Bump @vercel/ncc in /sources in the npm-dependencies group

Bumps the npm-dependencies group in /sources with 1 update: [@vercel/ncc](https://github.com/vercel/ncc).


Updates `@vercel/ncc` from 0.38.2 to 0.38.3
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.2...0.38.3)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/actions/build-dist/action.yml

@@ -3,7 +3,7 @@ name: 'Build and upload distribution'
 runs:
   using: "composite"
   steps: 
-    - uses: actions/setup-node@v4
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
         cache: npm
@@ -23,7 +23,7 @@ runs:
         cp -r sources/dist .
 
     - name: Upload distribution
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: dist
         path: dist/

.github/actions/init-integ-test/action.yml

@@ -4,7 +4,7 @@ runs:
   using: "composite"
   steps: 
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: 'temurin'
         java-version: 11
@@ -17,7 +17,7 @@ runs:
     # Downloads a 'dist' directory artifact that was uploaded in an earlier 'build-dist' step
     - name: Download dist
       if: ${{ env.SKIP_DIST != 'true' && !env.ACT }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: dist
         path: dist/

.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.develocity" version "3.18.2"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.2"
 }
 
 develocity {

.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/settings.gradle.kts

@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.develocity") version "3.18.1"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.1"
+    id("com.gradle.develocity") version "3.18.2"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.2"
 }
 
 develocity {

.github/workflow-samples/no-wrapper-gradle-5/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1" 
+    id "com.gradle.develocity" version "3.18.2" 
 }
 
 develocity {

.github/workflow-samples/no-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
+    id "com.gradle.develocity" version "3.18.2"
 }
 
 develocity {

.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/non-executable-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
+    id "com.gradle.develocity" version "3.18.2"
 }
 
 develocity {

.github/workflows/ci-check-and-unit-test.yml

@@ -17,14 +17,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4 # Use a released version to avoid breakages
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@473878a77f1b98e2b5ac4af93489d1656a80a5ed # v4.2.0
       env:
         ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
       with:
@@ -32,7 +33,7 @@ jobs:
 
     - name: Check formatting and compile
       run: |
-        npm install
+        npm clean-install
         npm run check
         npm run compile
       working-directory: sources

.github/workflows/ci-check-no-dist-update.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
     - name: Get changed files
       id: changed-files
-      uses: tj-actions/changed-files@v45
+      uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf # v45.0.4
       with:
         files: |
           dist/**

.github/workflows/ci-codeql.yml

@@ -6,16 +6,15 @@ on:
     - 'main'
     - 'release/**'
     - 'dev/**' # Allow running Code QL on dev branches without a PR
-    paths-ignore:
-    - 'dist/**'
   pull_request:
     branches:
     - 'main'
-    paths-ignore:
-    - 'dist/**'
   schedule:
     - cron: '25 23 * * 2'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -32,11 +31,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         languages: ${{ matrix.language }}
         config: |
@@ -44,4 +43,4 @@ jobs:
           - sources/src
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4

.github/workflows/ci-init-script-check.yml

@@ -14,19 +14,23 @@ on:
       - 'sources/test/init-scripts/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-init-scripts:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: temurin
         java-version: 11
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v4 # Use a released version to avoid breakages
+      # Use a released version to avoid breakages
+      uses: gradle/actions/setup-gradle@473878a77f1b98e2b5ac4af93489d1656a80a5ed # v4.2.0
       env:
         ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
     - name: Run integration tests

.github/workflows/ci-integ-test-full.yml

@@ -6,13 +6,13 @@ on:
     paths:
     - 'dist/**'
 
-permissions:
-  contents: write
-
 concurrency:
   group: integ-test
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   caching-integ-tests:
     uses: ./.github/workflows/suite-integ-test-caching.yml
@@ -25,6 +25,8 @@ jobs:
     secrets: inherit
 
   other-integ-tests:
+    permissions:
+      contents: write
     uses: ./.github/workflows/suite-integ-test-other.yml
     concurrency:
       group: CI-integ-test-full

.github/workflows/ci-integ-test.yml

@@ -11,19 +11,19 @@ on:
     paths-ignore:
     - 'dist/**'
 
-permissions:
-  contents: write
-
 concurrency:
   group: integ-test
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       if: ${{ needs.determine-suite.outputs.suite != 'full' }}
       uses: ./.github/actions/build-dist
@@ -36,6 +36,8 @@ jobs:
     secrets: inherit
 
   other-integ-tests:
+    permissions:
+      contents: write
     needs: build-distribution
     uses: ./.github/workflows/suite-integ-test-other.yml
     with:

.github/workflows/ci-ossf-scorecard.yml

@@ -0,0 +1,57 @@
+name: CI-ossf-scorecard
+on:
+  schedule:
+    - cron: '0 5 * * 1'
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      - name: 'Run analysis'
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: 'Upload artifact'
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: 'Upload to code-scanning'
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+        with:
+          sarif_file: results.sarif

.github/workflows/ci-update-dist.yml

@@ -10,19 +10,24 @@ on:
     - 'dist/**'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   update-dist:
+    # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
+    # it would erroneously update `dist` on their branch (and the pull request)
+    if: github.repository == 'gradle/actions'
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         token: ${{ secrets.BOT_GITHUB_TOKEN }}
 
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
         cache: npm
@@ -43,10 +48,7 @@ jobs:
     # Important: The push event will not trigger any other workflows, see
     # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
     - name: Commit & push changes
-      # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
-      # it would erroneously update `dist` on their branch (and the pull request)
-      if: github.repository == 'gradle/actions'
-      uses: stefanzweifel/git-auto-commit-action@v5
+      uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
       with:
         commit_message: '[bot] Update dist directory'
         file_pattern: dist

.github/workflows/ci-validate-wrappers.yml

@@ -0,0 +1,17 @@
+name: CI-validate-wrappers
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validation:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: gradle/actions/wrapper-validation@473878a77f1b98e2b5ac4af93489d1656a80a5ed # v4.2.0
+        with:
+          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

.github/workflows/demo-job-summary.yml

@@ -3,12 +3,15 @@ name: Demo Job Summary, for Gradle builds
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
@@ -17,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -59,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -79,7 +82,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -100,7 +103,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/demo-pr-build-scan-comment.yml

@@ -4,23 +4,25 @@ on:
     types: [assigned, review_requested]
 
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
   successful-build-with-always-comment:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -34,11 +36,13 @@ jobs:
       run: ./gradlew build --scan
 
   successful-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,11 +56,13 @@ jobs:
       run: ./gradlew build --scan
 
   failing-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-build-scan-publish.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   build-scan-publish:
     strategy:
@@ -27,15 +30,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -51,7 +49,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')   

.github/workflows/integ-test-cache-cleanup.yml

@@ -18,6 +18,9 @@ env:
   # Requires a fresh cache entry each run
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
 
