chore(deps): bump the dependencies group with 2 updates #503

dependabot · 2025-10-06T07:05:29Z

Bumps the dependencies group with 2 updates: gradle/actions and ossf/scorecard-action.

Updates gradle/actions from 4.4.3 to 5.0.0

Release notes

Sourced from gradle/actions's releases.

v5.0.0

What's Changed

Breaking Changes

Upgrade to node 24 by @amyu in gradle/actions#721

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency upgrades

Bump the github-actions group across 1 directory with 2 updates by @dependabot[bot] in gradle/actions#748

Full Changelog: gradle/actions@v4...v5.0.0

v4.4.4

What's Changed

Bump the github-actions group across 2 directories with 3 updates by @dependabot[bot] in gradle/actions#726

Regenerating package lock by @cdsap in gradle/actions#729

Update known wrapper checksums by @github-actions[bot] in gradle/actions#730

Bump the github-actions group across 1 directory with 3 updates by @dependabot[bot] in gradle/actions#735

Bump the gradle group across 3 directories with 1 update by @dependabot[bot] in gradle/actions#734

Bump the npm-dependencies group in /sources with 4 updates by @dependabot[bot] in gradle/actions#733

Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 by @bot-githubaction in gradle/actions#736

Handle gracefully parse errors in checksum file by @jprinet in gradle/actions#737

Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl by @bot-githubaction in gradle/actions#742

Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/java-toolchain by @bot-githubaction in gradle/actions#741

Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/groovy-dsl by @bot-githubaction in gradle/actions#740

Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/gradle-plugin by @bot-githubaction in gradle/actions#739

Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /sources/test/init-scripts by @bot-githubaction in gradle/actions#738

Update known wrapper checksums by @github-actions[bot] in gradle/actions#743

Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by @dependabot[bot] in gradle/actions#746

Bump the npm-dependencies group in /sources with 5 updates by @dependabot[bot] in gradle/actions#745

Full Changelog: gradle/actions@v4...v4.4.4

Commits

4d9f0ba Bump the github-actions group across 1 directory with 2 updates (#748)
4b530e3 Bump the github-actions group across 1 directory with 2 updates
e60655a Upgrade to node 24 (#721)
748248d Bump the npm-dependencies group in /sources with 5 updates (#745)
81b68c9 Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflo...
1361730 Bump com.google.guava:guava
a86ac11 Bump the npm-dependencies group in /sources with 5 updates
182e4d3 [bot] Update dist directory
a48a0fa Update known wrapper checksums (#743)
6d7d019 Update known wrapper checksums
Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

docs: clarify GITHUB_TOKEN permissions needed for private repos by @pankajtaneja5 in ossf/scorecard-action#1574

📖 Fix recommended command to test the image in development by @deivid-rodriguez in ossf/scorecard-action#1583

Other

add missing top-level token permissions to workflows by @timothyklee in ossf/scorecard-action#1566

setup codeowners for requesting reviews by @spencerschrock in ossf/scorecard-action#1576

🌱 Improve printing options by @deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

@timothyklee made their first contribution in ossf/scorecard-action#1566

@pankajtaneja5 made their first contribution in ossf/scorecard-action#1574

@deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

Commits

4eaacf0 bump docker to ghcr v2.4.3 (#1587)
42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
92083b5 📖 Fix recommended command to test the image in development (#1583)
7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
c3f1350 🌱 Improve printing options (#1584)
43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 2 updates: [gradle/actions](https://github.com/gradle/actions) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `gradle/actions` from 4.4.3 to 5.0.0 - [Release notes](https://github.com/gradle/actions/releases) - [Commits](gradle/actions@ed40850...4d9f0ba) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) --- updated-dependencies: - dependency-name: gradle/actions dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <[email protected]>

coderabbitai · 2025-10-06T07:05:41Z

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Oct 08 2025 to showcase some of the refinements we've made.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

fossabot · 2025-10-06T07:15:43Z

Needs Review

I recommend reviewing this upgrade before merging because the dependabot metadata claims to update gradle/actions to version 5.0.0, but this version does not exist yet according to the GitHub releases page - the current latest version is in the 4.x series. Additionally, the upgrade includes a high-severity security fix (CVE-2023-30853) for the deprecated gradle-build-action package, though the current codebase uses the newer gradle/actions package which replaced it. The ossf/scorecard-action patch update to 2.4.3 appears to be a routine maintenance release. Manual verification is needed to confirm the gradle/actions version is correct and that the Java release workflow functions properly with the claimed v5.0.0 update.

What we checked

gradle/actions/wrapper-validation uses commit hash 4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 with comment '# v4', but dependabot claims this is v5.0.0 ^[1]
gradle/actions/setup-gradle uses same commit hash 4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 with comment '# v4' for Maven Central publishing workflow ^[2]
ossf/scorecard-action updated to v2.4.3 (commit 4eaacf0543bb3f2c246792bd56e8cdeffafb205a) - routine patch update for security scanning ^[3]
According to web research, gradle/actions v5.0.0 does not exist yet - current latest is v4.x series, contradicting the dependabot upgrade claim from 4.4.3 to 5.0.0 ^[4]
gradle/actions replaced the deprecated gradle-build-action starting from v3, requiring workflow updates. The CVE-2023-30853 vulnerability applies to the old gradle-build-action package, not the current gradle/actions being used ^[5]

Dependency Usage

These GitHub Actions are used exclusively in CI/CD automation workflows: gradle/actions enables Java package publishing to Maven Central and GitHub Packages through Gradle wrapper validation and build setup, while ossf/scorecard-action performs automated supply-chain security analysis with results published to GitHub's code scanning dashboard. Together they support the release pipeline for the Java SDK package and maintain security compliance monitoring for the repository.

