Skip to content

ci: audit and update GitHub Actions to ASF-approved versions#512

Open
jamesfredley wants to merge 1 commit into
masterfrom
ci/setup-gradle-v6-basic-cache
Open

ci: audit and update GitHub Actions to ASF-approved versions#512
jamesfredley wants to merge 1 commit into
masterfrom
ci/setup-gradle-v6-basic-cache

Conversation

@jamesfredley
Copy link
Copy Markdown
Contributor

@jamesfredley jamesfredley commented May 29, 2026

What

Audit of every GitHub Action used in this repository against the ASF approved actions allow-list, updating each to its current approved version and pinning every external action to a full commit SHA with a trailing comment naming the version it resolves to.

This mirrors the audit performed on grails-core in apache/grails-core#15690 and brings this repository back onto supported, allow-list-approved action versions.

Why (setup-gradle)

The primary driver is gradle/actions/setup-gradle:

  • The previously-used SHAs were either never on the ASF allow-list or are scheduled to expire from it on 2026-06-20.
  • gradle/actions v6.0.0 moved caching into a proprietary enhanced provider governed by Gradle's commercial Terms of Use. v6.1.0 reintroduced an MIT-licensed basic cache provider.

Standardizing on the approved v6.1.0 SHA with cache-provider: basic (3 steps) keeps us on a supported version while caching stays MIT-licensed. Each cache-provider line carries an inline comment documenting the distinction.

Changes

Action Before After (pinned SHA # version)
actions/checkout v4, v6 de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
actions/setup-java v4, v5 be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
gradle/actions/setup-gradle 017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2, 0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
scacap/action-surefire-report 5609ce4db72c09db044803b344a8968fd1f315da # v1.9.1 3dacff26879cd2a7f2160d101254032a3707fe6f # v1.12.0
actions/cache v5 27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

Plus cache-provider: basic added to all 3 setup-gradle steps.

First-party apache/grails-github-actions/* references and local ./.github/actions/* composites are intentionally left unchanged.

Verification

  • Every external action is SHA-pinned with a # version comment; the only non-SHA refs remaining are the first-party apache/* @asf ones and local composite actions.
  • All modified workflow YAML files parse cleanly.

@jamesfredley
ci: audit and update GitHub Actions to ASF-approved versions
ffd8a67 
Pin every external GitHub Action to a full commit SHA from the ASF
approved actions allow-list, with a trailing comment naming the version
it resolves to. Mirrors the grails-core audit in apache/grails-core#15690.

- actions/checkout -> de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (was v4, v6)
- actions/setup-java -> be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 (was v4, v5)
- gradle/actions/setup-gradle -> 50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 (was 017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2, 0723195856401067f7a2779048b490ace7a47d7c # v5.0.2)
- scacap/action-surefire-report -> 3dacff26879cd2a7f2160d101254032a3707fe6f # v1.12.0 (was 5609ce4db72c09db044803b344a8968fd1f315da # v1.9.1)
- actions/cache -> 27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 (was v5)

Add cache-provider: basic to all 3 setup-gradle steps so caching
stays on the MIT-licensed provider rather than the proprietary enhanced
provider introduced in gradle/actions v6 (Gradle commercial Terms of Use).

First-party apache/grails-github-actions/* and local ./.github/actions/*
references are intentionally left unchanged.

Assisted-by: claude-code:claude-4.8-opus
Copilot AI reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates active GitHub Actions workflows to use ASF-approved, SHA-pinned external actions, with inline version comments. It also standardizes Gradle setup on gradle/actions/setup-gradle v6.1.0 using the MIT-licensed basic cache provider.

Changes:

  • Pins third-party workflow actions to full commit SHAs with version comments.
  • Updates checkout, setup-java, setup-gradle, cache, and surefire-report actions to newer approved versions.
  • Adds cache-provider: basic to all setup-gradle steps.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/workflows/rendersite.yml Pins checkout/setup-java/setup-gradle and configures Gradle basic cache provider.
.github/workflows/release.yml Pins checkout and setup-java for the release workflow.
.github/workflows/release-companion.yml Pins checkout and setup-java for companion release updates.
.github/workflows/publish.yml Pins publish workflow actions and configures Gradle basic cache provider.
.github/workflows/gradle.yml Pins CI workflow actions, updates surefire report action, and configures Gradle basic cache provider.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jdaugherty jdaugherty Awaiting requested review from jdaugherty

@matrei matrei Awaiting requested review from matrei

@sbglasius sbglasius Awaiting requested review from sbglasius

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jamesfredley