+permissions:
+  contents: read
+
 jobs:
   cache-cleanup-full-build:
     strategy:
@@ -28,7 +31,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -51,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -74,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-caching-config.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   caching-config-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -58,7 +61,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -87,7 +90,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -101,7 +104,7 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -111,7 +114,7 @@ jobs:
     runs-on: ubuntu-latest # This test only runs on Ubuntu
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -125,7 +128,7 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -142,7 +145,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -166,7 +169,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-graph.yml

@@ -13,20 +13,20 @@ on:
         type: boolean
         default: false
 
-permissions:
-  contents: write
-
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
   dependency-graph-groovy-upload:
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -39,11 +39,13 @@ jobs:
       working-directory: .github/workflow-samples/groovy-dsl
 
   dependency-graph-groovy-submit:
+    permissions:
+      contents: write
     needs: [dependency-graph-groovy-upload]
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -55,10 +57,12 @@ jobs:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
 
   dependency-graph-kotlin-generate-and-submit:
+    permissions:
+      contents: write
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -71,10 +75,12 @@ jobs:
       working-directory: .github/workflow-samples/kotlin-dsl
 
   dependency-graph-multiple-builds:
+    permissions:
+      contents: write
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -112,10 +118,12 @@ jobs:
         fi
         
   dependency-graph-config-cache:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-submission-failures.yml

@@ -18,12 +18,15 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
   dependency-submission-failures-failing-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,7 +55,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -83,7 +86,7 @@ jobs:
       contents: read
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-submission.yml

@@ -13,16 +13,18 @@ on:
         type: boolean
         default: false
 
-permissions:
-  contents: write
-
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+  contents: read
+
 jobs:
   dependency-submission-groovy-generate-and-upload:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -31,7 +33,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -45,6 +47,8 @@ jobs:
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
   dependency-submission-groovy-restore-cache:
+    permissions:
+      contents: write
     needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
       max-parallel: 1
@@ -54,7 +58,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -67,6 +71,8 @@ jobs:
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
   dependency-submission-groovy-download-and-submit:
+    permissions:
+      contents: write
     needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
       max-parallel: 1
@@ -76,7 +82,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -88,6 +94,8 @@ jobs:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
 
   dependency-submission-kotlin-generate-and-submit:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -96,7 +104,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -106,6 +114,8 @@ jobs:
         build-root-directory: .github/workflow-samples/kotlin-dsl
 
   dependency-submission-multiple-builds:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -114,7 +124,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -152,6 +162,8 @@ jobs:
         fi
 
   dependency-submission-multiple-builds-upload:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -160,7 +172,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -176,10 +188,12 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   dependency-submission-config-cache:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -211,6 +225,8 @@ jobs:
         fi
 
   dependency-submission-gradle-versions:
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -224,7 +240,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -235,10 +251,12 @@ jobs:
         build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
 
   dependency-submission-with-setup-gradle:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -270,10 +288,12 @@ jobs:
         fi
 
   dependency-submission-with-includes-and-excludes:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -304,6 +324,8 @@ jobs:
 
 
   dependency-submission-custom-report-dir-submit:
+    permissions:
+      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -312,7 +334,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -339,10 +361,12 @@ jobs:
         fi
 
   dependency-submission-custom-report-dir-upload:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -355,11 +379,13 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   custom-report-dir-download-and-submit:
+    permissions:
+      contents: write
     needs: [dependency-submission-custom-report-dir-upload]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-detect-toolchains.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   # Test that pre-installed runner JDKs are detected
   detect-toolchains-pre-installed-jdks:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -57,17 +60,17 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java 20
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: 'temurin'
         java-version: 20
     - name: Setup Java 16
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: 'temurin'
         java-version: 16

.github/workflows/integ-test-inject-develocity.yml

@@ -20,38 +20,36 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   inject-develocity:
     env:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: https://ge.solutions-team.gradle.com
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
       ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
     strategy:
       fail-fast: false
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.18.1]
+        plugin-version: [3.16.2, 3.18.2]
         include:
         - plugin-version: 3.16.2
           accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
-        - plugin-version: 3.18.1
+        - plugin-version: 3.18.2
           accessKeyEnv: DEVELOCITY_ACCESS_KEY
 
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java
-      uses: actions/setup-java@v4
-      with:
-        distribution: temurin
-        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -64,7 +62,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -78,24 +76,19 @@ jobs:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
     strategy:
       fail-fast: false
       matrix:
         gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [3.16.2, 3.18.1]
+        plugin-version: [3.16.2, 3.18.2]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -114,7 +107,7 @@ jobs:
         run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('No Build Scan detected')
@@ -124,7 +117,7 @@ jobs:
       DEVELOCITY_INJECTION_ENABLED: true
       DEVELOCITY_URL: 'https://localhost:3333/'
       DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0.2'
       # Access key also set as an env var, we want to check it does not leak
       GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
       DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -133,19 +126,14 @@ jobs:
       matrix:
         gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.18.1 ]
+        plugin-version: [ 3.16.2, 3.18.2 ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
 
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -169,18 +157,13 @@ jobs:
       matrix:
         gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ 3.16.2, 3.18.1 ]
+        plugin-version: [ 3.16.2, 3.18.2 ]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -196,7 +179,7 @@ jobs:
         run: gradle help
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             core.setFailed('No Build Scan detected')

.github/workflows/integ-test-provision-gradle-versions.yml

@@ -18,6 +18,9 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 
+permissions:
+  contents: read
+
 jobs:   
   # Tests for executing with different Gradle versions. 
   # Each build verifies that it is executed with the expected Gradle version.
@@ -30,7 +33,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -66,7 +69,7 @@ jobs:
       run: gradle help
     - name: Check current version output parameter
       if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
@@ -75,7 +78,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        gradle: ["8.10", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
+        gradle: ["8.11", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
         os: ${{fromJSON(inputs.runner-os)}}
         include:
           - java-version: 11
@@ -92,12 +95,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
       with:
         distribution: temurin
         java-version: ${{ matrix.java-version }}
@@ -109,7 +112,7 @@ jobs:
         gradle-version: ${{ matrix.gradle }}
     - name: Check output parameter
       if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -119,7 +122,7 @@ jobs:
       run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@v7
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
       with:
         script: |
           core.setFailed('No Build Scan detected')    

.github/workflows/integ-test-restore-configuration-cache.yml

@@ -20,6 +20,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-cc-seed-build-groovy:
     env:
@@ -32,22 +35,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
@@ -65,22 +62,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false
         cache-cleanup: on-success
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -107,21 +98,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -148,15 +133,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle with no extracted cache entries restored
       uses: ./setup-gradle
       env: 
@@ -164,7 +144,6 @@ jobs:
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Check execute Gradle build with configuration cache enabled (but not restored)
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
@@ -180,22 +159,16 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'help' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle help --configuration-cache
@@ -213,21 +186,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'test' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle test --configuration-cache
@@ -246,21 +213,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java to ensure consistency
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'liberica'
-        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-        gradle-version: 8.6
     - name: Execute 'test' again with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/kotlin-dsl

.github/workflows/integ-test-restore-containerized-gradle-home.yml

@@ -14,13 +14,16 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-containerized-seed-build:
     runs-on: ubuntu-latest
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -39,7 +42,7 @@ jobs:
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-custom-gradle-home.yml

