More docs improvements

Instead of using 'dependency-graph-action' with some slightly better
values, we now use 'dependency-graph' as the parameter name with a subset
of the options available to 'setup-gradle'.

.github/workflow-samples/groovy-dsl/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.enterprise" version "3.16.1"
+    id "com.gradle.enterprise" version "3.16.2"
     id "com.gradle.common-custom-user-data-gradle-plugin" version "1.12.1"
 }
 

.github/workflow-samples/kotlin-dsl/settings.gradle.kts

@@ -1,5 +1,5 @@
 plugins {
-    id("com.gradle.enterprise") version "3.16.1"
+    id("com.gradle.enterprise") version "3.16.2"
     id("com.gradle.common-custom-user-data-gradle-plugin") version "1.12.1"
 }
 

.github/workflow-samples/no-wrapper-gradle-5/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.build-scan" version "3.16.1" 
+    id "com.gradle.build-scan" version "3.16.2" 
 }
 
 gradleEnterprise {

.github/workflow-samples/no-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.enterprise" version "3.16.1"
+    id "com.gradle.enterprise" version "3.16.2"
 }
 
 gradleEnterprise {

.github/workflows/ci-init-script-check.yml

@@ -20,7 +20,7 @@ jobs:
         distribution: temurin
         java-version: 8
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3-beta # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@v3 # Use a released version to avoid breakages
     - name: Run integration tests
       working-directory: sources/test/init-scripts
       run: ./gradlew check

.github/workflows/dependency-submission-save.yml

@@ -20,6 +20,6 @@ jobs:
       uses: ./dependency-submission
       with:
         build-root-directory: .github/workflow-samples/groovy-dsl
-        dependency-graph-action: generate-and-save
+        dependency-graph: generate-and-upload
       env:
         GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

.github/workflows/dependency-submission-submit.yml

@@ -20,4 +20,4 @@ jobs:
     - name: Download and submit dependency graph
       uses: ./dependency-submission
       with:
-        dependency-graph-action: retrieve-and-submit
+        dependency-graph: download-and-submit

.github/workflows/integ-test-inject-develocity.yml

@@ -25,9 +25,9 @@ jobs:
     env:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: https://ge.solutions-team.gradle.com
-      DEVELOCITY_PLUGIN_VERSION: 3.16.1
+      DEVELOCITY_PLUGIN_VERSION: 3.16.2
       DEVELOCITY_CCUD_PLUGIN_VERSION: 1.12.1
-      GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} # This env var has not (yet) been renamed/aliased in GE plugin 3.16.1
+      GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} # This env var has not (yet) been renamed/aliased in GE plugin 3.16.2
     strategy:
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]

.github/workflows/purge-old-workflow-runs.yml

@@ -1,28 +0,0 @@
-name: Purge old workflow runs
-on:
-  workflow_dispatch:
-    inputs:
-      days:
-        description: 'Purge runs older than days'
-        required: true
-        default: 30
-      minimum_runs:
-        description: 'The minimum runs to keep for each workflow.'
-        required: true
-        default: 6
-      delete_workflow_pattern:
-        description: 'The name of the workflow. if not set then it will target all workflows.'
-        required: false
-
-jobs:
-  del_runs:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Purge workflow runs
-        uses: Mattraks/delete-workflow-runs@v2
-        with:
-          token: ${{ github.token }}
-          repository: ${{ github.repository }}
-          retain_days: ${{ github.event.inputs.days }}
-          keep_minimum_runs: ${{ github.event.inputs.minimum_runs }}
-          delete_workflow_pattern: ${{ github.event.inputs.delete_workflow_pattern }}

.github/workflows/setup-gradle.yml

@@ -1,20 +0,0 @@
-name: Test setup-gradle
-
-on:
-  workflow_dispatch:
-  push:
-
-env:
-  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
-
-jobs:
-  test-setup-gradle:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout sources
-      uses: actions/checkout@v4
-    - name: Setup Gradle
-      uses: ./setup-gradle
-    - name: Build groovy-dsl project
-      working-directory: .github/workflow-samples/groovy-dsl
-      run: ./gradlew assemble

README.md

@@ -20,7 +20,7 @@ jobs:
     - name: Checkout sources
       uses: actions/checkout@v4
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
     - name: Build with Gradle
       run: ./gradlew build
 ```
@@ -51,7 +51,7 @@ jobs:
     - name: Checkout sources
       uses: actions/checkout@v4
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3-beta
+      uses: gradle/actions/dependency-submission@v3
 ```
 
 See the [full action documentation](dependency-submission/README.md) for more advanced usage scenarios.

dependency-submission/README.md

@@ -1,8 +1,17 @@
 # The `dependency-submission` action
 
-Generates and submits a dependency graph for a Gradle project. This action is designed to be used in a standalone workflow.
-The intention is to provide a simple, standardised way to enable Dependency Graph support for Gradle repositories,
-with a long-term goal of having this functionality enabled by default for Gradle projects on GitHub.
+The `gradle/actions/dependency-submission` action provides the simplest (and recommended) way to generate a 
+dependency graph for your project. This action will attempt to detect all dependencies used by your build
+without building and testing the project itself.
+
+The dependency graph snapshot is generated via integration with the [GitHub Dependency Graph Gradle Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin), and submitted to your repository via the 
+[GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission).
+The generated snapshot files can be submitted in the same job, or saved for submission in a subsequent job.
+
+The generated dependency graph includes all of the dependencies in your build, and is used by GitHub to generate 
+[Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) 
+for vulnerable dependencies, as well as to populate the 
+[Dependency Graph insights view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).
 
