.github/actions/build-dist/action.yml

@@ -3,9 +3,9 @@ name: 'Build and upload distribution'
 runs:
   using: "composite"
   steps: 
-    - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+    - uses: actions/setup-node@v4
       with:
-        node-version: 24
+        node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
     - name: Build distribution
@@ -23,7 +23,7 @@ runs:
         cp -r sources/dist .
 
     - name: Upload distribution
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@v4
       with:
         name: dist
         path: dist/

.github/actions/init-integ-test/action.yml

@@ -1,19 +1,13 @@
 name: 'Initialize integ-test'
 
-inputs:
-  java-version:
-    description: 'Java version to use'
-    required: false
-    default: '17'
-
 runs:
   using: "composite"
   steps: 
     - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
-        java-version: ${{ inputs.java-version }}
+        java-version: 11
 
     - name: Configure environment
       shell: bash
@@ -23,7 +17,7 @@ runs:
     # Downloads a 'dist' directory artifact that was uploaded in an earlier 'build-dist' step
     - name: Download dist
       if: ${{ env.SKIP_DIST != 'true' && !env.ACT }}
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@v4
       with:
         name: dist
         path: dist/

.github/dependabot.yml

@@ -5,7 +5,6 @@ registries:
     url: https://plugins.gradle.org/m2
     username: dummy # Required by dependabot
     password: dummy # Required by dependabot
-
 updates:
   - package-ecosystem: "npm"
     directory: "/sources"
@@ -17,12 +16,25 @@ updates:
         - "*"
       
   - package-ecosystem: "github-actions"
-    # github-actions with directory: "/" only monitors .github/workflows
-    # https://github.com/dependabot/dependabot-core/issues/6345
-    directories:
-      - "/"
-      - "/.github/actions/build-dist"
-      - "/.github/actions/init-integ-test"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+        - "*"
+  # github-actions with directory: "/" only monitors .github/workflows
+  # https://github.com/dependabot/dependabot-core/issues/6345
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/build-dist"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/init-integ-test"
     schedule:
       interval: "weekly"
     groups:
@@ -31,19 +43,44 @@ updates:
           - "*"
 
   - package-ecosystem: "gradle"
-    directories:
-      - ".github/workflow-samples/gradle-plugin"
-      - ".github/workflow-samples/groovy-dsl"
-      - ".github/workflow-samples/java-toolchain"
-      - ".github/workflow-samples/kotlin-dsl"
-      - ".github/workflow-samples/no-wrapper"
-      - ".github/workflow-samples/no-wrapper-gradle-5"
-      - "sources/test/init-scripts"
+    directory: ".github/workflow-samples/gradle-plugin"
+    registries:
+      - gradle-plugin-portal
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gradle"
+    directory: ".github/workflow-samples/groovy-dsl"
+    registries:
+      - gradle-plugin-portal
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gradle"
+    directory: ".github/workflow-samples/java-toolchain"
+    registries:
+      - gradle-plugin-portal
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gradle"
+    directory: ".github/workflow-samples/kotlin-dsl"
+    registries:
+      - gradle-plugin-portal
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gradle"
+    directory: ".github/workflow-samples/no-wrapper"
+    registries:
+      - gradle-plugin-portal
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gradle"
+    directory: ".github/workflow-samples/no-wrapper-gradle-5"
+    registries:
+      - gradle-plugin-portal
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gradle"
+    directory: "sources/test/init-scripts"
     registries:
       - gradle-plugin-portal
     schedule:
       interval: "weekly"
-    groups:
-      gradle:
-        patterns:
-          - "*"

.github/workflow-samples/gradle-plugin/gradle/libs.versions.toml

@@ -1,2 +0,0 @@
-# This file was generated by the Gradle 'init' task.
-# https://docs.gradle.org/current/userguide/platforms.html#sub::toml-dependencies-format

.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=df67a32e86e3276d011735facb1535f64d0d88df84fa87521e90becc2d735444
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.0-bin.zip
+distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/gradle-plugin/gradlew

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright © 2015 the original authors.
+# Copyright © 2015-2021 the original authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -86,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -114,6 +115,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
 
 # Determine the Java command to use to start the JVM.
@@ -171,6 +173,7 @@ fi
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if "$cygwin" || "$msys" ; then
     APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
 
     JAVACMD=$( cygpath --unix "$JAVACMD" )
 
@@ -203,14 +206,15 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
-        -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
 # Stop when "xargs" is not available.

.github/workflow-samples/gradle-plugin/gradlew.bat

@@ -70,10 +70,11 @@ goto fail
 :execute
 @rem Setup the command line
 
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

.github/workflow-samples/gradle-plugin/plugin/build.gradle

@@ -0,0 +1,60 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * This generated file contains a sample Gradle plugin project to get you started.
+ * For more details take a look at the Writing Custom Plugins chapter in the Gradle
+ * User Manual available at https://docs.gradle.org/7.3/userguide/custom_plugins.html
+ * This project uses @Incubating APIs which are subject to change.
+ */
+
+plugins {
+    // Apply the Java Gradle plugin development plugin to add support for developing Gradle plugins
+    id 'java-gradle-plugin'
+}
+
+repositories {
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
+}
+
+testing {
+    suites {
+        // Configure the built-in test suite
+        test {
+            // Use JUnit Jupiter test framework
+            useJUnitJupiter('5.7.2')
+        }
+
+        // Create a new test suite
+        functionalTest(JvmTestSuite) {
+            dependencies {
+                // functionalTest test suite depends on the production code in tests
+                implementation(project(':plugin'))
+            }
+
+            targets {
+                all {
+                    // This test suite should run after the built-in test suite has run its tests
+                    testTask.configure { shouldRunAfter(test) } 
+                }
+            }
+        }
+    }
+}
+
+gradlePlugin {
+    // Define the plugin
+    plugins {
+        greeting {
+            id = 'org.example.gradle.plugin.greeting'
+            implementationClass = 'org.example.gradle.plugin.GradlePluginPlugin'
+        }
+    }
+}
+
+gradlePlugin.testSourceSets(sourceSets.functionalTest)
+
+tasks.named('check') {
+    // Include functionalTest as part of the check lifecycle
+    dependsOn(testing.suites.functionalTest)
+}

.github/workflow-samples/gradle-plugin/plugin/build.gradle.kts

@@ -1,40 +0,0 @@
-plugins {
-    `java-gradle-plugin`
-}
-
-repositories {
-    mavenCentral()
-}
-
-testing {
-    suites {
-        val test by getting(JvmTestSuite::class) {
-            useJUnitJupiter()
-        }
-
-        val functionalTest by registering(JvmTestSuite::class) {
-            dependencies {
-                implementation(project())
-            }
-
-            targets {
-                all {
-                    testTask.configure { shouldRunAfter(test) } 
-                }
-            }
-        }
-    }
-}
-
-gradlePlugin {
-    val greeting by plugins.creating {
-        id = "org.example.greeting"
-        implementationClass = "org.example.GradlePluginPlugin"
-    }
-}
-
-gradlePlugin.testSourceSets.add(sourceSets["functionalTest"])
-
-tasks.named<Task>("check") {
-    dependsOn(testing.suites.named("functionalTest"))
-}

.github/workflow-samples/gradle-plugin/plugin/src/functionalTest/java/org/example/gradle/plugin/GradlePluginPluginFunctionalTest.java

@@ -1,7 +1,7 @@
 /*
- * This source file was generated by the Gradle 'init' task
+ * This Java source file was generated by the Gradle 'init' task.
  */
-package org.example;
+package org.example.gradle.plugin;
 
 import java.io.File;
 import java.io.IOException;
@@ -15,7 +15,7 @@ import org.junit.jupiter.api.io.TempDir;
 import static org.junit.jupiter.api.Assertions.*;
 
 /**
- * A simple functional test for the 'org.example.greeting' plugin.
+ * A simple functional test for the 'org.example.gradle.plugin.greeting' plugin.
  */
 class GradlePluginPluginFunctionalTest {
     @TempDir
@@ -29,23 +29,24 @@ class GradlePluginPluginFunctionalTest {
         return new File(projectDir, "settings.gradle");
     }
 
-    @Test void canRunTask() throws IOException {
+    @Test void canRunTaskWithGradle691() throws IOException {
         writeString(getSettingsFile(), "");
         writeString(getBuildFile(),
             "plugins {" +
-            "  id('org.example.greeting')" +
+            "  id('org.example.gradle.plugin.greeting')" +
             "}");
 
         // Run the build
         GradleRunner runner = GradleRunner.create();
         runner.forwardOutput();
+        runner.withGradleVersion("6.9.1");
         runner.withPluginClasspath();
         runner.withArguments("greeting");
         runner.withProjectDir(projectDir);
         BuildResult result = runner.build();
 
         // Verify the result
-        assertTrue(result.getOutput().contains("Hello from plugin 'org.example.greeting'"));
+        assertTrue(result.getOutput().contains("Hello from plugin 'org.example.gradle.plugin.greeting'"));
     }
 
     private void writeString(File file, String string) throws IOException {

.github/workflow-samples/gradle-plugin/plugin/src/main/java/org/example/gradle/plugin/GradlePluginPlugin.java

@@ -1,7 +1,7 @@
 /*
- * This source file was generated by the Gradle 'init' task
+ * This Java source file was generated by the Gradle 'init' task.
  */
-package org.example;
+package org.example.gradle.plugin;
 
 import org.gradle.api.Project;
 import org.gradle.api.Plugin;
@@ -13,7 +13,7 @@ public class GradlePluginPlugin implements Plugin<Project> {
     public void apply(Project project) {
         // Register a task
         project.getTasks().register("greeting", task -> {
-            task.doLast(s -> System.out.println("Hello from plugin 'org.example.greeting'"));
+            task.doLast(s -> System.out.println("Hello from plugin 'org.example.gradle.plugin.greeting'"));
         });
     }
 }

.github/workflow-samples/gradle-plugin/plugin/src/test/java/org/example/gradle/plugin/GradlePluginPluginTest.java

@@ -1,7 +1,7 @@
 /*
- * This source file was generated by the Gradle 'init' task
+ * This Java source file was generated by the Gradle 'init' task.
  */
-package org.example;
+package org.example.gradle.plugin;
 
 import org.gradle.testfixtures.ProjectBuilder;
 import org.gradle.api.Project;
@@ -9,13 +9,13 @@ import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.*;
 
 /**
- * A simple unit test for the 'org.example.greeting' plugin.
+ * A simple unit test for the 'org.example.gradle.plugin.greeting' plugin.
  */
 class GradlePluginPluginTest {
     @Test void pluginRegistersATask() {
         // Create a test project and apply the plugin
         Project project = ProjectBuilder.builder().build();
-        project.getPlugins().apply("org.example.greeting");
+        project.getPlugins().apply("org.example.gradle.plugin.greeting");
 
         // Verify the result
         assertNotNull(project.getTasks().findByName("greeting"));

.github/workflow-samples/gradle-plugin/settings.gradle

@@ -0,0 +1,12 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * The settings file is used to specify which projects to include in your build.
+ *
+ * Detailed information about configuring a multi-project build in Gradle can be found
+ * in the user manual at https://docs.gradle.org/7.3/userguide/multi_project_builds.html
+ * This project uses @Incubating APIs which are subject to change.
+ */
+
+rootProject.name = 'gradle-plugin'
+include('plugin')

.github/workflow-samples/gradle-plugin/settings.gradle.kts

@@ -1,2 +0,0 @@
-rootProject.name = "gradle-plugin-2"
-include("plugin")

.github/workflow-samples/groovy-dsl/build.gradle

@@ -6,12 +6,8 @@ repositories {
     mavenCentral()
 }
 
-testing {
-    suites {
-        test {
-            useJUnit()
-        }
-    }
+dependencies {
+    testImplementation('junit:junit:4.13.2')
 }
 
 tasks.named("test").configure {

.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=df67a32e86e3276d011735facb1535f64d0d88df84fa87521e90becc2d735444
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.0-bin.zip
+distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/gradlew

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright © 2015 the original authors.
+# Copyright © 2015-2021 the original authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -86,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -114,6 +115,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
 
 # Determine the Java command to use to start the JVM.
@@ -171,6 +173,7 @@ fi
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if "$cygwin" || "$msys" ; then
     APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
 
     JAVACMD=$( cygpath --unix "$JAVACMD" )
 
@@ -203,14 +206,15 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
-        -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
 # Stop when "xargs" is not available.