@@ -14,12 +14,15 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-custom-gradle-home-seed-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -41,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -63,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-gradle-home.yml

@@ -18,6 +18,9 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
 
+permissions:
+  contents: read
+
 jobs:
   restore-gradle-home-seed-build:
     strategy:
@@ -28,7 +31,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -51,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -74,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -97,7 +100,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -122,7 +125,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-java-toolchain.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   restore-java-toolchain-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -50,7 +53,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-gradle-plugin.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   sample-gradle-plugin-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -49,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-kotlin-dsl.yml

@@ -17,6 +17,9 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
 
+permissions:
+  contents: read
+
 jobs:
   sample-kotlin-dsl-seed-build:
     strategy:
@@ -27,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -49,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-wrapper-validation.yml

@@ -13,6 +13,9 @@ on:
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
 
+permissions:
+  contents: read
+
 jobs:
   wrapper-validation-setup-gradle:
     strategy:
@@ -22,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -45,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -74,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -107,7 +110,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -137,7 +140,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v4 # Checkout the repository with no wrappers
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Checkout the repository with no wrappers
       with:
         sparse-checkout: |
           .github/actions

.github/workflows/suite-integ-test-caching.yml

@@ -10,6 +10,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   cache-cleanup:
     uses: ./.github/workflows/integ-test-cache-cleanup.yml

.github/workflows/suite-integ-test-other.yml

@@ -10,6 +10,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   build-scan-publish:
     uses: ./.github/workflows/integ-test-build-scan-publish.yml

.github/workflows/update-checksums-file.yml

@@ -7,20 +7,22 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-checksums:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Update checksums
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20
           cache: npm
@@ -28,7 +30,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          npm install typed-rest-client@1.8.11 --no-save
+          npm clean-install typed-rest-client@1.8.11 --no-save
         working-directory: sources
 
       - name: Update checksums file
@@ -37,7 +39,7 @@ jobs:
 
       # If there are no changes, this action will not create a pull request
       - name: Create or update pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           branch: bot/wrapper-checksums-update
           commit-message: Update known wrapper checksums

CONTRIBUTING.md

@@ -3,8 +3,9 @@
 The `build` script in the project root provides a convenient way to perform many local build tasks:
 1. `./build` will lint and compile typescript sources
 2. `./build all` will lint and compile typescript and run unit tests
-3. `./build init-scripts` will run the init-script integration tests
-4. `./build act <act-commands>` will run `act` after building local changes (see below)
+3. `./build install` will install npm packages followed by lint and compile
+4. `./build init-scripts` will run the init-script integration tests
+5. `./build act <act-commands>` will run `act` after building local changes (see below)
 
 ## Using `act` to run integ-test workflows locally
 

README.md

@@ -1,5 +1,7 @@
 # GitHub Actions for Gradle builds
 
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gradle/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/gradle/actions)
+
 This repository contains a set of GitHub Actions that are useful for building Gradle projects on GitHub.
 
 ## The `setup-gradle` action

build

@@ -4,12 +4,10 @@ cd sources
 
 case "$1" in
     all)
-        npm clean-install
         npm run all
         ;;
     act)
         # Build and copy outputs to the dist directory
-        npm install
         npm run build
         cd ..
         cp -r sources/dist .
@@ -18,18 +16,21 @@ case "$1" in
         # Revert the changes to the dist directory
         git checkout -- dist
         ;;
-    init-scripts)
-        cd test/init-scripts
-        ./gradlew check
-        ;;
     dist)
-        npm install
+        npm clean-install
         npm run build
         cd ..
         cp -r sources/dist .
         ;;
+    init-scripts)
+        cd test/init-scripts
+        ./gradlew check
+        ;;
+    install)
+        npm clean-install
+        npm run build
+        ;;
     *)
-        npm install
         npm run build
         ;;
 esac

dist/dependency-submission/main/index.js

@@ -181402,22 +181402,23 @@ const short_lived_token_1 = __nccwpck_require__(7325);
 async function setup(config) {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle');
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions');
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.1');
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0');
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
-    }
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled());
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_ALLOW_UNTRUSTED_SERVER', config.getDevelocityAllowUntrustedServer());
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints());
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion());
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword());
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.2');
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0.2');
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
+    }
     return (0, short_lived_token_1.setupToken)(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry());
 }
 function maybeExportVariable(variableName, value) {
@@ -182455,7 +182456,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.KNOWN_CHECKSUMS = exports.WrapperChecksums = void 0;
 exports.fetchUnknownChecksums = fetchUnknownChecksums;
-exports.addDistributionSnapshotChecksums = addDistributionSnapshotChecksums;
 const httpm = __importStar(__nccwpck_require__(96184));
 const cheerio = __importStar(__nccwpck_require__(36962));
 const wrapper_checksums_json_1 = __importDefault(__nccwpck_require__(46629));
@@ -182489,14 +182489,16 @@ async function fetchUnknownChecksums(allowSnapshots, knownChecksums) {
     const withChecksum = all.filter(entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl'));
     const allowed = withChecksum.filter((entry) => allowSnapshots || !entry.snapshot);
     const notKnown = allowed.filter((entry) => !knownChecksums.versions.has(entry.version));
-    const checksumUrls = notKnown.map((entry) => entry.wrapperChecksumUrl);
+    const checksumUrls = notKnown.map((entry) => [entry.version, entry.wrapperChecksumUrl]);
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls);
+        await addDistributionSnapshotChecksumUrls(checksumUrls);
     }
-    const checksums = await Promise.all(checksumUrls.map(async (url) => {
-        return httpGetText(url);
+    const wrapperChecksums = new WrapperChecksums();
+    await Promise.all(checksumUrls.map(async ([version, url]) => {
+        const checksum = await httpGetText(url);
+        wrapperChecksums.add(version, checksum);
     }));
-    return new Set(checksums);
+    return wrapperChecksums;
 }
 async function httpGetJsonArray(url) {
     return JSON.parse(await httpGetText(url));
@@ -182505,13 +182507,16 @@ async function httpGetText(url) {
     const response = await httpc.get(url);
     return await response.readBody();
 }
-async function addDistributionSnapshotChecksums(checksumUrls) {
+async function addDistributionSnapshotChecksumUrls(checksumUrls) {
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/');
     const $ = cheerio.load(indexPage);
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]');
     wrapperChecksumLinks.each((index, element) => {
         const url = $(element).attr('href');
-        checksumUrls.push(`https://services.gradle.org${url}`);
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1];
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`]);
+        }
     });
 }
 