 ## General usage
 
@@ -26,14 +35,14 @@ jobs:
     - name: Checkout sources
       uses: actions/checkout@v4
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3-beta
+      uses: gradle/actions/dependency-submission@v3
 ```
 
 ### Configuration parameters
 
 In some cases, the default action configuration will not be sufficient, and additional action parameters will need to be specified.
 
-See the example below for a summary, and the [Action Metadata file](../dependency-submission/action.yml) for a more detailed description of each input parameter.
+See the example below for a summary, and the [Action Metadata file](action.yml) for a more detailed description of each input parameter.
 
 ```yaml
 name: Dependency Submission with advanced config
@@ -50,7 +59,7 @@ jobs:
     - name: Checkout sources
       uses: actions/checkout@v4
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v3-beta
+      uses: gradle/actions/dependency-submission@v3
       with:
         # Use a particular Gradle version instead of the configured wrapper.
         gradle-version: 8.6-rc-2
@@ -62,10 +71,94 @@ jobs:
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 
         # Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
-        dependency-graph-action: generate-and-save
+        dependency-graph: generate-and-upload
 ```
 
-## Integrating the `dependency-review-action`
+## Limiting the scope of the dependency graph
+
+By default, the `dependency-submission` action attempts to detect all dependencies declared and used by your Gradle build.
+At times it may helpful to limit the dependencies reported to GitHub, to avoid security alerts for dependencies that 
+don't form a critical part of your product. For example, a vulnerability in the tool you use to generate documentation 
+may not be as important as a vulnerability in one of your runtime dependencies.
+
+The `dependency-submission` action provides a convenient mechanism to filter the projects and configurations that
+contribute to the dependency graph.
+
+> [!NOTE]
+> Ideally, all dependencies involved in building and testing a project will be extracted and reported in a dependency graph. 
+> These dependencies would be assigned to different scopes (eg development, runtime, testing) and the GitHub UI would make it easy to opt-in to security alerts for different dependency scopes.
+> However, this functionality does not yet exist.
+
+### Excluding certain Gradle projects from to the dependency graph
+
+If you do not want the dependency graph to include dependencies from every project in your build, 
+you can easily exclude certain projects from the dependency extraction process.
+
+To restrict which Gradle subprojects contribute to the report, specify which projects to exclude via a regular expression.
+You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_PROJECTS` environment variable or system property.
+
+Note that excluding a project in this way only removes dependencies that are _resolved_ as part of that project, and may
+not necessarily remove all dependencies _declared_ in that project. If another project depends on the excluded project
+then it may transitively resolve dependencies declared in the excluded project: these dependencies will still be included
+in the generated dependency graph.
+
+### Excluding certain Gradle configurations from to the dependency graph
+
+Similarly to Gradle projects, it is possible to exclude a set of configuration instances from dependency graph generation,
+so that dependencies resolved by those configurations are not included.
+
+To restrict which Gradle configurations contribute to the report, specify which configurations to exclude via a regular expression.
+You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS` environment variable or system property.
+
+Note that configuration exclusion applies to the configuration in which the dependency is _resolved_ which is not necessarily
+the configuration where the dependency is _declared_. For example if you decare a dependency as `implementation` in
+a Java project, that dependency will be resolved in `compileClasspath`, `runtimeClasspath` and possibly other configurations.
+
+### Example of project and configuration filtering
+
+For example, if you want to exclude dependencies in the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration:
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Generate and submit dependency graph
+      uses: gradle/actions/dependency-submission@v3
+      env:
+        DEPENDENCY_GRAPH_EXCLUDE_PROJECTS: ':buildSrc'
+        DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS: 'test(Compile|Runtime)Classpath'
+```
+
+### Other configuration options
+
+The [GitHub Dependency Graph Gradle Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin)
+has other filtering options that may be useful.
+ See [the docs](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#filtering-which-gradle-configurations-contribute-to-the-dependency-graph) for details.
+
+## Advance usage scenarios
+
+### Using a custom plugin repository
+
+By default, the action downloads the `github-dependency-graph-gradle-plugin` from the Gradle Plugin Portal (https://plugins.gradle.org). If your GitHub Actions environment does not have access to this URL, you can specify a custom plugin repository to use. 
+Do so by setting the `GRADLE_PLUGIN_REPOSITORY_URL` environment variable.
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Generate and submit dependency graph
+      uses: gradle/actions/dependency-submission@v3
+      env:
+        GRADLE_PLUGIN_REPOSITORY_URL: "https://gradle-plugins-proxy.mycorp.com"
+```
+
+### Integrating the `dependency-review-action`
 
 The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
 understand dependency changes (and the security impact of these changes) for a pull request,
@@ -88,7 +181,7 @@ jobs:
     - name: Checkout sources
       uses: actions/checkout@v4
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3-beta
+      uses: gradle/actions/dependency-submission@v3
   
   dependency-review:
     needs: dependency-submission
@@ -101,14 +194,14 @@ jobs:
 Note that the `dependency-submission` action submits the dependency graph at the completion of the workflow Job.
 For this reason, the `dependency-review-action` must be executed in a dependent job, and not as a subsequent step in the job that generates the dependency graph.
 
-## Usage with pull requests from public forked repositories
+### Usage with pull requests from public forked repositories
 
 This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
 This limitation is designed to prevent a malicious pull request from effecting repository changes.
 
 Because of this restriction, we require 2 separate workflows in order to generate and submit a dependency graph:
-1. The first workflow runs directly against the pull request sources and will `generate-and-save` the dependency graph.
-2. The second workflow is triggered on `workflow_run` of the first workflow, and will `retrieve-and-submit` the previously saved dependency graph.
+1. The first workflow runs directly against the pull request sources and will `generate-and-upload` the dependency graph.
+2. The second workflow is triggered on `workflow_run` of the first workflow, and will `download-and-submit` the previously saved dependency graph.
 
 ***Main workflow file***
 ```yaml
@@ -125,15 +218,15 @@ jobs:
     steps:
     - name: Checkout sources
       uses: actions/checkout@v4
-    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3-beta
+    - name: Generate and save dependency graph
+      uses: gradle/actions/dependency-submission@v3
       with:
-        dependency-graph-action: generate-and-save
+        dependency-graph: generate-and-upload
 ```
 
 ***Dependent workflow file***
 ```yaml
-name: Retrieve and submit dependency graph
+name: Download and submit dependency graph
 
