Pin version in ci-combine-bot-prs.yml

Use latest DV plugin version in docs
Use latest dependency-graph plugin (#489 )
2025-11-26 17:09:10 +08:00 · 2024-12-17 18:26:12 -07:00 · 2024-12-17 18:13:21 -07:00 · 2024-12-17 18:10:51 -07:00 · 2024-12-18 01:00:47 +00:00 · 2024-12-17 17:59:42 -07:00
144 changed files with 371076 additions and 60346 deletions
--- a/.github/actions/build-dist/action.yml
+++ b/.github/actions/build-dist/action.yml
@@ -3,7 +3,7 @@ name: 'Build and upload distribution'
 runs:
  using: "composite"
  steps: 
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
      with:
        node-version: 20
        cache: npm
@@ -23,7 +23,7 @@ runs:
        cp -r sources/dist .
    - name: Upload distribution
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
      with:
        name: dist
        path: dist/
--- a/.github/actions/init-integ-test/action.yml
+++ b/.github/actions/init-integ-test/action.yml
@@ -4,15 +4,20 @@ runs:
  using: "composite"
  steps: 
    - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
      with:
        distribution: 'temurin'
        java-version: 11
    - name: Configure environment
      shell: bash
      run: |
        echo "ALLOWED_GRADLE_WRAPPER_CHECKSUMS=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" >> "$GITHUB_ENV"
    # Downloads a 'dist' directory artifact that was uploaded in an earlier 'build-dist' step
    - name: Download dist
      if: ${{ env.SKIP_DIST != 'true' && !env.ACT }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: dist
        path: dist/
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,6 +5,7 @@ registries:
    url: https://plugins.gradle.org/m2
    username: dummy # Required by dependabot
    password: dummy # Required by dependabot
 updates:
  - package-ecosystem: "npm"
    directory: "/sources"
@@ -16,25 +17,12 @@ updates:
        - "*"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
        - "*"
    # github-actions with directory: "/" only monitors .github/workflows
    # https://github.com/dependabot/dependabot-core/issues/6345
-  - package-ecosystem: "github-actions"
+    directories:
-    directory: "/.github/actions/build-dist"
+      - "/"
-    schedule:
+      - "/.github/actions/build-dist"
-      interval: "weekly"
+      - "/.github/actions/init-integ-test"
    groups:
      github-actions:
        patterns:
          - "*"
  - package-ecosystem: "github-actions"
    directory: "/.github/actions/init-integ-test"
    schedule:
      interval: "weekly"
    groups:
@@ -43,44 +31,19 @@ updates:
          - "*"
  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/gradle-plugin"
+    directories:
      - ".github/workflow-samples/gradle-plugin"
      - ".github/workflow-samples/groovy-dsl"
      - ".github/workflow-samples/java-toolchain"
      - ".github/workflow-samples/kotlin-dsl"
      - ".github/workflow-samples/no-wrapper"
      - ".github/workflow-samples/no-wrapper-gradle-5"
      - "sources/test/init-scripts"
    registries:
      - gradle-plugin-portal
    schedule:
-      interval: "daily"
+      interval: "weekly"
-  - package-ecosystem: "gradle"
+    groups:
-    directory: ".github/workflow-samples/groovy-dsl"
+      gradle:
-    registries:
+        patterns:
-      - gradle-plugin-portal
+          - "*"
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: ".github/workflow-samples/java-toolchain"
    registries:
      - gradle-plugin-portal
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: ".github/workflow-samples/kotlin-dsl"
    registries:
      - gradle-plugin-portal
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: ".github/workflow-samples/no-wrapper"
    registries:
      - gradle-plugin-portal
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: ".github/workflow-samples/no-wrapper-gradle-5"
    registries:
      - gradle-plugin-portal
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: "sources/test/init-scripts"
    registries:
      - gradle-plugin-portal
    schedule:
      interval: "daily"
--- a/.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.jar
+++ b/.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.jar
--- a/.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties
+++ b/.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=a4b4158601f8636cdeeab09bd76afb640030bb5b144aafe261a5e8af027dc612
+distributionSha256Sum=f397b287023acdba1e9f6fc5ea72d22dd63669d59ed4a289a29b1a76eee151c6
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
--- a/.github/workflow-samples/gradle-plugin/gradlew
+++ b/.github/workflow-samples/gradle-plugin/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
 ' "$PWD" ) || exit
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
--- a/.github/workflow-samples/gradle-plugin/gradlew.bat
+++ b/.github/workflow-samples/gradle-plugin/gradlew.bat
@@ -13,6 +13,8 @@
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@rem SPDX-License-Identifier: Apache-2.0
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@@ -43,11 +45,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
@@ -57,11 +59,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
--- a/.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.jar
+++ b/.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.jar
--- a/.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties
+++ b/.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=a4b4158601f8636cdeeab09bd76afb640030bb5b144aafe261a5e8af027dc612
+distributionSha256Sum=f397b287023acdba1e9f6fc5ea72d22dd63669d59ed4a289a29b1a76eee151c6
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
--- a/.github/workflow-samples/groovy-dsl/gradlew
+++ b/.github/workflow-samples/groovy-dsl/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
 ' "$PWD" ) || exit
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
--- a/.github/workflow-samples/groovy-dsl/gradlew.bat
+++ b/.github/workflow-samples/groovy-dsl/gradlew.bat
@@ -13,6 +13,8 @@
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@rem SPDX-License-Identifier: Apache-2.0
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@@ -43,11 +45,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
@@ -57,11 +59,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
--- a/.github/workflow-samples/groovy-dsl/settings.gradle
+++ b/.github/workflow-samples/groovy-dsl/settings.gradle
@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5"
+    id "com.gradle.develocity" version "3.19"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.2"
 }
 develocity {
--- a/.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.jar
+++ b/.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.jar
--- a/.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties
+++ b/.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=a4b4158601f8636cdeeab09bd76afb640030bb5b144aafe261a5e8af027dc612
+distributionSha256Sum=f397b287023acdba1e9f6fc5ea72d22dd63669d59ed4a289a29b1a76eee151c6
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
--- a/.github/workflow-samples/java-toolchain/gradlew
+++ b/.github/workflow-samples/java-toolchain/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
 ' "$PWD" ) || exit
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
--- a/.github/workflow-samples/java-toolchain/gradlew.bat
+++ b/.github/workflow-samples/java-toolchain/gradlew.bat
@@ -13,6 +13,8 @@
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@rem SPDX-License-Identifier: Apache-2.0
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@@ -43,11 +45,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
@@ -57,11 +59,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
--- a/.github/workflow-samples/kotlin-dsl/build.gradle.kts
+++ b/.github/workflow-samples/kotlin-dsl/build.gradle.kts
@@ -8,9 +8,9 @@ repositories {
 dependencies {
    api("org.apache.commons:commons-math3:3.6.1")
-    implementation("com.google.guava:guava:33.2.1-jre")
+    implementation("com.google.guava:guava:33.4.0-jre")
-    testImplementation("org.junit.jupiter:junit-jupiter:5.10.2")
+    testImplementation("org.junit.jupiter:junit-jupiter:5.11.4")
 }
 tasks.test {
--- a/.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.jar
+++ b/.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.jar
--- a/.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties
+++ b/.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=a4b4158601f8636cdeeab09bd76afb640030bb5b144aafe261a5e8af027dc612
+distributionSha256Sum=f397b287023acdba1e9f6fc5ea72d22dd63669d59ed4a289a29b1a76eee151c6
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
--- a/.github/workflow-samples/kotlin-dsl/gradlew
+++ b/.github/workflow-samples/kotlin-dsl/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
 ' "$PWD" ) || exit
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
--- a/.github/workflow-samples/kotlin-dsl/gradlew.bat
+++ b/.github/workflow-samples/kotlin-dsl/gradlew.bat
@@ -13,6 +13,8 @@
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@rem SPDX-License-Identifier: Apache-2.0
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@@ -43,11 +45,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
@@ -57,11 +59,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
--- a/.github/workflow-samples/kotlin-dsl/settings.gradle.kts
+++ b/.github/workflow-samples/kotlin-dsl/settings.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.develocity") version "3.17.5"
+    id("com.gradle.develocity") version "3.19"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.1"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
 }
 develocity {
--- a/.github/workflow-samples/no-wrapper-gradle-5/build.gradle
+++ b/.github/workflow-samples/no-wrapper-gradle-5/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5" 
+    id "com.gradle.develocity" version "3.19" 
 }
 develocity {
--- a/.github/workflow-samples/no-wrapper/settings.gradle
+++ b/.github/workflow-samples/no-wrapper/settings.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5"
+    id "com.gradle.develocity" version "3.19"
 }
 develocity {
--- a/.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.jar
+++ b/.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.jar
--- a/.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.properties
+++ b/.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.properties
@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=a4b4158601f8636cdeeab09bd76afb640030bb5b144aafe261a5e8af027dc612
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
--- a/.github/workflow-samples/non-executable-wrapper/gradlew
+++ b/.github/workflow-samples/non-executable-wrapper/gradlew
@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
 ' "$PWD" ) || exit
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
--- a/.github/workflow-samples/non-executable-wrapper/gradlew.bat
+++ b/.github/workflow-samples/non-executable-wrapper/gradlew.bat
@@ -13,6 +13,8 @@
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@rem SPDX-License-Identifier: Apache-2.0
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@@ -43,11 +45,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
@@ -57,11 +59,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto execute
-echo.
+echo. 1>&2
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
-echo.
+echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation.
+echo location of your Java installation. 1>&2
 goto fail
--- a/.github/workflow-samples/non-executable-wrapper/settings.gradle
+++ b/.github/workflow-samples/non-executable-wrapper/settings.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5"
+    id "com.gradle.develocity" version "3.19"
 }
 develocity {
--- a/.github/workflows/ci-check-and-unit-test.yml
+++ b/.github/workflows/ci-check-and-unit-test.yml
@@ -17,16 +17,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
      with:
        node-version: 20
        cache: npm
        cache-dependency-path: sources/package-lock.json
    - name: Setup Gradle
      # Use a released version to avoid breakages
      uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
      env:
        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
      with:
        gradle-version: "8.11.1"
    - name: Check formatting and compile
      run: |
-        npm install
+        npm clean-install
        npm run check
        npm run compile
      working-directory: sources
--- a/.github/workflows/ci-check-no-dist-update.yml
+++ b/.github/workflows/ci-check-no-dist-update.yml
@@ -15,13 +15,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
    - name: Get changed files
      id: changed-files
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 # v45.0.5
      with:
        files: |
          dist/**
--- a/.github/workflows/ci-codeql.yml
+++ b/.github/workflows/ci-codeql.yml
@@ -6,16 +6,15 @@ on:
    - 'main'
    - 'release/**'
    - 'dev/**' # Allow running Code QL on dev branches without a PR
    paths-ignore:
    - 'dist/**'
  pull_request:
    branches:
    - 'main'
    paths-ignore:
    - 'dist/**'
  schedule:
    - cron: '25 23 * * 2'
 permissions:
  contents: read
 jobs:
  analyze:
    name: Analyze
@@ -32,11 +31,11 @@ jobs:
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
      with:
        languages: ${{ matrix.language }}
        config: |
@@ -44,4 +43,4 @@ jobs:
          - sources/src
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
--- a/.github/workflows/ci-combine-bot-prs.yml
+++ b/.github/workflows/ci-combine-bot-prs.yml
@@ -0,0 +1,24 @@
 name: Combine Bot PRs
 on:
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  combine-wrapperbot-prs:
    permissions:
      contents: write
      pull-requests: write
      checks: read
    if: github.repository == 'gradle/actions'
    runs-on: ubuntu-latest
    steps:
      - name: combine-wrapperbot-prs
        uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
        with:
          branch_prefix: wrapperbot
          combine_branch_name: wrapperbot/combined-wrapper-updates
          pr_title: 'Bump Gradle Wrappers'
          ci_required: "false"
--- a/.github/workflows/ci-init-script-check.yml
+++ b/.github/workflows/ci-init-script-check.yml
@@ -14,19 +14,25 @@ on:
      - 'sources/test/init-scripts/**'
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  test-init-scripts:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
      with:
        distribution: temurin
        java-version: 11
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3 # Use a released version to avoid breakages
+      # Use a released version to avoid breakages
      uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
      env:
        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
    - name: Run integration tests
      working-directory: sources/test/init-scripts
      run: ./gradlew check
--- a/.github/workflows/ci-integ-test-full.yml
+++ b/.github/workflows/ci-integ-test-full.yml
@@ -0,0 +1,37 @@
 name: CI-integ-test-full
 on:
  workflow_dispatch:
  push:
    paths:
    - 'dist/**'
 concurrency:
  group: integ-test
  cancel-in-progress: false
 permissions:
  contents: read
 jobs:
  caching-integ-tests:
    uses: ./.github/workflows/suite-integ-test-caching.yml
    concurrency:
      group: CI-integ-test-full
      cancel-in-progress: false
    with:
      runner-os: '["ubuntu-latest", "windows-latest", "macos-latest"]'
      skip-dist: true
    secrets: inherit
  other-integ-tests:
    permissions:
      contents: write
    uses: ./.github/workflows/suite-integ-test-other.yml
    concurrency:
      group: CI-integ-test-full
      cancel-in-progress: false
    with:
      runner-os: '["ubuntu-latest", "windows-latest", "macos-latest"]'
      skip-dist: true
    secrets: inherit
--- a/.github/workflows/ci-integ-test.yml
+++ b/.github/workflows/ci-integ-test.yml
@@ -8,219 +8,38 @@ on:
    - 'main'
    - 'release/**'
    - 'dev/**' # Allow running tests on dev branches without a PR
    paths-ignore:
    - 'dist/**'
 concurrency:
-  group: integ-tests-${{ github.ref }}
+  group: integ-test
  cancel-in-progress: false
 permissions:
  contents: read
 jobs:
  determine-suite:
    runs-on: ubuntu-latest
    outputs:
      runner-os: ${{ steps.determine-suite.outputs.suite == 'quick' && '["ubuntu-latest"]' || '["ubuntu-latest", "windows-latest", "macos-latest"]' }}
      cache-key-prefix: '0' # TODO DAZ Try this again ${{ steps.determine-suite.outputs.suite == 'quick' && '0' || github.run_number }}
      suite: ${{ steps.determine-suite.outputs.suite }}
    steps:
    - name: Determine suite to run
      id: determine-suite
      run: |
        # Always run quick suite if we are not in the core `gradle/actions` repository
        # This reduces the load for developers working on 'main' on forks
        if [ "${{ github.repository }}" != "gradle/actions" ]; then
          echo "Not in core repository: suite=quick"
          echo "suite=quick" >> "$GITHUB_OUTPUT"
          exit 0
        fi
        # Run full suite for push trigger with "[bot] Update dist directory" commit message
        if [ "${{ github.event.head_commit.message }}" == "[bot] Update dist directory" ]; then
          echo "Bot commit to main branch: suite=full"
          echo "suite=full" >> "$GITHUB_OUTPUT"
          exit 0
        fi
        # Run quick suite for everything else
        echo "Everything else: suite=quick"
        echo "suite=quick" >> "$GITHUB_OUTPUT"
  build-distribution:
    needs: [determine-suite]
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build and upload distribution
      if: ${{ needs.determine-suite.outputs.suite != 'full' }}
      uses: ./.github/actions/build-dist
-  action-inputs:
+  caching-integ-tests:
-    needs: [determine-suite, build-distribution]
+    needs: build-distribution
-    uses: ./.github/workflows/integ-test-action-inputs.yml
+    uses: ./.github/workflows/suite-integ-test-caching.yml
    with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
+      skip-dist: false
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
+    secrets: inherit
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-  build-scan-publish:
+  other-integ-tests:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-build-scan-publish.yml
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  cache-cleanup:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-cache-cleanup.yml
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{github.run_number}}-' # Requires a fresh cache entry each run
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  caching-config:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-caching-config.yml
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  dependency-graph:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-dependency-graph.yml
    permissions:
      contents: write
    needs: build-distribution
    uses: ./.github/workflows/suite-integ-test-other.yml
    with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
+      skip-dist: false
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
+    secrets: inherit
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  dependency-submission:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-dependency-submission.yml
    permissions:
      contents: write
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  dependency-submission-failures:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-dependency-submission-failures.yml
    permissions:
      contents: write
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  execution-with-caching:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-execution-with-caching.yml
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  execution:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-execution.yml
    with:
      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  develocity-injection:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-inject-develocity.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
    secrets:
      DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_SOLUTIONS_ACCESS_TOKEN }}
  provision-gradle-versions:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-provision-gradle-versions.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  restore-configuration-cache:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-restore-configuration-cache.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
    secrets:
      GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
  restore-containerized-gradle-home:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-restore-containerized-gradle-home.yml
    with:
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  restore-custom-gradle-home:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-restore-custom-gradle-home.yml
    with:
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  restore-gradle-home:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-restore-gradle-home.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  restore-java-toolchain:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-restore-java-toolchain.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  sample-kotlin-dsl:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-sample-kotlin-dsl.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  sample-gradle-plugin:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-sample-gradle-plugin.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  toolchain-detection:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-detect-java-toolchains.yml
    with:
      runner-os: '["ubuntu-latest"]'
      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
  wrapper-validation:
    needs: [determine-suite, build-distribution]
    uses: ./.github/workflows/integ-test-wrapper-validation.yml
    with:
      runner-os: '["ubuntu-latest"]'
      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
--- a/.github/workflows/ci-ossf-scorecard.yml
+++ b/.github/workflows/ci-ossf-scorecard.yml
@@ -0,0 +1,57 @@
 name: CI-ossf-scorecard
 on:
  schedule:
    - cron: '0 5 * * 1'
  push:
    branches:
      - main
 permissions:
  contents: read
 jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
    steps:
      - name: 'Checkout code'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          show-progress: false
      - name: 'Run analysis'
        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: true
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: 'Upload artifact'
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Upload the results to GitHub's code scanning dashboard.
