Bump @vercel/ncc in /sources in the npm-dependencies group

Bumps the npm-dependencies group in /sources with 1 update: [@vercel/ncc](https://github.com/vercel/ncc).


Updates `@vercel/ncc` from 0.38.2 to 0.38.3
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.2...0.38.3)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/actions/build-dist/action.yml

@@ -3,7 +3,7 @@ name: 'Build and upload distribution'
 runs:
   using: "composite"
   steps: 
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
         cache: npm
@@ -23,7 +23,7 @@ runs:
         cp -r sources/dist .
 
     - name: Upload distribution
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: dist
         path: dist/

.github/actions/init-integ-test/action.yml

@@ -4,15 +4,20 @@ runs:
   using: "composite"
   steps: 
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: 'temurin'
         java-version: 11
 
+    - name: Configure environment
+      shell: bash
+      run: |
+        echo "ALLOWED_GRADLE_WRAPPER_CHECKSUMS=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" >> "$GITHUB_ENV"
+
     # Downloads a 'dist' directory artifact that was uploaded in an earlier 'build-dist' step
     - name: Download dist
       if: ${{ env.SKIP_DIST != 'true' && !env.ACT }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: dist
         path: dist/

.github/dependabot.yml

@@ -47,40 +47,40 @@ updates:
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: "gradle"
     directory: ".github/workflow-samples/groovy-dsl"
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: "gradle"
     directory: ".github/workflow-samples/java-toolchain"
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: "gradle"
     directory: ".github/workflow-samples/kotlin-dsl"
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: "gradle"
     directory: ".github/workflow-samples/no-wrapper"
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: "gradle"
     directory: ".github/workflow-samples/no-wrapper-gradle-5"
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: "gradle"
     directory: "sources/test/init-scripts"
     registries:
       - gradle-plugin-portal
     schedule:
-      interval: "daily"
+      interval: "weekly"

.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.develocity" version "3.18.2"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.2"
 }
 
 develocity {

.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/build.gradle.kts

@@ -8,9 +8,9 @@ repositories {
 
 dependencies {
     api("org.apache.commons:commons-math3:3.6.1")
-    implementation("com.google.guava:guava:33.2.1-jre")
+    implementation("com.google.guava:guava:33.3.1-jre")
 
-    testImplementation("org.junit.jupiter:junit-jupiter:5.10.3")
+    testImplementation("org.junit.jupiter:junit-jupiter:5.11.3")
 }
 
 tasks.test {

.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/settings.gradle.kts

@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.develocity") version "3.17.5"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.1"
+    id("com.gradle.develocity") version "3.18.2"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
 }
 
 develocity {

.github/workflow-samples/no-wrapper-gradle-5/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5" 
+    id "com.gradle.develocity" version "3.18.2" 
 }
 
 develocity {

.github/workflow-samples/no-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5"
+    id "com.gradle.develocity" version "3.18.2"
 }
 
 develocity {

.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/non-executable-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.17.5"
+    id "com.gradle.develocity" version "3.18.2"
 }
 
 develocity {

.github/workflows/ci-check-and-unit-test.yml

@@ -17,16 +17,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
+    - name: Setup Gradle
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@473878a77f1b98e2b5ac4af93489d1656a80a5ed # v4.2.0
+      env:
+        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
+      with:
+        gradle-version: "8.11"
 
     - name: Check formatting and compile
       run: |
-        npm install
+        npm clean-install
         npm run check
         npm run compile
       working-directory: sources

.github/workflows/ci-check-no-dist-update.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
     - name: Get changed files
       id: changed-files
-      uses: tj-actions/changed-files@v44
+      uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf # v45.0.4
       with:
         files: |
           dist/**

.github/workflows/ci-codeql.yml

@@ -6,16 +6,15 @@ on:
     - 'main'
     - 'release/**'
     - 'dev/**' # Allow running Code QL on dev branches without a PR
-    paths-ignore:
-    - 'dist/**'
   pull_request:
     branches:
     - 'main'
-    paths-ignore:
-    - 'dist/**'
   schedule:
     - cron: '25 23 * * 2'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -32,11 +31,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         languages: ${{ matrix.language }}
         config: |
@@ -44,4 +43,4 @@ jobs:
           - sources/src
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4

.github/workflows/ci-init-script-check.yml

@@ -14,19 +14,25 @@ on:
       - 'sources/test/init-scripts/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-init-scripts:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: temurin
         java-version: 11
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3 # Use a released version to avoid breakages
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@473878a77f1b98e2b5ac4af93489d1656a80a5ed # v4.2.0
+      env:
+        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
     - name: Run integration tests
       working-directory: sources/test/init-scripts
       run: ./gradlew check

.github/workflows/ci-integ-test-full.yml

@@ -0,0 +1,37 @@
+name: CI-integ-test-full
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+    - 'dist/**'
+
+concurrency:
+  group: integ-test
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  caching-integ-tests:
+    uses: ./.github/workflows/suite-integ-test-caching.yml
+    concurrency:
+      group: CI-integ-test-full
+      cancel-in-progress: false
+    with:
+      runner-os: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+      skip-dist: true
+    secrets: inherit
+
+  other-integ-tests:
+    permissions:
+      contents: write
+    uses: ./.github/workflows/suite-integ-test-other.yml
+    concurrency:
+      group: CI-integ-test-full
+      cancel-in-progress: false
+    with:
+      runner-os: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+      skip-dist: true
+    secrets: inherit

.github/workflows/ci-integ-test.yml

@@ -8,195 +8,38 @@ on:
     - 'main'
     - 'release/**'
     - 'dev/**' # Allow running tests on dev branches without a PR
+    paths-ignore:
+    - 'dist/**'
 
 concurrency:
-  group: integ-tests-${{ github.ref }}
+  group: integ-test
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
-  determine-suite:
-    runs-on: ubuntu-latest
-    outputs:
-      runner-os: ${{ steps.determine-suite.outputs.suite == 'quick' && '["ubuntu-latest"]' || '["ubuntu-latest", "windows-latest", "macos-latest"]' }}
-      cache-key-prefix: '0' # TODO DAZ Try this again ${{ steps.determine-suite.outputs.suite == 'quick' && '0' || github.run_number }}
-      suite: ${{ steps.determine-suite.outputs.suite }}
-    steps:
-    - name: Determine suite to run
-      id: determine-suite
-      run: |
-        # Always run quick suite if we are not in the core `gradle/actions` repository
-        # This reduces the load for developers working on 'main' on forks
-        if [ "${{ github.repository }}" != "gradle/actions" ]; then
-          echo "Not in core repository: suite=quick"
-          echo "suite=quick" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        # Run full suite for push trigger with "[bot] Update dist directory" commit message
-        if [ "${{ github.event.head_commit.message }}" == "[bot] Update dist directory" ]; then
-          echo "Bot commit to main branch: suite=full"
-          echo "suite=full" >> "$GITHUB_OUTPUT"
-          exit 0
-        fi
-
-        # Run quick suite for everything else
-        echo "Everything else: suite=quick"
-        echo "suite=quick" >> "$GITHUB_OUTPUT"
-
   build-distribution:
-    needs: [determine-suite]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       if: ${{ needs.determine-suite.outputs.suite != 'full' }}
       uses: ./.github/actions/build-dist
 
-  build-scan-publish:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-build-scan-publish.yml
+  caching-integ-tests:
+    needs: build-distribution
+    uses: ./.github/workflows/suite-integ-test-caching.yml
     with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
+      skip-dist: false
+    secrets: inherit
 
-  cache-cleanup:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-cache-cleanup.yml
-    with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.suite}}-${{github.run_number}}-' # Requires a fresh cache entry each run
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  caching-config:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-caching-config.yml
-    with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  dependency-graph:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-dependency-graph.yml
+  other-integ-tests:
     permissions:
       contents: write
+    needs: build-distribution
+    uses: ./.github/workflows/suite-integ-test-other.yml
     with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  dependency-submission:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-dependency-submission.yml
-    permissions:
-      contents: write
-    with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  dependency-submission-failures:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-dependency-submission-failures.yml
-    permissions:
-      contents: write
-    with:
-      runner-os: '${{ needs.determine-suite.outputs.runner-os }}'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  develocity-injection:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-inject-develocity.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-    secrets:
-      DEVELOCITY_ACCESS_KEY: ${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}
-
-  provision-gradle-versions:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-provision-gradle-versions.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  restore-configuration-cache:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-restore-configuration-cache.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-    secrets:
-      GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-
-  restore-containerized-gradle-home:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-restore-containerized-gradle-home.yml
-    with:
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  restore-custom-gradle-home:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-restore-custom-gradle-home.yml
-    with:
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  restore-gradle-home:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-restore-gradle-home.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  restore-java-toolchain:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-restore-java-toolchain.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  sample-kotlin-dsl:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-sample-kotlin-dsl.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  sample-gradle-plugin:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-sample-gradle-plugin.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  toolchain-detection:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-detect-java-toolchains.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      cache-key-prefix: '${{ needs.determine-suite.outputs.cache-key-prefix }}-'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
-
-  wrapper-validation:
-    needs: [determine-suite, build-distribution]
-    uses: ./.github/workflows/integ-test-wrapper-validation.yml
-    with:
-      runner-os: '["ubuntu-latest"]'
-      skip-dist: ${{ needs.determine-suite.outputs.suite == 'full' }}
+      skip-dist: false
+    secrets: inherit

.github/workflows/ci-ossf-scorecard.yml

@@ -0,0 +1,57 @@
+name: CI-ossf-scorecard
+on:
+  schedule:
+    - cron: '0 5 * * 1'
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      - name: 'Run analysis'
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: 'Upload artifact'
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: 'Upload to code-scanning'
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+        with:
+          sarif_file: results.sarif

.github/workflows/ci-update-dist.yml

@@ -10,19 +10,24 @@ on:
     - 'dist/**'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   update-dist:
+    # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
+    # it would erroneously update `dist` on their branch (and the pull request)
+    if: github.repository == 'gradle/actions'
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         token: ${{ secrets.BOT_GITHUB_TOKEN }}
 
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
         cache: npm
@@ -43,10 +48,7 @@ jobs:
     # Important: The push event will not trigger any other workflows, see
     # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
     - name: Commit & push changes
-      # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
-      # it would erroneously update `dist` on their branch (and the pull request)
-      if: github.repository == 'gradle/actions'
-      uses: stefanzweifel/git-auto-commit-action@v5
+      uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
       with:
         commit_message: '[bot] Update dist directory'
         file_pattern: dist

.github/workflows/ci-validate-wrappers.yml

@@ -0,0 +1,17 @@
+name: CI-validate-wrappers
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: gradle/actions/wrapper-validation@473878a77f1b98e2b5ac4af93489d1656a80a5ed # v4.2.0
+        with:
+          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

.github/workflows/demo-job-summary.yml

@@ -3,12 +3,15 @@ name: Demo Job Summary, for Gradle builds
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
@@ -17,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -59,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -79,7 +82,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -94,3 +97,20 @@ jobs:
     - name: Run build
       working-directory: .github/workflow-samples/groovy-dsl
       run: ./gradlew assemble
+
+  cache-read-only:
+    needs: build-distribution
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Initialize integ-test
+      uses: ./.github/actions/init-integ-test
+
+    - name: Setup Gradle
+      uses: ./setup-gradle
+      with:
+        cache-read-only: true
+    - name: Build kotlin-dsl project
+      working-directory: .github/workflow-samples/kotlin-dsl
+      run: ./gradlew assemble

.github/workflows/demo-pr-build-scan-comment.yml

@@ -4,23 +4,25 @@ on:
     types: [assigned, review_requested]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
   successful-build-with-always-comment:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -34,11 +36,13 @@ jobs:
       run: ./gradlew build --scan
 
   successful-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,11 +56,13 @@ jobs:
       run: ./gradlew build --scan
 
   failing-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-build-scan-publish.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -16,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   build-scan-publish:
     strategy:
@@ -26,15 +30,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -50,7 +49,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')   

.github/workflows/integ-test-cache-cleanup.yml

@@ -5,27 +5,33 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
 
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
-  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}
+  # Requires a fresh cache entry each run
+  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
+
+permissions:
+  contents: read
 
 jobs:
-  full-build:
+  cache-cleanup-full-build:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -38,16 +44,17 @@ jobs:
       run: ./gradlew --no-daemon --build-cache -Dcommons_math3_version="3.1" build
 
   # Second build will use the cache from the first build, but cleanup should remove unused artifacts
-  assemble-build:
-    needs: full-build
+  cache-cleanup-assemble-build:
+    needs: cache-cleanup-full-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -60,16 +67,17 @@ jobs:
       working-directory: sources/test/jest/resources/cache-cleanup
       run: ./gradlew --no-daemon --build-cache -Dcommons_math3_version="3.1.1" build
 
-  check-clean-cache:
-    needs: assemble-build
+  cache-cleanup-check-clean-cache:
+    needs: cache-cleanup-assemble-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-caching-config.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -16,16 +17,20 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  caching-config-seed-build:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -46,16 +51,17 @@ jobs:
       run: ./gradlew test
 
   # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  verify-build:
-    needs: seed-build
+  caching-config-verify-build:
+    needs: caching-config-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -75,15 +81,16 @@ jobs:
       run: ./gradlew test --offline
 
   # Test that build scans are captured when caching is explicitly disabled
-  cache-disabled:
+  caching-config-cache-disabled:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -97,17 +104,17 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
 
   # Test that build scans are captured when caching is disabled because Gradle User Home already exists
-  cache-disabled-pre-existing-gradle-home:
+  caching-config-cache-disabled-pre-existing-gradle-home:
     runs-on: ubuntu-latest # This test only runs on Ubuntu
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -121,23 +128,24 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
 
   # Test seed the cache with cache-write-only and verify with cache-read-only
-  seed-build-write-only:
+  caching-config-seed-write-only:
     env:
-      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}-write-only-
+      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-write-only-${{ inputs.cache-key-prefix }}
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -149,18 +157,19 @@ jobs:
       working-directory: .github/workflow-samples/groovy-dsl
       run: ./gradlew test
 
-  verify-write-only-build:
+  caching-config-verify-write-only:
     env:
-      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}-write-only-
-    needs: seed-build-write-only
+      GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-write-only-${{ inputs.cache-key-prefix }}
+    needs: caching-config-seed-write-only
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-graph.yml

@@ -5,31 +5,28 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
 
-permissions:
-  contents: write
-
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
-  groovy-upload:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: ${{fromJSON(inputs.runner-os)}}
-    runs-on: ${{ matrix.os }}
+  dependency-graph-groovy-upload:
+    runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -41,12 +38,14 @@ jobs:
       run: ./gradlew build
       working-directory: .github/workflow-samples/groovy-dsl
 
-  groovy-submit:
-    needs: [groovy-upload]
+  dependency-graph-groovy-submit:
+    permissions:
+      contents: write
+    needs: [dependency-graph-groovy-upload]
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -57,15 +56,13 @@ jobs:
       env:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
 
-  kotlin-generate-and-submit:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: ${{fromJSON(inputs.runner-os)}}
-    runs-on: ${{ matrix.os }}
+  dependency-graph-kotlin-generate-and-submit:
+    permissions:
+      contents: write
+    runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -77,15 +74,13 @@ jobs:
       run: ./gradlew build
       working-directory: .github/workflow-samples/kotlin-dsl
 
-  multiple-builds:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: ${{fromJSON(inputs.runner-os)}}
-    runs-on: ${{ matrix.os }}
+  dependency-graph-multiple-builds:
+    permissions:
+      contents: write
+    runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -122,11 +117,13 @@ jobs:
             exit 1
         fi
         
-  config-cache:
+  dependency-graph-config-cache:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-submission-failures.yml

@@ -5,6 +5,7 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
         default: '["ubuntu-latest"]'
@@ -17,12 +18,15 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
-  failing-build:
+  dependency-submission-failures-failing-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -47,11 +51,11 @@ jobs:
             exit 1
         fi
 
-  unsupported-gradle-version:
+  dependency-submission-failures-unsupported-gradle-version:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -76,13 +80,13 @@ jobs:
             exit 1
         fi
 
-  insufficient-permissions:
+  dependency-submission-failures-insufficient-permissions:
     runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-submission.yml

@@ -5,31 +5,35 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
 
-permissions:
-  contents: write
-
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
-  groovy-generate-and-upload:
+  dependency-submission-groovy-generate-and-upload:
+    permissions:
+      contents: write
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -42,16 +46,19 @@ jobs:
       env: 
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
-  groovy-restore-cache:
-    needs: [groovy-generate-and-upload]
+  dependency-submission-groovy-restore-cache:
+    permissions:
+      contents: write
+    needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -63,16 +70,19 @@ jobs:
       env: 
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
-  groovy-download-and-submit:
-    needs: [groovy-generate-and-upload]
+  dependency-submission-groovy-download-and-submit:
+    permissions:
+      contents: write
+    needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -83,15 +93,18 @@ jobs:
       env:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
 
-  kotlin-generate-and-submit:
+  dependency-submission-kotlin-generate-and-submit:
+    permissions:
+      contents: write
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -100,15 +113,18 @@ jobs:
       with:
         build-root-directory: .github/workflow-samples/kotlin-dsl
 
-  multiple-builds:
+  dependency-submission-multiple-builds:
+    permissions:
+      contents: write
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -145,15 +161,18 @@ jobs:
             exit 1
         fi
 
-  multiple-builds-upload:
+  dependency-submission-multiple-builds-upload:
+    permissions:
+      contents: write
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -168,11 +187,13 @@ jobs:
         dependency-graph: generate-and-upload
         build-root-directory: .github/workflow-samples/groovy-dsl
 
-  config-cache:
+  dependency-submission-config-cache:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -203,7 +224,9 @@ jobs:
             exit 1
         fi
 
-  gradle-versions:
+  dependency-submission-gradle-versions:
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -217,7 +240,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -227,11 +250,13 @@ jobs:
         gradle-version: ${{ matrix.gradle }}
         build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
 
-  with-setup-gradle:
+  dependency-submission-with-setup-gradle:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -262,11 +287,13 @@ jobs:
             exit 1
         fi
 
-  with-includes-and-excludes:
+  dependency-submission-with-includes-and-excludes:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -296,15 +323,18 @@ jobs:
         fi
 
 
-  custom-report-dir-submit:
+  dependency-submission-custom-report-dir-submit:
+    permissions:
+      contents: write
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -330,11 +360,13 @@ jobs:
           exit 1
         fi
 
-  custom-report-dir-upload:
+  dependency-submission-custom-report-dir-upload:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -347,11 +379,13 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   custom-report-dir-download-and-submit:
-    needs: custom-report-dir-upload
+    permissions:
+      contents: write
+    needs: [dependency-submission-custom-report-dir-upload]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-detect-toolchains.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -16,9 +17,12 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   # Test that pre-installed runner JDKs are detected
-  pre-installed-toolchains:
+  detect-toolchains-pre-installed-jdks:
     strategy:
       fail-fast: false
       matrix:
@@ -26,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -48,7 +52,7 @@ jobs:
         grep -q 'Eclipse Temurin JDK 21' output.txt || (echo "::error::Did not detect preinstalled JDK 21" && exit 1)
 
   # Test that JDKs provisioned by setup-java are detected
-  setup-java-installed-toolchain:
+  detect-toolchains-setup-java-jdks:
     strategy:
       fail-fast: false
       matrix:
@@ -56,17 +60,17 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java 20
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: 'temurin'
         java-version: 20
     - name: Setup Java 16
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: 'temurin'
         java-version: 16

.github/workflows/integ-test-inject-develocity.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -19,38 +20,36 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   inject-develocity:
     env:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: https://ge.solutions-team.gradle.com
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
       ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
     strategy:
       fail-fast: false
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.17.5]
+        plugin-version: [3.16.2, 3.18.2]
         include:
         - plugin-version: 3.16.2
           accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
-        - plugin-version: 3.17.5
+        - plugin-version: 3.18.2
           accessKeyEnv: DEVELOCITY_ACCESS_KEY
 
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -63,7 +62,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -77,24 +76,19 @@ jobs:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
     strategy:
       fail-fast: false
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.17.5]
+        plugin-version: [3.16.2, 3.18.2]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -113,7 +107,7 @@ jobs:
         run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('No Build Scan detected')
@@ -123,7 +117,7 @@ jobs:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: 'https://localhost:3333/'
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
       # Access key also set as an env var, we want to check it does not leak
       GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
       DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -132,19 +126,14 @@ jobs:
       matrix:
         gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.17.5 ]
+        plugin-version: [ 3.16.2, 3.18.2 ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
 
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -168,18 +157,13 @@ jobs:
       matrix:
         gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.17.5 ]
+        plugin-version: [ 3.16.2, 3.18.2 ]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -195,7 +179,7 @@ jobs:
         run: gradle help
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('No Build Scan detected')

.github/workflows/integ-test-provision-gradle-versions.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -17,18 +18,22 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 
+permissions:
+  contents: read
+
 jobs:   
   # Tests for executing with different Gradle versions. 
   # Each build verifies that it is executed with the expected Gradle version.
   provision-gradle:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -64,16 +69,16 @@ jobs:
       run: gradle help
     - name: Check current version output parameter
       if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
   
-  gradle-versions:
+  provision-gradle-version:
     strategy:
       fail-fast: false
       matrix:
-        gradle: [8.9, 8.8, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1] # 8.8 is the latest installed on windows runners
+        gradle: ["8.11", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
         os: ${{fromJSON(inputs.runner-os)}}
         include:
           - java-version: 11
@@ -90,12 +95,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: temurin
         java-version: ${{ matrix.java-version }}
@@ -107,7 +112,7 @@ jobs:
         gradle-version: ${{ matrix.gradle }}
     - name: Check output parameter
       if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -117,7 +122,7 @@ jobs:
       run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')    

.github/workflows/integ-test-restore-configuration-cache.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -19,65 +20,58 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build-groovy:
+  restore-cc-seed-build-groovy:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
 
-  verify-build-groovy:
+  restore-cc-verify-build-groovy:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_1
-    needs: seed-build-groovy
+    needs: restore-cc-seed-build-groovy
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false
         cache-cleanup: on-success
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -91,33 +85,28 @@ jobs:
         fi
 
   # Ensure that cache-cleanup doesn't remove all necessary files
-  verify-no-cache-cleanup-groovy:
+  restore-cc-verify-no-cache-cleanup-groovy:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_2
-    needs: verify-build-groovy
+    needs: restore-cc-verify-build-groovy
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -131,27 +120,23 @@ jobs:
         fi
 
   # Check that the build can run when no extracted cache entries are restored
-  gradle-user-home-not-fully-restored:
+  restore-cc-gradle-user-home-not-fully-restored:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-groovy
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_x
-    needs: seed-build-groovy
+    needs: restore-cc-seed-build-groovy
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle with no extracted cache entries restored
       uses: ./setup-gradle
       env: 
@@ -159,100 +144,84 @@ jobs:
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Check execute Gradle build with configuration cache enabled (but not restored)
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
 
-  seed-build-kotlin:
+  restore-cc-seed-build-kotlin:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'help' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle help --configuration-cache
 
-  modify-build-kotlin:
+  restore-cc-modify-build-kotlin:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_1
-    needs: seed-build-kotlin
+    needs: restore-cc-seed-build-kotlin
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'test' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle test --configuration-cache
 
   # Test restore configuration-cache from the third build invocation
-  verify-build-kotlin:
+  restore-cc-verify-build-kotlin:
     env:
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-cc-kotlin
       GRADLE_BUILD_ACTION_CACHE_KEY_JOB_EXECUTION: ${{github.sha}}_2
-    needs: modify-build-kotlin
+    needs: restore-cc-modify-build-kotlin
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'test' again with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/kotlin-dsl

.github/workflows/integ-test-restore-containerized-gradle-home.yml

@@ -5,6 +5,7 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       skip-dist:
         type: boolean
         default: false
@@ -13,13 +14,16 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  restore-containerized-seed-build:
     runs-on: ubuntu-latest
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -32,13 +36,13 @@ jobs:
       run: ./gradlew test
 
   # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  dependencies-cache:
-    needs: seed-build
+  restore-containerized-dependencies-cache:
+    needs: restore-containerized-seed-build
     runs-on: ubuntu-latest
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-custom-gradle-home.yml

@@ -5,6 +5,7 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       skip-dist:
         type: boolean
         default: false
@@ -13,12 +14,15 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  restore-custom-gradle-home-seed-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -35,12 +39,12 @@ jobs:
       run: ./gradlew test --info
 
   # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  dependencies-cache:
-    needs: seed-build
+  restore-custom-gradle-home-dependencies-cache:
+    needs: restore-custom-gradle-home-seed-build
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -57,12 +61,12 @@ jobs:
       run: ./gradlew test --offline --info
 
   # Test that the gradle-user-home cache will cache and restore local build-cache
-  build-cache:
-    needs: seed-build
+  restore-custom-gradle-home-build-cache:
+    needs: restore-custom-gradle-home-seed-build
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-gradle-home.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -17,16 +18,20 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  restore-gradle-home-seed-build:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -39,16 +44,17 @@ jobs:
       run: ./gradlew test
 
   # Test that the gradle-user-home cache will cache dependencies, by running build with --offline
-  dependencies-cache:
-    needs: seed-build
+  restore-gradle-home-dependencies-cache:
+    needs: restore-gradle-home-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -61,16 +67,17 @@ jobs:
       run: ./gradlew test --offline
 
   # Test that the gradle-user-home cache will cache and restore local build-cache
-  build-cache:
-    needs: seed-build
+  restore-gradle-home-build-cache:
+    needs: restore-gradle-home-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -83,16 +90,17 @@ jobs:
       run: ./gradlew test -DverifyCachedBuild=true
 