 on:
   workflow_run:
@@ -147,10 +240,10 @@ jobs:
   submit-dependency-graph:
     runs-on: ubuntu-latest
     steps:
-    - name: Retrieve and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3-beta
+    - name: Download and submit dependency graph
+      uses: gradle/actions/dependency-submission@v3
       with:
-        dependency-graph-action: retrieve-and-submit # Download saved dependency-graph and submit
+        dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```
 
 ### Integrating `dependency-review-action` for pull requests from public forked repositories
@@ -180,7 +273,7 @@ jobs:
         retry-on-snapshot-warnings-timeout: 600
 ```
 
-The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Retrieve and submit dependency graph` workflows (above) to complete.
+The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
 
 ## Gradle version compatibility
 
@@ -188,3 +281,5 @@ Dependency-graph generation is compatible with most versions of Gradle >= `5.2`,
 Gradle versions `5.2.1`, `5.6.4`, `6.0.1`, `6.9.4`, `7.1.1` and `7.6.3`, as well as all patched versions of Gradle 8.x.
 
 A known exception to this is that Gradle `7.0`, `7.0.1` and `7.0.2` are not supported.
+
+See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.

dependency-submission/action.yml

@@ -16,54 +16,61 @@ inputs:
       A suitable key can be generated with `openssl rand -base64 16`.
       Configuration-cache data will not be saved/restored without an encryption key being provided.
     required: false
-  dependency-graph-action:
+  dependency-graph:
     description: |
       Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
       Valid values are:
         'generate-and-submit' (default): Generates a dependency graph for the project and submits it in the same Job.
-        'generate-and-save': Generates a dependency graph for the project and saves it as a workflow artifact.
-        'retrieve-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.
+        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact.
+        'download-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.
 
       The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
       where the workflow generating the dependency-graph cannot (or should not) be given the `contents: write` permissions
       required to submit via the Dependency Submission API.
     required: false
     default: 'generate-and-submit'
+  additional-arguments:
+    description: |
+      Additional arguments to pass to Gradle. For example, `--no-configuration-cache --stacktrace`.
+    required: false
+
+  build-scan-publish:
+    description: |
+      Set to 'true' to automatically publish build results as a Build Scan on scans.gradle.com.
+      For publication to succeed without user input, you must also provide values for `build-scan-terms-of-service-url` and 'build-scan-terms-of-service-agree'.
+    required: false
+    default: false
+  build-scan-terms-of-service-url:
+    description: The URL to the Build Scan® terms of service. This input must be set to 'https://gradle.com/terms-of-service'.
+    required: false
+  build-scan-terms-of-service-agree:
+    description: Indicate that you agree to the Build Scan® terms of service. This input value must be "yes".
+    required: false
 
 runs:
   using: "composite"
   steps:
-    - name: Generate and submit dependency graph
-      if: ${{ inputs.dependency-graph-action == 'generate-and-submit' }}
-      uses: gradle/actions/setup-gradle@v3-beta
+    - name: Generate dependency graph
+      if: ${{ inputs.dependency-graph == 'generate-and-submit' || inputs.dependency-graph == 'generate-and-upload' }}
+      uses: gradle/actions/setup-gradle@v3
       with:
-        dependency-graph: 'generate-and-submit'
+        dependency-graph: ${{ inputs.dependency-graph }}
         dependency-graph-continue-on-failure: false
         gradle-version: ${{ inputs.gradle-version }}
         build-root-directory: ${{ inputs.build-root-directory }}
         cache-encryption-key: ${{ inputs.cache-encryption-key }}
+        build-scan-publish: ${{ inputs.build-scan-publish }}
+        build-scan-terms-of-service-url: ${{ inputs.build-scan-terms-of-service-url }}
+        build-scan-terms-of-service-agree: ${{ inputs.build-scan-terms-of-service-agree }}
+        artifact-retention-days: 1
         arguments: |
           --no-configure-on-demand
           --dependency-verification=off
-          --stacktrace
-          :ForceDependencyResolutionPlugin_resolveAllDependencies
-    - name: Generate and save dependency graph
-      if: ${{ inputs.dependency-graph-action == 'generate-and-save' }}
-      uses: gradle/actions/setup-gradle@v3-beta
-      with:
-        dependency-graph: generate-and-upload
-        dependency-graph-continue-on-failure: false
-        gradle-version: ${{ inputs.gradle-version }}
-        build-root-directory: ${{ inputs.build-root-directory }}
-        cache-encryption-key: ${{ inputs.cache-encryption-key }}
-        arguments: |
-          --no-configure-on-demand
-          --dependency-verification=off
-          --stacktrace
           :ForceDependencyResolutionPlugin_resolveAllDependencies
+          ${{ inputs.additional-arguments }}
     - name: Download and submit dependency graph
-      if: ${{ inputs.dependency-graph-action == 'retrieve-and-submit' }}
-      uses: gradle/actions/setup-gradle@v3-beta
+      if: ${{ inputs.dependency-graph == 'download-and-submit' }}
+      uses: gradle/actions/setup-gradle@v3
       with:
         dependency-graph: download-and-submit
         dependency-graph-continue-on-failure: false

dist/setup-gradle/main/index.js

@@ -138939,7 +138939,7 @@ const input_params_1 = __nccwpck_require__(23885);
 function setup() {
     if ((0, input_params_1.getBuildScanPublishEnabled)() && verifyTermsOfServiceAgreement()) {
         maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.16.1');
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.16.2');
         maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '1.12.1');
         maybeExportVariable('BUILD_SCAN_TERMS_OF_SERVICE_URL', (0, input_params_1.getBuildScanTermsOfServiceUrl)());
         maybeExportVariable('BUILD_SCAN_TERMS_OF_SERVICE_AGREE', (0, input_params_1.getBuildScanTermsOfServiceAgree)());
@@ -139179,7 +139179,7 @@ class GradleStateCache {
         }
     }
     readResourceFileAsString(...paths) {
-        const absolutePath = path_1.default.resolve(__dirname, '..', '..', 'sources', 'src', 'resources', ...paths);
+        const absolutePath = path_1.default.resolve(__dirname, '..', '..', '..', 'sources', 'src', 'resources', ...paths);
         return fs_1.default.readFileSync(absolutePath, 'utf8');
     }
     debugReportGradleUserHomeSize(label) {
@@ -141135,77 +141135,6 @@ function shouldAddJobSummary(option, buildResults) {
 }
 
 
-/***/ }),
-
-/***/ 70399:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.run = void 0;
