Fix space assignment deprecations in init-scripts (#542)

Fixes the Groovy syntax in 2 init-scripts to avoid deprecation warnings.
The fix to the DV injection script is temporary, and will be replaced by
a fix in the upstream reference script.

Fixes #541

.github/actions/build-dist/action.yml

@@ -3,7 +3,7 @@ name: 'Build and upload distribution'
 runs:
   using: "composite"
   steps: 
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
       with:
         node-version: 20
         cache: npm
@@ -23,7 +23,7 @@ runs:
         cp -r sources/dist .
 
     - name: Upload distribution
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
         name: dist
         path: dist/

.github/actions/init-integ-test/action.yml

@@ -4,7 +4,7 @@ runs:
   using: "composite"
   steps: 
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         distribution: 'temurin'
         java-version: 11
@@ -17,7 +17,7 @@ runs:
     # Downloads a 'dist' directory artifact that was uploaded in an earlier 'build-dist' step
     - name: Download dist
       if: ${{ env.SKIP_DIST != 'true' && !env.ACT }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: dist
         path: dist/

.github/dependabot.yml

@@ -5,6 +5,7 @@ registries:
     url: https://plugins.gradle.org/m2
     username: dummy # Required by dependabot
     password: dummy # Required by dependabot
+
 updates:
   - package-ecosystem: "npm"
     directory: "/sources"
@@ -16,25 +17,12 @@ updates:
         - "*"
       
   - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    groups:
-      github-actions:
-        patterns:
-        - "*"
-  # github-actions with directory: "/" only monitors .github/workflows
-  # https://github.com/dependabot/dependabot-core/issues/6345
-  - package-ecosystem: "github-actions"
-    directory: "/.github/actions/build-dist"
-    schedule:
-      interval: "weekly"
-    groups:
-      github-actions:
-        patterns:
-          - "*"
-  - package-ecosystem: "github-actions"
-    directory: "/.github/actions/init-integ-test"
+    # github-actions with directory: "/" only monitors .github/workflows
+    # https://github.com/dependabot/dependabot-core/issues/6345
+    directories:
+      - "/"
+      - "/.github/actions/build-dist"
+      - "/.github/actions/init-integ-test"
     schedule:
       interval: "weekly"
     groups:
@@ -43,44 +31,19 @@ updates:
           - "*"
 
   - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/gradle-plugin"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/groovy-dsl"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/java-toolchain"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/kotlin-dsl"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/no-wrapper"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: ".github/workflow-samples/no-wrapper-gradle-5"
-    registries:
-      - gradle-plugin-portal
-    schedule:
-      interval: "weekly"
-  - package-ecosystem: "gradle"
-    directory: "sources/test/init-scripts"
+    directories:
+      - ".github/workflow-samples/gradle-plugin"
+      - ".github/workflow-samples/groovy-dsl"
+      - ".github/workflow-samples/java-toolchain"
+      - ".github/workflow-samples/kotlin-dsl"
+      - ".github/workflow-samples/no-wrapper"
+      - ".github/workflow-samples/no-wrapper-gradle-5"
+      - "sources/test/init-scripts"
     registries:
       - gradle-plugin-portal
     schedule:
       interval: "weekly"
+    groups:
+      gradle:
+        patterns:
+          - "*"

.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/gradle-plugin/gradlew

@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/gradlew

@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/groovy-dsl/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.develocity" version "3.19.1"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.1"
 }
 
 develocity {

.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/java-toolchain/gradlew

@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/kotlin-dsl/build.gradle.kts

@@ -8,9 +8,9 @@ repositories {
 
 dependencies {
     api("org.apache.commons:commons-math3:3.6.1")
-    implementation("com.google.guava:guava:33.3.0-jre")
+    implementation("com.google.guava:guava:33.4.0-jre")
 
-    testImplementation("org.junit.jupiter:junit-jupiter:5.11.0")
+    testImplementation("org.junit.jupiter:junit-jupiter:5.11.4")
 }
 
 tasks.test {

.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/gradlew

@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/kotlin-dsl/settings.gradle.kts

@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.develocity") version "3.18.1"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.1"
+    id("com.gradle.develocity") version "3.19.1"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.1"
 }
 
 develocity {

.github/workflow-samples/no-wrapper-gradle-5/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1" 
+    id "com.gradle.develocity" version "3.19.1" 
 }
 
 develocity {

.github/workflow-samples/no-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
+    id "com.gradle.develocity" version "3.19.1"
 }
 
 develocity {

.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/non-executable-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
+    id "com.gradle.develocity" version "3.19.1"
 }
 
 develocity {

.github/workflows/ci-check-and-unit-test.yml

@@ -15,22 +15,43 @@ permissions:
 jobs:
   check-format-and-unit-test:
     runs-on: ubuntu-latest
+
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
       with:
         node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
+    - name: Setup Gradle
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+      env:
+        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
+      with:
+        gradle-version: "8.12.1"
+
+    - name: Install npm dependencies
+      run: |
+        npm clean-install
+      working-directory: sources
 
     - name: Check formatting and compile
       run: |
-        npm install
         npm run check
         npm run compile
       working-directory: sources
+      env:
+        NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
+        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
+
     - name: Run unit tests
       run: |
         npm test
       working-directory: sources
+      env:
+        NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
+        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'

.github/workflows/ci-check-no-dist-update.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
     - name: Get changed files
       id: changed-files
-      uses: tj-actions/changed-files@v45
+      uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
       with:
         files: |
           dist/**

.github/workflows/ci-codeql.yml

@@ -6,16 +6,15 @@ on:
     - 'main'
     - 'release/**'
     - 'dev/**' # Allow running Code QL on dev branches without a PR
-    paths-ignore:
-    - 'dist/**'
   pull_request:
     branches:
     - 'main'
-    paths-ignore:
-    - 'dist/**'
   schedule:
     - cron: '25 23 * * 2'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -32,11 +31,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
       with:
         languages: ${{ matrix.language }}
         config: |
@@ -44,4 +43,4 @@ jobs:
           - sources/src
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6

.github/workflows/ci-combine-bot-prs.yml

@@ -0,0 +1,24 @@
+name: Combine Bot PRs
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  combine-wrapperbot-prs:
+    permissions:
+      contents: write
+      pull-requests: write
+      checks: read
+    if: github.repository == 'gradle/actions'
+    runs-on: ubuntu-latest
+    steps:
+      - name: combine-wrapperbot-prs
+        uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
+        with:
+          branch_prefix: wrapperbot
+          combine_branch_name: wrapperbot/combined-wrapper-updates
+          pr_title: 'Bump Gradle Wrappers'
+          ci_required: "false"

.github/workflows/ci-init-script-check.yml

@@ -14,19 +14,23 @@ on:
       - 'sources/test/init-scripts/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-init-scripts:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         distribution: temurin
         java-version: 11
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4 # Use a released version to avoid breakages
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
       env:
         ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
     - name: Run integration tests

.github/workflows/ci-integ-test-full.yml

@@ -3,16 +3,18 @@ name: CI-integ-test-full
 on:
   workflow_dispatch:
   push:
+    branches:
+    - 'main'
     paths:
     - 'dist/**'
 
-permissions:
-  contents: write
-
 concurrency:
   group: integ-test
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   caching-integ-tests:
     uses: ./.github/workflows/suite-integ-test-caching.yml
@@ -25,6 +27,8 @@ jobs:
     secrets: inherit
 
   other-integ-tests:
+    permissions:
+      contents: write
     uses: ./.github/workflows/suite-integ-test-other.yml
     concurrency:
       group: CI-integ-test-full

.github/workflows/ci-integ-test.yml

@@ -11,19 +11,19 @@ on:
     paths-ignore:
     - 'dist/**'
 
-permissions:
-  contents: write
-
 concurrency:
   group: integ-test
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       if: ${{ needs.determine-suite.outputs.suite != 'full' }}
       uses: ./.github/actions/build-dist
@@ -36,6 +36,8 @@ jobs:
     secrets: inherit
 
   other-integ-tests:
+    permissions:
+      contents: write
     needs: build-distribution
     uses: ./.github/workflows/suite-integ-test-other.yml
     with:

.github/workflows/ci-ossf-scorecard.yml

@@ -0,0 +1,57 @@
+name: CI-ossf-scorecard
+on:
+  schedule:
+    - cron: '0 5 * * 1'
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      - name: 'Run analysis'
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: 'Upload artifact'
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: 'Upload to code-scanning'
+        uses: github/codeql-action/upload-sarif@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
+        with:
+          sarif_file: results.sarif

.github/workflows/ci-update-dist.yml

@@ -5,36 +5,50 @@ on:
   push:
     branches: 
     - 'main'
+    - 'prerelease/**'
     - 'release/**'
     paths-ignore:
     - 'dist/**'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   update-dist:
+    # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
+    # it would erroneously update `dist` on their branch (and the pull request)
+    if: github.repository == 'gradle/actions'
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         token: ${{ secrets.BOT_GITHUB_TOKEN }}
 
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
       with:
         node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
 
-    - name: Build distribution
+    - name: Install npm dependencies
       run: |
         npm clean-install
+      working-directory: sources
+
+    - name: Build distribution
+      run: |
         npm run check
         npm run compile
       working-directory: sources
-    
+      env:
+        NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
+        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
+
     - name: Copy the generated sources/dist directory to the top-level dist
       run: |
         cp -r sources/dist .
@@ -43,10 +57,7 @@ jobs:
     # Important: The push event will not trigger any other workflows, see
     # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
     - name: Commit & push changes
-      # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
-      # it would erroneously update `dist` on their branch (and the pull request)
-      if: github.repository == 'gradle/actions'
-      uses: stefanzweifel/git-auto-commit-action@v5
+      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
       with:
         commit_message: '[bot] Update dist directory'
         file_pattern: dist

.github/workflows/ci-validate-wrappers.yml

@@ -0,0 +1,17 @@
+name: CI-validate-wrappers
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
+        with:
+          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

.github/workflows/demo-job-summary.yml

@@ -3,12 +3,15 @@ name: Demo Job Summary, for Gradle builds
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
@@ -17,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -59,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -79,7 +82,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -100,7 +103,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/demo-pr-build-scan-comment.yml

@@ -4,23 +4,25 @@ on:
     types: [assigned, review_requested]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
   successful-build-with-always-comment:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -34,11 +36,13 @@ jobs:
       run: ./gradlew build --scan
 
   successful-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,11 +56,13 @@ jobs:
       run: ./gradlew build --scan
 
   failing-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-build-scan-publish.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   build-scan-publish:
     strategy:
@@ -27,15 +30,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -51,7 +49,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')   

.github/workflows/integ-test-cache-cleanup.yml

@@ -18,6 +18,9 @@ env:
   # Requires a fresh cache entry each run
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
 
+permissions:
+  contents: read
+
 jobs:
   cache-cleanup-full-build:
     strategy:
@@ -28,7 +31,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -51,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -74,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-caching-config.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   caching-config-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -58,7 +61,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -87,7 +90,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -101,7 +104,7 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -111,7 +114,7 @@ jobs:
     runs-on: ubuntu-latest # This test only runs on Ubuntu
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -125,7 +128,7 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -142,7 +145,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -166,7 +169,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-graph.yml

@@ -13,20 +13,20 @@ on:
         type: boolean
         default: false
 
-permissions:
-  contents: write
-
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
   dependency-graph-groovy-upload:
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -39,11 +39,13 @@ jobs:
       working-directory: .github/workflow-samples/groovy-dsl
 
   dependency-graph-groovy-submit:
+    permissions:
+      contents: write
     needs: [dependency-graph-groovy-upload]
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -55,10 +57,12 @@ jobs:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
 
   dependency-graph-kotlin-generate-and-submit:
+    permissions:
+      contents: write
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -71,10 +75,12 @@ jobs:
       working-directory: .github/workflow-samples/kotlin-dsl
 
   dependency-graph-multiple-builds:
+    permissions:
+      contents: write
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -112,10 +118,12 @@ jobs:
         fi
         
   dependency-graph-config-cache:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -145,3 +153,40 @@ jobs:
             ls -l dependency-graph-reports
             exit 1
         fi        
+
+  dependency-graph-generate-submit-and-upload:
+    permissions:
+      contents: write
+    runs-on: "ubuntu-latest"
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Initialize integ-test
+      uses: ./.github/actions/init-integ-test
+
+    - name: Setup Gradle for dependency-graph generate
+      uses: ./setup-gradle
+      with:
+        dependency-graph: generate-submit-and-upload
+    - name: Run gradle build
+      id: gradle-build
+      run: ./gradlew build
+      working-directory: .github/workflow-samples/groovy-dsl
+
+  dependency-graph-generate-submit-and-upload-check:
+    needs: [dependency-graph-generate-submit-and-upload]
+    runs-on: "ubuntu-latest"
+    steps:
+    - name: Download dependency-graph artifact
+      uses: actions/download-artifact@v4
+      with:
+        path: downloaded-dependency-graphs
+        pattern: dependency-graph_*dependency-graph-generate-submit-and-upload.json
+    - name: Check for downloaded dependency graphs
+      shell: bash
+      run: |
+        ls -A "${{ github.workspace }}/downloaded-dependency-graphs"
+        if [ -z "$(ls -A "${{ github.workspace }}/downloaded-dependency-graphs")" ]; then
+          echo "No dependency graph files found"
+          exit 1
+        fi

.github/workflows/integ-test-dependency-submission-failures.yml

@@ -18,12 +18,15 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
   dependency-submission-failures-failing-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,7 +55,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -83,7 +86,7 @@ jobs:
       contents: read
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-submission.yml

