chore(deps): update gradle/actions action to v6

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
gradle/actions	action	major	v4.3.0 → v6.2.0

---

Release Notes

gradle/actions (gradle/actions)

v6.2.0

Compare Source

Highlights

This release brings significant behaviour improvements to Enhanced caching, improvements to the generated Job Summary, and a number of correctness and security fixes.

1. Improved cache-cleanup mechanism. Cleanup of stale files from the Gradle User Home is now faster, and no longer depends on Gradle or a JVM. It works by inspecting the local file state directly, removing the Gradle invocation from the post-build step.
2. More granular, more stable caching. The local build cache is stored as a separate cache entry, so it can be restored and invalidated independently of the main Gradle User Home entry. Transient Gradle housekeeping files are excluded from the cache, reducing its size and improving stability.
3. Hide obsolete Job summaries in PR commments: When a new Job summary comment is added to a PR, previous outdated Job summaries are now hidden.
4. Improved caching report in the job summary. The cache report now uses a single, consistent layout across all cache states and providers. Provider information is integrated directly into the report, and per-entry details are available in an expandable section. (#​985)
5. Correctness and security fixes. A unique cache key is now used per run attempt, so re-runs no longer collide; the job summary shows the cache key string rather than an internal id; and bundled dependencies have been updated, including a ReDoS fix and a fast-xml CVE fix.

What's Changed

• Remove unnecessary dependency overrides by @​bigdaz in #​981
• Scope CI-integ-test concurrency groups per-branch by @​bigdaz in #​983
• Improve typings by @​Vampire in #​938
• Hide obsolete Job summaries by @​SimonMarquis in #​902
• CI: add requireable aggregate/no-op checks for branch protection by @​bigdaz in #​984
• Redesign the caching Job Summary by @​bigdaz in #​985

New Contributors

• @​Vampire made their first contribution in #​938

Full Changelog: gradle/actions@v6.1.1...v6.2.0

v6.1.1

Compare Source

This release updates various dependency versions, resolving several reported security vulnerabilities.
No functional changes are included

What's Changed

• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /sources/test/init-scripts by @​bot-githubaction in #​961
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/gradle-plugin by @​bot-githubaction in #​962
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/groovy-dsl by @​bot-githubaction in #​963
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/java-toolchain by @​bot-githubaction in #​964
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/kotlin-dsl by @​bot-githubaction in #​965
• Update known wrapper checksums by @​github-actions[bot] in #​937
• Bump the github-actions group across 2 directories with 8 updates by @​dependabot[bot] in #​976
• Bump the npm-dependencies group across 1 directory with 14 updates by @​dependabot[bot] in #​970
• Bump references to Develocity Gradle plugin from 4.4.0 to 4.4.2 by @​bot-githubaction in #​973
• Bump the npm-dependencies group in /sources with 5 updates by @​dependabot[bot] in #​977
• Update @​actions/cache and @​actions/artifact, stop ignoring them in Dependabot by @​bigdaz in #​978
• Resolve npm security vulnerabilities via dependency overrides by @​bigdaz in #​980

Full Changelog: gradle/actions@v6.1.0...v6.1.1

v6.1.0

Compare Source

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

• Built on @actions/cache -- fully open source
• Caches ~/.gradle/caches and ~/.gradle/wrapper directories
• Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
• Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

• New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
• Simplified licensing notices in README, docs, and runtime log output
• Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

• Use a unique cache entry for wrapper-validation test by @​bigdaz in #​921
• Update Dependencies by @​bigdaz in #​922
• Update dependencies and resolve npm vulnerabilities by @​bigdaz in #​933
• Add open-source 'basic' cache provider and revamp licensing documentation by @​bigdaz in #​930
• Restructure caching documentation for basic and enhanced providers by @​bigdaz in #​934