-const core = __importStar(__nccwpck_require__(42186));
-const setupGradle = __importStar(__nccwpck_require__(18652));
-const execution = __importStar(__nccwpck_require__(23584));
-const provisioner = __importStar(__nccwpck_require__(32501));
-const layout = __importStar(__nccwpck_require__(28182));
-const params = __importStar(__nccwpck_require__(23885));
-function run() {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            yield setupGradle.setup();
-            const executable = yield provisioner.provisionGradle();
-            const args = params.getArguments();
-            if (args.length > 0) {
-                const buildRootDirectory = layout.buildRootDirectory();
-                yield execution.executeGradleBuild(executable, buildRootDirectory, args);
-            }
-        }
-        catch (error) {
-            core.setFailed(String(error));
-            if (error instanceof Error && error.stack) {
-                core.info(error.stack);
-            }
-        }
-        process.exit();
-    });
-}
-exports.run = run;
-run();
-
-
 /***/ }),
 
 /***/ 32501:
@@ -141602,6 +141531,77 @@ function determineUserHome() {
 }
 
 
+/***/ }),
+
+/***/ 4637:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.run = void 0;
+const core = __importStar(__nccwpck_require__(42186));
+const setupGradle = __importStar(__nccwpck_require__(18652));
+const execution = __importStar(__nccwpck_require__(23584));
+const provisioner = __importStar(__nccwpck_require__(32501));
+const layout = __importStar(__nccwpck_require__(28182));
+const params = __importStar(__nccwpck_require__(23885));
+function run() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            yield setupGradle.setup();
+            const executable = yield provisioner.provisionGradle();
+            const args = params.getArguments();
+            if (args.length > 0) {
+                const buildRootDirectory = layout.buildRootDirectory();
+                yield execution.executeGradleBuild(executable, buildRootDirectory, args);
+            }
+        }
+        catch (error) {
+            core.setFailed(String(error));
+            if (error instanceof Error && error.stack) {
+                core.info(error.stack);
+            }
+        }
+        process.exit();
+    });
+}
+exports.run = run;
+run();
+
+
 /***/ }),
 
 /***/ 22877:
@@ -141995,7 +141995,7 @@ module.exports = JSON.parse('[[[0,44],"disallowed_STD3_valid"],[[45,46],"valid"]
 /******/ 	// startup
 /******/ 	// Load entry module and return exports
 /******/ 	// This entry module is referenced by other modules so it can't be inlined
-/******/ 	var __webpack_exports__ = __nccwpck_require__(70399);
+/******/ 	var __webpack_exports__ = __nccwpck_require__(4637);
 /******/ 	module.exports = __webpack_exports__;
 /******/ 	
 /******/ })()

dist/setup-gradle/post/index.js

@@ -136392,7 +136392,7 @@ const input_params_1 = __nccwpck_require__(23885);
 function setup() {
     if ((0, input_params_1.getBuildScanPublishEnabled)() && verifyTermsOfServiceAgreement()) {
         maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.16.1');
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.16.2');
         maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '1.12.1');
         maybeExportVariable('BUILD_SCAN_TERMS_OF_SERVICE_URL', (0, input_params_1.getBuildScanTermsOfServiceUrl)());
         maybeExportVariable('BUILD_SCAN_TERMS_OF_SERVICE_AGREE', (0, input_params_1.getBuildScanTermsOfServiceAgree)());
@@ -136632,7 +136632,7 @@ class GradleStateCache {
         }
     }
     readResourceFileAsString(...paths) {
-        const absolutePath = path_1.default.resolve(__dirname, '..', '..', 'sources', 'src', 'resources', ...paths);
+        const absolutePath = path_1.default.resolve(__dirname, '..', '..', '..', 'sources', 'src', 'resources', ...paths);
         return fs_1.default.readFileSync(absolutePath, 'utf8');
     }
     debugReportGradleUserHomeSize(label) {
@@ -138456,77 +138456,6 @@ function shouldAddJobSummary(option, buildResults) {
 }
 
 
-/***/ }),
-
-/***/ 87051:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.run = void 0;
-const core = __importStar(__nccwpck_require__(42186));
-const setupGradle = __importStar(__nccwpck_require__(18652));
-const errors_1 = __nccwpck_require__(36976);
-process.on('uncaughtException', e => handleFailure(e));
-function run() {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            yield setupGradle.complete();
-        }
-        catch (error) {
-            if (error instanceof errors_1.PostActionJobFailure) {
-                core.setFailed(String(error));
-            }
-            else {
-                handleFailure(error);
-            }
-        }
-        process.exit();
-    });
-}
-exports.run = run;
-function handleFailure(error) {
-    core.warning(`Unhandled error in Gradle post-action - job will continue: ${error}`);
-    if (error instanceof Error && error.stack) {
-        core.info(error.stack);
-    }
-}
-run();
-
-
 /***/ }),
 
 /***/ 28182:
@@ -138699,6 +138628,77 @@ function determineUserHome() {
 }
 
 
+/***/ }),
+
+/***/ 88766:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.run = void 0;
+const core = __importStar(__nccwpck_require__(42186));
+const setupGradle = __importStar(__nccwpck_require__(18652));
+const errors_1 = __nccwpck_require__(36976);
+process.on('uncaughtException', e => handleFailure(e));
+function run() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            yield setupGradle.complete();
+        }
+        catch (error) {
+            if (error instanceof errors_1.PostActionJobFailure) {
+                core.setFailed(String(error));
+            }
+            else {
+                handleFailure(error);
+            }
+        }
+        process.exit();
+    });
+}
+exports.run = run;
+function handleFailure(error) {
+    core.warning(`Unhandled error in Gradle post-action - job will continue: ${error}`);
+    if (error instanceof Error && error.stack) {
+        core.info(error.stack);
+    }
+}
+run();
+
+
 /***/ }),
 
 /***/ 22877:
@@ -139092,7 +139092,7 @@ module.exports = JSON.parse('[[[0,44],"disallowed_STD3_valid"],[[45,46],"valid"]
 /******/ 	// startup
 /******/ 	// Load entry module and return exports
 /******/ 	// This entry module is referenced by other modules so it can't be inlined
-/******/ 	var __webpack_exports__ = __nccwpck_require__(87051);
+/******/ 	var __webpack_exports__ = __nccwpck_require__(88766);
 /******/ 	module.exports = __webpack_exports__;
 /******/ 	
 /******/ })()

setup-gradle/README.md

@@ -40,7 +40,7 @@ jobs:
         java-version: 11
         
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
     
     - name: Execute Gradle build
       run: ./gradlew build
@@ -52,7 +52,7 @@ The `setup-gradle` action can download and install a specified Gradle version, a
 Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid requiring downloading again later.
 