@@ -182567,9 +182572,16 @@ async function recursivelyListFiles(baseDir) {
     const childrenNames = await readdir(baseDir);
     const childrenPaths = await Promise.all(childrenNames.map(async (childName) => {
         const childPath = path.resolve(baseDir, childName);
-        return fs.lstatSync(childPath).isDirectory()
-            ? recursivelyListFiles(childPath)
-            : new Promise(resolve => resolve([childPath]));
+        const stat = fs.lstatSync(childPath, { throwIfNoEntry: false });
+        if (stat === undefined) {
+            return [];
+        }
+        else if (stat.isDirectory()) {
+            return recursivelyListFiles(childPath);
+        }
+        else {
+            return new Promise(resolve => resolve([childPath]));
+        }
     }));
     return Array.prototype.concat(...childrenPaths);
 }
@@ -182683,7 +182695,7 @@ async function findInvalidWrapperJars(gitRepoRoot, allowSnapshots, allowedChecks
             result.fetchedChecksums = true;
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums);
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar);
                 }
                 else {

dist/dependency-submission/post/index.js

@@ -134730,22 +134730,23 @@ const short_lived_token_1 = __nccwpck_require__(7325);
 async function setup(config) {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle');
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions');
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.1');
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0');
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
-    }
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled());
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_ALLOW_UNTRUSTED_SERVER', config.getDevelocityAllowUntrustedServer());
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints());
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion());
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword());
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.2');
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0.2');
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
+    }
     return (0, short_lived_token_1.setupToken)(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry());
 }
 function maybeExportVariable(variableName, value) {
@@ -135783,7 +135784,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.KNOWN_CHECKSUMS = exports.WrapperChecksums = void 0;
 exports.fetchUnknownChecksums = fetchUnknownChecksums;
-exports.addDistributionSnapshotChecksums = addDistributionSnapshotChecksums;
 const httpm = __importStar(__nccwpck_require__(96184));
 const cheerio = __importStar(__nccwpck_require__(36962));
 const wrapper_checksums_json_1 = __importDefault(__nccwpck_require__(46629));
@@ -135817,14 +135817,16 @@ async function fetchUnknownChecksums(allowSnapshots, knownChecksums) {
     const withChecksum = all.filter(entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl'));
     const allowed = withChecksum.filter((entry) => allowSnapshots || !entry.snapshot);
     const notKnown = allowed.filter((entry) => !knownChecksums.versions.has(entry.version));
-    const checksumUrls = notKnown.map((entry) => entry.wrapperChecksumUrl);
+    const checksumUrls = notKnown.map((entry) => [entry.version, entry.wrapperChecksumUrl]);
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls);
+        await addDistributionSnapshotChecksumUrls(checksumUrls);
     }
-    const checksums = await Promise.all(checksumUrls.map(async (url) => {
-        return httpGetText(url);
+    const wrapperChecksums = new WrapperChecksums();
+    await Promise.all(checksumUrls.map(async ([version, url]) => {
+        const checksum = await httpGetText(url);
+        wrapperChecksums.add(version, checksum);
     }));
-    return new Set(checksums);
+    return wrapperChecksums;
 }
 async function httpGetJsonArray(url) {
     return JSON.parse(await httpGetText(url));
@@ -135833,13 +135835,16 @@ async function httpGetText(url) {
     const response = await httpc.get(url);
     return await response.readBody();
 }
-async function addDistributionSnapshotChecksums(checksumUrls) {
+async function addDistributionSnapshotChecksumUrls(checksumUrls) {
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/');
     const $ = cheerio.load(indexPage);
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]');
     wrapperChecksumLinks.each((index, element) => {
         const url = $(element).attr('href');
-        checksumUrls.push(`https://services.gradle.org${url}`);
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1];
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`]);
+        }
     });
 }
 
@@ -135895,9 +135900,16 @@ async function recursivelyListFiles(baseDir) {
     const childrenNames = await readdir(baseDir);
     const childrenPaths = await Promise.all(childrenNames.map(async (childName) => {
         const childPath = path.resolve(baseDir, childName);
-        return fs.lstatSync(childPath).isDirectory()
-            ? recursivelyListFiles(childPath)
-            : new Promise(resolve => resolve([childPath]));
+        const stat = fs.lstatSync(childPath, { throwIfNoEntry: false });
+        if (stat === undefined) {
+            return [];
+        }
+        else if (stat.isDirectory()) {
+            return recursivelyListFiles(childPath);
+        }
+        else {
+            return new Promise(resolve => resolve([childPath]));
+        }
     }));
     return Array.prototype.concat(...childrenPaths);
 }
@@ -136011,7 +136023,7 @@ async function findInvalidWrapperJars(gitRepoRoot, allowSnapshots, allowedChecks
             result.fetchedChecksums = true;
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums);
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar);
                 }
                 else {

dist/setup-gradle/main/index.js

@@ -181387,22 +181387,23 @@ const short_lived_token_1 = __nccwpck_require__(7325);
 async function setup(config) {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle');
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions');
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.1');
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0');
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
-    }
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled());
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_ALLOW_UNTRUSTED_SERVER', config.getDevelocityAllowUntrustedServer());
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints());
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion());
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword());
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.2');
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0.2');
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
+    }
     return (0, short_lived_token_1.setupToken)(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry());
 }
 function maybeExportVariable(variableName, value) {
@@ -182440,7 +182441,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.KNOWN_CHECKSUMS = exports.WrapperChecksums = void 0;
 exports.fetchUnknownChecksums = fetchUnknownChecksums;
-exports.addDistributionSnapshotChecksums = addDistributionSnapshotChecksums;
 const httpm = __importStar(__nccwpck_require__(96184));
 const cheerio = __importStar(__nccwpck_require__(36962));
 const wrapper_checksums_json_1 = __importDefault(__nccwpck_require__(46629));
@@ -182474,14 +182474,16 @@ async function fetchUnknownChecksums(allowSnapshots, knownChecksums) {
     const withChecksum = all.filter(entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl'));
     const allowed = withChecksum.filter((entry) => allowSnapshots || !entry.snapshot);
     const notKnown = allowed.filter((entry) => !knownChecksums.versions.has(entry.version));
-    const checksumUrls = notKnown.map((entry) => entry.wrapperChecksumUrl);
+    const checksumUrls = notKnown.map((entry) => [entry.version, entry.wrapperChecksumUrl]);
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls);
+        await addDistributionSnapshotChecksumUrls(checksumUrls);
     }
-    const checksums = await Promise.all(checksumUrls.map(async (url) => {
-        return httpGetText(url);
+    const wrapperChecksums = new WrapperChecksums();
+    await Promise.all(checksumUrls.map(async ([version, url]) => {
+        const checksum = await httpGetText(url);
+        wrapperChecksums.add(version, checksum);
     }));
-    return new Set(checksums);
+    return wrapperChecksums;
 }
 async function httpGetJsonArray(url) {
     return JSON.parse(await httpGetText(url));
@@ -182490,13 +182492,16 @@ async function httpGetText(url) {
     const response = await httpc.get(url);
     return await response.readBody();
 }
-async function addDistributionSnapshotChecksums(checksumUrls) {
+async function addDistributionSnapshotChecksumUrls(checksumUrls) {
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/');
     const $ = cheerio.load(indexPage);
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]');
     wrapperChecksumLinks.each((index, element) => {
         const url = $(element).attr('href');
-        checksumUrls.push(`https://services.gradle.org${url}`);
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1];
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`]);
+        }
     });
 }
 