   # Check that the build can run when Gradle User Home is not fully restored
-  no-extracted-cache-entries-restored:
-    needs: seed-build
+  restore-gradle-home-no-extracted-cache-entries-restored:
+    needs: restore-gradle-home-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -107,16 +115,17 @@ jobs:
       run: ./gradlew test
 
   # Test that a pre-existing gradle-user-home can be overwritten by the restored cache
-  pre-existing-gradle-home:
-    needs: seed-build
+  restore-gradle-home-pre-existing-gradle-home:
+    needs: restore-gradle-home-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-java-toolchain.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -16,16 +17,20 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  restore-java-toolchain-seed-build:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -38,16 +43,17 @@ jobs:
       run: ./gradlew test --info
 
   # Test that the gradle-user-home cache will cache the toolchain, by running build with --offline
-  toolchain-cache:
-    needs: seed-build
+  restore-java-toolchain-verify-build:
+    needs: restore-java-toolchain-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-gradle-plugin.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -16,16 +17,20 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  sample-gradle-plugin-seed-build:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -37,16 +42,17 @@ jobs:
       working-directory: .github/workflow-samples/gradle-plugin
       run: ./gradlew build
 
-  verify-build:
-    needs: seed-build
+  sample-gradle-plugin-verify-build:
+    needs: sample-gradle-plugin-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-kotlin-dsl.yml

@@ -5,9 +5,10 @@ on:
     inputs:
       cache-key-prefix:
         type: string
+        default: '0'
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -16,16 +17,20 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
-  seed-build:
+  sample-kotlin-dsl-seed-build:
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -37,16 +42,17 @@ jobs:
       working-directory: .github/workflow-samples/kotlin-dsl
       run: ./gradlew build
 
-  verify-build:
-    needs: seed-build
+  sample-kotlin-dsl-verify-build:
+    needs: sample-kotlin-dsl-seed-build
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-wrapper-validation.yml

@@ -5,7 +5,7 @@ on:
     inputs:
       runner-os:
         type: string
-        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+        default: '["ubuntu-latest"]'
       skip-dist:
         type: boolean
         default: false
@@ -13,8 +13,11 @@ on:
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
 
+permissions:
+  contents: read
+
 jobs:
-  test-setup-gradle-validation:
+  wrapper-validation-setup-gradle:
     strategy:
       fail-fast: false
       matrix:
@@ -22,29 +25,30 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Run wrapper-validation-action
       id: setup-gradle
       uses: ./setup-gradle
-      with:
-        validate-wrappers: true
+      env:
+        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: ''
       continue-on-error: true
 
     - name: Check failure
+      shell: bash
       run: |
         if [ "${{ steps.setup-gradle.outcome}}" != "failure" ] ; then
           echo "Expected validation to fail, but it didn't"
           exit 1
         fi
 
-  test-validation-success:
+  wrapper-validation-success:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -54,6 +58,7 @@ jobs:
       with:
         # to allow the invalid wrapper jar present in test data
         allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+        min-wrapper-count: 10
 
     - name: Check outcome
       env:
@@ -61,17 +66,18 @@ jobs:
         # below to not accidentally inject code into shell script or break its syntax
         FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
         FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == '' }}
+      shell: bash
       run: |
         if [ "$FAILED_WRAPPERS_MATCHES" != "true" ] ; then
           echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
           exit 1
         fi
 
-  test-validation-error:
+  wrapper-validation-error:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -88,6 +94,7 @@ jobs:
         VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
         FAILED_WRAPPERS: ${{ steps.action-test.outputs.failed-wrapper }}
         FAILED_WRAPPERS_MATCHES: ${{ steps.action-test.outputs.failed-wrapper == 'sources/test/jest/wrapper-validation/data/invalid/gradle-wrapper.jar|sources/test/jest/wrapper-validation/data/invalid/gradlе-wrapper.jar' }}
+      shell: bash
       run: |
         if [ "$VALIDATION_FAILED" != "true" ] ; then
           echo "Expected validation to fail, but it didn't"
@@ -98,3 +105,64 @@ jobs:
           echo "'outputs.failed-wrapper' has unexpected content: $FAILED_WRAPPERS"
           exit 1
         fi
+
+  wrapper-validation-minimum-wrapper-count:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Initialize integ-test
+      uses: ./.github/actions/init-integ-test
+
+    - name: Run wrapper-validation-action
+      id: action-test
+      uses: ./wrapper-validation
+      with:
+        # to allow the invalid wrapper jar present in test data
+        allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+        min-wrapper-count: 11
+      # Expected to fail; validated below
+      continue-on-error: true
+
+    - name: Check outcome
+      env:
+        # Evaluate workflow expressions here as env variable values instead of inside shell script
+        # below to not accidentally inject code into shell script or break its syntax
+        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
+      shell: bash
+      run: |
+        if [ "$VALIDATION_FAILED" != "true" ] ; then
+          echo "Expected validation to fail, but it didn't"
+          exit 1
+        fi
+
+  wrapper-validation-zero-wrappers:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Checkout the repository with no wrappers
+      with:
+        sparse-checkout: |
+          .github/actions
+          dist
+          wrapper-validation
+    - name: Initialize integ-test
+      uses: ./.github/actions/init-integ-test
+
+    - name: Run wrapper-validation-action
+      id: action-test
+      uses: ./wrapper-validation
+      # Expected to fail; validated below
+      continue-on-error: true
+
+    - name: Check outcome
+      env:
+        # Evaluate workflow expressions here as env variable values instead of inside shell script
+        # below to not accidentally inject code into shell script or break its syntax
+        VALIDATION_FAILED: ${{ steps.action-test.outcome == 'failure' }}
+      shell: bash
+      run: |
+        if [ "$VALIDATION_FAILED" != "true" ] ; then
+          echo "Expected validation to fail, but it didn't"
+          exit 1
+        fi

.github/workflows/suite-integ-test-caching.yml

@@ -0,0 +1,55 @@
+name: suite-integ-test-caching
+
+on:
+  workflow_call:
+    inputs:
+      runner-os:
+        type: string
+        default: '["ubuntu-latest"]'
+      skip-dist:
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  cache-cleanup:
+    uses: ./.github/workflows/integ-test-cache-cleanup.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  caching-config:
+    uses: ./.github/workflows/integ-test-caching-config.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  restore-configuration-cache:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    uses: ./.github/workflows/integ-test-restore-configuration-cache.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}
+    secrets:
+      GRADLE_ENCRYPTION_KEY: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+
+  restore-containerized-gradle-home:
+    uses: ./.github/workflows/integ-test-restore-containerized-gradle-home.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}
+
+  restore-custom-gradle-home:
+    uses: ./.github/workflows/integ-test-restore-custom-gradle-home.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}
+
+  restore-gradle-home:
+    uses: ./.github/workflows/integ-test-restore-gradle-home.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}
+
+  restore-java-toolchain:
+    uses: ./.github/workflows/integ-test-restore-java-toolchain.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}

.github/workflows/suite-integ-test-other.yml

@@ -0,0 +1,85 @@
+name: suite-integ-test-other
+
+on:
+  workflow_call:
+    inputs:
+      runner-os:
+        type: string
+        default: '["ubuntu-latest"]'
+      skip-dist:
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  build-scan-publish:
+    uses: ./.github/workflows/integ-test-build-scan-publish.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  dependency-graph:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    uses: ./.github/workflows/integ-test-dependency-graph.yml
+    permissions:
+      contents: write
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  dependency-submission:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    uses: ./.github/workflows/integ-test-dependency-submission.yml
+    permissions:
+      contents: write
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  dependency-submission-failures:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    uses: ./.github/workflows/integ-test-dependency-submission-failures.yml
+    permissions:
+      contents: write
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  develocity-injection:
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
+    uses: ./.github/workflows/integ-test-inject-develocity.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}
+    secrets:
+      DEVELOCITY_ACCESS_KEY: ${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}
+
+  provision-gradle-versions:
+    uses: ./.github/workflows/integ-test-provision-gradle-versions.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  sample-kotlin-dsl:
+    uses: ./.github/workflows/integ-test-sample-kotlin-dsl.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  sample-gradle-plugin:
+    uses: ./.github/workflows/integ-test-sample-gradle-plugin.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}
+
+  toolchain-detection:
+    uses: ./.github/workflows/integ-test-detect-toolchains.yml
+    with:
+      skip-dist: ${{ inputs.skip-dist }}
+
+  wrapper-validation:
+    uses: ./.github/workflows/integ-test-wrapper-validation.yml
+    with:
+      runner-os: '${{ inputs.runner-os }}'
+      skip-dist: ${{ inputs.skip-dist }}

.github/workflows/update-checksums-file.yml

@@ -7,20 +7,22 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-checksums:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Update checksums
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20
           cache: npm
@@ -28,7 +30,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          npm install typed-rest-client@1.8.11 --no-save
+          npm clean-install typed-rest-client@1.8.11 --no-save
         working-directory: sources
 
       - name: Update checksums file
@@ -37,7 +39,7 @@ jobs:
 
       # If there are no changes, this action will not create a pull request
       - name: Create or update pull request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           branch: bot/wrapper-checksums-update
           commit-message: Update known wrapper checksums

CONTRIBUTING.md

@@ -3,8 +3,9 @@
 The `build` script in the project root provides a convenient way to perform many local build tasks:
 1. `./build` will lint and compile typescript sources
 2. `./build all` will lint and compile typescript and run unit tests
-3. `./build init-scripts` will run the init-script integration tests
-4. `./build act <act-commands>` will run `act` after building local changes (see below)
+3. `./build install` will install npm packages followed by lint and compile
+4. `./build init-scripts` will run the init-script integration tests
+5. `./build act <act-commands>` will run `act` after building local changes (see below)
 
 ## Using `act` to run integ-test workflows locally
 

README.md

@@ -1,5 +1,7 @@
 # GitHub Actions for Gradle builds
 
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gradle/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/gradle/actions)
+
 This repository contains a set of GitHub Actions that are useful for building Gradle projects on GitHub.
 
 ## The `setup-gradle` action
@@ -30,7 +32,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
     - name: Build with Gradle
       run: ./gradlew build
 ```
@@ -68,7 +70,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 ```
 
 See the [full action documentation](docs/dependency-submission.md) for more advanced usage scenarios.
@@ -79,6 +81,9 @@ The `wrapper-validation` action validates the checksums of _all_ [Gradle Wrapper
 
 The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
 
+Starting with v4 the `setup-gradle` action will [perform wrapper validation](docs/setup-gradle.md#gradle-wrapper-validation) on each execution.
+If you are using `setup-gradle` in your workflows, it is unlikely that you will need to use the `wrapper-validation` action.
+
 ### Example workflow
 
