gateway: bump gradle/actions from 6.0.1 to 6.1.0#681
Conversation
Bumps [gradle/actions](https://github.com/gradle/actions) from 6.0.1 to 6.1.0. - [Release notes](https://github.com/gradle/actions/releases) - [Commits](gradle/actions@39e147c...50e97c2) --- updated-dependencies: - dependency-name: gradle/actions dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
|
This action now contains proprietary 'Enhanced Caching' code. Not sure if we're comfortable with that? |
|
Agreed. I missed it in previous version but I think we should just not allow it. |
|
6.1.0 introduced
|
I guess that changes things - the only thing it is not default, and we have - currently no way to verify it - unless we add custom check on our actions scanner. |
|
Got it. So, is this |
I guess - if we agree to that. |
raboof
left a comment
raboof
left a comment
There was a problem hiding this comment.
Having slept on this I think it is OK to leave this for the projects to decide.
Since it is possible to use the action transparently, and Gradle is a 'trustworthy' partner so we don't expect shenanigans even in the proprietary cache implementation, I think we can allow the action here and leave it up to the individual projects to decide their risk appetite.
While adding this check to a scanner tool would be neat, it doesn't seem like a high priority - we're already overloading projects with information so we should be careful with that.
Approving, but not merging yet, would be good to have more consensus.
I am ok with that - maybe we can - indeed add some checks in our current (and updated in the future) action checker for ASF PMCs. That could be a warning initially or error later if we find that gradle action is miconfigured. |
|
Is 2 people enough for a consensus ? :) |
|
:D since the license change is actually already there since the previous update and I saw no other objections I think 2 is sufficient - we can always revisit this decision later. |
3 participants
Bumps gradle/actions from 6.0.1 to 6.1.0.
Release notes
Sourced from gradle/actions's releases.
Commits
50e97c2Link to docs for caching providersf2e6298Restructure caching documentation for basic and enhanced providers (#934)b294b1eReally fix integ-test-full83d3189Revise license details for gradle-actions-caching1d5db06Update license link for gradle-actions-caching component1c80961Fix license link for Enhanced Caching component9e99920Fix integ-test-full workflowbb8aaafFix workflow permissionsf5dfb43[bot] Update dist directoryff9ae24Add open-source 'basic' cache provider and revamp licensing documentation (#930)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)