@@ -13,16 +13,18 @@ on:
         type: boolean
         default: false
 
-permissions:
-  contents: write
-
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
   dependency-submission-groovy-generate-and-upload:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -31,7 +33,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -45,6 +47,8 @@ jobs:
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
   dependency-submission-groovy-restore-cache:
+    permissions:
+      contents: write
     needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
       max-parallel: 1
@@ -54,7 +58,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -67,6 +71,8 @@ jobs:
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
   dependency-submission-groovy-download-and-submit:
+    permissions:
+      contents: write
     needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
       max-parallel: 1
@@ -76,7 +82,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -88,6 +94,8 @@ jobs:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
 
   dependency-submission-kotlin-generate-and-submit:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -96,7 +104,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -106,6 +114,8 @@ jobs:
         build-root-directory: .github/workflow-samples/kotlin-dsl
 
   dependency-submission-multiple-builds:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -114,7 +124,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -152,6 +162,8 @@ jobs:
         fi
 
   dependency-submission-multiple-builds-upload:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -160,7 +172,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -176,10 +188,12 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   dependency-submission-config-cache:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -211,6 +225,8 @@ jobs:
         fi
 
   dependency-submission-gradle-versions:
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -224,7 +240,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -235,10 +251,12 @@ jobs:
         build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
 
   dependency-submission-with-setup-gradle:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -270,10 +288,12 @@ jobs:
         fi
 
   dependency-submission-with-includes-and-excludes:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -304,6 +324,8 @@ jobs:
 
 
   dependency-submission-custom-report-dir-submit:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -312,7 +334,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -339,10 +361,12 @@ jobs:
         fi
 
   dependency-submission-custom-report-dir-upload:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -355,11 +379,13 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   custom-report-dir-download-and-submit:
+    permissions:
+      contents: write
     needs: [dependency-submission-custom-report-dir-upload]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-detect-toolchains.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   # Test that pre-installed runner JDKs are detected
   detect-toolchains-pre-installed-jdks:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -57,17 +60,17 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java 20
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         distribution: 'temurin'
         java-version: 20
     - name: Setup Java 16
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         distribution: 'temurin'
         java-version: 16

.github/workflows/integ-test-inject-develocity.yml

@@ -20,38 +20,36 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   inject-develocity:
     env:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: https://ge.solutions-team.gradle.com
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.1'
       ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
     strategy:
       fail-fast: false
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.18.1]
+        plugin-version: [3.16.2, 3.19.1]
         include:
         - plugin-version: 3.16.2
           accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
-        - plugin-version: 3.18.1
+        - plugin-version: 3.19.1
           accessKeyEnv: DEVELOCITY_ACCESS_KEY
 
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -64,7 +62,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -78,24 +76,19 @@ jobs:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.1'
     strategy:
       fail-fast: false
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.18.1]
+        plugin-version: [3.16.2, 3.19.1]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -114,7 +107,7 @@ jobs:
         run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('No Build Scan detected')
@@ -124,7 +117,7 @@ jobs:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: 'https://localhost:3333/'
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.1'
       # Access key also set as an env var, we want to check it does not leak
       GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
       DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -133,19 +126,14 @@ jobs:
       matrix:
         gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.18.1 ]
+        plugin-version: [ 3.16.2, 3.19.1 ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
 
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -169,18 +157,13 @@ jobs:
       matrix:
         gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.18.1 ]
+        plugin-version: [ 3.16.2, 3.19.1 ]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -196,7 +179,7 @@ jobs:
         run: gradle help
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('No Build Scan detected')

.github/workflows/integ-test-provision-gradle-versions.yml

@@ -18,6 +18,9 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 
+permissions:
+  contents: read
+
 jobs:   
   # Tests for executing with different Gradle versions. 
   # Each build verifies that it is executed with the expected Gradle version.
@@ -30,7 +33,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -66,7 +69,7 @@ jobs:
       run: gradle help
     - name: Check current version output parameter
       if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
@@ -75,7 +78,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        gradle: ["8.10", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
+        gradle: ["8.13-milestone-2", "8.12", "8.12-rc-1", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
         os: ${{fromJSON(inputs.runner-os)}}
         include:
           - java-version: 11
@@ -92,12 +95,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         distribution: temurin
         java-version: ${{ matrix.java-version }}
@@ -109,7 +112,7 @@ jobs:
         gradle-version: ${{ matrix.gradle }}
     - name: Check output parameter
       if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -119,7 +122,7 @@ jobs:
       run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')    

.github/workflows/integ-test-restore-configuration-cache.yml

@@ -20,6 +20,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-cc-seed-build-groovy:
     env:
@@ -32,22 +35,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
@@ -65,22 +62,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false
         cache-cleanup: on-success
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -107,21 +98,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -148,15 +133,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle with no extracted cache entries restored
       uses: ./setup-gradle
       env: 
@@ -164,7 +144,6 @@ jobs:
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Check execute Gradle build with configuration cache enabled (but not restored)
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
@@ -180,22 +159,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'help' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle help --configuration-cache
@@ -213,21 +186,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'test' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle test --configuration-cache
@@ -246,21 +213,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'test' again with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/kotlin-dsl

.github/workflows/integ-test-restore-containerized-gradle-home.yml

@@ -14,13 +14,16 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-containerized-seed-build:
     runs-on: ubuntu-latest
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -39,7 +42,7 @@ jobs:
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-custom-gradle-home.yml

@@ -14,12 +14,15 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-custom-gradle-home-seed-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -41,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -63,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-gradle-home.yml

@@ -18,6 +18,9 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
 
+permissions:
+  contents: read
+
 jobs:
   restore-gradle-home-seed-build:
     strategy:
@@ -28,7 +31,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -51,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -74,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -97,7 +100,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -122,7 +125,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-java-toolchain.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-java-toolchain-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -50,7 +53,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-gradle-plugin.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   sample-gradle-plugin-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -49,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-kotlin-dsl.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   sample-kotlin-dsl-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -49,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-wrapper-validation.yml

@@ -13,6 +13,9 @@ on:
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
 
+permissions:
+  contents: read
+
 jobs:
   wrapper-validation-setup-gradle:
     strategy:
@@ -22,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -45,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -74,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -107,7 +110,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -137,7 +140,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4 # Checkout the repository with no wrappers
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Checkout the repository with no wrappers
       with:
         sparse-checkout: |
           .github/actions

.github/workflows/suite-integ-test-caching.yml

@@ -10,6 +10,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   cache-cleanup:
     uses: ./.github/workflows/integ-test-cache-cleanup.yml

.github/workflows/suite-integ-test-other.yml

@@ -10,6 +10,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   build-scan-publish:
     uses: ./.github/workflows/integ-test-build-scan-publish.yml

.github/workflows/update-checksums-file.yml

@@ -7,20 +7,22 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-checksums:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Update checksums
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 20
           cache: npm
@@ -28,7 +30,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          npm install typed-rest-client@1.8.11 --no-save
+          npm clean-install typed-rest-client@1.8.11 --no-save
         working-directory: sources
 
       - name: Update checksums file
@@ -37,7 +39,7 @@ jobs:
 
       # If there are no changes, this action will not create a pull request
       - name: Create or update pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
         with:
           branch: bot/wrapper-checksums-update
           commit-message: Update known wrapper checksums

CONTRIBUTING.md

@@ -3,8 +3,9 @@
 The `build` script in the project root provides a convenient way to perform many local build tasks:
 1. `./build` will lint and compile typescript sources
 2. `./build all` will lint and compile typescript and run unit tests
-3. `./build init-scripts` will run the init-script integration tests
-4. `./build act <act-commands>` will run `act` after building local changes (see below)
+3. `./build install` will install npm packages followed by lint and compile
+4. `./build init-scripts` will run the init-script integration tests
+5. `./build act <act-commands>` will run `act` after building local changes (see below)
 
 ## Using `act` to run integ-test workflows locally
 

README.md

@@ -1,5 +1,7 @@
 # GitHub Actions for Gradle builds
 
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gradle/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/gradle/actions)
+
 This repository contains a set of GitHub Actions that are useful for building Gradle projects on GitHub.
 
 ## The `setup-gradle` action

build

@@ -2,14 +2,18 @@
 
 cd sources
 
+if [[ -f ~/.gradle/develocity/keys.properties ]]; then
+    export NODE_OPTIONS='-r @gradle/develocity-agent/preload'
+    export DEVELOCITY_URL=https://ge.solutions-team.gradle.com
+    export DEVELOCITY_ACCESS_KEY=$(paste -sd ';' ~/.gradle/develocity/keys.properties)
+fi
+
 case "$1" in
     all)
-        npm clean-install
         npm run all
         ;;
     act)
         # Build and copy outputs to the dist directory
-        npm install
         npm run build
         cd ..
         cp -r sources/dist .
@@ -18,18 +22,25 @@ case "$1" in
         # Revert the changes to the dist directory
         git checkout -- dist
         ;;
-    init-scripts)
-        cd test/init-scripts
-        ./gradlew check
-        ;;
     dist)
-        npm install
+        npm clean-install
         npm run build
         cd ..
         cp -r sources/dist .
         ;;
+    init-scripts)
+        cd test/init-scripts
+        ./gradlew check
+        ;;
+    install)
+        npm clean-install
+        npm run build
+        ;;
+    test)
+        shift
+        npm test -- $@
+        ;;
     *)
-        npm install
         npm run build
         ;;
 esac

dependency-submission/action.yml

@@ -96,17 +96,20 @@ inputs:
   # Dependency Graph configuration
   dependency-graph:
     description: |
-      Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
+      Specifies how the dependency-graph should be handled by this action. 
+      By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
       Valid values are:
-        'generate-and-submit' (default): Generates a dependency graph for the project and submits it in the same Job.
-        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact.
+        'generate-and-submit': Generates a dependency graph for the project and submits it in the same Job.
+        'generate-submit-and-upload (default)': As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
+        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
         'download-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.
 
+      Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
       The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
       where the workflow generating the dependency-graph cannot (or should not) be given the `contents: write` permissions
       required to submit via the Dependency Submission API.
     required: false
-    default: 'generate-and-submit'
+    default: 'generate-submit-and-upload'
 
   dependency-graph-report-dir:
     description: |
@@ -147,7 +150,6 @@ inputs:
   artifact-retention-days:
     description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
     required: false
-    default: 1
 
   # Build Scan configuration
   build-scan-publish:

docs/dependency-submission.md

@@ -103,6 +103,9 @@ In some cases, the default action configuration will not be sufficient, and addi
         # Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
         dependency-graph: generate-and-upload
 
+        # Change the number of days that workflow artifacts are retained. (Default is 30 days).
+        artifact-retention-days: 5
+
         # Specify the location where dependency graph files will be generated.
         dependency-graph-report-dir: custom-report-dir
 
@@ -118,6 +121,29 @@ The `GitHub Dependency Graph Gradle Plugin` can be further
 These will be automatically set by the `dependency-submission` action, but you may override these values 
 by setting them explicitly in your workflow file.
 
+### Reducing storage costs for saved dependency graph artifacts
+
+By default, the dependency graph that is generated is stored as a workflow artifact.
+To reduce storage costs for these artifacts, you can:
+
+1. Set the `artifact-retention-days`:
+
+```yaml
+    - name: Generate dependency graph but only store workflow artifacts for 1 day
+      uses: gradle/actions/dependency-submission@v4
+      with:
+        artifact-retention-days: 1 # Default is 30 days or as configured for repository
+```
+
+2. Disable storing dependency-graph artifacts using `generate-and-submit`
+
+```yaml
+    - name: Generate and submit dependency graph but do not store as workflow artifact
+      uses: gradle/actions/dependency-submission@v4
+      with:
+        dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
+```
+
 # Resolving a dependency vulnerability
 
 ## Finding the source of a dependency vulnerability
@@ -276,7 +302,7 @@ For example, if you want to exclude dependencies resolved by the `buildSrc` proj
       uses: gradle/actions/dependency-submission@v4
       with:
         # Exclude all dependencies that originate solely in the 'buildSrc' project
-        dependency-graph-exclude-projets: ':buildSrc'
+        dependency-graph-exclude-projects: ':buildSrc'
         # Exclude dependencies that are only resolved in test classpaths
         dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath'
 ```
@@ -295,12 +321,19 @@ The GitHub [dependency-review-action](https://github.com/actions/dependency-revi
 understand dependency changes (and the security impact of these changes) for a pull request,
 by comparing the dependency graph for the pull-request with that of the HEAD commit.
 
-Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
+Integrating the Dependency Review Action requires 2 changes to your workflows:
+
+#### 1. Add a `pull_request` trigger to your existing Dependency Submission workflow.
+
+In order to perform Dependency Review on a pull request, the dependency graph must be submitted for the pull request.
+To do this, simply add a `pull_request` trigger to your existing dependency submission workflow.
 