.github/workflow-samples/groovy-dsl/gradlew.bat

@@ -70,10 +70,11 @@ goto fail
 :execute
 @rem Setup the command line
 
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

.github/workflow-samples/groovy-dsl/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.develocity" version "4.2.2"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.4.0"
+    id "com.gradle.develocity" version "3.18.1"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "2.0.1"
 }
 
 develocity {

.github/workflow-samples/java-toolchain/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    java
+    id 'java'
 }
 
 java {
@@ -12,10 +12,6 @@ repositories {
     mavenCentral()
 }
 
-testing {
-    suites {
-        val test by getting(JvmTestSuite::class) {
-            useJUnit()
-        }
-    }
-}
+dependencies {
+    testImplementation('junit:junit:4.13.2')
+}

.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=df67a32e86e3276d011735facb1535f64d0d88df84fa87521e90becc2d735444
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.0-bin.zip
+distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/java-toolchain/gradlew

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright © 2015 the original authors.
+# Copyright © 2015-2021 the original authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -86,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -114,6 +115,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
 
 # Determine the Java command to use to start the JVM.
@@ -171,6 +173,7 @@ fi
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if "$cygwin" || "$msys" ; then
     APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
 
     JAVACMD=$( cygpath --unix "$JAVACMD" )
 
@@ -203,14 +206,15 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
-        -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
 # Stop when "xargs" is not available.

.github/workflow-samples/java-toolchain/gradlew.bat

@@ -70,10 +70,11 @@ goto fail
 :execute
 @rem Setup the command line
 
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

.github/workflow-samples/java-toolchain/settings.gradle

@@ -0,0 +1,5 @@
+plugins {
+    id("org.gradle.toolchains.foojay-resolver-convention") version("0.7.0")
+}
+
+rootProject.name = 'basic'

.github/workflow-samples/java-toolchain/settings.gradle.kts

@@ -1,6 +0,0 @@
-plugins {
-    // Apply the foojay-resolver plugin to allow automatic download of JDKs
-    id("org.gradle.toolchains.foojay-resolver-convention") version "1.0.0"
-}
-
-rootProject.name = "java-toolchains"

.github/workflow-samples/kotlin-dsl/build.gradle.kts

@@ -8,15 +8,13 @@ repositories {
 
 dependencies {
     api("org.apache.commons:commons-math3:3.6.1")
-    implementation("com.google.guava:guava:33.5.0-jre")
+    implementation("com.google.guava:guava:33.3.0-jre")
+
+    testImplementation("org.junit.jupiter:junit-jupiter:5.11.0")
 }
 
-testing {
-    suites { 
-       val test by getting(JvmTestSuite::class) { 
-            useJUnitJupiter() 
-        }
-    }
+tasks.test {
+    useJUnitPlatform()
 }
 
 tasks.named("test").configure {

.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=df67a32e86e3276d011735facb1535f64d0d88df84fa87521e90becc2d735444
-distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.0-bin.zip
+distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/gradlew

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright © 2015 the original authors.
+# Copyright © 2015-2021 the original authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -86,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -114,6 +115,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
 
 # Determine the Java command to use to start the JVM.
@@ -171,6 +173,7 @@ fi
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if "$cygwin" || "$msys" ; then
     APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
 
     JAVACMD=$( cygpath --unix "$JAVACMD" )
 
@@ -203,14 +206,15 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
-        -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
 # Stop when "xargs" is not available.

.github/workflow-samples/kotlin-dsl/gradlew.bat

@@ -70,10 +70,11 @@ goto fail
 :execute
 @rem Setup the command line
 
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

.github/workflow-samples/kotlin-dsl/settings.gradle.kts

@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.develocity") version "4.2.2"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.4.0"
+    id("com.gradle.develocity") version "3.18.1"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "2.0.1"
 }
 
 develocity {

.github/workflow-samples/no-wrapper-gradle-5/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "4.2.2" 
+    id "com.gradle.develocity" version "3.18.1" 
 }
 
 develocity {

.github/workflow-samples/no-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "4.2.2"
+    id "com.gradle.develocity" version "3.18.1"
 }
 
 develocity {

.github/workflow-samples/non-executable-wrapper/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=57dafb5c2622c6cc08b993c85b7c06956a2f53536432a30ead46166dbca0f1e9
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.11-bin.zip
+distributionSha256Sum=5b9c5eb3f9fc2c94abaea57d90bd78747ca117ddbbf96c859d3741181a12bf2a
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/non-executable-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.develocity" version "4.2.2"
+    id "com.gradle.develocity" version "3.18.1"
 }
 
 develocity {

.github/workflows/ci-check-and-unit-test.yml

@@ -15,43 +15,22 @@ permissions:
 jobs:
   check-format-and-unit-test:
     runs-on: ubuntu-latest
-
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-    - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
       with:
         node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
-    - name: Setup Gradle
-      # Use a released version to avoid breakages
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
-      env:
-        ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
-      with:
-        gradle-version: '8.14.2'
-
-    - name: Install npm dependencies
-      run: |
-        npm clean-install
-      working-directory: sources
 
     - name: Check formatting and compile
       run: |
+        npm install
         npm run check
         npm run compile
       working-directory: sources
-      env:
-        NODE_OPTIONS: '-r @gradle-tech/develocity-agent/preload'
-        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
-        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
-
     - name: Run unit tests
       run: |
         npm test
       working-directory: sources
-      env:
-        NODE_OPTIONS: '-r @gradle-tech/develocity-agent/preload'
-        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
-        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'

.github/workflows/ci-check-no-dist-update.yml

@@ -15,13 +15,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: Get changed files
       id: changed-files
-      uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+      uses: tj-actions/changed-files@v45
       with:
         files: |
           dist/**

.github/workflows/ci-codeql.yml

@@ -6,15 +6,16 @@ on:
     - 'main'
     - 'release/**'
     - 'dev/**' # Allow running Code QL on dev branches without a PR
+    paths-ignore:
+    - 'dist/**'
   pull_request:
     branches:
     - 'main'
+    paths-ignore:
+    - 'dist/**'
   schedule:
     - cron: '25 23 * * 2'
 
-permissions:
-  contents: read
-
 jobs:
   analyze:
     name: Analyze
@@ -31,11 +32,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         config: |
@@ -43,4 +44,4 @@ jobs:
           - sources/src
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5
+      uses: github/codeql-action/analyze@v3

.github/workflows/ci-init-script-check.yml

@@ -14,23 +14,19 @@ on:
       - 'sources/test/init-scripts/**'
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   test-init-scripts:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      uses: actions/setup-java@v4
       with:
         distribution: temurin
-        java-version: 17
+        java-version: 11
     - name: Setup Gradle
-      # Use a released version to avoid breakages
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@v4 # Use a released version to avoid breakages
       env:
         ALLOWED_GRADLE_WRAPPER_CHECKSUMS: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 # Invalid wrapper jar used for testing
     - name: Run integration tests

.github/workflows/ci-integ-test-full.yml

@@ -3,18 +3,16 @@ name: CI-integ-test-full
 on:
   workflow_dispatch:
   push:
-    branches:
-    - 'main'
     paths:
     - 'dist/**'
 
+permissions:
+  contents: write
+
 concurrency:
   group: integ-test
   cancel-in-progress: false
 
-permissions:
-  contents: read
-
 jobs:
   caching-integ-tests:
     uses: ./.github/workflows/suite-integ-test-caching.yml
@@ -27,8 +25,6 @@ jobs:
     secrets: inherit
 
   other-integ-tests:
-    permissions:
-      contents: write
     uses: ./.github/workflows/suite-integ-test-other.yml
     concurrency:
       group: CI-integ-test-full

.github/workflows/ci-integ-test.yml

@@ -11,19 +11,19 @@ on:
     paths-ignore:
     - 'dist/**'
 
+permissions:
+  contents: write
+
 concurrency:
   group: integ-test
   cancel-in-progress: false
 
-permissions:
-  contents: read
-
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Build and upload distribution
       if: ${{ needs.determine-suite.outputs.suite != 'full' }}
       uses: ./.github/actions/build-dist
@@ -36,8 +36,6 @@ jobs:
     secrets: inherit
 
   other-integ-tests:
-    permissions:
-      contents: write
     needs: build-distribution
     uses: ./.github/workflows/suite-integ-test-other.yml
     with:

.github/workflows/ci-ossf-scorecard.yml

@@ -1,57 +0,0 @@
-name: CI-ossf-scorecard
-on:
-  schedule:
-    - cron: '0 5 * * 1'
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: write
-
-    steps:
-      - name: 'Checkout code'
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          show-progress: false
-
-      - name: 'Run analysis'
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
-        with:
-          results_file: results.sarif
-          results_format: sarif
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
-          publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: 'Upload artifact'
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5
-        with:
-          sarif_file: results.sarif

.github/workflows/ci-update-dist.yml

@@ -3,73 +3,50 @@ name: CI-update-dist
 on:
   workflow_dispatch:
   push:
-    branches:
+    branches: 
     - 'main'
-    - 'prerelease/**'
     - 'release/**'
     paths-ignore:
     - 'dist/**'
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   update-dist:
-    # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
-    # it would erroneously update `dist` on their branch (and the pull request)
-    if: github.repository == 'gradle/actions'
-    permissions:
-      contents: write
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@v4
       with:
         token: ${{ secrets.BOT_GITHUB_TOKEN }}
 
     - name: Set up Node.js
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@v4
       with:
         node-version: 20
         cache: npm
         cache-dependency-path: sources/package-lock.json
 
-    - name: Install npm dependencies
-      run: |
-        npm clean-install
-      working-directory: sources
-
     - name: Build distribution
       run: |
+        npm clean-install
         npm run check
         npm run compile
       working-directory: sources
-      env:
-        NODE_OPTIONS: '-r @gradle-tech/develocity-agent/preload'
-        DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
-        DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'
-
+    
     - name: Copy the generated sources/dist directory to the top-level dist
       run: |
         cp -r sources/dist .
 