 ```yaml
- - uses: gradle/actions/setup-gradle@v3-beta
+ - uses: gradle/actions/setup-gradle@v3
    with:
      gradle-version: 6.5
 ```
@@ -87,7 +87,7 @@ jobs:
       with:
         distribution: temurin
         java-version: 11
-    - uses: gradle/actions/setup-gradle@v3-beta
+    - uses: gradle/actions/setup-gradle@v3
       id: setup-gradle
       with:
         gradle-version: release-candidate
@@ -176,7 +176,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - uses: gradle/actions/setup-gradle@v3-beta
+    - uses: gradle/actions/setup-gradle@v3
       with:
         gradle-version: 8.6-rc-1
         cache-encryption-key: ${{ secrets.GradleEncryptionKey }}
@@ -400,7 +400,7 @@ jobs:
     - name: Checkout project sources
       uses: actions/checkout@v4
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
       with:
         add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure'
     - run: ./gradlew build --scan
@@ -432,7 +432,7 @@ jobs:
     - name: Checkout project sources
       uses: actions/checkout@v4
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
     - name: Run build with Gradle wrapper
       run: ./gradlew build --scan
     - name: Upload build reports
@@ -459,7 +459,15 @@ You can use The `setup-gradle` action on GitHub Enterprise Server, and benefit f
 - Save/restore of Gradle User Home (requires GHES v3.5+ : GitHub Actions cache was introduced in GHES 3.5)
 - Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step.
 
-# GitHub Dependency Graph support
+## GitHub Dependency Graph support
+
+> [!IMPORTANT]
+> The simplest (and recommended) way to generate a dependency graph is via a separate workflow 
+> using `gradle/actions/dependency-submission`. This action will attempt to detect all dependencies used by your build
+> without building and testing the project itself.
+>
+> See the [dependency-submission documentation](../dependency-submission/README.md) for up-to-date documentation.
+
 
 The `setup-gradle` action has support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).
 
@@ -467,7 +475,7 @@ The dependency graph snapshot is generated via integration with the [GitHub Depe
 
 The generated dependency graph snapshot reports all of the dependencies that were resolved during a build execution, and is used by GitHub to generate [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) for vulnerable dependencies, as well as to populate the [Dependency Graph insights view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).
 
-## Enable Dependency Graph generation for a workflow
+### Basic usage
  
 You enable GitHub Dependency Graph support by setting the `dependency-graph` action parameter. Valid values are:
 
@@ -494,7 +502,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
       with:
         dependency-graph: generate-and-submit
     - name: Run the usual CI build (dependency-graph will be generated and submitted post-job)
@@ -521,7 +529,7 @@ graph cannot be generated or submitted. You can enable this behaviour with the `
 
