From 8b55ac54c1c2bf45c314f8078b58d7d9b1a4be50 Mon Sep 17 00:00:00 2001
From: Lillie Rugtveit <126776478+LillieEntur@users.noreply.github.com>
Date: Tue, 24 Mar 2026 12:04:59 +0100
Subject: [PATCH 1/3] fix: disable gradle-action cache to prepare for v6 changes

---
 .github/workflows/code-scan.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 202c830..c5b4a30 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/code-scan.yml
@@ -4,7 +4,7 @@ on:
 workflow_call:
 inputs:
 use_setup_gradle:
- description: 'OBSOLETE. This is now autodetected and enabled if `build.gradle(.kt(s))` is found. Uses "gradle/action/setup-gradle" before running autobuild (Java/Kotlin/Scala only). Potentially speeds up build times if cache from main branch is utilized'
+ description: 'OBSOLETE. This is now autodetected and enabled if `build.gradle(.kt(s))` is found. Uses "gradle/action/setup-gradle" before running autobuild (Java/Kotlin/Scala only).'
 default: false
 required: false
 type: boolean
@@ -346,7 +346,7 @@ jobs:
 ARTIFACTORY_AUTH_TOKEN: ${{ secrets.ARTIFACTORY_AUTH_TOKEN }}
 ARTIFACTORY_URL: ${{ vars.ARTIFACTORY_URL }}
 with:
- cache-read-only: true # Force read only, even in main
+ cache-disabled: true
 add-job-summary: 'on-failure'
 dependency-graph: 'generate-and-upload'
 dependency-graph-continue-on-failure: true
@@ -434,7 +434,7 @@ jobs:
 if: needs.get-repository-metadata.outputs.found_gradle == 'True' && (matrix.language == 'kotlin' || matrix.language == 'java')
 uses: gradle/actions/setup-gradle@v5
 with:
- cache-read-only: true # Force read only, even in main
+ cache-disabled: true
 add-job-summary: 'on-failure'
 dependency-graph: 'generate-and-upload'
 github-token: ${{ secrets.GITHUB_TOKEN }}
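Review bot: At @@ -346 the new `cache-disabled: true` line loses the rationale that the removed `cache-read-only: true # Force read only, even in main` carried, and the same happens at @@ -434 and with the line added at @@ -561; the only explanation now lives in the commit subject. Suggest keeping it in the file, e.g. `cache-disabled: true  # No Gradle cache for scan jobs; disabled ahead of the gradle/actions v6 changes`. It is also worth saying in that comment that these steps no longer read a cache populated by other runs, so a later attempt to speed the jobs up does not quietly reintroduce a shared cache without the former read-only guard. The steps these `with:` blocks belong to start before the hunks.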
@@ -561,4 +561,5 @@ jobs: }} uses: gradle/actions/dependency-submission@v5 with: + cache-disabled: true dependency-graph: download-and-submit # Download saved dependency-graph and submit \ No newline at end of file From b9dc634dd443b90d6b4d55827ce2710cd4ac608f Mon Sep 17 00:00:00 2001 From: LillieEntur Date: Tue, 24 Mar 2026 11:11:33 +0000 Subject: [PATCH 2/3] docs: Update workflow documentation --- README-code-scan.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README-code-scan.md b/README-code-scan.md index bd72b72..28a990e 100644 --- a/README-code-scan.md +++ b/README-code-scan.md @@ -18,18 +18,18 @@ or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your -| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION | -|----------------------------------------------------------------------------------------------------------------|---------|----------|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [codeql_queries](#input_codeql_queries) | string | false | `"security-extended"` | Comma-separated list of queries for
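Review bot: The `\ No newline at end of file` marker after `dependency-graph: download-and-submit # Download saved dependency-graph and submit` shows the workflow still ends without a final newline on the new side; since this hunk is already the tail of the file, ending it with a newline would clear that and satisfy yamllint's new-line-at-end-of-file check. The surrounding step, including the `if:` expression that closes with `}}` on the hunk's first context line, starts outside the hunk.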
CodeQL to run. By default
is set to security-extended. | -| [gradle_opts](#input_gradle_opts) | string | false | `"-Dorg.gradle.jvmargs=-Xmx4g"` | [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to
the CodeQL scanner | -| [ignore_language](#input_ignore_language) | string | false | | Comma-separated list of languages for
CodeQL or Semgrep to ignore.
See [CodeQL Languages](https://github.com/github/codeql-action/blob/main/src/languages.ts) or "scala" for
Semgrep | -| [java_distribution](#input_java_distribution) | string | false | `"temurin"` | Java distribution for "actions/setup-java" to
use | -| [java_server_id_artifactory](#input_java_server_id_artifactory) | string | false | | Java server id for "actions/setup-java"
to use. This will setup
maven server with artifactory credentials
for CodeQL autobuild to use. | -| [java_version](#input_java_version) | string | false | `"21"` | Java version for "actions/setup-java" to
use | -| [job_runner](#input_job_runner) | string | false | `"ubuntu-24.04"` | Customizable job runner for CodeQL
or Semgrep jobs that require
a little extra performance/memory. List
of runners is available in
[Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners). | -| [use_maven_cache](#input_use_maven_cache) | boolean | false | `false` | Uses "actions/cache" to cache local
maven repository, and can speed
up autobuild times for CodeQL | -| [use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | OBSOLETE. This is now autodetected
and enabled if `build.gradle(.kt(s))` is
found. Uses "gradle/action/setup-gradle" before running
autobuild (Java/Kotlin/Scala only). Potentially speeds up
build times if cache from
main branch is utilized | -| [use_setup_java](#input_use_setup_java) | boolean | false | `false` | Uses "actions/setup-java" before running CodeQL
or Gradle Dependency Graph (Java/Kotlin/Scala only).
CodeQL autobuild / Gradle Dependency
Graph will use the Java
version from "actions/setup-java". | +| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION | +|----------------------------------------------------------------------------------------------------------------|---------|----------|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [codeql_queries](#input_codeql_queries) | string | false | `"security-extended"` | Comma-separated list of queries for
CodeQL to run. By default
is set to security-extended. | +| [gradle_opts](#input_gradle_opts) | string | false | `"-Dorg.gradle.jvmargs=-Xmx4g"` | [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to
the CodeQL scanner | +| [ignore_language](#input_ignore_language) | string | false | | Comma-separated list of languages for
CodeQL or Semgrep to ignore.
See [CodeQL Languages](https://github.com/github/codeql-action/blob/main/src/languages.ts) or "scala" for
Semgrep | +| [java_distribution](#input_java_distribution) | string | false | `"temurin"` | Java distribution for "actions/setup-java" to
use | +| [java_server_id_artifactory](#input_java_server_id_artifactory) | string | false | | Java server id for "actions/setup-java"
to use. This will setup
maven server with artifactory credentials
for CodeQL autobuild to use. | +| [java_version](#input_java_version) | string | false | `"21"` | Java version for "actions/setup-java" to
use | +| [job_runner](#input_job_runner) | string | false | `"ubuntu-24.04"` | Customizable job runner for CodeQL
or Semgrep jobs that require
a little extra performance/memory. List
of runners is available in
[Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners). | +| [use_maven_cache](#input_use_maven_cache) | boolean | false | `false` | Uses "actions/cache" to cache local
maven repository, and can speed
up autobuild times for CodeQL | +| [use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | OBSOLETE. This is now autodetected
and enabled if `build.gradle(.kt(s))` is
found. Uses "gradle/action/setup-gradle" before running
autobuild (Java/Kotlin/Scala only). | +| [use_setup_java](#input_use_setup_java) | boolean | false | `false` | Uses "actions/setup-java" before running CodeQL
or Gradle Dependency Graph (Java/Kotlin/Scala only).
CodeQL autobuild / Gradle Dependency
Graph will use the Java
version from "actions/setup-java". | From e79c83436addedce533335ac671d2e639cbe2e05 Mon Sep 17 00:00:00 2001 From: Lillie Rugtveit <126776478+LillieEntur@users.noreply.github.com> Date: Tue, 24 Mar 2026 12:31:54 +0100 Subject: [PATCH 3/3] docs: Remove mentions of setup-gradle cache from README-code-scan.md --- README-code-scan.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/README-code-scan.md b/README-code-scan.md index 28a990e..9cd437a 100644 --- a/README-code-scan.md +++ b/README-code-scan.md @@ -122,11 +122,6 @@ jobs: Code vulnerability scans of Java and Kotlin are done by running autobuild, which runs any identified build systems, like Gradle. -If the project uses the [gradle/actions/setup-gradle](https://github.com/gradle/actions/?tab=readme-ov-file#the-setup-gradle-action) action, you can set code scanning to utilize any available cache from the 'main' branch. This potentially speeds up code analysis jobs. - - -**Gradle Caching is detected by default.** - ## Allowlists The reusable workflow uses [CodeQL](https://codeql.github.com/) to scan the codebase for vulnerabilities. Any discovered vulnerabilities will be published in the _Security_ tab for the repository, under the _Code Scanning_ section. If you believe a finding is a false positive or otherwise not relevant, you can either manually dimiss the alert, or create a scanner config file (YAML-file) with allowlist spec that dismisses all alerts that matches a vulnerability ID. This list is then used in the current repo, but can also be shared and used with other repos.