-    - name: Import GPG key to sign commits
-      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-      with:
-        gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
-        passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}
-        git_user_signingkey: true
-        git_commit_gpgsign: true
-        git_config_global: true
-
     # Commit and push changes; has no effect if the files did not change
     # Important: The push event will not trigger any other workflows, see
     # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
     - name: Commit & push changes
-      uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
+      # Only run for the Gradle repository; otherwise when users create pull requests from their `main` branch
+      # it would erroneously update `dist` on their branch (and the pull request)
+      if: github.repository == 'gradle/actions'
+      uses: stefanzweifel/git-auto-commit-action@v5
       with:
-        commit_author: bot-githubaction <bot-githubaction@gradle.com>
-        commit_user_name: bot-githubaction
-        commit_user_email: bot-githubaction@gradle.com
         commit_message: '[bot] Update dist directory'
         file_pattern: dist

.github/workflows/ci-validate-wrappers.yml

@@ -1,17 +0,0 @@
-name: CI-validate-wrappers
-
-on:
-  push:
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  validation:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
-        with:
-          allow-checksums: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

.github/workflows/demo-job-summary.yml

@@ -3,15 +3,12 @@ name: Demo Job Summary, for Gradle builds
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
@@ -20,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -62,7 +59,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -82,7 +79,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -103,7 +100,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/demo-pr-build-scan-comment.yml

@@ -4,25 +4,23 @@ on:
     types: [assigned, review_requested]
 
 permissions:
-  contents: read
+  pull-requests: write
 
 jobs:
   build-distribution:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
   successful-build-with-always-comment:
-    permissions:
-      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -36,13 +34,11 @@ jobs:
       run: ./gradlew build --scan
 
   successful-build-with-comment-on-failure:
-    permissions:
-      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -56,13 +52,11 @@ jobs:
       run: ./gradlew build --scan
 
   failing-build-with-comment-on-failure:
-    permissions:
-      pull-requests: write
     needs: build-distribution
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-build-scan-publish.yml

@@ -17,36 +17,25 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   build-scan-publish:
     strategy:
       fail-fast: false
       matrix:
-        gradle: ['current', '8.14.3', '7.6.2', '6.9.4', '5.6.4']
+        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        include:
-          - java-version: 17
-          - gradle: '8.14.3'
-            java-version: 11
-          - gradle: '7.6.2'
-            java-version: 11
-          - gradle: '6.9.4'
-            java-version: 11
-          - gradle: '5.6.4'
-            java-version: 11
-
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
-      with:
-        java-version: ${{ matrix.java-version }}
 
+    - name: Setup Java
+      uses: actions/setup-java@v4
+      with:
+        distribution: temurin
+        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -54,15 +43,15 @@ jobs:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         gradle-version: ${{ matrix.gradle }}
         build-scan-publish: true
-        build-scan-terms-of-use-url: 'https://gradle.com/terms-of-service'
-        build-scan-terms-of-use-agree: 'yes'
+        build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
+        build-scan-terms-of-use-agree: "yes"
     - name: Run Gradle build
       id: gradle
       working-directory: .github/workflow-samples/no-ge
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('No Build Scan detected')   

.github/workflows/integ-test-cache-cleanup.yml

@@ -18,9 +18,6 @@ env:
   # Requires a fresh cache entry each run
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
 
-permissions:
-  contents: read
-
 jobs:
   cache-cleanup-full-build:
     strategy:
@@ -31,7 +28,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -77,7 +74,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-caching-config.yml

@@ -17,9 +17,6 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   caching-config-seed-build:
     strategy:
@@ -30,11 +27,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
@@ -62,7 +58,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -91,7 +87,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -105,7 +101,7 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -115,7 +111,7 @@ jobs:
     runs-on: ubuntu-latest # This test only runs on Ubuntu
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -129,7 +125,7 @@ jobs:
       run: ./gradlew help
     - name: Check Build Scan url is captured
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -146,7 +142,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -170,7 +166,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-graph.yml

@@ -13,20 +13,20 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: write
+
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
-permissions:
-  contents: read
-
 jobs:
   dependency-graph-groovy-upload:
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -39,13 +39,11 @@ jobs:
       working-directory: .github/workflow-samples/groovy-dsl
 
   dependency-graph-groovy-submit:
-    permissions:
-      contents: write
     needs: [dependency-graph-groovy-upload]
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -57,12 +55,10 @@ jobs:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
 
   dependency-graph-kotlin-generate-and-submit:
-    permissions:
-      contents: write
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -75,12 +71,10 @@ jobs:
       working-directory: .github/workflow-samples/kotlin-dsl
 
   dependency-graph-multiple-builds:
-    permissions:
-      contents: write
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -118,12 +112,10 @@ jobs:
         fi
         
   dependency-graph-config-cache:
-    permissions:
-      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -153,40 +145,3 @@ jobs:
             ls -l dependency-graph-reports
             exit 1
         fi        
-
-  dependency-graph-generate-submit-and-upload:
-    permissions:
-      contents: write
-    runs-on: "ubuntu-latest"
-    steps:
-    - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-    - name: Initialize integ-test
-      uses: ./.github/actions/init-integ-test
-
-    - name: Setup Gradle for dependency-graph generate
-      uses: ./setup-gradle
-      with:
-        dependency-graph: generate-submit-and-upload
-    - name: Run gradle build
-      id: gradle-build
-      run: ./gradlew build
-      working-directory: .github/workflow-samples/groovy-dsl
-
-  dependency-graph-generate-submit-and-upload-check:
-    needs: [dependency-graph-generate-submit-and-upload]
-    runs-on: "ubuntu-latest"
-    steps:
-    - name: Download dependency-graph artifact
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
-      with:
-        path: downloaded-dependency-graphs
-        pattern: dependency-graph_*dependency-graph-generate-submit-and-upload.json
-    - name: Check for downloaded dependency graphs
-      shell: bash
-      run: |
-        ls -A "${{ github.workspace }}/downloaded-dependency-graphs"
-        if [ -z "$(ls -A "${{ github.workspace }}/downloaded-dependency-graphs")" ]; then
-          echo "No dependency graph files found"
-          exit 1
-        fi

.github/workflows/integ-test-dependency-submission-failures.yml

@@ -18,15 +18,12 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
-permissions:
-  contents: read
-
 jobs:
   dependency-submission-failures-failing-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -55,7 +52,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -63,7 +60,7 @@ jobs:
       id: gradle-build
       uses: ./dependency-submission
       with:
-        gradle-version: '7.0.1'
+        gradle-version: 7.0.1
         build-root-directory: .github/workflow-samples/groovy-dsl
       continue-on-error: true
     - name: Check step failed
@@ -86,7 +83,7 @@ jobs:
       contents: read
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-dependency-submission.yml

@@ -13,18 +13,16 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: write
+
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
   GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
-permissions:
-  contents: read
-
 jobs:
   dependency-submission-groovy-generate-and-upload:
-    permissions:
-      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -33,7 +31,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -47,8 +45,6 @@ jobs:
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
   dependency-submission-groovy-restore-cache:
-    permissions:
-      contents: write
     needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
       max-parallel: 1
@@ -58,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -71,8 +67,6 @@ jobs:
         GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
   dependency-submission-groovy-download-and-submit:
-    permissions:
-      contents: write
     needs: [dependency-submission-groovy-generate-and-upload]
     strategy:
       max-parallel: 1
@@ -82,7 +76,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -94,8 +88,6 @@ jobs:
         DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
 
   dependency-submission-kotlin-generate-and-submit:
-    permissions:
-      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -104,7 +96,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -114,8 +106,6 @@ jobs:
         build-root-directory: .github/workflow-samples/kotlin-dsl
 
   dependency-submission-multiple-builds:
-    permissions:
-      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -124,7 +114,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -162,8 +152,6 @@ jobs:
         fi
 
   dependency-submission-multiple-builds-upload:
-    permissions:
-      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -172,7 +160,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -188,12 +176,10 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   dependency-submission-config-cache:
-    permissions:
-      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -225,41 +211,23 @@ jobs:
         fi
 
   dependency-submission-gradle-versions:
-    permissions:
-      contents: write
     strategy:
       fail-fast: false
       matrix:
         os: ${{fromJSON(inputs.runner-os)}}
-        gradle: ['9.0.0', '8.14.3', '8.0.2', '7.6.4', '7.1.1', '6.9.4', '6.0.1', '5.6.4', '5.2.1']
+        gradle: [8.0.2, 7.6.4, 7.1.1, 6.9.4, 6.0.1, 5.6.4, 5.2.1]
         include:
-          - java-version: 17
-          - gradle: '8.14.3'
-            java-version: 11
-          - gradle: '8.0.2'
-            java-version: 11
-          - gradle: '7.6.4'
-            java-version: 11
-          - gradle: '7.1.1'
-            java-version: 11
-          - gradle: '6.9.4'
-            java-version: 11
-          - gradle: '6.0.1'
-            java-version: 11
-          - gradle: '5.6.4'
-            java-version: 11
+          - gradle: 5.6.4
             build-root-suffix: -gradle-5
-          - gradle: '5.2.1'
-            java-version: 11
+          - gradle: 5.2.1
             build-root-suffix: -gradle-5
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
-      with:
-        java-version: ${{ matrix.java-version }}
+
     - name: Generate and submit dependencies
       uses: ./dependency-submission
       with:
@@ -267,12 +235,10 @@ jobs:
         build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
 
   dependency-submission-with-setup-gradle:
-    permissions:
-      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -304,12 +270,10 @@ jobs:
         fi
 
   dependency-submission-with-includes-and-excludes:
-    permissions:
-      contents: write
     runs-on: ubuntu-latest # Test is not compatible with Windows
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -340,8 +304,6 @@ jobs:
 
 
   dependency-submission-custom-report-dir-submit:
-    permissions:
-      contents: write
     strategy:
       max-parallel: 1
       fail-fast: false
@@ -350,7 +312,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -377,12 +339,10 @@ jobs:
         fi
 
   dependency-submission-custom-report-dir-upload:
-    permissions:
-      contents: write
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -395,13 +355,11 @@ jobs:
         build-root-directory: .github/workflow-samples/groovy-dsl
 
   custom-report-dir-download-and-submit:
-    permissions:
-      contents: write
     needs: [dependency-submission-custom-report-dir-upload]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-detect-toolchains.yml