@@ -182552,9 +182557,16 @@ async function recursivelyListFiles(baseDir) {
     const childrenNames = await readdir(baseDir);
     const childrenPaths = await Promise.all(childrenNames.map(async (childName) => {
         const childPath = path.resolve(baseDir, childName);
-        return fs.lstatSync(childPath).isDirectory()
-            ? recursivelyListFiles(childPath)
-            : new Promise(resolve => resolve([childPath]));
+        const stat = fs.lstatSync(childPath, { throwIfNoEntry: false });
+        if (stat === undefined) {
+            return [];
+        }
+        else if (stat.isDirectory()) {
+            return recursivelyListFiles(childPath);
+        }
+        else {
+            return new Promise(resolve => resolve([childPath]));
+        }
     }));
     return Array.prototype.concat(...childrenPaths);
 }
@@ -182668,7 +182680,7 @@ async function findInvalidWrapperJars(gitRepoRoot, allowSnapshots, allowedChecks
             result.fetchedChecksums = true;
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums);
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar);
                 }
                 else {

dist/setup-gradle/post/index.js

@@ -181382,22 +181382,23 @@ const short_lived_token_1 = __nccwpck_require__(7325);
 async function setup(config) {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle');
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions');
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.1');
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0');
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
-    }
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled());
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_ALLOW_UNTRUSTED_SERVER', config.getDevelocityAllowUntrustedServer());
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints());
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl());
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion());
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername());
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword());
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true');
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.2');
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0.2');
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl());
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree());
+    }
     return (0, short_lived_token_1.setupToken)(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry());
 }
 function maybeExportVariable(variableName, value) {
@@ -182435,7 +182436,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.KNOWN_CHECKSUMS = exports.WrapperChecksums = void 0;
 exports.fetchUnknownChecksums = fetchUnknownChecksums;
-exports.addDistributionSnapshotChecksums = addDistributionSnapshotChecksums;
 const httpm = __importStar(__nccwpck_require__(96184));
 const cheerio = __importStar(__nccwpck_require__(36962));
 const wrapper_checksums_json_1 = __importDefault(__nccwpck_require__(46629));
@@ -182469,14 +182469,16 @@ async function fetchUnknownChecksums(allowSnapshots, knownChecksums) {
     const withChecksum = all.filter(entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl'));
     const allowed = withChecksum.filter((entry) => allowSnapshots || !entry.snapshot);
     const notKnown = allowed.filter((entry) => !knownChecksums.versions.has(entry.version));
-    const checksumUrls = notKnown.map((entry) => entry.wrapperChecksumUrl);
+    const checksumUrls = notKnown.map((entry) => [entry.version, entry.wrapperChecksumUrl]);
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls);
+        await addDistributionSnapshotChecksumUrls(checksumUrls);
     }
-    const checksums = await Promise.all(checksumUrls.map(async (url) => {
-        return httpGetText(url);
+    const wrapperChecksums = new WrapperChecksums();
+    await Promise.all(checksumUrls.map(async ([version, url]) => {
+        const checksum = await httpGetText(url);
+        wrapperChecksums.add(version, checksum);
     }));
-    return new Set(checksums);
+    return wrapperChecksums;
 }
 async function httpGetJsonArray(url) {
     return JSON.parse(await httpGetText(url));
@@ -182485,13 +182487,16 @@ async function httpGetText(url) {
     const response = await httpc.get(url);
     return await response.readBody();
 }
-async function addDistributionSnapshotChecksums(checksumUrls) {
+async function addDistributionSnapshotChecksumUrls(checksumUrls) {
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/');
     const $ = cheerio.load(indexPage);
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]');
     wrapperChecksumLinks.each((index, element) => {
         const url = $(element).attr('href');
-        checksumUrls.push(`https://services.gradle.org${url}`);
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1];
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`]);
+        }
     });
 }
 
@@ -182547,9 +182552,16 @@ async function recursivelyListFiles(baseDir) {
     const childrenNames = await readdir(baseDir);
     const childrenPaths = await Promise.all(childrenNames.map(async (childName) => {
         const childPath = path.resolve(baseDir, childName);
-        return fs.lstatSync(childPath).isDirectory()
-            ? recursivelyListFiles(childPath)
-            : new Promise(resolve => resolve([childPath]));
+        const stat = fs.lstatSync(childPath, { throwIfNoEntry: false });
+        if (stat === undefined) {
+            return [];
+        }
+        else if (stat.isDirectory()) {
+            return recursivelyListFiles(childPath);
+        }
+        else {
+            return new Promise(resolve => resolve([childPath]));
+        }
     }));
     return Array.prototype.concat(...childrenPaths);
 }
@@ -182663,7 +182675,7 @@ async function findInvalidWrapperJars(gitRepoRoot, allowSnapshots, allowedChecks
             result.fetchedChecksums = true;
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums);
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar);
                 }
                 else {

dist/wrapper-validation/main/index.js

@@ -126806,7 +126806,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.KNOWN_CHECKSUMS = exports.WrapperChecksums = void 0;
 exports.fetchUnknownChecksums = fetchUnknownChecksums;
-exports.addDistributionSnapshotChecksums = addDistributionSnapshotChecksums;
 const httpm = __importStar(__nccwpck_require__(96184));
 const cheerio = __importStar(__nccwpck_require__(36962));
 const wrapper_checksums_json_1 = __importDefault(__nccwpck_require__(46629));
@@ -126840,14 +126839,16 @@ async function fetchUnknownChecksums(allowSnapshots, knownChecksums) {
     const withChecksum = all.filter(entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl'));
     const allowed = withChecksum.filter((entry) => allowSnapshots || !entry.snapshot);
     const notKnown = allowed.filter((entry) => !knownChecksums.versions.has(entry.version));
-    const checksumUrls = notKnown.map((entry) => entry.wrapperChecksumUrl);
+    const checksumUrls = notKnown.map((entry) => [entry.version, entry.wrapperChecksumUrl]);
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls);
+        await addDistributionSnapshotChecksumUrls(checksumUrls);
     }
-    const checksums = await Promise.all(checksumUrls.map(async (url) => {
-        return httpGetText(url);
+    const wrapperChecksums = new WrapperChecksums();
+    await Promise.all(checksumUrls.map(async ([version, url]) => {
+        const checksum = await httpGetText(url);
+        wrapperChecksums.add(version, checksum);
     }));
-    return new Set(checksums);
+    return wrapperChecksums;
 }
 async function httpGetJsonArray(url) {
     return JSON.parse(await httpGetText(url));
@@ -126856,13 +126857,16 @@ async function httpGetText(url) {
     const response = await httpc.get(url);
     return await response.readBody();
 }
-async function addDistributionSnapshotChecksums(checksumUrls) {
+async function addDistributionSnapshotChecksumUrls(checksumUrls) {
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/');
     const $ = cheerio.load(indexPage);
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]');
     wrapperChecksumLinks.each((index, element) => {
         const url = $(element).attr('href');
-        checksumUrls.push(`https://services.gradle.org${url}`);
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1];
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`]);
+        }
     });
 }
 