      - name: 'Upload to code-scanning'
        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        with:
          sarif_file: results.sarif
--- a/.github/workflows/ci-update-dist.yml
+++ b/.github/workflows/ci-update-dist.yml
@@ -10,19 +10,24 @@ on:
    - 'dist/**'
 permissions:
-  contents: write
+  contents: read
 jobs:
  update-dist:
    # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
    # it would erroneously update `dist` on their branch (and the pull request)
    if: github.repository == 'gradle/actions'
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        token: ${{ secrets.BOT_GITHUB_TOKEN }}
    - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
      with:
        node-version: 20
        cache: npm
@@ -43,10 +48,7 @@ jobs:
    # Important: The push event will not trigger any other workflows, see
    # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
    - name: Commit & push changes
-      # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
+      uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
      # it would erroneously update `dist` on their branch (and the pull request)
      if: github.repository == 'gradle/actions'
      uses: stefanzweifel/git-auto-commit-action@v5
      with:
        commit_message: '[bot] Update dist directory'
        file_pattern: dist
--- a/.github/workflows/ci-validate-wrappers.yml
+++ b/.github/workflows/ci-validate-wrappers.yml
@@ -0,0 +1,17 @@
 name: CI-validate-wrappers
 on:
  push:
  pull_request:
 permissions:
  contents: read
 jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: gradle/actions/wrapper-validation@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
        with:
          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
--- a/.github/workflows/demo-failure-cases.yml
+++ b/.github/workflows/demo-failure-cases.yml
@@ -1,62 +0,0 @@
 name: demo-failure-cases
 on:
  workflow_dispatch:
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Build and upload distribution
      uses: ./.github/actions/build-dist
  failing-build:
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Test build failure
      uses: ./setup-gradle
      continue-on-error: true
      with:
        build-root-directory: .github/workflow-samples/kotlin-dsl
        arguments: not-a-valid-task
  wrapper-missing:
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Test wrapper missing
      uses: ./setup-gradle
      continue-on-error: true
      with:
        build-root-directory: .github/workflow-samples/no-wrapper
        arguments: help
  bad-configuration:
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Test bad config value
      uses: ./setup-gradle
      continue-on-error: true
      with:
        build-root-directory: .github/workflow-samples/no-wrapper
        arguments: help
        cache-disabled: yes
--- a/.github/workflows/demo-job-summary.yml
+++ b/.github/workflows/demo-job-summary.yml
@@ -3,12 +3,15 @@ name: Demo Job Summary, for Gradle builds
 on:
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build and upload distribution
      uses: ./.github/actions/build-dist
@@ -17,12 +20,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false
        cache-cleanup: 'on-success'
    - name: Build kotlin-dsl project
      working-directory: .github/workflow-samples/kotlin-dsl
      run: ./gradlew assemble
@@ -56,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -76,7 +82,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -91,3 +97,20 @@ jobs:
    - name: Run build
      working-directory: .github/workflow-samples/groovy-dsl
      run: ./gradlew assemble
  cache-read-only:
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: true
    - name: Build kotlin-dsl project
      working-directory: .github/workflow-samples/kotlin-dsl
      run: ./gradlew assemble
--- a/.github/workflows/demo-pr-build-scan-comment.yml
+++ b/.github/workflows/demo-pr-build-scan-comment.yml
@@ -4,23 +4,25 @@ on:
    types: [assigned, review_requested]
 permissions:
-  pull-requests: write
+  contents: read
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build and upload distribution
      uses: ./.github/actions/build-dist
  successful-build-with-always-comment:
    permissions:
      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -34,11 +36,13 @@ jobs:
      run: ./gradlew build --scan
  successful-build-with-comment-on-failure:
    permissions:
      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -52,11 +56,13 @@ jobs:
      run: ./gradlew build --scan
  failing-build-with-comment-on-failure:
    permissions:
      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-action-inputs.yml
+++ b/.github/workflows/integ-test-action-inputs.yml
@@ -1,42 +0,0 @@
 name: Test action inputs
 on:
  workflow_call:
    inputs:
      cache-key-prefix:
        type: string
      runner-os:
        type: string
        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
      skip-dist:
        type: boolean
        default: false
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: action-inputs-${{ inputs.cache-key-prefix }}
 jobs:
  action-inputs:
    strategy:
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Invoke with multi-line arguments
      uses: ./setup-gradle
      with:
        build-root-directory: .github/workflow-samples/groovy-dsl
        arguments: |
            --configuration-cache
            --build-cache
            -DsystemProperty=FOO
            -PgradleProperty=BAR
            test
            jar
--- a/.github/workflows/integ-test-build-scan-publish.yml
+++ b/.github/workflows/integ-test-build-scan-publish.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -16,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
  build-scan-publish:
    strategy:
@@ -26,15 +30,10 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java
      uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: 11
    - name: Setup Gradle
      id: setup-gradle
      uses: ./setup-gradle
@@ -50,7 +49,7 @@ jobs:
      run: gradle help
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')   
--- a/.github/workflows/integ-test-cache-cleanup.yml
+++ b/.github/workflows/integ-test-cache-cleanup.yml
@@ -5,27 +5,33 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
-  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}
+  # Requires a fresh cache entry each run
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
 permissions:
  contents: read
 jobs:
-  full-build:
+  cache-cleanup-full-build:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -35,19 +41,20 @@ jobs:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
    - name: Build with 3.1
      working-directory: sources/test/jest/resources/cache-cleanup
-      run: gradle --no-daemon --build-cache -Dcommons_math3_version="3.1" build
+      run: ./gradlew --no-daemon --build-cache -Dcommons_math3_version="3.1" build
  # Second build will use the cache from the first build, but cleanup should remove unused artifacts
-  assemble-build:
+  cache-cleanup-assemble-build:
-    needs: full-build
+    needs: cache-cleanup-full-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -55,21 +62,22 @@ jobs:
      uses: ./setup-gradle
      with:
        cache-read-only: false
-        gradle-home-cache-cleanup: true
+        cache-cleanup: 'on-success'
    - name: Build with 3.1.1
      working-directory: sources/test/jest/resources/cache-cleanup
-      run: gradle --no-daemon --build-cache -Dcommons_math3_version="3.1.1" build
+      run: ./gradlew --no-daemon --build-cache -Dcommons_math3_version="3.1.1" build
-  check-clean-cache:
+  cache-cleanup-check-clean-cache:
-    needs: assemble-build
+    needs: cache-cleanup-assemble-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -78,15 +86,22 @@ jobs:
      with:
        cache-read-only: true
    - name: Report Gradle User Home
-      run: du -hc ~/.gradle/caches/modules-2
+      shell: bash
      run: |
        du -hc $GRADLE_USER_HOME/caches/modules-2
        du -hc $GRADLE_USER_HOME/wrapper/dists
    - name: Verify cleaned cache
      shell: bash
      run: |
-        if [ ! -e ~/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.1.1 ]; then
+        if [ ! -e $GRADLE_USER_HOME/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.1.1 ]; then
          echo "::error ::Should find commons-math3 3.1.1 in cache"
          exit 1
        fi
-        if [ -e ~/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.1 ]; then
+        if [ -e $GRADLE_USER_HOME/caches/modules-2/files-2.1/org.apache.commons/commons-math3/3.1 ]; then
          echo "::error ::Should NOT find commons-math3 3.1 in cache"
          exit 1
        fi
        if [ ! -e $GRADLE_USER_HOME/wrapper/dists/gradle-8.0.2-bin ]; then
          echo "::error ::Should find gradle-8.0.2 in wrapper/dists"
          exit 1
        fi
--- a/.github/workflows/integ-test-caching-config.yml
+++ b/.github/workflows/integ-test-caching-config.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -16,16 +17,20 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build:
+  caching-config-seed-build:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -46,16 +51,17 @@ jobs:
      run: ./gradlew test
  # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  verify-build:
+  caching-config-verify-build:
-    needs: seed-build
+    needs: caching-config-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -75,15 +81,16 @@ jobs:
      run: ./gradlew test --offline
  # Test that build scans are captured when caching is explicitly disabled
-  cache-disabled:
+  caching-config-cache-disabled:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -97,17 +104,17 @@ jobs:
      run: ./gradlew help
    - name: Check Build Scan url is captured
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')
  # Test that build scans are captured when caching is disabled because Gradle User Home already exists
-  cache-disabled-pre-existing-gradle-home:
+  caching-config-cache-disabled-pre-existing-gradle-home:
    runs-on: ubuntu-latest # This test only runs on Ubuntu
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -121,23 +128,24 @@ jobs:
      run: ./gradlew help
    - name: Check Build Scan url is captured
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')
  # Test seed the cache with cache-write-only and verify with cache-read-only
-  seed-build-write-only:
+  caching-config-seed-write-only:
    env:
-      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}-write-only-
+      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-write-only-${{ inputs.cache-key-prefix }}
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -149,18 +157,19 @@ jobs:
      working-directory: .github/workflow-samples/groovy-dsl
      run: ./gradlew test
-  verify-write-only-build:
+  caching-config-verify-write-only:
    env:
-      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}-write-only-
+      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-write-only-${{ inputs.cache-key-prefix }}
-    needs: seed-build-write-only
+    needs: caching-config-seed-write-only
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@@ -5,31 +5,28 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
 permissions:
  contents: write
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 permissions:
  contents: read
 jobs:
-  groovy-generate:
+  dependency-graph-groovy-upload:
-    strategy:
+    runs-on: "ubuntu-latest"
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -41,12 +38,14 @@ jobs:
      run: ./gradlew build
      working-directory: .github/workflow-samples/groovy-dsl
-  groovy-submit:
+  dependency-graph-groovy-submit:
-    needs: [groovy-generate]
+    permissions:
      contents: write
    needs: [dependency-graph-groovy-upload]
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -54,16 +53,16 @@ jobs:
      uses: ./setup-gradle
      with:
        dependency-graph: download-and-submit
      env:
        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
-  kotlin-generate-and-submit:
+  dependency-graph-kotlin-generate-and-submit:
-    strategy:
+    permissions:
-      fail-fast: false
+      contents: write
-      matrix:
+    runs-on: "ubuntu-latest"
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -75,15 +74,13 @@ jobs:
      run: ./gradlew build
      working-directory: .github/workflow-samples/kotlin-dsl
-  multiple-builds:
+  dependency-graph-multiple-builds:
-    strategy:
+    permissions:
-      fail-fast: false
+      contents: write
-      matrix:
+    runs-on: "ubuntu-latest"
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -120,11 +117,13 @@ jobs:
            exit 1
        fi
-  config-cache:
+  dependency-graph-config-cache:
    permissions:
      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-dependency-submission-failures.yml
+++ b/.github/workflows/integ-test-dependency-submission-failures.yml
@@ -5,6 +5,7 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
        default: '["ubuntu-latest"]'
@@ -17,12 +18,15 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 permissions:
  contents: read
 jobs:
-  failing-build:
+  dependency-submission-failures-failing-build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -47,11 +51,11 @@ jobs:
            exit 1
        fi
-  unsupported-gradle-version:
+  dependency-submission-failures-unsupported-gradle-version:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -76,13 +80,13 @@ jobs:
            exit 1
        fi
-  insufficient-permissions:
+  dependency-submission-failures-insufficient-permissions:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-dependency-submission.yml
+++ b/.github/workflows/integ-test-dependency-submission.yml
@@ -5,31 +5,35 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
 permissions:
  contents: write
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 permissions:
  contents: read
 jobs:
-  groovy-generate-and-upload:
+  dependency-submission-groovy-generate-and-upload:
    permissions:
      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -42,16 +46,19 @@ jobs:
      env: 
        GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
-  groovy-restore-cache:
+  dependency-submission-groovy-restore-cache:
-    needs: [groovy-generate-and-upload]
+    permissions:
      contents: write
    needs: [dependency-submission-groovy-generate-and-upload]
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -63,16 +70,19 @@ jobs:
      env: 
        GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
-  groovy-download-and-submit:
+  dependency-submission-groovy-download-and-submit:
-    needs: [groovy-generate-and-upload]
+    permissions:
      contents: write
    needs: [dependency-submission-groovy-generate-and-upload]
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -80,16 +90,21 @@ jobs:
      uses: ./dependency-submission
      with:
        dependency-graph: download-and-submit
      env:
        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
-  kotlin-generate-and-submit:
+  dependency-submission-kotlin-generate-and-submit:
    permissions:
      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -98,15 +113,18 @@ jobs:
      with:
        build-root-directory: .github/workflow-samples/kotlin-dsl
-  multiple-builds:
+  dependency-submission-multiple-builds:
    permissions:
      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -143,15 +161,18 @@ jobs:
            exit 1
        fi
-  multiple-builds-upload:
+  dependency-submission-multiple-builds-upload:
    permissions:
      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -166,11 +187,13 @@ jobs:
        dependency-graph: generate-and-upload
        build-root-directory: .github/workflow-samples/groovy-dsl
-  config-cache:
+  dependency-submission-config-cache:
    permissions:
      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -201,7 +224,9 @@ jobs:
            exit 1
        fi
-  gradle-versions:
+  dependency-submission-gradle-versions:
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
@@ -215,7 +240,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -225,15 +250,13 @@ jobs:
        gradle-version: ${{ matrix.gradle }}
        build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
-  after-setup-gradle:
+  dependency-submission-with-setup-gradle:
-    strategy:
+    permissions:
-      fail-fast: false
+      contents: write
-      matrix:
+    runs-on: ubuntu-latest # Test is not compatible with Windows
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -244,16 +267,74 @@ jobs:
      uses: ./dependency-submission
      with:
        build-root-directory: .github/workflow-samples/groovy-dsl
    - name: Check and delete generated dependency graph
      shell: bash
      run: |
        if [ ! -e "${{ steps.dependency-submission.outputs.dependency-graph-file }}" ]; then
            echo "Did not find generated dependency graph files"
            exit 1
        fi
        rm ${{ steps.dependency-submission.outputs.dependency-graph-file }}*
    - name: Run Gradle build
      run: ./gradlew build
      working-directory: .github/workflow-samples/groovy-dsl
    - name: Check no dependency graph is generated
      shell: bash
      run: |
        if [ ! -z "$(ls -A dependency-graph-reports)" ]; then
            echo "Expected no dependency graph files to be generated"
            ls -l dependency-graph-reports
            exit 1
        fi
-  custom-report-dir-submit:
+  dependency-submission-with-includes-and-excludes:
    permissions:
      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Generate and submit dependencies
      id: dependency-submission
      uses: ./dependency-submission
      with:
        build-root-directory: .github/workflow-samples/groovy-dsl
        dependency-graph-exclude-projects: excluded-project
        dependency-graph-include-projects: included-project
        dependency-graph-exclude-configurations: excluded-configuration
        dependency-graph-include-configurations: included-configuration
    - name: Check generated dependency graph and env vars
      shell: bash
      run: |
        if [ ! -e "${{ steps.dependency-submission.outputs.dependency-graph-file }}" ]; then
            echo "Did not find generated dependency graph file"
            exit 1
        fi
        if [ "$DEPENDENCY_GRAPH_EXCLUDE_PROJECTS" != "excluded-project" ] || 
           [ "$DEPENDENCY_GRAPH_INCLUDE_PROJECTS" != "included-project" ] || 
           [ "$DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS" != "excluded-configuration" ] || 
           [ "$DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS" != "included-configuration" ]; then
            echo "Did not set expected environment variables"
            exit 1
        fi
  dependency-submission-custom-report-dir-submit:
    permissions:
      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -262,9 +343,8 @@ jobs:
      uses: ./dependency-submission
      with:
        dependency-graph: generate-and-submit
        dependency-graph-report-dir: '${{ github.workspace }}/custom/report-dir'
        build-root-directory: .github/workflow-samples/groovy-dsl
      env: 
        DEPENDENCY_GRAPH_REPORT_DIR: '${{ github.workspace }}/custom/report-dir'
    - name: Check generated dependency graphs
      shell: bash
      run: |
@@ -280,11 +360,13 @@ jobs:
          exit 1
        fi
-  custom-report-dir-upload:
+  dependency-submission-custom-report-dir-upload:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -293,16 +375,17 @@ jobs:
      uses: ./dependency-submission
      with:
        dependency-graph: generate-and-upload
        dependency-graph-report-dir: '${{ github.workspace }}/custom/report-dir'
        build-root-directory: .github/workflow-samples/groovy-dsl
      env: 
        DEPENDENCY_GRAPH_REPORT_DIR: '${{ github.workspace }}/custom/report-dir'
  custom-report-dir-download-and-submit:
-    needs: custom-report-dir-upload
+    permissions:
      contents: write
    needs: [dependency-submission-custom-report-dir-upload]
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -310,9 +393,11 @@ jobs:
      uses: ./dependency-submission
      with:
        dependency-graph: download-and-submit
        dependency-graph-report-dir: '${{ github.workspace }}/custom/report-dir'
        build-root-directory: .github/workflow-samples/groovy-dsl
      env: 
-        DEPENDENCY_GRAPH_REPORT_DIR: '${{ github.workspace }}/custom/report-dir'
+        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: custom-report-dir-upload # For testing, to avoid downloading artifacts from other worklfows
    - name: Check downloaded dependency graph
      shell: bash
      run: |
--- a/.github/workflows/integ-test-detect-java-toolchains.yml
+++ b/.github/workflows/integ-test-detect-java-toolchains.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -16,9 +17,12 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
  # Test that pre-installed runner JDKs are detected
-  pre-installed-toolchains:
+  detect-toolchains-pre-installed-jdks:
    strategy:
      fail-fast: false
      matrix:
@@ -26,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -48,7 +52,7 @@ jobs:
        grep -q 'Eclipse Temurin JDK 21' output.txt || (echo "::error::Did not detect preinstalled JDK 21" && exit 1)
  # Test that JDKs provisioned by setup-java are detected
-  setup-java-installed-toolchain:
+  detect-toolchains-setup-java-jdks:
    strategy:
      fail-fast: false
      matrix:
@@ -56,17 +60,17 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java 20
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
      with:
        distribution: 'temurin'
        java-version: 20
    - name: Setup Java 16
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
      with:
        distribution: 'temurin'
        java-version: 16
--- a/.github/workflows/integ-test-execution-with-caching.yml
+++ b/.github/workflows/integ-test-execution-with-caching.yml
@@ -1,60 +0,0 @@
 name: Test execution with caching
 on:
  workflow_call:
    inputs:
      cache-key-prefix:
        type: string
      runner-os:
        type: string
        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
      skip-dist:
        type: boolean
        default: false
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: execution-with-caching-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 jobs:
  seed-build:
    strategy:
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Execute Gradle build
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        build-root-directory: .github/workflow-samples/groovy-dsl
        arguments: test
  # Test that the gradle-user-home is restored
  verify-build:
    needs: seed-build
    strategy:
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Execute Gradle build
      uses: ./setup-gradle
      with:
        cache-read-only: true
        build-root-directory: .github/workflow-samples/groovy-dsl
        arguments: test --offline -DverifyCachedBuild=true
--- a/.github/workflows/integ-test-execution.yml
+++ b/.github/workflows/integ-test-execution.yml
@@ -1,102 +0,0 @@
 name: Test execution
 on:
  workflow_call:
    inputs:
      cache-key-prefix:
        type: string
      runner-os:
        type: string
        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
      skip-dist:
        type: boolean
        default: false
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: execution-${{ inputs.cache-key-prefix }}
 jobs:   