@@ -17,9 +17,6 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   # Test that pre-installed runner JDKs are detected
   detect-toolchains-pre-installed-jdks:
@@ -30,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -46,7 +43,7 @@ jobs:
       shell: bash
       working-directory: .github/workflow-samples/groovy-dsl
       run: | 
-        grep -q 'Eclipse Temurin JDK 8' output.txt || (echo "::error::Did not detect preinstalled JDK 8" && exit 1)
+        grep -q 'Eclipse Temurin JDK 1.8' output.txt || (echo "::error::Did not detect preinstalled JDK 1.8" && exit 1)
         grep -q 'Eclipse Temurin JDK 11' output.txt || (echo "::error::Did not detect preinstalled JDK 11" && exit 1)
         grep -q 'Eclipse Temurin JDK 17' output.txt || (echo "::error::Did not detect preinstalled JDK 17" && exit 1)
         grep -q 'Eclipse Temurin JDK 21' output.txt || (echo "::error::Did not detect preinstalled JDK 21" && exit 1)
@@ -60,20 +57,20 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
-    - name: Setup Java 16
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        distribution: 'temurin'
-        java-version: 16
     - name: Setup Java 20
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      uses: actions/setup-java@v4
       with:
         distribution: 'temurin'
         java-version: 20
+    - name: Setup Java 16
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: 16
     - name: Setup Gradle
       uses: ./setup-gradle
     - name: List detected toolchains
@@ -92,7 +89,7 @@ jobs:
       shell: bash
       working-directory: .github/workflow-samples/groovy-dsl
       run: | 
-        grep -q 'Eclipse Temurin JDK 8' output.txt || (echo "::error::Did not detect preinstalled JDK 8" && exit 1)
+        grep -q 'Eclipse Temurin JDK 1.8' output.txt || (echo "::error::Did not detect preinstalled JDK 1.8" && exit 1)
         grep -q 'Eclipse Temurin JDK 11' output.txt || (echo "::error::Did not detect preinstalled JDK 11" && exit 1)
         grep -q 'Eclipse Temurin JDK 17' output.txt || (echo "::error::Did not detect preinstalled JDK 17" && exit 1)
         grep -q 'Eclipse Temurin JDK 21' output.txt || (echo "::error::Did not detect preinstalled JDK 21" && exit 1)

.github/workflows/integ-test-inject-develocity.yml

@@ -20,46 +20,38 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   inject-develocity:
+    env:
+      DEVELOCITY_INJECTION_ENABLED: true
+      DEVELOCITY_URL: https://ge.solutions-team.gradle.com
+      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
+      ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
     strategy:
       fail-fast: false
       matrix:
-        gradle: ['current', '8.14.3', '7.6.2', '6.9.4', '5.6.4']
+        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: ['3.16.2', '4.2.2']
+        plugin-version: [3.16.2, 3.18.1]
         include:
-          - java-version: 17
-          - gradle: '8.14.3'
-            java-version: 11
-          - gradle: '7.6.2'
-            java-version: 11
-          - gradle: '6.9.4'
-            java-version: 11
-          - gradle: '5.6.4'
-            java-version: 11
-          - plugin-version: '3.16.2'
-            accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
-          - plugin-version: '4.2.2'
-            accessKeyEnv: DEVELOCITY_ACCESS_KEY
-    runs-on: ${{ matrix.os }}
-    env:
-      DEVELOCITY_INJECTION_ENABLED: true
-      DEVELOCITY_INJECTION_URL: https://ge.solutions-team.gradle.com
-      DEVELOCITY_INJECTION_DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_INJECTION_CCUD_PLUGIN_VERSION: '2.2.1'
-      ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+        - plugin-version: 3.16.2
+          accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY
+        - plugin-version: 3.18.1
+          accessKeyEnv: DEVELOCITY_ACCESS_KEY
 
+    runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
+
+    - name: Setup Java
+      uses: actions/setup-java@v4
       with:
-        java-version: ${{ matrix.java-version }}
+        distribution: temurin
+        java-version: 11
     - name: Setup Gradle
       id: setup-gradle
       uses: ./setup-gradle
@@ -72,7 +64,7 @@ jobs:
       run: gradle help
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('No Build Scan detected')
@@ -84,33 +76,26 @@ jobs:
   inject-develocity-with-access-key:
     env:
       DEVELOCITY_INJECTION_ENABLED: true
-      DEVELOCITY_INJECTION_URL: 'https://ge.solutions-team.gradle.com'
-      DEVELOCITY_INJECTION_DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_INJECTION_CCUD_PLUGIN_VERSION: '2.2.1'
+      DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
+      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
     strategy:
       fail-fast: false
       matrix:
-        gradle: ['current', '8.14.3', '7.6.2', '6.9.4', '5.6.4']
+        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: ['3.16.2', '4.2.2']
-        include:
-          - java-version: 17
-          - gradle: '8.14.3'
-            java-version: 11
-          - gradle: '7.6.2'
-            java-version: 11
-          - gradle: '6.9.4'
-            java-version: 11
-          - gradle: '5.6.4'
-            java-version: 11
+        plugin-version: [3.16.2, 3.18.1]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
+      - name: Setup Java
+        uses: actions/setup-java@v4
         with:
-          java-version: ${{ matrix.java-version }}
+          distribution: temurin
+          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -129,7 +114,7 @@ jobs:
         run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v7
         with:
           script: |
             core.setFailed('No Build Scan detected')
@@ -137,41 +122,34 @@ jobs:
   inject-develocity-short-lived-token-failed:
     env:
       DEVELOCITY_INJECTION_ENABLED: true
-      DEVELOCITY_INJECTION_URL: 'https://localhost:3333/'
-      DEVELOCITY_INJECTION_DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
-      DEVELOCITY_INJECTION_CCUD_PLUGIN_VERSION: '2.1'
+      DEVELOCITY_URL: 'https://localhost:3333/'
+      DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
+      DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
       # Access key also set as an env var, we want to check it does not leak
       GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
       DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
     strategy:
       fail-fast: false
       matrix:
-        gradle: ['current', '8.14.3', '7.6.2', '6.9.4', '5.6.4']
+        gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ '3.16.2', '4.2.2' ]
-        include:
-          - java-version: 17
-          - gradle: '8.14.3'
-            java-version: 11
-          - gradle: '7.6.2'
-            java-version: 11
-          - gradle: '6.9.4'
-            java-version: 11
-          - gradle: '5.6.4'
-            java-version: 11
+        plugin-version: [ 3.16.2, 3.18.1 ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
         with:
-          java-version: ${{ matrix.java-version }}
+          distribution: temurin
+          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
         with:
-          gradle-version: ${{ matrix.gradle }}
           cache-read-only: false # For testing, allow writing cache entries on non-default branches
           develocity-access-key: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
       - name: Run Gradle build
@@ -189,27 +167,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        gradle: ['current', '8.14.3', '7.6.2', '6.9.4', '5.6.4']
+        gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
         os: ${{fromJSON(inputs.runner-os)}}
-        plugin-version: [ '3.16.2', '4.2.2' ]
-        include:
-          - java-version: 17
-          - gradle: '8.14.3'
-            java-version: 11
-          - gradle: '7.6.2'
-            java-version: 11
-          - gradle: '6.9.4'
-            java-version: 11
-          - gradle: '5.6.4'
-            java-version: 11
+        plugin-version: [ 3.16.2, 3.18.1 ]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
       - name: Initialize integ-test
         uses: ./.github/actions/init-integ-test
+      - name: Setup Java
+        uses: actions/setup-java@v4
         with:
-          java-version: ${{ matrix.java-version }}
+          distribution: temurin
+          java-version: 8
       - name: Setup Gradle
         id: setup-gradle
         uses: ./setup-gradle
@@ -225,7 +196,7 @@ jobs:
         run: gradle help
       - name: Check Build Scan url
         if: ${{ !steps.gradle.outputs.build-scan-url }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v7
         with:
           script: |
             core.setFailed('No Build Scan detected')

.github/workflows/integ-test-provision-gradle-versions.yml

@@ -18,9 +18,6 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 
-permissions:
-  contents: read
-
 jobs:   
   # Tests for executing with different Gradle versions. 
   # Each build verifies that it is executed with the expected Gradle version.
@@ -33,33 +30,25 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
-      with:
-        java-version: '11'
 
     - name: Setup Gradle with v6.9
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
-        gradle-version: '6.9'
+        gradle-version: 6.9
     - name: Test uses Gradle v6.9
       working-directory: .github/workflow-samples/no-wrapper
       run: gradle help "-DgradleVersionCheck=6.9"
     - name: Setup Gradle with v7.1.1
       uses: ./setup-gradle
       with:
-        gradle-version: '7.1.1'
+        gradle-version: 7.1.1
     - name: Test uses Gradle v7.1.1
       working-directory: .github/workflow-samples/no-wrapper
       run: gradle help "-DgradleVersionCheck=7.1.1"
-    # Configure JDK 17 for Gradle 9 and later
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        distribution: temurin
-        java-version: 17
     - name: Setup Gradle with release-candidate
       uses: ./setup-gradle
       with:
@@ -76,41 +65,39 @@ jobs:
       working-directory: .github/workflow-samples/no-wrapper
       run: gradle help
     - name: Check current version output parameter
-      if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '9.') }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
-
+  
   provision-gradle-version:
     strategy:
       fail-fast: false
       matrix:
-        gradle: ['9.0.0', '8.14.2', '8.12', '8.12-rc-1', '8.9', '8.1', '7.6.4', '6.9.4', '5.6.4', '4.10.3', '3.5.1']
+        gradle: ["8.10", 8.9, 8.1, 7.6.4, 6.9.4, 5.6.4, 4.10.3, 3.5.1]
         os: ${{fromJSON(inputs.runner-os)}}
         include:
           - java-version: 11
-          - gradle: '9.0.0'
-            java-version: 17
-          - gradle: '5.6.4'
+          - gradle: 5.6.4
             build-root-suffix: -gradle-5
-          - gradle: '4.10.3'
+          - gradle: 4.10.3
             build-root-suffix: -gradle-4
-          - gradle: '3.5.1'
+          - gradle: 3.5.1
             build-root-suffix: -gradle-4
             java-version: 8
         exclude:
           - os: macos-latest # Java 8 is not supported on macos-latest, so we cannot test Gradle 3.5.1
-            gradle: '3.5.1'
+            gradle: 3.5.1
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
     - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      uses: actions/setup-java@v4
       with:
         distribution: temurin
         java-version: ${{ matrix.java-version }}
@@ -122,7 +109,7 @@ jobs:
         gradle-version: ${{ matrix.gradle }}
     - name: Check output parameter
       if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
@@ -132,7 +119,7 @@ jobs:
       run: gradle help "-DgradleVersionCheck=${{matrix.gradle}}"
     - name: Check Build Scan url
       if: ${{ !steps.gradle.outputs.build-scan-url }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      uses: actions/github-script@v7
       with:
         script: |
           core.setFailed('No Build Scan detected')    

.github/workflows/integ-test-restore-configuration-cache.yml

@@ -20,9 +20,6 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   restore-cc-seed-build-groovy:
     env:
@@ -35,16 +32,22 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
@@ -62,16 +65,22 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false
         cache-cleanup: on-success
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -98,15 +107,21 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Groovy build with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/groovy-dsl
@@ -133,10 +148,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle with no extracted cache entries restored
       uses: ./setup-gradle
       env: 
@@ -144,6 +164,7 @@ jobs:
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Check execute Gradle build with configuration cache enabled (but not restored)
       working-directory: .github/workflow-samples/groovy-dsl
       run: gradle test --configuration-cache
@@ -159,16 +180,22 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-write-only: true # Ensure we start with a clean cache entry
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Execute 'help' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle help --configuration-cache
@@ -186,15 +213,21 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Execute 'test' with configuration-cache enabled
       working-directory: .github/workflow-samples/kotlin-dsl
       run: gradle test --configuration-cache
@@ -213,15 +246,21 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
+    - name: Setup Java to ensure consistency
+      uses: actions/setup-java@v4
+      with:
+        distribution: 'liberica'
+        java-version: 17
     - name: Setup Gradle
       uses: ./setup-gradle
       with:
         cache-read-only: true
         cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
     - name: Execute 'test' again with configuration-cache enabled
       id: execute
       working-directory: .github/workflow-samples/kotlin-dsl

