Onboard Renovate for Develocity plugin and Gradle wrapper upgrades

Adds .github/renovate.json5 so this repo manages its own Develocity
Gradle plugin version (across the workflow YAML, build-scan.ts, the
setup-gradle docs, the sample settings.gradle / build.gradle files,
and the init-script test groovy files) and Gradle wrapper bumps in the
five sample directories that previously had wrappers maintained
externally.

Renovate is scoped narrowly via enabledManagers so it does not overlap
with the npm, github-actions, and Maven-coordinate Gradle updates that
Dependabot continues to handle through .github/dependabot.yml.

.github/renovate.json5

@@ -0,0 +1,78 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "config:recommended",
+    "github>gradle/renovate-agent//presets/dv-automerge-minor.json5",
+    ":disableDependencyDashboard",
+  ],
+  // Renovate is scoped narrowly here: only the Develocity Gradle plugin (custom regex)
+  // and the Gradle wrappers in selected sample directories.
+  // Everything else (npm, github-actions, Maven coordinates) is managed by Dependabot
+  // via .github/dependabot.yml.
+  enabledManagers: ["custom.regex", "gradle-wrapper"],
+  "gradle-wrapper": {
+    fileMatch: [
+      "^\\.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^\\.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper\\.properties$",
+      "^sources/test/init-scripts/gradle/wrapper/gradle-wrapper\\.properties$",
+    ],
+  },
+  customManagers: [
+    {
+      customType: "regex",
+      description: "Bump Develocity Gradle plugin references in files outside Dependabot's coverage",
+      fileMatch: [
+        "^\\.github/workflows/integ-test-inject-develocity\\.yml$",
+        "^sources/src/develocity/build-scan\\.ts$",
+        "^docs/setup-gradle\\.md$",
+        "(^|/)settings\\.gradle$",
+        "(^|/)settings\\.gradle\\.kts$",
+        "(^|/)build\\.gradle$",
+        "(^|/)build\\.gradle\\.kts$",
+        "^sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/BaseInitScriptTest\\.groovy$",
+        "^sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestBuildResultRecorder\\.groovy$",
+      ],
+      // Patterns capture any X.Y(.Z) version. The packageRules below filter to
+      // just the current 4.x line and skip the pinned 3.x legacy refs.
+      // When the plugin's major version changes, edit `matchCurrentVersion` and
+      // `allowedVersions` in the packageRules block below — no regex edits here.
+      matchStrings: [
+        "plugin-version:[^\\n]*'(?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)'",
+        "DEVELOCITY_PLUGIN_VERSION[^\\n]*'(?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)'",
+        "`v(?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)`\\s+of\\s+the\\s+\\[Develocity Gradle plugin",
+        "id\\s+['\"]com\\.gradle\\.develocity['\"]\\s+version\\s+['\"](?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)['\"]",
+        "id\\(['\"]com\\.gradle\\.develocity['\"]\\)\\s+version\\s+['\"](?<currentValue>\\d+\\.\\d+(?:\\.\\d+)?)['\"]",
+      ],
+      depNameTemplate: "com.gradle:develocity-gradle-plugin",
+      datasourceTemplate: "maven",
+      registryUrlTemplate: "https://plugins.gradle.org/m2",
+    },
+  ],
+  packageRules: [
+    {
+      // Skip the legacy 3.16.2 references that are intentionally pinned.
+      matchManagers: ["custom.regex"],
+      matchPackageNames: ["com.gradle:develocity-gradle-plugin"],
+      matchCurrentVersion: "<4.0.0",
+      enabled: false,
+    },
+    {
+      // Current 4.x line. To start tracking the next major (5.x), replace `5.0.0`
+      // with `6.0.0` in both fields below — no regex edits needed.
+      matchManagers: ["custom.regex"],
+      matchPackageNames: ["com.gradle:develocity-gradle-plugin"],
+      matchCurrentVersion: ">=4.0.0 <5.0.0",
+      allowedVersions: "<5.0.0",
+      groupName: "Develocity Gradle plugin",
+      groupSlug: "develocity-gradle-plugin",
+    },
+    {
+      matchManagers: ["gradle-wrapper"],
+      groupName: "Gradle wrappers",
+      groupSlug: "gradle-wrappers",
+    },
+  ],
+}

README.md

@@ -39,7 +39,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
     - name: Build with Gradle
       run: ./gradlew build
 ```
@@ -77,7 +77,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
 ```
 
 See the [full action documentation](docs/dependency-submission.md) for more advanced usage scenarios.
@@ -106,7 +106,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: gradle/actions/wrapper-validation@v5
+      - uses: gradle/actions/wrapper-validation@v6
 ```
 
 See the [full action documentation](docs/wrapper-validation.md) for more advanced usage scenarios.

dependency-submission/README.md

@@ -29,7 +29,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
 ```
 
