results
+            .map(result => result.gradleVersion)
+            .reduce((maxVersion: string, currentVersion: string) => {
+                if (!maxVersion) return currentVersion
+                return versionIsAtLeast(currentVersion, maxVersion) ? currentVersion : maxVersion
+            })
+    }
 }

 export function loadBuildResults(): BuildResults {
@@ -4,6 +4,9 @@ import * as exec from '@actions/exec'
 import fs from 'fs'
 import path from 'path'
 import * as provisioner from '../execution/provision'
+import {BuildResult, BuildResults} from '../build-results'
+import {versionIsAtLeast} from '../execution/gradle'
+import {gradleWrapperScript} from '../execution/gradlew'

 export class CacheCleaner {
    private readonly gradleUserHome: string
@@ -21,13 +24,51 @@ export class CacheCleaner {
        return timestamp
    }

-    async forceCleanup(): Promise<void> {
+    async forceCleanup(buildResults: BuildResults): Promise<void> {
+        const executable = await this.gradleExecutableForCleanup(buildResults)
        const cleanTimestamp = core.getState('clean-timestamp')
-        await this.forceCleanupFilesOlderThan(cleanTimestamp)
+        await this.forceCleanupFilesOlderThan(cleanTimestamp, executable)
+    }
+
+    /**
+     * Attempt to use the newest Gradle version that was used to run a build, at least 8.11.
+     *
+     * This will avoid the need to provision a Gradle version for the cleanup when not necessary.
+     */
+    private async gradleExecutableForCleanup(buildResults: BuildResults): Promise<string> {
+        const preferredVersion = buildResults.highestGradleVersion()
+        if (preferredVersion && versionIsAtLeast(preferredVersion, '8.11')) {
+            try {
+                const wrapperScripts = buildResults.results
+                    .map(result => this.findGradleWrapperScript(result))
+                    .filter(Boolean) as string[]
+
+                return await provisioner.provisionGradleWithVersionAtLeast(preferredVersion, wrapperScripts)
+            } catch (e) {
+                // Ignore the case where the preferred version cannot be located in https://services.gradle.org/versions/all.
+                // This can happen for snapshot Gradle versions.
+                core.info(
+                    `Failed to provision Gradle ${preferredVersion} for cache cleanup. Falling back to default version.`
+                )
+            }
+        }
+
+        // Fallback to the minimum version required for cache-cleanup
+        return await provisioner.provisionGradleWithVersionAtLeast('8.11')
+    }
+
+    private findGradleWrapperScript(result: BuildResult): string | null {
+        try {
+            const wrapperScript = gradleWrapperScript(result.rootProjectDir)
+            return path.resolve(result.rootProjectDir, wrapperScript)
+        } catch (error) {
+            core.debug(`No Gradle Wrapper found for ${result.rootProjectName}: ${error}`)
+            return null
+        }
    }

    // Visible for testing
-    async forceCleanupFilesOlderThan(cleanTimestamp: string): Promise<void> {
+    async forceCleanupFilesOlderThan(cleanTimestamp: string, executable: string): Promise<void> {
        // Run a dummy Gradle build to trigger cache cleanup
        const cleanupProjectDir = path.resolve(this.tmpDir, 'dummy-cleanup-project')
        fs.mkdirSync(cleanupProjectDir, {recursive: true})
@@ -44,22 +85,20 @@ export class CacheCleaner {
                settings.caches {
                    cleanup = Cleanup.ALWAYS
            
-                    releasedWrappers.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    snapshotWrappers.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    downloadedResources.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    createdResources.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    buildCache.removeUnusedEntriesOlderThan.set(cleanupTime)
+                    releasedWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    snapshotWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    downloadedResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    createdResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    buildCache.setRemoveUnusedEntriesOlderThan(cleanupTime)
                }
            }
            `
        )
        fs.writeFileSync(path.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}')

-        const executable = await provisioner.provisionGradle('current')
-
        await core.group('Executing Gradle to clean up caches', async () => {
            core.info(`Cleaning up caches last used before ${cleanTimestamp}`)
-            await this.executeCleanupBuild(executable!, cleanupProjectDir)
+            await this.executeCleanupBuild(executable, cleanupProjectDir)
        })
    }