Full Changelog: gradle/actions@v6.0.1...v6.1.0

v6.0.1

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

• Bump actions used in docs by @​Goooler in #​792
• Add typing information for use by typesafegithub by @​bigdaz in #​910
• Mute license warning when terms are accepted by @​bigdaz in #​911
• Mention explicit license acceptance in notice by @​bigdaz in #​912
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.1 to 2.21.2 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​907

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

• Caching functionality of 'gradle-actions' has been extracted into a separate gradle-actions-caching library, and is no longer open-source. See this blog post for more context.
• Existing, rudimentary, configuration-cache support has been removed, pending a fully functional implementation in gradle-actions-caching.
• Dependencies updated to address security vulnerabilities

[!IMPORTANT]

Licensing notice

The caching functionality in `gradle-actions` has been extracted into `gradle-actions-caching`, a proprietary commercial component that is not covered by the MIT License.
The bundled `gradle-actions-caching` component is licensed and governed by a separate license, available at https://gradle.com/legal/terms-of-use/.

The `gradle-actions-caching` component is used only when caching is enabled and is not loaded or used when caching is disabled.

Use of the `gradle-actions-caching` component is subject to a separate license, available at https://gradle.com/legal/terms-of-use/.
If you do not agree to these license terms, do not use the `gradle-actions-caching` component.

What's Changed

• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​866
• Update known wrapper checksums by @​github-actions[bot] in #​868
• Dependency updates by @​bigdaz in #​876
• Update known wrapper checksums by @​github-actions[bot] in #​878
• Bump @​types/node from 25.3.3 to 25.3.5 in /sources in the npm-dependencies group across 1 directory by @​dependabot[bot] in #​877
• Bump the github-actions group across 3 directories with 3 updates by @​dependabot[bot] in #​867
• Update known wrapper checksums by @​github-actions[bot] in #​881
• Bump the npm-dependencies group in /sources with 6 updates by @​dependabot[bot] in #​879
• Bump the github-actions group across 3 directories with 5 updates by @​dependabot[bot] in #​880
• Remove configuration-cache support by @​bigdaz in #​884
• Extract caching logic into a separate gradle-actions-caching component by @​bigdaz in #​885
• Update gradle-actions-caching library to v0.3.0 by @​bot-githubaction in #​899
• Avoid windows shutdown bug by @​bigdaz in #​900
• Dependency updates by @​bigdaz in #​905
• Fix critical and high npm vulnerabilities by @​bigdaz in #​904
• Fix rendering of job-disabled message by @​bigdaz in #​909

Full Changelog: gradle/actions@v5.0.2...v6.0.0

v6

Compare Source

v5.0.2

Compare Source

Summary

This release contains no functional changes. It updates dependencies and known Gradle wrapper checksums.

What's Changed

• Update dependencies by @​bigdaz in #​851
• Bump the github-actions group across 2 directories with 3 updates by @​dependabot[bot] in #​850
• Update DV config by @​bigdaz in #​848
• Convert project to ESM and update dependencies by @​bigdaz in #​854
• Workflow fixes by @​bigdaz in #​856
• Remove superfluous text from log message by @​bigdaz in #​861
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​860
• Bump the npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​859
• Update known wrapper checksums by @​github-actions[bot] in #​857
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.0 to 2.21.1 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​862
• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​863
• Bump github/codeql-action from 4.32.3 to 4.32.4 in the github-actions group across 1 directory by @​dependabot[bot] in #​864

Full Changelog: gradle/actions@v5.0.1...v5.0.2

v5.0.1

Compare Source

What's Changed

• Bump npm code dependency versions
• Bump Gradle versions used in sample builds
• Bump dependencies versions in Gradle sample builds
• Bump GitHub actions used for build and test
• Update known wrapper checksums to include Gradle 9.2+

Full Changelog: gradle/actions@v5.0.0...v5.0.1

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade to node 24 by @​amyu in #​721

