
Add workflow for Update Gradle Wrapper Action. #3297

Merged
merged 2 commits into from
Oct 11, 2020

Conversation

cristiangreco
Contributor

Hey there 👋, first of all thanks for your work on the TestContainers project!

I've got a suggested change: would you be willing to use this GitHub Action to automatically keep Gradle Wrapper updated to latest release?

What does "Update Gradle Wrapper Action" do? It can be configured to run at scheduled intervals (e.g. daily or weekly) and will check whether the Wrapper script in the repo is up-to-date to the latest Gradle release: in case a new Gradle version is available, it will create a PR to update the Wrapper. And that's it!

Why is that a good thing? Well, first of all it alleviates the chore of manually updating the Wrapper, as you get a task that keeps track of new Gradle releases for you! More importantly, it boosts security around the Wrapper update and usage processes: this action verifies that the gradle-wrapper.jar file has not been tampered with (using checksum comparison), and it sets the distributionSha256Sum property so that the new Gradle binary itself will be verified locally upon download.

Where can I find out more? The README contains quite detailed information!

In this PR I propose adding a new workflow which runs the action every day at midnight (but feel free to adjust the frequency as you prefer). I've verified it works correctly in my fork of the repo, and you can see here what a PR will look like.

The action is under active development; you can have a look at the list of inputs currently supported. There are new features coming up soon, and if you'd like to request any particular change just let me know!

I'd love to see the action used by TestContainers and I genuinely hope you can find this useful. Would love your feedback! ❤️

@rnorth
Member

rnorth commented Oct 2, 2020

Hi @cristiangreco

I think as a general principle we'd want to use Dependabot for all version bumping - but it doesn't cover Gradle version upgrades, so there's definitely a gap that this action addresses!

I think I'd be happy with a couple of tweaks:

  • For third party GitHub Actions we'd like to always use a SHA rather than an unpinned version or a tag reference. It's more of a chore for us to upgrade actions, but less risk if something in the chain gets compromised.
  • Would it be possible to customise the labels that get applied to the PR? For our purposes we'd like to have the dependencies label applied. Could the action be updated to accept a list of labels that overrides the default?
  • We'd like to use the Gradle-provided wrapper validation action as well, even though there's some crossover in functionality with your library. Having validation being done by Gradle's own code would help satisfy our paranoia :)

Thanks
Richard

@cristiangreco
Contributor Author

@rnorth thanks for your reply!

For third party GitHub Actions we'd like to always use a SHA rather than an unpinned version or a tag reference. It's more of a chore for us to upgrade actions, but less risk if something in the chain gets compromised.

It makes sense to me if you want to stay on the safe side. You might not automatically benefit from new functionalities or fixes as v1 continues to get updated, but I totally understand that you want to have more control over a 3rd party repo that is not part of the Gradle org.

Would it be possible to customise the labels that get applied to the PR? For our purposes we'd like to have the dependencies label applied. Could the action be updated to accept a list of labels that overrides the default?

Sure thing, will work on it! Would it be ok for your use case if the labels you specify are added to the one already set by the action?

We'd like to use the Gradle-provided wrapper validation action as well, even though there's some crossover in functionality with your library. Having validation being done by Gradle's own code would help satisfy our paranoia :)

This is totally doable, you can add another step in the workflow that runs the WVA just after UGW.

Will update the PR with all the changes mentioned above 🙂

@rnorth
Member

rnorth commented Oct 2, 2020

Thanks!

but I totally understand that you want to have more control over a 3rd party repo that is not part of the Gradle org.

It's not just not being part of the gradle org - actually we should use SHA pinning for the Gradle-provided action as well, because the same risk exists with that. We're just keen to make sure any action that isn't provided by GitHub themselves is pinned.

Sure thing, will work on it! Would it be ok for your use case if the labels you specify are added to the one already set by the action?

Yep, absolutely fine! As long as we can add a specific label, we don't mind which other labels are there.

Thanks again

This action keeps Gradle Wrapper up-to-date to the latest release. It
will run every day at midnight (UTC) and create a pull request if a new
Gradle version is available. The updated Wrapper script is validated
(with checksum verification) during the update process, and the Wrapper
is set up so that it will validate the Gradle binary itself on first run
of the new version.

Here we stick to action version v1.0.9 (74a035c).
@cristiangreco
Contributor Author

Hey @rnorth I've updated this PR with the requested changes:

  • pinning to a sha (it's the one that corresponds to latest release, v1.0.9)
  • setting an additional dependencies label
  • additionally run the wrapper validation action at the end

Let me know if it looks ok to you 🙂
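A defender-side check for the two policies agreed in this thread (third-party actions pinned to a full commit SHA, and the Wrapper carrying a distributionSha256Sum), written as an added example that is not part of this PR or of either action's own code. The workflow and gradle-wrapper.properties snippets are constructed, and the action repository name example-org/update-gradle-wrapper-action is a placeholder, not the real action.

```python
import re

# Constructed sample workflow (not the PR's actual file): one action on a tag,
# one pinned to a full commit SHA, one GitHub-owned action on a tag.
SAMPLE_WORKFLOW = """\
name: Update Gradle Wrapper
on:
  schedule:
    - cron: "0 0 * * *"
jobs:
  update-gradle-wrapper:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: example-org/update-gradle-wrapper-action@0123456789abcdef0123456789abcdef01234567
      - uses: gradle/wrapper-validation-action@v1
"""

# Constructed gradle-wrapper.properties files, with and without distributionSha256Sum.
SAMPLE_PROPS_OK = """\
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.6.1-bin.zip
distributionSha256Sum=0000000000000000000000000000000000000000000000000000000000000000
"""
SAMPLE_PROPS_MISSING = """\
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.6.1-bin.zip
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Namespaces treated as GitHub's own (the "provided by GitHub themselves" exemption);
# anything else must be pinned to a full commit SHA, tags and branches are not enough.
FIRST_PARTY = ("actions/", "github/")


def unpinned_actions(workflow_text):
    """Return third-party `uses:` references that are not pinned to a 40-hex commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions carry no GitHub ref to pin
        repo, _, version = ref.partition("@")
        if repo.startswith(FIRST_PARTY):
            continue
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def wrapper_has_sha256(props_text):
    """True if gradle-wrapper.properties sets a non-empty distributionSha256Sum."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "distributionSha256Sum" and value.strip():
            return True
    return False
```

On the sample workflow the check flags only the tag-pinned Gradle validation action, which is exactly the miss the review below caught.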

Member

@bsideup bsideup left a comment


👍

Member

@rnorth rnorth left a comment


Sorry, just spotted that the gradle action is not pinned!

Co-authored-by: Richard North <rich.north@gmail.com>
@cristiangreco
Contributor Author

Sorry, just spotted that the gradle action is not pinned!

Sure, have committed your suggestion!

Member

@rnorth rnorth left a comment


Great, thanks!

@rnorth rnorth merged commit bc7aaaf into testcontainers:master Oct 11, 2020
bsideup added a commit that referenced this pull request Feb 6, 2021
* Simplify `KafkaContainerCluster#start`

* When an image version is not specified, use `latest` as the default tag (#3313)

* Add workflow for Update Gradle Wrapper Action. (#3297)

Co-authored-by: Richard North <rich.north@gmail.com>

* Always continue on error for examples CI (#3339)

* Bump snakeyaml from 1.25 to 1.27 in /core (#3252)

Bumps [snakeyaml](https://bitbucket.org/asomov/snakeyaml) from 1.25 to 1.27.
- [Commits](https://bitbucket.org/asomov/snakeyaml/branches/compare/snakeyaml-1.27..snakeyaml-1.25)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump lombok from 1.18.12 to 1.18.14 in /examples (#3322)

Bumps [lombok](https://github.com/rzwitserloot/lombok) from 1.18.12 to 1.18.14.
- [Release notes](https://github.com/rzwitserloot/lombok/releases)
- [Changelog](https://github.com/rzwitserloot/lombok/blob/master/doc/changelog.markdown)
- [Commits](projectlombok/lombok@v1.18.12...v1.18.14)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump r2dbc-mariadb from 0.8.3-beta1 to 0.8.4-rc in /modules/mariadb (#3300)

Bumps [r2dbc-mariadb](https://github.com/mariadb-corporation/mariadb-connector-r2dbc) from 0.8.3-beta1 to 0.8.4-rc.
- [Release notes](https://github.com/mariadb-corporation/mariadb-connector-r2dbc/releases)
- [Changelog](https://github.com/mariadb-corporation/mariadb-connector-r2dbc/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mariadb-corporation/mariadb-connector-r2dbc/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump testng from 7.2.0 to 7.3.0 in /examples (#3068)

Bumps [testng](https://github.com/cbeust/testng) from 7.2.0 to 7.3.0.
- [Release notes](https://github.com/cbeust/testng/releases)
- [Changelog](https://github.com/cbeust/testng/blob/master/CHANGES.txt)
- [Commits](https://github.com/cbeust/testng/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump assertj-core from 3.17.1 to 3.17.2 in /core (#3251)

Bumps [assertj-core](https://github.com/joel-costigliola/assertj-core) from 3.17.1 to 3.17.2.
- [Release notes](https://github.com/joel-costigliola/assertj-core/releases)
- [Commits](assertj/assertj@assertj-core-3.17.1...assertj-core-3.17.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump aws-java-sdk-dynamodb from 1.11.865 to 1.11.880 in /modules/dynalite (#3332)

Bumps [aws-java-sdk-dynamodb](https://github.com/aws/aws-sdk-java) from 1.11.865 to 1.11.880.
- [Release notes](https://github.com/aws/aws-sdk-java/releases)
- [Changelog](https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-java@1.11.865...1.11.880)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump mockito-core from 3.5.11 to 3.5.13 in /core (#3275)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump elasticsearch-rest-client from 7.9.1 to 7.9.2 in /modules/elasticsearch (#3276)

Bumps [elasticsearch-rest-client](https://github.com/elastic/elasticsearch) from 7.9.1 to 7.9.2.
- [Release notes](https://github.com/elastic/elasticsearch/releases)
- [Commits](elastic/elasticsearch@v7.9.1...v7.9.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Increase memory limits used in example (#3340)

For improved test stability

* Bump mockito-core from 3.5.11 to 3.5.13 in /modules/junit-jupiter (#3283)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump tomcat-jdbc from 9.0.37 to 9.0.39 in /modules/jdbc-test (#3338)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump junit from 4.13 to 4.13.1 in /examples (#3328)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump mariadb-java-client from 2.6.2 to 2.7.0 in /modules/mariadb (#3278)

Bumps [mariadb-java-client](https://github.com/mariadb-corporation/mariadb-connector-j) from 2.6.2 to 2.7.0.
- [Release notes](https://github.com/mariadb-corporation/mariadb-connector-j/releases)
- [Changelog](https://github.com/mariadb-corporation/mariadb-connector-j/blob/master/CHANGELOG.md)
- [Commits](mariadb-corporation/mariadb-connector-j@2.6.2...2.7.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump solr-solrj from 8.6.2 to 8.6.3 in /examples (#3321)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump postgresql from 42.2.16 to 42.2.17 in /examples (#3323)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump postgresql from 42.2.16 to 42.2.17 in /modules/junit-jupiter (#3327)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump postgresql from 42.2.16 to 42.2.17 in /modules/spock (#3330)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump tomcat-jdbc from 9.0.37 to 9.0.39 in /modules/jdbc (#3333)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump postgresql from 42.2.16 to 42.2.17 in /modules/postgresql (#3334)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump aws-java-sdk-sqs from 1.11.860 to 1.11.880 in /modules/localstack (#3337)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump httpclient from 4.5.12 to 4.5.13 in /modules/junit-jupiter (#3326)

Bumps httpclient from 4.5.12 to 4.5.13.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump httpclient from 4.5.12 to 4.5.13 in /modules/spock (#3329)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump cucumber-junit from 6.7.0 to 6.8.1 in /examples (#3325)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump org.springframework.boot from 2.3.3.RELEASE to 2.3.4.RELEASE in /examples (#3247)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump aws-java-sdk-s3 from 1.11.870 to 1.11.880 in /modules/localstack (#3336)

Bumps [aws-java-sdk-s3](https://github.com/aws/aws-sdk-java) from 1.11.870 to 1.11.880.
- [Release notes](https://github.com/aws/aws-sdk-java/releases)
- [Changelog](https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-java@1.11.870...1.11.880)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump zt-exec from 1.10 to 1.12 in /core (#3253)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Richard North <rich.north@gmail.com>

* Bump s3 from 2.14.21 to 2.15.7 in /modules/localstack (#3335)

Bumps s3 from 2.14.21 to 2.15.7.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump cucumber-java from 6.6.0 to 6.8.1 in /examples (#3324)

Bumps [cucumber-java](https://github.com/cucumber/cucumber-jvm) from 6.6.0 to 6.8.1.
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v6.6.0...v6.8.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Remove GitHub Actions cache restore keys (#3342)

For more specific cache matching

* Allow users to specify a MongoDB database name (#2980)

Co-authored-by: Richard North <rich.north@gmail.com>

* Add GCloud module for Google Cloud Datastore, Firestore, PubSub, and Spanner emulators (#2690)

Co-authored-by: Richard North <rich.north@gmail.com>

* Use a lighter weight image for MultiplePortsExposedTest (#3343)

* Use a lighter weight image for MultiplePortsExposedTest

* Update helloworld container version

* docker-machine: get full remote daemon URL, to allow for use of custom daemon port (#2769) (#3237)

Co-authored-by: Vitalii Chura <c-vitalii.chura@hulu.com>

* Fix remote gradle cache 400 InvalidArgument error (#3346)

per hint given in https://www.digitalocean.com/community/questions/node-upload-file-to-s3-error-invalidargument-null

* Add gcloud endpoint accessors (#3344)

Co-authored-by: Sergei Egorov <bsideup@gmail.com>
Co-authored-by: Richard North <rich.north@gmail.com>
Co-authored-by: Cristian Greco <cristian@regolo.cc>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: silaev <silaev256@gmail.com>
Co-authored-by: Eddú Meléndez Gonzales <eddu.melendez@gmail.com>
Co-authored-by: vcvitaly <vcvitaly@yahoo.com>
Co-authored-by: Vitalii Chura <c-vitalii.chura@hulu.com>