 ```yaml
 # Ensure that the workflow Job will fail if the dependency graph cannot be submitted
-- uses: gradle/actions/setup-gradle@v3-beta
+- uses: gradle/actions/setup-gradle@v3
   with:
     dependency-graph: generate-and-submit
     dependency-graph-continue-on-failure: false
@@ -539,7 +547,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
       with:
         dependency-graph: generate-and-submit
     - name: Run a build, resolving the 'dependency-graph' plugin from the plugin portal proxy
@@ -548,65 +556,6 @@ jobs:
         GRADLE_PLUGIN_REPOSITORY_URL: "https://gradle-plugins-proxy.mycorp.com"
 ```
 
-### Integrating the `dependency-review-action`
-
-The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
-understand dependency changes (and the security impact of these changes) for a pull request.
-For the `dependency-review-action` to succeed, it must run _after_ the dependency graph has been submitted for a PR.
-
-When using `generate-and-submit`, dependency graph files are submitted at the end of the job, after all steps have been
-executed. For this reason, the `dependency-review-action` must be executed in a dependent job,
-and not as a subsequent step in the job that generates the dependency graph.
-
-Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
-
-```yaml
-name: PR check
-
-on:
-  pull_request:
-  
-permissions:
-  contents: write
-  # Note that this permission will not be available if the PR is from a forked repository
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
-      with:
-        dependency-graph: generate-and-submit
-    - name: Run a build and generate the dependency graph which will be submitted post-job
-      run: ./gradlew build
-
-  dependency-review:
-    needs: build
-    runs-on: ubuntu-latest
-    - name: Perform dependency review
-      uses: actions/dependency-review-action@v4
-```
-
-See [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows) for a more complex
-(and less functional) example that will work for pull requests submitted from forked repositories.
-
-## Limiting the scope of the dependency graph
-
-At times it is helpful to limit the dependencies reported to GitHub, in order to security alerts for dependencies that don't form a critical part of your product.
-For example, a vulnerability in the tool you use to generate documentation is unlikely to be as important as a vulnerability in one of your runtime dependencies.
-
-There are a number of techniques you can employ to limit the scope of the generated dependency graph:
-- [Don't generate a dependency graph for all Gradle executions](#choosing-which-gradle-invocations-will-generate-a-dependency-graph)
-- [For a Gradle execution, filter which Gradle projects and configurations will contribute dependencies](#filtering-which-gradle-configurations-contribute-to-the-dependency-graph)
-- [Use a separate workflow that only resolves the required dependencies](#use-a-dedicated-workflow-for-dependency-graph-generation)
-
-> [!NOTE]
-> Ideally, all dependencies involved in building and testing a project will be extracted and reported in a dependency graph. 
-> These dependencies would be assigned to different scopes (eg development, runtime, testing) and the GitHub UI would make it easy to opt-in to security alerts for different dependency scopes.
-> However, this functionality does not yet exist.
-
 ### Choosing which Gradle invocations will generate a dependency graph
 
 Once you enable the dependency graph support for a workflow job (via the `dependency-graph` parameter), dependencies will be collected and reported for all subsequent Gradle invocations.
@@ -619,7 +568,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
       with:
         dependency-graph: generate-and-submit
     - name: Build the app, generating a graph of dependencies required
@@ -632,162 +581,22 @@ jobs:
 
 ### Filtering which Gradle Configurations contribute to the dependency graph
 
-If you do not want the dependency graph to include every dependency configuration in every project in your build, you can limit the
-dependency extraction to a subset of these.
+If you do not want the dependency graph to include every dependency configuration in every project in your build, 
+you can limit the dependency extraction to a subset of these.
 
-To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
-You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.
+See the documentation for [dependency-submission](../dependency-submission/README.md) and the
+[GitHub Dependency Graph Gradle Plugin](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#filtering-which-gradle-configurations-contribute-to-the-dependency-graph) for details.
 
-To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
-You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.
+### Gradle version compatibility
 
-For example, if you want to exclude dependencies in the `buildSrc` project, and only report on dependencies from the `runtimeClasspath` configuration,
-you would use the following configuration:
+Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against 
+Gradle versions `5.2.1`, `5.6.4`, `6.0.1`, `6.9.4`, `7.1.1` and `7.6.3`, as well as all patched versions of Gradle 8.x.
 
-```yaml
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
-      with:
-        dependency-graph: generate-and-submit
-    - name: Run a build, generating the dependency graph from any resolved 'runtimeClasspath' configurations
-      run: ./gradlew build
-      env:
-        DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!buildSrc).*"
-        DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: runtimeClasspath
-```
+A known exception to this is that Gradle `7.0`, `7.0.1` and `7.0.2` are not supported.
 
-### Use a dedicated workflow for dependency graph generation
+See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
 
