mirror of
https://github.com/gradle/actions.git
synced 2026-03-23 04:25:46 +08:00
With this change, the caching functionality of `setup-gradle` and `dependency-submission` is now provided by `gradle-actions-caching`, a closed-source library distributed under our [Terms of Use](https://gradle.com/legal/terms-of-use/). The rest of the action implementation remains open source. Using `setup-gradle` or `dependency-submission` with caching enabled involves loading and using the `gradle-actions-caching` component, requiring acceptance of the [Terms of Use](https://gradle.com/legal/terms-of-use/).

There are no functional changes to caching provided by these actions: all workflows will continue to function as before. The non-caching aspects of action implementation remain open source. By running these actions with caching disabled they can be used without ever loading `gradle-actions-caching` or accepting the license terms.

Supporting the caching infrastructure in this project requires a substantial engineering investment by Gradle Technologies, which we can sustain thanks to Develocity, our commercial offering. Caching technologies are a core part of the Develocity offering, and the caching in `setup-gradle` fits squarely in that space. This licensing change lets us continue to build advanced capabilities that go beyond what we would offer as open source. Proper production-ready Configuration Cache support will be the first capability. Improving build performance for self-hosted runners will follow.

We may introduce functionality restrictions in future updates. However, caching functionality will remain free for public repositories. We have a long-standing commitment to open source, as maintainers of Gradle Build Tool, and by [sponsoring the open source community](https://gradle.com/oss-sponsored-by-develocity/) with free Develocity licenses. Public repositories are primarily used by open source projects, and we remain committed to supporting them.

- Implementation of caching logic to save and restore Gradle User Home content has been removed, replaced by the `gradle-actions-caching` component.
- The `@actions/caching` library is still used to cache Gradle distributions that are downloaded and provisioned by `setup-gradle`. This PR updates to the latest version of `@actions/caching`, and removes the patch that is no longer required.
- License notices are now displayed in documentation, logs and the generated Job Summary.
52 lines
1.6 KiB
YAML
```yaml
name: CI-ossf-scorecard
on:
  schedule:
    - cron: '0 5 * * 1'
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write

    steps:
      - name: 'Checkout code'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          show-progress: false

      - name: 'Run analysis'
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif

          # Public repositories:
          # - Publish results to OpenSSF REST API for easy access by consumers
          # - Allows the repository to include the Scorecard badge.
          # - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          # - `publish_results` will always be set to `false`, regardless
          #   of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: 'Upload artifact'
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
```