.github/workflows/integ-test-restore-containerized-gradle-home.yml

@@ -14,16 +14,13 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   restore-containerized-seed-build:
     runs-on: ubuntu-latest
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -42,7 +39,7 @@ jobs:
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-custom-gradle-home.yml

@@ -14,15 +14,12 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   restore-custom-gradle-home-seed-build:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -44,7 +41,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -66,7 +63,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-gradle-home.yml

@@ -18,9 +18,6 @@ env:
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
   GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
 
-permissions:
-  contents: read
-
 jobs:
   restore-gradle-home-seed-build:
     strategy:
@@ -31,7 +28,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -54,7 +51,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -77,7 +74,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -100,7 +97,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -125,7 +122,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-restore-java-toolchain.yml

@@ -17,9 +17,6 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   restore-java-toolchain-seed-build:
     strategy:
@@ -30,11 +27,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
-      with:
-        java-version: '17'
 
     - name: Setup Gradle
       uses: ./setup-gradle
@@ -55,11 +50,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
-      with:
-        java-version: '17'
 
     - name: Setup Gradle
       uses: ./setup-gradle

.github/workflows/integ-test-sample-gradle-plugin.yml

@@ -17,9 +17,6 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   sample-gradle-plugin-seed-build:
     strategy:
@@ -30,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-sample-kotlin-dsl.yml

@@ -17,9 +17,6 @@ env:
   SKIP_DIST: ${{ inputs.skip-dist }}
   GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
 
-permissions:
-  contents: read
-
 jobs:
   sample-kotlin-dsl-seed-build:
     strategy:
@@ -30,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -52,7 +49,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 

.github/workflows/integ-test-wrapper-validation.yml

@@ -13,9 +13,6 @@ on:
 env:
   SKIP_DIST: ${{ inputs.skip-dist }}
 
-permissions:
-  contents: read
-
 jobs:
   wrapper-validation-setup-gradle:
     strategy:
@@ -25,7 +22,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -48,7 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -77,7 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -110,7 +107,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@v4
     - name: Initialize integ-test
       uses: ./.github/actions/init-integ-test
 
@@ -140,7 +137,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.2.2 # Checkout the repository with no wrappers
+      uses: actions/checkout@v4 # Checkout the repository with no wrappers
       with:
         sparse-checkout: |
           .github/actions

.github/workflows/suite-integ-test-caching.yml

@@ -10,9 +10,6 @@ on:
         type: boolean
         default: false
 
-permissions:
-  contents: read
-
 jobs:
   cache-cleanup:
     uses: ./.github/workflows/integ-test-cache-cleanup.yml

.github/workflows/suite-integ-test-other.yml

@@ -10,9 +10,6 @@ on:
         type: boolean
         default: false
 
-permissions:
-  contents: read
-
 jobs:
   build-scan-publish:
     uses: ./.github/workflows/integ-test-build-scan-publish.yml

.github/workflows/update-checksums-file.js

@@ -7,7 +7,7 @@
 
 // @ts-check
 
-const httpm = require('../../sources/node_modules/@actions/http-client')
+const httpm = require('../../sources/node_modules/typed-rest-client/HttpClient')
 
 const path = require('path')
 const fs = require('fs')

.github/workflows/update-checksums-file.yml

@@ -7,22 +7,20 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
   update-checksums:
-    permissions:
-      contents: write
-      pull-requests: write
     name: Update checksums
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        uses: actions/setup-node@v4
         with:
           node-version: 20
           cache: npm
@@ -30,29 +28,18 @@ jobs:
 
       - name: Install dependencies
         run: |
-          npm clean-install typed-rest-client@1.8.11 --no-save
+          npm install typed-rest-client@1.8.11 --no-save
         working-directory: sources
 
       - name: Update checksums file
         run: node ../.github/workflows/update-checksums-file.js
         working-directory: sources
 
-      - name: Import GPG key to sign commits
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-          git_config_global: true
-
       # If there are no changes, this action will not create a pull request
       - name: Create or update pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@v7
         with:
           branch: bot/wrapper-checksums-update
-          author: bot-githubaction <bot-githubaction@gradle.com>
-          committer: bot-githubaction <bot-githubaction@gradle.com>
           commit-message: Update known wrapper checksums
           title: Update known wrapper checksums
           # Note: Unfortunately this action cannot trigger the regular workflows for the PR automatically, see

CONTRIBUTING.md

@@ -3,9 +3,8 @@
 The `build` script in the project root provides a convenient way to perform many local build tasks:
 1. `./build` will lint and compile typescript sources
 2. `./build all` will lint and compile typescript and run unit tests
-3. `./build install` will install npm packages followed by lint and compile
-4. `./build init-scripts` will run the init-script integration tests
-5. `./build act <act-commands>` will run `act` after building local changes (see below)
+3. `./build init-scripts` will run the init-script integration tests
+4. `./build act <act-commands>` will run `act` after building local changes (see below)
 
 ## Using `act` to run integ-test workflows locally
 

README.md

@@ -1,7 +1,5 @@
 # GitHub Actions for Gradle builds
 
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/gradle/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/gradle/actions)
-
 This repository contains a set of GitHub Actions that are useful for building Gradle projects on GitHub.
 
 ## The `setup-gradle` action
@@ -32,7 +30,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
     - name: Build with Gradle
       run: ./gradlew build
 ```
@@ -70,7 +68,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
 ```
 
 See the [full action documentation](docs/dependency-submission.md) for more advanced usage scenarios.
@@ -99,7 +97,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v5
+      - uses: gradle/actions/wrapper-validation@v4
 ```
 
 See the [full action documentation](docs/wrapper-validation.md) for more advanced usage scenarios.

RELEASING.md

@@ -11,17 +11,16 @@
   - Note: The gradle actions follow the GitHub Actions convention of including a .0 patch number for the first release of a minor version, unlike the Gradle convention which omits the trailing .0.
 
 ## Release gradle/actions
-- Create a tag for the release. The tag should have the format `v5.0.0`
-  - From CLI: `git tag -s -m "v5.0.0" v5.0.0 && git push --tags`
-  - Note that we sign the tag and set the commit message for the tag to the newly released version.
+- Create a tag for the release. The tag should have the format `v4.1.0`
+  - From CLI: `git tag v4.1.0 && git push --tags`
 - Go to https://github.com/gradle/actions/releases and "Draft new release"
   - Use the newly created tag and copy the tag name exactly as the release title.
   - Craft release notes content based on issues closed, PRs merged and commits
   - Include a Full changelog link in the format https://github.com/gradle/actions/compare/v2.12.0...v3.0.0
 - Publish the release.
-- Force push the `v5` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
-  - From CLI: `git tag -f -s -a -m "v5.0.0" v5 v5.0.0 && git push -f --tags`
-  - Note that we sign the tag and set the commit message for the tag to the newly released version.
+- Force push the `v4` tag (or current major version) to point to the new release. It is conventional for users to bind to a major release version using this tag.
+  - From CLI: `git tag -f -a -m "v4.0.0" v4 v4.0.0 && git push -f --tags`
+  - Note that we set the commit message for the tag to the newly released version.
 
 ## Post release steps
 

build

@@ -2,18 +2,14 @@
 
 cd sources
 
-if [[ -f ~/.gradle/develocity/keys.properties ]]; then
-    export NODE_OPTIONS='-r @gradle-tech/develocity-agent/preload'
-    export DEVELOCITY_URL=https://ge.solutions-team.gradle.com
-    export DEVELOCITY_ACCESS_KEY=$(paste -sd ';' ~/.gradle/develocity/keys.properties)
-fi
-
 case "$1" in
     all)
+        npm clean-install
         npm run all
         ;;
     act)
         # Build and copy outputs to the dist directory
+        npm install
         npm run build
         cd ..
         cp -r sources/dist .
@@ -22,25 +18,18 @@ case "$1" in
         # Revert the changes to the dist directory
         git checkout -- dist
         ;;
-    dist)
-        npm clean-install
-        npm run build
-        cd ..
-        cp -r sources/dist .
-        ;;
     init-scripts)
         cd test/init-scripts
         ./gradlew check
         ;;
-    install)
-        npm clean-install
+    dist)
+        npm install
         npm run build
-        ;;
-    test)
-        shift
-        npm test -- $@
+        cd ..
+        cp -r sources/dist .
         ;;
     *)
+        npm install
         npm run build
         ;;
 esac

dependency-submission/README.md

@@ -29,7 +29,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
 ```
 
 See the [full action documentation](../docs/dependency-submission.md) for more advanced usage scenarios.

dependency-submission/action.yml

@@ -96,20 +96,17 @@ inputs:
   # Dependency Graph configuration
   dependency-graph:
     description: |
-      Specifies how the dependency-graph should be handled by this action. 
-      By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
+      Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
       Valid values are:
-        'generate-and-submit': Generates a dependency graph for the project and submits it in the same Job.
-        'generate-submit-and-upload (default)': As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
-        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
+        'generate-and-submit' (default): Generates a dependency graph for the project and submits it in the same Job.
+        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact.
         'download-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.
 