@@ -74,14 +113,12 @@ export class CacheCleaner {
            '--no-scan',
            '--build-cache',
            '-DGITHUB_DEPENDENCY_GRAPH_ENABLED=false',
+            '-DGRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true',
            'noop'
        ]

-        const result = await exec.getExecOutput(executable, args, {
-            cwd: cleanupProjectDir,
-            silent: true
+        await exec.exec(executable, args, {
+            cwd: cleanupProjectDir
        })
-
-        core.info(result.stdout)
    }
 }
@@ -4,7 +4,7 @@ export const DEFAULT_CACHE_ENABLED_REASON = `[Cache was enabled](https://github.

 export const DEFAULT_READONLY_REASON = `[Cache was read-only](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-read-only). By default, the action will only write to the cache for Jobs running on the default branch.`

-export const DEFAULT_DISABLED_REASON = `[Cache was disabled](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#disabling-caching) via action confiugration. Gradle User Home was not restored from or saved to the cache.`
+export const DEFAULT_DISABLED_REASON = `[Cache was disabled](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#disabling-caching) via action configuration. Gradle User Home was not restored from or saved to the cache.`

 export const DEFAULT_WRITEONLY_REASON = `[Cache was set to write-only](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-write-only) via action configuration. Gradle User Home was not restored from cache.`

@@ -110,10 +110,12 @@ export class CacheEntryListener {
    requestedRestoreKeys: string[] | undefined
    restoredKey: string | undefined
    restoredSize: number | undefined
+    restoredTime: number | undefined
    notRestored: string | undefined

    savedKey: string | undefined
    savedSize: number | undefined
+    savedTime: number | undefined
    notSaved: string | undefined

    constructor(entryName: string) {
@@ -130,9 +132,10 @@ export class CacheEntryListener {
        return this
    }

-    markRestored(key: string, size: number | undefined): CacheEntryListener {
+    markRestored(key: string, size: number | undefined, time: number): CacheEntryListener {
        this.restoredKey = key
        this.restoredSize = size
+        this.restoredTime = time
        return this
    }

@@ -141,9 +144,10 @@ export class CacheEntryListener {
        return this
    }

-    markSaved(key: string, size: number | undefined): CacheEntryListener {
+    markSaved(key: string, size: number | undefined, time: number): CacheEntryListener {
        this.savedKey = key
        this.savedSize = size
+        this.savedTime = time
        return this
    }

@@ -182,14 +186,16 @@ ${renderEntryTable(entries)}
 function renderEntryTable(entries: CacheEntryListener[]): string {
    return `
 <table>
-    <tr><td></td><th>Count</th><th>Total Size (Mb)</th></tr>
+    <tr><td></td><th>Count</th><th>Total Size (Mb)</th><th>Total Time (ms)</tr>
    <tr><td>Entries Restored</td>
        <td>${getCount(entries, e => e.restoredSize)}</td>
        <td>${getSize(entries, e => e.restoredSize)}</td>
+        <td>${getTime(entries, e => e.restoredTime)}</td>
    </tr>
    <tr><td>Entries Saved</td>
        <td>${getCount(entries, e => e.savedSize)}</td>
        <td>${getSize(entries, e => e.savedSize)}</td>
+        <td>${getTime(entries, e => e.savedTime)}</td>
    </tr>
 </table>
    `
@@ -202,9 +208,11 @@ function renderEntryDetails(listener: CacheListener): string {
    Requested Key : ${entry.requestedKey ?? ''}
    Restored  Key : ${entry.restoredKey ?? ''}
              Size: ${formatSize(entry.restoredSize)}
+              Time: ${formatTime(entry.restoredTime)}
              ${getRestoredMessage(entry, listener.cacheWriteOnly)}
    Saved     Key : ${entry.savedKey ?? ''}
              Size: ${formatSize(entry.savedSize)}
+              Time: ${formatTime(entry.savedTime)}
              ${getSavedMessage(entry, listener.cacheReadOnly)}
 `
        )
@@ -264,9 +272,23 @@ function getSize(
    return Math.round(bytes / (1024 * 1024))
 }