  # Tests for executing with different Gradle versions. 
  # Each build verifies that it is executed with the expected Gradle version.
  gradle-execution:
    strategy:
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
        include:
          - os: windows-latest
            script-suffix: '.bat'
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Test use defined Gradle version
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        gradle-version: 6.9
        build-root-directory: .github/workflow-samples/no-wrapper
        arguments: help -DgradleVersionCheck=6.9
    - name: Test use Gradle version alias
      uses: ./setup-gradle
      with:
        gradle-version: release-candidate
        build-root-directory: .github/workflow-samples/no-wrapper
        arguments: help
    - name: Test with non-executable wrapper
      uses: ./setup-gradle
      with:
        gradle-version: wrapper
        build-root-directory: .github/workflow-samples/non-executable-wrapper
        arguments: help
  gradle-versions:
    strategy:
      fail-fast: false
      matrix:
        gradle: [7.5.1, 6.9.2, 5.6.4, 4.10.3, 3.5.1]
        os: ${{fromJSON(inputs.runner-os)}}
        include:
          - java-version: 11
          - gradle: 5.6.4
            build-root-suffix: -gradle-5
          - gradle: 4.10.3
            build-root-suffix: -gradle-4
          - gradle: 3.5.1
            build-root-suffix: -gradle-4
            java-version: 8
        exclude:
          - os: macos-latest # Java 8 is not supported on macos-latest, so we cannot test Gradle 3.5.1
            gradle: 3.5.1
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java
      uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: ${{ matrix.java-version }}
    - name: Run Gradle build
      uses: ./setup-gradle
      id: gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        gradle-version: ${{matrix.gradle}}
        build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
        arguments: help -DgradleVersionCheck=${{matrix.gradle}}
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
      uses: actions/github-script@v7
      with:
        script: |
          core.setFailed('No Build Scan detected')    
--- a/.github/workflows/integ-test-inject-develocity.yml
+++ b/.github/workflows/integ-test-inject-develocity.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -19,38 +20,36 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
  inject-develocity:
    env:
      DEVELOCITY_INJECTION_ENABLED: true
      DEVELOCITY_URL: https://ge.solutions-team.gradle.com
      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
      ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
    strategy:
      fail-fast: false
      matrix:
        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.17.4]
+        plugin-version: [3.16.2, 3.19]
        include:
        - plugin-version: 3.16.2
          accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
-        - plugin-version: 3.17.4
+        - plugin-version: 3.19
          accessKeyEnv: DEVELOCITY_ACCESS_KEY
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java
      uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: 11
    - name: Setup Gradle
      id: setup-gradle
      uses: ./setup-gradle
@@ -63,7 +62,7 @@ jobs:
      run: gradle help
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')
@@ -77,24 +76,19 @@ jobs:
      DEVELOCITY_INJECTION_ENABLED: true
      DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
    strategy:
      fail-fast: false
      matrix:
        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.17.4]
+        plugin-version: [3.16.2, 3.19]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Initialize integ-test
        uses: ./.github/actions/init-integ-test
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 8
      - name: Setup Gradle
        id: setup-gradle
        uses: ./setup-gradle
@@ -113,7 +107,7 @@ jobs:
        run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
      - name: Check Build Scan url
        if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            core.setFailed('No Build Scan detected')
@@ -123,7 +117,7 @@ jobs:
      DEVELOCITY_INJECTION_ENABLED: true
      DEVELOCITY_URL: 'https://localhost:3333/'
      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
      # Access key also set as an env var, we want to check it does not leak
      GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
      DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -132,19 +126,14 @@ jobs:
      matrix:
        gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.17.4 ]
+        plugin-version: [ 3.16.2, 3.19 ]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Initialize integ-test
        uses: ./.github/actions/init-integ-test
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 8
      - name: Setup Gradle
        id: setup-gradle
        uses: ./setup-gradle
@@ -155,8 +144,8 @@ jobs:
        id: gradle
        working-directory: .github/workflow-samples/no-ge
        run: gradle help
-      - name: Check access key is blank (DEVELOCITY_ACCESS_KEY)
+      - name: Check access key is not blank (DEVELOCITY_ACCESS_KEY)
-        run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)"
+        run: "[ \"${DEVELOCITY_ACCESS_KEY}\" != \"\" ] || (echo 'using DEVELOCITY_ACCESS_KEY!'; exit 1)"
      - name: Check access key is not blank (GRADLE_ENTERPRISE_ACCESS_KEY)
        run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" != \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY is still supported in v3!'; exit 1)"
@@ -168,18 +157,13 @@ jobs:
      matrix:
        gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
        os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.17.4 ]
+        plugin-version: [ 3.16.2, 3.19 ]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Initialize integ-test
        uses: ./.github/actions/init-integ-test
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 8
      - name: Setup Gradle
        id: setup-gradle
        uses: ./setup-gradle
@@ -195,7 +179,7 @@ jobs:
        run: gradle help
      - name: Check Build Scan url
        if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            core.setFailed('No Build Scan detected')
--- a/.github/workflows/integ-test-provision-gradle-versions.yml
+++ b/.github/workflows/integ-test-provision-gradle-versions.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -17,21 +18,22 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 permissions:
  contents: read
 jobs:   
  # Tests for executing with different Gradle versions. 
  # Each build verifies that it is executed with the expected Gradle version.
  provision-gradle:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
        include:
          - os: windows-latest
            script-suffix: '.bat'
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -62,18 +64,21 @@ jobs:
      uses: ./setup-gradle
      with:
        gradle-version: current
    - name: Test use current
      working-directory: .github/workflow-samples/no-wrapper
      run: gradle help
    - name: Check current version output parameter
      if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
-  gradle-versions:
+  provision-gradle-version:
    strategy:
      fail-fast: false
      matrix:
-        gradle: [7.3, 6.9, 5.6.4, 4.10.3, 3.5.1]
+        gradle: ["8.11.1", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
        os: ${{fromJSON(inputs.runner-os)}}
        include:
          - java-version: 11
@@ -90,12 +95,12 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
      with:
        distribution: temurin
        java-version: ${{ matrix.java-version }}
@@ -107,7 +112,7 @@ jobs:
        gradle-version: ${{ matrix.gradle }}
    - name: Check output parameter
      if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -117,7 +122,7 @@ jobs:
      run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
    - name: Check Build Scan url
      if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
      with:
        script: |
          core.setFailed('No Build Scan detected')    
--- a/.github/workflows/integ-test-restore-configuration-cache.yml
+++ b/.github/workflows/integ-test-restore-configuration-cache.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -19,96 +20,123 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build-groovy:
+  restore-cc-seed-build-groovy:
    env:
      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java to ensure consistency
      uses: actions/setup-java@v4
      with:
        distribution: 'liberica'
        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        cache-write-only: true # Ensure we start with a clean cache entry
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
        gradle-version: 8.6
    - name: Groovy build with configuration-cache enabled
      working-directory: .github/workflow-samples/groovy-dsl
      run: gradle test --configuration-cache
-  verify-build-groovy:
+  restore-cc-verify-build-groovy:
    env:
      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
-    needs: seed-build-groovy
+      GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_1
    needs: restore-cc-seed-build-groovy
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
-    - name: Setup Java to ensure consistency
+    - name: Setup Gradle
-      uses: actions/setup-java@v4
+      uses: ./setup-gradle
      with:
-        distribution: 'liberica'
+        cache-read-only: false
-        java-version: 17
+        cache-cleanup: on-success
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
    - name: Groovy build with configuration-cache enabled
      id: execute
      working-directory: .github/workflow-samples/groovy-dsl
      run: gradle test --configuration-cache
    - name: Verify configuration-cache hit
      shell: bash
      run: |
        if [ -e ".github/workflow-samples/groovy-dsl/task-configured.txt" ]; then
            echo "Configuration cache was not used - task was configured unexpectedly"
            exit 1
        fi
  # Ensure that cache-cleanup doesn't remove all necessary files
  restore-cc-verify-no-cache-cleanup-groovy:
    env:
      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
      GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_2
    needs: restore-cc-verify-build-groovy
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: true
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
        gradle-version: 8.6
    - name: Groovy build with configuration-cache enabled
      id: execute
      working-directory: .github/workflow-samples/groovy-dsl
      run: gradle test --configuration-cache
-    - name: Check that configuration-cache was used
+    - name: Verify configuration-cache hit
-      uses: actions/github-script@v7
+      shell: bash
-      with:
+      run: |
-        script: |
+        if [ -e ".github/workflow-samples/groovy-dsl/task-configured.txt" ]; then
-          const fs = require('fs')
+            echo "Configuration cache was not used - task was configured unexpectedly"
-          if (fs.existsSync('.github/workflow-samples/groovy-dsl/task-configured.txt')) {
+            exit 1
-            core.setFailed('Configuration cache was not used - task was configured unexpectedly')
+        fi
          }
  # Check that the build can run when no extracted cache entries are restored
-  gradle-user-home-not-fully-restored:
+  restore-cc-gradle-user-home-not-fully-restored:
    env:
      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
-    needs: seed-build-groovy
+      GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_x
    needs: restore-cc-seed-build-groovy
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java to ensure consistency
      uses: actions/setup-java@v4
      with:
        distribution: 'liberica'
        java-version: 17
    - name: Setup Gradle with no extracted cache entries restored
      uses: ./setup-gradle
      env: 
@@ -116,107 +144,92 @@ jobs:
      with:
        cache-read-only: true
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
        gradle-version: 8.6
    - name: Check execute Gradle build with configuration cache enabled (but not restored)
      working-directory: .github/workflow-samples/groovy-dsl
      run: gradle test --configuration-cache
-  seed-build-kotlin:
+  restore-cc-seed-build-kotlin:
    env:
      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java to ensure consistency
      uses: actions/setup-java@v4
      with:
        distribution: 'liberica'
        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        cache-write-only: true # Ensure we start with a clean cache entry
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
        gradle-version: 8.6
    - name: Execute 'help' with configuration-cache enabled
      working-directory: .github/workflow-samples/kotlin-dsl
      run: gradle help --configuration-cache
-  modify-build-kotlin:
+  restore-cc-modify-build-kotlin:
    env:
-      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin-modified
+      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin
-    needs: seed-build-kotlin
+      GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_1
    needs: restore-cc-seed-build-kotlin
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java to ensure consistency
      uses: actions/setup-java@v4
      with:
        distribution: 'liberica'
        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: false # For testing, allow writing cache entries on non-default branches
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
        gradle-version: 8.6
    - name: Execute 'test' with configuration-cache enabled
      working-directory: .github/workflow-samples/kotlin-dsl
      run: gradle test --configuration-cache
  # Test restore configuration-cache from the third build invocation
-  verify-build-kotlin:
+  restore-cc-verify-build-kotlin:
    env:
-      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin-modified
+      GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin
-    needs: modify-build-kotlin
+      GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_2
    needs: restore-cc-modify-build-kotlin
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Setup Java to ensure consistency
      uses: actions/setup-java@v4
      with:
        distribution: 'liberica'
        java-version: 17
    - name: Setup Gradle
      uses: ./setup-gradle
      with:
        cache-read-only: true
        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
        gradle-version: 8.6
    - name: Execute 'test' again with configuration-cache enabled
      id: execute
      working-directory: .github/workflow-samples/kotlin-dsl
      run: gradle test --configuration-cache
-    - name: Check that configuration-cache was used
+    - name: Verify configuration-cache hit
-      uses: actions/github-script@v7
+      shell: bash
-      with:
+      run: |
-        script: |
+        if [ -e ".github/workflow-samples/kotlin-dsl/task-configured.txt" ]; then
-          const fs = require('fs')
+            echo "Configuration cache was not used - task was configured unexpectedly"
-          if (fs.existsSync('.github/workflow-samples/kotlin-dsl/task-configured.txt')) {
+            exit 1
-            core.setFailed('Configuration cache was not used - task was configured unexpectedly')
+        fi
          }
--- a/.github/workflows/integ-test-restore-containerized-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-containerized-gradle-home.yml
@@ -5,6 +5,7 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      skip-dist:
        type: boolean
        default: false
@@ -13,13 +14,16 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build:
+  restore-containerized-seed-build:
    runs-on: ubuntu-latest
    container: fedora:latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -32,13 +36,13 @@ jobs:
      run: ./gradlew test
  # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  dependencies-cache:
+  restore-containerized-dependencies-cache:
-    needs: seed-build
+    needs: restore-containerized-seed-build
    runs-on: ubuntu-latest
    container: fedora:latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-restore-custom-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-custom-gradle-home.yml
@@ -5,6 +5,7 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      skip-dist:
        type: boolean
        default: false
@@ -13,12 +14,15 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build:
+  restore-custom-gradle-home-seed-build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -35,12 +39,12 @@ jobs:
      run: ./gradlew test --info
  # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  dependencies-cache:
+  restore-custom-gradle-home-dependencies-cache:
-    needs: seed-build
+    needs: restore-custom-gradle-home-seed-build
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -57,12 +61,12 @@ jobs:
      run: ./gradlew test --offline --info
  # Test that the gradle-user-home cache will cache and restore local build-cache
-  build-cache:
+  restore-custom-gradle-home-build-cache:
-    needs: seed-build
+    needs: restore-custom-gradle-home-seed-build
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-restore-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-gradle-home.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -17,16 +18,20 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
 permissions:
  contents: read
 jobs:
-  seed-build:
+  restore-gradle-home-seed-build:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -39,16 +44,17 @@ jobs:
      run: ./gradlew test
  # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  dependencies-cache:
+  restore-gradle-home-dependencies-cache:
-    needs: seed-build
+    needs: restore-gradle-home-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -61,16 +67,17 @@ jobs:
      run: ./gradlew test --offline
  # Test that the gradle-user-home cache will cache and restore local build-cache
-  build-cache:
+  restore-gradle-home-build-cache:
-    needs: seed-build
+    needs: restore-gradle-home-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -83,16 +90,17 @@ jobs:
      run: ./gradlew test -DverifyCachedBuild=true
  # Check that the build can run when Gradle User Home is not fully restored
-  no-extracted-cache-entries-restored:
+  restore-gradle-home-no-extracted-cache-entries-restored:
-    needs: seed-build
+    needs: restore-gradle-home-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -107,16 +115,17 @@ jobs:
      run: ./gradlew test
  # Test that a pre-existing gradle-user-home can be overwritten by the restored cache
-  pre-existing-gradle-home:
+  restore-gradle-home-pre-existing-gradle-home:
-    needs: seed-build
+    needs: restore-gradle-home-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-restore-java-toolchain.yml