-      Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
       The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
       where the workflow generating the dependency-graph cannot (or should not) be given the `contents: write` permissions
       required to submit via the Dependency Submission API.
     required: false
-    default: 'generate-submit-and-upload'
+    default: 'generate-and-submit'
 
   dependency-graph-report-dir:
     description: |
@@ -150,6 +147,7 @@ inputs:
   artifact-retention-days:
     description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
     required: false
+    default: 1
 
   # Build Scan configuration
   build-scan-publish:
@@ -222,7 +220,7 @@ outputs:
     description: Version of Gradle that was setup by the action
 
 runs:
-  using: 'node24'
+  using: 'node20'
   main: '../dist/dependency-submission/main/index.js'
   post: '../dist/dependency-submission/post/index.js'
 

docs/dependency-submission.md

@@ -43,7 +43,7 @@ jobs:
         java-version: 17
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
 ```
 
 ### Gradle execution
@@ -68,7 +68,7 @@ Three input parameters are required, one to enable publishing and two more to ac
 
 ```yaml
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
       with:
         build-scan-publish: true
         build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
@@ -83,10 +83,10 @@ In some cases, the default action configuration will not be sufficient, and addi
 
 ```yaml
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
       with:
         # Use a particular Gradle version instead of the configured wrapper.
-        gradle-version: '8.6'
+        gradle-version: 8.6
 
         # The gradle project is not in the root of the repository.
         build-root-directory: my-gradle-project
@@ -103,9 +103,6 @@ In some cases, the default action configuration will not be sufficient, and addi
         # Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
         dependency-graph: generate-and-upload
 
-        # Change the number of days that workflow artifacts are retained. (Default is 30 days).
-        artifact-retention-days: 5
-
         # Specify the location where dependency graph files will be generated.
         dependency-graph-report-dir: custom-report-dir
 
@@ -121,29 +118,6 @@ The `GitHub Dependency Graph Gradle Plugin` can be further
 These will be automatically set by the `dependency-submission` action, but you may override these values 
 by setting them explicitly in your workflow file.
 
-### Reducing storage costs for saved dependency graph artifacts
-
-By default, the dependency graph that is generated is stored as a workflow artifact.
-To reduce storage costs for these artifacts, you can:
-
-1. Set the `artifact-retention-days`:
-
-```yaml
-    - name: Generate dependency graph but only store workflow artifacts for 1 day
-      uses: gradle/actions/dependency-submission@v5
-      with:
-        artifact-retention-days: 1 # Default is 30 days or as configured for repository
-```
-
-2. Disable storing dependency-graph artifacts using `generate-and-submit`
-
-```yaml
-    - name: Generate and submit dependency graph but do not store as workflow artifact
-      uses: gradle/actions/dependency-submission@v5
-      with:
-        dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
-```
-
 # Resolving a dependency vulnerability
 
 ## Finding the source of a dependency vulnerability
@@ -299,10 +273,10 @@ For example, if you want to exclude dependencies resolved by the `buildSrc` proj
 
 ```yaml
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
       with:
         # Exclude all dependencies that originate solely in the 'buildSrc' project
-        dependency-graph-exclude-projects: ':buildSrc'
+        dependency-graph-exclude-projets: ':buildSrc'
         # Exclude dependencies that are only resolved in test classpaths
         dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath'
 ```
@@ -321,19 +295,12 @@ The GitHub [dependency-review-action](https://github.com/actions/dependency-revi
 understand dependency changes (and the security impact of these changes) for a pull request,
 by comparing the dependency graph for the pull-request with that of the HEAD commit.
 
-Integrating the Dependency Review Action requires 2 changes to your workflows:
-
-#### 1. Add a `pull_request` trigger to your existing Dependency Submission workflow.
-
-In order to perform Dependency Review on a pull request, the dependency graph must be submitted for the pull request.
-To do this, simply add a `pull_request` trigger to your existing dependency submission workflow.
+Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
 
 ```yaml
-name: Dependency Submission
+name: Dependency review for pull requests
 
 on:
-  push:
-    branches: [ 'main' ]
   pull_request:
 
 permissions:
@@ -350,38 +317,12 @@ jobs:
         java-version: 17
 
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
-```
+      uses: gradle/actions/dependency-submission@v4
 
-#### 2. Add a dedicated Dependency Review workflow
-
-The Dependency Review workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
-submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
-
-Here's an example of a separate "Dependency Review" workflow that will wait up to 10 minutes for dependency submission to complete.
-
-```yaml
-name: Dependency Review
-
-on:
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    steps:
-    - name: 'Dependency Review'
+    - name: Perform dependency review
       uses: actions/dependency-review-action@v4
-      with:
-        retry-on-snapshot-warnings: true
-        retry-on-snapshot-warnings-timeout: 600
 ```
 
-The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the modified dependency-submission workflow to complete.
-
 ## Usage with pull requests from public forked repositories
 
 This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
@@ -412,7 +353,7 @@ jobs:
         java-version: 17
 
     - name: Generate and save dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
       with:
         dependency-graph: generate-and-upload
 ```
@@ -435,11 +376,41 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download and submit dependency graph
-      uses: gradle/actions/dependency-submission@v5
+      uses: gradle/actions/dependency-submission@v4
       with:
         dependency-graph: download-and-submit # Download saved dependency-graph and submit
 ```
 
+### Integrating `dependency-review-action` for pull requests from public forked repositories
+
+To integrate the `dependency-review-action` into the pull request workflows above, a third workflow file is required.
+This workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
+submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
+
+Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the above PR check workflow to complete.
+
+```yaml
+name: dependency-review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+    - name: 'Dependency Review'
+      uses: actions/dependency-review-action@v4
+      with:
+        retry-on-snapshot-warnings: true
+        retry-on-snapshot-warnings-timeout: 600
+```
+
+The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
+
 # Gradle version compatibility
 
 Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against 

docs/deprecation-upgrade-guide.md

@@ -20,7 +20,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/setup-gradle@v5
+    uses: gradle/actions/setup-gradle@v4
 ```
 
 ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
@@ -40,7 +40,7 @@ To convert your workflows, simply replace:
 ```
 with
 ```
-    uses: gradle/actions/wrapper-validation@v5
+    uses: gradle/actions/wrapper-validation@v4
 ```
 
 ## Using the action to execute Gradle via the `arguments` parameter is deprecated
@@ -82,7 +82,7 @@ The exact syntax depends on whether or not your project is configured with the [
 
 ```
 - name: Setup Gradle
-  uses: gradle/actions/setup-gradle@v5
+  uses: gradle/actions/setup-gradle@v4
 
 - name: Assemble the project
   run: ./gradlew assemble
@@ -99,9 +99,9 @@ The exact syntax depends on whether or not your project is configured with the [
 
 ```
 - name: Setup Gradle for a non-wrapper project
-  uses: gradle/actions/setup-gradle@v5
+  uses: gradle/actions/setup-gradle@v4
   with:
-    gradle-version: '8.11'
+    gradle-version: "8.10"
 
 - name: Assemble the project
   run: gradle assemble

docs/setup-gradle.md

@@ -45,7 +45,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
 
     - name: Execute Gradle build
       run: ./gradlew build
@@ -58,9 +58,9 @@ Downloaded Gradle versions are stored in the GitHub Actions cache, to avoid havi
 
 ```yaml
  - name: Setup Gradle 8.10
-   uses: gradle/actions/setup-gradle@v5
+   uses: gradle/actions/setup-gradle@v4
    with:
-     gradle-version: '8.10' # Quotes required to prevent YAML converting to number
+     gradle-version: "8.10" # Quotes required to prevent YAML converting to number
   - name: Build with Gradle 8.10
     run: gradle build
 ```
@@ -96,7 +96,7 @@ jobs:
         distribution: temurin
         java-version: 17
 
-    - uses: gradle/actions/setup-gradle@v5
+    - uses: gradle/actions/setup-gradle@v4
       id: setup-gradle
       with:
         gradle-version: release-candidate
@@ -127,8 +127,6 @@ cache-disabled: true
 
 By default, The `setup-gradle` action will only write to the cache from Jobs on the default (`main`/`master`) branch.
 Jobs on other branches will read entries from the cache but will not write updated entries.
-
-This setup is designed around [GitHub imposed restrictions on cache access](https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) and should work well in most scenarios.
 See [Optimizing cache effectiveness](#select-which-branches-should-write-to-the-cache) for a more detailed explanation.
 
 In some circumstances, it makes sense to change this default and configure a workflow Job to read existing cache entries but not to write changes back.
@@ -198,9 +196,6 @@ When Gradle is executed with the [configuration-cache](https://docs.gradle.org/c
 in the project directory, at `<project-dir>/.gradle/configuration-cache`. Due to the way the configuration-cache works, [this file may contain stored credentials and other
 secrets](https://docs.gradle.org/release-nightly/userguide/configuration_cache.html#config_cache:secrets), and this data needs to be encrypted to be safely stored in the GitHub Actions cache.
 
-> [!IMPORTANT]
-> To avoid potentially leaking secrets in the configuration-cache entry, the action will only save or restore configuration-cache data if the `cache-encryption-key` parameter is set.
-
 To benefit from configuration caching in your GitHub Actions workflow, you must:
 - Execute your build with Gradle 8.6 or newer. This can be achieved directly or via the Gradle Wrapper.
 - Enable the configuration cache for your build.
@@ -218,17 +213,14 @@ jobs:
         distribution: temurin
         java-version: 17
 
-    - uses: gradle/actions/setup-gradle@v5
+    - uses: gradle/actions/setup-gradle@v4
       with:
-        gradle-version: '8.6'
-        cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+        gradle-version: 8.6
+        cache-encryption-key: ${{ secrets.GradleEncryptionKey }}
     - run: gradle build --configuration-cache
 ```
 
-Even with everything correctly configured, you may find that the configuration-cache entry is not reused in your workflow.
-This is often due to a known issue: [Included builds containing build logic prevent configuration-cache reuse](https://github.com/gradle/actions/issues/21). Refer to the issue for more details.
-
-> [!NOTE]
+> [!IMPORTANT]
 > The configuration cache cannot be saved or restored in workflows triggered by a pull requests from a repository fork.
 > This is because [GitHub secrets are not passed to workflows triggered by PRs from forks](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow).
 > This prevents a malicious PR from reading the configuration-cache data, which may encode secrets read by Gradle.
@@ -438,15 +430,6 @@ so that a Job Summary is never generated, or so that a Job Summary is only gener
 add-job-summary: 'on-failure' # Valid values are 'always' (default), 'never', and 'on-failure'
 ```
 
-### Excluding specific Gradle builds from Job Summary
-
-The Job Summary works by installing an init-script in Gradle User Home which will record details of any Gradle execution during the workflow.
-This means that any Gradle excecution sharing the same Gradle User Home will show up in the Job Summary, which may include Gradle executions 
-run as part of integration testing.
-
-To avoid having these test builds show up in the Job Summary, add the `GRADLE_ACTIONS_SKIP_BUILD_RESULT_CAPTURE=true` environment variable
-to the process that executes Gradle. This will stop the init-script from collecting any build results.
-
 ### Adding Job Summary as a Pull Request comment
 
 It is sometimes more convenient to view the results of a GitHub Actions Job directly from the Pull Request that triggered
@@ -472,9 +455,9 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
-        add-job-summary-as-pr-comment: 'on-failure' # Valid values are 'never' (default), 'always', and 'on-failure'
+        add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure'
 
     - run: ./gradlew build --scan
 ```
@@ -509,7 +492,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
 