 ```yaml
@@ -94,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v3
+      - uses: gradle/actions/wrapper-validation@v4
 ```
 
 See the [full action documentation](docs/wrapper-validation.md) for more advanced usage scenarios.

RELEASING.md

@@ -5,58 +5,27 @@
 - Check that https://github.com/gradle/actions/actions is green for all workflows for the main branch.
   - This should include any workflows triggered by `[bot] Update dist directory`
 - Decide on the version number to use for the release. The action releases should follow semantic versioning.
-  - By default, a patch release is assumed (eg. `3.0.0` → `3.0.1`)
-  - If new features have been added, bump the minor version (eg `3.1.1` → `3.2.0`)
-  - If a new major release is required, bump the major version (eg `3.1.1` → `4.0.0`)
+  - By default, a patch release is assumed (eg. `4.0.0` → `4.0.1`)
+  - If new features have been added, bump the minor version (eg `4.1.1` → `4.2.0`)
+  - If a new major release is required, bump the major version (eg `4.1.1` → `5.0.0`)
   - Note: The gradle actions follow the GitHub Actions convention of including a .0 patch number for the first release of a minor version, unlike the Gradle convention which omits the trailing .0.
 
 ## Release gradle/actions
-- Create a tag for the release. The tag should have the format `v3.1.0`
-  - From CLI: `git tag v3.1.0 && git push --tags`
+- Create a tag for the release. The tag should have the format `v4.1.0`
+  - From CLI: `git tag v4.1.0 && git push --tags`
 - Go to https://github.com/gradle/actions/releases and "Draft new release"
   - Use the newly created tag and copy the tag name exactly as the release title.
   - Craft release notes content based on issues closed, PRs merged and commits
   - Include a Full changelog link in the format https://github.com/gradle/actions/compare/v2.12.0...v3.0.0
 - Publish the release.
-- Force push the `v3` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
-  - From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
+- Force push the `v4` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
+  - From CLI: `git tag -f -a -m "v4.0.0" v4 v4.0.0 && git push -f --tags`
   - Note that we set the commit message for the tag to the newly released version.
 
-## Release gradle/gradle-build-action
-
-During the 3.x release series, we will continue to publish parallel releases of `gradle/gradle-build-action`. These releases will simply delegate to `gradle/actions/setup-gradle` with the same version.
-
-- Update the [gradle-build-action action.yml](https://github.com/gradle/gradle-build-action/blob/main/action.yml#L162) file to point to the newly released version of `gradle/actions/setup-gradle`.
-- Ensure that any parameters that have been added to the setup-gradle action are added to the gradle-build-action definition, and that these are passed on to setup-gradle.
-- Create and push a tag for the release.
-  - From CLI: `git tag v3.1.0 && git push --tags`
-- Go to https://github.com/gradle/gradle-build-action/releases and "Draft new release"
-  - Use the newly created tag and copy the tag name exactly as the release title.
-  - In the release notes, point users to the gradle/actions release. Include a header informing users to switch to `gradle/actions/setup-gradle`.
-- Publish the release.
-- Force push the `v3` tag (or current major version) to point to the new release.
-  - From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
-
-## Release gradle/wrapper-validation-action
-
-During the 3.x release series, we will continue to publish parallel releases of `gradle/wrapper-validation-action`. These releases will simply delegate to `gradle/actions/wrapper-validation` with the same version.
-
-- Update the [wrapper-validation-action action.yml](https://github.com/gradle/wrapper-validation-action/blob/main/action.yml#L162) file to point to the newly released version of `gradle/actions/wrapper-validation`.
-- Ensure that any parameters that have been added to the `wrapper-validation` action (if any) are added to the action definition, and that these are passed on to setup-gradle.
-- Create and push a tag for the release.
-  - From CLI: `git tag v3.1.0 && git push --tags`
-- Go to https://github.com/gradle/wrapper-validation-action/releases and "Draft new release"
-  - Use the newly created tag and copy the tag name exactly as the release title.
-  - In the release notes, point users to the gradle/actions release. Include a header informing users to switch to `gradle/actions/wrapper-validation`.
-- Publish the release.
-- Force push the `v3` tag (or current major version) to point to the new release.
-  - From CLI: `git tag -f -a -m "v3.0.0" v3 v3.0.0 && git push -f --tags`
-
 ## Post release steps
 
 Submit PRs to update the GitHub starter workflow. Starter workflows contain content that should reference the Git hash of the current gradle/actions release:
-https://github.com/actions/starter-workflows has [gradle](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml) and [gradle-publish](https://github.com/actions/starter-workflows/blob/main/ci/gradle-publish.yml): see [the v2.1.4 update PR](https://github.com/actions/starter-workflows/pull/1489) for an example.
+https://github.com/actions/starter-workflows has [gradle](https://github.com/actions/starter-workflows/blob/main/ci/gradle.yml) and [gradle-publish](https://github.com/actions/starter-workflows/blob/main/ci/gradle-publish.yml): see [the v4.0.0 update PR](https://github.com/actions/starter-workflows/pull/2468) for an example.
 
 Submit PRs to update the GitHub documentation. The documentation contains content that should reference the Git hash of the current gradle/actions release:
-https://github.com/github/docs has [building-and-testing-java-with-gradle](https://github.com/github/docs/blob/main/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md) and [publishing-java-packages-with-gradle](https://github.com/github/docs/blob/main/content/actions/publishing-packages/publishing-java-packages-with-gradle.md) : see [the v2.1.4 update PR](https://github.com/github/docs/pull/16392) for an example.
-
+https://github.com/github/docs has [building-and-testing-java-with-gradle](https://github.com/github/docs/blob/main/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md) and [publishing-java-packages-with-gradle](https://github.com/github/docs/blob/main/content/actions/publishing-packages/publishing-java-packages-with-gradle.md) : see [the v4.0.0 update PR](https://github.com/github/docs/pull/34239) for an example.

build

@@ -4,12 +4,10 @@ cd sources
 
 case "$1" in
     all)
-        npm clean-install
         npm run all
         ;;
     act)
         # Build and copy outputs to the dist directory
-        npm install
         npm run build
         cd ..
         cp -r sources/dist .
@@ -18,18 +16,21 @@ case "$1" in
         # Revert the changes to the dist directory
         git checkout -- dist
         ;;
-    init-scripts)
-        cd test/init-scripts
-        ./gradlew check
-        ;;
     dist)
-        npm install
+        npm clean-install
         npm run build
         cd ..
         cp -r sources/dist .
         ;;
+    init-scripts)
+        cd test/init-scripts
+        ./gradlew check
+        ;;
+    install)
+        npm clean-install
+        npm run build
+        ;;
     *)
-        npm install
         npm run build
         ;;
 esac

dependency-submission/README.md

@@ -29,7 +29,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 ```
 
 See the [full action documentation](../docs/dependency-submission.md) for more advanced usage scenarios.

dependency-submission/action.yml

@@ -60,7 +60,8 @@ inputs:
   cache-cleanup:
     description: |
       Specifies if the action should attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
-      By default, no cleanup is performed. It can be configured to run every time, or only when all Gradle builds succeed for the Job. 
+      By default ('on-success'), cleanup is performed when all Gradle builds succeed for the Job. 
+      This behaviour can be disabled ('never'), or configured to always run irrespective of the build outcome ('always').
       Valid values are 'never', 'on-success' and 'always'.
     required: false
     default: 'on-success'
@@ -172,6 +173,21 @@ inputs:
     description: The Develocity short-lived access tokens expiry in hours. Default is 2 hours.
     required: false
 
+  # Wrapper validation configuration
+  validate-wrappers:
+    description: |
+      When 'true' the action will automatically validate all wrapper jars found in the repository.
+      If the wrapper checksums are not valid, the action will fail.
+    required: false
+    default: false
+
+  allow-snapshot-wrappers:
+    description: |
+      When 'true', wrapper validation will include the checksums of snapshot wrapper jars. 
+      Use this if you are running with nightly or snapshot versions of the Gradle wrapper.
+    required: false
+    default: false
+
   # DEPRECATED ACTION INPUTS
 
   # EXPERIMENTAL ACTION INPUTS

docs/dependency-submission.md

@@ -43,7 +43,7 @@ jobs:
         java-version: 17
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 ```
 
 ### Gradle execution
@@ -68,7 +68,7 @@ Three input parameters are required, one to enable publishing and two more to ac
 
 ```yaml
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
@@ -83,7 +83,7 @@ In some cases, the default action configuration will not be sufficient, and addi
 
 ```yaml
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
       with:
         # Use a particular Gradle version instead of the configured wrapper.
         gradle-version: 8.6
@@ -273,7 +273,7 @@ For example, if you want to exclude dependencies resolved by the `buildSrc` proj
 
 ```yaml
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
       with:
         # Exclude all dependencies that originate solely in the 'buildSrc' project
         dependency-graph-exclude-projets: ':buildSrc'
@@ -317,10 +317,10 @@ jobs:
         java-version: 17
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
 
     - name: Perform dependency review
-      uses: actions/dependency-review-action@v3
+      uses: actions/dependency-review-action@v4
 ```
 
 ## Usage with pull requests from public forked repositories
@@ -353,7 +353,7 @@ jobs:
         java-version: 17
 
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
       with:
         dependency-graph: generate-and-upload
 ```
@@ -376,7 +376,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download and submit dependency graph
-      uses: gradle/actions/dependency-submission@v3
+      uses: gradle/actions/dependency-submission@v4
       with:
         dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```
@@ -403,7 +403,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: 'Dependency Review'
-      uses: actions/dependency-review-action@v3
+      uses: actions/dependency-review-action@v4
       with:
         retry-on-snapshot-warnings: true
         retry-on-snapshot-warnings-timeout: 600

docs/deprecation-upgrade-guide.md

@@ -20,7 +20,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/setup-gradle@v3
+    uses: gradle/actions/setup-gradle@v4
 ```
 
 ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
@@ -40,7 +40,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/wrapper-validation@v3
+    uses: gradle/actions/wrapper-validation@v4
 ```
 
 ## Using the action to execute Gradle via the `arguments` parameter is deprecated
@@ -82,7 +82,7 @@ The exact syntax depends on whether or not your project is configured with the [
 
 ```
 - name: Setup Gradle
-  uses: gradle/actions/setup-gradle@v3
+  uses: gradle/actions/setup-gradle@v4
 
 - name: Assemble the project
   run: ./gradlew assemble
@@ -99,9 +99,9 @@ The exact syntax depends on whether or not your project is configured with the [
 
 ```
 - name: Setup Gradle for a non-wrapper project
-  uses: gradle/actions/setup-gradle@v3
+  uses: gradle/actions/setup-gradle@v4
   with:
-    gradle-version: 8.9
+    gradle-version: "8.11"
 
 - name: Assemble the project
   run: gradle assemble

docs/setup-gradle.md

@@ -45,7 +45,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
 
     - name: Execute Gradle build
       run: ./gradlew build
@@ -57,11 +57,11 @@ The `setup-gradle` action can download and install a specified Gradle version, a
 Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid having to download them again later.
 
 ```yaml
- - name: Setup Gradle 8.5
-   uses: gradle/actions/setup-gradle@v3
+ - name: Setup Gradle 8.10
+   uses: gradle/actions/setup-gradle@v4
    with:
-     gradle-version: 8.5
-  - name: Build with Gradle 8.5
+     gradle-version: "8.10" # Quotes required to prevent YAML converting to number
+  - name: Build with Gradle 8.10
     run: gradle build
 ```
 
@@ -96,7 +96,7 @@ jobs:
         distribution: temurin
         java-version: 17
 
-    - uses: gradle/actions/setup-gradle@v3
+    - uses: gradle/actions/setup-gradle@v4
       id: setup-gradle
       with:
         gradle-version: release-candidate
@@ -196,6 +196,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
 in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
 secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
 
+> [!IMPORTANT]
+> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
+
 To benefit from configuration caching in your GitHub Actions workflow, you must:
 - Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
 - Enable the configuration cache for your build.
@@ -213,14 +216,17 @@ jobs:
         distribution: temurin
         java-version: 17
 
-    - uses: gradle/actions/setup-gradle@v3
+    - uses: gradle/actions/setup-gradle@v4
       with:
         gradle-version: 8.6
         cache-encryption-key: ${{ secrets.GradleEncryptionKey }}
     - run: gradle build --configuration-cache
 ```
 
-> [!IMPORTANT]
+Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
+This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
+
+> [!NOTE]
 > The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
 > This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
 > This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@@ -455,7 +461,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure'
 
@@ -492,17 +498,17 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
 
     - name: Run build with Gradle wrapper
       run: ./gradlew build --scan
 
     - name: Upload build reports
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: always()
       with:
         name: build-reports
-        path: build/reports/
+        path: **/build/reports/
 ```
 
 ### Use of custom init-scripts in Gradle User Home
@@ -515,14 +521,30 @@ Since Gradle applies init scripts in alphabetical order, one way to ensure this
 
 ## Gradle Wrapper validation
 
-Instead of using the [wrapper-validation action](./wrapper-validation.md) separately, you can enable
-wrapper validation directly in your Setup Gradle step.
+By default, this action will perform the same wrapper validation as is performed by the dedicated 
+[wrapper-validation action](./wrapper-validation.md). 
+This means that invalid wrapper jars will be automatically detected when using `setup-gradle`. 
+
+If you do not want wrapper-validation to occur automatically, you can disable it:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        validate-wrappers: false
+```
+
+If your repository uses snapshot versions of the Gradle wrapper, such as nightly builds, then you'll need to 
+explicitly allow snapshot wrappers in wrapper validation.
+These are not allowed by default.
+
+
+```yaml
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@v4
       with:
         validate-wrappers: true
+        allow-snapshot-wrappers: true
 ```
 
 If you need more advanced configuration, then you're advised to continue using a separate workflow step
@@ -584,7 +606,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate-and-submit
     - name: Run the usual CI build (dependency-graph will be generated and submitted post-job)
@@ -611,7 +633,7 @@ graph cannot be generated or submitted. You can enable this behavior with the `d
 
 ```yaml
 # Ensure that the workflow Job will fail if the dependency graph cannot be submitted
-- uses: gradle/actions/setup-gradle@v3
+- uses: gradle/actions/setup-gradle@v4
   with:
     dependency-graph: generate-and-submit
     dependency-graph-continue-on-failure: false
@@ -636,7 +658,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate-and-submit
     - name: Run a build, resolving the 'dependency-graph' plugin from the plugin portal proxy
@@ -666,7 +688,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate-and-submit
     - name: Build the app, generating a graph of dependencies required
@@ -702,20 +724,112 @@ To reduce storage costs for these artifacts, you can set the `artifact-retention
 
 ```yaml
     - name: Generate dependency graph, but only retain artifact for one day
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate
         artifact-retention-days: 1
 ```
 