@@ -126918,9 +126922,16 @@ async function recursivelyListFiles(baseDir) {
     const childrenNames = await readdir(baseDir);
     const childrenPaths = await Promise.all(childrenNames.map(async (childName) => {
         const childPath = path.resolve(baseDir, childName);
-        return fs.lstatSync(childPath).isDirectory()
-            ? recursivelyListFiles(childPath)
-            : new Promise(resolve => resolve([childPath]));
+        const stat = fs.lstatSync(childPath, { throwIfNoEntry: false });
+        if (stat === undefined) {
+            return [];
+        }
+        else if (stat.isDirectory()) {
+            return recursivelyListFiles(childPath);
+        }
+        else {
+            return new Promise(resolve => resolve([childPath]));
+        }
     }));
     return Array.prototype.concat(...childrenPaths);
 }
@@ -127034,7 +127045,7 @@ async function findInvalidWrapperJars(gitRepoRoot, allowSnapshots, allowedChecks
             result.fetchedChecksums = true;
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums);
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar);
                 }
                 else {

docs/deprecation-upgrade-guide.md

@@ -101,7 +101,7 @@ The exact syntax depends on whether or not your project is configured with the [
 - name: Setup Gradle for a non-wrapper project
   uses: gradle/actions/setup-gradle@v4
   with:
-    gradle-version: "8.10"
+    gradle-version: "8.11"
 
 - name: Assemble the project
   run: gradle assemble

docs/setup-gradle.md

@@ -196,6 +196,9 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
 in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
 secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
 
+> [!IMPORTANT]
+> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
+
 To benefit from configuration caching in your GitHub Actions workflow, you must:
 - Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
 - Enable the configuration cache for your build.
@@ -220,7 +223,10 @@ jobs:
     - run: gradle build --configuration-cache
 ```
 
-> [!IMPORTANT]
+Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
+This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
+
+> [!NOTE]
 > The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
 > This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
 > This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@@ -841,7 +847,7 @@ Here's a minimal example:
       run: ./gradlew build
 ```
 
-This configuration will automatically apply `v3.18.1` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.18.2` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
 
 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:

sources/package-lock.json

@@ -33,7 +33,7 @@
         "@types/unzipper": "0.10.10",
         "@types/which": "3.0.4",
         "@typescript-eslint/parser": "7.18.0",
-        "@vercel/ncc": "0.38.2",
+        "@vercel/ncc": "0.38.3",
         "eslint": "8.57.1",
         "eslint-plugin-github": "5.0.2",
         "eslint-plugin-jest": "28.9.0",
@@ -3050,9 +3050,9 @@
       "dev": true
     },
     "node_modules/@vercel/ncc": {
-      "version": "0.38.2",
-      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.2.tgz",
-      "integrity": "sha512-3yel3jaxUg9pHBv4+KeC9qlbdZPug+UMtUOlhvpDYCMSgcNSrS2Hv1LoqMsOV7hf2lYscx+BESfJOIla1WsmMQ==",
+      "version": "0.38.3",
+      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.3.tgz",
+      "integrity": "sha512-rnK6hJBS6mwc+Bkab+PGPs9OiS0i/3kdTO+CkI8V0/VrW3vmz7O2Pxjw/owOlmo6PKEIxRSeZKv/kuL9itnpYA==",
       "dev": true,
       "bin": {
         "ncc": "dist/ncc/cli.js"
@@ -12138,9 +12138,9 @@
       "dev": true
     },
     "@vercel/ncc": {
-      "version": "0.38.2",
-      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.2.tgz",
-      "integrity": "sha512-3yel3jaxUg9pHBv4+KeC9qlbdZPug+UMtUOlhvpDYCMSgcNSrS2Hv1LoqMsOV7hf2lYscx+BESfJOIla1WsmMQ==",
+      "version": "0.38.3",
+      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.3.tgz",
+      "integrity": "sha512-rnK6hJBS6mwc+Bkab+PGPs9OiS0i/3kdTO+CkI8V0/VrW3vmz7O2Pxjw/owOlmo6PKEIxRSeZKv/kuL9itnpYA==",
       "dev": true
     },
     "@yarnpkg/lockfile": {

sources/package.json

@@ -55,7 +55,7 @@
     "@types/unzipper": "0.10.10",
     "@types/which": "3.0.4",
     "@typescript-eslint/parser": "7.18.0",
-    "@vercel/ncc": "0.38.2",
+    "@vercel/ncc": "0.38.3",
     "eslint": "8.57.1",
     "eslint-plugin-github": "5.0.2",
     "eslint-plugin-jest": "28.9.0",

sources/src/develocity/build-scan.ts

@@ -5,13 +5,6 @@ import {setupToken} from './short-lived-token'
 export async function setup(config: BuildScanConfig): Promise<void> {
     maybeExportVariable('DEVELOCITY_INJECTION_INIT_SCRIPT_NAME', 'gradle-actions.inject-develocity.init.gradle')
     maybeExportVariable('DEVELOCITY_AUTO_INJECTION_CUSTOM_VALUE', 'gradle-actions')
-    if (config.getBuildScanPublishEnabled()) {
-        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
-        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.1')
-        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0')
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl())
-        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
-    }
 
     maybeExportVariableNotEmpty('DEVELOCITY_INJECTION_ENABLED', config.getDevelocityInjectionEnabled())
     maybeExportVariableNotEmpty('DEVELOCITY_URL', config.getDevelocityUrl())
@@ -19,10 +12,22 @@ export async function setup(config: BuildScanConfig): Promise<void> {
     maybeExportVariableNotEmpty('DEVELOCITY_CAPTURE_FILE_FINGERPRINTS', config.getDevelocityCaptureFileFingerprints())
     maybeExportVariableNotEmpty('DEVELOCITY_ENFORCE_URL', config.getDevelocityEnforceUrl())
     maybeExportVariableNotEmpty('DEVELOCITY_PLUGIN_VERSION', config.getDevelocityPluginVersion())
+    maybeExportVariableNotEmpty('DEVELOCITY_CCUD_PLUGIN_VERSION', config.getDevelocityCcudPluginVersion())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_URL', config.getGradlePluginRepositoryUrl())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_USERNAME', config.getGradlePluginRepositoryUsername())
     maybeExportVariableNotEmpty('GRADLE_PLUGIN_REPOSITORY_PASSWORD', config.getGradlePluginRepositoryPassword())
 
+    // If build-scan-publish is enabled, ensure the environment variables are set
+    // The DEVELOCITY_PLUGIN_VERSION and DEVELOCITY_CCUD_PLUGIN_VERSION are set to the latest versions
+    // except if they are defined in the configuration
+    if (config.getBuildScanPublishEnabled()) {
+        maybeExportVariable('DEVELOCITY_INJECTION_ENABLED', 'true')
+        maybeExportVariable('DEVELOCITY_PLUGIN_VERSION', '3.18.2')
+        maybeExportVariable('DEVELOCITY_CCUD_PLUGIN_VERSION', '2.0.2')
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl())
+        maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
+    }
+
     return setupToken(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry())
 }
 

sources/src/resources/init-scripts/gradle-actions.build-result-capture.init.gradle