+++ b/.github/workflows/integ-test-restore-java-toolchain.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -16,16 +17,20 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build:
+  restore-java-toolchain-seed-build:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -38,16 +43,17 @@ jobs:
      run: ./gradlew test --info
  # Test that the gradle-user-home cache will cache the toolchain, by running build with --offline
-  toolchain-cache:
+  restore-java-toolchain-verify-build:
-    needs: seed-build
+    needs: restore-java-toolchain-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-sample-gradle-plugin.yml
+++ b/.github/workflows/integ-test-sample-gradle-plugin.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -16,16 +17,20 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build:
+  sample-gradle-plugin-seed-build:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -37,16 +42,17 @@ jobs:
      working-directory: .github/workflow-samples/gradle-plugin
      run: ./gradlew build
-  verify-build:
+  sample-gradle-plugin-verify-build:
-    needs: seed-build
+    needs: sample-gradle-plugin-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-sample-kotlin-dsl.yml
+++ b/.github/workflows/integ-test-sample-kotlin-dsl.yml
@@ -5,9 +5,10 @@ on:
    inputs:
      cache-key-prefix:
        type: string
        default: '0'
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -16,16 +17,20 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
 permissions:
  contents: read
 jobs:
-  seed-build:
+  sample-kotlin-dsl-seed-build:
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -37,16 +42,17 @@ jobs:
      working-directory: .github/workflow-samples/kotlin-dsl
      run: ./gradlew build
-  verify-build:
+  sample-kotlin-dsl-verify-build:
-    needs: seed-build
+    needs: sample-kotlin-dsl-seed-build
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        os: ${{fromJSON(inputs.runner-os)}}
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
--- a/.github/workflows/integ-test-wrapper-validation.yml
+++ b/.github/workflows/integ-test-wrapper-validation.yml
@@ -5,7 +5,7 @@ on:
    inputs:
      runner-os:
        type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
@@ -13,8 +13,11 @@ on:
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
 permissions:
  contents: read
 jobs:
-  test-setup-gradle-validation:
+  wrapper-validation-setup-gradle:
    strategy:
      fail-fast: false
      matrix:
@@ -22,29 +25,30 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Run wrapper-validation-action
      id: setup-gradle
      uses: ./setup-gradle
-      with:
+      env:
-        validate-wrappers: true
+        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: ''
      continue-on-error: true
    - name: Check failure
      shell: bash
      run: |
        if [ "${{ steps.setup-gradle.outcome}}" != "failure" ] ; then
          echo "Expected validation to fail, but it didn't"
          exit 1
        fi
-  test-validation-success:
+  wrapper-validation-success:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -54,6 +58,7 @@ jobs:
      with:
        # to allow the invalid wrapper jar present in test data
        allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        min-wrapper-count: 10
    - name: Check outcome
      env:
@@ -61,17 +66,18 @@ jobs:
        # below to not accidentally inject code into shell script or break its syntax
        FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
        FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == '' }}
      shell: bash
      run: |
        if [ "$FAILED_WRAPPERS_MATCHES" != "true" ] ; then
          echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
          exit 1
        fi
-  test-validation-error:
+  wrapper-validation-error:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
@@ -88,6 +94,7 @@ jobs:
        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
        FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
        FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == 'sources/test/jest/wrapper-validation/data/invalid/gradle-wrapper.jar|sources/test/jest/wrapper-validation/data/invalid/gradlе-wrapper.jar' }}
      shell: bash
      run: |
        if [ "$VALIDATION_FAILED" != "true" ] ; then
          echo "Expected validation to fail, but it didn't"
@@ -98,3 +105,64 @@ jobs:
          echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
          exit 1
        fi
  wrapper-validation-minimum-wrapper-count:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Run wrapper-validation-action
      id: action-test
      uses: ./wrapper-validation
      with:
        # to allow the invalid wrapper jar present in test data
        allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        min-wrapper-count: 11
      # Expected to fail; validated below
      continue-on-error: true
    - name: Check outcome
      env:
        # Evaluate workflow expressions here as env variable values instead of inside shell script
        # below to not accidentally inject code into shell script or break its syntax
        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
      shell: bash
      run: |
        if [ "$VALIDATION_FAILED" != "true" ] ; then
          echo "Expected validation to fail, but it didn't"
          exit 1
        fi
  wrapper-validation-zero-wrappers:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Checkout the repository with no wrappers
      with:
        sparse-checkout: |
          .github/actions
          dist
          wrapper-validation
    - name: Initialize integ-test
      uses: ./.github/actions/init-integ-test
    - name: Run wrapper-validation-action
      id: action-test
      uses: ./wrapper-validation
      # Expected to fail; validated below
      continue-on-error: true
    - name: Check outcome
      env:
        # Evaluate workflow expressions here as env variable values instead of inside shell script
        # below to not accidentally inject code into shell script or break its syntax
        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
      shell: bash
      run: |
        if [ "$VALIDATION_FAILED" != "true" ] ; then
          echo "Expected validation to fail, but it didn't"
          exit 1
        fi
--- a/.github/workflows/suite-integ-test-caching.yml
+++ b/.github/workflows/suite-integ-test-caching.yml
@@ -0,0 +1,55 @@
 name: suite-integ-test-caching
 on:
  workflow_call:
    inputs:
      runner-os:
        type: string
        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
 permissions:
  contents: read
 jobs:
  cache-cleanup:
    uses: ./.github/workflows/integ-test-cache-cleanup.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  caching-config:
    uses: ./.github/workflows/integ-test-caching-config.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  restore-configuration-cache:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    uses: ./.github/workflows/integ-test-restore-configuration-cache.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
    secrets:
      GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
  restore-containerized-gradle-home:
    uses: ./.github/workflows/integ-test-restore-containerized-gradle-home.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
  restore-custom-gradle-home:
    uses: ./.github/workflows/integ-test-restore-custom-gradle-home.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
  restore-gradle-home:
    uses: ./.github/workflows/integ-test-restore-gradle-home.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
  restore-java-toolchain:
    uses: ./.github/workflows/integ-test-restore-java-toolchain.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
--- a/.github/workflows/suite-integ-test-other.yml
+++ b/.github/workflows/suite-integ-test-other.yml
@@ -0,0 +1,85 @@
 name: suite-integ-test-other
 on:
  workflow_call:
    inputs:
      runner-os:
        type: string
        default: '["ubuntu-latest"]'
      skip-dist:
        type: boolean
        default: false
 permissions:
  contents: read
 jobs:
  build-scan-publish:
    uses: ./.github/workflows/integ-test-build-scan-publish.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  dependency-graph:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    uses: ./.github/workflows/integ-test-dependency-graph.yml
    permissions:
      contents: write
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  dependency-submission:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    uses: ./.github/workflows/integ-test-dependency-submission.yml
    permissions:
      contents: write
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  dependency-submission-failures:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    uses: ./.github/workflows/integ-test-dependency-submission-failures.yml
    permissions:
      contents: write
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  develocity-injection:
    if: ${{ ! github.event.pull_request.head.repo.fork }}
    uses: ./.github/workflows/integ-test-inject-develocity.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
    secrets:
      DEVELOCITY_ACCESS_KEY: ${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}
  provision-gradle-versions:
    uses: ./.github/workflows/integ-test-provision-gradle-versions.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  sample-kotlin-dsl:
    uses: ./.github/workflows/integ-test-sample-kotlin-dsl.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  sample-gradle-plugin:
    uses: ./.github/workflows/integ-test-sample-gradle-plugin.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
  toolchain-detection:
    uses: ./.github/workflows/integ-test-detect-toolchains.yml
    with:
      skip-dist: ${{ inputs.skip-dist }}
  wrapper-validation:
    uses: ./.github/workflows/integ-test-wrapper-validation.yml
    with:
      runner-os: '${{ inputs.runner-os }}'
      skip-dist: ${{ inputs.skip-dist }}
--- a/.github/workflows/update-checksums-file.yml
+++ b/.github/workflows/update-checksums-file.yml
@@ -7,20 +7,22 @@ on:
  workflow_dispatch:
 permissions:
-  contents: write
+  contents: read
  pull-requests: write
 jobs:
  update-checksums:
    permissions:
      contents: write
      pull-requests: write
    name: Update checksums
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: 20
          cache: npm
@@ -28,7 +30,7 @@ jobs:
      - name: Install dependencies
        run: |
-          npm install typed-rest-client@1.8.11 --no-save
+          npm clean-install typed-rest-client@1.8.11 --no-save
        working-directory: sources
      - name: Update checksums file
@@ -37,7 +39,7 @@ jobs:
      # If there are no changes, this action will not create a pull request
      - name: Create or update pull request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: bot/wrapper-checksums-update
          commit-message: Update known wrapper checksums
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -3,23 +3,9 @@
 The `build` script in the project root provides a convenient way to perform many local build tasks:
 1. `./build` will lint and compile typescript sources
 2. `./build all` will lint and compile typescript and run unit tests
-3. `./build init-scripts` will run the init-script integration tests
+3. `./build install` will install npm packages followed by lint and compile
-4. `./build act <act-commands>` will run `act` after building local changes (see below)
+4. `./build init-scripts` will run the init-script integration tests
-
+5. `./build act <act-commands>` will run `act` after building local changes (see below)
 ## How to merge a Dependabot PR
 The "distribution" for a GitHub Action is checked into the repository itself. 
 In the case of these actions, the transpiled sources are committed to the `dist` directory. 
 Any production dependencies are inlined into the distribution. 
 So if a Dependabot PR updates a production dependency (or a dev dependency that changes the distribution, like the Typescript compiler), 
 then a manual step is required to rebuild the dist and commit.
 The simplest process to follow is:
 1. Checkout the dependabot branch locally eg: `git checkout dependabot/npm_and_yarn/actions/github-5.1.0`
 2. In the `sources` directory, run `npm install` to download NPM dependencies
 3. In the `sources` directory, run `npm run build` to regenerate the distribution
 4. Push the changes to the dependabot branch
 5. If/when the checks pass, you can merge the dependabot PR
 ## Using `act` to run integ-test workflows locally
@@ -36,7 +22,6 @@ Example running a single job:
 `./build act -W .github/workflows/integ-test-caching-config.yml -j cache-disabled-pre-existing-gradle-home`
 Known issues:
 - `integ-test-cache-cleanup.yml` fails because `gradle` is not installed on the runner. Should be fixed by #33.
 - `integ-test-detect-java-toolchains.yml` fails when running on a `linux/amd64` container, since the expected pre-installed JDKs are not present. Should be fixed by #89.
 - `act` is not yet compatible with `actions/upload-artifact@v4` (or related toolkit functions)
    - See https://github.com/nektos/act/pull/2224
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # GitHub Actions for Gradle builds
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gradle/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/gradle/actions)
 This repository contains a set of GitHub Actions that are useful for building Gradle projects on GitHub.
 ## The `setup-gradle` action
@@ -30,7 +32,7 @@ jobs:
        distribution: 'temurin'
        java-version: 17
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
    - name: Build with Gradle
      run: ./gradlew build
 ```
@@ -68,7 +70,7 @@ jobs:
        distribution: 'temurin'
        java-version: 17
    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 ```
 See the [full action documentation](docs/dependency-submission.md) for more advanced usage scenarios.
@@ -79,6 +81,9 @@ The `wrapper-validation` action validates the checksums of _all_ [Gradle Wrapper
 The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
 Starting with v4 the `setup-gradle` action will [perform wrapper validation](docs/setup-gradle.md#gradle-wrapper-validation) on each execution.
 If you are using `setup-gradle` in your workflows, it is unlikely that you will need to use the `wrapper-validation` action.
 ### Example workflow
 ```yaml
@@ -94,7 +99,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v3
+      - uses: gradle/actions/wrapper-validation@v4
 ```
 See the [full action documentation](docs/wrapper-validation.md) for more advanced usage scenarios.
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -5,58 +5,27 @@
 - Check that https://github.com/gradle/actions/actions is green for all workflows for the main branch.
  - This should include any workflows triggered by `[bot] Update dist directory`
 - Decide on the version number to use for the release. The action releases should follow semantic versioning.
-  - By default, a patch release is assumed (eg. `3.0.0` → `3.0.1`)
+  - By default, a patch release is assumed (eg. `4.0.0` → `4.0.1`)
-  - If new features have been added, bump the minor version (eg `3.1.1` → `3.2.0`)
+  - If new features have been added, bump the minor version (eg `4.1.1` → `4.2.0`)
-  - If a new major release is required, bump the major version (eg `3.1.1` → `4.0.0`)
+  - If a new major release is required, bump the major version (eg `4.1.1` → `5.0.0`)
  - Note: The gradle actions follow the GitHub Actions convention of including a .0 patch number for the first release of a minor version, unlike the Gradle convention which omits the trailing .0.
 ## Release gradle/actions
- Create a tag for the release. The tag should have the format `v3.1.0`
+- Create a tag for the release. The tag should have the format `v4.1.0`
-  - From CLI: `git tag v3.1.0 && git push --tags`
+  - From CLI: `git tag v4.1.0 && git push --tags`
 - Go to https://github.com/gradle/actions/releases and "Draft new release"
  - Use the newly created tag and copy the tag name exactly as the release title.
  - Craft release notes content based on issues closed, PRs merged and commits
  - Include a Full changelog link in the format https://github.com/gradle/actions/compare/v2.12.0...v3.0.0
 - Publish the release.
- Force push the `v3` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
+- Force push the `v4` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
-  - From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
+  - From CLI: `git tag -f -a -m "v4.0.0" v4 v4.0.0 && git push -f --tags`
  - Note that we set the commit message for the tag to the newly released version.
 ## Release gradle/gradle-build-action
 During the 3.x release series, we will continue to publish parallel releases of `gradle/gradle-build-action`. These releases will simply delegate to `gradle/actions/setup-gradle` with the same version.
 - Update the [gradle-build-action action.yml](https://github.com/gradle/gradle-build-action/blob/main/action.yml#L162) file to point to the newly released version of `gradle/actions/setup-gradle`.
 - Ensure that any parameters that have been added to the setup-gradle action are added to the gradle-build-action definition, and that these are passed on to setup-gradle.
 - Create and push a tag for the release.
  - From CLI: `git tag v3.1.0 && git push --tags`
 - Go to https://github.com/gradle/gradle-build-action/releases and "Draft new release"
  - Use the newly created tag and copy the tag name exactly as the release title.
  - In the release notes, point users to the gradle/actions release. Include a header informing users to switch to `gradle/actions/setup-gradle`.
 - Publish the release.
 - Force push the `v3` tag (or current major version) to point to the new release.
  - From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
 ## Release gradle/wrapper-validation-action
 During the 3.x release series, we will continue to publish parallel releases of `gradle/wrapper-validation-action`. These releases will simply delegate to `gradle/actions/wrapper-validation` with the same version.
 - Update the [wrapper-validation-action action.yml](https://github.com/gradle/wrapper-validation-action/blob/main/action.yml#L162) file to point to the newly released version of `gradle/actions/wrapper-validation`.
 - Ensure that any parameters that have been added to the `wrapper-validation` action (if any) are added to the action definition, and that these are passed on to setup-gradle.
 - Create and push a tag for the release.
  - From CLI: `git tag v3.1.0 && git push --tags`
 - Go to https://github.com/gradle/wrapper-validation-action/releases and "Draft new release"
  - Use the newly created tag and copy the tag name exactly as the release title.
  - In the release notes, point users to the gradle/actions release. Include a header informing users to switch to `gradle/actions/wrapper-validation`.
 - Publish the release.
