gateway: bump gradle/actions from 6.0.1 to 6.1.0#681
Conversation
Bumps [gradle/actions](https://github.com/gradle/actions) from 6.0.1 to 6.1.0. - [Release notes](https://github.com/gradle/actions/releases) - [Commits](gradle/actions@39e147c...50e97c2) --- updated-dependencies: - dependency-name: gradle/actions dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
This action now contains proprietary 'Enhanced Caching' code. Not sure if we're comfortable with that? |
|
Agreed. I missed it in previous version but I think we should just not allow it. |
|
6.1.0 introduced
|
I guess that changes things - the only thing it is not default, and we have - currently no way to verify it - unless we add custom check on our actions scanner. |
|
Got it. So, is this |
I guess - if we agree to that. |
raboof
left a comment
raboof
left a comment
There was a problem hiding this comment.
Having slept on this I think it is OK to leave this for the projects to decide.
Since it is possible to use the action transparently, and Gradle is a 'trustworthy' partner so we don't expect shenanigans even in the proprietary cache implementation, I think we can allow the action here and leave it up to the individual projects to decide their risk appetite.
While adding this check to a scanner tool would be neat, it doesn't seem like a high priority - we're already overloading projects with information so we should be careful with that.
Approving, but not merging yet, would be good to have more consensus.
I am ok with that - maybe we can - indeed add some checks in our current (and updated in the future) action checker for ASF PMCs. That could be a warning initially or error later if we find that gradle action is miconfigured. |
|
Is 2 people enough for a consensus ? :) |
|
:D since the license change is actually already there since the previous update and I saw no other objections I think 2 is sufficient - we can always revisit this decision later. |
|
Thank you. It's great to have v6.1.0. |
### What changes were proposed in this pull request? This PR adds `gradle/actions/setup-gradle` to GitHub Actions workflows (`build_and_test.yml`, `publish_snapshot_chart.yml`) and removes the `cache: 'gradle'` option from `actions/setup-java` and `Java Tool Chain caching` step since `setup-gradle` handles Gradle caching. ### Why are the changes needed? The `gradle/actions/setup-gradle` action is the officially recommended way to set up Gradle in GitHub Actions, offering several advantages over the `cache: 'gradle'` option in `actions/setup-java`: - actions/setup-java#588 - apache/infrastructure-actions#681 - apache/infrastructure-actions#696 Advantages: - **More efficient caching**: Provides more sophisticated and optimized caching of Gradle User Home between invocations, with detailed reporting of cache usage and configuration options. - **Dependency Graph support**: Can generate and submit a GitHub Dependency Graph for the project, enabling Dependabot security alerts. - **Build Scan link capture**: Automatically captures Build Scan links from the build, making them easier to locate in workflow runs. - **Separation of concerns**: `actions/setup-java` is a general-purpose Java setup tool. Delegating Gradle-specific setup to the dedicated first-party action avoids sub-optimal caching strategies (`actions/setup-java#588`). ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? CI should pass with the updated workflows. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Code (claude-opus-4-6) Closes #621 from dongjoon-hyun/SPARK-56401. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
3 participants
Bumps gradle/actions from 6.0.1 to 6.1.0.
Release notes
Sourced from gradle/actions's releases.
Commits
50e97c2Link to docs for caching providersf2e6298Restructure caching documentation for basic and enhanced providers (#934)b294b1eReally fix integ-test-full83d3189Revise license details for gradle-actions-caching1d5db06Update license link for gradle-actions-caching component1c80961Fix license link for Enhanced Caching component9e99920Fix integ-test-full workflowbb8aaafFix workflow permissionsf5dfb43[bot] Update dist directoryff9ae24Add open-source 'basic' cache provider and revamp licensing documentation (#930)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)