 See the [full action documentation](../docs/dependency-submission.md) for more advanced usage scenarios.

docs/dependency-submission.md

@@ -22,7 +22,7 @@ If you're confused by the behaviour you're seeing or have specific questions, pl
 > **Prefer a 100% Open Source (MIT) path?**
 > We also provide a **Basic Caching** provider as a thin wrapper over `actions/cache`. This provider is **free for all repositories** (public and private) and can be enabled at any time by setting `cache-provider: basic`.
 >
-> For a full breakdown of the components, usage tiers, and our **Safe Harbor** data privacy commitment, see our [Distribution & Licensing Guide](./DISTRIBUTION.md).
+> For a full breakdown of the components, usage tiers, and our **Safe Harbor** data privacy commitment, see our [Distribution & Licensing Guide](../DISTRIBUTION.md).
 
 ## General usage
 
@@ -52,7 +52,7 @@ jobs:
         java-version: 17
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
 ```
 
 ### Gradle execution
@@ -88,7 +88,7 @@ Three input parameters are required, one to enable publishing and two more to ac
 
 ```yaml
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
@@ -103,7 +103,7 @@ In some cases, the default action configuration will not be sufficient, and addi
 
 ```yaml
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         # Use a particular Gradle version instead of the configured wrapper.
         gradle-version: '8.6'
@@ -150,7 +150,7 @@ To reduce storage costs for these artifacts, you can:
 
 ```yaml
     - name: Generate dependency graph but only store workflow artifacts for 1 day
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         artifact-retention-days: 1 # Default is 30 days or as configured for repository
 ```
@@ -159,7 +159,7 @@ To reduce storage costs for these artifacts, you can:
 
 ```yaml
     - name: Generate and submit dependency graph but do not store as workflow artifact
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
 ```
@@ -319,7 +319,7 @@ For example, if you want to exclude dependencies resolved by the `buildSrc` proj
 
 ```yaml
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         # Exclude all dependencies that originate solely in the 'buildSrc' project
         dependency-graph-exclude-projects: ':buildSrc'
@@ -370,7 +370,7 @@ jobs:
         java-version: 17
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
 ```
 
 #### 2. Add a dedicated Dependency Review workflow
@@ -432,7 +432,7 @@ jobs:
         java-version: 17
 
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         dependency-graph: generate-and-upload
 ```
@@ -455,7 +455,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v6
       with:
         dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```

docs/deprecation-upgrade-guide.md

@@ -20,7 +20,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/setup-gradle@v5
+    uses: gradle/actions/setup-gradle@v6
 ```
 
 ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
@@ -40,7 +40,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/wrapper-validation@v5
+    uses: gradle/actions/wrapper-validation@v6
 ```
 
 ## Using the action to execute Gradle via the `arguments` parameter is deprecated
@@ -82,7 +82,7 @@ The exact syntax depends on whether or not your project is configured with the [
 
 ```
 - name: Setup Gradle
-  uses: gradle/actions/setup-gradle@v5
+  uses: gradle/actions/setup-gradle@v6
 
 - name: Assemble the project
   run: ./gradlew assemble
@@ -99,7 +99,7 @@ The exact syntax depends on whether or not your project is configured with the [
 
 ```
 - name: Setup Gradle for a non-wrapper project
-  uses: gradle/actions/setup-gradle@v5
+  uses: gradle/actions/setup-gradle@v6
   with:
     gradle-version: '8.11'
 

docs/setup-gradle.md

@@ -9,7 +9,7 @@ This GitHub Action can be used to configure Gradle for optimal execution on any
 > **Prefer a 100% Open Source (MIT) path?**
 > We also provide a **Basic Caching** provider as a thin wrapper over `actions/cache`. This provider is **free for all repositories** (public and private) and can be enabled at any time by setting `cache-provider: basic`.
 >
-> For a full breakdown of the components, usage tiers, and our **Safe Harbor** data privacy commitment, see our [Distribution & Licensing Guide](./DISTRIBUTION.md).
+> For a full breakdown of the components, usage tiers, and our **Safe Harbor** data privacy commitment, see our [Distribution & Licensing Guide](../DISTRIBUTION.md).
 