-# Develocity plugin injection
+# Develocity Build Scan® integration
 
-The `setup-gradle` action provides support for injecting and configuring the Develocity Gradle plugin into any Gradle build, without any modification to the project sources.
-This is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
+Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
+detailed report of the execution of the build, including which tasks were executed and the results of any test execution.
+
+The `setup-gradle` plugin provides a number of features to enable and enhance publishing Build Scans® to a Develocity instance.
+
+## Publishing to scans.gradle.com
+
+If you don't have a a private Develocity instance, you can easily publish Build Scans to the 
+free, public Develocity instance (https://scans.gradle.com).
+
+To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use).
+
+```yaml
+    - name: Setup Gradle to publish build scans
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        build-scan-publish: true
+        build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
+        build-scan-terms-of-use-agree: "yes"
+
+    - name: Run a Gradle build - a build scan will be published automatically
+      run: ./gradlew build
+```
+
+## Managing Develocity access keys
+
+Develocity access keys are long-lived, creating risks if they are leaked. To mitigate this risk this, 
+the `setup-gradle` action can automatically attempt to obtain a [short-lived access token](https://docs.gradle.com/develocity/gradle-plugin/current/#short_lived_access_tokens)
+to use when authenticating with Develocity. 
+The short-lived access token will then be used wherever a Develocity access key is required.
+
+```yaml
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }} # Long-lived access key, visiblility is restricted to this step.
+
+    # Subsequent steps will automatically use a short-lived access token to authenticate with Develocity
+    - name: Run a Gradle build that is configured to publish to Develocity.
+      run: ./gradlew build
+```
+
+### Increasing the expiry time for Develocity access tokens
+
+By default, a short-lived Develocity access token will be valid for 2 hours from the time it is generated. If your workflows take longer than
+2 hours to complete, you may see failure to publish Build Scans due to access token expiry.
+
+To avoid this, use the `develocity-token-expiry` parameter to specify a different token expiry in hours.
+
+```yaml
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
+        develocity-token-expiry: 8 # The number of hours that the access token should remain valid (max 24).
+```
+
+### Develocity access key supplied as environment variable
+
+The preferred mechanism is to supply the long-lived Develocity access key directly to `setup-gradle` via 
+the `develocity-access-key` input variable. However, the action will also detect an access key configured as an environment variable,
+such as `DEVELOCITY_ACCESS_KEY` or `GRADLE_ENTERPRISE_ACCESS_KEY`. In this case, the environment variable value will be replaced by 
+a short-lived access token, thus hiding the long-lived access key from subsequent steps.
+
+```yaml
+env:
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
+
+jobs:
+  build-with-gradle:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@v4
+
+    # The build will automatically use a short-lived access token to authenticate with Develocity
+    - name: Run a Gradle build that is configured to publish to Develocity.
+      run: ./gradlew build
+```
+
+### Failure to obtain a short-lived access token
+
+If a short-lived token cannot be retrieved (for example, if the Develocity server version is lower than `2024.1`):
+ - If the access key is provided via `develocity-access-key`, then no access token is set and authentication with Develocity will not succeed.
+ - If the access key is provided via an environment variable, a warning will be logged and the environment variable will be left as-is. 
+   This can result in long-lived access keys being unintentionally exposed to other workflow steps.
+For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
+
+## Develocity plugin injection
+
+The `setup-gradle` action provides support for transparently injecting and configuring the Develocity Gradle plugin into any Gradle build, 
+without any modification to the project sources. This allows Build Scans to be published for a repository without any changes to the project sources.
+
+Develocity injection is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
 
 The same auto-injection behavior is available for the Common Custom User Data Gradle plugin, which enriches any build scans published with additional useful information.
 
-## Enabling Develocity injection
+### Enabling Develocity injection
 
 To enable Develocity injection for your build, you must provide the required configuration via inputs.
 
@@ -723,7 +837,7 @@ Here's a minimal example:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         develocity-injection-enabled: true
         develocity-url: https://develocity.your-server.com
@@ -733,14 +847,14 @@ Here's a minimal example:
       run: ./gradlew build
 ```
 
-This configuration will automatically apply `v3.17.5` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.18.2` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
 
 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
 
@@ -754,14 +868,7 @@ In the likely scenario that your Develocity server requires authentication, you
 
 This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable.
 
-### Short-lived access tokens
-Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them.
-If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`):
- - if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning
- - otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
-For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
-
-## Configuring Develocity injection
+### Configuring Develocity injection
 
 The `init-script` supports several additional configuration parameters that you may find useful. All configuration options (required and optional) are detailed below:
 
@@ -798,33 +905,16 @@ Here's an example using the env vars:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
 
     - name: Run a Gradle build with Develocity injection enabled with environment variables
       run: ./gradlew build
       env:
         DEVELOCITY_INJECTION_ENABLED: true
         DEVELOCITY_URL: https://develocity.your-server.com
-        DEVELOCITY_PLUGIN_VERSION: 3.17.5
-```
-
-## Publishing to scans.gradle.com
-
-Develocity injection is designed to enable the publishing of build scans to a Develocity instance,
-but is also useful for publishing to the public Build Scans instance (https://scans.gradle.com).
-
-To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use).
-
-```yaml
-    - name: Setup Gradle to publish build scans
-      uses: gradle/actions/setup-gradle@v3
-      with:
-        build-scan-publish: true
-        build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
-        build-scan-terms-of-use-agree: "yes"
-
-    - name: Run a Gradle build - a build scan will be published automatically
-      run: ./gradlew build
+        DEVELOCITY_ENFORCE_URL: true
+        DEVELOCITY_PLUGIN_VERSION: "3.18.1"
+        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.0.2"
 ```
 
 # Dependency verification

docs/wrapper-validation.md

@@ -4,6 +4,12 @@ This action validates the checksums of _all_ [Gradle Wrapper](https://docs.gradl
 
 The action should be run in the root of the repository, as it will recursively search for any files named `gradle-wrapper.jar`.
 
+> [!NOTE]
+> Starting with v4 the `setup-gradle` action will automatically [perform wrapper validation](../docs/setup-gradle.md#gradle-wrapper-validation)
+> on each execution.
+> 
+> If you are using `setup-gradle` in your workflows, it is unlikely that you will need to use the `wrapper-validation` action.
+
 ## The Gradle Wrapper Problem in Open Source
 
 The `gradle-wrapper.jar` is a binary blob of executable code that is checked into nearly
@@ -44,7 +50,7 @@ We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/
 Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
 
 ```yaml
-uses: gradle/actions/wrapper-validation@v3
+uses: gradle/actions/wrapper-validation@v4
 ```
 
 This action step should precede any step using `gradle/gradle-build-action` or `gradle/actions/setup-gradle`.
@@ -67,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v3
+      - uses: gradle/actions/wrapper-validation@v4
 ```
 
 ## Contributing to an external GitHub Repository
@@ -90,18 +96,22 @@ We recommend the message commit contents of:
 
 From there, you can easily follow the rest of the prompts to create a Pull Request against the project.
 
-## Reporting Failures
+## Validation Failures
 
-If this GitHub action fails because a `gradle-wrapper.jar` doesn't match one of our published SHA-256 checksums,
+A wrapper jar can fail validation for a few reasons:
+1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
+   or `allow-snapshot-wrappers` to `true`.
+2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
+3. The wrapper jar was not published by Gradle, and could be compromised.
+
+If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
 
-**Note:** `gradle-wrapper.jar` generated by Gradle 3.3 to 4.0 are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. You should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
+#### Unverifiable Wrapper Jars
+Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable because those files were dynamically generated by Gradle in a non-reproducible way. It's not possible to verify the `gradle-wrapper.jar` for those versions are legitimate using a hash comparison. If you have a validation failure, you should try to determine if the `gradle-wrapper.jar` was generated by one of these versions before running the build.
 
-If the Gradle version in `gradle-wrapper.properties` is out of this range, you may need to regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. If you need to use a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
-
-If you're curious and want to explore what the differences are between the `gradle-wrapper.jar` in your possession
-and one of our valid release, you can compare them using this online utility: [diffoscope](https://try.diffoscope.org/).
-Regardless of what you find, we still kindly request that you reach out to us and let us know.
+- If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
+- If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
 
 ## Resources
 

setup-gradle/README.md

@@ -26,7 +26,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v3
+      uses: gradle/actions/setup-gradle@v4
     - name: Build with Gradle
       run: ./gradlew build
 ```

setup-gradle/action.yml

@@ -43,7 +43,8 @@ inputs:
   cache-cleanup:
     description: |
       Specifies if the action should attempt to remove any stale/unused entries from the Gradle User Home prior to saving to the GitHub Actions cache.
-      By default, no cleanup is performed. It can be configured to run every time, or only when all Gradle builds succeed for the Job. 
+      By default ('on-success'), cleanup is performed when all Gradle builds succeed for the Job. 
+      This behaviour can be disabled ('never'), or configured to always run irrespective of the build outcome ('always').
       Valid values are 'never', 'on-success' and 'always'.
     required: false
     default: 'on-success'
@@ -190,9 +191,16 @@ inputs:
   # Wrapper validation configuration
   validate-wrappers:
     description: |
-      When 'true', the action will perform the 'wrapper-validation' action automatically.
+      When 'true' (the default) the action will automatically validate all wrapper jars found in the repository.
       If the wrapper checksums are not valid, the action will fail.
     required: false
+    default: true
+
+  allow-snapshot-wrappers:
+    description: |
+      When 'true', wrapper validation will include the checksums of snapshot wrapper jars. 
+      Use this if you are running with nightly or snapshot versions of the Gradle wrapper.
+    required: false
     default: false
 
   # DEPRECATED ACTION INPUTS

sources/.tool-versions

@@ -1,3 +1,3 @@
 # Configuration file for asdf version manager
 nodejs 20.10.0
-gradle 8.9
+gradle 8.11

sources/package.json

@@ -32,40 +32,40 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "2.1.4",
-    "@actions/cache": "3.2.4",
-    "@actions/core": "1.10.1",
+    "@actions/artifact": "2.1.11",
+    "@actions/cache": "3.3.0",
+    "@actions/core": "1.11.1",
     "@actions/exec": "1.1.1",
     "@actions/github": "6.0.0",
-    "@actions/glob": "0.4.0",
-    "@actions/http-client": "2.2.1",
+    "@actions/glob": "0.5.0",
+    "@actions/http-client": "2.2.3",
     "@actions/tool-cache": "2.0.1",
-    "@octokit/rest": "20.1.0",
-    "@octokit/webhooks-types": "7.5.0",
-    "semver": "7.6.0",
+    "@octokit/rest": "21.0.2",
+    "@octokit/webhooks-types": "7.6.1",
+    "cheerio": "^1.0.0",
+    "semver": "7.6.3",
     "string-argv": "0.3.2",
-    "typed-rest-client": "1.8.11",
+    "typed-rest-client": "2.1.0",
     "unhomoglyph": "1.0.6",
-    "which": "4.0.0"
+    "which": "5.0.0"
   },
   "devDependencies": {
-    "@types/jest": "29.5.12",
-    "@types/node": "20.12.4",
-    "@types/unzipper": "0.10.9",
+    "@types/jest": "29.5.14",
+    "@types/node": "20.17.6",
+    "@types/unzipper": "0.10.10",
     "@types/which": "3.0.4",
-    "@typescript-eslint/parser": "7.5.0",
-    "@vercel/ncc": "0.38.1",
-    "eslint": "8.57.0",
-    "eslint-plugin-github": "4.10.2",
-    "eslint-plugin-jest": "27.9.0",
-    "eslint-plugin-prettier": "5.1.3",
+    "@typescript-eslint/parser": "7.18.0",
+    "@vercel/ncc": "0.38.3",
+    "eslint": "8.57.1",
+    "eslint-plugin-github": "5.0.2",
+    "eslint-plugin-jest": "28.9.0",
     "jest": "29.7.0",
     "js-yaml": "4.1.0",
-    "nock": "13.5.4",
+    "nock": "13.5.6",
     "npm-run-all": "4.1.5",
     "patch-package": "8.0.0",
-    "prettier": "3.2.5",
-    "ts-jest": "29.1.2",
-    "typescript": "5.4.3"
+    "prettier": "3.3.3",
+    "ts-jest": "29.2.5",
+    "typescript": "5.6.3"
   }
 }

sources/src/actions/dependency-submission/main.ts

@@ -10,7 +10,8 @@ import {
     DependencyGraphConfig,
     DependencyGraphOption,
     GradleExecutionConfig,
-    setActionId
+    setActionId,
+    WrapperValidationConfig
 } from '../../configuration'
 import {saveDeprecationState} from '../../deprecation-collector'
 import {handleMainActionError} from '../../errors'
@@ -23,7 +24,7 @@ export async function run(): Promise<void> {
         setActionId('gradle/actions/dependency-submission')
 
         // Configure Gradle environment (Gradle User Home)
-        await setupGradle.setup(new CacheConfig(), new BuildScanConfig())
+        await setupGradle.setup(new CacheConfig(), new BuildScanConfig(), new WrapperValidationConfig())
 
         // Capture the enabled state of dependency-graph
         const originallyEnabled = process.env['GITHUB_DEPENDENCY_GRAPH_ENABLED']

sources/src/actions/setup-gradle/main.ts

@@ -6,7 +6,7 @@ import {
     CacheConfig,
     DependencyGraphConfig,
     GradleExecutionConfig,
-    doValidateWrappers,
+    WrapperValidationConfig,
     getActionId,
     setActionId
 } from '../../configuration'
@@ -26,13 +26,8 @@ export async function run(): Promise<void> {
 
         setActionId('gradle/actions/setup-gradle')
 
