Highlights

This release brings significant behaviour improvements to Enhanced caching, improvements to the generated Job Summary, and a number of correctness and security fixes.

1. Improved cache-cleanup mechanism. Cleanup of stale files from the Gradle User Home is now faster, and no longer depends on Gradle or a JVM. It works by inspecting the local file state directly, removing the Gradle invocation from the post-build step.
2. More granular, more stable caching. The local build cache is stored as a separate cache entry, so it can be restored and invalidated independently of the main Gradle User Home entry. Transient Gradle housekeeping files are excluded from the cache, reducing its size and improving stability.
3. Hide obsolete Job summaries in PR commments: When a new Job summary comment is added to a PR, previous outdated Job summaries are now hidden.
4. Improved caching report in the job summary. The cache report now uses a single, consistent layout across all cache states and providers. Provider information is integrated directly into the report, and per-entry details are available in an expandable section. (#985)
5. Correctness and security fixes. A unique cache key is now used per run attempt, so re-runs no longer collide; the job summary shows the cache key string rather than an internal id; and bundled dependencies have been updated, including a ReDoS fix and a fast-xml CVE fix.

What's Changed

• Remove unnecessary dependency overrides by @bigdaz in #981
• Scope CI-integ-test concurrency groups per-branch by @bigdaz in #983
• Improve typings by @Vampire in #938
• Hide obsolete Job summaries by @SimonMarquis in #902
• CI: add requireable aggregate/no-op checks for branch protection by @bigdaz in #984
• Redesign the caching Job Summary by @bigdaz in #985

New Contributors

• @Vampire made their first contribution in #938

Full Changelog: v6.1.1...v6.2.0

Contributors

• @bigdaz
• @Vampire
• @SimonMarquis

This release updates various dependency versions, resolving several reported security vulnerabilities.
No functional changes are included

What's Changed

• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /sources/test/init-scripts by @bot-githubaction in #961
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/gradle-plugin by @bot-githubaction in #962
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/groovy-dsl by @bot-githubaction in #963
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/java-toolchain by @bot-githubaction in #964
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/kotlin-dsl by @bot-githubaction in #965
• Update known wrapper checksums by @github-actions[bot] in #937
• Bump the github-actions group across 2 directories with 8 updates by @dependabot[bot] in #976
• Bump the npm-dependencies group across 1 directory with 14 updates by @dependabot[bot] in #970
• Bump references to Develocity Gradle plugin from 4.4.0 to 4.4.2 by @bot-githubaction in #973
• Bump the npm-dependencies group in /sources with 5 updates by @dependabot[bot] in #977
• Update @actions/cache and @actions/artifact, stop ignoring them in Dependabot by @bigdaz in #978
• Resolve npm security vulnerabilities via dependency overrides by @bigdaz in #980

Full Changelog: v6.1.0...v6.1.1

Contributors

• @bigdaz
• @dependabot
• @bot-githubaction

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

• Built on @actions/cache -- fully open source
• Caches ~/.gradle/caches and ~/.gradle/wrapper directories
• Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
• Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

• New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
• Simplified licensing notices in README, docs, and runtime log output
• Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

• Use a unique cache entry for wrapper-validation test by @bigdaz in #921
• Update Dependencies by @bigdaz in #922
• Update dependencies and resolve npm vulnerabilities by @bigdaz in #933
• Add open-source 'basic' cache provider and revamp licensing documentation by @bigdaz in #930
• Restructure caching documentation for basic and enhanced providers by @bigdaz in #934

Full Changelog: v6.0.1...v6.1.0

Contributors

• @bigdaz

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

• Bump actions used in docs by @Goooler in #792
• Add typing information for use by typesafegithub by @bigdaz in #910
• Mute license warning when terms are accepted by @bigdaz in #911
• Mention explicit license acceptance in notice by @bigdaz in #912
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.1 to 2.21.2 in /sources/test/init-scripts in the gradle group across 1 directory by @dependabot[bot] in #907

Full Changelog: v6.0.0...v6.0.1

Contributors

• @bigdaz
• @Goooler
• @dependabot

Summary

• Caching functionality of 'gradle-actions' has been extracted into a separate gradle-actions-caching library, and is no longer open-source. See this blog post for more context.
• Existing, rudimentary, configuration-cache support has been removed, pending a fully functional implementation in gradle-actions-caching.
• Dependencies updated to address security vulnerabilities