 ```yaml
-name: Dependency review for pull requests
+name: Dependency Submission
 
 on:
+  push:
+    branches: [ 'main' ]
   pull_request:
 
 permissions:
@@ -318,11 +351,37 @@ jobs:
 
     - name: Generate and submit dependency graph
       uses: gradle/actions/dependency-submission@v4
-
-    - name: Perform dependency review
-      uses: actions/dependency-review-action@v4
 ```
 
+#### 2. Add a dedicated Dependency Review workflow
+
+The Dependency Review workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
+submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
+
+Here's an example of a separate "Dependency Review" workflow that will wait up to 10 minutes for dependency submission to complete.
+
+```yaml
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+    - name: 'Dependency Review'
+      uses: actions/dependency-review-action@v4
+      with:
+        retry-on-snapshot-warnings: true
+        retry-on-snapshot-warnings-timeout: 600
+```
+
+The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the modified dependency-submission workflow to complete.
+
 ## Usage with pull requests from public forked repositories
 
 This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
@@ -381,36 +440,6 @@ jobs:
         dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```
 
-### Integrating `dependency-review-action` for pull requests from public forked repositories
-
-To integrate the `dependency-review-action` into the pull request workflows above, a third workflow file is required.
-This workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
-submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
-
-Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the above PR check workflow to complete.
-
-```yaml
-name: dependency-review
-
-on:
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    steps:
-    - name: 'Dependency Review'
-      uses: actions/dependency-review-action@v4
-      with:
-        retry-on-snapshot-warnings: true
-        retry-on-snapshot-warnings-timeout: 600
-```
-
-The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
-
 # Gradle version compatibility
 
 Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against 

docs/deprecation-upgrade-guide.md

@@ -101,7 +101,7 @@ The exact syntax depends on whether or not your project is configured with the [
 - name: Setup Gradle for a non-wrapper project
   uses: gradle/actions/setup-gradle@v4
   with:
-    gradle-version: "8.10"
+    gradle-version: "8.11"
 
 - name: Assemble the project
   run: gradle assemble

docs/setup-gradle.md

@@ -127,6 +127,8 @@ cache-disabled: true
 
 By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
 Jobs on other branches will read entries from the cache but will not write updated entries.
+
+This setup is designed around [GitHub imposed restrictions on cache access](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) and should work well in most scenarios.
 See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.
 
 In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
@@ -196,6 +198,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
 in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
 secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
 
+> [!IMPORTANT]
+> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
+
 To benefit from configuration caching in your GitHub Actions workflow, you must:
 - Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
 - Enable the configuration cache for your build.
@@ -216,11 +221,14 @@ jobs:
     - uses: gradle/actions/setup-gradle@v4
       with:
         gradle-version: 8.6
-        cache-encryption-key: ${{ secrets.GradleEncryptionKey }}
+        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
     - run: gradle build --configuration-cache
 ```
 
-> [!IMPORTANT]
+Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
+This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
+
+> [!NOTE]
 > The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
 > This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
 > This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@@ -430,6 +438,15 @@ so that a Job Summary is never generated, or so that a Job Summary is only gener
 add-job-summary: 'on-failure' # Valid values are 'always' (default), 'never', and 'on-failure'
 ```
 
+### Excluding specific Gradle builds from Job Summary
+
+The Job Summary works by installing an init-script in Gradle User Home which will record details of any Gradle execution during the workflow.
+This means that any Gradle excecution sharing the same Gradle User Home will show up in the Job Summary, which may include Gradle executions 
+run as part of integration testing.
+
+To avoid having these test builds show up in the Job Summary, add the `GRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true` environment variable
+to the process that executes Gradle. This will stop the init-script from collecting any build results.
+
 ### Adding Job Summary as a Pull Request comment
 
 It is sometimes more convenient to view the results of a GitHub Actions Job directly from the Pull Request that triggered
@@ -502,7 +519,7 @@ jobs:
       if: always()
       with:
         name: build-reports
-        path: build/reports/
+        path: **/build/reports/
 ```
 
 ### Use of custom init-scripts in Gradle User Home
@@ -710,20 +727,6 @@ A known exception to this is that Gradle `7.0`, `7.0.1`, and `7.0.2` are not sup
 
 See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
 
-### Reducing storage costs for saved dependency graph artifacts
-
-When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact.
-By default, these artifacts are retained for 30 days (or as configured for the repository).
-To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number.
-
-```yaml
-    - name: Generate dependency graph, but only retain artifact for one day
-      uses: gradle/actions/setup-gradle@v4
-      with:
-        dependency-graph: generate
-        artifact-retention-days: 1
-```
-
 # Develocity Build Scan® integration
 
 Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
@@ -841,7 +844,7 @@ Here's a minimal example:
       run: ./gradlew build
 ```
 
-This configuration will automatically apply `v3.18.1` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.19.1` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
 
 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
@@ -907,8 +910,8 @@ Here's an example using the env vars:
         DEVELOCITY_INJECTION_ENABLED: true
         DEVELOCITY_URL: https://develocity.your-server.com
         DEVELOCITY_ENFORCE_URL: true
-        DEVELOCITY_PLUGIN_VERSION: "3.18.1"
-        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.0.2"
+        DEVELOCITY_PLUGIN_VERSION: "3.19"
+        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.1"
 ```
 
 # Dependency verification

docs/wrapper-validation.md

@@ -102,7 +102,8 @@ A wrapper jar can fail validation for a few reasons:
 1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
    or `allow-snapshot-wrappers` to `true`.
 2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
-3. The wrapper jar was not published by Gradle, and could be compromised.
+3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
+4. The wrapper jar was not published by Gradle, and could be compromised.
 
 If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
@@ -113,6 +114,17 @@ Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable beca
 - If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
 - If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
 
+#### Wrapper Jar stored with Git LFS
+If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
+restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
+
+```
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          lfs: true  # gradle-wrapper.jar verification will fail without this
+```
+
 ## Resources
 
 To learn more about verifying the Gradle Wrapper JAR locally, see our

setup-gradle/action.yml

@@ -80,7 +80,7 @@ inputs:
   dependency-graph:
     description: |
       Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
-      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', and 'download-and-submit'.
+      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-submit-and-upload', 'generate-and-upload', and 'download-and-submit'.
     required: false
     default: 'disabled'
 

sources/.tool-versions

@@ -1,3 +1,3 @@
 # Configuration file for asdf version manager
 nodejs 20.10.0
-gradle 8.10
+gradle 8.12.1

sources/package.json

@@ -32,40 +32,41 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "2.1.9",
-    "@actions/cache": "3.2.4",
-    "@actions/core": "1.10.1",
+    "@actions/artifact": "2.2.1",
+    "@actions/cache": "4.0.0",
+    "@actions/core": "1.11.1",
     "@actions/exec": "1.1.1",
     "@actions/github": "6.0.0",
     "@actions/glob": "0.5.0",
     "@actions/http-client": "2.2.3",
-    "@actions/tool-cache": "2.0.1",
-    "@octokit/rest": "21.0.2",
-    "@octokit/webhooks-types": "7.5.1",
+    "@actions/tool-cache": "2.0.2",
+    "@octokit/rest": "21.1.0",
+    "@octokit/webhooks-types": "7.6.1",
     "cheerio": "^1.0.0",
     "semver": "7.6.3",
     "string-argv": "0.3.2",
-    "typed-rest-client": "2.0.2",
+    "typed-rest-client": "2.1.0",
     "unhomoglyph": "1.0.6",
-    "which": "4.0.0"
+    "which": "5.0.0"
   },
   "devDependencies": {
-    "@types/jest": "29.5.13",
-    "@types/node": "20.16.5",
+    "@gradle/develocity-agent": "https://develocity-npm-pkgs.gradle.com/gradle-develocity-agent-0.9.0.tgz",
+    "@types/jest": "29.5.14",
+    "@types/node": "20.17.16",
     "@types/unzipper": "0.10.10",
     "@types/which": "3.0.4",
     "@typescript-eslint/parser": "7.18.0",
-    "@vercel/ncc": "0.38.1",
-    "eslint": "8.57.0",
-    "eslint-plugin-github": "5.0.2",
-    "eslint-plugin-jest": "28.8.3",
+    "@vercel/ncc": "0.38.3",
+    "eslint": "8.57.1",
+    "eslint-plugin-github": "5.1.6",
+    "eslint-plugin-jest": "28.11.0",
     "jest": "29.7.0",
     "js-yaml": "4.1.0",
-    "nock": "13.5.5",
+    "nock": "13.5.6",
     "npm-run-all": "4.1.5",
     "patch-package": "8.0.0",
-    "prettier": "3.3.3",
+    "prettier": "3.4.2",
     "ts-jest": "29.2.5",
-    "typescript": "5.6.2"
+    "typescript": "5.7.3"
   }
 }

sources/patches/@actions+cache+3.2.4.patch

@@ -1,113 +0,0 @@
-diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
-index 4658366..b796e58 100644
---- a/node_modules/@actions/cache/lib/cache.d.ts
-+++ b/node_modules/@actions/cache/lib/cache.d.ts
-@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
-  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
-  * @returns string returns the key for the cache hit, otherwise returns undefined
-  */
--export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
-+export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
- /**
-  * Saves a list of files with the specified key
-  *
-@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
-  * @param options cache upload options
-  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
-  */
--export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
-+export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
-+
-+// PATCHED: Add `CacheEntry` as return type for save/restore functions
-+// This allows us to track and report on cache entry sizes.
-+export declare class CacheEntry {
-+    key: string;
-+    size?: number;
-+    constructor(key: string, size?: number);
-+}
-diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
-index 9d636aa..a176bd7 100644
---- a/node_modules/@actions/cache/lib/cache.js
-+++ b/node_modules/@actions/cache/lib/cache.js
-@@ -127,18 +127,21 @@ function restoreCache(paths, primaryKey, restoreKeys, options, enableCrossOsArch
-             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
-             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
-             core.info('Cache restored successfully');
--            return cacheEntry.cacheKey;
--        }
--        catch (error) {
--            const typedError = error;
--            if (typedError.name === ValidationError.name) {
--                throw error;
--            }
--            else {
--                // Supress all non-validation cache related errors because caching should be optional
--                core.warning(`Failed to restore: ${error.message}`);
--            }
-+
-+            // PATCHED - Return more inforamtion about restored entry
-+            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
-         }
-+        // PATCHED - propagate errors
-+        // catch (error) {
-+        //     const typedError = error;
-+        //     if (typedError.name === ValidationError.name) {
-+        //         throw error;
-+        //     }
-+        //     else {
-+        //         // Supress all non-validation cache related errors because caching should be optional
-+        //         core.warning(`Failed to restore: ${error.message}`);
-+        //     }
-+        // }
-         finally {
-             // Try to delete the archive to save space
-             try {
-@@ -206,19 +209,23 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
-             }
-             core.debug(`Saving Cache (ID: ${cacheId})`);
-             yield cacheHttpClient.saveCache(cacheId, archivePath, options);
-+
-+            // PATCHED - Return more inforamtion about saved entry
-+            return new CacheEntry(key, archiveFileSize);
-         }
--        catch (error) {
--            const typedError = error;
--            if (typedError.name === ValidationError.name) {
--                throw error;
--            }
--            else if (typedError.name === ReserveCacheError.name) {
--                core.info(`Failed to save: ${typedError.message}`);
--            }
--            else {
--                core.warning(`Failed to save: ${typedError.message}`);
--            }
--        }
-+        // PATCHED - propagate errors
-+        // catch (error) {
-+        //     const typedError = error;
-+        //     if (typedError.name === ValidationError.name) {
-+        //         throw error;
-+        //     }
-+        //     else if (typedError.name === ReserveCacheError.name) {
-+        //         core.info(`Failed to save: ${typedError.message}`);
-+        //     }
-+        //     else {
-+        //         core.warning(`Failed to save: ${typedError.message}`);
-+        //     }
-+        // }
-         finally {
-             // Try to delete the archive to save space
-             try {
-@@ -232,4 +239,11 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
-     });
- }
- exports.saveCache = saveCache;
-+class CacheEntry {
-+    constructor(key, size) {
-+        this.key = key;
-+        this.size = size;
-+    }
-+}
-+exports.CacheEntry = CacheEntry;
- //# sourceMappingURL=cache.js.map
-\ No newline at end of file