 - Force push the `v3` tag (or current major version) to point to the new release.
  - From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
 ## Post release steps
 Submit PRs to update the GitHub starter workflow. Starter workflows contain content that should reference the Git hash of the current gradle/actions release:
-https://github.com/actions/starter-workflows has [gradle](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml) and [gradle-publish](https://github.com/actions/starter-workflows/blob/main/ci/gradle-publish.yml): see [the v2.1.4 update PR](https://github.com/actions/starter-workflows/pull/1489) for an example.
+https://github.com/actions/starter-workflows has [gradle](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml) and [gradle-publish](https://github.com/actions/starter-workflows/blob/main/ci/gradle-publish.yml): see [the v4.0.0 update PR](https://github.com/actions/starter-workflows/pull/2468) for an example.
 Submit PRs to update the GitHub documentation. The documentation contains content that should reference the Git hash of the current gradle/actions release:
-https://github.com/github/docs has [building-and-testing-java-with-gradle](https://github.com/github/docs/blob/main/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md) and [publishing-java-packages-with-gradle](https://github.com/github/docs/blob/main/content/actions/publishing-packages/publishing-java-packages-with-gradle.md) : see [the v2.1.4 update PR](https://github.com/github/docs/pull/16392) for an example.
+https://github.com/github/docs has [building-and-testing-java-with-gradle](https://github.com/github/docs/blob/main/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md) and [publishing-java-packages-with-gradle](https://github.com/github/docs/blob/main/content/actions/publishing-packages/publishing-java-packages-with-gradle.md) : see [the v4.0.0 update PR](https://github.com/github/docs/pull/34239) for an example.
--- a/17
+++ b/17
@@ -4,12 +4,10 @@ cd sources
 case "$1" in
    all)
        npm clean-install
        npm run all
        ;;
    act)
        # Build and copy outputs to the dist directory
        npm install
        npm run build
        cd ..
        cp -r sources/dist .
@@ -18,18 +16,21 @@ case "$1" in
        # Revert the changes to the dist directory
        git checkout -- dist
        ;;
    init-scripts)
        cd test/init-scripts
        ./gradlew check
        ;;
    dist)
-        npm install
+        npm clean-install
        npm run build
        cd ..
        cp -r sources/dist .
        ;;
    init-scripts)
        cd test/init-scripts
        ./gradlew check
        ;;
    install)
        npm clean-install
        npm run build
        ;;
    *)
        npm install
        npm run build
        ;;
 esac
--- a/dependency-submission/README.md
+++ b/dependency-submission/README.md
@@ -29,7 +29,7 @@ jobs:
        distribution: 'temurin'
        java-version: 17
    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 ```
 See the [full action documentation](../docs/dependency-submission.md) for more advanced usage scenarios.
--- a/dependency-submission/action.yml
+++ b/dependency-submission/action.yml
@@ -57,6 +57,20 @@ inputs:
      Configuration-cache data will not be saved/restored without an encryption key being provided.
    required: false
  cache-cleanup:
    description: |
      Specifies if the action should attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
      By default ('on-success'), cleanup is performed when all Gradle builds succeed for the Job. 
      This behaviour can be disabled ('never'), or configured to always run irrespective of the build outcome ('always').
      Valid values are 'never', 'on-success' and 'always'.
    required: false
    default: 'on-success'
  gradle-home-cache-cleanup:
    description: When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
    required: false
    deprecation-message: This input has been superceded by the 'cache-cleanup' input parameter.
  gradle-home-cache-includes:
    description: Paths within Gradle User Home to cache.
    required: false
@@ -68,11 +82,6 @@ inputs:
    description: Paths within Gradle User Home to exclude from cache.
    required: false
  gradle-home-cache-cleanup:
    description: When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
    required: false
    default: false
  # Job summary configuration
  add-job-summary:
    description: Specifies when a Job Summary should be inluded in the action results. Valid values are 'never', 'always' (default), and 'on-failure'.
@@ -99,11 +108,42 @@ inputs:
    required: false
    default: 'generate-and-submit'
  dependency-graph-report-dir:
    description: |
      Specifies where the dependency graph report will be generated. 
      Paths can relative or absolute. Relative paths are resolved relative to the workspace directory.
    required: false
    default: 'dependency-graph-reports'
  dependency-graph-continue-on-failure:
    description: When 'false' a failure to generate or submit a dependency graph will fail the Step or Job. When 'true' a warning will be emitted but no failure will result.
    required: false
    default: false
  dependency-graph-exclude-projects:
    description: |
      Gradle projects that should be excluded from dependency graph (regular expression).
      When set, any matching project will be excluded.
    required: false
  dependency-graph-include-projects:
    description: |
      Gradle projects that should be included in dependency graph (regular expression). 
      When set, only matching projects will be included.
    required: false
  dependency-graph-exclude-configurations:
    description: |
      Gradle configurations that should be included in dependency graph (regular expression). 
      When set, anymatching configurations will be excluded.
    required: false
  dependency-graph-include-configurations:
    description: |
      Gradle configurations that should be included in dependency graph (regular expression). 
      When set, only matching configurations will be included.
    required: false
  artifact-retention-days:
    description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
    required: false
@@ -133,22 +173,22 @@ inputs:
    description: The Develocity short-lived access tokens expiry in hours. Default is 2 hours.
    required: false
  # Wrapper validation configuration
  validate-wrappers:
    description: |
      When 'true' the action will automatically validate all wrapper jars found in the repository.
      If the wrapper checksums are not valid, the action will fail.
    required: false
    default: false
  allow-snapshot-wrappers:
    description: |
      When 'true', wrapper validation will include the checksums of snapshot wrapper jars. 
      Use this if you are running with nightly or snapshot versions of the Gradle wrapper.
    required: false
    default: false
  # DEPRECATED ACTION INPUTS
  build-scan-terms-of-service-url:
    description: The URL to the Build Scan® terms of use. This input must be set to 'https://gradle.com/terms-of-service'.
    required: false
    deprecation-message: The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-url' instead.
  build-scan-terms-of-service-agree:
    description: Indicate that you agree to the Build Scan® terms of use. This input value must be "yes".
    required: false
    deprecation-message: The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-agree' instead.
  generate-job-summary:
    description: When 'false', no Job Summary will be generated for the Job.
    required: false
    default: true
    deprecation-message: Superceded by the new 'add-job-summary' and 'add-job-summary-as-pr-comment' parameters.
  # EXPERIMENTAL ACTION INPUTS
  # The following action properties allow fine-grained tweaking of the action caching behaviour.
--- a/dist/dependency-submission/main/index.js
+++ b/dist/dependency-submission/main/index.js
--- a/dist/dependency-submission/main/index.js.map
+++ b/dist/dependency-submission/main/index.js.map
--- a/dist/dependency-submission/post/index.js
+++ b/dist/dependency-submission/post/index.js
--- a/dist/dependency-submission/post/index.js.map
+++ b/dist/dependency-submission/post/index.js.map
--- a/dist/setup-gradle/main/index.js
+++ b/dist/setup-gradle/main/index.js
--- a/dist/setup-gradle/main/index.js.map
+++ b/dist/setup-gradle/main/index.js.map
--- a/dist/setup-gradle/post/index.js
+++ b/dist/setup-gradle/post/index.js
--- a/dist/setup-gradle/post/index.js.map
+++ b/dist/setup-gradle/post/index.js.map
--- a/dist/wrapper-validation/main/index.js
+++ b/dist/wrapper-validation/main/index.js
--- a/dist/wrapper-validation/main/index.js.map
+++ b/dist/wrapper-validation/main/index.js.map
--- a/docs/dependency-submission.md
+++ b/docs/dependency-submission.md
@@ -13,7 +13,7 @@ The generated dependency graph includes all of the dependencies in your build, a
 for vulnerable dependencies, as well as to populate the 
 [Dependency Graph insights view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).
-If your confused by the behaviour you're seeing or have specific questions, please check out [the FAQ](dependency-submission-faq.md) before raising an issue.
+If you're confused by the behaviour you're seeing or have specific questions, please check out [the FAQ](dependency-submission-faq.md) before raising an issue.
 ## General usage
@@ -43,7 +43,7 @@ jobs:
        java-version: 17
    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 ```
 ### Gradle execution
@@ -68,7 +68,7 @@ Three input parameters are required, one to enable publishing and two more to ac
 ```yaml
    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
      with:
        build-scan-publish: true
        build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
@@ -83,7 +83,7 @@ In some cases, the default action configuration will not be sufficient, and addi
 ```yaml
    - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
      with:
        # Use a particular Gradle version instead of the configured wrapper.
        gradle-version: 8.6
@@ -102,6 +102,13 @@ In some cases, the default action configuration will not be sufficient, and addi
        # Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
        dependency-graph: generate-and-upload
        # Specify the location where dependency graph files will be generated.
        dependency-graph-report-dir: custom-report-dir
        # By default, failure to generate a dependency graph will cause the workflow to fail
        dependency-graph-continue-on-failure: true
 ```
 See the [Action Metadata file](../dependency-submission/action.yml) for a more detailed description of each input parameter.
@@ -235,26 +242,26 @@ contribute to the dependency graph.
 > These dependencies would be assigned to different scopes (eg development, runtime, testing) and the GitHub UI would make it easy to opt-in to security alerts for different dependency scopes.
 > However, this functionality does not yet exist.
-### Excluding certain Gradle projects from the dependency graph
+### Selecting Gradle projects that will contribute to the dependency graph
 If you do not want the dependency graph to include dependencies from every project in your build, 
-you can easily exclude certain projects from the dependency extraction process.
+you can easily exclude or include certain projects from the dependency extraction process.
-To restrict which Gradle subprojects contribute to the report, specify which projects to exclude via a regular expression.
+To restrict which Gradle subprojects contribute to the report, specify which projects to exclude or include via a regular expression.
-You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_PROJECTS` environment variable or system property.
+You can use the `dependency-graph-exclude-projects` and `dependency-graph-include-projects` input parameters for this purpose.
 Note that excluding a project in this way only removes dependencies that are _resolved_ as part of that project, and may
 not necessarily remove all dependencies _declared_ in that project. If another project depends on the excluded project
 then it may transitively resolve dependencies declared in the excluded project: these dependencies will still be included
 in the generated dependency graph.
-### Excluding certain Gradle configurations from the dependency graph
+### Selecting Gradle configurations that will contribute to the dependency graph
-Similarly to Gradle projects, it is possible to exclude a set of configuration instances from dependency graph generation,
+Similarly to Gradle projects, it is possible to exclude or include a set of dependency configurations from dependency graph generation,
-so that dependencies resolved by those configurations are not included.
+so that only dependencies resolved by the included configurations are reported.
-To restrict which Gradle configurations contribute to the report, specify which configurations to exclude via a regular expression.
+To restrict which Gradle configurations contribute to the report, specify which configurations to exclude or include via a regular expression.
-You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS` environment variable or system property.
+You can use the `dependency-graph-exclude-configurations` and `dependency-graph-include-configurations` input parameters for this purpose.
 Note that configuration exclusion applies to the configuration in which the dependency is _resolved_ which is not necessarily
 the configuration where the dependency is _declared_. For example if you decare a dependency as `implementation` in
@@ -262,24 +269,18 @@ a Java project, that dependency will be resolved in `compileClasspath`, `runtime
 ### Example of project and configuration filtering
-For example, if you want to exclude dependencies in the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration:
+For example, if you want to exclude dependencies resolved by the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration:
 ```yaml
    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
-      env:
+      with:
        # Exclude all dependencies that originate solely in the 'buildSrc' project
-        DEPENDENCY_GRAPH_EXCLUDE_PROJECTS: ':buildSrc'
+        dependency-graph-exclude-projects: ':buildSrc'
        # Exclude dependencies that are only resolved in test classpaths
-        DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS: '.*[Tt]est(Compile|Runtime)Classpath'
+        dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath'
 ```
 ### Other filtering options
 The [GitHub Dependency Graph Gradle Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin)
 has other filtering options that may be useful.
 See [the docs](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#filtering-which-gradle-configurations-contribute-to-the-dependency-graph) for details.
 # Advance usage scenarios
 ## Using a custom plugin repository
@@ -316,10 +317,10 @@ jobs:
        java-version: 17
    - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
    - name: Perform dependency review
-      uses: actions/dependency-review-action@v3
+      uses: actions/dependency-review-action@v4
 ```
 ## Usage with pull requests from public forked repositories
@@ -352,7 +353,7 @@ jobs:
        java-version: 17
    - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
      with:
        dependency-graph: generate-and-upload
 ```
@@ -375,7 +376,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Download and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
      with:
        dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```
@@ -402,7 +403,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: 'Dependency Review'
-      uses: actions/dependency-review-action@v3
+      uses: actions/dependency-review-action@v4
      with:
        retry-on-snapshot-warnings: true
        retry-on-snapshot-warnings-timeout: 600
@@ -418,3 +419,10 @@ Gradle versions `5.2.1`, `5.6.4`, `6.0.1`, `6.9.4`, `7.1.1` and `7.6.3`, as well
 A known exception to this is that Gradle `7.0`, `7.0.1` and `7.0.2` are not supported.
 See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
 # Additional references
 - Dependency Submission Demo repository: https://github.com/gradle/github-dependency-submission-demo
 - GitHub Dependency Graph Gradle Plugin: https://github.com/gradle/github-dependency-graph-gradle-plugin
 - Webinar - Gradle at Scale with GitHub and GitHub Actions at Allegro: https://www.youtube.com/watch?v=gV94I28FPos
--- a/docs/deprecation-upgrade-guide.md
+++ b/docs/deprecation-upgrade-guide.md
@@ -20,7 +20,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/setup-gradle@v3
+    uses: gradle/actions/setup-gradle@v4
 ```
 ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
@@ -40,7 +40,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/wrapper-validation@v3
+    uses: gradle/actions/wrapper-validation@v4
 ```
 ## Using the action to execute Gradle via the `arguments` parameter is deprecated
@@ -82,7 +82,7 @@ The exact syntax depends on whether or not your project is configured with the [
 ```
 - name: Setup Gradle
-  uses: gradle/actions/setup-gradle@v3
+  uses: gradle/actions/setup-gradle@v4
 - name: Assemble the project
  run: ./gradlew assemble
@@ -99,9 +99,9 @@ The exact syntax depends on whether or not your project is configured with the [
 ```
 - name: Setup Gradle for a non-wrapper project
-  uses: gradle/actions/setup-gradle@v3
+  uses: gradle/actions/setup-gradle@v4
  with:
-    gradle-version: 8.8
+    gradle-version: "8.11"
 - name: Assemble the project
  run: gradle assemble
@@ -148,3 +148,15 @@ These deprecated build-scan parameters are scheduled to be removed in `setup-gra
 Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1.
 In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens.
 If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible.
 ## The `gradle-home-cache-cleanup` input parameter has been replaced by `cache-cleanup`
 In versions of the action prior to `v4`, the boolean `gradle-home-cache-cleanup` parameter allows users to opt-in 
 to cache cleanup, removing unused files in Gradle User Home prior to saving to the cache.
 With `v4`, cache-cleanup is enabled by default, and controlled by the `cache-cleanup` input parameter.
 To remove this deprecation:
 - If you are using `gradle-home-cache-cleanup: true` in your workflow, you can remove this option as this is now enabled by default.
 - If you want cache-cleanup to run even when a Gradle build fails, then add the `cache-cleanup: always` input.
 - If cache-cleanup is causing problems with your workflow, you can disable it with `cache-cleanup: never`.
--- a/docs/setup-gradle.md
+++ b/docs/setup-gradle.md
@@ -45,7 +45,7 @@ jobs:
        java-version: 17
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
    - name: Execute Gradle build
      run: ./gradlew build
@@ -57,11 +57,11 @@ The `setup-gradle` action can download and install a specified Gradle version, a
 Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid having to download them again later.
 ```yaml
- - name: Setup Gradle 8.5
+ - name: Setup Gradle 8.10
-   uses: gradle/actions/setup-gradle@v3
+   uses: gradle/actions/setup-gradle@v4
   with:
-     gradle-version: 8.5
+     gradle-version: "8.10" # Quotes required to prevent YAML converting to number
-  - name: Build with Gradle 8.5
+  - name: Build with Gradle 8.10
    run: gradle build
 ```
@@ -96,7 +96,7 @@ jobs:
        distribution: temurin
        java-version: 17
-    - uses: gradle/actions/setup-gradle@v3
+    - uses: gradle/actions/setup-gradle@v4
      id: setup-gradle
      with:
        gradle-version: release-candidate
@@ -127,6 +127,8 @@ cache-disabled: true
 By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
 Jobs on other branches will read entries from the cache but will not write updated entries.
 This setup is designed around [GitHub imposed restrictions on cache access](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) and should work well in most scenarios.
 See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.