-        // Check for invalid wrapper JARs if requested
-        if (doValidateWrappers()) {
-            await setupGradle.checkNoInvalidWrapperJars()
-        }
-
         // Configure Gradle environment (Gradle User Home)
-        await setupGradle.setup(new CacheConfig(), new BuildScanConfig())
+        await setupGradle.setup(new CacheConfig(), new BuildScanConfig(), new WrapperValidationConfig())
 
         // Configure the dependency graph submission
         await dependencyGraph.setup(new DependencyGraphConfig())

sources/src/actions/wrapper-validation/main.ts

@@ -18,15 +18,23 @@ export async function run(): Promise<void> {
 
         const result = await validate.findInvalidWrapperJars(
             path.resolve('.'),
-            +core.getInput('min-wrapper-count'),
             core.getInput('allow-snapshots') === 'true',
             core.getInput('allow-checksums').split(',')
         )
         if (result.isValid()) {
             core.info(result.toDisplayString())
+
+            const minWrapperCount = +core.getInput('min-wrapper-count')
+            if (result.valid.length < minWrapperCount) {
+                const message =
+                    result.valid.length === 0
+                        ? 'Wrapper validation failed: no Gradle Wrapper jars found. Did you forget to checkout the repository?'
+                        : `Wrapper validation failed: expected at least ${minWrapperCount} Gradle Wrapper jars, but found ${result.valid.length}.`
+                core.setFailed(message)
+            }
         } else {
             core.setFailed(
-                `Gradle Wrapper Validation Failed!\n  See https://github.com/gradle/actions/blob/main/docs/wrapper-validation.md#reporting-failures\n${result.toDisplayString()}`
+                `At least one Gradle Wrapper Jar failed validation!\n  See https://github.com/gradle/actions/blob/main/docs/wrapper-validation.md#validation-failures\n${result.toDisplayString()}`
             )
             if (result.invalid.length > 0) {
                 core.setOutput('failed-wrapper', `${result.invalid.map(w => w.path).join('|')}`)

sources/src/caching/cache-cleaner.ts

@@ -1,7 +1,9 @@
 import * as core from '@actions/core'
+import * as exec from '@actions/exec'
+
 import fs from 'fs'
 import path from 'path'
-import {provisionAndMaybeExecute} from '../execution/gradle'
+import * as provisioner from '../execution/provision'
 
 export class CacheCleaner {
     private readonly gradleUserHome: string
@@ -24,9 +26,8 @@ export class CacheCleaner {
         await this.forceCleanupFilesOlderThan(cleanTimestamp)
     }
 
+    // Visible for testing
     async forceCleanupFilesOlderThan(cleanTimestamp: string): Promise<void> {
-        core.info(`Cleaning up caches before ${cleanTimestamp}`)
-
         // Run a dummy Gradle build to trigger cache cleanup
         const cleanupProjectDir = path.resolve(this.tmpDir, 'dummy-cleanup-project')
         fs.mkdirSync(cleanupProjectDir, {recursive: true})
@@ -43,18 +44,29 @@ export class CacheCleaner {
                 settings.caches {
                     cleanup = Cleanup.ALWAYS
             
-                    releasedWrappers.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    snapshotWrappers.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    downloadedResources.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    createdResources.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    buildCache.removeUnusedEntriesOlderThan.set(cleanupTime)
+                    releasedWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    snapshotWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    downloadedResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    createdResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    buildCache.setRemoveUnusedEntriesOlderThan(cleanupTime)
                 }
             }
             `
         )
         fs.writeFileSync(path.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}')
 
-        await provisionAndMaybeExecute('current', cleanupProjectDir, [
+        // Gradle >= 8.11 required for cache cleanup
+        // TODO: This is ineffective: we should be using the newest version of Gradle that ran a build, or a newer version if it's available on PATH.
+        const executable = await provisioner.provisionGradleAtLeast('8.11')
+
+        await core.group('Executing Gradle to clean up caches', async () => {
+            core.info(`Cleaning up caches last used before ${cleanTimestamp}`)
+            await this.executeCleanupBuild(executable, cleanupProjectDir)
+        })
+    }
+
+    private async executeCleanupBuild(executable: string, cleanupProjectDir: string): Promise<void> {
+        const args = [
             '-g',
             this.gradleUserHome,
             '-I',
@@ -65,6 +77,10 @@ export class CacheCleaner {
             '--build-cache',
             '-DGITHUB_DEPENDENCY_GRAPH_ENABLED=false',
             'noop'
-        ])
+        ]
+
+        await exec.exec(executable, args, {
+            cwd: cleanupProjectDir
+        })
     }
 }

sources/src/caching/cache-reporting.ts

@@ -110,10 +110,12 @@ export class CacheEntryListener {
     requestedRestoreKeys: string[] | undefined
     restoredKey: string | undefined
     restoredSize: number | undefined
+    restoredTime: number | undefined
     notRestored: string | undefined
 
     savedKey: string | undefined
     savedSize: number | undefined
+    savedTime: number | undefined
     notSaved: string | undefined
 
     constructor(entryName: string) {
@@ -130,9 +132,10 @@ export class CacheEntryListener {
         return this
     }
 
-    markRestored(key: string, size: number | undefined): CacheEntryListener {
+    markRestored(key: string, size: number | undefined, time: number): CacheEntryListener {
         this.restoredKey = key
         this.restoredSize = size
+        this.restoredTime = time
         return this
     }
 
@@ -141,9 +144,10 @@ export class CacheEntryListener {
         return this
     }
 
-    markSaved(key: string, size: number | undefined): CacheEntryListener {
+    markSaved(key: string, size: number | undefined, time: number): CacheEntryListener {
         this.savedKey = key
         this.savedSize = size
+        this.savedTime = time
         return this
     }
 
@@ -182,14 +186,16 @@ ${renderEntryTable(entries)}
 function renderEntryTable(entries: CacheEntryListener[]): string {
     return `
 <table>
-    <tr><td></td><th>Count</th><th>Total Size (Mb)</th></tr>
+    <tr><td></td><th>Count</th><th>Total Size (Mb)</th><th>Total Time (ms)</tr>
     <tr><td>Entries Restored</td>
         <td>${getCount(entries, e => e.restoredSize)}</td>
         <td>${getSize(entries, e => e.restoredSize)}</td>
+        <td>${getTime(entries, e => e.restoredTime)}</td>
     </tr>
     <tr><td>Entries Saved</td>
         <td>${getCount(entries, e => e.savedSize)}</td>
         <td>${getSize(entries, e => e.savedSize)}</td>
+        <td>${getTime(entries, e => e.savedTime)}</td>
     </tr>
 </table>
     `
@@ -202,9 +208,11 @@ function renderEntryDetails(listener: CacheListener): string {
     Requested Key : ${entry.requestedKey ?? ''}
     Restored  Key : ${entry.restoredKey ?? ''}
               Size: ${formatSize(entry.restoredSize)}
+              Time: ${formatTime(entry.restoredTime)}
               ${getRestoredMessage(entry, listener.cacheWriteOnly)}
     Saved     Key : ${entry.savedKey ?? ''}
               Size: ${formatSize(entry.savedSize)}
+              Time: ${formatTime(entry.savedTime)}
               ${getSavedMessage(entry, listener.cacheReadOnly)}
 `
         )
@@ -264,9 +272,23 @@ function getSize(
     return Math.round(bytes / (1024 * 1024))
 }
 
+function getTime(
+    cacheEntries: CacheEntryListener[],
+    predicate: (value: CacheEntryListener) => number | undefined
+): number {
+    return cacheEntries.map(e => predicate(e) ?? 0).reduce((p, v) => p + v, 0)
+}
+
 function formatSize(bytes: number | undefined): string {
     if (bytes === undefined || bytes === 0) {
         return ''
     }
     return `${Math.round(bytes / (1024 * 1024))} MB (${bytes} B)`
 }
+
+function formatTime(ms: number | undefined): string {
+    if (ms === undefined || ms === 0) {
+        return ''
+    }
+    return `${ms} ms`
+}

sources/src/caching/cache-utils.ts

@@ -38,13 +38,16 @@ export async function restoreCache(
 ): Promise<cache.CacheEntry | undefined> {
     listener.markRequested(cacheKey, cacheRestoreKeys)
     try {
+        const startTime = Date.now()
         // Only override the read timeout if the SEGMENT_DOWNLOAD_TIMEOUT_MINS env var has NOT been set
         const cacheRestoreOptions = process.env[SEGMENT_DOWNLOAD_TIMEOUT_VAR]
             ? {}
             : {segmentTimeoutInMs: SEGMENT_DOWNLOAD_TIMEOUT_DEFAULT}
         const restoredEntry = await cache.restoreCache(cachePath, cacheKey, cacheRestoreKeys, cacheRestoreOptions)
         if (restoredEntry !== undefined) {
-            listener.markRestored(restoredEntry.key, restoredEntry.size)
+            const restoreTime = Date.now() - startTime
+            listener.markRestored(restoredEntry.key, restoredEntry.size, restoreTime)
+            core.info(`Restored cache entry with key ${cacheKey} to ${cachePath.join()} in ${restoreTime}ms`)
         }
         return restoredEntry
     } catch (error) {
@@ -56,8 +59,11 @@ export async function restoreCache(
 
 export async function saveCache(cachePath: string[], cacheKey: string, listener: CacheEntryListener): Promise<void> {
     try {
+        const startTime = Date.now()
         const savedEntry = await cache.saveCache(cachePath, cacheKey)
-        listener.markSaved(savedEntry.key, savedEntry.size)
+        const saveTime = Date.now() - startTime
+        listener.markSaved(savedEntry.key, savedEntry.size, saveTime)
+        core.info(`Saved cache entry with key ${cacheKey} from ${cachePath.join()} in ${saveTime}ms`)
     } catch (error) {
         if (error instanceof cache.ReserveCacheError) {
             listener.markAlreadyExists(cacheKey)

sources/src/caching/caches.ts

@@ -92,7 +92,9 @@ export async function save(
         return
     }
 
-    await daemonController.stopAllDaemons()
+    await core.group('Stopping Gradle daemons', async () => {
+        await daemonController.stopAllDaemons()
+    })
 
     if (cacheConfig.isCacheCleanupEnabled()) {
         if (buildResults.anyConfigCacheHit()) {
@@ -113,7 +115,6 @@ export async function save(
 }
 
 async function performCacheCleanup(gradleUserHome: string): Promise<void> {
-    core.info('Forcing cache cleanup.')
     const cacheCleaner = new CacheCleaner(gradleUserHome, process.env['RUNNER_TEMP']!)
     try {
         await cacheCleaner.forceCleanup()

sources/src/caching/gradle-home-extry-extractor.ts

@@ -2,15 +2,14 @@ import path from 'path'
 import fs from 'fs'
 import * as core from '@actions/core'
 import * as glob from '@actions/glob'
-import * as semver from 'semver'
 
-import {META_FILE_DIR} from './gradle-user-home-cache'
 import {CacheEntryListener, CacheListener} from './cache-reporting'
 import {cacheDebug, hashFileNames, isCacheDebuggingEnabled, restoreCache, saveCache, tryDelete} from './cache-utils'
 
 import {BuildResult, loadBuildResults} from '../build-results'
-import {CacheConfig} from '../configuration'
+import {CacheConfig, ACTION_METADATA_DIR} from '../configuration'
 import {getCacheKeyBase} from './cache-key'
+import {versionIsAtLeast} from '../execution/gradle'
 
 const SKIP_RESTORE_VAR = 'GRADLE_BUILD_ACTION_SKIP_RESTORE'
 const CACHE_PROTOCOL_VERSION = 'v1'
@@ -133,9 +132,8 @@ abstract class AbstractEntryExtractor {
         pattern: string,
         listener: CacheEntryListener
     ): Promise<ExtractedCacheEntry> {
-        const restoredEntry = await restoreCache([pattern], cacheKey, [], listener)
+        const restoredEntry = await restoreCache(pattern.split('\n'), cacheKey, [], listener)
         if (restoredEntry) {
-            core.info(`Restored ${artifactType} with key ${cacheKey} to ${pattern}`)
             return new ExtractedCacheEntry(artifactType, pattern, cacheKey)
         } else {
             core.info(`Did not restore ${artifactType} with key ${cacheKey} to ${pattern}`)
@@ -233,8 +231,7 @@ abstract class AbstractEntryExtractor {
             cacheDebug(`No change to previously restored ${artifactType}. Not saving.`)
             entryListener.markNotSaved('contents unchanged')
         } else {
-            core.info(`Caching ${artifactType} with path '${pattern}' and cache key: ${cacheKey}`)
-            await saveCache([pattern], cacheKey, entryListener)
+            await saveCache(pattern.split('\n'), cacheKey, entryListener)
         }
 
         for (const file of matchingFiles) {
@@ -298,7 +295,7 @@ abstract class AbstractEntryExtractor {
     }
 
     private getCacheMetadataFile(): string {
-        const actionMetadataDirectory = path.resolve(this.gradleUserHome, META_FILE_DIR)
+        const actionMetadataDirectory = path.resolve(this.gradleUserHome, ACTION_METADATA_DIR)
         fs.mkdirSync(actionMetadataDirectory, {recursive: true})
 
         return path.resolve(actionMetadataDirectory, `${this.extractorName}-entry-metadata.json`)
@@ -435,8 +432,7 @@ export class ConfigurationCacheEntryExtractor extends AbstractEntryExtractor {
             // If any associated build result used Gradle < 8.6, then mark it as not cacheable
             if (
                 pathResults.find(result => {
-                    const gradleVersion = semver.coerce(result.gradleVersion)
-                    return gradleVersion && semver.lt(gradleVersion, '8.6.0')
+                    return !versionIsAtLeast(result.gradleVersion, '8.6.0')
                 })
             ) {
                 core.info(

sources/src/caching/gradle-user-home-cache.ts

@@ -7,14 +7,12 @@ import fs from 'fs'
 import {generateCacheKey} from './cache-key'
 import {CacheListener} from './cache-reporting'
 import {saveCache, restoreCache, cacheDebug, isCacheDebuggingEnabled, tryDelete} from './cache-utils'
-import {CacheConfig} from '../configuration'
+import {CacheConfig, ACTION_METADATA_DIR} from '../configuration'
 import {GradleHomeEntryExtractor, ConfigurationCacheEntryExtractor} from './gradle-home-extry-extractor'
 import {getPredefinedToolchains, mergeToolchainContent, readResourceFileAsString} from './gradle-user-home-utils'
 
 const RESTORED_CACHE_KEY_KEY = 'restored-cache-key'
 