sources/patches/@actions+cache+4.0.0.patch

@@ -0,0 +1,183 @@
+diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
+index ef0928b..4e2f570 100644
+--- a/node_modules/@actions/cache/lib/cache.d.ts
++++ b/node_modules/@actions/cache/lib/cache.d.ts
+@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
+  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
+  * @returns string returns the key for the cache hit, otherwise returns undefined
+  */
+-export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
++export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
+ /**
+  * Saves a list of files with the specified key
+  *
+@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
+  * @param options cache upload options
+  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
+  */
+-export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
++export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
++
++// PATCHED: Add `CacheEntry` as return type for save/restore functions
++// This allows us to track and report on cache entry sizes.
++export declare class CacheEntry {
++    key: string;
++    size?: number;
++    constructor(key: string, size?: number);
++}
+\ No newline at end of file
+diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
+index 45201b6..2654e4b 100644
+--- a/node_modules/@actions/cache/lib/cache.js
++++ b/node_modules/@actions/cache/lib/cache.js
+@@ -154,18 +154,21 @@ function restoreCacheV1(paths, primaryKey, restoreKeys, options, enableCrossOsAr
+             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
+             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
+             core.info('Cache restored successfully');
+-            return cacheEntry.cacheKey;
+-        }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else {
+-                // Supress all non-validation cache related errors because caching should be optional
+-                core.warning(`Failed to restore: ${error.message}`);
+-            }
++
++            // PATCHED - Include size of restored entry
++            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
+         }
++            // PATCHED - propagate errors
++            // catch (error) {
++            //     const typedError = error;
++            //     if (typedError.name === ValidationError.name) {
++            //         throw error;
++            //     }
++            //     else {
++            //         // Supress all non-validation cache related errors because caching should be optional
++            //         core.warning(`Failed to restore: ${error.message}`);
++            //     }
++            // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -232,18 +235,21 @@ function restoreCacheV2(paths, primaryKey, restoreKeys, options, enableCrossOsAr
+             }
+             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
+             core.info('Cache restored successfully');
+-            return response.matchedKey;
+-        }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else {
+-                // Supress all non-validation cache related errors because caching should be optional
+-                core.warning(`Failed to restore: ${error.message}`);
+-            }
++
++            // PATCHED - Include size of restored entry
++            return new CacheEntry(response.matchedKey, archiveFileSize);;
+         }
++            // PATCHED - propagate errors
++            // catch (error) {
++            //     const typedError = error;
++            //     if (typedError.name === ValidationError.name) {
++            //         throw error;
++            //     }
++            //     else {
++            //         // Supress all non-validation cache related errors because caching should be optional
++            //         core.warning(`Failed to restore: ${error.message}`);
++            //     }
++            // }
+         finally {
+             try {
+                 if (archivePath) {
+@@ -334,19 +340,23 @@ function saveCacheV1(paths, key, options, enableCrossOsArchive = false) {
+             }
+             core.debug(`Saving Cache (ID: ${cacheId})`);
+             yield cacheHttpClient.saveCache(cacheId, archivePath, '', options);
++
++            // PATCHED - Include size of saved entry
++            return new CacheEntry(key, archiveFileSize);
+         }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else if (typedError.name === ReserveCacheError.name) {
+-                core.info(`Failed to save: ${typedError.message}`);
+-            }
+-            else {
+-                core.warning(`Failed to save: ${typedError.message}`);
+-            }
+-        }
++            // PATCHED - propagate errors
++            // catch (error) {
++            //     const typedError = error;
++            //     if (typedError.name === ValidationError.name) {
++            //         throw error;
++            //     }
++            //     else if (typedError.name === ReserveCacheError.name) {
++            //         core.info(`Failed to save: ${typedError.message}`);
++            //     }
++            //     else {
++            //         core.warning(`Failed to save: ${typedError.message}`);
++            //     }
++            // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -422,19 +432,23 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
+                 throw new Error(`Unable to finalize cache with key ${key}, another job may be finalizing this cache.`);
+             }
+             cacheId = parseInt(finalizeResponse.entryId);
++
++            // PATCHED - Include size of saved entry
++            return new CacheEntry(key, archiveFileSize);
+         }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else if (typedError.name === ReserveCacheError.name) {
+-                core.info(`Failed to save: ${typedError.message}`);
+-            }
+-            else {
+-                core.warning(`Failed to save: ${typedError.message}`);
+-            }
+-        }
++            // PATCHED - propagate errors
++            // catch (error) {
++            //     const typedError = error;
++            //     if (typedError.name === ValidationError.name) {
++            //         throw error;
++            //     }
++            //     else if (typedError.name === ReserveCacheError.name) {
++            //         core.info(`Failed to save: ${typedError.message}`);
++            //     }
++            //     else {
++            //         core.warning(`Failed to save: ${typedError.message}`);
++            //     }
++            // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -447,4 +461,11 @@ function saveCacheV2(paths, key, options, enableCrossOsArchive = false) {
+         return cacheId;
+     });
+ }
++// PATCHED - CacheEntry class
++class CacheEntry {
++    constructor(key, size) {
++        this.key = key;
++        this.size = size;
++    }
++}
+ //# sourceMappingURL=cache.js.map
+\ No newline at end of file

sources/src/build-results.ts

@@ -1,5 +1,6 @@
 import * as fs from 'fs'
 import * as path from 'path'
+import {versionIsAtLeast} from './execution/gradle'
 
 export interface BuildResult {
     get rootProjectName(): string
@@ -32,6 +33,18 @@ export class BuildResults {
         const allHomes = this.results.map(buildResult => buildResult.gradleHomeDir)
         return Array.from(new Set(allHomes))
     }
+
+    highestGradleVersion(): string | null {
+        if (this.results.length === 0) {
+            return null
+        }
+        return this.results
+            .map(result => result.gradleVersion)
+            .reduce((maxVersion: string, currentVersion: string) => {
+                if (!maxVersion) return currentVersion
+                return versionIsAtLeast(currentVersion, maxVersion) ? currentVersion : maxVersion
+            })
+    }
 }
 
 export function loadBuildResults(): BuildResults {

sources/src/caching/cache-cleaner.ts

@@ -4,6 +4,9 @@ import * as exec from '@actions/exec'
 import fs from 'fs'
 import path from 'path'
 import * as provisioner from '../execution/provision'
+import {BuildResult, BuildResults} from '../build-results'
+import {versionIsAtLeast} from '../execution/gradle'
+import {gradleWrapperScript} from '../execution/gradlew'
 
 export class CacheCleaner {
     private readonly gradleUserHome: string
@@ -21,13 +24,51 @@ export class CacheCleaner {
         return timestamp
     }
 
-    async forceCleanup(): Promise<void> {
+    async forceCleanup(buildResults: BuildResults): Promise<void> {
+        const executable = await this.gradleExecutableForCleanup(buildResults)
         const cleanTimestamp = core.getState('clean-timestamp')
-        await this.forceCleanupFilesOlderThan(cleanTimestamp)
+        await this.forceCleanupFilesOlderThan(cleanTimestamp, executable)
+    }
+
+    /**
+     * Attempt to use the newest Gradle version that was used to run a build, at least 8.11.
+     *
+     * This will avoid the need to provision a Gradle version for the cleanup when not necessary.
+     */
+    private async gradleExecutableForCleanup(buildResults: BuildResults): Promise<string> {
+        const preferredVersion = buildResults.highestGradleVersion()
+        if (preferredVersion && versionIsAtLeast(preferredVersion, '8.11')) {
+            try {
+                const wrapperScripts = buildResults.results
+                    .map(result => this.findGradleWrapperScript(result))
+                    .filter(Boolean) as string[]
+
+                return await provisioner.provisionGradleWithVersionAtLeast(preferredVersion, wrapperScripts)
+            } catch (e) {
+                // Ignore the case where the preferred version cannot be located in https://services.gradle.org/versions/all.
+                // This can happen for snapshot Gradle versions.
+                core.info(
+                    `Failed to provision Gradle ${preferredVersion} for cache cleanup. Falling back to default version.`
+                )
+            }
+        }
+
+        // Fallback to the minimum version required for cache-cleanup
+        return await provisioner.provisionGradleWithVersionAtLeast('8.11')
+    }
+
+    private findGradleWrapperScript(result: BuildResult): string | null {
+        try {
+            const wrapperScript = gradleWrapperScript(result.rootProjectDir)
+            return path.resolve(result.rootProjectDir, wrapperScript)
+        } catch (error) {
+            core.debug(`No Gradle Wrapper found for ${result.rootProjectName}: ${error}`)
+            return null
+        }
     }
 
     // Visible for testing
-    async forceCleanupFilesOlderThan(cleanTimestamp: string): Promise<void> {
+    async forceCleanupFilesOlderThan(cleanTimestamp: string, executable: string): Promise<void> {
         // Run a dummy Gradle build to trigger cache cleanup
         const cleanupProjectDir = path.resolve(this.tmpDir, 'dummy-cleanup-project')
         fs.mkdirSync(cleanupProjectDir, {recursive: true})
@@ -44,20 +85,17 @@ export class CacheCleaner {
                 settings.caches {
                     cleanup = Cleanup.ALWAYS
             
-                    releasedWrappers.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    snapshotWrappers.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    downloadedResources.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    createdResources.removeUnusedEntriesOlderThan.set(cleanupTime)
-                    buildCache.removeUnusedEntriesOlderThan.set(cleanupTime)
+                    releasedWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    snapshotWrappers.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    downloadedResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    createdResources.setRemoveUnusedEntriesOlderThan(cleanupTime)
+                    buildCache.setRemoveUnusedEntriesOlderThan(cleanupTime)
                 }
             }
             `
         )
         fs.writeFileSync(path.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}')
 
-        // Gradle >= 8.9 required for cache cleanup
-        const executable = await provisioner.provisionGradleAtLeast('8.9')
-
         await core.group('Executing Gradle to clean up caches', async () => {
             core.info(`Cleaning up caches last used before ${cleanTimestamp}`)
             await this.executeCleanupBuild(executable, cleanupProjectDir)
@@ -75,14 +113,12 @@ export class CacheCleaner {
             '--no-scan',
             '--build-cache',
             '-DGITHUB_DEPENDENCY_GRAPH_ENABLED=false',
+            '-DGRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true',
             'noop'
         ]
 
-        const result = await exec.getExecOutput(executable, args, {
-            cwd: cleanupProjectDir,
-            silent: true
+        await exec.exec(executable, args, {
+            cwd: cleanupProjectDir
         })
-
-        core.info(result.stdout)
     }
 }

sources/src/caching/cache-reporting.ts

@@ -4,7 +4,7 @@ export const DEFAULT_CACHE_ENABLED_REASON = `[Cache was enabled](https://github.
 
 export const DEFAULT_READONLY_REASON = `[Cache was read-only](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-read-only). By default, the action will only write to the cache for Jobs running on the default branch.`
 
-export const DEFAULT_DISABLED_REASON = `[Cache was disabled](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#disabling-caching) via action confiugration. Gradle User Home was not restored from or saved to the cache.`
+export const DEFAULT_DISABLED_REASON = `[Cache was disabled](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#disabling-caching) via action configuration. Gradle User Home was not restored from or saved to the cache.`
 
 export const DEFAULT_WRITEONLY_REASON = `[Cache was set to write-only](https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#using-the-cache-write-only) via action configuration. Gradle User Home was not restored from cache.`
 
@@ -110,10 +110,12 @@ export class CacheEntryListener {
     requestedRestoreKeys: string[] | undefined
     restoredKey: string | undefined
     restoredSize: number | undefined
+    restoredTime: number | undefined
     notRestored: string | undefined
 
     savedKey: string | undefined
     savedSize: number | undefined
+    savedTime: number | undefined
     notSaved: string | undefined
 
     constructor(entryName: string) {
@@ -130,9 +132,10 @@ export class CacheEntryListener {
         return this
     }
 
-    markRestored(key: string, size: number | undefined): CacheEntryListener {
+    markRestored(key: string, size: number | undefined, time: number): CacheEntryListener {
         this.restoredKey = key
         this.restoredSize = size
+        this.restoredTime = time
         return this
     }
 
@@ -141,9 +144,10 @@ export class CacheEntryListener {
         return this
     }
 
-    markSaved(key: string, size: number | undefined): CacheEntryListener {
+    markSaved(key: string, size: number | undefined, time: number): CacheEntryListener {
         this.savedKey = key
         this.savedSize = size
+        this.savedTime = time
         return this
     }
 
@@ -182,14 +186,16 @@ ${renderEntryTable(entries)}
 function renderEntryTable(entries: CacheEntryListener[]): string {
     return `
 <table>
-    <tr><td></td><th>Count</th><th>Total Size (Mb)</th></tr>
+    <tr><td></td><th>Count</th><th>Total Size (Mb)</th><th>Total Time (ms)</tr>
     <tr><td>Entries Restored</td>
         <td>${getCount(entries, e => e.restoredSize)}</td>
         <td>${getSize(entries, e => e.restoredSize)}</td>
+        <td>${getTime(entries, e => e.restoredTime)}</td>
     </tr>
     <tr><td>Entries Saved</td>
         <td>${getCount(entries, e => e.savedSize)}</td>
         <td>${getSize(entries, e => e.savedSize)}</td>
+        <td>${getTime(entries, e => e.savedTime)}</td>
     </tr>
 </table>
     `
@@ -202,9 +208,11 @@ function renderEntryDetails(listener: CacheListener): string {
     Requested Key : ${entry.requestedKey ?? ''}
     Restored  Key : ${entry.restoredKey ?? ''}
               Size: ${formatSize(entry.restoredSize)}
+              Time: ${formatTime(entry.restoredTime)}
               ${getRestoredMessage(entry, listener.cacheWriteOnly)}
     Saved     Key : ${entry.savedKey ?? ''}
               Size: ${formatSize(entry.savedSize)}
+              Time: ${formatTime(entry.savedTime)}
               ${getSavedMessage(entry, listener.cacheReadOnly)}
 `
         )
@@ -264,9 +272,23 @@ function getSize(
     return Math.round(bytes / (1024 * 1024))
 }
 
+function getTime(
+    cacheEntries: CacheEntryListener[],
+    predicate: (value: CacheEntryListener) => number | undefined
+): number {
+    return cacheEntries.map(e => predicate(e) ?? 0).reduce((p, v) => p + v, 0)
+}
+
 function formatSize(bytes: number | undefined): string {
     if (bytes === undefined || bytes === 0) {
         return ''
     }
     return `${Math.round(bytes / (1024 * 1024))} MB (${bytes} B)`
 }
+
+function formatTime(ms: number | undefined): string {
+    if (ms === undefined || ms === 0) {
+        return ''
+    }
+    return `${ms} ms`
+}

sources/src/caching/cache-utils.ts

@@ -38,13 +38,16 @@ export async function restoreCache(
 ): Promise<cache.CacheEntry | undefined> {
     listener.markRequested(cacheKey, cacheRestoreKeys)
     try {
+        const startTime = Date.now()
         // Only override the read timeout if the SEGMENT_DOWNLOAD_TIMEOUT_MINS env var has NOT been set
         const cacheRestoreOptions = process.env[SEGMENT_DOWNLOAD_TIMEOUT_VAR]
             ? {}
             : {segmentTimeoutInMs: SEGMENT_DOWNLOAD_TIMEOUT_DEFAULT}
         const restoredEntry = await cache.restoreCache(cachePath, cacheKey, cacheRestoreKeys, cacheRestoreOptions)
         if (restoredEntry !== undefined) {
-            listener.markRestored(restoredEntry.key, restoredEntry.size)
+            const restoreTime = Date.now() - startTime
+            listener.markRestored(restoredEntry.key, restoredEntry.size, restoreTime)
+            core.info(`Restored cache entry with key ${cacheKey} to ${cachePath.join()} in ${restoreTime}ms`)
         }
         return restoredEntry
     } catch (error) {
@@ -56,8 +59,11 @@ export async function restoreCache(
 
 export async function saveCache(cachePath: string[], cacheKey: string, listener: CacheEntryListener): Promise<void> {
     try {
+        const startTime = Date.now()
         const savedEntry = await cache.saveCache(cachePath, cacheKey)
-        listener.markSaved(savedEntry.key, savedEntry.size)
+        const saveTime = Date.now() - startTime
+        listener.markSaved(savedEntry.key, savedEntry.size, saveTime)
+        core.info(`Saved cache entry with key ${cacheKey} from ${cachePath.join()} in ${saveTime}ms`)
     } catch (error) {
         if (error instanceof cache.ReserveCacheError) {
             listener.markAlreadyExists(cacheKey)

sources/src/caching/caches.ts

@@ -102,7 +102,7 @@ export async function save(
             cacheListener.setCacheCleanupDisabled(CLEANUP_DISABLED_DUE_TO_CONFIG_CACHE_HIT)
         } else if (cacheConfig.shouldPerformCacheCleanup(buildResults.anyFailed())) {
             cacheListener.setCacheCleanupEnabled()
-            await performCacheCleanup(gradleUserHome)
+            await performCacheCleanup(gradleUserHome, buildResults)
         } else {
             core.info('Not performing cache-cleanup due to build failure')
             cacheListener.setCacheCleanupDisabled(CLEANUP_DISABLED_DUE_TO_FAILURE)
@@ -114,10 +114,10 @@ export async function save(
     })
 }
 