@@ -32,15 +32,19 @@ if (isTopLevelBuild) {
 
         // Use the Develocity plugin to also capture build scan links, when available
         settingsEvaluated { settings ->
-            settings.pluginManager.withPlugin(GE_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (!settings.extensions.findByName(DEVELOCITY_EXTENSION)) {
+            def captureBuildScanLink = {
+                // Prefer the 'develocity' extension, if available
+                if (settings.extensions.findByName(DEVELOCITY_EXTENSION)) {
+                    captureUsingBuildScanPublished(settings.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                } else {
                     captureUsingBuildScanPublished(settings.extensions[GE_EXTENSION].buildScan, invocationId, resultsWriter)
                 }
             }
-
+            settings.pluginManager.withPlugin(GE_PLUGIN_ID, captureBuildScanLink)
             settings.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                captureUsingBuildScanPublished(settings.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                // Develocity plugin applies GE plugin: avoid duplicate call
+                if (settings.pluginManager.hasPlugin(GE_PLUGIN_ID)) return
+                captureBuildScanLink()
             }
         }
     } else if (atLeastGradle3) {
@@ -48,15 +52,21 @@ if (isTopLevelBuild) {
             // By default, use 'buildFinished' to capture build results
             captureUsingBuildFinished(gradle, invocationId, resultsWriter)
 
-            gradle.rootProject.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID) {
-                // Only execute if develocity plugin isn't applied.
-                if (!gradle.rootProject.extensions.findByName(DEVELOCITY_EXTENSION)) {
+            def captureBuildScanLink = {
+                // Prefer the 'develocity' extension, if available
+                if (gradle.rootProject.extensions.findByName(DEVELOCITY_EXTENSION)) {
+                    captureUsingBuildScanPublished(gradle.rootProject.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                } else {
                     captureUsingBuildScanPublished(gradle.rootProject.extensions[BUILD_SCAN_EXTENSION], invocationId, resultsWriter)
                 }
             }
 
+            gradle.rootProject.pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID, captureBuildScanLink)
+
             gradle.rootProject.pluginManager.withPlugin(DEVELOCITY_PLUGIN_ID) {
-                captureUsingBuildScanPublished(gradle.rootProject.extensions[DEVELOCITY_EXTENSION].buildScan, invocationId, resultsWriter)
+                // Develocity plugin applies Build Scan plugin: avoid duplicate call
+                if (gradle.rootProject.pluginManager.hasPlugin(BUILD_SCAN_PLUGIN_ID)) return
+                captureBuildScanLink()
             }
         }
     }

sources/src/wrapper-validation/checksums.ts

@@ -38,7 +38,7 @@ export const KNOWN_CHECKSUMS = loadKnownChecksums()
 export async function fetchUnknownChecksums(
     allowSnapshots: boolean,
     knownChecksums: WrapperChecksums
-): Promise<Set<string>> {
+): Promise<WrapperChecksums> {
     const all = await httpGetJsonArray('https://services.gradle.org/versions/all')
     const withChecksum = all.filter(
         entry => typeof entry === 'object' && entry != null && entry.hasOwnProperty('wrapperChecksumUrl')
@@ -51,20 +51,21 @@ export async function fetchUnknownChecksums(
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         (entry: any) => !knownChecksums.versions.has(entry.version)
     )
-    const checksumUrls = notKnown.map(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        (entry: any) => entry.wrapperChecksumUrl as string
-    )
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const checksumUrls = notKnown.map((entry: any) => [entry.version, entry.wrapperChecksumUrl] as [string, string])
     if (allowSnapshots) {
-        await addDistributionSnapshotChecksums(checksumUrls)
+        await addDistributionSnapshotChecksumUrls(checksumUrls)
     }
-    const checksums = await Promise.all(
-        checksumUrls.map(async (url: string) => {
-            // console.log(`Fetching checksum from ${url}`)
-            return httpGetText(url)
+
+    const wrapperChecksums = new WrapperChecksums()
+    await Promise.all(
+        checksumUrls.map(async ([version, url]) => {
+            const checksum = await httpGetText(url)
+            wrapperChecksums.add(version, checksum)
         })
     )
-    return new Set(checksums)
+    return wrapperChecksums
 }
 
 async function httpGetJsonArray(url: string): Promise<unknown[]> {
@@ -76,21 +77,20 @@ async function httpGetText(url: string): Promise<string> {
     return await response.readBody()
 }
 
-// Public for testing
-export async function addDistributionSnapshotChecksums(checksumUrls: string[]): Promise<void> {
-    // Load the index page of the distribution snapshot repository
+async function addDistributionSnapshotChecksumUrls(checksumUrls: [string, string][]): Promise<void> {
+    // Load the index page of the distribution snapshot repository into cheerio
     const indexPage = await httpGetText('https://services.gradle.org/distributions-snapshots/')
-
-    // // Extract all wrapper checksum from the index page. These end in -wrapper.jar.sha256
-    // // Load the HTML into cheerio
     const $ = cheerio.load(indexPage)
 
     // // Find all links ending with '-wrapper.jar.sha256'
     const wrapperChecksumLinks = $('a[href$="-wrapper.jar.sha256"]')
-
-    // build the absolute URL for each wrapper checksum
     wrapperChecksumLinks.each((index, element) => {
-        const url = $(element).attr('href')
-        checksumUrls.push(`https://services.gradle.org${url}`)
+        const url = $(element).attr('href')!
+
+        // Extract the version from the url
+        const version = url.match(/\/distributions-snapshots\/gradle-(.*?)-wrapper\.jar\.sha256/)?.[1]
+        if (version) {
+            checksumUrls.push([version, `https://services.gradle.org${url}`])
+        }
     })
 }

sources/src/wrapper-validation/find.ts

@@ -18,9 +18,14 @@ async function recursivelyListFiles(baseDir: string): Promise<string[]> {
     const childrenPaths = await Promise.all(
         childrenNames.map(async childName => {
             const childPath = path.resolve(baseDir, childName)
-            return fs.lstatSync(childPath).isDirectory()
-                ? recursivelyListFiles(childPath)
-                : new Promise(resolve => resolve([childPath]))
+            const stat = fs.lstatSync(childPath, {throwIfNoEntry: false})
+            if (stat === undefined) {
+                return []
+            } else if (stat.isDirectory()) {
+                return recursivelyListFiles(childPath)
+            } else {
+                return new Promise(resolve => resolve([childPath]))
+            }
         })
     )
     return Array.prototype.concat(...childrenPaths)

sources/src/wrapper-validation/validate.ts

@@ -33,7 +33,7 @@ export async function findInvalidWrapperJars(
             const fetchedValidChecksums = await checksums.fetchUnknownChecksums(allowSnapshots, knownValidChecksums)
 