-Instead of generating a dependency graph from your existing CI workflow, it's possible to create a separate dedicated workflow (or Job) that is intended for generating a dependency graph.
-Such a workflow will still need to execute Gradle, but can do so in a way that is targeted at resolving the specific dependencies required.
-
-For example, the following workflow will report those dependencies that are resolved in order to build the `distributionZip` for the `my-app` project. Test dependencies and other dependencies not required by the `distributionZip` will not be included.
-
-```yaml
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
-      with:
-        dependency-graph: generate-and-submit
-    - name: Build the distribution Zip for `my-app`
-      run: ./gradlew :my-app:distributionZip
-```
-
-Note that the above example will also include any `buildSrc` dependencies, dependencies resolved when configuring your Gradle build or dependencies resolved while applying plugin. All of these dependencies are resolved in the process of running the `distributionZip` task, and thus will form part of the generated dependency graph.
-
-If this isn't desirable, you will still need to use the filtering mechanism described above.
-
-## Dependency Graphs for pull request workflows
-
-This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes. 
-
-Because of this restriction, it is not possible to `generate-and-submit` a dependency graph generated for a pull-request that comes from a repository fork. In order to do so, 2 workflows will be required:
-1. The first workflow runs directly against the pull request sources and will generate the dependency graph snapshot.
-2. The second workflow is triggered on `workflow_run` of the first workflow, and will submit the previously saved dependency snapshots.
-
-Note: when `download-and-submit` is used in a workflow triggered via [workflow_run](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run), the action will download snapshots saved in the triggering workflow.
-
-***Main workflow file***
-```yaml
-name: run-build-and-generate-dependency-snapshot
-
-on:
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3-beta
-      with:
-        dependency-graph: generate-and-upload # Generate graphs and save as workflow artifacts
-    - name: Run a build, generating the dependency graph snapshot which will be submitted
-      run: ./gradlew build
-```
-
-***Dependent workflow file***
-```yaml
-name: submit-dependency-snapshot
-
-on:
-  workflow_run:
-    workflows: ['run-build-and-generate-dependency-snapshot']
-    types: [completed]
-
-permissions:
-  contents: write
-
-jobs:
-  submit-dependency-graph:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Retrieve dependency graph artifact and submit
-      uses: gradle/actions/setup-gradle@v3-beta
-      with:
-        dependency-graph: download-and-submit # Download saved workflow artifacts and submit
-```
-
-### Integrating `dependency-review-action` for pull request workflows
-
-The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
-understand dependency changes (and the security impact of these changes) for a pull request.
-
-To integrate the `dependency-review-action` into the pull request workflows above, a separate workflow should be added.
-This workflow will be triggered directly on `pull_request`, but will need to wait until the dependency graph results are
-submitted before the dependency review can complete. How long to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
-
-Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the PR check workflow to complete.
-
-```yaml
-name: dependency-review
-on:
-  pull_request:
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    steps:
-    - name: 'Dependency Review'
-      uses: actions/dependency-review-action@v4
-      with:
-        retry-on-snapshot-warnings: true
-        retry-on-snapshot-warnings-timeout: 600
-```
-
-The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `run-build-and-generate-dependency-snapshot` and `submit-dependency-snapshot` workflows (above) to complete.
-
-## Gradle version compatibility
-
-The GitHub Dependency Graph plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against 
-Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.
-
-The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
-limited to Gradle "8.1.0" and later:
-- With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated.
-- With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled.
-
-To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
-configuration-cache disabled.
-
-## Reducing storage costs for saved dependency graph artifacts
+### Reducing storage costs for saved dependency graph artifacts
 
 When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact. 
 By default, these artifacts are retained for a period of 30 days (or as configured for the repository).
@@ -796,14 +605,12 @@ To reduce storage costs for these artifacts, you can set the `artifact-retention
 ```yaml
     steps:
     - name: Generate dependency graph, but only retain artifact for one day
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
       with:
         dependency-graph: generate
         artifact-retention-days: 1
 ```
 
-
-
 # Develocity plugin injection
 
 The `setup-gradle` action provides support for injecting and configuring the Develocity Gradle plugin into any Gradle build, without any modification to the project sources.
@@ -823,7 +630,7 @@ name: Run build with Develocity injection
 env:
   DEVELOCITY_INJECTION_ENABLED: true
   DEVELOCITY_URL: https://develocity.your-server.com
-  DEVELOCITY_PLUGIN_VERSION: 3.16.1
+  DEVELOCITY_PLUGIN_VERSION: 3.16.2
 
 jobs:
   build:
@@ -831,12 +638,12 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
     - name: Run a Gradle build with Develocity injection enabled
       run: ./gradlew build
 ```
 