-async function performCacheCleanup(gradleUserHome: string): Promise<void> {
+async function performCacheCleanup(gradleUserHome: string, buildResults: BuildResults): Promise<void> {
     const cacheCleaner = new CacheCleaner(gradleUserHome, process.env['RUNNER_TEMP']!)
     try {
-        await cacheCleaner.forceCleanup()
+        await cacheCleaner.forceCleanup(buildResults)
     } catch (e) {
         core.warning(`Cache cleanup failed. Will continue. ${String(e)}`)
     }

sources/src/caching/gradle-home-extry-extractor.ts

@@ -132,9 +132,8 @@ abstract class AbstractEntryExtractor {
         pattern: string,
         listener: CacheEntryListener
     ): Promise<ExtractedCacheEntry> {
-        const restoredEntry = await restoreCache([pattern], cacheKey, [], listener)
+        const restoredEntry = await restoreCache(pattern.split('\n'), cacheKey, [], listener)
         if (restoredEntry) {
-            core.info(`Restored ${artifactType} with key ${cacheKey} to ${pattern}`)
             return new ExtractedCacheEntry(artifactType, pattern, cacheKey)
         } else {
             core.info(`Did not restore ${artifactType} with key ${cacheKey} to ${pattern}`)
@@ -232,8 +231,7 @@ abstract class AbstractEntryExtractor {
             cacheDebug(`No change to previously restored ${artifactType}. Not saving.`)
             entryListener.markNotSaved('contents unchanged')
         } else {
-            core.info(`Caching ${artifactType} with path '${pattern}' and cache key: ${cacheKey}`)
-            await saveCache([pattern], cacheKey, entryListener)
+            await saveCache(pattern.split('\n'), cacheKey, entryListener)
         }
 
         for (const file of matchingFiles) {

sources/src/caching/gradle-user-home-cache.ts

@@ -60,7 +60,8 @@ export class GradleUserHomeCache {
     restoreKeys:[${cacheKey.restoreKeys}]`
         )
 
-        const cacheResult = await restoreCache(this.getCachePath(), cacheKey.key, cacheKey.restoreKeys, entryListener)
+        const cachePath = this.getCachePath()
+        const cacheResult = await restoreCache(cachePath, cacheKey.key, cacheKey.restoreKeys, entryListener)
         if (!cacheResult) {
             core.info(`${this.cacheDescription} cache not found. Will initialize empty.`)
             return
@@ -68,8 +69,6 @@ export class GradleUserHomeCache {
 
         core.saveState(RESTORED_CACHE_KEY_KEY, cacheResult.key)
 
-        core.info(`Restored ${this.cacheDescription} from cache key: ${cacheResult.key}`)
-
         try {
             await this.afterRestore(listener)
         } catch (error) {
@@ -120,10 +119,8 @@ export class GradleUserHomeCache {
             return
         }
 
-        core.info(`Caching ${this.cacheDescription} with cache key: ${cacheKey}`)
         const cachePath = this.getCachePath()
         await saveCache(cachePath, cacheKey, gradleHomeEntryListener)
-
         return
     }
 

sources/src/caching/gradle-user-home-utils.ts

@@ -13,34 +13,37 @@ export function readResourceFileAsString(...paths: string[]): string {
  * @VisibleForTesting
  */
 export function getPredefinedToolchains(): string | null {
-    const javaHomeEnvs: string[] = []
-    for (const javaHomeEnvsKey in process.env) {
-        if (javaHomeEnvsKey.startsWith('JAVA_HOME_')) {
-            javaHomeEnvs.push(javaHomeEnvsKey)
-        }
-    }
+    // Get the version and path for each JAVA_HOME env var
+    const javaHomeEnvs = Object.entries(process.env)
+        .filter(([key]) => key.startsWith('JAVA_HOME_') && process.env[key])
+        .map(([key, value]) => ({
+            jdkVersion: key.match(/JAVA_HOME_(\d+)_/)?.[1] ?? null,
+            jdkPath: value as string
+        }))
+        .filter(env => env.jdkVersion !== null)
+
     if (javaHomeEnvs.length === 0) {
         return null
     }
+
     // language=XML
-    let toolchainsXml = `<?xml version="1.0" encoding="UTF-8"?>
+    return `<?xml version="1.0" encoding="UTF-8"?>
 <toolchains>
 <!-- JDK Toolchains installed by default on GitHub-hosted runners -->
-`
-    for (const javaHomeEnv of javaHomeEnvs) {
-        const version = javaHomeEnv.match(/JAVA_HOME_(\d+)_/)?.[1]!
-        toolchainsXml += `  <toolchain>
+${javaHomeEnvs
+    .map(
+        ({jdkVersion, jdkPath}) => `  <toolchain>
     <type>jdk</type>
     <provides>
-      <version>${version}</version>
+      <version>${jdkVersion}</version>
     </provides>
     <configuration>
-      <jdkHome>\${env.${javaHomeEnv}}</jdkHome>
+      <jdkHome>${jdkPath}</jdkHome>
     </configuration>
-  </toolchain>\n`
-    }
-    toolchainsXml += `</toolchains>\n`
-    return toolchainsXml
+  </toolchain>`
+    )
+    .join('\n')}
+</toolchains>\n`
 }
 
 export function mergeToolchainContent(existingToolchainContent: string, preInstalledToolchains: string): string {

sources/src/configuration.ts

@@ -20,13 +20,15 @@ export class DependencyGraphConfig {
                 return DependencyGraphOption.Generate
             case 'generate-and-submit':
                 return DependencyGraphOption.GenerateAndSubmit
+            case 'generate-submit-and-upload':
+                return DependencyGraphOption.GenerateSubmitAndUpload
             case 'generate-and-upload':
                 return DependencyGraphOption.GenerateAndUpload
             case 'download-and-submit':
                 return DependencyGraphOption.DownloadAndSubmit
         }
         throw TypeError(
-            `The value '${val}' is not valid for 'dependency-graph'. Valid values are: [disabled, generate, generate-and-submit, generate-and-upload, download-and-submit]. The default value is 'disabled'.`
+            `The value '${val}' is not valid for 'dependency-graph'. Valid values are: [disabled, generate, generate-and-submit, generate-submit-and-upload, generate-and-upload, download-and-submit].`
         )
     }
 
@@ -96,6 +98,7 @@ export enum DependencyGraphOption {
     Disabled = 'disabled',
     Generate = 'generate',
     GenerateAndSubmit = 'generate-and-submit',
+    GenerateSubmitAndUpload = 'generate-submit-and-upload',
     GenerateAndUpload = 'generate-and-upload',
     DownloadAndSubmit = 'download-and-submit'
 }

sources/src/dependency-graph.ts

@@ -60,7 +60,10 @@ export async function complete(config: DependencyGraphConfig): Promise<void> {
             case DependencyGraphOption.DownloadAndSubmit: // Performed in setup
                 return
             case DependencyGraphOption.GenerateAndSubmit:
-                await findAndSubmitDependencyGraphs(config)
+                await findAndSubmitDependencyGraphs(config, false)
+                return
+            case DependencyGraphOption.GenerateSubmitAndUpload:
+                await findAndSubmitDependencyGraphs(config, true)
                 return
             case DependencyGraphOption.GenerateAndUpload:
                 await findAndUploadDependencyGraphs(config)
@@ -83,7 +86,7 @@ async function downloadAndSubmitDependencyGraphs(config: DependencyGraphConfig):
     }
 }
 
-async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig): Promise<void> {
+async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig, uploadAfterSubmit: boolean): Promise<void> {
     if (isRunningInActEnvironment()) {
         core.info('Dependency graph not supported in the ACT environment.')
         return
@@ -100,6 +103,10 @@ async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig): Pro
         }
         throw e
     }
+
+    if (uploadAfterSubmit) {
+        await uploadDependencyGraphs(dependencyGraphFiles, config)
+    }
 }
 
 async function findAndUploadDependencyGraphs(config: DependencyGraphConfig): Promise<void> {

sources/src/develocity/build-scan.ts

@@ -5,13 +5,6 @@ import {setupToken} from './short-lived-token'
 export async function setup(config: BuildScanConfig): Promise<void> {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle')
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions')
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.1')
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0')
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl())
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
-    }
 
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled())
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl())
@@ -19,10 +12,22 @@ export async function setup(config: BuildScanConfig): Promise<void> {
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints())
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl())
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion())
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword())
 
+    // If build-scan-publish is enabled, ensure the environment variables are set
+    // The DEVELOCITY_PLUGIN_VERSION and DEVELOCITY_CCUD_PLUGIN_VERSION are set to the latest versions
+    // except if they are defined in the configuration
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.19.1')
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.1')
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl())
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
+    }
+
     return setupToken(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry())
 }
 

sources/src/execution/gradle.ts

@@ -35,29 +35,54 @@ async function executeGradleBuild(executable: string | undefined, root: string,
 }
 
 export function versionIsAtLeast(actualVersion: string, requiredVersion: string): boolean {
-    const splitVersion = actualVersion.split('-')
-    const coreVersion = splitVersion[0]
-    const prerelease = splitVersion.length > 1
-
-    const actualSemver = semver.coerce(coreVersion)!
-    const comparisonSemver = semver.coerce(requiredVersion)!
-
-    if (prerelease) {
-        return semver.gt(actualSemver, comparisonSemver)
-    } else {
-        return semver.gte(actualSemver, comparisonSemver)
+    if (actualVersion === requiredVersion) {
+        return true
     }
+
+    const actual = new GradleVersion(actualVersion)
+    const required = new GradleVersion(requiredVersion)
+
+    const actualSemver = semver.coerce(actual.versionPart)!
+    const comparisonSemver = semver.coerce(required.versionPart)!
+
+    if (semver.gt(actualSemver, comparisonSemver)) {
+        return true // Actual version is greater than comparison. So it's at least as new.
+    }
+    if (semver.lt(actualSemver, comparisonSemver)) {
+        return false // Actual version is less than comparison. So it's not as new.
+    }
+
+    // Actual and required version numbers are equal, so compare the other parts
+
+    if (actual.snapshotPart || required.snapshotPart) {
+        if (actual.snapshotPart && !required.snapshotPart && !required.stagePart) {
+            return false // Actual has a snapshot, but required is a plain version. Required is newer.
+        }
+        if (required.snapshotPart && !actual.snapshotPart && !actual.stagePart) {
+            return true // Required has a snapshot, but actual is a plain version. Actual is newer.
+        }
+
+        return false // Cannot compare case where both versions have a snapshot or stage
+    }
+
+    if (actual.stagePart) {
+        if (required.stagePart) {
+            return actual.stagePart >= required.stagePart // Compare stages for newer
+        }
+
+        return false // Actual has a stage, but required does not. So required is always newer.
+    }
+
+    return true // Actual has no stage part or snapshot part, so it cannot be older than required.
 }
 
-export async function findGradleVersionOnPath(): Promise<GradleExecutable | undefined> {
-    const gradleExecutable = await which('gradle', {nothrow: true})
-    if (gradleExecutable) {
-        const output = await exec.getExecOutput(gradleExecutable, ['-v'], {silent: true})
-        const version = parseGradleVersionFromOutput(output.stdout)
-        return version ? new GradleExecutable(version, gradleExecutable) : undefined
-    }
+export async function findGradleExecutableOnPath(): Promise<string | null> {
+    return await which('gradle', {nothrow: true})
+}
 
-    return undefined
+export async function determineGradleVersion(gradleExecutable: string): Promise<string | undefined> {
+    const output = await exec.getExecOutput(gradleExecutable, ['-v'], {silent: true})
+    return parseGradleVersionFromOutput(output.stdout)
 }
 
 export function parseGradleVersionFromOutput(output: string): string | undefined {
@@ -66,9 +91,21 @@ export function parseGradleVersionFromOutput(output: string): string | undefined
     return versionString
 }
 