 In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
@@ -153,9 +155,32 @@ In certain circumstances it may be desirable to start with a clean Gradle User H
 cache-write-only: true
 ```
 ### Configuring cache cleanup
 The Gradle User Home directory tends to grow over time. When you switch to a new Gradle wrapper version 
 or upgrade a dependency version the old files are not automatically and immediately removed. 
 While this can make sense in a local environment, in a GitHub Actions environment
 it can lead to ever-larger Gradle User Home cache entries being saved and restored.
 To avoid this situation, the `setup-gradle` and `dependency-submission` actions will perform "cache-cleanup", 
 purging any unused files from the Gradle User Home before saving it to the GitHub Actions cache. 
 Cache cleanup will attempt to remove any files that are initially restored to the Gradle User Home directory 
 but that are not used used by Gradle during the GitHub Actions Workflow.
 If a Gradle build fails when running the Job, then it is possible that some required files and dependencies 
 will not be touched during the Job. To prevent these files from being purged, the default behavior is for 
 cache cleanup to run only when all Gradle builds in the Job are successful.
 Gradle Home cache cleanup is enabled by default, and can be controlled by the `cache-cleanup` parameter as follows:
 - `cache-cleanup: always`: Always run cache cleanup, even when a Gradle build fails in the Job.
 - `cache-cleanup: on-success` (default): Run cache cleanup when the Job contains no failing Gradle builds.
 - `cache-cleanup: never`: Disable cache cleanup for the Job.
 Cache cleanup will never run when the cache is configured as read-only or disabled.
 ### Overwriting an existing Gradle User Home
-When the action detects that the Gradle User Home caches directory already exists (`~/.gradle/caches`), then by default it will not overwrite the existing content of this directory.
+When the action detects that the Gradle User Home caches directory already exists (`$GRADLE_USER_HOME/caches`), then by default it will not overwrite the existing content of this directory.
 This can occur when a prior action initializes this directory, or when using a self-hosted runner that retains this directory between uses.
 In this case, the Job Summary will display a message like:
@@ -173,6 +198,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
 in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
 secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
 > [!IMPORTANT]
 > To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
 To benefit from configuration caching in your GitHub Actions workflow, you must:
 - Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
 - Enable the configuration cache for your build.
@@ -190,14 +218,17 @@ jobs:
        distribution: temurin
        java-version: 17
-    - uses: gradle/actions/setup-gradle@v3
+    - uses: gradle/actions/setup-gradle@v4
      with:
        gradle-version: 8.6
        cache-encryption-key: ${{ secrets.GradleEncryptionKey }}
    - run: gradle build --configuration-cache
 ```
-> [!IMPORTANT]
+Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
 This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
 > [!NOTE]
 > The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
 > This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
 > This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@@ -218,7 +249,7 @@ Using either of these mechanisms may interfere with the caching provided by this
 The GitHub Actions cache has some properties that present problems for efficient caching of the Gradle User Home.
 - Immutable entries: once a cache entry is written for a key, it cannot be overwritten or changed.
- Branch scope: cache entries written for a Git branch are not visible from actions running against different branches. Entries written for the default branch are visible to all. https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
+- Branch scope: cache entries written for a Git branch are not visible from actions running against different branches or tags. Entries written for the default branch are visible to all. https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
 - Restore keys: if no exact match is found, a set of partial keys can be provided that will match by cache key prefix. https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key
 Each of these properties has influenced the design and implementation of the caching in `setup-gradle`, as described below.
@@ -316,8 +347,8 @@ Some techniques can be used to avoid/mitigate this issue:
 ### Select which branches should write to the cache
-GitHub cache entries are not shared between builds on different branches.
+GitHub cache entries are not shared between builds on different branches or tags.
-Workflow runs can restore caches created in either the current branch or the default branch (usually main).
+Workflow runs can _only_ restore caches created in either the same branch or the default branch (usually `main`).
 This means that each branch will have its own Gradle User Home cache scope, and will not benefit from cache entries written for other (non-default) branches.
 By default, The `setup-gradle` action will only _write_ to the cache for builds run on the default (`master`/`main`) branch.
@@ -356,20 +387,6 @@ gradle-home-cache-excludes: |
 You can specify any number of fixed paths or patterns to include or exclude.
 File pattern support is documented at https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#patterns-to-match-file-paths.
 ### Remove unused files from Gradle User Home before saving to the cache
 The Gradle User Home directory tends to grow over time. When you switch to a new Gradle wrapper version or upgrade a dependency version
 the old files are not automatically and immediately removed. While this can make sense in a local environment, in a GitHub Actions environment
 it can lead to ever-larger Gradle User Home cache entries being saved and restored.
 To avoid this situation, The `setup-gradle` action supports the `gradle-home-cache-cleanup` parameter.
 When enabled, this feature will attempt to delete any files in the Gradle User Home that were not used by Gradle during the GitHub Actions Workflow, before saving the Gradle User Home to the GitHub Actions cache.
 Gradle Home cache cleanup is considered experimental and is disabled by default.  You can enable this feature for the action as follows:
 ```yaml
 gradle-home-cache-cleanup: true
 ```
 ### Disable local build-cache when remote build-cache is available
 If you have a remote build-cache available for your build, then it is recommended to do the following:
@@ -446,7 +463,7 @@ jobs:
        java-version: 17
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure'
@@ -483,17 +500,17 @@ jobs:
        java-version: 17
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
    - name: Run build with Gradle wrapper
      run: ./gradlew build --scan
    - name: Upload build reports
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: build-reports
-        path: build/reports/
+        path: **/build/reports/
 ```
 ### Use of custom init-scripts in Gradle User Home
@@ -506,14 +523,30 @@ Since Gradle applies init scripts in alphabetical order, one way to ensure this
 ## Gradle Wrapper validation
-Instead of using the [wrapper-validation action](./wrapper-validation.md) separately, you can enable
+By default, this action will perform the same wrapper validation as is performed by the dedicated 
-wrapper validation directly in your Setup Gradle step.
+[wrapper-validation action](./wrapper-validation.md). 
 This means that invalid wrapper jars will be automatically detected when using `setup-gradle`. 
 If you do not want wrapper-validation to occur automatically, you can disable it:
 ```yaml
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        validate-wrappers: false
 ```
 If your repository uses snapshot versions of the Gradle wrapper, such as nightly builds, then you'll need to 
 explicitly allow snapshot wrappers in wrapper validation.
 These are not allowed by default.
 ```yaml
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@v4
      with:
        validate-wrappers: true
        allow-snapshot-wrappers: true
 ```
 If you need more advanced configuration, then you're advised to continue using a separate workflow step
@@ -575,7 +608,7 @@ jobs:
        java-version: 17
    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        dependency-graph: generate-and-submit
    - name: Run the usual CI build (dependency-graph will be generated and submitted post-job)
@@ -602,7 +635,7 @@ graph cannot be generated or submitted. You can enable this behavior with the `d
 ```yaml
 # Ensure that the workflow Job will fail if the dependency graph cannot be submitted
- uses: gradle/actions/setup-gradle@v3
+- uses: gradle/actions/setup-gradle@v4
  with:
    dependency-graph: generate-and-submit
    dependency-graph-continue-on-failure: false
@@ -627,7 +660,7 @@ jobs:
        java-version: 17
    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        dependency-graph: generate-and-submit
    - name: Run a build, resolving the 'dependency-graph' plugin from the plugin portal proxy
@@ -657,7 +690,7 @@ jobs:
        java-version: 17
    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        dependency-graph: generate-and-submit
    - name: Build the app, generating a graph of dependencies required
@@ -693,20 +726,112 @@ To reduce storage costs for these artifacts, you can set the `artifact-retention
 ```yaml
    - name: Generate dependency graph, but only retain artifact for one day
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        dependency-graph: generate
        artifact-retention-days: 1
 ```
-# Develocity plugin injection
+# Develocity Build Scan® integration
-The `setup-gradle` action provides support for injecting and configuring the Develocity Gradle plugin into any Gradle build, without any modification to the project sources.
+Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
-This is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
+detailed report of the execution of the build, including which tasks were executed and the results of any test execution.
 The `setup-gradle` plugin provides a number of features to enable and enhance publishing Build Scans® to a Develocity instance.
 ## Publishing to scans.gradle.com
 If you don't have a a private Develocity instance, you can easily publish Build Scans to the 
 free, public Develocity instance (https://scans.gradle.com).
 To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use).
 ```yaml
    - name: Setup Gradle to publish build scans
      uses: gradle/actions/setup-gradle@v4
      with:
        build-scan-publish: true
        build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
        build-scan-terms-of-use-agree: "yes"
    - name: Run a Gradle build - a build scan will be published automatically
      run: ./gradlew build
 ```
 ## Managing Develocity access keys
 Develocity access keys are long-lived, creating risks if they are leaked. To mitigate this risk this, 
 the `setup-gradle` action can automatically attempt to obtain a [short-lived access token](https://docs.gradle.com/develocity/gradle-plugin/current/#short_lived_access_tokens)
 to use when authenticating with Develocity. 
 The short-lived access token will then be used wherever a Develocity access key is required.
 ```yaml
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@v4
      with:
        develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }} # Long-lived access key, visiblility is restricted to this step.
    # Subsequent steps will automatically use a short-lived access token to authenticate with Develocity
    - name: Run a Gradle build that is configured to publish to Develocity.
      run: ./gradlew build
 ```
 ### Increasing the expiry time for Develocity access tokens
 By default, a short-lived Develocity access token will be valid for 2 hours from the time it is generated. If your workflows take longer than
 2 hours to complete, you may see failure to publish Build Scans due to access token expiry.
 To avoid this, use the `develocity-token-expiry` parameter to specify a different token expiry in hours.
 ```yaml
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@v4
      with:
        develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
        develocity-token-expiry: 8 # The number of hours that the access token should remain valid (max 24).
 ```
 ### Develocity access key supplied as environment variable
 The preferred mechanism is to supply the long-lived Develocity access key directly to `setup-gradle` via 
 the `develocity-access-key` input variable. However, the action will also detect an access key configured as an environment variable,
 such as `DEVELOCITY_ACCESS_KEY` or `GRADLE_ENTERPRISE_ACCESS_KEY`. In this case, the environment variable value will be replaced by 
 a short-lived access token, thus hiding the long-lived access key from subsequent steps.
 ```yaml
 env:
  DEVELOCITY_ACCESS_KEY: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
 jobs:
  build-with-gradle:
    runs-on: ubuntu-latest
    steps:
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@v4
    # The build will automatically use a short-lived access token to authenticate with Develocity
    - name: Run a Gradle build that is configured to publish to Develocity.
      run: ./gradlew build
 ```
 ### Failure to obtain a short-lived access token
 If a short-lived token cannot be retrieved (for example, if the Develocity server version is lower than `2024.1`):
 - If the access key is provided via `develocity-access-key`, then no access token is set and authentication with Develocity will not succeed.
 - If the access key is provided via an environment variable, a warning will be logged and the environment variable will be left as-is. 
   This can result in long-lived access keys being unintentionally exposed to other workflow steps.
 For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
 ## Develocity plugin injection
 The `setup-gradle` action provides support for transparently injecting and configuring the Develocity Gradle plugin into any Gradle build, 
 without any modification to the project sources. This allows Build Scans to be published for a repository without any changes to the project sources.
 Develocity injection is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
 The same auto-injection behavior is available for the Common Custom User Data Gradle plugin, which enriches any build scans published with additional useful information.
-## Enabling Develocity injection
+### Enabling Develocity injection
 To enable Develocity injection for your build, you must provide the required configuration via inputs.
@@ -714,7 +839,7 @@ Here's a minimal example:
 ```yaml
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        develocity-injection-enabled: true
        develocity-url: https://develocity.your-server.com
@@ -724,14 +849,14 @@ Here's a minimal example:
      run: ./gradlew build
 ```
-This configuration will automatically apply `v3.17.5` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.19` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
 ```yaml
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
      with:
        develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
@@ -745,14 +870,7 @@ In the likely scenario that your Develocity server requires authentication, you
 This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable.
-### Short-lived access tokens
+### Configuring Develocity injection
 Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them.
 If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`):
 - if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning
 - otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
 For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
 ## Configuring Develocity injection
 The `init-script` supports several additional configuration parameters that you may find useful. All configuration options (required and optional) are detailed below:
@@ -789,31 +907,32 @@ Here's an example using the env vars:
 ```yaml
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
    - name: Run a Gradle build with Develocity injection enabled with environment variables
      run: ./gradlew build
      env:
        DEVELOCITY_INJECTION_ENABLED: true
        DEVELOCITY_URL: https://develocity.your-server.com
-        DEVELOCITY_PLUGIN_VERSION: 3.17.5
+        DEVELOCITY_ENFORCE_URL: true
        DEVELOCITY_PLUGIN_VERSION: "3.19"
        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.0.2"
 ```
-## Publishing to scans.gradle.com
+# Dependency verification
-Develocity injection is designed to enable the publishing of build scans to a Develocity instance,
+Develocity injection, Build Scan publishing and Dependency Graph generation all work by applying external plugins to your build.
-but is also useful for publishing to the public Build Scans instance (https://scans.gradle.com).
+If you project has [dependency verification enabled](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verification), 
 then you'll need to update your verification metadata to trust these plugins.
-To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use).
+Each of the plugins is signed by Gradle, and you can simply add the following snippet to your `dependency-verificaton.xml` file:
-```yaml
+```xml
-    - name: Setup Gradle to publish build scans
+<trusted-keys>
-      uses: gradle/actions/setup-gradle@v3
+   <trusted-key id="7B79ADD11F8A779FE90FD3D0893A028475557671">
-      with:
+      <trusting group="com.gradle"/>
-        build-scan-publish: true
+      <trusting group="org.gradle"/>
-        build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
+   </trusted-key>
-        build-scan-terms-of-use-agree: "yes"
+</trusted-keys>
    - name: Run a Gradle build - a build scan will be published automatically
      run: ./gradlew build
 ```
--- a/docs/wrapper-validation.md
+++ b/docs/wrapper-validation.md
@@ -4,6 +4,12 @@ This action validates the checksums of _all_ [Gradle Wrapper](https://docs.gradl
 The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
 > [!NOTE]
 > Starting with v4 the `setup-gradle` action will automatically [perform wrapper validation](../docs/setup-gradle.md#gradle-wrapper-validation)
 > on each execution.
 > 
 > If you are using `setup-gradle` in your workflows, it is unlikely that you will need to use the `wrapper-validation` action.
 ## The Gradle Wrapper Problem in Open Source
 The `gradle-wrapper.jar` is a binary blob of executable code that is checked into nearly
@@ -44,7 +50,7 @@ We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/
 Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
 ```yaml
-uses: gradle/actions/wrapper-validation@v3
+uses: gradle/actions/wrapper-validation@v4
 ```
 This action step should precede any step using `gradle/gradle-build-action` or `gradle/actions/setup-gradle`.
@@ -67,7 +73,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v3
+      - uses: gradle/actions/wrapper-validation@v4
 ```
 ## Contributing to an external GitHub Repository
@@ -90,18 +96,34 @@ We recommend the message commit contents of:
 From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
-## Reporting Failures
+## Validation Failures
-If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
+A wrapper jar can fail validation for a few reasons:
 1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
   or `allow-snapshot-wrappers` to `true`.
 2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
 3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
 4. The wrapper jar was not published by Gradle, and could be compromised.
 If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
-**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
+#### Unverifiable Wrapper Jars
 Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. If you have a validation failure, you should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
-If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
+- If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
 - If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
-If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
+#### Wrapper Jar stored with Git LFS
-and one of our valid release, you can compare them using this online utility: [diffoscope](https://try.diffoscope.org/).
+If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
-Regardless of what you find, we still kindly request that you reach out to us and let us know.
+restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
 ```
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true  # gradle-wrapper.jar verification will fail without this
 ```
 ## Resources
--- a/setup-gradle/README.md
+++ b/setup-gradle/README.md
@@ -26,7 +26,7 @@ jobs:
        distribution: 'temurin'
        java-version: 17
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
    - name: Build with Gradle
      run: ./gradlew build
 ```
--- a/setup-gradle/action.yml
+++ b/setup-gradle/action.yml
@@ -40,6 +40,20 @@ inputs:
      Configuration-cache data will not be saved/restored without an encryption key being provided.
    required: false
  cache-cleanup:
    description: |
      Specifies if the action should attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
      By default ('on-success'), cleanup is performed when all Gradle builds succeed for the Job. 
      This behaviour can be disabled ('never'), or configured to always run irrespective of the build outcome ('always').
      Valid values are 'never', 'on-success' and 'always'.
    required: false
    default: 'on-success'
  gradle-home-cache-cleanup:
    description: When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
    required: false
    deprecation-message: This input has been superceded by the 'cache-cleanup' input parameter.
  gradle-home-cache-includes:
    description: Paths within Gradle User Home to cache.
    required: false
@@ -51,11 +65,6 @@ inputs:
    description: Paths within Gradle User Home to exclude from cache.
    required: false
  gradle-home-cache-cleanup:
    description: When 'true', the action will attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
    required: false
    default: false
  # Job summary configuration
  add-job-summary:
    description: Specifies when a Job Summary should be inluded in the action results. Valid values are 'never', 'always' (default), and 'on-failure'.