What's Changed

• Bump the npm-dependencies group in /sources with 2 updates by @dependabot[bot] in #866
• Update known wrapper checksums by @github-actions[bot] in #868
• Dependency updates by @bigdaz in #876
• Update known wrapper checksums by @github-actions[bot] in #878
• Bump @types/node from 25.3.3 to 25.3.5 in /sources in the npm-dependencies group across 1 directory by @dependabot[bot] in #877
• Bump the github-actions group across 3 directories with 3 updates by @dependabot[bot] in #867
• Update known wrapper checksums by @github-actions[bot] in #881
• Bump the npm-dependencies group in /sources with 6 updates by @dependabot[bot] in #879
• Bump the github-actions group across 3 directories with 5 updates by @dependabot[bot] in #880
• Remove configuration-cache support by @bigdaz in #884
• Extract caching logic into a separate gradle-actions-caching component by @bigdaz in #885
• Update gradle-actions-caching library to v0.3.0 by @bot-githubaction in #899
• Avoid windows shutdown bug by @bigdaz in #900
• Dependency updates by @bigdaz in #905
• Fix critical and high npm vulnerabilities by @bigdaz in #904
• Fix rendering of job-disabled message by @bigdaz in #909

Full Changelog: v5.0.2...v6.0.0

Contributors

• @bigdaz
• @dependabot
• @bot-githubaction

Summary

This release contains no functional changes. It updates dependencies and known Gradle wrapper checksums.

What's Changed

• Update dependencies by @bigdaz in #851
• Bump the github-actions group across 2 directories with 3 updates by @dependabot[bot] in #850
• Update DV config by @bigdaz in #848
• Convert project to ESM and update dependencies by @bigdaz in #854
• Workflow fixes by @bigdaz in #856
• Remove superfluous text from log message by @bigdaz in #861
• Bump the github-actions group across 1 directory with 2 updates by @dependabot[bot] in #860
• Bump the npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #859
• Update known wrapper checksums by @github-actions[bot] in #857
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.0 to 2.21.1 in /sources/test/init-scripts in the gradle group across 1 directory by @dependabot[bot] in #862
• Bump the npm-dependencies group in /sources with 2 updates by @dependabot[bot] in #863
• Bump github/codeql-action from 4.32.3 to 4.32.4 in the github-actions group across 1 directory by @dependabot[bot] in #864

Full Changelog: v5.0.1...v5.0.2

Contributors

• @bigdaz
• @dependabot

What's Changed

• Bump npm code dependency versions
• Bump Gradle versions used in sample builds
• Bump dependencies versions in Gradle sample builds
• Bump GitHub actions used for build and test
• Update known wrapper checksums to include Gradle 9.2+

Full Changelog: v5.0.0...v5.0.1

What's Changed

Breaking Changes

• Upgrade to node 24 by @amyu in #721

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency upgrades

• Bump the github-actions group across 1 directory with 2 updates by @dependabot[bot] in #748

Full Changelog: v4...v5.0.0

Contributors

• @amyu
• @dependabot

What's Changed

• Bump the github-actions group across 2 directories with 3 updates by @dependabot[bot] in #726
• Regenerating package lock by @cdsap in #729
• Update known wrapper checksums by @github-actions[bot] in #730
• Bump the github-actions group across 1 directory with 3 updates by @dependabot[bot] in #735
• Bump the gradle group across 3 directories with 1 update by @dependabot[bot] in #734
• Bump the npm-dependencies group in /sources with 4 updates by @dependabot[bot] in #733
• Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 by @bot-githubaction in #736
• Handle gracefully parse errors in checksum file by @jprinet in #737
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl by @bot-githubaction in #742
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/java-toolchain by @bot-githubaction in #741
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/groovy-dsl by @bot-githubaction in #740
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/gradle-plugin by @bot-githubaction in #739
• Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /sources/test/init-scripts by @bot-githubaction in #738
• Update known wrapper checksums by @github-actions[bot] in #743
• Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by @dependabot[bot] in #746
• Bump the npm-dependencies group in /sources with 5 updates by @dependabot[bot] in #745

Full Changelog: v4...v4.4.4

Contributors

• @cdsap
• @jprinet
• @dependabot
• @bot-githubaction

What's Changed

• Adapt tests to future new Build Scan publication message by @alextu in #708
• Add missing Gradle version input to setup-gradle by @jprinet in #713
• Bump the github-actions group across 2 directories with 4 updates by @dependabot[bot] in #710
• Bump references to Develocity Gradle plugin from 4.1 to 4.1.1 by @bot-githubaction in #712
• Update known wrapper checksums by @github-actions[bot] in #709
• Bump the npm-dependencies group across 1 directory with 4 updates by @dependabot[bot] in #711
• Do not run setup-gradle post action if workflow is cancelled by @jprinet in #716
• Bump the github-actions group across 2 directories with 2 updates by @dependabot[bot] in #715
• Bump the npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in #720
• Bump github/codeql-action from 3.29.11 to 3.30.0 in the github-actions group across 1 directory by @dependabot[bot] in #719
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.19.2 to 2.20.0 in /sources/test/init-scripts in the gradle group across 1 directory by @dependabot[bot] in #718
• Update known wrapper checksums by @github-actions[bot] in #723
• Bump the npm-dependencies group in /sources with 5 updates by @dependabot[bot] in #725

Full Changelog: v4.4.2...v4.4.3

Contributors

• @alextu
• @jprinet
• @dependabot
• @bot-githubaction