From 353bc3eda45b924819556e221d41f13364675e77 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 13:10:42 +0000 Subject: [PATCH 1/3] deps(actions): bump the actions group across 1 directory with 10 updates Bumps the actions group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github/codeql-action](https://github.com/github/codeql-action) | `4.33.0` | `4.35.2` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.6.1` | `3.0.0` | | [gradle/actions](https://github.com/gradle/actions) | `5.0.2` | `6.1.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `6.0.0` | `8.1.0` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.13.0` | `1.14.0` | | [ruby/setup-ruby](https://github.com/ruby/setup-ruby) | `1.293.0` | `1.302.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [rhysd/actionlint](https://github.com/rhysd/actionlint) | `1.7.11` | `1.7.12` | | [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.2` | `0.5.3` | | [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` | Updates `github/codeql-action` from 4.33.0 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b1bff81932f5cdfc8695c7752dcee935dcd061c8...95e58e9a2cdfd71adc6e0353d5c52f41a045d225) Updates `softprops/action-gh-release` from 2.6.1 to 3.0.0 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/153bb8e04406b158c6c84fc1615b65b24149a1fe...b4309332981a82ec1c5618f44dd2e27cc8bfbfda) Updates `gradle/actions` from 5.0.2 to 6.1.0 - [Release 
notes](https://github.com/gradle/actions/releases) - [Commits](https://github.com/gradle/actions/compare/0723195856401067f7a2779048b490ace7a47d7c...50e97c2cd7a37755bbfafc9c5b7cafaece252f6e) Updates `astral-sh/setup-uv` from 6.0.0 to 8.1.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/c7f87aa956e4c323abf06d5dec078e358f6b4d04...08807647e7069bb48b6ef5acd8ec9567f424441b) Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e...cef221092ed1bacb1cc03d23a2d87d1d172e277b) Updates `ruby/setup-ruby` from 1.293.0 to 1.302.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](https://github.com/ruby/setup-ruby/compare/dffb23f65a78bba8db45d387d5ea1bbd6be3ef18...7372622e62b60b3cb750dcd2b9e32c247ffec26a) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `rhysd/actionlint` from 1.7.11 to 1.7.12 - [Release notes](https://github.com/rhysd/actionlint/releases) - [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md) - [Commits](https://github.com/rhysd/actionlint/compare/393031adb9afb225ee52ae2ccd7a5af5525e03e8...914e7df21a07ef503a81201c76d2b11c789d3fca) Updates `zizmorcore/zizmor-action` from 0.5.2 to 0.5.3 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](https://github.com/zizmorcore/zizmor-action/compare/71321a20a9ded102f6e9ce5718a2fcec2c4f70d8...b1d7e1fb5de872772f31590499237e7cce841e8e) Updates `actions/cache` from 5.0.4 to 5.0.5 - [Release 
notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: softprops/action-gh-release dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: gradle/actions dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: astral-sh/setup-uv dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: ruby/setup-ruby dependency-version: 1.302.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: rhysd/actionlint dependency-version: 1.7.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 12 ++++++------ .github/workflows/release-github.yml | 2 +- .github/workflows/release-kotlin.yml | 4 ++-- .github/workflows/release-python.yml | 6 +++--- .github/workflows/release-ruby.yml | 4 ++-- .github/workflows/scorecard.yml | 4 ++-- .github/workflows/security.yml | 12 ++++++------ .github/workflows/test.yml | 18 +++++++++--------- 8 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bcd65967..90c74443 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -110,7 +110,7 @@ jobs: # --- CodeQL init --- - name: Initialize CodeQL - uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -128,7 +128,7 @@ jobs: # --- Analysis (fails build on real errors) --- - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:${{ matrix.language }}" upload: never @@ -162,7 +162,7 @@ jobs: # --- Upload (tolerates GHAS unavailability) --- - name: Upload SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 if: always() continue-on-error: true # Requires GitHub Advanced Security with: @@ -188,7 +188,7 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: swift build-mode: manual 
@@ -199,7 +199,7 @@ jobs: run: swift build - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: category: "/language:swift" upload: never @@ -225,7 +225,7 @@ jobs: done - name: Upload SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 if: always() continue-on-error: true # Requires GitHub Advanced Security with: diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 913ef772..8356c16f 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -188,7 +188,7 @@ jobs: } > body.md - name: Create GitHub Release - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 # zizmor: ignore[superfluous-actions] -- consider removal + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2.6.1 # zizmor: ignore[superfluous-actions] -- consider removal with: tag_name: ${{ steps.tag.outputs.tag }} name: Basecamp SDK ${{ steps.version.outputs.version }} diff --git a/.github/workflows/release-kotlin.yml b/.github/workflows/release-kotlin.yml index 7c0526e8..2d8f1fe7 100644 --- a/.github/workflows/release-kotlin.yml +++ b/.github/workflows/release-kotlin.yml @@ -38,7 +38,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v5.0.2 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation - name: Build run: ./gradlew :basecamp-sdk:build 
@@ -86,7 +86,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v5.0.2 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache - name: Extract version id: version diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index c29e12af..15fafb49 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v6.0.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation - name: Set up Python run: uv python install 3.13 @@ -87,7 +87,7 @@ jobs: git merge-base --is-ancestor "$GITHUB_SHA" origin/main - name: Install uv - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v6.0.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache - name: Set up Python run: uv python install 3.13 
@@ -136,7 +136,7 @@ jobs: - name: Publish to PyPI if: github.event_name == 'push' && steps.check-published.outputs.already_published != 'true' - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: packages-dir: python/dist/ attestations: true diff --git a/.github/workflows/release-ruby.yml b/.github/workflows/release-ruby.yml index 29e9a204..8fb50b9b 100644 --- a/.github/workflows/release-ruby.yml +++ b/.github/workflows/release-ruby.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@dffb23f65a78bba8db45d387d5ea1bbd6be3ef18 # v1.293.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.293.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation with: ruby-version: '3.3' bundler-cache: true @@ -68,7 +68,7 @@ jobs: git merge-base --is-ancestor "$GITHUB_SHA" origin/main - name: Set up Ruby - uses: ruby/setup-ruby@dffb23f65a78bba8db45d387d5ea1bbd6be3ef18 # v1.293.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.293.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache with: ruby-version: '3.3' bundler-cache: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 11529ada..e223559e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -27,13 +27,13 @@ jobs: results_format: sarif publish_results: true - - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 continue-on-error: true with: sarif_file: results.sarif diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index c1336b26..bbe4732f 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -36,7 +36,7 @@ jobs: output: 'trivy-go-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 if: always() continue-on-error: true # Requires GitHub Advanced Security with: @@ -67,7 +67,7 @@ jobs: output: 'trivy-ts-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 if: always() continue-on-error: true # Requires GitHub Advanced Security with: @@ -128,7 +128,7 @@ jobs: run: gosec -severity high -exclude-dir=pkg/generated -fmt sarif -out gosec-results.sarif ./... - name: Upload gosec results - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 if: always() continue-on-error: true with: 
@@ -184,7 +184,7 @@ jobs: output: 'trivy-ruby-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 if: always() continue-on-error: true with: @@ -206,7 +206,7 @@ jobs: persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@dffb23f65a78bba8db45d387d5ea1bbd6be3ef18 # v1.293.0 + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0 with: ruby-version: '3.3' bundler-cache: true @@ -242,7 +242,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Run dependency verification run: ./gradlew :basecamp-sdk:dependencies --scan diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 99b77987..379d4546 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -20,10 +20,10 @@ jobs: persist-credentials: false - name: Run actionlint - uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11 + uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca # v1.7.12 - name: Run zizmor - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: advanced-security: false @@ -143,7 +143,7 @@ jobs: persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@dffb23f65a78bba8db45d387d5ea1bbd6be3ef18 # v1.293.0 + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0 with: ruby-version: ${{ matrix.ruby }} bundler-cache: true 
@@ -175,7 +175,7 @@ jobs: persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Set up Python run: uv python install ${{ matrix.python }} @@ -249,7 +249,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Build run: ./gradlew :basecamp-sdk:build @@ -301,7 +301,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 - name: Run Kotlin conformance tests working-directory: kotlin @@ -327,7 +327,7 @@ jobs: npm test - name: Set up Ruby - uses: ruby/setup-ruby@dffb23f65a78bba8db45d387d5ea1bbd6be3ef18 # v1.293.0 + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0 with: ruby-version: '3.3' bundler-cache: true @@ -338,7 +338,7 @@ jobs: run: ruby runner.rb - name: Install uv (Python) - uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Run Python conformance tests working-directory: conformance/runner/python @@ -413,7 +413,7 @@ jobs: cache-dependency-path: 'go/go.sum' - name: Cache Go tools - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/go/bin key: go-tools-${{ runner.os }}-go${{ hashFiles('go/go.mod') }}-apidiff-v0.9.0 From 1e062635f0f63a17f3de41b7490462eeb2cabd3e Mon Sep 17 00:00:00 2001 
From: Jeremy Daer Date: Tue, 28 Apr 2026 12:36:06 -0700 Subject: [PATCH 2/3] deps(actions): sync version comments to bumped SHAs Dependabot's comment rewriter doesn't handle the trailing `# zizmor: ignore[...]` annotation, so version labels stayed at the pre-bump tag while the SHA pins moved forward. Update the seven affected lines in release-{github,kotlin,python,ruby}.yml to match the SHA's actual tag and clear zizmor's ref-version-mismatch findings. --- .github/workflows/release-github.yml | 2 +- .github/workflows/release-kotlin.yml | 4 ++-- .github/workflows/release-python.yml | 4 ++-- .github/workflows/release-ruby.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 8356c16f..f8dd0bbe 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -188,7 +188,7 @@ jobs: } > body.md - name: Create GitHub Release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2.6.1 # zizmor: ignore[superfluous-actions] -- consider removal + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 # zizmor: ignore[superfluous-actions] -- consider removal with: tag_name: ${{ steps.tag.outputs.tag }} name: Basecamp SDK ${{ steps.version.outputs.version }} diff --git a/.github/workflows/release-kotlin.yml b/.github/workflows/release-kotlin.yml index 2d8f1fe7..4aff274e 100644 --- a/.github/workflows/release-kotlin.yml +++ b/.github/workflows/release-kotlin.yml 
@@ -38,7 +38,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v5.0.2 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation - name: Build run: ./gradlew :basecamp-sdk:build @@ -86,7 +86,7 @@ jobs: java-version: '17' - name: Setup Gradle - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v5.0.2 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache - name: Extract version id: version diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index 15fafb49..d255a784 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v6.0.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation - name: Set up Python run: uv python install 3.13 
@@ -87,7 +87,7 @@ jobs: git merge-base --is-ancestor "$GITHUB_SHA" origin/main - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v6.0.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache - name: Set up Python run: uv python install 3.13 diff --git a/.github/workflows/release-ruby.yml b/.github/workflows/release-ruby.yml index 8fb50b9b..c850a498 100644 --- a/.github/workflows/release-ruby.yml +++ b/.github/workflows/release-ruby.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: Set up Ruby - uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.293.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation with: ruby-version: '3.3' bundler-cache: true @@ -68,7 +68,7 @@ jobs: git merge-base --is-ancestor "$GITHUB_SHA" origin/main - name: Set up Ruby - uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.293.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache with: ruby-version: '3.3' bundler-cache: true From eb38125dd343e7e28a2b7e95e6794439c789b50d Mon Sep 17 00:00:00 2001 
From: Jeremy Daer Date: Tue, 28 Apr 2026 13:19:30 -0700 Subject: [PATCH 3/3] ci(actions): pin gradle/actions to MIT-licensed basic cache provider gradle/actions@v6 extracted caching into a separate, proprietary gradle-actions-caching component governed by the Develocity Terms of Use. Using the v6 default ('enhanced') silently accepts those terms on every Gradle CI run. v6.1.0 introduced an MIT-licensed open-source 'basic' cache provider as an explicit opt-out. Set cache-provider: basic on all five setup-gradle call sites (test.yml, security.yml, release-kotlin.yml) so caching stays on but no proprietary code or ToU acceptance is loaded. --- .github/workflows/release-kotlin.yml | 4 ++++ .github/workflows/security.yml | 2 ++ .github/workflows/test.yml | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/.github/workflows/release-kotlin.yml b/.github/workflows/release-kotlin.yml index 4aff274e..2d8939c9 100644 --- a/.github/workflows/release-kotlin.yml +++ b/.github/workflows/release-kotlin.yml @@ -39,6 +39,8 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation + with: + cache-provider: basic - name: Build run: ./gradlew :basecamp-sdk:build @@ -87,6 +89,8 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache + with: + cache-provider: basic - name: Extract version id: version diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index bbe4732f..80789d1b 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -243,6 +243,8 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + with: + cache-provider: basic - name: Run dependency verification run: ./gradlew :basecamp-sdk:dependencies --scan diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 379d4546..37d6a72b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -250,6 +250,8 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + with: + cache-provider: basic - name: Build run: ./gradlew :basecamp-sdk:build @@ -302,6 +304,8 @@ jobs: - name: Setup Gradle uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0 + with: + cache-provider: basic - name: Run Kotlin conformance tests working-directory: kotlin
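Review bot: In the security.yml hunk the new `cache-provider: basic` opt-out sits directly above `run: ./gradlew :basecamp-sdk:dependencies --scan`, and `--scan` requests a Develocity build scan, which uploads the build to Gradle's scan service and presumably falls under the same Develocity Terms of Use this commit is trying not to accept. If the intent stated in the commit message ("no proprietary code or ToU acceptance is loaded") is meant to hold for this workflow, the flag should go too: `run: ./gradlew :basecamp-sdk:dependencies`. If the scan upload is deliberate, say so in the commit and leave a comment on the step such as `# --scan publishes a build scan to Develocity under its own ToU; cache-provider: basic only covers the cache layer` so the next reader does not assume the opt-out is complete. Whether the Develocity plugin is already configured in the repo's Gradle settings (and thus whether `--scan` would prompt, fail, or silently publish in CI) is outside this hunk and should be confirmed.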