@@ -71,15 +80,46 @@ inputs:
  dependency-graph:
    description: |
      Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
-      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', 'download-and-submit' and 'clear'.
+      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', and 'download-and-submit'.
    required: false
    default: 'disabled'
  dependency-graph-report-dir:
    description: |
      Specifies where the dependency graph report will be generated. 
      Paths can relative or absolute. Relative paths are resolved relative to the workspace directory.
    required: false
    default: 'dependency-graph-reports'
  dependency-graph-continue-on-failure:
    description: When 'false' a failure to generate or submit a dependency graph will fail the Step or Job. When 'true' a warning will be emitted but no failure will result.
    required: false
    default: true
  dependency-graph-exclude-projects:
    description: |
      Gradle projects that should be excluded from dependency graph (regular expression).
      When set, any matching project will be excluded.
    required: false
  dependency-graph-include-projects:
    description: |
      Gradle projects that should be included in dependency graph (regular expression). 
      When set, only matching projects will be included.
    required: false
  dependency-graph-exclude-configurations:
    description: |
      Gradle configurations that should be included in dependency graph (regular expression). 
      When set, anymatching configurations will be excluded.
    required: false
  dependency-graph-include-configurations:
    description: |
      Gradle configurations that should be included in dependency graph (regular expression). 
      When set, only matching configurations will be included.
    required: false
  artifact-retention-days:
    description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
    required: false
@@ -151,37 +191,23 @@ inputs:
  # Wrapper validation configuration
  validate-wrappers:
    description: |
-      When 'true', the action will perform the 'wrapper-validation' action automatically.
+      When 'true' (the default) the action will automatically validate all wrapper jars found in the repository.
      If the wrapper checksums are not valid, the action will fail.
    required: false
    default: true
  allow-snapshot-wrappers:
    description: |
      When 'true', wrapper validation will include the checksums of snapshot wrapper jars. 
      Use this if you are running with nightly or snapshot versions of the Gradle wrapper.
    required: false
    default: false
  # DEPRECATED ACTION INPUTS
  build-scan-terms-of-service-url:
    description: The URL to the Build Scan® terms of use. This input must be set to 'https://gradle.com/terms-of-service'.
    required: false
    deprecation-message: The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-url' instead.
  build-scan-terms-of-service-agree:
    description: Indicate that you agree to the Build Scan® terms of use. This input value must be "yes".
    required: false
    deprecation-message: The input has been renamed to align with the Develocity API. Use 'build-scan-terms-of-use-agree' instead.
  generate-job-summary:
    description: When 'false', no Job Summary will be generated for the Job.
    required: false
    default: true
    deprecation-message: Superceded by the new 'add-job-summary' and 'add-job-summary-as-pr-comment' parameters.
  arguments:
    description: Gradle command line arguments (supports multi-line input)
    required: false
-    deprecation-message: Using the action to execute Gradle directly is deprecated in favor of using the action to setup Gradle, and executing Gradle in a subsequent Step.
+    deprecation-message: This parameter has been deprecated and removed. It is only left here to allow for better reporting to assist users to migrate.
  build-root-directory:
    description: Path to the root directory of the build. Default is the root of the GitHub workspace.
    required: false
    deprecation-message: Using the action to execute Gradle directly is deprecated in favor of using the action to setup Gradle, and executing Gradle in a subsequent Step.
  # EXPERIMENTAL ACTION INPUTS
  # The following action properties allow fine-grained tweaking of the action caching behaviour.
--- a/sources/.tool-versions
+++ b/sources/.tool-versions
@@ -1,3 +1,3 @@
 # Configuration file for asdf version manager
 nodejs 20.10.0
-gradle 8.8
+gradle 8.11.1
--- a/sources/package-lock.json
+++ b/sources/package-lock.json
--- a/sources/package.json
+++ b/sources/package.json
@@ -8,11 +8,11 @@
    "prettier-write": "prettier --write 'src/**/*.ts'",
    "prettier-check": "prettier --check 'src/**/*.ts'",
    "lint": "eslint 'src/**/*.ts'",
-    "compile-dependency-submission-main": "ncc build src/dependency-submission/main.ts --out dist/dependency-submission/main --source-map --no-source-map-register",
+    "compile-dependency-submission-main": "ncc build src/actions/dependency-submission/main.ts --out dist/dependency-submission/main --source-map --no-source-map-register",
-    "compile-dependency-submission-post": "ncc build src/dependency-submission/post.ts --out dist/dependency-submission/post --source-map --no-source-map-register",
+    "compile-dependency-submission-post": "ncc build src/actions/dependency-submission/post.ts --out dist/dependency-submission/post --source-map --no-source-map-register",
-    "compile-setup-gradle-main": "ncc build src/setup-gradle/main.ts --out dist/setup-gradle/main --source-map --no-source-map-register",
+    "compile-setup-gradle-main": "ncc build src/actions/setup-gradle/main.ts --out dist/setup-gradle/main --source-map --no-source-map-register",
-    "compile-setup-gradle-post": "ncc build src/setup-gradle/post.ts --out dist/setup-gradle/post --source-map --no-source-map-register",
+    "compile-setup-gradle-post": "ncc build src/actions/setup-gradle/post.ts --out dist/setup-gradle/post --source-map --no-source-map-register",
-    "compile-wrapper-validation-main": "ncc build src/wrapper-validation/main.ts --out dist/wrapper-validation/main --source-map --no-source-map-register",
+    "compile-wrapper-validation-main": "ncc build src/actions/wrapper-validation/main.ts --out dist/wrapper-validation/main --source-map --no-source-map-register",
    "compile": "npm-run-all --parallel compile-*",
    "check": "npm-run-all --parallel prettier-check lint",
    "format": "npm-run-all --parallel prettier-write lint",
@@ -32,38 +32,40 @@
  ],
  "license": "MIT",
  "dependencies": {
-    "@actions/artifact": "2.1.4",
+    "@actions/artifact": "2.1.11",
-    "@actions/cache": "3.2.4",
+    "@actions/cache": "4.0.0",
-    "@actions/core": "1.10.1",
+    "@actions/core": "1.11.1",
    "@actions/exec": "1.1.1",
    "@actions/github": "6.0.0",
-    "@actions/glob": "0.4.0",
+    "@actions/glob": "0.5.0",
-    "@actions/http-client": "2.2.1",
+    "@actions/http-client": "2.2.3",
    "@actions/tool-cache": "2.0.1",
-    "@octokit/rest": "20.1.0",
+    "@octokit/rest": "21.0.2",
-    "@octokit/webhooks-types": "7.5.0",
+    "@octokit/webhooks-types": "7.6.1",
-    "semver": "7.6.0",
+    "cheerio": "^1.0.0",
    "semver": "7.6.3",
    "string-argv": "0.3.2",
-    "typed-rest-client": "1.8.11",
+    "typed-rest-client": "2.1.0",
-    "unhomoglyph": "1.0.6"
+    "unhomoglyph": "1.0.6",
    "which": "5.0.0"
  },
  "devDependencies": {
-    "@types/jest": "29.5.12",
+    "@types/jest": "29.5.14",
-    "@types/node": "20.12.4",
+    "@types/node": "20.17.10",
-    "@types/unzipper": "0.10.9",
+    "@types/unzipper": "0.10.10",
-    "@typescript-eslint/parser": "7.5.0",
+    "@types/which": "3.0.4",
-    "@vercel/ncc": "0.38.1",
+    "@typescript-eslint/parser": "7.18.0",
-    "eslint": "8.57.0",
+    "@vercel/ncc": "0.38.3",
-    "eslint-plugin-github": "4.10.2",
+    "eslint": "8.57.1",
-    "eslint-plugin-jest": "27.9.0",
+    "eslint-plugin-github": "5.1.4",
-    "eslint-plugin-prettier": "5.1.3",
+    "eslint-plugin-jest": "28.9.0",
    "jest": "29.7.0",
    "js-yaml": "4.1.0",
    "nock": "13.5.6",
    "npm-run-all": "4.1.5",
    "patch-package": "8.0.0",
-    "prettier": "3.2.5",
+    "prettier": "3.4.2",
-    "ts-jest": "29.1.2",
+    "ts-jest": "29.2.5",
-    "typescript": "5.4.3",
+    "typescript": "5.7.2"
    "nock": "13.5.4"
  }
 }
--- a/sources/patches/@actions+cache+3.2.4.patch
+++ b/sources/patches/@actions+cache+3.2.4.patch
@@ -1,113 +0,0 @@
 diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
 index 4658366..b796e58 100644
 --- a/node_modules/@actions/cache/lib/cache.d.ts
 +++ b/node_modules/@actions/cache/lib/cache.d.ts
@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
  * @returns string returns the key for the cache hit, otherwise returns undefined
  */
 -export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
 +export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
 /**
  * Saves a list of files with the specified key
  *
@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
  * @param options cache upload options
  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
  */
 -export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
 +export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
 +
 +// PATCHED: Add `CacheEntry` as return type for save/restore functions
 +// This allows us to track and report on cache entry sizes.
 +export declare class CacheEntry {
 +    key: string;
 +    size?: number;
 +    constructor(key: string, size?: number);
 +}
 diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
 index 9d636aa..a176bd7 100644
 --- a/node_modules/@actions/cache/lib/cache.js
 +++ b/node_modules/@actions/cache/lib/cache.js
@@ -127,18 +127,21 @@ function restoreCache(paths, primaryKey, restoreKeys, options, enableCrossOsArch
             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
             core.info('Cache restored successfully');
 -            return cacheEntry.cacheKey;
 -        }
 -        catch (error) {
 -            const typedError = error;
 -            if (typedError.name === ValidationError.name) {
 -                throw error;
 -            }
 -            else {
 -                // Supress all non-validation cache related errors because caching should be optional
 -                core.warning(`Failed to restore: ${error.message}`);
 -            }
 +
 +            // PATCHED - Return more inforamtion about restored entry
 +            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
         }
 +        // PATCHED - propagate errors
 +        // catch (error) {
 +        //     const typedError = error;
 +        //     if (typedError.name === ValidationError.name) {
 +        //         throw error;
 +        //     }
 +        //     else {
 +        //         // Supress all non-validation cache related errors because caching should be optional
 +        //         core.warning(`Failed to restore: ${error.message}`);
 +        //     }
 +        // }
         finally {
             // Try to delete the archive to save space
             try {
@@ -206,19 +209,23 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
             }
             core.debug(`Saving Cache (ID: ${cacheId})`);
             yield cacheHttpClient.saveCache(cacheId, archivePath, options);
 +
 +            // PATCHED - Return more inforamtion about saved entry
 +            return new CacheEntry(key, archiveFileSize);
         }
 -        catch (error) {
 -            const typedError = error;
 -            if (typedError.name === ValidationError.name) {
 -                throw error;
 -            }
 -            else if (typedError.name === ReserveCacheError.name) {
 -                core.info(`Failed to save: ${typedError.message}`);
 -            }
 -            else {
 -                core.warning(`Failed to save: ${typedError.message}`);
 -            }
 -        }
 +        // PATCHED - propagate errors
 +        // catch (error) {
 +        //     const typedError = error;
 +        //     if (typedError.name === ValidationError.name) {
 +        //         throw error;
 +        //     }
 +        //     else if (typedError.name === ReserveCacheError.name) {
 +        //         core.info(`Failed to save: ${typedError.message}`);
 +        //     }
 +        //     else {
 +        //         core.warning(`Failed to save: ${typedError.message}`);
 +        //     }
 +        // }
         finally {
             // Try to delete the archive to save space
             try {
@@ -232,4 +239,11 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
     });
 }
 exports.saveCache = saveCache;
 +class CacheEntry {
 +    constructor(key, size) {
 +        this.key = key;
 +        this.size = size;
 +    }
 +}
 +exports.CacheEntry = CacheEntry;
 //# sourceMappingURL=cache.js.map
 \ No newline at end of file
--- a/sources/patches/@actions+cache+4.0.0.patch
+++ b/sources/patches/@actions+cache+4.0.0.patch
@@ -0,0 +1,183 @@
 diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
 index ef0928b..4e2f570 100644
 --- a/node_modules/@actions/cache/lib/cache.d.ts
 +++ b/node_modules/@actions/cache/lib/cache.d.ts
@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
  * @returns string returns the key for the cache hit, otherwise returns undefined
  */
 -export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
 +export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
 /**
  * Saves a list of files with the specified key
  *
@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
  * @param options cache upload options
  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
  */
 -export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
 +export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
 +
 +// PATCHED: Add `CacheEntry` as return type for save/restore functions
 +// This allows us to track and report on cache entry sizes.
 +export declare class CacheEntry {
 +    key: string;
 +    size?: number;
 +    constructor(key: string, size?: number);
 +}
 \ No newline at end of file
 diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
 index 45201b6..2654e4b 100644
 --- a/node_modules/@actions/cache/lib/cache.js
 +++ b/node_modules/@actions/cache/lib/cache.js
@@ -154,18 +154,21 @@ function restoreCacheV1(paths, primaryKey, restoreKeys, options, enableCrossOsAr
             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
             core.info('Cache restored successfully');
 -            return cacheEntry.cacheKey;
 -        }
 -        catch (error) {
 -            const typedError = error;
 -            if (typedError.name === ValidationError.name) {
 -                throw error;
 -            }
 -            else {
 -                // Supress all non-validation cache related errors because caching should be optional
 -                core.warning(`Failed to restore: ${error.message}`);
 -            }
 +
 +            // PATCHED - Include size of restored entry
 +            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
         }
 +            // PATCHED - propagate errors
 +            // catch (error) {
 +            //     const typedError = error;
 +            //     if (typedError.name === ValidationError.name) {
 +            //         throw error;
 +            //     }
 +            //     else {
 +            //         // Supress all non-validation cache related errors because caching should be optional
 +            //         core.warning(`Failed to restore: ${error.message}`);
 +            //     }
 +            // }
         finally {
             // Try to delete the archive to save space
             try {
@@ -232,18 +235,21 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
             }
             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
             core.info('Cache restored successfully');
 -            return response.matchedKey;
 -        }
 -        catch (error) {
 -            const typedError = error;
 -            if (typedError.name === ValidationError.name) {
 -                throw error;
 -            }
 -            else {
 -                // Supress all non-validation cache related errors because caching should be optional
 -                core.warning(`Failed to restore: ${error.message}`);
 -            }
 +
 +            // PATCHED - Include size of restored entry
 +            return new CacheEntry(response.matchedKey, archiveFileSize);;
         }
 +            // PATCHED - propagate errors
 +            // catch (error) {
 +            //     const typedError = error;
 +            //     if (typedError.name === ValidationError.name) {
 +            //         throw error;
 +            //     }
 +            //     else {
 +            //         // Supress all non-validation cache related errors because caching should be optional
 +            //         core.warning(`Failed to restore: ${error.message}`);
 +            //     }
 +            // }
         finally {
             try {
                 if (archivePath) {
@@ -334,19 +340,23 @@ function saveCacheV1(paths, key, options, enableCrossOsArchive = false) {
             }
             core.debug(`Saving Cache (ID: ${cacheId})`);
             yield cacheHttpClient.saveCache(cacheId, archivePath, '', options);
 +
 +            // PATCHED - Include size of saved entry
 +            return new CacheEntry(key, archiveFileSize);
         }
 -        catch (error) {
 -            const typedError = error;
 -            if (typedError.name === ValidationError.name) {
 -                throw error;
 -            }
 -            else if (typedError.name === ReserveCacheError.name) {
 -                core.info(`Failed to save: ${typedError.message}`);
 -            }
 -            else {
 -                core.warning(`Failed to save: ${typedError.message}`);
 -            }
 -        }
 +            // PATCHED - propagate errors
 +            // catch (error) {
 +            //     const typedError = error;
 +            //     if (typedError.name === ValidationError.name) {
 +            //         throw error;
 +            //     }
 +            //     else if (typedError.name === ReserveCacheError.name) {
 +            //         core.info(`Failed to save: ${typedError.message}`);
 +            //     }
 +            //     else {
 +            //         core.warning(`Failed to save: ${typedError.message}`);
 +            //     }
 +            // }
         finally {
             // Try to delete the archive to save space
             try {
@@ -422,19 +432,23 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
                 throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`);
             }
             cacheId = parseInt(finalizeResponse.entryId);
 +
 +            // PATCHED - Include size of saved entry
 +            return new CacheEntry(key, archiveFileSize);
         }
 -        catch (error) {
 -            const typedError = error;
 -            if (typedError.name === ValidationError.name) {
 -                throw error;
 -            }
 -            else if (typedError.name === ReserveCacheError.name) {
 -                core.info(`Failed to save: ${typedError.message}`);
 -            }
 -            else {
 -                core.warning(`Failed to save: ${typedError.message}`);
 -            }
 -        }
 +            // PATCHED - propagate errors
 +            // catch (error) {
 +            //     const typedError = error;
 +            //     if (typedError.name === ValidationError.name) {
 +            //         throw error;
 +            //     }
 +            //     else if (typedError.name === ReserveCacheError.name) {
 +            //         core.info(`Failed to save: ${typedError.message}`);
 +            //     }
 +            //     else {
 +            //         core.warning(`Failed to save: ${typedError.message}`);
 +            //     }
 +            // }
         finally {
             // Try to delete the archive to save space
             try {
@@ -447,4 +461,11 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
         return cacheId;
     });
 }
 +// PATCHED - CacheEntry class
 +class CacheEntry {
 +    constructor(key, size) {
 +        this.key = key;
 +        this.size = size;
 +    }
 +}
 //# sourceMappingURL=cache.js.map
 \ No newline at end of file
--- a/sources/src/actions/dependency-submission/main.ts
+++ b/sources/src/actions/dependency-submission/main.ts
@@ -1,6 +1,7 @@
-import * as setupGradle from '../setup-gradle'
+import * as core from '@actions/core'
-import * as gradle from '../execution/gradle'
+import * as setupGradle from '../../setup-gradle'
-import * as dependencyGraph from '../dependency-graph'
+import * as gradle from '../../execution/gradle'
 import * as dependencyGraph from '../../dependency-graph'
 import {parseArgsStringToArgv} from 'string-argv'
 import {
@@ -9,10 +10,11 @@ import {
    DependencyGraphConfig,
    DependencyGraphOption,
    GradleExecutionConfig,
-    setActionId
+    setActionId,
-} from '../configuration'
+    WrapperValidationConfig
-import {saveDeprecationState} from '../deprecation-collector'
+} from '../../configuration'
-import {handleMainActionError} from '../errors'
+import {saveDeprecationState} from '../../deprecation-collector'
 import {handleMainActionError} from '../../errors'
 /**
 * The main entry point for the action, called by Github Actions for the step.