-export const META_FILE_DIR = '.setup-gradle'
-
 export class GradleUserHomeCache {
     private readonly cacheName = 'home'
     private readonly cacheDescription = 'Gradle User Home'
@@ -62,7 +60,8 @@ export class GradleUserHomeCache {
     restoreKeys:[${cacheKey.restoreKeys}]`
         )
 
-        const cacheResult = await restoreCache(this.getCachePath(), cacheKey.key, cacheKey.restoreKeys, entryListener)
+        const cachePath = this.getCachePath()
+        const cacheResult = await restoreCache(cachePath, cacheKey.key, cacheKey.restoreKeys, entryListener)
         if (!cacheResult) {
             core.info(`${this.cacheDescription} cache not found. Will initialize empty.`)
             return
@@ -70,8 +69,6 @@ export class GradleUserHomeCache {
 
         core.saveState(RESTORED_CACHE_KEY_KEY, cacheResult.key)
 
-        core.info(`Restored ${this.cacheDescription} from cache key: ${cacheResult.key}`)
-
         try {
             await this.afterRestore(listener)
         } catch (error) {
@@ -122,10 +119,8 @@ export class GradleUserHomeCache {
             return
         }
 
-        core.info(`Caching ${this.cacheDescription} with cache key: ${cacheKey}`)
         const cachePath = this.getCachePath()
         await saveCache(cachePath, cacheKey, gradleHomeEntryListener)
-
         return
     }
 
@@ -172,7 +167,7 @@ export class GradleUserHomeCache {
      */
     protected getCachePath(): string[] {
         const rawPaths: string[] = this.cacheConfig.getCacheIncludes()
-        rawPaths.push(META_FILE_DIR)
+        rawPaths.push(ACTION_METADATA_DIR)
         const resolvedPaths = rawPaths.map(x => this.resolveCachePath(x))
         cacheDebug(`Using cache paths: ${resolvedPaths}`)
         return resolvedPaths
@@ -188,7 +183,7 @@ export class GradleUserHomeCache {
 
     private initializeGradleUserHome(): void {
         // Create a directory for storing action metadata
-        const actionCacheDir = path.resolve(this.gradleUserHome, META_FILE_DIR)
+        const actionCacheDir = path.resolve(this.gradleUserHome, ACTION_METADATA_DIR)
         fs.mkdirSync(actionCacheDir, {recursive: true})
 
         this.copyInitScripts()

sources/src/configuration.ts

@@ -8,6 +8,8 @@ import path from 'path'
 
 const ACTION_ID_VAR = 'GRADLE_ACTION_ID'
 
+export const ACTION_METADATA_DIR = '.setup-gradle'
+
 export class DependencyGraphConfig {
     getDependencyGraphOption(): DependencyGraphOption {
         const val = core.getInput('dependency-graph')
@@ -357,8 +359,14 @@ export class GradleExecutionConfig {
     }
 }
 
-export function doValidateWrappers(): boolean {
-    return getBooleanInput('validate-wrappers')
+export class WrapperValidationConfig {
+    doValidateWrappers(): boolean {
+        return getBooleanInput('validate-wrappers')
+    }
+
+    allowSnapshotWrappers(): boolean {
+        return getBooleanInput('allow-snapshot-wrappers')
+    }
 }
 
 // Internal parameters

sources/src/daemon-controller.ts

@@ -12,8 +12,6 @@ export class DaemonController {
     }
 
     async stopAllDaemons(): Promise<void> {
-        core.info('Stopping all Gradle daemons before saving Gradle User Home state')
-
         const executions: Promise<number>[] = []
         const args = ['--stop']
 

sources/src/deprecation-collector.ts

@@ -25,7 +25,7 @@ export function recordDeprecation(message: string): void {
 
 export function failOnUseOfRemovedFeature(removalMessage: string, deprecationMessage: string = removalMessage): void {
     const deprecation = new Deprecation(deprecationMessage)
-    const errorMessage = `${removalMessage}. See ${deprecation.getDocumentationLink()}`
+    const errorMessage = `${removalMessage}.\nSee ${deprecation.getDocumentationLink()}`
     recordedErrors.push(errorMessage)
     core.setFailed(errorMessage)
 }

sources/src/develocity/build-scan.ts

@@ -5,13 +5,6 @@ import {setupToken} from './short-lived-token'
 export async function setup(config: BuildScanConfig): Promise<void> {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle')
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions')
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.17.5')
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0')
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl())
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
-    }
 
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled())
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl())
@@ -19,10 +12,22 @@ export async function setup(config: BuildScanConfig): Promise<void> {
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints())
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl())
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion())
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword())
 
+    // If build-scan-publish is enabled, ensure the environment variables are set
+    // The DEVELOCITY_PLUGIN_VERSION and DEVELOCITY_CCUD_PLUGIN_VERSION are set to the latest versions
+    // except if they are defined in the configuration
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.2')
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0.2')
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl())
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
+    }
+
     return setupToken(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry())
 }
 

sources/src/develocity/short-lived-token.ts

@@ -72,7 +72,7 @@ class ShortLivedTokenClient {
     retryInterval = 1000
 
     async fetchToken(serverUrl: string, accessKey: HostnameAccessKey, expiry: string): Promise<HostnameAccessKey> {
-        const queryParams = expiry ? `?expiresInHours${expiry}` : ''
+        const queryParams = expiry ? `?expiresInHours=${expiry}` : ''
         const sanitizedServerUrl = !serverUrl.endsWith('/') ? `${serverUrl}/` : serverUrl
         const headers = {
             'Content-Type': 'application/json',

sources/src/execution/gradle.ts

@@ -1,6 +1,8 @@
 import * as core from '@actions/core'
 import * as exec from '@actions/exec'
 
+import which from 'which'
+import * as semver from 'semver'
 import * as provisioner from './provision'
 import * as gradlew from './gradlew'
 
@@ -31,3 +33,42 @@ async function executeGradleBuild(executable: string | undefined, root: string,
         core.setFailed(`Gradle build failed: see console output for details`)
     }
 }
+
+export function versionIsAtLeast(actualVersion: string, requiredVersion: string): boolean {
+    const splitVersion = actualVersion.split('-')
+    const coreVersion = splitVersion[0]
+    const prerelease = splitVersion.length > 1
+
+    const actualSemver = semver.coerce(coreVersion)!
+    const comparisonSemver = semver.coerce(requiredVersion)!
+
+    if (prerelease) {
+        return semver.gt(actualSemver, comparisonSemver)
+    } else {
+        return semver.gte(actualSemver, comparisonSemver)
+    }
+}
+
+export async function findGradleVersionOnPath(): Promise<GradleExecutable | undefined> {
+    const gradleExecutable = await which('gradle', {nothrow: true})
+    if (gradleExecutable) {
+        const output = await exec.getExecOutput(gradleExecutable, ['-v'], {silent: true})
+        const version = parseGradleVersionFromOutput(output.stdout)
+        return version ? new GradleExecutable(version, gradleExecutable) : undefined
+    }
+
+    return undefined
+}
+
+export function parseGradleVersionFromOutput(output: string): string | undefined {
+    const regex = /Gradle (\d+\.\d+(\.\d+)?(-.*)?)/
+    const versionString = output.match(regex)?.[1]
+    return versionString
+}
+
+class GradleExecutable {
+    constructor(
+        readonly version: string,
+        readonly executable: string
+    ) {}
+}

sources/src/execution/provision.ts

@@ -1,13 +1,12 @@
 import * as fs from 'fs'
 import * as os from 'os'
 import * as path from 'path'
-import which from 'which'
 import * as httpm from '@actions/http-client'
 import * as core from '@actions/core'
 import * as cache from '@actions/cache'
-import * as exec from '@actions/exec'
 import * as toolCache from '@actions/tool-cache'
 
+import {findGradleVersionOnPath, versionIsAtLeast} from './gradle'
 import * as gradlew from './gradlew'
 import {handleCacheFailure} from '../caching/cache-utils'
 import {CacheConfig} from '../configuration'
@@ -26,6 +25,16 @@ export async function provisionGradle(gradleVersion: string): Promise<string | u
     return undefined
 }
 
+/**
+ * Ensure that the Gradle version on PATH is no older than the specified version.
+ * If the version on PATH is older, install the specified version and add it to the PATH.
+ * @return Installed Gradle executable or undefined if no version configured.
+ */
+export async function provisionGradleAtLeast(gradleVersion: string): Promise<string> {
+    const installedVersion = await installGradleVersionAtLeast(await gradleRelease(gradleVersion))
+    return addToPath(installedVersion)
+}
+
 async function addToPath(executable: string): Promise<string> {
     core.addPath(path.dirname(executable))
     return executable
@@ -51,7 +60,7 @@ async function resolveGradleVersion(version: string): Promise<GradleVersionInfo>
         case 'release-nightly':
             return gradleReleaseNightly()
         default:
-            return gradle(version)
+            return gradleRelease(version)
     }
 }
 
@@ -76,7 +85,7 @@ async function gradleReleaseNightly(): Promise<GradleVersionInfo> {
     return await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/release-nightly`)
 }
 
-async function gradle(version: string): Promise<GradleVersionInfo> {
+async function gradleRelease(version: string): Promise<GradleVersionInfo> {
     const versionInfo = await findGradleVersionDeclaration(version)
     if (!versionInfo) {
         throw new Error(`Gradle version ${version} does not exists`)
@@ -97,10 +106,24 @@ async function findGradleVersionDeclaration(version: string): Promise<GradleVers
 
 async function installGradleVersion(versionInfo: GradleVersionInfo): Promise<string> {
     return core.group(`Provision Gradle ${versionInfo.version}`, async () => {
-        const preInstalledGradle = await findGradleVersionOnPath(versionInfo)
-        if (preInstalledGradle !== undefined) {
+        const gradleOnPath = await findGradleVersionOnPath()
+        if (gradleOnPath?.version === versionInfo.version) {
             core.info(`Gradle version ${versionInfo.version} is already available on PATH. Not installing.`)
-            return preInstalledGradle
+            return gradleOnPath.executable
+        }
+
+        return locateGradleAndDownloadIfRequired(versionInfo)
+    })
+}
+
+async function installGradleVersionAtLeast(versionInfo: GradleVersionInfo): Promise<string> {
+    return core.group(`Provision Gradle >= ${versionInfo.version}`, async () => {
+        const gradleOnPath = await findGradleVersionOnPath()
+        if (gradleOnPath && versionIsAtLeast(gradleOnPath.version, versionInfo.version)) {
+            core.info(
+                `Gradle version ${gradleOnPath.version} is available on PATH and >= ${versionInfo.version}. Not installing.`
+            )
+            return gradleOnPath.executable
         }
 
         return locateGradleAndDownloadIfRequired(versionInfo)
@@ -192,15 +215,3 @@ interface GradleVersionInfo {
     version: string
     downloadUrl: string
 }
-
-async function findGradleVersionOnPath(versionInfo: GradleVersionInfo): Promise<string | undefined> {
-    const gradleExecutable = await which('gradle', {nothrow: true})
-    if (gradleExecutable) {
-        const output = await exec.getExecOutput(gradleExecutable, ['-v'], {silent: true})
-        if (output.stdout.includes(`Gradle ${versionInfo.version}`)) {
-            return gradleExecutable
-        }
-    }
-
-    return undefined
-}

sources/src/job-summary.ts

@@ -43,7 +43,7 @@ export async function generateJobSummary(
 async function addPRComment(jobSummary: string): Promise<void> {
     const context = github.context
     if (context.payload.pull_request == null) {
-        core.info('No pull_request trigger: not adding PR comment')
+        core.info('No pull_request trigger detected: not adding PR comment')
         return
     }
 

sources/src/resources/init-scripts/gradle-actions.build-result-capture.init.gradle