+function getTime(
+    cacheEntries: CacheEntryListener[],
+    predicate: (value: CacheEntryListener) => number | undefined
+): number {
+    return cacheEntries.map(e => predicate(e) ?? 0).reduce((p, v) => p + v, 0)
+}
+
 function formatSize(bytes: number | undefined): string {
    if (bytes === undefined || bytes === 0) {
        return ''
    }
    return `${Math.round(bytes / (1024 * 1024))} MB (${bytes} B)`
 }
+
+function formatTime(ms: number | undefined): string {
+    if (ms === undefined || ms === 0) {
+        return ''
+    }
+    return `${ms} ms`
+}
@@ -38,13 +38,16 @@ export async function restoreCache(
 ): Promise<cache.CacheEntry | undefined> {
    listener.markRequested(cacheKey, cacheRestoreKeys)
    try {
+        const startTime = Date.now()
        // Only override the read timeout if the SEGMENT_DOWNLOAD_TIMEOUT_MINS env var has NOT been set
        const cacheRestoreOptions = process.env[SEGMENT_DOWNLOAD_TIMEOUT_VAR]
            ? {}
            : {segmentTimeoutInMs: SEGMENT_DOWNLOAD_TIMEOUT_DEFAULT}
        const restoredEntry = await cache.restoreCache(cachePath, cacheKey, cacheRestoreKeys, cacheRestoreOptions)
        if (restoredEntry !== undefined) {
-            listener.markRestored(restoredEntry.key, restoredEntry.size)
+            const restoreTime = Date.now() - startTime
+            listener.markRestored(restoredEntry.key, restoredEntry.size, restoreTime)
+            core.info(`Restored cache entry with key ${cacheKey} to ${cachePath.join()} in ${restoreTime}ms`)
        }
        return restoredEntry
    } catch (error) {
@@ -56,8 +59,11 @@ export async function restoreCache(

 export async function saveCache(cachePath: string[], cacheKey: string, listener: CacheEntryListener): Promise<void> {
    try {
+        const startTime = Date.now()
        const savedEntry = await cache.saveCache(cachePath, cacheKey)
-        listener.markSaved(savedEntry.key, savedEntry.size)
+        const saveTime = Date.now() - startTime
+        listener.markSaved(savedEntry.key, savedEntry.size, saveTime)
+        core.info(`Saved cache entry with key ${cacheKey} from ${cachePath.join()} in ${saveTime}ms`)
    } catch (error) {
        if (error instanceof cache.ReserveCacheError) {
            listener.markAlreadyExists(cacheKey)
@@ -102,7 +102,7 @@ export async function save(
            cacheListener.setCacheCleanupDisabled(CLEANUP_DISABLED_DUE_TO_CONFIG_CACHE_HIT)
        } else if (cacheConfig.shouldPerformCacheCleanup(buildResults.anyFailed())) {
            cacheListener.setCacheCleanupEnabled()
-            await performCacheCleanup(gradleUserHome)
+            await performCacheCleanup(gradleUserHome, buildResults)
        } else {
            core.info('Not performing cache-cleanup due to build failure')
            cacheListener.setCacheCleanupDisabled(CLEANUP_DISABLED_DUE_TO_FAILURE)
@@ -114,10 +114,10 @@ export async function save(
    })
 }

-async function performCacheCleanup(gradleUserHome: string): Promise<void> {
+async function performCacheCleanup(gradleUserHome: string, buildResults: BuildResults): Promise<void> {
    const cacheCleaner = new CacheCleaner(gradleUserHome, process.env['RUNNER_TEMP']!)
    try {
-        await cacheCleaner.forceCleanup()
+        await cacheCleaner.forceCleanup(buildResults)
    } catch (e) {
        core.warning(`Cache cleanup failed. Will continue. ${String(e)}`)
    }
@@ -2,7 +2,6 @@ import path from 'path'
 import fs from 'fs'
 import * as core from '@actions/core'
 import * as glob from '@actions/glob'
-import * as semver from 'semver'