@@ -22,7 +24,10 @@ export async function run(): Promise<void> {
        setActionId('gradle/actions/dependency-submission')
        // Configure Gradle environment (Gradle User Home)
-        await setupGradle.setup(new CacheConfig(), new BuildScanConfig())
+        await setupGradle.setup(new CacheConfig(), new BuildScanConfig(), new WrapperValidationConfig())
        // Capture the enabled state of dependency-graph
        const originallyEnabled = process.env['GITHUB_DEPENDENCY_GRAPH_ENABLED']
        // Configure the dependency graph submission
        const config = new DependencyGraphConfig()
@@ -53,6 +58,9 @@ export async function run(): Promise<void> {
        await dependencyGraph.complete(config)
        // Reset the enabled state of dependency graph
        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', originallyEnabled)
        saveDeprecationState()
    } catch (error) {
        handleMainActionError(error)
--- a/sources/src/actions/dependency-submission/post.ts
+++ b/sources/src/actions/dependency-submission/post.ts
@@ -1,7 +1,7 @@
-import * as setupGradle from '../setup-gradle'
+import * as setupGradle from '../../setup-gradle'
-import {CacheConfig, SummaryConfig} from '../configuration'
+import {CacheConfig, SummaryConfig} from '../../configuration'
-import {handlePostActionError} from '../errors'
+import {handlePostActionError} from '../../errors'
 // Catch and log any unhandled exceptions.  These exceptions can leak out of the uploadChunk method in
 // @actions/toolkit when a failed upload closes the file descriptor causing any in-process reads to
--- a/sources/src/actions/setup-gradle/main.ts
+++ b/sources/src/actions/setup-gradle/main.ts
@@ -1,17 +1,17 @@
-import * as setupGradle from '../setup-gradle'
+import * as setupGradle from '../../setup-gradle'
-import * as gradle from '../execution/gradle'
+import * as provisioner from '../../execution/provision'
-import * as dependencyGraph from '../dependency-graph'
+import * as dependencyGraph from '../../dependency-graph'
 import {
    BuildScanConfig,
    CacheConfig,
    DependencyGraphConfig,
    GradleExecutionConfig,
-    doValidateWrappers,
+    WrapperValidationConfig,
    getActionId,
    setActionId
-} from '../configuration'
+} from '../../configuration'
-import {recordDeprecation, saveDeprecationState} from '../deprecation-collector'
+import {failOnUseOfRemovedFeature, saveDeprecationState} from '../../deprecation-collector'
-import {handleMainActionError} from '../errors'
+import {handleMainActionError} from '../../errors'
 /**
 * The main entry point for the action, called by Github Actions for the step.
@@ -19,30 +19,22 @@ import {handleMainActionError} from '../errors'
 export async function run(): Promise<void> {
    try {
        if (getActionId() === 'gradle/gradle-build-action') {
-            recordDeprecation(
+            failOnUseOfRemovedFeature(
                'The action `gradle/gradle-build-action` has been replaced by `gradle/actions/setup-gradle`'
            )
        } else {
            setActionId('gradle/actions/setup-gradle')
        }
-        // Check for invalid wrapper JARs if requested
+        setActionId('gradle/actions/setup-gradle')
        if (doValidateWrappers()) {
            await setupGradle.checkNoInvalidWrapperJars()
        }
        // Configure Gradle environment (Gradle User Home)
-        await setupGradle.setup(new CacheConfig(), new BuildScanConfig())
+        await setupGradle.setup(new CacheConfig(), new BuildScanConfig(), new WrapperValidationConfig())
        // Configure the dependency graph submission
        await dependencyGraph.setup(new DependencyGraphConfig())
        const config = new GradleExecutionConfig()
-        await gradle.provisionAndMaybeExecute(
+        config.verifyNoArguments()
-            config.getGradleVersion(),
+        await provisioner.provisionGradle(config.getGradleVersion())
            config.getBuildRootDirectory(),
            config.getArguments()
        )
        saveDeprecationState()
    } catch (error) {
--- a/sources/src/actions/setup-gradle/post.ts
+++ b/sources/src/actions/setup-gradle/post.ts
@@ -1,9 +1,9 @@
-import * as setupGradle from '../setup-gradle'
+import * as setupGradle from '../../setup-gradle'
-import * as dependencyGraph from '../dependency-graph'
+import * as dependencyGraph from '../../dependency-graph'
-import {CacheConfig, DependencyGraphConfig, SummaryConfig} from '../configuration'
+import {CacheConfig, DependencyGraphConfig, SummaryConfig} from '../../configuration'
-import {handlePostActionError} from '../errors'
+import {handlePostActionError} from '../../errors'
-import {emitDeprecationWarnings, restoreDeprecationState} from '../deprecation-collector'
+import {emitDeprecationWarnings, restoreDeprecationState} from '../../deprecation-collector'
 // Catch and log any unhandled exceptions.  These exceptions can leak out of the uploadChunk method in
 // @actions/toolkit when a failed upload closes the file descriptor causing any in-process reads to
--- a/sources/src/actions/wrapper-validation/main.ts
+++ b/sources/src/actions/wrapper-validation/main.ts
@@ -0,0 +1,50 @@
 import * as path from 'path'
 import * as core from '@actions/core'
 import * as validate from '../../wrapper-validation/validate'
 import {getActionId, setActionId} from '../../configuration'
 import {failOnUseOfRemovedFeature, emitDeprecationWarnings} from '../../deprecation-collector'
 import {handleMainActionError} from '../../errors'
 export async function run(): Promise<void> {
    try {
        if (getActionId() === 'gradle/wrapper-validation-action') {
            failOnUseOfRemovedFeature(
                'The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`'
            )
        }
        setActionId('gradle/actions/wrapper-validation')
        const result = await validate.findInvalidWrapperJars(
            path.resolve('.'),
            core.getInput('allow-snapshots') === 'true',
            core.getInput('allow-checksums').split(',')
        )
        if (result.isValid()) {
            core.info(result.toDisplayString())
            const minWrapperCount = +core.getInput('min-wrapper-count')
            if (result.valid.length < minWrapperCount) {
                const message =
                    result.valid.length === 0
                        ? 'Wrapper validation failed: no Gradle Wrapper jars found. Did you forget to checkout the repository?'
                        : `Wrapper validation failed: expected at least ${minWrapperCount} Gradle Wrapper jars, but found ${result.valid.length}.`
                core.setFailed(message)
            }
        } else {
            core.setFailed(
                `At least one Gradle Wrapper Jar failed validation!\n  See https://github.com/gradle/actions/blob/main/docs/wrapper-validation.md#validation-failures\n${result.toDisplayString()}`
            )
            if (result.invalid.length > 0) {
                core.setOutput('failed-wrapper', `${result.invalid.map(w => w.path).join('|')}`)
            }
        }
        emitDeprecationWarnings(false)
    } catch (error) {
        handleMainActionError(error)
    }
 }
 run()
--- a/sources/src/build-results.ts
+++ b/sources/src/build-results.ts
@@ -8,15 +8,40 @@ export interface BuildResult {
    get gradleVersion(): string
    get gradleHomeDir(): string
    get buildFailed(): boolean
    get configCacheHit(): boolean
    get buildScanUri(): string
    get buildScanFailed(): boolean
 }
-export function loadBuildResults(): BuildResult[] {
+export class BuildResults {
-    return getUnprocessedResults().map(filePath => {
+    results: BuildResult[]
    constructor(results: BuildResult[]) {
        this.results = results
    }
    anyFailed(): boolean {
        return this.results.some(result => result.buildFailed)
    }
    anyConfigCacheHit(): boolean {
        return this.results.some(result => result.configCacheHit)
    }
    uniqueGradleHomes(): string[] {
        const allHomes = this.results.map(buildResult => buildResult.gradleHomeDir)
        return Array.from(new Set(allHomes))
    }
 }
 export function loadBuildResults(): BuildResults {
    const results = getUnprocessedResults().map(filePath => {
        const content = fs.readFileSync(filePath, 'utf8')
-        return JSON.parse(content) as BuildResult
+        const buildResult = JSON.parse(content) as BuildResult
        addScanResults(filePath, buildResult)
        return buildResult
    })
    return new BuildResults(results)
 }
 export function markBuildResultsProcessed(): void {
@@ -24,7 +49,7 @@ export function markBuildResultsProcessed(): void {
 }
 function getUnprocessedResults(): string[] {
-    const buildResultsDir = path.resolve(process.env['RUNNER_TEMP']!, '.build-results')
+    const buildResultsDir = path.resolve(process.env['RUNNER_TEMP']!, '.gradle-actions', 'build-results')
    if (!fs.existsSync(buildResultsDir)) {
        return []
    }
@@ -39,6 +64,22 @@ function getUnprocessedResults(): string[] {
        })
 }
 function addScanResults(buildResultsFile: string, buildResult: BuildResult): void {
    const buildScansDir = path.resolve(process.env['RUNNER_TEMP']!, '.gradle-actions', 'build-scans')
    if (!fs.existsSync(buildScansDir)) {
        return
    }
    const buildScanResults = path.resolve(buildScansDir, path.basename(buildResultsFile))
    if (fs.existsSync(buildScanResults)) {
        const content = fs.readFileSync(buildScanResults, 'utf8')
        const scanResults = JSON.parse(content)
        Object.assign(buildResult, scanResults)
    }
    return
 }
 function isProcessed(resultFile: string): boolean {
    const markerFile = `${resultFile}.processed`
    return fs.existsSync(markerFile)
--- a/sources/src/caching/cache-cleaner.ts
+++ b/sources/src/caching/cache-cleaner.ts
@@ -1,8 +1,9 @@
 import * as core from '@actions/core'
 import * as exec from '@actions/exec'
-import * as glob from '@actions/glob'
+
 import fs from 'fs'
 import path from 'path'
 import * as provisioner from '../execution/provision'
 export class CacheCleaner {
    private readonly gradleUserHome: string
@@ -13,26 +14,20 @@ export class CacheCleaner {
        this.tmpDir = tmpDir
    }
-    async prepare(): Promise<void> {
+    async prepare(): Promise<string> {
-        // Reset the file-access journal so that files appear not to have been used recently
+        // Save the current timestamp
-        fs.rmSync(path.resolve(this.gradleUserHome, 'caches/journal-1'), {recursive: true, force: true})
+        const timestamp = Date.now().toString()
-        fs.mkdirSync(path.resolve(this.gradleUserHome, 'caches/journal-1'), {recursive: true})
+        core.saveState('clean-timestamp', timestamp)
-        fs.writeFileSync(
+        return timestamp
            path.resolve(this.gradleUserHome, 'caches/journal-1/file-access.properties'),
            'inceptionTimestamp=0'
        )
        // Set the modification time of all files to the past: this timestamp is used when there is no matching entry in the journal
        await this.ageAllFiles()
        // Touch all 'gc' files so that cache cleanup won't run immediately.
        await this.touchAllFiles('gc.properties')
    }
    async forceCleanup(): Promise<void> {
-        // Age all 'gc' files so that cache cleanup will run immediately.
+        const cleanTimestamp = core.getState('clean-timestamp')
-        await this.ageAllFiles('gc.properties')
+        await this.forceCleanupFilesOlderThan(cleanTimestamp)
    }
    // Visible for testing
    async forceCleanupFilesOlderThan(cleanTimestamp: string): Promise<void> {
        // Run a dummy Gradle build to trigger cache cleanup
        const cleanupProjectDir = path.resolve(this.tmpDir, 'dummy-cleanup-project')
        fs.mkdirSync(cleanupProjectDir, {recursive: true})
@@ -40,30 +35,52 @@ export class CacheCleaner {
            path.resolve(cleanupProjectDir, 'settings.gradle'),
            'rootProject.name = "dummy-cleanup-project"'
        )
        fs.writeFileSync(
            path.resolve(cleanupProjectDir, 'init.gradle'),
            `
            beforeSettings { settings ->
                def cleanupTime = ${cleanTimestamp}
                settings.caches {
                    cleanup = Cleanup.ALWAYS
                    releasedWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
                    snapshotWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
                    downloadedResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
                    createdResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
                    buildCache.setRemoveUnusedEntriesOlderThan(cleanupTime)
                }
            }
            `
        )
        fs.writeFileSync(path.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}')
-        const gradleCommand = `gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet -DGITHUB_DEPENDENCY_GRAPH_ENABLED=false noop`
+        // Gradle >= 8.11 required for cache cleanup
-        await exec.exec(gradleCommand, [], {
+        // TODO: This is ineffective: we should be using the newest version of Gradle that ran a build, or a newer version if it's available on PATH.
        const executable = await provisioner.provisionGradleAtLeast('8.11.1')
        await core.group('Executing Gradle to clean up caches', async () => {
            core.info(`Cleaning up caches last used before ${cleanTimestamp}`)
            await this.executeCleanupBuild(executable, cleanupProjectDir)
        })
    }
    private async executeCleanupBuild(executable: string, cleanupProjectDir: string): Promise<void> {
        const args = [
            '-g',
            this.gradleUserHome,
            '-I',
            'init.gradle',
            '--info',
            '--no-daemon',
            '--no-scan',
            '--build-cache',
            '-DGITHUB_DEPENDENCY_GRAPH_ENABLED=false',
            'noop'
        ]
        await exec.exec(executable, args, {
            cwd: cleanupProjectDir
        })
    }
    private async ageAllFiles(fileName = '*'): Promise<void> {
        core.debug(`Aging all files in Gradle User Home with name ${fileName}`)
        await this.setUtimes(`${this.gradleUserHome}/**/${fileName}`, new Date(0))
    }
    private async touchAllFiles(fileName = '*'): Promise<void> {
        core.debug(`Touching all files in Gradle User Home with name ${fileName}`)
        await this.setUtimes(`${this.gradleUserHome}/**/${fileName}`, new Date())
    }
    private async setUtimes(pattern: string, timestamp: Date): Promise<void> {
        const globber = await glob.create(pattern, {
            implicitDescendants: false
        })
        for await (const file of globber.globGenerator()) {
            fs.utimesSync(file, timestamp, timestamp)
        }
    }
 }
--- a/sources/src/caching/cache-key.ts
+++ b/sources/src/caching/cache-key.ts
@@ -73,7 +73,8 @@ export function getCacheKeyBase(cacheName: string, cacheProtocolVersion: string)
 function getCacheKeyEnvironment(): string {
    const runnerOs = process.env['RUNNER_OS'] || ''
-    return process.env[CACHE_KEY_OS_VAR] || runnerOs
+    const runnerArch = process.env['RUNNER_ARCH'] || ''
    return process.env[CACHE_KEY_OS_VAR] || `${runnerOs}-${runnerArch}`
 }
 function getCacheKeyJob(): string {
--- a/Show More
+++ b/Show More