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency upgrades

• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​748

Full Changelog: gradle/actions@v4...v5.0.0

v5

Compare Source

v4.4.4

Compare Source

What's Changed

• Bump the github-actions group across 2 directories with 3 updates by @​dependabot[bot] in #​726
• Regenerating package lock by @​cdsap in #​729
• Update known wrapper checksums by @​github-actions[bot] in #​730
• Bump the github-actions group across 1 directory with 3 updates by @​dependabot[bot] in #​735
• Bump the gradle group across 3 directories with 1 update by @​dependabot[bot] in #​734
• Bump the npm-dependencies group in /sources with 4 updates by @​dependabot[bot] in #​733
• Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 by @​bot-githubaction in #​736
• Handle gracefully parse errors in checksum file by @​jprinet in #​737
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl by @​bot-githubaction in #​742
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/java-toolchain by @​bot-githubaction in #​741
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/groovy-dsl by @​bot-githubaction in #​740
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/gradle-plugin by @​bot-githubaction in #​739
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /sources/test/init-scripts by @​bot-githubaction in #​738
• Update known wrapper checksums by @​github-actions[bot] in #​743
• Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by @​dependabot[bot] in #​746
• Bump the npm-dependencies group in /sources with 5 updates by @​dependabot[bot] in #​745

Full Changelog: gradle/actions@v4...v4.4.4

v4.4.3

Compare Source

What's Changed

• Adapt tests to future new Build Scan publication message by @​alextu in #​708
• Add missing Gradle version input to setup-gradle by @​jprinet in #​713
• Bump the github-actions group across 2 directories with 4 updates by @​dependabot[bot] in #​710
• Bump references to Develocity Gradle plugin from 4.1 to 4.1.1 by @​bot-githubaction in #​712
• Update known wrapper checksums by @​github-actions[bot] in #​709
• Bump the npm-dependencies group across 1 directory with 4 updates by @​dependabot[bot] in #​711
• Do not run setup-gradle post action if workflow is cancelled by @​jprinet in #​716
• Bump the github-actions group across 2 directories with 2 updates by @​dependabot[bot] in #​715
• Bump the npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​720
• Bump github/codeql-action from 3.29.11 to 3.30.0 in the github-actions group across 1 directory by @​dependabot[bot] in #​719
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.19.2 to 2.20.0 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​718
• Update known wrapper checksums by @​github-actions[bot] in #​723
• Bump the npm-dependencies group in /sources with 5 updates by @​dependabot[bot] in #​725

Full Changelog: gradle/actions@v4.4.2...v4.4.3

v4.4.2

Compare Source

This patch release updates a bunch of dependency versions

What's Changed

• Bump github/codeql-action from 3.29.4 to 3.29.5 in the github-actions group across 1 directory (#​703)
• Bumps the npm-dependencies group in /sources with 4 updates (#​702)
• Upgrade to gradle 9 in workflows and tests (#​704)
• Update known wrapper checksums (#​701)
• Bump Gradle Wrapper from 8.14.3 to 9.0.0 in /.github/workflow-samples/gradle-plugin (#​695)
• Bump Gradle Wrapper from 8.14.3 to 9.0.0 in /.github/workflow-samples/groovy-dsl (#​696)
• Bump Gradle Wrapper from 8.14.3 to 9.0.0 in /.github/workflow-samples/java-toolchain (#​697)
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.19.1 to 2.19.2 in /sources/test/init-scripts in the gradle group across 1 directory (#​693)
• Bump github/codeql-action from 3.29.0 to 3.29.4 in the github-actions group across 1 directory (#​691)
• Bump the npm-dependencies group in /sources with 5 updates (#​692)
• Bump references to Develocity Gradle plugin from 4.0.2 to 4.1 (#​685)
• Bump the npm-dependencies group across 1 directory with 8 updates (#​684)
• Run Gradle release candidate tests with JDK 17 (#​690)
• Update Develocity npm agent to version 1.0.1 (#​687)
• Update known wrapper checksums (#​688)
• Bump Gradle Wrapper from 8.14.2 to 8.14.3 in /.github/workflow-samples/kotlin-dsl (#​683
• Bump the github-actions group across 1 directory with 3 updates (#​675)
• Bump the gradle group across 3 directories with 2 updates (#​674)
• Bump Gradle Wrapper from 8.14.2 to 8.14.3 in /sources/test/init-scripts (#​679)
• Bump Gradle Wrapper from 8.14.2 to 8.14.3 in /.github/workflow-samples/java-toolchain (#​682)
• Bump Gradle Wrapper from 8.14.2 to 8.14.3 in /.github/workflow-samples/groovy-dsl (#​681)
• Bump Gradle Wrapper from 8.14.2 to 8.14.3 in /.github/workflow-samples/gradle-plugin (#​680)
• Update known wrapper checksums (#​676)