-class GradleExecutable {
-    constructor(
-        readonly version: string,
-        readonly executable: string
-    ) {}
+class GradleVersion {
+    static PATTERN = /((\d+)(\.\d+)+)(-([a-z]+)-(\w+))?(-(SNAPSHOT|\d{14}([-+]\d{4})?))?/
+
+    versionPart: string
+    stagePart: string
+    snapshotPart: string
+
+    constructor(readonly version: string) {
+        const matcher = GradleVersion.PATTERN.exec(version)
+        if (!matcher) {
+            throw new Error(`'${version}' is not a valid Gradle version string (examples: '1.0', '1.0-rc-1')`)
+        }
+
+        this.versionPart = matcher[1]
+        this.stagePart = matcher[4]
+        this.snapshotPart = matcher[7]
+    }
 }

sources/src/execution/provision.ts

@@ -6,7 +6,7 @@ import * as core from '@actions/core'
 import * as cache from '@actions/cache'
 import * as toolCache from '@actions/tool-cache'
 
-import {findGradleVersionOnPath, versionIsAtLeast} from './gradle'
+import {determineGradleVersion, findGradleExecutableOnPath, versionIsAtLeast} from './gradle'
 import * as gradlew from './gradlew'
 import {handleCacheFailure} from '../caching/cache-utils'
 import {CacheConfig} from '../configuration'
@@ -25,16 +25,6 @@ export async function provisionGradle(gradleVersion: string): Promise<string | u
     return undefined
 }
 
-/**
- * Ensure that the Gradle version on PATH is no older than the specified version.
- * If the version on PATH is older, install the specified version and add it to the PATH.
- * @return Installed Gradle executable or undefined if no version configured.
- */
-export async function provisionGradleAtLeast(gradleVersion: string): Promise<string> {
-    const installedVersion = await installGradleVersionAtLeast(await gradleRelease(gradleVersion))
-    return addToPath(installedVersion)
-}
-
 async function addToPath(executable: string): Promise<string> {
     core.addPath(path.dirname(executable))
     return executable
@@ -88,7 +78,7 @@ async function gradleReleaseNightly(): Promise<GradleVersionInfo> {
 async function gradleRelease(version: string): Promise<GradleVersionInfo> {
     const versionInfo = await findGradleVersionDeclaration(version)
     if (!versionInfo) {
-        throw new Error(`Gradle version ${version} does not exists`)
+        throw new Error(`Gradle version ${version} does not exist`)
     }
     return versionInfo
 }
@@ -106,27 +96,44 @@ async function findGradleVersionDeclaration(version: string): Promise<GradleVers
 
 async function installGradleVersion(versionInfo: GradleVersionInfo): Promise<string> {
     return core.group(`Provision Gradle ${versionInfo.version}`, async () => {
-        const gradleOnPath = await findGradleVersionOnPath()
-        if (gradleOnPath?.version === versionInfo.version) {
-            core.info(`Gradle version ${versionInfo.version} is already available on PATH. Not installing.`)
-            return gradleOnPath.executable
+        const gradleOnPath = await findGradleExecutableOnPath()
+        if (gradleOnPath) {
+            const gradleOnPathVersion = await determineGradleVersion(gradleOnPath)
+            if (gradleOnPathVersion === versionInfo.version) {
+                core.info(`Gradle version ${versionInfo.version} is already available on PATH. Not installing.`)
+                return gradleOnPath
+            }
         }
 
         return locateGradleAndDownloadIfRequired(versionInfo)
     })
 }
 
-async function installGradleVersionAtLeast(versionInfo: GradleVersionInfo): Promise<string> {
-    return core.group(`Provision Gradle >= ${versionInfo.version}`, async () => {
-        const gradleOnPath = await findGradleVersionOnPath()
-        if (gradleOnPath && versionIsAtLeast(gradleOnPath.version, versionInfo.version)) {
-            core.info(
-                `Gradle version ${gradleOnPath.version} is available on PATH and >= ${versionInfo.version}. Not installing.`
-            )
-            return gradleOnPath.executable
+/**
+ * Find (or install) a Gradle executable that meets the specified version requirement.
+ * The Gradle version on PATH and all candidates are first checked for version compatibility.
+ * If no existing Gradle version meets the requirement, the required version is installed.
+ * @return Gradle executable with at least the required version.
+ */
+export async function provisionGradleWithVersionAtLeast(
+    minimumVersion: string,
+    candidates: string[] = []
+): Promise<string> {
+    const gradleOnPath = await findGradleExecutableOnPath()
+    const allCandidates = gradleOnPath ? [gradleOnPath, ...candidates] : candidates
+
+    return core.group(`Provision Gradle >= ${minimumVersion}`, async () => {
+        for (const candidate of allCandidates) {
+            const candidateVersion = await determineGradleVersion(candidate)
+            if (candidateVersion && versionIsAtLeast(candidateVersion, minimumVersion)) {
+                core.info(
+                    `Gradle version ${candidateVersion} is available at ${candidate} and >= ${minimumVersion}. Not installing.`
+                )
+                return candidate
+            }
         }
 
-        return locateGradleAndDownloadIfRequired(versionInfo)
+        return locateGradleAndDownloadIfRequired(await gradleRelease(minimumVersion))
     })
 }
 

sources/src/resources/init-scripts/gradle-actions.build-result-capture-service.plugin.groovy

@@ -6,6 +6,7 @@ import org.gradle.api.internal.tasks.execution.*
 import org.gradle.execution.*
 import org.gradle.internal.build.event.BuildEventListenerRegistryInternal
 import org.gradle.util.GradleVersion
+import org.slf4j.LoggerFactory
 
 settingsEvaluated { settings ->
     def projectTracker = gradle.sharedServices.registerIfAbsent("gradle-action-buildResultsRecorder", BuildResultsRecorder, { spec ->
@@ -20,6 +21,7 @@ settingsEvaluated { settings ->
 }
 
 abstract class BuildResultsRecorder implements BuildService<BuildResultsRecorder.Params>, BuildOperationListener, AutoCloseable {
+    private final logger = LoggerFactory.getLogger("gradle/actions")
     private boolean buildFailed = false
     private boolean configCacheHit = true
     interface Params extends BuildServiceParameters {
@@ -69,6 +71,7 @@ abstract class BuildResultsRecorder implements BuildService<BuildResultsRecorder
             buildResultsDir.mkdirs()
             def buildResultsFile = new File(buildResultsDir, githubActionStep + getParameters().getInvocationId().get() + ".json")
             if (!buildResultsFile.exists()) {
+                logger.lifecycle("gradle/actions: Writing build results to ${buildResultsFile}")
                 buildResultsFile << groovy.json.JsonOutput.toJson(buildResults)
             }
         } catch (Exception e) {

sources/src/resources/init-scripts/gradle-actions.build-result-capture.init.gradle

@@ -2,7 +2,9 @@
  * Capture information for each executed Gradle build to display in the job summary.
  */
 import org.gradle.util.GradleVersion
+import org.slf4j.LoggerFactory
 
+def SKIP_BUILD_CAPTURE = "GRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE"
 def BUILD_SCAN_PLUGIN_ID = "com.gradle.build-scan"
 def BUILD_SCAN_EXTENSION = "buildScan"
 def DEVELOCITY_PLUGIN_ID = "com.gradle.develocity"
@@ -10,6 +12,11 @@ def DEVELOCITY_EXTENSION = "develocity"
 def GE_PLUGIN_ID = "com.gradle.enterprise"
 def GE_EXTENSION = "gradleEnterprise"
 
+if (System.properties[SKIP_BUILD_CAPTURE] ?: System.getenv(SKIP_BUILD_CAPTURE)) {
+    logger.lifecycle("gradle/actions: Not capturing build results")
+    return
+}
+
 // Only run against root build. Do not run against included builds.
 def isTopLevelBuild = gradle.getParent() == null
 if (isTopLevelBuild) {
@@ -32,15 +39,19 @@ if (isTopLevelBuild) {
 
         // Use the Develocity plugin to also capture build scan links, when available
         settingsEvaluated { settings ->
-            settings.pluginManager.withPlugin(GE_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (!settings.extensions.findByName(DEVELOCITY_EXTENSION)) {
+            def captureBuildScanLink = {
+                // Prefer the 'develocity' extension, if available
+                if (settings.extensions.findByName(DEVELOCITY_EXTENSION)) {
+                    captureUsingBuildScanPublished(settings.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                } else {
                     captureUsingBuildScanPublished(settings.extensions[GE_EXTENSION].buildScan, invocationId, resultsWriter)
                 }
             }
-
+            settings.pluginManager.withPlugin(GE_PLUGIN_ID, captureBuildScanLink)
             settings.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                captureUsingBuildScanPublished(settings.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                // Develocity plugin applies GE plugin: avoid duplicate call
+                if (settings.pluginManager.hasPlugin(GE_PLUGIN_ID)) return
+                captureBuildScanLink()
             }
         }
     } else if (atLeastGradle3) {
@@ -48,15 +59,21 @@ if (isTopLevelBuild) {
             // By default, use 'buildFinished' to capture build results
             captureUsingBuildFinished(gradle, invocationId, resultsWriter)
 
-            gradle.rootProject.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (!gradle.rootProject.extensions.findByName(DEVELOCITY_EXTENSION)) {
+            def captureBuildScanLink = {
+                // Prefer the 'develocity' extension, if available
+                if (gradle.rootProject.extensions.findByName(DEVELOCITY_EXTENSION)) {
+                    captureUsingBuildScanPublished(gradle.rootProject.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                } else {
                     captureUsingBuildScanPublished(gradle.rootProject.extensions[BUILD_SCAN_EXTENSION], invocationId, resultsWriter)
                 }
             }
 
+            gradle.rootProject.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID, captureBuildScanLink)
+
             gradle.rootProject.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                captureUsingBuildScanPublished(gradle.rootProject.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                // Develocity plugin applies Build Scan plugin: avoid duplicate call
+                if (gradle.rootProject.pluginManager.hasPlugin(BUILD_SCAN_PLUGIN_ID)) return
+                captureBuildScanLink()
             }
         }
     }
@@ -69,7 +86,6 @@ def captureUsingBuildService(invocationId) {
 
 void captureUsingBuildFinished(gradle, String invocationId, ResultsWriter resultsWriter) {
     gradle.buildFinished { result ->
-        println "Got buildFinished: ${result}"
         def buildResults = [
             rootProjectName: rootProject.name,
             rootProjectDir: rootProject.projectDir.absolutePath,
@@ -114,6 +130,8 @@ void captureUsingBuildScanPublished(buildScanExtension, String invocationId, Res
 }
 
 class ResultsWriter {
+    private final logger = LoggerFactory.getLogger("gradle/actions")
+
     void writeToResultsFile(String subDir, String invocationId, def content) {
         def runnerTempDir = System.getProperty("RUNNER_TEMP") ?: System.getenv("RUNNER_TEMP")
         def githubActionStep = System.getProperty("GITHUB_ACTION") ?: System.getenv("GITHUB_ACTION")
@@ -126,6 +144,7 @@ class ResultsWriter {
             buildResultsDir.mkdirs()
             def buildResultsFile = new File(buildResultsDir, githubActionStep + invocationId + ".json")
             if (!buildResultsFile.exists()) {
+                logger.lifecycle("gradle/actions: Writing build results to ${buildResultsFile}")
                 buildResultsFile << groovy.json.JsonOutput.toJson(content)
             }
         } catch (Exception e) {

sources/src/resources/init-scripts/gradle-actions.github-dependency-graph-gradle-plugin-apply.groovy

@@ -6,17 +6,17 @@ buildscript {
   def pluginRepositoryUrl = getInputParam('gradle.plugin-repository.url') ?: 'https://plugins.gradle.org/m2'
   def pluginRepositoryUsername = getInputParam('gradle.plugin-repository.username')
   def pluginRepositoryPassword = getInputParam('gradle.plugin-repository.password')
-  def dependencyGraphPluginVersion = getInputParam('dependency-graph-plugin.version') ?: '1.3.1'
+  def dependencyGraphPluginVersion = getInputParam('dependency-graph-plugin.version') ?: '1.3.2'
 
   logger.lifecycle("Resolving dependency graph plugin ${dependencyGraphPluginVersion} from plugin repository: ${pluginRepositoryUrl}")
   repositories {
     maven { 
-      url pluginRepositoryUrl 
+      url = pluginRepositoryUrl
       if (pluginRepositoryUsername && pluginRepositoryPassword) {
         logger.lifecycle("Applying credentials for plugin repository: ${pluginRepositoryUrl}")
         credentials {
-          username(pluginRepositoryUsername)
-          password(pluginRepositoryPassword)
+          username = pluginRepositoryUsername
+          password = pluginRepositoryPassword
         }
         authentication {
           basic(BasicAuthentication)

sources/src/resources/init-scripts/gradle-actions.inject-develocity.init.gradle

@@ -1,6 +1,6 @@
 /*
  * Initscript for injection of Develocity into Gradle builds.
- * Version: v1.0
+ * Version: v1.1
  */
 
 import org.gradle.util.GradleVersion
@@ -12,29 +12,29 @@ initscript {
         return
     }
 
-    def getInputParam = { String name ->
+    def getInputParam = { Gradle gradle, String name ->
         def ENV_VAR_PREFIX = ''
         def envVarName = ENV_VAR_PREFIX + name.toUpperCase().replace('.', '_').replace('-', '_')
-        return System.getProperty(name) ?: System.getenv(envVarName)
+        return gradle.startParameter.systemPropertiesArgs[name] ?: System.getProperty(name) ?: System.getenv(envVarName)
     }
 
-    def requestedInitScriptName = getInputParam('develocity.injection.init-script-name')
+    def requestedInitScriptName = getInputParam(gradle, 'develocity.injection.init-script-name')
     def initScriptName = buildscript.sourceFile.name
     if (requestedInitScriptName != initScriptName) {
         return
     }
 