 import {CacheEntryListener, CacheListener} from './cache-reporting'
 import {cacheDebug, hashFileNames, isCacheDebuggingEnabled, restoreCache, saveCache, tryDelete} from './cache-utils'
@@ -10,6 +9,7 @@ import {cacheDebug, hashFileNames, isCacheDebuggingEnabled, restoreCache, saveCa
 import {BuildResult, loadBuildResults} from '../build-results'
 import {CacheConfig, ACTION_METADATA_DIR} from '../configuration'
 import {getCacheKeyBase} from './cache-key'
+import {versionIsAtLeast} from '../execution/gradle'

 const SKIP_RESTORE_VAR = 'GRADLE_BUILD_ACTION_SKIP_RESTORE'
 const CACHE_PROTOCOL_VERSION = 'v1'
@@ -132,9 +132,8 @@ abstract class AbstractEntryExtractor {
        pattern: string,
        listener: CacheEntryListener
    ): Promise<ExtractedCacheEntry> {
-        const restoredEntry = await restoreCache([pattern], cacheKey, [], listener)
+        const restoredEntry = await restoreCache(pattern.split('\n'), cacheKey, [], listener)
        if (restoredEntry) {
-            core.info(`Restored ${artifactType} with key ${cacheKey} to ${pattern}`)
            return new ExtractedCacheEntry(artifactType, pattern, cacheKey)
        } else {
            core.info(`Did not restore ${artifactType} with key ${cacheKey} to ${pattern}`)
@@ -232,8 +231,7 @@ abstract class AbstractEntryExtractor {
            cacheDebug(`No change to previously restored ${artifactType}. Not saving.`)
            entryListener.markNotSaved('contents unchanged')
        } else {
-            core.info(`Caching ${artifactType} with path '${pattern}' and cache key: ${cacheKey}`)
-            await saveCache([pattern], cacheKey, entryListener)
+            await saveCache(pattern.split('\n'), cacheKey, entryListener)
        }

        for (const file of matchingFiles) {
@@ -434,8 +432,7 @@ export class ConfigurationCacheEntryExtractor extends AbstractEntryExtractor {
            // If any associated build result used Gradle < 8.6, then mark it as not cacheable
            if (
                pathResults.find(result => {
-                    const gradleVersion = semver.coerce(result.gradleVersion)
-                    return gradleVersion && semver.lt(gradleVersion, '8.6.0')
+                    return !versionIsAtLeast(result.gradleVersion, '8.6.0')
                })
            ) {
                core.info(
@@ -60,7 +60,8 @@ export class GradleUserHomeCache {
    restoreKeys:[${cacheKey.restoreKeys}]`
        )

-        const cacheResult = await restoreCache(this.getCachePath(), cacheKey.key, cacheKey.restoreKeys, entryListener)
+        const cachePath = this.getCachePath()
+        const cacheResult = await restoreCache(cachePath, cacheKey.key, cacheKey.restoreKeys, entryListener)
        if (!cacheResult) {
            core.info(`${this.cacheDescription} cache not found. Will initialize empty.`)
            return
@@ -68,8 +69,6 @@ export class GradleUserHomeCache {

        core.saveState(RESTORED_CACHE_KEY_KEY, cacheResult.key)

-        core.info(`Restored ${this.cacheDescription} from cache key: ${cacheResult.key}`)
-
        try {
            await this.afterRestore(listener)
        } catch (error) {
@@ -120,10 +119,8 @@ export class GradleUserHomeCache {
            return
        }

-        core.info(`Caching ${this.cacheDescription} with cache key: ${cacheKey}`)
        const cachePath = this.getCachePath()
        await saveCache(cachePath, cacheKey, gradleHomeEntryListener)
-
        return
    }

