diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 202c830..c5b4a30 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/code-scan.yml
@@ -4,7 +4,7 @@ on:
workflow_call:
inputs:
use_setup_gradle:
- description: 'OBSOLETE. This is now autodetected and enabled if `build.gradle(.kt(s))` is found. Uses "gradle/action/setup-gradle" before running autobuild (Java/Kotlin/Scala only). Potentially speeds up build times if cache from main branch is utilized'
+ description: 'OBSOLETE. This is now autodetected and enabled if `build.gradle(.kt(s))` is found. Uses "gradle/action/setup-gradle" before running autobuild (Java/Kotlin/Scala only).'
default: false
required: false
type: boolean
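Review bot: the trimmed description still names the action as "gradle/action/setup-gradle" (singular), while the workflow itself invokes `gradle/actions/setup-gradle@v5`; since this PR already touches the string, fix the path here so users searching for the action find the right one. It would also help to state what happens when a caller still passes `use_setup_gradle: true` (ignored, or does it still force the step on?), since "OBSOLETE" alone does not tell a workflow author whether the value has any effect.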
@@ -346,7 +346,7 @@ jobs:
ARTIFACTORY_AUTH_TOKEN: ${{ secrets.ARTIFACTORY_AUTH_TOKEN }}
ARTIFACTORY_URL: ${{ vars.ARTIFACTORY_URL }}
with:
- cache-read-only: true # Force read only, even in main
+ cache-disabled: true
add-job-summary: 'on-failure'
dependency-graph: 'generate-and-upload'
dependency-graph-continue-on-failure: true
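Review bot: the replaced line drops the only comment explaining the caching policy ("# Force read only, even in main"), and `cache-disabled: true` is a stronger change than read-only, so leave a one-line comment with the reason (for example, that the scan job should build without depending on cache contents produced by other runs, or that the cache brought no measurable benefit). Without it the next maintainer will see a cold Gradle build in every scan and have no record of why `cache-read-only` was considered insufficient.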
@@ -434,7 +434,7 @@ jobs:
if: needs.get-repository-metadata.outputs.found_gradle == 'True' && (matrix.language == 'kotlin' || matrix.language == 'java')
uses: gradle/actions/setup-gradle@v5
with:
- cache-read-only: true # Force read only, even in main
+ cache-disabled: true
add-job-summary: 'on-failure'
dependency-graph: 'generate-and-upload'
github-token: ${{ secrets.GITHUB_TOKEN }}
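Review bot: this is the same `cache-read-only` to `cache-disabled` swap as in the step around line 346, and the two `with:` blocks are now identical apart from `github-token`; if both steps must stay, a shared comment or a single source for these options would keep them from drifting again. Note also that the step's condition on the visible context line gates on `matrix.language == 'kotlin' || matrix.language == 'java'` only, whereas the README and input description promise "(Java/Kotlin/Scala only)" for setup-gradle; either the condition or the documentation should be aligned.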
@@ -561,4 +561,5 @@ jobs:
}}
uses: gradle/actions/dependency-submission@v5
with:
+ cache-disabled: true
dependency-graph: download-and-submit # Download saved dependency-graph and submit
\ No newline at end of file
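Review bot: the file still ends without a trailing newline after the edit (the marker applies to both the old and the new last line); since the hunk already appends a line at the end, add the newline now so later diffs against this file stop carrying the marker. The `cache-disabled: true` addition itself is consistent with the step's purpose, as `download-and-submit` only downloads the saved graph and submits it and has no Gradle build to cache.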
diff --git a/README-code-scan.md b/README-code-scan.md
index bd72b72..9cd437a 100644
--- a/README-code-scan.md
+++ b/README-code-scan.md
@@ -18,18 +18,18 @@ or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your
-| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION |
-|----------------------------------------------------------------------------------------------------------------|---------|----------|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [codeql_queries](#input_codeql_queries) | string | false | `"security-extended"` | Comma-separated list of queries for
CodeQL to run. By default
is set to security-extended. |
-| [gradle_opts](#input_gradle_opts) | string | false | `"-Dorg.gradle.jvmargs=-Xmx4g"` | [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to
the CodeQL scanner |
-| [ignore_language](#input_ignore_language) | string | false | | Comma-separated list of languages for
CodeQL or Semgrep to ignore.
See [CodeQL Languages](https://github.com/github/codeql-action/blob/main/src/languages.ts) or "scala" for
Semgrep |
-| [java_distribution](#input_java_distribution) | string | false | `"temurin"` | Java distribution for "actions/setup-java" to
use |
-| [java_server_id_artifactory](#input_java_server_id_artifactory) | string | false | | Java server id for "actions/setup-java"
to use. This will setup
maven server with artifactory credentials
for CodeQL autobuild to use. |
-| [java_version](#input_java_version) | string | false | `"21"` | Java version for "actions/setup-java" to
use |
-| [job_runner](#input_job_runner) | string | false | `"ubuntu-24.04"` | Customizable job runner for CodeQL
or Semgrep jobs that require
a little extra performance/memory. List
of runners is available in
[Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners). |
-| [use_maven_cache](#input_use_maven_cache) | boolean | false | `false` | Uses "actions/cache" to cache local
maven repository, and can speed
up autobuild times for CodeQL |
-| [use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | OBSOLETE. This is now autodetected
and enabled if `build.gradle(.kt(s))` is
found. Uses "gradle/action/setup-gradle" before running
autobuild (Java/Kotlin/Scala only). Potentially speeds up
build times if cache from
main branch is utilized |
-| [use_setup_java](#input_use_setup_java) | boolean | false | `false` | Uses "actions/setup-java" before running CodeQL
or Gradle Dependency Graph (Java/Kotlin/Scala only).
CodeQL autobuild / Gradle Dependency
Graph will use the Java
version from "actions/setup-java". |
+| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION |
+|----------------------------------------------------------------------------------------------------------------|---------|----------|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [codeql_queries](#input_codeql_queries) | string | false | `"security-extended"` | Comma-separated list of queries for
CodeQL to run. By default
is set to security-extended. |
+| [gradle_opts](#input_gradle_opts) | string | false | `"-Dorg.gradle.jvmargs=-Xmx4g"` | [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to
the CodeQL scanner |
+| [ignore_language](#input_ignore_language) | string | false | | Comma-separated list of languages for
CodeQL or Semgrep to ignore.
See [CodeQL Languages](https://github.com/github/codeql-action/blob/main/src/languages.ts) or "scala" for
Semgrep |
+| [java_distribution](#input_java_distribution) | string | false | `"temurin"` | Java distribution for "actions/setup-java" to
use |
+| [java_server_id_artifactory](#input_java_server_id_artifactory) | string | false | | Java server id for "actions/setup-java"
to use. This will setup
maven server with artifactory credentials
for CodeQL autobuild to use. |
+| [java_version](#input_java_version) | string | false | `"21"` | Java version for "actions/setup-java" to
use |
+| [job_runner](#input_job_runner) | string | false | `"ubuntu-24.04"` | Customizable job runner for CodeQL
or Semgrep jobs that require
a little extra performance/memory. List
of runners is available in
[Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners). |
+| [use_maven_cache](#input_use_maven_cache) | boolean | false | `false` | Uses "actions/cache" to cache local
maven repository, and can speed
up autobuild times for CodeQL |
+| [use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | OBSOLETE. This is now autodetected
and enabled if `build.gradle(.kt(s))` is
found. Uses "gradle/action/setup-gradle" before running
autobuild (Java/Kotlin/Scala only). |
+| [use_setup_java](#input_use_setup_java) | boolean | false | `false` | Uses "actions/setup-java" before running CodeQL
or Gradle Dependency Graph (Java/Kotlin/Scala only).
CodeQL autobuild / Gradle Dependency
Graph will use the Java
version from "actions/setup-java". |
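Review bot: the only content change in this regenerated table is the `use_setup_gradle` row losing the "Potentially speeds up build times if cache from main branch is utilized" sentence; all other rows are rewritten solely because the DESCRIPTION column was narrowed, which makes the hunk hard to review and will produce the same churn on the next regeneration. Two follow-ups on the rows as they now read: the `use_setup_gradle` row should say whether the value is ignored, not just "OBSOLETE", and the `use_maven_cache` row still advertises caching to "speed up autobuild times for CodeQL" while this PR disables Gradle caching in the same jobs, so state whether the Maven cache is intentionally kept.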
@@ -122,11 +122,6 @@ jobs:
Code vulnerability scans of Java and Kotlin are done by running autobuild, which runs any identified build systems, like Gradle.
-If the project uses the [gradle/actions/setup-gradle](https://github.com/gradle/actions/?tab=readme-ov-file#the-setup-gradle-action) action, you can set code scanning to utilize any available cache from the 'main' branch. This potentially speeds up code analysis jobs.
-
-
-**Gradle Caching is detected by default.**
-
## Allowlists
The reusable workflow uses [CodeQL](https://codeql.github.com/) to scan the codebase for vulnerabilities. Any discovered vulnerabilities will be published in the _Security_ tab for the repository, under the _Code Scanning_ section. If you believe a finding is a false positive or otherwise not relevant, you can either manually dimiss the alert, or create a scanner config file (YAML-file) with allowlist spec that dismisses all alerts that matches a vulnerability ID. This list is then used in the current repo, but can also be shared and used with other repos.
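Review bot: removing the paragraph and the "**Gradle Caching is detected by default.**" line leaves the Java/Kotlin section with no statement of the new behaviour; replace them with one sentence saying that the scan jobs run setup-gradle with the build cache disabled and why, so repository owners understand why analysis runs do not get faster over time. While editing this section, the unchanged context line below has "manually dimiss the alert" (dismiss) and "alerts that matches" (match); worth fixing in the same PR.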