     // Plugin loading is only required for Develocity injection. Abort early if not enabled.
-    def develocityInjectionEnabled = Boolean.parseBoolean(getInputParam("develocity.injection-enabled"))
+    def develocityInjectionEnabled = Boolean.parseBoolean(getInputParam(gradle, "develocity.injection-enabled"))
     if (!develocityInjectionEnabled) {
         return
     }
 
-    def pluginRepositoryUrl = getInputParam('gradle.plugin-repository.url')
-    def pluginRepositoryUsername = getInputParam('gradle.plugin-repository.username')
-    def pluginRepositoryPassword = getInputParam('gradle.plugin-repository.password')
-    def develocityPluginVersion = getInputParam('develocity.plugin.version')
-    def ccudPluginVersion = getInputParam('develocity.ccud-plugin.version')
+    def pluginRepositoryUrl = getInputParam(gradle, 'gradle.plugin-repository.url')
+    def pluginRepositoryUsername = getInputParam(gradle, 'gradle.plugin-repository.username')
+    def pluginRepositoryPassword = getInputParam(gradle, 'gradle.plugin-repository.password')
+    def develocityPluginVersion = getInputParam(gradle, 'develocity.plugin.version')
+    def ccudPluginVersion = getInputParam(gradle, 'develocity.ccud-plugin.version')
 
     def atLeastGradle5 = GradleVersion.current() >= GradleVersion.version('5.0')
     def atLeastGradle4 = GradleVersion.current() >= GradleVersion.version('4.0')
@@ -45,12 +45,12 @@ initscript {
 
         repositories {
             maven {
-                url pluginRepositoryUrl
+                url = pluginRepositoryUrl
                 if (pluginRepositoryUsername && pluginRepositoryPassword) {
                     logger.lifecycle("Using credentials for plugin repository")
                     credentials {
-                        username(pluginRepositoryUsername)
-                        password(pluginRepositoryPassword)
+                        username = pluginRepositoryUsername
+                        password = pluginRepositoryPassword
                     }
                     authentication {
                         basic(BasicAuthentication)
@@ -79,10 +79,10 @@ initscript {
     }
 }
 
-static getInputParam(String name) {
+static getInputParam(Gradle gradle, String name) {
     def ENV_VAR_PREFIX = ''
     def envVarName = ENV_VAR_PREFIX + name.toUpperCase().replace('.', '_').replace('-', '_')
-    return System.getProperty(name) ?: System.getenv(envVarName)
+    return gradle.startParameter.systemPropertiesArgs[name] ?: System.getProperty(name) ?: System.getenv(envVarName)
 }
 
 def isTopLevelBuild = !gradle.parent
@@ -90,14 +90,14 @@ if (!isTopLevelBuild) {
     return
 }
 
-def requestedInitScriptName = getInputParam('develocity.injection.init-script-name')
+def requestedInitScriptName = getInputParam(gradle, 'develocity.injection.init-script-name')
 def initScriptName = buildscript.sourceFile.name
 if (requestedInitScriptName != initScriptName) {
     logger.quiet("Ignoring init script '${initScriptName}' as requested name '${requestedInitScriptName}' does not match")
     return
 }
 
-def develocityInjectionEnabled = Boolean.parseBoolean(getInputParam("develocity.injection-enabled"))
+def develocityInjectionEnabled = Boolean.parseBoolean(getInputParam(gradle, "develocity.injection-enabled"))
 if (develocityInjectionEnabled) {
     enableDevelocityInjection()
 }
@@ -123,16 +123,16 @@ void enableDevelocityInjection() {
     def CCUD_PLUGIN_ID = 'com.gradle.common-custom-user-data-gradle-plugin'
     def CCUD_PLUGIN_CLASS = 'com.gradle.CommonCustomUserDataGradlePlugin'
 
-    def develocityUrl = getInputParam('develocity.url')
-    def develocityAllowUntrustedServer = Boolean.parseBoolean(getInputParam('develocity.allow-untrusted-server'))
-    def develocityEnforceUrl = Boolean.parseBoolean(getInputParam('develocity.enforce-url'))
-    def buildScanUploadInBackground = Boolean.parseBoolean(getInputParam('develocity.build-scan.upload-in-background'))
-    def develocityCaptureFileFingerprints = getInputParam('develocity.capture-file-fingerprints') ? Boolean.parseBoolean(getInputParam('develocity.capture-file-fingerprints')) : true
-    def develocityPluginVersion = getInputParam('develocity.plugin.version')
-    def ccudPluginVersion = getInputParam('develocity.ccud-plugin.version')
-    def buildScanTermsOfUseUrl = getInputParam('develocity.terms-of-use.url')
-    def buildScanTermsOfUseAgree = getInputParam('develocity.terms-of-use.agree')
-    def ciAutoInjectionCustomValueValue = getInputParam('develocity.auto-injection.custom-value')
+    def develocityUrl = getInputParam(gradle, 'develocity.url')
+    def develocityAllowUntrustedServer = Boolean.parseBoolean(getInputParam(gradle, 'develocity.allow-untrusted-server'))
+    def develocityEnforceUrl = Boolean.parseBoolean(getInputParam(gradle, 'develocity.enforce-url'))
+    def buildScanUploadInBackground = Boolean.parseBoolean(getInputParam(gradle, 'develocity.build-scan.upload-in-background'))
+    def develocityCaptureFileFingerprints = getInputParam(gradle, 'develocity.capture-file-fingerprints') ? Boolean.parseBoolean(getInputParam(gradle, 'develocity.capture-file-fingerprints')) : true
+    def develocityPluginVersion = getInputParam(gradle, 'develocity.plugin.version')
+    def ccudPluginVersion = getInputParam(gradle, 'develocity.ccud-plugin.version')
+    def buildScanTermsOfUseUrl = getInputParam(gradle, 'develocity.terms-of-use.url')
+    def buildScanTermsOfUseAgree = getInputParam(gradle, 'develocity.terms-of-use.agree')
+    def ciAutoInjectionCustomValueValue = getInputParam(gradle, 'develocity.auto-injection.custom-value')
 
     def atLeastGradle5 = GradleVersion.current() >= GradleVersion.version('5.0')
     def atLeastGradle4 = GradleVersion.current() >= GradleVersion.version('4.0')
@@ -145,6 +145,14 @@ void enableDevelocityInjection() {
         return geValue instanceof Closure<?> ? geValue() : geValue
     }
 
+    def printEnforcingDevelocityUrl = {
+        logger.lifecycle("Enforcing Develocity: $develocityUrl, allowUntrustedServer: $develocityAllowUntrustedServer")
+    }
+
+    def printAcceptingGradleTermsOfUse = {
+        logger.lifecycle("Accepting Gradle Terms of Use: $buildScanTermsOfUseUrl")
+    }
+
     // finish early if configuration parameters passed in via system properties are not valid/supported
     if (ccudPluginVersion && isNotAtLeast(ccudPluginVersion, '1.7')) {
         logger.warn("Common Custom User Data Gradle plugin must be at least 1.7. Configured version is $ccudPluginVersion.")
@@ -163,8 +171,8 @@ void enableDevelocityInjection() {
                     }
                     if (!scanPluginComponent) {
                         def pluginClass = dvOrGe(DEVELOCITY_PLUGIN_CLASS, BUILD_SCAN_PLUGIN_CLASS)
-                        logger.lifecycle("Applying $pluginClass via init script")
-                        applyPluginExternally(pluginManager, pluginClass)
+                        def pluginVersion = atLeastGradle5 ? develocityPluginVersion : "1.16"
+                        applyPluginExternally(pluginManager, pluginClass, pluginVersion)
                         def rootExtension = dvOrGe(
                             { develocity },
                             { buildScan }
@@ -196,48 +204,52 @@ void enableDevelocityInjection() {
                             }
                         }
                     }
+                }
 
-                    if (develocityUrl && develocityEnforceUrl) {
-                        logger.lifecycle("Enforcing Develocity: $develocityUrl, allowUntrustedServer: $develocityAllowUntrustedServer, captureFileFingerprints: $develocityCaptureFileFingerprints")
-                    }
-
-                    pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID) {
-                        // Only execute if develocity plugin isn't applied.
-                        if (gradle.rootProject.extensions.findByName("develocity")) return
-                        afterEvaluate {
-                            if (develocityUrl && develocityEnforceUrl) {
-                                buildScan.server = develocityUrl
-                                buildScan.allowUntrustedServer = develocityAllowUntrustedServer
-                            }
-                        }
-
-                        if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
-                            buildScan.termsOfServiceUrl = buildScanTermsOfUseUrl
-                            buildScan.termsOfServiceAgree = buildScanTermsOfUseAgree
-                        }
-                    }
-
-                    pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
+                eachDevelocityProjectExtension(project,
+                    { develocity ->
                         afterEvaluate {
                             if (develocityUrl && develocityEnforceUrl) {
+                                printEnforcingDevelocityUrl()
                                 develocity.server = develocityUrl
                                 develocity.allowUntrustedServer = develocityAllowUntrustedServer
                             }
                         }
 
                         if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
+                            printAcceptingGradleTermsOfUse()
                             develocity.buildScan.termsOfUseUrl = buildScanTermsOfUseUrl
                             develocity.buildScan.termsOfUseAgree = buildScanTermsOfUseAgree
                         }
+                    },
+                    { buildScan ->
+                        afterEvaluate {
+                            if (develocityUrl && develocityEnforceUrl) {
+                                printEnforcingDevelocityUrl()
+                                buildScan.server = develocityUrl
+                                buildScan.allowUntrustedServer = develocityAllowUntrustedServer
+                            }
+                        }
+
+                        if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
+                            printAcceptingGradleTermsOfUse()
+                            if (buildScan.metaClass.respondsTo(buildScan, 'setTermsOfServiceUrl', String)) {
+                                buildScan.termsOfServiceUrl = buildScanTermsOfUseUrl
+                                buildScan.termsOfServiceAgree = buildScanTermsOfUseAgree
+                            } else {
+                                buildScan.licenseAgreementUrl = buildScanTermsOfUseUrl
+                                buildScan.licenseAgree = buildScanTermsOfUseAgree
+                            }
+                        }
                     }
-                }
+                )
 
                 if (ccudPluginVersion && atLeastGradle4) {
                     def ccudPluginComponent = resolutionResult.allComponents.find {
                         it.moduleVersion.with { group == "com.gradle" && name == "common-custom-user-data-gradle-plugin" }
                     }
                     if (!ccudPluginComponent) {
-                        logger.lifecycle("Applying $CCUD_PLUGIN_CLASS via init script")
+                        logger.lifecycle("Applying $CCUD_PLUGIN_CLASS with version $ccudPluginVersion via init script")
                         pluginManager.apply(initscript.classLoader.loadClass(CCUD_PLUGIN_CLASS))
                     }
                 }
@@ -248,13 +260,18 @@ void enableDevelocityInjection() {
             if (develocityPluginVersion) {
                 if (!settings.pluginManager.hasPlugin(GRADLE_ENTERPRISE_PLUGIN_ID) && !settings.pluginManager.hasPlugin(DEVELOCITY_PLUGIN_ID)) {
                     def pluginClass = dvOrGe(DEVELOCITY_PLUGIN_CLASS, GRADLE_ENTERPRISE_PLUGIN_CLASS)
-                    logger.lifecycle("Applying $pluginClass via init script")
-                    applyPluginExternally(settings.pluginManager, pluginClass)
+                    applyPluginExternally(settings.pluginManager, pluginClass, develocityPluginVersion)
                     if (develocityUrl) {
                         logger.lifecycle("Connection to Develocity: $develocityUrl, allowUntrustedServer: $develocityAllowUntrustedServer, captureFileFingerprints: $develocityCaptureFileFingerprints")
                         eachDevelocitySettingsExtension(settings) { ext ->
-                            ext.server = develocityUrl
-                            ext.allowUntrustedServer = develocityAllowUntrustedServer
+                            // server and allowUntrustedServer must be configured via buildScan extension for gradle-enterprise-plugin 3.1.1 and earlier
+                            if (ext.metaClass.respondsTo(ext, 'getServer')) {
+                                ext.server = develocityUrl
+                                ext.allowUntrustedServer = develocityAllowUntrustedServer
+                            } else {
+                                ext.buildScan.server = develocityUrl
+                                ext.buildScan.allowUntrustedServer = develocityAllowUntrustedServer
+                            }
                         }
                     }
 
@@ -281,40 +298,46 @@ void enableDevelocityInjection() {
                         }
                     )
                 }
+            }
 
-                if (develocityUrl && develocityEnforceUrl) {
-                    logger.lifecycle("Enforcing Develocity: $develocityUrl, allowUntrustedServer: $develocityAllowUntrustedServer, captureFileFingerprints: $develocityCaptureFileFingerprints")
-                }
+            eachDevelocitySettingsExtension(settings,
+                { develocity ->
+                    if (develocityUrl && develocityEnforceUrl) {
+                        printEnforcingDevelocityUrl()
+                        develocity.server = develocityUrl
+                        develocity.allowUntrustedServer = develocityAllowUntrustedServer
+                    }
 