Changes

This pull request upgrades two GitHub Actions dependencies: gradle/actions adds Node 24 support and improves Gradle wrapper checksum handling, while ossf/scorecard-action adds missing top-level token permissions to workflows and fixes documentation for private repository setup. The changes include one bug fix for checksum parsing errors and one security-focused feature for workflow permissions.

Upgrade to node 24 by @amyu in Upgrade to node 24 gradle/actions#721 (vv5.0.0, release notes)
Bump the github-actions group across 1 directory with 2 updates by @dependabot[bot] in Bump the github-actions group across 1 directory with 2 updates gradle/actions#748 (vv5.0.0, release notes)
Regenerating package lock by @cdsap in Regenerating package lock gradle/actions#729 (vv4.4.4, release notes)

View 13 more changes

Update known wrapper checksums by @github-actions[bot] in Update known wrapper checksums gradle/actions#730 (vv4.4.4, release notes)
Bump the gradle group across 3 directories with 1 update by @dependabot[bot] in Bump the gradle group across 3 directories with 1 update gradle/actions#734 (vv4.4.4, release notes)
Bump the npm-dependencies group in /sources with 4 updates by @dependabot[bot] in Bump the npm-dependencies group in /sources with 4 updates gradle/actions#733 (vv4.4.4, release notes)
Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 by @bot-githubaction in Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 gradle/actions#736 (vv4.4.4, release notes)
Handle gracefully parse errors in checksum file by @jprinet in Handle gracefully parse errors in checksum file gradle/actions#737 (vv4.4.4, release notes)
Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl by @bot-githubaction in Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl gradle/actions#742 (vv4.4.4, release notes)
Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by @dependabot[bot] in Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory gradle/actions#746 (vv4.4.4, release notes)
docs: clarify GITHUB_TOKEN permissions needed for private repos by @pankajtaneja5 in docs: clarify GITHUB_TOKEN permissions needed for private repos ossf/scorecard-action#1574 (vv2.4.3, release notes)
📖 Fix recommended command to test the image in development by @deivid-rodriguez in 📖 Fix recommended command to test the image in development ossf/scorecard-action#1583 (vv2.4.3, release notes)
add missing top-level token permissions to workflows by @timothyklee in add missing top-level token permissions to workflows ossf/scorecard-action#1566 (vv2.4.3, release notes)
setup codeowners for requesting reviews by @spencerschrock in setup codeowners for requesting reviews ossf/scorecard-action#1576 (vv2.4.3, release notes)
🌱 Improve printing options by @deivid-rodriguez in 🌱 Improve printing options ossf/scorecard-action#1584 (vv2.4.3, release notes)
@timothyklee made their first contribution in add missing top-level token permissions to workflows ossf/scorecard-action#1566 (vv2.4.3, release notes)

References (5)

[1]: gradle/actions/wrapper-validation uses commit hash 4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 with comment '# v4', but dependabot claims this is v5.0.0

language/.github/workflows/pkg-java-release.yaml

Line 40 in 2115b16

    
           uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v4

[2]: gradle/actions/setup-gradle uses same commit hash 4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 with comment '# v4' for Maven Central publishing workflow

language/.github/workflows/pkg-java-release.yaml

Line 43 in 2115b16

uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v4

[3]: ossf/scorecard-action updated to v2.4.3 (commit 4eaacf0543bb3f2c246792bd56e8cdeffafb205a) - routine patch update for security scanning

language/.github/workflows/scorecard.yml

Line 42 in 2115b16

uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3

[4]: According to web research, gradle/actions v5.0.0 does not exist yet - current latest is v4.x series, contradicting the dependabot upgrade claim from 4.4.3 to 5.0.0 (source link)

[5]: gradle/actions replaced the deprecated gradle-build-action starting from v3, requiring workflow updates. The CVE-2023-30853 vulnerability applies to the old gradle-build-action package, not the current gradle/actions being used (source link)

fossabot analyzed this PR using dependency research.

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 6, 2025

dependabot bot requested review from a team as code owners October 6, 2025 07:05

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump the dependencies group with 2 updates #503

chore(deps): bump the dependencies group with 2 updates #503

Uh oh!

dependabot bot commented on behalf of github Oct 6, 2025

Uh oh!

coderabbitai bot commented Oct 6, 2025

Review skipped

Free review on us!

Uh oh!

fossabot bot commented Oct 6, 2025 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): bump the dependencies group with 2 updates #503

Are you sure you want to change the base?

chore(deps): bump the dependencies group with 2 updates #503

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 6, 2025

v5.0.0

What's Changed

Breaking Changes

Dependency upgrades

v4.4.4

What's Changed

v2.4.3

What's Changed

Documentation

Other

New Contributors

Uh oh!

coderabbitai bot commented Oct 6, 2025

Review skipped

Free review on us!

Uh oh!

fossabot bot commented Oct 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Needs Review

What we checked

Dependency Usage

Changes

Uh oh!

Uh oh!

fossabot bot commented Oct 6, 2025 •

edited

Loading