-This configuration will automatically apply `v3.16.1` of the [Develocity Gradle plugin](https://docs.gradle.com/enterprise/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.16.2` of the [Develocity Gradle plugin](https://docs.gradle.com/enterprise/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
 
 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to configure an addition environment variable
@@ -872,7 +679,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Setup Gradle to publish build scans
-      uses: gradle/actions/setup-gradle@v3-beta
+      uses: gradle/actions/setup-gradle@v3
       with:
         build-scan-publish: true
         build-scan-terms-of-service-url: "https://gradle.com/terms-of-service"

setup-gradle/action.yml

@@ -1,4 +1,4 @@
-name: "Gradle Build Action"
+name: 'Setup Gradle'
 description: 'Configures Gradle for GitHub actions, caching state and generating a dependency graph via Dependency Submission.'
 
 # https://help.github.com/en/articles/metadata-syntax-for-github-actions
@@ -143,8 +143,8 @@ outputs:
 
 runs:
   using: 'node20'
-  main: '../dist/main/index.js'
-  post: '../dist/post/index.js'
+  main: '../dist/setup-gradle/main/index.js'
+  post: '../dist/setup-gradle/post/index.js'
 
 branding:
   icon: 'box'

sources/build

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd sources
+npm run build

sources/build-and-test

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd sources
+npm run all

sources/package.json

@@ -8,8 +8,8 @@
     "format": "prettier --write **/*.ts",
     "format-check": "prettier --check **/*.ts",
     "lint": "eslint src/**/*.ts",
-    "compile-main": "ncc build src/main.ts --out ../dist/main --source-map --no-source-map-register",
-    "compile-post": "ncc build src/post.ts --out ../dist/post --source-map --no-source-map-register",
+    "compile-setup-gradle-main": "ncc build src/setup-gradle/main.ts --out ../dist/setup-gradle/main --source-map --no-source-map-register",
+    "compile-setup-gradle-post": "ncc build src/setup-gradle/post.ts --out ../dist/setup-gradle/post --source-map --no-source-map-register",
     "compile": "npm-run-all --parallel compile-*",
     "check": "npm-run-all --parallel format lint",
     "test": "jest",

sources/src/build-scan.ts

@@ -8,7 +8,7 @@ import {
 export function setup(): void {
     if (getBuildScanPublishEnabled() && verifyTermsOfServiceAgreement()) {
         maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.16.1')
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.16.2')
         maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '1.12.1')
         maybeExportVariable('BUILD_SCAN_TERMS_OF_SERVICE_URL', getBuildScanTermsOfServiceUrl())
         maybeExportVariable('BUILD_SCAN_TERMS_OF_SERVICE_AGREE', getBuildScanTermsOfServiceAgree())

sources/src/cache-base.ts

@@ -233,9 +233,10 @@ export class GradleStateCache {
         }
     }
 
+    // TODO:DAZ Move this to a utility class
     private readResourceFileAsString(...paths: string[]): string {
         // Resolving relative to __dirname will allow node to find the resource at runtime
-        const absolutePath = path.resolve(__dirname, '..', '..', 'sources', 'src', 'resources', ...paths)
+        const absolutePath = path.resolve(__dirname, '..', '..', '..', 'sources', 'src', 'resources', ...paths)
         return fs.readFileSync(absolutePath, 'utf8')
     }
 

sources/src/resources/init-scripts/gradle-actions.github-dependency-graph-gradle-plugin-apply.groovy

@@ -4,12 +4,13 @@ buildscript {
       return System.getProperty(name) ?: System.getenv(envVarName)
   }
   def pluginRepositoryUrl = getInputParam('gradle.plugin-repository.url') ?: 'https://plugins.gradle.org/m2'
+  def dependencyGraphPluginVersion = getInputParam('dependency-graph-plugin.version') ?: '1.2.0'
 
   repositories {
     maven { url pluginRepositoryUrl }
   }
   dependencies {
-    classpath "org.gradle:github-dependency-graph-gradle-plugin:1.1.1"
+    classpath "org.gradle:github-dependency-graph-gradle-plugin:${dependencyGraphPluginVersion}"
   }
 }
 apply plugin: org.gradle.github.GitHubDependencyGraphPlugin

sources/src/setup-gradle/main.ts

@@ -1,10 +1,10 @@
 import * as core from '@actions/core'
 
-import * as setupGradle from './setup-gradle'
-import * as execution from './execution'
-import * as provisioner from './provision'
-import * as layout from './repository-layout'
-import * as params from './input-params'
+import * as setupGradle from '../setup-gradle'
+import * as execution from '../execution'
+import * as provisioner from '../provision'
+import * as layout from '../repository-layout'
+import * as params from '../input-params'
 
 /**
  * The main entry point for the action, called by Github Actions for the step.

sources/src/setup-gradle/post.ts

@@ -1,6 +1,6 @@
 import * as core from '@actions/core'
-import * as setupGradle from './setup-gradle'
-import {PostActionJobFailure} from './errors'
+import * as setupGradle from '../setup-gradle'
+import {PostActionJobFailure} from '../errors'
 
 // Catch and log any unhandled exceptions.  These exceptions can leak out of the uploadChunk method in
 // @actions/toolkit when a failed upload closes the file descriptor causing any in-process reads to

sources/test/init-scripts/build.gradle

@@ -20,7 +20,7 @@ dependencies {
     testImplementation ('io.ratpack:ratpack-groovy-test:1.9.0') {
         exclude group: 'org.codehaus.groovy', module: 'groovy-all'
     }
-    testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.16.0'
+    testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.16.1'
 }
 
 test {

sources/test/init-scripts/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.enterprise" version "3.16.1"
+    id "com.gradle.enterprise" version "3.16.2"
     id "com.gradle.common-custom-user-data-gradle-plugin" version "1.12.1"
 }
 

sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/BaseInitScriptTest.groovy

@@ -16,7 +16,7 @@ import java.nio.file.Files
 import java.util.zip.GZIPOutputStream
 
 class BaseInitScriptTest extends Specification {
-    static final String DEVELOCITY_PLUGIN_VERSION = '3.16.1'
+    static final String DEVELOCITY_PLUGIN_VERSION = '3.16.2'
     static final String CCUD_PLUGIN_VERSION = '1.12.1'
 
     static final TestGradleVersion GRADLE_3_X = new TestGradleVersion(GradleVersion.version('3.5.1'), 7, 9)

sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestBuildResultRecorder.groovy

@@ -171,7 +171,7 @@ class TestBuildResultRecorder extends BaseInitScriptTest {
         when:
         settingsFile.text = """
             plugins {
-                id 'com.gradle.enterprise' version '3.16.1' apply(false)
+                id 'com.gradle.enterprise' version '3.16.2' apply(false)
             }
             gradle.settingsEvaluated {
                 apply plugin: 'com.gradle.enterprise'

sources/tsconfig.json

@@ -59,5 +59,6 @@
     // "experimentalDecorators": true,        /* Enables experimental support for ES7 decorators. */
     // "emitDecoratorMetadata": true,         /* Enables experimental support for emitting type metadata for decorators. */
   },
+  "include": ["src/**/*.ts"],
   "exclude": ["node_modules", "**/*.test.ts"]
 }