     - name: Run build with Gradle wrapper
       run: ./gradlew build --scan
@@ -519,7 +502,7 @@ jobs:
       if: always()
       with:
         name: build-reports
-        path: **/build/reports/
+        path: build/reports/
 ```
 
 ### Use of custom init-scripts in Gradle User Home
@@ -540,7 +523,7 @@ If you do not want wrapper-validation to occur automatically, you can disable it
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         validate-wrappers: false
 ```
@@ -552,7 +535,7 @@ These are not allowed by default.
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         validate-wrappers: true
         allow-snapshot-wrappers: true
@@ -617,7 +600,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate-and-submit
     - name: Run the usual CI build (dependency-graph will be generated and submitted post-job)
@@ -644,7 +627,7 @@ graph cannot be generated or submitted. You can enable this behavior with the `d
 
 ```yaml
 # Ensure that the workflow Job will fail if the dependency graph cannot be submitted
-- uses: gradle/actions/setup-gradle@v5
+- uses: gradle/actions/setup-gradle@v4
   with:
     dependency-graph: generate-and-submit
     dependency-graph-continue-on-failure: false
@@ -669,13 +652,13 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate-and-submit
     - name: Run a build, resolving the 'dependency-graph' plugin from the plugin portal proxy
       run: ./gradlew build
       env:
-        GRADLE_PLUGIN_REPOSITORY_URL: 'https://gradle-plugins-proxy.mycorp.com'
+        GRADLE_PLUGIN_REPOSITORY_URL: "https://gradle-plugins-proxy.mycorp.com"
 
         # Set the following variables if your custom plugin repository requires authentication
         # GRADLE_PLUGIN_REPOSITORY_USERNAME: "username"
@@ -699,7 +682,7 @@ jobs:
         java-version: 17
 
     - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         dependency-graph: generate-and-submit
     - name: Build the app, generating a graph of dependencies required
@@ -727,6 +710,20 @@ A known exception to this is that Gradle `7.0`, `7.0.1`, and `7.0.2` are not sup
 
 See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
 
+### Reducing storage costs for saved dependency graph artifacts
+
+When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact.
+By default, these artifacts are retained for 30 days (or as configured for the repository).
+To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number.
+
+```yaml
+    - name: Generate dependency graph, but only retain artifact for one day
+      uses: gradle/actions/setup-gradle@v4
+      with:
+        dependency-graph: generate
+        artifact-retention-days: 1
+```
+
 # Develocity Build Scan® integration
 
 Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a
@@ -743,19 +740,16 @@ To publish to https://scans.gradle.com, you must specify in your workflow that y
 
 ```yaml
     - name: Setup Gradle to publish build scans
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         build-scan-publish: true
-        build-scan-terms-of-use-url: 'https://gradle.com/terms-of-service'
-        build-scan-terms-of-use-agree: 'yes'
+        build-scan-terms-of-use-url: "https://gradle.com/terms-of-service"
+        build-scan-terms-of-use-agree: "yes"
 
     - name: Run a Gradle build - a build scan will be published automatically
       run: ./gradlew build
 ```
 
-If your build is configured to [publish on demand](https://docs.gradle.com/develocity/gradle-plugin/current/#publishing_on_demand) 
-using `onlyIf { false }`, setting `build-scan-publish: true` will not force a scan to be published.
-
 ## Managing Develocity access keys
 
 Develocity access keys are long-lived, creating risks if they are leaked. To mitigate this risk this, 
@@ -765,7 +759,7 @@ The short-lived access token will then be used wherever a Develocity access key
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }} # Long-lived access key, visiblility is restricted to this step.
 
@@ -783,10 +777,10 @@ To avoid this, use the `develocity-token-expiry` parameter to specify a differen
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
-        develocity-token-expiry: '8' # The number of hours that the access token should remain valid (max 24).
+        develocity-token-expiry: 8 # The number of hours that the access token should remain valid (max 24).
 ```
 
 ### Develocity access key supplied as environment variable
@@ -805,7 +799,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
 
     # The build will automatically use a short-lived access token to authenticate with Develocity
     - name: Run a Gradle build that is configured to publish to Develocity.
@@ -837,33 +831,33 @@ Here's a minimal example:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         develocity-injection-enabled: true
-        develocity-url: 'https://develocity.your-server.com'
-        develocity-plugin-version: '4.0'
+        develocity-url: https://develocity.your-server.com
+        develocity-plugin-version: 3.17.5
 
     - name: Run a Gradle build with Develocity injection enabled
       run: ./gradlew build
 ```
 
-This configuration will automatically apply `v4.2.2` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
+This configuration will automatically apply `v3.18.1` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com.
 
 This example assumes that the `develocity.your-server.com` server allows anonymous publishing of build scans.
 In the likely scenario that your Develocity server requires authentication, you will also need to pass a valid [Develocity access key](https://docs.gradle.com/develocity/gradle-plugin/#via_environment_variable) taken from a secret:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
       with:
         develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }}
 
     - name: Run a Gradle build with Develocity injection enabled
       run: ./gradlew build
-      with:
-        develocity-injection-enabled: true
-        develocity-url: 'https://develocity.your-server.com'
-        develocity-plugin-version: '4.0'
+      env:
+        DEVELOCITY_INJECTION_ENABLED: true
+        DEVELOCITY_URL: https://develocity.your-server.com
+        DEVELOCITY_PLUGIN_VERSION: 3.17
 ```
 
 This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable.
@@ -873,7 +867,7 @@ This access key will be used during the action execution to get a short-lived to
 The `init-script` supports several additional configuration parameters that you may find useful. All configuration options (required and optional) are detailed below:
 
 | Variable                             | Required | Description                                                                                                                                                             |
-|--------------------------------------| :---: |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|--------------------------------------| --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | develocity-injection-enabled         | :white_check_mark: | enables Develocity injection                                                                                                                                            |
 | develocity-url                       | :white_check_mark: | the URL of the Develocity server                                                                                                                                        |
 | develocity-allow-untrusted-server    | | allow communication with an untrusted server; set to _true_ if your Develocity instance is using a self-signed certificate                                              |
@@ -887,34 +881,34 @@ The `init-script` supports several additional configuration parameters that you
 
 The input parameters can be expressed as environment variables following the relationships outlined in the table below:
 
-| Input                                | Environment Variable                           |
-|--------------------------------------|------------------------------------------------|
-| develocity-injection-enabled         | DEVELOCITY_INJECTION_ENABLED                   |
-| develocity-url                       | DEVELOCITY_INJECTION_URL                       |
-| develocity-enforce-url               | DEVELOCITY_INJECTION_ENFORCE_URL               |
-| develocity-allow-untrusted-server    | DEVELOCITY_INJECTION_ALLOW_UNTRUSTED_SERVER    |
-| develocity-capture-file-fingerprints | DEVELOCITY_INJECTION_CAPTURE_FILE_FINGERPRINTS |
-| develocity-plugin-version            | DEVELOCITY_INJECTION_DEVELOCITY_PLUGIN_VERSION |
-| develocity-ccud-plugin-version       | DEVELOCITY_INJECTION_CCUD_PLUGIN_VERSION       |
-| gradle-plugin-repository-url         | DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_URL     |
-| gradle-plugin-repository-username    | DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_USERNAME|
-| gradle-plugin-repository-password    | DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_PASSWORD|
+| Input                                | Environment Variable                 |
+|--------------------------------------|--------------------------------------|
+| develocity-injection-enabled         | DEVELOCITY_INJECTION_ENABLED         |
+| develocity-url                       | DEVELOCITY_URL                       |
+| develocity-allow-untrusted-server    | DEVELOCITY_ALLOW_UNTRUSTED_SERVER    |
+| develocity-capture-file-fingerprints | DEVELOCITY_CAPTURE_FILE_FINGERPRINTS |
+| develocity-enforce-url               | DEVELOCITY_ENFORCE_URL               |
+| develocity-plugin-version            | DEVELOCITY_PLUGIN_VERSION            |
+| develocity-ccud-plugin-version       | DEVELOCITY_CCUD_PLUGIN_VERSION       |
+| gradle-plugin-repository-url         | GRADLE_PLUGIN_REPOSITORY_URL         |
+| gradle-plugin-repository-username    | GRADLE_PLUGIN_REPOSITORY_USERNAME    |
+| gradle-plugin-repository-password    | GRADLE_PLUGIN_REPOSITORY_PASSWORD    |
 
 
 Here's an example using the env vars:
 
 ```yaml
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
 
     - name: Run a Gradle build with Develocity injection enabled with environment variables
       run: ./gradlew build
       env:
         DEVELOCITY_INJECTION_ENABLED: true
-        DEVELOCITY_INJECTION_URL: https://develocity.your-server.com
-        DEVELOCITY_INJECTION_ENFORCE_URL: true
-        DEVELOCITY_INJECTION_DEVELOCITY_PLUGIN_VERSION: '4.0'
-        DEVELOCITY_INJECTION_CCUD_PLUGIN_VERSION: '2.2.1'
+        DEVELOCITY_URL: https://develocity.your-server.com
+        DEVELOCITY_ENFORCE_URL: true
+        DEVELOCITY_PLUGIN_VERSION: "3.18.1"
+        DEVELOCITY_CCUD_PLUGIN_VERSION: "2.0.2"
 ```
 
 # Dependency verification

docs/wrapper-validation.md

@@ -50,7 +50,7 @@ We created an example [Homoglyph attack PR here](https://github.com/JLLeitschuh/
 Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:
 
 ```yaml
-uses: gradle/actions/wrapper-validation@v5
+uses: gradle/actions/wrapper-validation@v4
 ```
 
 This action step should precede any step using `gradle/gradle-build-action` or `gradle/actions/setup-gradle`.
@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: gradle/actions/wrapper-validation@v5
+      - uses: gradle/actions/wrapper-validation@v4
 ```
 
 ## Contributing to an external GitHub Repository
@@ -102,8 +102,7 @@ A wrapper jar can fail validation for a few reasons:
 1. The wrapper is from a snapshot build of Gradle (nightly or release nightly) and you have not set `allow-snapshots`
    or `allow-snapshot-wrappers` to `true`.
 2. The wrapper jar is from a version of Gradle with an unverifiable wrapper jar (see below).
-3. The wrapper jar is saved in Git LFS, and has not been correctly restored on checkout (see below).
-4. The wrapper jar was not published by Gradle, and could be compromised.
+3. The wrapper jar was not published by Gradle, and could be compromised.
 
 If this GitHub action fails because a `gradle-wrapper.jar` was not published by Gradle,
 we highly recommend that you reach out to us at [security@gradle.com](mailto:security@gradle.com).
@@ -114,17 +113,6 @@ Wrapper Jars generated by Gradle versions `3.3` to `4.0` are not verifiable beca
 - If the Gradle version in `gradle-wrapper.properties` is outside of this range, you can regenerate the `gradle-wrapper.jar` by running `./gradlew wrapper`. This will generate a new, verifiable wrapper jar.
 - If you need to run your build with a version of Gradle between 3.3 and 4.0, you can use a newer version of Gradle to generate the `gradle-wrapper.jar`.
 
-#### Wrapper Jar stored with Git LFS
-If your repository is configured to store Wrapper Jars in Git Large File Storage (LFS), then you must include the configuration to correctly
-restore these Jars on checkout. Without this, only a pointer to the Wrapper Jar is restored, and the checksum verification will fail.
-
-```
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          lfs: true  # gradle-wrapper.jar verification will fail without this
-```
-
 ## Resources
 
 To learn more about verifying the Gradle Wrapper JAR locally, see our

setup-gradle/README.md

@@ -26,7 +26,7 @@ jobs:
         distribution: 'temurin'
         java-version: 17
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@v4
     - name: Build with Gradle
       run: ./gradlew build
 ```

setup-gradle/action.yml

@@ -80,7 +80,7 @@ inputs:
   dependency-graph:
     description: |
       Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
-      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-submit-and-upload', 'generate-and-upload', and 'download-and-submit'.
+      Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', and 'download-and-submit'.
     required: false
     default: 'disabled'
 
