Merged
7 changes: 4 additions & 3 deletions .github/workflows/code-scan.yml
@@ -4,7 +4,7 @@ on:
workflow_call:
inputs:
use_setup_gradle:
description: 'OBSOLETE. This is now autodetected and enabled if `build.gradle(.kt(s))` is found. Uses "gradle/action/setup-gradle" before running autobuild (Java/Kotlin/Scala only). Potentially speeds up build times if cache from main branch is utilized'
description: 'OBSOLETE. This is now autodetected and enabled if `build.gradle(.kt(s))` is found. Uses "gradle/action/setup-gradle" before running autobuild (Java/Kotlin/Scala only).'
default: false
required: false
type: boolean
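Review bot: the description still names the action as "gradle/action/setup-gradle", while the workflow itself calls `gradle/actions/setup-gradle@v5` (see the `uses:` lines further down in this file); since the README input table is auto-generated from this description, correcting it here to `gradle/actions/setup-gradle` fixes both places at once. It would also help to state what happens when a caller still passes `use_setup_gradle: true` now that the input is obsolete (silently ignored, or still honoured?), so downstream workflows know they can drop it safely.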
@@ -346,7 +346,7 @@ jobs:
ARTIFACTORY_AUTH_TOKEN: ${{ secrets.ARTIFACTORY_AUTH_TOKEN }}
ARTIFACTORY_URL: ${{ vars.ARTIFACTORY_URL }}
with:
cache-read-only: true # Force read only, even in main
cache-disabled: true
add-job-summary: 'on-failure'
dependency-graph: 'generate-and-upload'
dependency-graph-continue-on-failure: true
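Review bot: the replaced line carried a comment (`# Force read only, even in main`) explaining the cache policy, and the new `cache-disabled: true` carries none; add a short comment saying why the Gradle cache is switched off in the scanning job (for instance, that the analysed build should start from a clean state rather than from restored cache entries), otherwise the next reader will be tempted to re-enable it for speed. Dropping `cache-read-only` rather than keeping it alongside `cache-disabled` is fine, since a disabled cache makes the read-only flag moot, but that reasoning belongs in the PR description too.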
@@ -434,7 +434,7 @@ jobs:
if: needs.get-repository-metadata.outputs.found_gradle == 'True' && (matrix.language == 'kotlin' || matrix.language == 'java')
uses: gradle/actions/setup-gradle@v5
with:
cache-read-only: true # Force read only, even in main
cache-disabled: true
add-job-summary: 'on-failure'
dependency-graph: 'generate-and-upload'
github-token: ${{ secrets.GITHUB_TOKEN }}
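Review bot: this is the same `cache-read-only` to `cache-disabled` swap as in the job around line 346, so the two `setup-gradle` steps now have to be kept in sync by hand; consider factoring the shared `with:` values (cache policy, `add-job-summary`, `dependency-graph`) into one place, such as a small composite action, so a later change to one step does not silently diverge from the other. Separately, the guard `found_gradle == 'True'` on the context line is a case-sensitive string comparison against a Python-style boolean; either normalise the metadata job's output to a lowercase `true` or document that it is exactly `True`, because a `true` value would make this step skip without any error.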
@@ -561,4 +561,5 @@ jobs:
}}
uses: gradle/actions/dependency-submission@v5
with:
cache-disabled: true
dependency-graph: download-and-submit # Download saved dependency-graph and submit
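Review bot: `cache-disabled: true` here is reasonable but under-explained: this step runs `dependency-graph: download-and-submit`, which, as the trailing comment says, only downloads the previously saved graph and submits it, so no Gradle build runs and there is nothing for the cache to serve. Extend the existing comment to say the cache is disabled because this step does not build, so the flag is not later mistaken for a missing optimisation and "fixed".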
29 changes: 12 additions & 17 deletions README-code-scan.md
@@ -18,18 +18,18 @@ or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your

<!-- AUTO-DOC-INPUT:START - Do not remove or modify this section -->

| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION |
|----------------------------------------------------------------------------------------------------------------|---------|----------|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <a name="input_codeql_queries"></a>[codeql_queries](#input_codeql_queries) | string | false | `"security-extended"` | Comma-separated list of queries for <br>CodeQL to run. By default <br>is set to security-extended. |
| <a name="input_gradle_opts"></a>[gradle_opts](#input_gradle_opts) | string | false | `"-Dorg.gradle.jvmargs=-Xmx4g"` | [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to <br>the CodeQL scanner |
| <a name="input_ignore_language"></a>[ignore_language](#input_ignore_language) | string | false | | Comma-separated list of languages for <br>CodeQL or Semgrep to ignore. <br>See [CodeQL Languages](https://github.com/github/codeql-action/blob/main/src/languages.ts) or "scala" for <br>Semgrep |
| <a name="input_java_distribution"></a>[java_distribution](#input_java_distribution) | string | false | `"temurin"` | Java distribution for "actions/setup-java" to <br>use |
| <a name="input_java_server_id_artifactory"></a>[java_server_id_artifactory](#input_java_server_id_artifactory) | string | false | | Java server id for "actions/setup-java" <br>to use. This will setup <br>maven server with artifactory credentials <br>for CodeQL autobuild to use. |
| <a name="input_java_version"></a>[java_version](#input_java_version) | string | false | `"21"` | Java version for "actions/setup-java" to <br>use |
| <a name="input_job_runner"></a>[job_runner](#input_job_runner) | string | false | `"ubuntu-24.04"` | Customizable job runner for CodeQL <br>or Semgrep jobs that require <br>a little extra performance/memory. List <br>of runners is available in <br>[Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners). |
| <a name="input_use_maven_cache"></a>[use_maven_cache](#input_use_maven_cache) | boolean | false | `false` | Uses "actions/cache" to cache local <br>maven repository, and can speed <br>up autobuild times for CodeQL |
| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | OBSOLETE. This is now autodetected <br>and enabled if `build.gradle(.kt(s))` is <br>found. Uses "gradle/action/setup-gradle" before running <br>autobuild (Java/Kotlin/Scala only). Potentially speeds up <br>build times if cache from <br>main branch is utilized |
| <a name="input_use_setup_java"></a>[use_setup_java](#input_use_setup_java) | boolean | false | `false` | Uses "actions/setup-java" before running CodeQL <br>or Gradle Dependency Graph (Java/Kotlin/Scala only). <br>CodeQL autobuild / Gradle Dependency <br>Graph will use the Java <br>version from "actions/setup-java". |
| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION |
|----------------------------------------------------------------------------------------------------------------|---------|----------|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <a name="input_codeql_queries"></a>[codeql_queries](#input_codeql_queries) | string | false | `"security-extended"` | Comma-separated list of queries for <br>CodeQL to run. By default <br>is set to security-extended. |
| <a name="input_gradle_opts"></a>[gradle_opts](#input_gradle_opts) | string | false | `"-Dorg.gradle.jvmargs=-Xmx4g"` | [Gradle build options](https://docs.gradle.org/current/userguide/build_environment.html#environment_variables_reference) to pass on to <br>the CodeQL scanner |
| <a name="input_ignore_language"></a>[ignore_language](#input_ignore_language) | string | false | | Comma-separated list of languages for <br>CodeQL or Semgrep to ignore. <br>See [CodeQL Languages](https://github.com/github/codeql-action/blob/main/src/languages.ts) or "scala" for <br>Semgrep |
| <a name="input_java_distribution"></a>[java_distribution](#input_java_distribution) | string | false | `"temurin"` | Java distribution for "actions/setup-java" to <br>use |
| <a name="input_java_server_id_artifactory"></a>[java_server_id_artifactory](#input_java_server_id_artifactory) | string | false | | Java server id for "actions/setup-java" <br>to use. This will setup <br>maven server with artifactory credentials <br>for CodeQL autobuild to use. |
| <a name="input_java_version"></a>[java_version](#input_java_version) | string | false | `"21"` | Java version for "actions/setup-java" to <br>use |
| <a name="input_job_runner"></a>[job_runner](#input_job_runner) | string | false | `"ubuntu-24.04"` | Customizable job runner for CodeQL <br>or Semgrep jobs that require <br>a little extra performance/memory. List <br>of runners is available in <br>[Confluence](https://enturas.atlassian.net/wiki/spaces/ESP/pages/4989059095/GitHub+Actions+Runners). |
| <a name="input_use_maven_cache"></a>[use_maven_cache](#input_use_maven_cache) | boolean | false | `false` | Uses "actions/cache" to cache local <br>maven repository, and can speed <br>up autobuild times for CodeQL |
| <a name="input_use_setup_gradle"></a>[use_setup_gradle](#input_use_setup_gradle) | boolean | false | `false` | OBSOLETE. This is now autodetected <br>and enabled if `build.gradle(.kt(s))` is <br>found. Uses "gradle/action/setup-gradle" before running <br>autobuild (Java/Kotlin/Scala only). |
| <a name="input_use_setup_java"></a>[use_setup_java](#input_use_setup_java) | boolean | false | `false` | Uses "actions/setup-java" before running CodeQL <br>or Gradle Dependency Graph (Java/Kotlin/Scala only). <br>CodeQL autobuild / Gradle Dependency <br>Graph will use the Java <br>version from "actions/setup-java". |

<!-- AUTO-DOC-INPUT:END -->

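Review bot: the table sits inside the `AUTO-DOC-INPUT` markers ("Do not remove or modify this section"), so this hunk should only ever be regenerated from the workflow's `inputs:`; the single substantive change is the `use_setup_gradle` row, where the sentence about reusing the main-branch cache was dropped, and the remaining churn (12 lines deleted and 12 re-added for one changed cell) is column re-padding by the generator. One inconsistency the regenerated table exposes: `use_maven_cache` still advertises caching the local Maven repository with `actions/cache` to speed up autobuild, while the Gradle equivalent is now disabled. If the intent is that the scan never builds from cached state, the Maven path needs the same treatment and the same README note; if Maven caching is intentionally kept, say so in the PR.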
@@ -122,11 +122,6 @@ jobs:

Code vulnerability scans of Java and Kotlin are done by running autobuild, which runs any identified build systems, like Gradle.

If the project uses the [gradle/actions/setup-gradle](https://github.com/gradle/actions/?tab=readme-ov-file#the-setup-gradle-action) action, you can set code scanning to utilize any available cache from the 'main' branch. This potentially speeds up code analysis jobs.


**Gradle Caching is detected by default.**

## Allowlists
The reusable workflow uses [CodeQL](https://codeql.github.com/) to scan the codebase for vulnerabilities. Any discovered vulnerabilities will be published in the _Security_ tab for the repository, under the _Code Scanning_ section. If you believe a finding is a false positive or otherwise not relevant, you can either manually dimiss the alert, or create a scanner config file (YAML-file) with allowlist spec that dismisses all alerts that matches a vulnerability ID. This list is then used in the current repo, but can also be shared and used with other repos.

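Review bot: the hunk removes the paragraph telling users they can reuse the `main` branch Gradle cache and the bold line "Gradle Caching is detected by default", but nothing is added in their place, so the README no longer states the current behaviour at all. Add one sentence after the autobuild paragraph saying that the Gradle cache is disabled in the scanning jobs and that `use_setup_gradle` is obsolete, so readers who remember the old text are not left guessing. On the unchanged context line: "dimiss" should be "dismiss" and "alerts that matches" should be "alerts that match"; fine as a follow-up typo fix.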