-                eachDevelocitySettingsExtension(settings,
-                    { develocity ->
-                        if (develocityUrl && develocityEnforceUrl) {
-                            develocity.server = develocityUrl
-                            develocity.allowUntrustedServer = develocityAllowUntrustedServer
-                        }
-
-                        if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
-                            develocity.buildScan.termsOfUseUrl = buildScanTermsOfUseUrl
-                            develocity.buildScan.termsOfUseAgree = buildScanTermsOfUseAgree
-                        }
-                    },
-                    { gradleEnterprise ->
-                        if (develocityUrl && develocityEnforceUrl) {
+                    if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
+                        printAcceptingGradleTermsOfUse()
+                        develocity.buildScan.termsOfUseUrl = buildScanTermsOfUseUrl
+                        develocity.buildScan.termsOfUseAgree = buildScanTermsOfUseAgree
+                    }
+                },
+                { gradleEnterprise ->
+                    if (develocityUrl && develocityEnforceUrl) {
+                        printEnforcingDevelocityUrl()
+                        // server and allowUntrustedServer must be configured via buildScan extension for gradle-enterprise-plugin 3.1.1 and earlier
+                        if (gradleEnterprise.metaClass.respondsTo(gradleEnterprise, 'getServer')) {
                             gradleEnterprise.server = develocityUrl
                             gradleEnterprise.allowUntrustedServer = develocityAllowUntrustedServer
-                        }
-
-                        if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
-                            gradleEnterprise.buildScan.termsOfServiceUrl = buildScanTermsOfUseUrl
-                            gradleEnterprise.buildScan.termsOfServiceAgree = buildScanTermsOfUseAgree
+                        } else {
+                            gradleEnterprise.buildScan.server = develocityUrl
+                            gradleEnterprise.buildScan.allowUntrustedServer = develocityAllowUntrustedServer
                         }
                     }
-                )
-            }
+
+                    if (buildScanTermsOfUseUrl && buildScanTermsOfUseAgree) {
+                        printAcceptingGradleTermsOfUse()
+                        gradleEnterprise.buildScan.termsOfServiceUrl = buildScanTermsOfUseUrl
+                        gradleEnterprise.buildScan.termsOfServiceAgree = buildScanTermsOfUseAgree
+                    }
+                }
+            )
 
             if (ccudPluginVersion) {
                 if (!settings.pluginManager.hasPlugin(CCUD_PLUGIN_ID)) {
-                    logger.lifecycle("Applying $CCUD_PLUGIN_CLASS via init script")
+                    logger.lifecycle("Applying $CCUD_PLUGIN_CLASS with version $ccudPluginVersion via init script")
                     settings.pluginManager.apply(initscript.classLoader.loadClass(CCUD_PLUGIN_CLASS))
                 }
             }
@@ -322,7 +345,9 @@ void enableDevelocityInjection() {
     }
 }
 
-void applyPluginExternally(def pluginManager, String pluginClassName) {
+void applyPluginExternally(def pluginManager, String pluginClassName, String pluginVersion) {
+    logger.lifecycle("Applying $pluginClassName with version $pluginVersion via init script")
+
     def externallyApplied = 'develocity.externally-applied'
     def externallyAppliedDeprecated = 'gradle.enterprise.externally-applied'
     def oldValue = System.getProperty(externallyApplied)
@@ -367,6 +392,32 @@ static def eachDevelocitySettingsExtension(def settings, def dvAction, def geAct
     }
 }
 
+/**
+ * Apply the `dvAction` to the 'develocity' extension.
+ * If no 'develocity' extension is found, apply the `bsAction` to the 'buildScan' extension.
+ * (The develocity plugin creates both extensions, and we want to prefer configuring 'develocity').
+ */
+static def eachDevelocityProjectExtension(def project, def dvAction, def bsAction = dvAction) {
+    def BUILD_SCAN_PLUGIN_ID = 'com.gradle.build-scan'
+    def DEVELOCITY_PLUGIN_ID = 'com.gradle.develocity'
+
+    def configureDvOrBsExtension = {
+        if (project.extensions.findByName("develocity")) {
+            dvAction(project.develocity)
+        } else {
+            bsAction(project.buildScan)
+        }
+    }
+
+    project.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID, configureDvOrBsExtension)
+
+    project.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
+        // Proper extension will be configured by the build-scan callback.
+        if (project.pluginManager.hasPlugin(BUILD_SCAN_PLUGIN_ID)) return
+        configureDvOrBsExtension()
+    }
+}
+
 static boolean isAtLeast(String versionUnderTest, String referenceVersion) {
     GradleVersion.version(versionUnderTest) >= GradleVersion.version(referenceVersion)
 }
@@ -376,21 +427,13 @@ static boolean isNotAtLeast(String versionUnderTest, String referenceVersion) {
 }
 
 void enableBuildScanLinkCapture(BuildScanCollector collector) {
-    def BUILD_SCAN_PLUGIN_ID = 'com.gradle.build-scan'
-    def DEVELOCITY_PLUGIN_ID = 'com.gradle.develocity'
-
     // Conditionally apply and configure the Develocity plugin
     if (GradleVersion.current() < GradleVersion.version('6.0')) {
         rootProject {
-            pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (gradle.rootProject.extensions.findByName("develocity")) return
-                buildScanPublishedAction(buildScan, collector)
-            }
-
-            pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                buildScanPublishedAction(develocity.buildScan, collector)
-            }
+            eachDevelocityProjectExtension(project,
+                { develocity -> buildScanPublishedAction(develocity.buildScan, collector) },
+                { buildScan  -> buildScanPublishedAction(buildScan, collector) }
+            )
         }
     } else {
         gradle.settingsEvaluated { settings ->

sources/src/wrapper-validation/checksums.ts

@@ -1,5 +1,6 @@
 import * as httpm from 'typed-rest-client/HttpClient'
 import * as cheerio from 'cheerio'
+import * as core from '@actions/core'
 
 import fileWrapperChecksums from './wrapper-checksums.json'
 
@@ -38,7 +39,7 @@ export const KNOWN_CHECKSUMS = loadKnownChecksums()
 export async function fetchUnknownChecksums(
     allowSnapshots: boolean,
     knownChecksums: WrapperChecksums
-): Promise<Set<string>> {
+): Promise<WrapperChecksums> {
     const all = await httpGetJsonArray('https://services.gradle.org/versions/all')
     const withChecksum = all.filter(
         entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl')
@@ -51,20 +52,16 @@ export async function fetchUnknownChecksums(
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         (entry: any) => !knownChecksums.versions.has(entry.version)
     )
-    const checksumUrls = notKnown.map(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        (entry: any) => entry.wrapperChecksumUrl as string
-    )
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const checksumUrls = notKnown.map((entry: any) => [entry.version, entry.wrapperChecksumUrl] as [string, string])
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls)
+        await addDistributionSnapshotChecksumUrls(checksumUrls)
     }
-    const checksums = await Promise.all(
-        checksumUrls.map(async (url: string) => {
-            // console.log(`Fetching checksum from ${url}`)
-            return httpGetText(url)
-        })
-    )
-    return new Set(checksums)
+
+    const wrapperChecksums = new WrapperChecksums()
+    await fetchAndStoreChecksums(checksumUrls, wrapperChecksums)
+    return wrapperChecksums
 }
 
 async function httpGetJsonArray(url: string): Promise<unknown[]> {
@@ -76,21 +73,37 @@ async function httpGetText(url: string): Promise<string> {
     return await response.readBody()
 }
 
-// Public for testing
-export async function addDistributionSnapshotChecksums(checksumUrls: string[]): Promise<void> {
-    // Load the index page of the distribution snapshot repository
+async function addDistributionSnapshotChecksumUrls(checksumUrls: [string, string][]): Promise<void> {
+    // Load the index page of the distribution snapshot repository into cheerio
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/')
-
-    // // Extract all wrapper checksum from the index page. These end in -wrapper.jar.sha256
-    // // Load the HTML into cheerio
     const $ = cheerio.load(indexPage)
 
     // // Find all links ending with '-wrapper.jar.sha256'
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]')
-
-    // build the absolute URL for each wrapper checksum
     wrapperChecksumLinks.each((index, element) => {
-        const url = $(element).attr('href')
-        checksumUrls.push(`https://services.gradle.org${url}`)
+        const url = $(element).attr('href')!
+
+        // Extract the version from the url
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1]
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`])
+        }
     })
 }
+
+async function fetchAndStoreChecksums(
+    checksumUrls: [string, string][],
+    wrapperChecksums: WrapperChecksums
+): Promise<void> {
+    const batchSize = 10
+    for (let i = 0; i < checksumUrls.length; i += batchSize) {
+        const batch = checksumUrls.slice(i, i + batchSize)
+        await Promise.all(
+            batch.map(async ([version, url]) => {
+                const checksum = await httpGetText(url)
+                wrapperChecksums.add(version, checksum)
+            })
+        )
+        core.info(`Fetched ${i + batch.length} of ${checksumUrls.length} checksums`)
+    }
+}

sources/src/wrapper-validation/find.ts

@@ -18,9 +18,14 @@ async function recursivelyListFiles(baseDir: string): Promise<string[]> {
     const childrenPaths = await Promise.all(
         childrenNames.map(async childName => {
             const childPath = path.resolve(baseDir, childName)
-            return fs.lstatSync(childPath).isDirectory()
-                ? recursivelyListFiles(childPath)
-                : new Promise(resolve => resolve([childPath]))
+            const stat = fs.lstatSync(childPath, {throwIfNoEntry: false})
+            if (stat === undefined) {
+                return []
+            } else if (stat.isDirectory()) {
+                return recursivelyListFiles(childPath)
+            } else {
+                return new Promise(resolve => resolve([childPath]))
+            }
         })
     )
     return Array.prototype.concat(...childrenPaths)

sources/src/wrapper-validation/validate.ts

@@ -33,7 +33,7 @@ export async function findInvalidWrapperJars(
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums)
 
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar)
                 } else {
                     result.valid.push(wrapperJar)

sources/src/wrapper-validation/wrapper-checksums.json

@@ -1,4 +1,72 @@
 [
+  {
+    "version": "8.12.1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.13-milestone-3",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.12.1-milestone-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.13-milestone-2",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.13-milestone-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.12",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.12-rc-2",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.12-rc-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11.1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-rc-3",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-rc-2",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-rc-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.11-milestone-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10.2",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10.2-milestone-1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
+  {
+    "version": "8.10.1",
+    "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"
+  },
   {
     "version": "8.10",
     "checksum": "2db75c40782f5e8ba1fc278a5574bab070adccb2d21ca5a6e5ed840888448046"

sources/test/init-scripts/build.gradle

@@ -20,7 +20,7 @@ dependencies {
     testImplementation ('io.ratpack:ratpack-groovy-test:1.9.0') {
         exclude group: 'org.codehaus.groovy', module: 'groovy-all'
     }
-    testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.17.2'
+    testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.18.2'
 }
 
 test {

sources/test/init-scripts/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

sources/test/init-scripts/gradlew

@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

sources/test/init-scripts/gradlew.bat

@@ -1,94 +1,94 @@
-@rem
-@rem Copyright 2015 the original author or authors.
-@rem
-@rem Licensed under the Apache License, Version 2.0 (the "License");
-@rem you may not use this file except in compliance with the License.
-@rem You may obtain a copy of the License at
-@rem
-@rem      https://www.apache.org/licenses/LICENSE-2.0
-@rem
-@rem Unless required by applicable law or agreed to in writing, software
-@rem distributed under the License is distributed on an "AS IS" BASIS,
-@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-@rem See the License for the specific language governing permissions and
-@rem limitations under the License.
-@rem
-@rem SPDX-License-Identifier: Apache-2.0
-@rem
-
-@if "%DEBUG%"=="" @echo off
-@rem ##########################################################################
-@rem
-@rem  Gradle startup script for Windows
-@rem
-@rem ##########################################################################
-
-@rem Set local scope for the variables with windows NT shell
-if "%OS%"=="Windows_NT" setlocal
-
-set DIRNAME=%~dp0
-if "%DIRNAME%"=="" set DIRNAME=.
-@rem This is normally unused
-set APP_BASE_NAME=%~n0
-set APP_HOME=%DIRNAME%
-
-@rem Resolve any "." and ".." in APP_HOME to make it shorter.
-for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
-
-@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
-
-@rem Find java.exe
-if defined JAVA_HOME goto findJavaFromJavaHome
-
-set JAVA_EXE=java.exe
-%JAVA_EXE% -version >NUL 2>&1
-if %ERRORLEVEL% equ 0 goto execute
-
-echo. 1>&2
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
-echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation. 1>&2
-
-goto fail
-
-:findJavaFromJavaHome
-set JAVA_HOME=%JAVA_HOME:"=%
-set JAVA_EXE=%JAVA_HOME%/bin/java.exe
-
-if exist "%JAVA_EXE%" goto execute
-
-echo. 1>&2
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
-echo. 1>&2
-echo Please set the JAVA_HOME variable in your environment to match the 1>&2
-echo location of your Java installation. 1>&2
-
-goto fail
-
-:execute
-@rem Setup the command line
-
-set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
-
-
-@rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
-
-:end
-@rem End local scope for the variables with windows NT shell
-if %ERRORLEVEL% equ 0 goto mainEnd
-
-:fail
-rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
-rem the _cmd.exe /c_ return code!
-set EXIT_CODE=%ERRORLEVEL%
-if %EXIT_CODE% equ 0 set EXIT_CODE=1
-if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
-exit /b %EXIT_CODE%
-
-:mainEnd
-if "%OS%"=="Windows_NT" endlocal
-
-:omega
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem      https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
+
+@if "%DEBUG%"=="" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if %ERRORLEVEL% equ 0 goto execute
+
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto execute
+
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
+
+goto fail
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+
+:end
+@rem End local scope for the variables with windows NT shell
+if %ERRORLEVEL% equ 0 goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

sources/test/init-scripts/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.develocity" version "3.19.1"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.1"
 }
 
 develocity {