@@ -239,10 +239,9 @@ outputs:
     description: Version of Gradle that was setup by the action
 
 runs:
-  using: 'node24'
+  using: 'node20'
   main: '../dist/setup-gradle/main/index.js'
   post: '../dist/setup-gradle/post/index.js'
-  post-if: '!cancelled()'
 
 branding:
   icon: 'box'

sources/.eslintignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

sources/.eslintrc.json

@@ -0,0 +1,57 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/recommended"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "i18n-text/no-en": "off",
+      "no-unused-vars": "off",
+      "no-shadow": "off",
+      "sort-imports": "off",
+      "github/array-foreach": "off",
+      "@typescript-eslint/no-unused-vars": ["error", { "argsIgnorePattern": "^_" }],
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "camelcase": "off",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error", 
+      "@typescript-eslint/no-non-null-assertion": "off",
+      "@typescript-eslint/no-shadow": "error",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": ["error", {"ignoreStringArrays":  true}],
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

sources/.tool-versions

@@ -1,3 +1,3 @@
 # Configuration file for asdf version manager
-nodejs 24.3.0
-gradle 8.14.2
+nodejs 20.10.0
+gradle 8.10

sources/eslint.config.mjs

@@ -1,70 +0,0 @@
-import globals from "globals";
-import typescriptParser from "@typescript-eslint/parser";
-import typescriptPlugin from "@typescript-eslint/eslint-plugin";
-
-export default {
-
-    plugins: {
-        "@typescript-eslint": typescriptPlugin,
-    },
-
-    languageOptions: {
-        globals: {
-            ...globals.node,
-        },
-
-        ecmaVersion: 9,
-        sourceType: "module",
-
-        parser: typescriptParser,
-        parserOptions: {
-            project: "./tsconfig.json",
-        },
-    },
-
-    files: ['**/*.ts', '**/*.tsx'],
-
-    rules: {
-        camelcase: "off",
-        semi: "off",
-
-        "@typescript-eslint/explicit-member-accessibility": ["error", {
-            accessibility: "no-public",
-        }],
-
-        "@typescript-eslint/no-require-imports": "error",
-        "@typescript-eslint/array-type": "error",
-        "@typescript-eslint/await-thenable": "error",
-
-        "@typescript-eslint/explicit-function-return-type": ["error", {
-            allowExpressions: true,
-        }],
-
-        "@typescript-eslint/no-array-constructor": "error",
-        "@typescript-eslint/no-empty-interface": "error",
-        "@typescript-eslint/no-explicit-any": "error",
-        "@typescript-eslint/no-extraneous-class": "error",
-        "@typescript-eslint/no-for-in-array": "error",
-        "@typescript-eslint/no-inferrable-types": "error",
-        "@typescript-eslint/no-misused-new": "error",
-        "@typescript-eslint/no-namespace": "error",
-        "@typescript-eslint/no-non-null-assertion": "off",
-        "@typescript-eslint/no-shadow": "error",
-        "@typescript-eslint/no-unnecessary-qualifier": "error",
-        "@typescript-eslint/no-unnecessary-type-assertion": "error",
-        "@typescript-eslint/no-useless-constructor": "error",
-        "@typescript-eslint/no-var-requires": "error",
-        "@typescript-eslint/prefer-for-of": "warn",
-        "@typescript-eslint/prefer-function-type": "warn",
-        "@typescript-eslint/prefer-includes": "error",
-        "@typescript-eslint/prefer-string-starts-ends-with": "error",
-        "@typescript-eslint/promise-function-async": "error",
-
-        "@typescript-eslint/require-array-sort-compare": ["error", {
-            ignoreStringArrays: true,
-        }],
-
-        "@typescript-eslint/restrict-plus-operands": "error",
-        "@typescript-eslint/unbound-method": "error",
-    },
-};

sources/jest.config.js

@@ -6,9 +6,5 @@ module.exports = {
   transform: {
     '^.+\\.ts$': 'ts-jest'
   },
-  reporters: [
-      'default',
-      '@gradle-tech/develocity-agent/jest-reporter',
-  ],
   verbose: true
 }

sources/package.json

@@ -31,50 +31,41 @@
     "gradle"
   ],
   "license": "MIT",
-  "engines": {
-    "node": ">=24.0.0"
-  },
   "dependencies": {
-    "@actions/artifact": "2.3.2",
-    "@actions/cache": "4.0.5",
-    "@actions/core": "1.11.1",
+    "@actions/artifact": "2.1.9",
+    "@actions/cache": "3.2.4",
+    "@actions/core": "1.10.1",
     "@actions/exec": "1.1.1",
-    "@actions/github": "6.0.1",
+    "@actions/github": "6.0.0",
     "@actions/glob": "0.5.0",
     "@actions/http-client": "2.2.3",
-    "@actions/tool-cache": "2.0.2",
-    "@octokit/webhooks-types": "7.6.1",
-    "cheerio": "1.1.2",
-    "semver": "7.7.2",
+    "@actions/tool-cache": "2.0.1",
+    "@octokit/rest": "21.0.2",
+    "@octokit/webhooks-types": "7.5.1",
+    "cheerio": "^1.0.0",
+    "semver": "7.6.3",
     "string-argv": "0.3.2",
+    "typed-rest-client": "2.0.2",
     "unhomoglyph": "1.0.6",
-    "which": "5.0.0"
+    "which": "4.0.0"
   },
   "devDependencies": {
-    "@gradle-tech/develocity-agent": "2.0.2",
-    "@jest/globals": "30.1.2",
-    "@types/jest": "30.0.0",
-    "@types/node": "24.5.2",
-    "@types/semver": "7.7.1",
-    "@types/unzipper": "0.10.11",
+    "@types/jest": "29.5.13",
+    "@types/node": "20.16.5",
+    "@types/unzipper": "0.10.10",
     "@types/which": "3.0.4",
-    "@typescript-eslint/eslint-plugin": "8.44.1",
-    "@vercel/ncc": "0.38.4",
-    "dedent": "1.7.0",
-    "eslint": "9.24.0",
-    "globals": "16.4.0",
-    "jest": "30.1.3",
-    "nock": "13.5.6",
+    "@typescript-eslint/parser": "7.18.0",
+    "@vercel/ncc": "0.38.1",
+    "eslint": "8.57.0",
+    "eslint-plugin-github": "5.0.2",
+    "eslint-plugin-jest": "28.8.3",
+    "jest": "29.7.0",
+    "js-yaml": "4.1.0",
+    "nock": "13.5.5",
     "npm-run-all": "4.1.5",
     "patch-package": "8.0.0",
-    "prettier": "3.6.2",
-    "ts-jest": "29.4.4",
-    "typescript": "5.9.2"
-  },
-  "overrides": {
-    "@azure/logger": "1.1.4",
-    "@octokit/request": "8.4.1",
-    "@octokit/request-error": "5.1.1",
-    "@octokit/plugin-paginate-rest": "9.2.2"
+    "prettier": "3.3.3",
+    "ts-jest": "29.2.5",
+    "typescript": "5.6.2"
   }
 }

sources/patches/@actions+cache+3.2.4.patch

@@ -0,0 +1,113 @@
+diff --git a/node_modules/@actions/cache/lib/cache.d.ts b/node_modules/@actions/cache/lib/cache.d.ts
+index 4658366..b796e58 100644
+--- a/node_modules/@actions/cache/lib/cache.d.ts
++++ b/node_modules/@actions/cache/lib/cache.d.ts
+@@ -21,7 +21,7 @@ export declare function isFeatureAvailable(): boolean;
+  * @param enableCrossOsArchive an optional boolean enabled to restore on windows any cache created on any platform
+  * @returns string returns the key for the cache hit, otherwise returns undefined
+  */
+-export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<string | undefined>;
++export declare function restoreCache(paths: string[], primaryKey: string, restoreKeys?: string[], options?: DownloadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry | undefined>;
+ /**
+  * Saves a list of files with the specified key
+  *
+@@ -31,4 +31,12 @@ export declare function restoreCache(paths: string[], primaryKey: string, restor
+  * @param options cache upload options
+  * @returns number returns cacheId if the cache was saved successfully and throws an error if save fails
+  */
+-export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<number>;
++export declare function saveCache(paths: string[], key: string, options?: UploadOptions, enableCrossOsArchive?: boolean): Promise<CacheEntry>;
++
++// PATCHED: Add `CacheEntry` as return type for save/restore functions
++// This allows us to track and report on cache entry sizes.
++export declare class CacheEntry {
++    key: string;
++    size?: number;
++    constructor(key: string, size?: number);
++}
+diff --git a/node_modules/@actions/cache/lib/cache.js b/node_modules/@actions/cache/lib/cache.js
+index 9d636aa..a176bd7 100644
+--- a/node_modules/@actions/cache/lib/cache.js
++++ b/node_modules/@actions/cache/lib/cache.js
+@@ -127,18 +127,21 @@ function restoreCache(paths, primaryKey, restoreKeys, options, enableCrossOsArch
+             core.info(`Cache Size: ~${Math.round(archiveFileSize / (1024 * 1024))} MB (${archiveFileSize} B)`);
+             yield (0, tar_1.extractTar)(archivePath, compressionMethod);
+             core.info('Cache restored successfully');
+-            return cacheEntry.cacheKey;
+-        }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else {
+-                // Supress all non-validation cache related errors because caching should be optional
+-                core.warning(`Failed to restore: ${error.message}`);
+-            }
++
++            // PATCHED - Return more inforamtion about restored entry
++            return new CacheEntry(cacheEntry.cacheKey, archiveFileSize);;
+         }
++        // PATCHED - propagate errors
++        // catch (error) {
++        //     const typedError = error;
++        //     if (typedError.name === ValidationError.name) {
++        //         throw error;
++        //     }
++        //     else {
++        //         // Supress all non-validation cache related errors because caching should be optional
++        //         core.warning(`Failed to restore: ${error.message}`);
++        //     }
++        // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -206,19 +209,23 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
+             }
+             core.debug(`Saving Cache (ID: ${cacheId})`);
+             yield cacheHttpClient.saveCache(cacheId, archivePath, options);
++
++            // PATCHED - Return more inforamtion about saved entry
++            return new CacheEntry(key, archiveFileSize);
+         }
+-        catch (error) {
+-            const typedError = error;
+-            if (typedError.name === ValidationError.name) {
+-                throw error;
+-            }
+-            else if (typedError.name === ReserveCacheError.name) {
+-                core.info(`Failed to save: ${typedError.message}`);
+-            }
+-            else {
+-                core.warning(`Failed to save: ${typedError.message}`);
+-            }
+-        }
++        // PATCHED - propagate errors
++        // catch (error) {
++        //     const typedError = error;
++        //     if (typedError.name === ValidationError.name) {
++        //         throw error;
++        //     }
++        //     else if (typedError.name === ReserveCacheError.name) {
++        //         core.info(`Failed to save: ${typedError.message}`);
++        //     }
++        //     else {
++        //         core.warning(`Failed to save: ${typedError.message}`);
++        //     }
++        // }
+         finally {
+             // Try to delete the archive to save space
+             try {
+@@ -232,4 +239,11 @@ function saveCache(paths, key, options, enableCrossOsArchive = false) {
+     });
+ }
+ exports.saveCache = saveCache;
++class CacheEntry {
++    constructor(key, size) {
++        this.key = key;
++        this.size = size;
++    }
++}
++exports.CacheEntry = CacheEntry;
+ //# sourceMappingURL=cache.js.map
+\ No newline at end of file