             for (const wrapperJar of notYetValidatedWrappers) {
-                if (!fetchedValidChecksums.has(wrapperJar.checksum)) {
+                if (!fetchedValidChecksums.checksums.has(wrapperJar.checksum)) {
                     result.invalid.push(wrapperJar)
                 } else {
                     result.valid.push(wrapperJar)

sources/test/init-scripts/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "3.18.1"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
+    id "com.gradle.develocity" version "3.18.2"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.2"
 }
 
 develocity {

sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/BaseInitScriptTest.groovy

@@ -16,8 +16,8 @@ import java.nio.file.Files
 import java.util.zip.GZIPOutputStream
 
 class BaseInitScriptTest extends Specification {
-    static final String DEVELOCITY_PLUGIN_VERSION = '3.18.1'
-    static final String CCUD_PLUGIN_VERSION = '2.0.1'
+    static final String DEVELOCITY_PLUGIN_VERSION = '3.18.2'
+    static final String CCUD_PLUGIN_VERSION = '2.0.2'
 
     static final TestGradleVersion GRADLE_3_X = new TestGradleVersion(GradleVersion.version('3.5.1'), 7, 9)
     static final TestGradleVersion GRADLE_4_X = new TestGradleVersion(GradleVersion.version('4.10.3'), 7, 10)
@@ -28,7 +28,7 @@ class BaseInitScriptTest extends Specification {
     static final TestGradleVersion GRADLE_7_1 = new TestGradleVersion(GradleVersion.version('7.1.1'), 8, 16)
     static final TestGradleVersion GRADLE_7_X = new TestGradleVersion(GradleVersion.version('7.6.2'), 8, 19)
     static final TestGradleVersion GRADLE_8_0 = new TestGradleVersion(GradleVersion.version('8.0.2'), 8, 19)
-    static final TestGradleVersion GRADLE_8_X = new TestGradleVersion(GradleVersion.version('8.10'), 8, 23)
+    static final TestGradleVersion GRADLE_8_X = new TestGradleVersion(GradleVersion.version('8.11'), 8, 23)
 
     static final List<TestGradleVersion> ALL_VERSIONS = [
         GRADLE_3_X, // First version where TestKit supports environment variables

sources/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestBuildResultRecorder.groovy

@@ -196,7 +196,7 @@ class TestBuildResultRecorder extends BaseInitScriptTest {
         when:
         settingsFile.text = """
             plugins {
-                id 'com.gradle.develocity' version '3.18.1' apply(false)
+                id 'com.gradle.develocity' version '3.18.2' apply(false)
             }
             gradle.settingsEvaluated {
                 apply plugin: 'com.gradle.develocity'

sources/test/jest/wrapper-validation/checksums.test.ts

@@ -4,6 +4,22 @@ import {afterEach, describe, expect, test, jest} from '@jest/globals'
 
 jest.setTimeout(30000)
 
+const CHECKSUM_8_1 = 'ed2c26eba7cfb93cc2b7785d05e534f07b5b48b5e7fc941921cd098628abca58'
+
+function knownChecksumsWithout8_1(): checksums.WrapperChecksums {
+  const knownChecksums = new checksums.WrapperChecksums()
+  // iterate over all known checksums and add them to the knownChecksums object
+  for (const [checksum, versions] of checksums.KNOWN_CHECKSUMS.checksums) {
+    if (checksum !== CHECKSUM_8_1) {
+      for (const version of versions) {
+        knownChecksums.add(version, checksum)
+      }
+    }
+  }
+  return knownChecksums
+}
+
+
 test('has loaded hardcoded wrapper jars checksums', async () => {
   // Sanity check that generated checksums file is not empty and was properly imported
   expect(checksums.KNOWN_CHECKSUMS.checksums.size).toBeGreaterThan(10)
@@ -20,33 +36,23 @@ test('has loaded hardcoded wrapper jars checksums', async () => {
   ).toEqual(new Set(['6.0-rc-1', '6.0-rc-2', '6.0-rc-3', '6.0', '6.0.1']))
 })
 
-test('fetches wrapper jars checksums', async () => {
-  const validChecksums = await checksums.fetchUnknownChecksums(false, new checksums.WrapperChecksums)
-  expect(validChecksums.size).toBeGreaterThan(10)
-  // Verify that checksum of arbitrary version is contained
-  expect(
-    validChecksums.has(
-      // Checksum for version 6.0
-      '28b330c20a9a73881dfe9702df78d4d78bf72368e8906c70080ab6932462fe9e'
-    )
-  ).toBe(true)
+test('fetches wrapper jar checksums that are missing from hardcoded set', async () => {
+  const unknownChecksums = await checksums.fetchUnknownChecksums(false, knownChecksumsWithout8_1())
+
+  expect(unknownChecksums.checksums.size).toEqual(1)
+  expect(unknownChecksums.checksums.has(CHECKSUM_8_1)).toBe(true)
+  expect(unknownChecksums.checksums.get(CHECKSUM_8_1)).toEqual(new Set(['8.1-rc-1', '8.1-rc-2', '8.1-rc-3', '8.1-rc-4', '8.1', '8.1.1']))
 })
 
 test('fetches wrapper jar checksums for snapshots', async () => {
-  const nonSnapshotChecksums = await checksums.fetchUnknownChecksums(false, new checksums.WrapperChecksums)
-  const validChecksums = await checksums.fetchUnknownChecksums(true, new checksums.WrapperChecksums)
+  const knownChecksums = knownChecksumsWithout8_1()
+  const nonSnapshotChecksums = await checksums.fetchUnknownChecksums(false, knownChecksums)
+  const allValidChecksums = await checksums.fetchUnknownChecksums(true, knownChecksums)
 
-  // Expect that at least one snapshot checksum is different from the non-snapshot checksums
-  expect(nonSnapshotChecksums.size).toBeGreaterThan(10)
-  expect(validChecksums.size).toBeGreaterThanOrEqual(nonSnapshotChecksums.size)
-})
-
-test('fetches all wrapper checksum URLS for snapshots', async () => {
-  const checksumUrls: string[] = []
-  await checksums.addDistributionSnapshotChecksums(checksumUrls)
-
-  expect(checksumUrls.length).toBeGreaterThan(100) // May only be a few unique checksums
-  console.log(checksumUrls)
+  // Should always be many more snapshot versions
+  expect(allValidChecksums.versions.size - nonSnapshotChecksums.versions.size).toBeGreaterThan(20)
+  // May not be any unique snapshot checksums
+  expect(allValidChecksums.checksums.size).toBeGreaterThanOrEqual(nonSnapshotChecksums.checksums.size)
 })
 
 describe('retry', () => {
@@ -65,7 +71,7 @@ describe('retry', () => {
         })
 
       const validChecksums = await checksums.fetchUnknownChecksums(false, new checksums.WrapperChecksums)
-      expect(validChecksums.size).toBeGreaterThan(10)
+      expect(validChecksums.checksums.size).toBeGreaterThan(10)
       nock.isDone()
     })
   })