Full Changelog: gradle/actions@v4.4.1...v4.4.2

v4.4.1

Compare Source

This patch release fixes a bug in Develocity Injection with a custom plugin repository.
The gradle-plugin-repository-* action parameters were not being correctly mapped to environment variables that are read by the Develocity Injection init script.

This issue has been fixed by setting the correct environment variables:

• gradle-plugin-repository-url is mapped to DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_URL
• gradle-plugin-repository-username is mapped to DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_USERNAME
• gradle-plugin-repository-password is mapped to DEVELOCITY_INJECTION_PLUGIN_REPOSITORY_PASSWORD

Additionally, these parameters can now be used to configure a custom plugin repository for the GitHub Dependency Graph Gradle Plugin, required for dependency submission.

What's Changed

• Dependency updates by @​bigdaz in #​667
• Fix plugin repository env vars by @​bigdaz in #​669

Full Changelog: gradle/actions@v4.4.0...v4.4.1

v4.4.0

Compare Source

This release updates 2 downstream components:

• Develocity injection has been updated to v2.0
  • Some environment variables related to Develocity injection have been renamed. All vars now being with DEVELOCITY_INJECTION_. Check the docs for more details.
• Dependency-graph plugin has been updated to v1.4.0
  • The 'detector' values included in the generated graph can now be configured via environment variables.

What's Changed

• Update develocity-injection init script to v1.3 by @​bot-githubaction in #​592
• Update develocity-injection init script to v2.0 by @​bot-githubaction in #​593
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in #​597
• Use v1.4.0 of dependency graph plugin by @​bigdaz in #​638

New Contributors

• @​step-security-bot made their first contribution in #​597

Full Changelog: gradle/actions@v4.3.1...v4.4.0

v4.3.1

Compare Source

This release fixes a couple of minor issues, as well as keeping dependencies up to date.

Fixed issues

• The develocity-allow-untrusted-server parameter should be honoured when fetching short-lived access tokens #​583
• Build summary may incorrectly report build success #​415

What's Changed

• Update develocity-injection init script to v1.1.1 by @​bot-githubaction in #​545
• Bump the github-actions group across 2 directories with 3 updates by @​dependabot in #​547
• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot in #​548
• Update develocity-injection init script to v1.2 by @​bot-githubaction in #​550
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot in #​552
• Bump the npm-dependencies group across 1 directory with 5 updates by @​dependabot in #​558
• Update known wrapper checksums by @​github-actions in #​560
• Bump references to Develocity Gradle plugin from 3.19.1 to 3.19.2 by @​bot-githubaction in #​561
• Catch more build failures in job summary by @​bigdaz in #​571
• Scope captured build failures by @​erichaagdev in #​574
• Ignore SSL certificate validation when fetching Develocity short-lived access token if develocity-allow-untrusted-server is enabled by @​remcomokveld in #​575
• Dependency updates by @​bigdaz in #​579
• Bump com.google.guava:guava from 33.4.5-jre to 33.4.6-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by @​dependabot in #​580
• Bump the github-actions group across 2 directories with 2 updates by @​dependabot in #​582

New Contributors

• @​erichaagdev made their first contribution in #​574
• @​remcomokveld made their first contribution in #​575

Full Changelog: gradle/actions@v4.3.0...v4.3.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.