@@ -13,34 +13,37 @@ export function readResourceFileAsString(...paths: string[]): string {
 * @VisibleForTesting
 */
 export function getPredefinedToolchains(): string | null {
-    const javaHomeEnvs: string[] = []
-    for (const javaHomeEnvsKey in process.env) {
-        if (javaHomeEnvsKey.startsWith('JAVA_HOME_')) {
-            javaHomeEnvs.push(javaHomeEnvsKey)
-        }
-    }
+    // Get the version and path for each JAVA_HOME env var
+    const javaHomeEnvs = Object.entries(process.env)
+        .filter(([key]) => key.startsWith('JAVA_HOME_') && process.env[key])
+        .map(([key, value]) => ({
+            jdkVersion: key.match(/JAVA_HOME_(\d+)_/)?.[1] ?? null,
+            jdkPath: value as string
+        }))
+        .filter(env => env.jdkVersion !== null)
+
    if (javaHomeEnvs.length === 0) {
        return null
    }
+
    // language=XML
-    let toolchainsXml = `<?xml version="1.0" encoding="UTF-8"?>
+    return `<?xml version="1.0" encoding="UTF-8"?>
 <toolchains>
 <!-- JDK Toolchains installed by default on GitHub-hosted runners -->
-`
-    for (const javaHomeEnv of javaHomeEnvs) {
-        const version = javaHomeEnv.match(/JAVA_HOME_(\d+)_/)?.[1]!
-        toolchainsXml += `  <toolchain>
+${javaHomeEnvs
+    .map(
+        ({jdkVersion, jdkPath}) => `  <toolchain>
    <type>jdk</type>
    <provides>
-      <version>${version}</version>
+      <version>${jdkVersion}</version>
    </provides>
    <configuration>
-      <jdkHome>\${env.${javaHomeEnv}}</jdkHome>
+      <jdkHome>${jdkPath}</jdkHome>
    </configuration>
-  </toolchain>\n`
-    }
-    toolchainsXml += `</toolchains>\n`
-    return toolchainsXml
+  </toolchain>`
+    )
+    .join('\n')}
+</toolchains>\n`
 }

 export function mergeToolchainContent(existingToolchainContent: string, preInstalledToolchains: string): string {
@@ -20,13 +20,15 @@ export class DependencyGraphConfig {
                return DependencyGraphOption.Generate
            case 'generate-and-submit':
                return DependencyGraphOption.GenerateAndSubmit
+            case 'generate-submit-and-upload':
+                return DependencyGraphOption.GenerateSubmitAndUpload
            case 'generate-and-upload':
                return DependencyGraphOption.GenerateAndUpload
            case 'download-and-submit':
                return DependencyGraphOption.DownloadAndSubmit
        }
        throw TypeError(
-            `The value '${val}' is not valid for 'dependency-graph'. Valid values are: [disabled, generate, generate-and-submit, generate-and-upload, download-and-submit]. The default value is 'disabled'.`
+            `The value '${val}' is not valid for 'dependency-graph'. Valid values are: [disabled, generate, generate-and-submit, generate-submit-and-upload, generate-and-upload, download-and-submit].`
        )
    }

@@ -96,6 +98,7 @@ export enum DependencyGraphOption {
    Disabled = 'disabled',
    Generate = 'generate',
    GenerateAndSubmit = 'generate-and-submit',
+    GenerateSubmitAndUpload = 'generate-submit-and-upload',
    GenerateAndUpload = 'generate-and-upload',
    DownloadAndSubmit = 'download-and-submit'
 }
@@ -60,7 +60,10 @@ export async function complete(config: DependencyGraphConfig): Promise<void> {
            case DependencyGraphOption.DownloadAndSubmit: // Performed in setup
                return
            case DependencyGraphOption.GenerateAndSubmit:
-                await findAndSubmitDependencyGraphs(config)
+                await findAndSubmitDependencyGraphs(config, false)
+                return
+            case DependencyGraphOption.GenerateSubmitAndUpload:
+                await findAndSubmitDependencyGraphs(config, true)
                return
            case DependencyGraphOption.GenerateAndUpload:
                await findAndUploadDependencyGraphs(config)
@@ -83,7 +86,7 @@ async function downloadAndSubmitDependencyGraphs(config: DependencyGraphConfig):
    }
 }

-async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig): Promise<void> {
+async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig, uploadAfterSubmit: boolean): Promise<void> {
    if (isRunningInActEnvironment()) {
        core.info('Dependency graph not supported in the ACT environment.')
        return
@@ -100,6 +103,10 @@ async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig): Pro
        }
        throw e
    }
+
+    if (uploadAfterSubmit) {
+        await uploadDependencyGraphs(dependencyGraphFiles, config)
+    }
 }

 async function findAndUploadDependencyGraphs(config: DependencyGraphConfig): Promise<void> {
--- a/Show More
+++ b/Show More