 ## Why use the `setup-gradle` action?
 
@@ -55,7 +55,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
 
     - name: Execute Gradle build
       run: ./gradlew build
@@ -68,7 +68,7 @@ Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid havi
 
 ```yaml
  - name: Setup Gradle 8.10
-   uses: gradle/actions/setup-gradle@v5
+   uses: gradle/actions/setup-gradle@v6
    with:
      gradle-version: '8.10' # Quotes required to prevent YAML converting to number
   - name: Build with Gradle 8.10
@@ -106,7 +106,7 @@ jobs:
         distribution: temurin
         java-version: 17
 
-    - uses: gradle/actions/setup-gradle@v5
+    - uses: gradle/actions/setup-gradle@v6
       id: setup-gradle
       with:
         gradle-version: release-candidate
@@ -135,8 +135,11 @@ You choose which provider to use via the `cache-provider` input:
 - **`basic`**: A fully open-source (MIT) caching implementation built on the standard GitHub Actions cache (`@actions/cache`). Uses the same caching strategy as `actions/setup-java` with `cache: gradle`. See [Basic Caching](#basic-caching) for details.
 
 ```yaml
-# Use the open-source basic cache provider
-cache-provider: basic
+    # Use the open-source basic cache provider
+    - uses: gradle/actions/setup-gradle@v6
+      id: setup-gradle
+      with:
+        cache-provider: basic
 ```
 
 ### Common cache configuration
@@ -538,7 +541,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         add-job-summary-as-pr-comment: 'on-failure' # Valid values are 'never' (default), 'always', and 'on-failure'
 
@@ -575,7 +578,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
 
     - name: Run build with Gradle wrapper
       run: ./gradlew build --scan
@@ -606,7 +609,7 @@ If you do not want wrapper-validation to occur automatically, you can disable it
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         validate-wrappers: false
 ```
@@ -618,7 +621,7 @@ These are not allowed by default.
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         validate-wrappers: true
         allow-snapshot-wrappers: true
@@ -683,7 +686,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         dependency-graph: generate-and-submit
     - name: Run the usual CI build (dependency-graph will be generated and submitted post-job)
@@ -710,7 +713,7 @@ graph cannot be generated or submitted. You can enable this behavior with the `d
 
 ```yaml
 # Ensure that the workflow Job will fail if the dependency graph cannot be submitted
-- uses: gradle/actions/setup-gradle@v5
+- uses: gradle/actions/setup-gradle@v6
   with:
     dependency-graph: generate-and-submit
     dependency-graph-continue-on-failure: false
@@ -735,7 +738,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         dependency-graph: generate-and-submit
     - name: Run a build, resolving the 'dependency-graph' plugin from the plugin portal proxy
@@ -765,7 +768,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         dependency-graph: generate-and-submit
     - name: Build the app, generating a graph of dependencies required
@@ -809,7 +812,7 @@ To publish to https://scans.gradle.com, you must specify in your workflow that y
 
 ```yaml
     - name: Setup Gradle to publish build scans
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: 'https://gradle.com/terms-of-service'
@@ -831,7 +834,7 @@ The short-lived access token will then be used wherever a Develocity access key
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }} # Long-lived access key, visiblility is restricted to this step.
 
@@ -849,7 +852,7 @@ To avoid this, use the `develocity-token-expiry` parameter to specify a differen
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
         develocity-token-expiry: '8' # The number of hours that the access token should remain valid (max 24).
@@ -871,7 +874,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
 
     # The build will automatically use a short-lived access token to authenticate with Develocity
     - name: Run a Gradle build that is configured to publish to Develocity.
@@ -903,7 +906,7 @@ Here's a minimal example:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         develocity-injection-enabled: true
         develocity-url: 'https://develocity.your-server.com'
@@ -920,7 +923,7 @@ In the likely scenario that your Develocity server requires authentication, you
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
 
@@ -971,7 +974,7 @@ Here's an example using the env vars:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
 
     - name: Run a Gradle build with Develocity injection enabled with environment variables
       run: ./gradlew build

docs/wrapper-validation.md

@@ -50,7 +50,7 @@ We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/
 Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
 
 ```yaml
-uses: gradle/actions/wrapper-validation@v5
+uses: gradle/actions/wrapper-validation@v6
 ```
 
 This action step should precede any step using `gradle/gradle-build-action` or `gradle/actions/setup-gradle`.
@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: gradle/actions/wrapper-validation@v5
+      - uses: gradle/actions/wrapper-validation@v6
 ```
 
 ## Contributing to an external GitHub Repository

setup-gradle/README.md

@@ -26,7 +26,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v6
     - name: Build with Gradle
       run: ./gradlew build
 ```

wrapper-validation/README.md

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: gradle/actions/wrapper-validation@v5
+      - uses: gradle/actions/wrapper-validation@v6
 ```
 
 See the [full action documentation](../docs/wrapper-validation.md) for more advanced usage scenarios.