@@ -32,15 +32,19 @@ if (isTopLevelBuild) {
 
         // Use the Develocity plugin to also capture build scan links, when available
         settingsEvaluated { settings ->
-            settings.pluginManager.withPlugin(GE_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (!settings.extensions.findByName(DEVELOCITY_EXTENSION)) {
+            def captureBuildScanLink = {
+                // Prefer the 'develocity' extension, if available
+                if (settings.extensions.findByName(DEVELOCITY_EXTENSION)) {
+                    captureUsingBuildScanPublished(settings.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                } else {
                     captureUsingBuildScanPublished(settings.extensions[GE_EXTENSION].buildScan, invocationId, resultsWriter)
                 }
             }
-
+            settings.pluginManager.withPlugin(GE_PLUGIN_ID, captureBuildScanLink)
             settings.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                captureUsingBuildScanPublished(settings.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                // Develocity plugin applies GE plugin: avoid duplicate call
+                if (settings.pluginManager.hasPlugin(GE_PLUGIN_ID)) return
+                captureBuildScanLink()
             }
         }
     } else if (atLeastGradle3) {
@@ -48,15 +52,21 @@ if (isTopLevelBuild) {
             // By default, use 'buildFinished' to capture build results
             captureUsingBuildFinished(gradle, invocationId, resultsWriter)
 
-            gradle.rootProject.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (!gradle.rootProject.extensions.findByName(DEVELOCITY_EXTENSION)) {
+            def captureBuildScanLink = {
+                // Prefer the 'develocity' extension, if available
+                if (gradle.rootProject.extensions.findByName(DEVELOCITY_EXTENSION)) {
+                    captureUsingBuildScanPublished(gradle.rootProject.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                } else {
                     captureUsingBuildScanPublished(gradle.rootProject.extensions[BUILD_SCAN_EXTENSION], invocationId, resultsWriter)
                 }
             }
 
+            gradle.rootProject.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID, captureBuildScanLink)
+
             gradle.rootProject.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                captureUsingBuildScanPublished(gradle.rootProject.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                // Develocity plugin applies Build Scan plugin: avoid duplicate call
+                if (gradle.rootProject.pluginManager.hasPlugin(BUILD_SCAN_PLUGIN_ID)) return
+                captureBuildScanLink()
             }
         }
     }

sources/src/setup-gradle.ts

@@ -10,16 +10,25 @@ import * as buildScan from './develocity/build-scan'
 import {loadBuildResults, markBuildResultsProcessed} from './build-results'
 import {CacheListener, generateCachingReport} from './caching/cache-reporting'
 import {DaemonController} from './daemon-controller'
-import {BuildScanConfig, CacheConfig, SummaryConfig, getWorkspaceDirectory} from './configuration'
-import {findInvalidWrapperJars} from './wrapper-validation/validate'
-import {JobFailure} from './errors'
+import {
+    BuildScanConfig,
+    CacheConfig,
+    SummaryConfig,
+    WrapperValidationConfig,
+    getWorkspaceDirectory
+} from './configuration'
+import * as wrapperValidator from './wrapper-validation/wrapper-validator'
 
 const GRADLE_SETUP_VAR = 'GRADLE_BUILD_ACTION_SETUP_COMPLETED'
 const USER_HOME = 'USER_HOME'
 const GRADLE_USER_HOME = 'GRADLE_USER_HOME'
 const CACHE_LISTENER = 'CACHE_LISTENER'
 
-export async function setup(cacheConfig: CacheConfig, buildScanConfig: BuildScanConfig): Promise<boolean> {
+export async function setup(
+    cacheConfig: CacheConfig,
+    buildScanConfig: BuildScanConfig,
+    wrapperValidationConfig: WrapperValidationConfig
+): Promise<boolean> {
     const userHome = await determineUserHome()
     const gradleUserHome = await determineGradleUserHome()
 
@@ -42,6 +51,8 @@ export async function setup(cacheConfig: CacheConfig, buildScanConfig: BuildScan
 
     core.saveState(CACHE_LISTENER, cacheListener.stringify())
 
+    await wrapperValidator.validateWrappers(wrapperValidationConfig, getWorkspaceDirectory(), gradleUserHome)
+
     await buildScan.setup(buildScanConfig)
 
     return true
@@ -116,16 +127,3 @@ async function determineUserHome(): Promise<string> {
     core.debug(`Determined user.home from java -version output: '${userHome}'`)
     return userHome
 }
-
-export async function checkNoInvalidWrapperJars(rootDir = getWorkspaceDirectory()): Promise<void> {
-    const allowedChecksums = process.env['ALLOWED_GRADLE_WRAPPER_CHECKSUMS']?.split(',') || []
-    const result = await findInvalidWrapperJars(rootDir, 1, false, allowedChecksums)
-    if (result.isValid()) {
-        core.info(result.toDisplayString())
-    } else {
-        core.info(result.toDisplayString())
-        throw new JobFailure(
-            `Gradle Wrapper Validation Failed!\n  See https://github.com/gradle/actions/blob/main/docs/wrapper-validation.md#reporting-failures\n${result.toDisplayString()}`
-        )
-    }
-}

sources/src/wrapper-validation/cache.ts

@@ -0,0 +1,26 @@
+import fs from 'fs'
+import path from 'path'
+import {ACTION_METADATA_DIR} from '../configuration'
+
+export class ChecksumCache {
+    private readonly cacheFile: string
+
+    constructor(gradleUserHome: string) {
+        this.cacheFile = path.resolve(gradleUserHome, ACTION_METADATA_DIR, 'valid-wrappers.json')
+    }
+
+    load(): string[] {
+        // Load previously validated checksums saved in Gradle User Home
+        if (fs.existsSync(this.cacheFile)) {
+            return JSON.parse(fs.readFileSync(this.cacheFile, 'utf-8'))
+        }
+        return []
+    }
+
+    save(checksums: string[]): void {
+        const uniqueChecksums = [...new Set(checksums)]
+        // Save validated checksums to Gradle User Home
+        fs.mkdirSync(path.dirname(this.cacheFile), {recursive: true})
+        fs.writeFileSync(this.cacheFile, JSON.stringify(uniqueChecksums))
+    }
+}

sources/src/wrapper-validation/checksums.ts

@@ -1,4 +1,5 @@
 import * as httpm from 'typed-rest-client/HttpClient'
+import * as cheerio from 'cheerio'
 
 import fileWrapperChecksums from './wrapper-checksums.json'
 
@@ -37,7 +38,7 @@ export const KNOWN_CHECKSUMS = loadKnownChecksums()
 export async function fetchUnknownChecksums(
     allowSnapshots: boolean,
     knownChecksums: WrapperChecksums
-): Promise<Set<string>> {
+): Promise<WrapperChecksums> {
     const all = await httpGetJsonArray('https://services.gradle.org/versions/all')
     const withChecksum = all.filter(
         entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl')
@@ -50,12 +51,21 @@ export async function fetchUnknownChecksums(
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         (entry: any) => !knownChecksums.versions.has(entry.version)
     )
-    const checksumUrls = notKnown.map(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        (entry: any) => entry.wrapperChecksumUrl as string
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const checksumUrls = notKnown.map((entry: any) => [entry.version, entry.wrapperChecksumUrl] as [string, string])
+    if (allowSnapshots) {
+        await addDistributionSnapshotChecksumUrls(checksumUrls)
+    }
+
+    const wrapperChecksums = new WrapperChecksums()
+    await Promise.all(
+        checksumUrls.map(async ([version, url]) => {
+            const checksum = await httpGetText(url)
+            wrapperChecksums.add(version, checksum)
+        })
     )
-    const checksums = await Promise.all(checksumUrls.map(async (url: string) => httpGetText(url)))
-    return new Set(checksums)
+    return wrapperChecksums
 }
 
 async function httpGetJsonArray(url: string): Promise<unknown[]> {
@@ -66,3 +76,21 @@ async function httpGetText(url: string): Promise<string> {
     const response = await httpc.get(url)
     return await response.readBody()
 }
+
+async function addDistributionSnapshotChecksumUrls(checksumUrls: [string, string][]): Promise<void> {
+    // Load the index page of the distribution snapshot repository into cheerio
+    const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/')
+    const $ = cheerio.load(indexPage)
+
+    // // Find all links ending with '-wrapper.jar.sha256'
+    const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]')
+    wrapperChecksumLinks.each((index, element) => {
+        const url = $(element).attr('href')!
+
+        // Extract the version from the url
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1]
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`])
+        }
+    })
+}

sources/src/wrapper-validation/find.ts

@@ -18,9 +18,14 @@ async function recursivelyListFiles(baseDir: string): Promise<string[]> {
     const childrenPaths = await Promise.all(
         childrenNames.map(async childName => {
             const childPath = path.resolve(baseDir, childName)
-            return fs.lstatSync(childPath).isDirectory()
-                ? recursivelyListFiles(childPath)
-                : new Promise(resolve => resolve([childPath]))
+            const stat = fs.lstatSync(childPath, {throwIfNoEntry: false})
+            if (stat === undefined) {
+                return []
+            } else if (stat.isDirectory()) {
+                return recursivelyListFiles(childPath)
+            } else {
+                return new Promise(resolve => resolve([childPath]))
+            }
         })
     )
     return Array.prototype.concat(...childrenPaths)

sources/src/wrapper-validation/validate.ts

@@ -5,23 +5,22 @@ import {resolve} from 'path'
 
 export async function findInvalidWrapperJars(
     gitRepoRoot: string,
-    minWrapperCount: number,
     allowSnapshots: boolean,
     allowedChecksums: string[],
+    previouslyValidatedChecksums: string[] = [],
     knownValidChecksums: checksums.WrapperChecksums = checksums.KNOWN_CHECKSUMS
 ): Promise<ValidationResult> {
     const wrapperJars = await find.findWrapperJars(gitRepoRoot)
     const result = new ValidationResult([], [])
-    if (wrapperJars.length < minWrapperCount) {
-        result.errors.push(
-            `Expected to find at least ${minWrapperCount} Gradle Wrapper JARs but got only ${wrapperJars.length}`
-        )
-    }
     if (wrapperJars.length > 0) {
         const notYetValidatedWrappers = []
         for (const wrapperJar of wrapperJars) {
             const sha = await hash.sha256File(resolve(gitRepoRoot, wrapperJar))
-            if (allowedChecksums.includes(sha) || knownValidChecksums.checksums.has(sha)) {
+            if (
+                allowedChecksums.includes(sha) ||
+                previouslyValidatedChecksums.includes(sha) ||
+                knownValidChecksums.checksums.has(sha)
+            ) {
                 result.valid.push(new WrapperJar(wrapperJar, sha))
             } else {
                 notYetValidatedWrappers.push(new WrapperJar(wrapperJar, sha))
@@ -34,7 +33,7 @@ export async function findInvalidWrapperJars(
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums)
 
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar)
                 } else {
                     result.valid.push(wrapperJar)
@@ -49,7 +48,6 @@ export class ValidationResult {
     valid: WrapperJar[]
     invalid: WrapperJar[]
     fetchedChecksums = false
-    errors: string[] = []
 
     constructor(valid: WrapperJar[], invalid: WrapperJar[]) {
         this.valid = valid
@@ -57,7 +55,7 @@ export class ValidationResult {
     }
 
     isValid(): boolean {
-        return this.invalid.length === 0 && this.errors.length === 0
+        return this.invalid.length === 0
     }
 
     toDisplayString(): string {
@@ -67,10 +65,6 @@ export class ValidationResult {
                 this.invalid
             )}`
         }
-        if (this.errors.length > 0) {
-            if (displayString.length > 0) displayString += '\n'
-            displayString += `✗ Other validation errors:\n  ${this.errors.join(`\n  `)}`
-        }
         if (this.valid.length > 0) {
             if (displayString.length > 0) displayString += '\n'
             displayString += `✓ Found known Gradle Wrapper JAR files:\n${ValidationResult.toDisplayList(this.valid)}`

sources/src/wrapper-validation/wrapper-checksums.json

@@ -1,4 +1,44 @@
 [
+  {
+    "version": "8.11",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-rc-3",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-rc-2",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-rc-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-milestone-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10.2",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10.2-milestone-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10.1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10-rc-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
   {
     "version": "8.9",
     "checksum": "498495120a03b9a6ab5d155f5de3c8f0d986a449153702fb80fc80e134484f17"