Skip to content

ci: upgrade GitHub Actions and fix Dependabot yarn.lock alerts#63

Merged
OmarAlJarrah merged 3 commits into
mainfrom
ci/upgrade-actions-checkout-java-gradle
Jul 13, 2026
Merged

ci: upgrade GitHub Actions and fix Dependabot yarn.lock alerts#63
OmarAlJarrah merged 3 commits into
mainfrom
ci/upgrade-actions-checkout-java-gradle

Conversation

@OmarAlJarrah

@OmarAlJarrah OmarAlJarrah commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

  • Bumps actions/checkout v4 → v7, actions/setup-java v4 → v5, and gradle/actions/setup-gradle v4 → v6 across ci.yml, codeql.yml, commit-convention.yml, and publish.yml.
  • checkout and setup-java are Node24 runtime bumps with no input/output changes affecting how this repo uses them (no pull_request_target/workflow_run triggers, no Docker container actions running authenticated git commands — the areas those release notes flag).
  • Every setup-gradle step uses gradle/actions v6's default Enhanced Caching (gradle-actions-caching) rather than overriding to the MIT-only Basic provider — Enhanced is free for public repos and Basic drops restore-keys/cleanup/dedup, so the default is the better tradeoff here.
  • Fixes all 5 open Dependabot alerts on kotlin-js-store/yarn.lock (1 high, 1 moderate, 3 low — serialize-javascript CPU-exhaustion DoS and prototype-pollution-adjacent issues, webpack and diff advisories). That lockfile pins whatever transitive test-tooling versions (mocha/karma/webpack) the Kotlin/JS Gradle plugin declares internally, which aren't reachable as ordinary Gradle dependency declarations. Root build.gradle.kts now forces Yarn's resolution field for webpack, serialize-javascript, and diff to their first patched release, and kotlin-js-store/yarn.lock is regenerated accordingly — no Kotlin Gradle plugin bump required.

Test plan

  • YAML validated for all four workflow files (python3 -c "import yaml; yaml.safe_load(open(...))")
  • ./gradlew jsTest wasmJsTest (Node + Karma/webpack browser legs) green against the bumped webpack/serialize-javascript/diff
  • ./gradlew :kuri:jvmTest :kuri:detekt :kuri:apiCheck ktlintCheck green
  • CI green on this PR

Bumps actions/checkout v4 -> v7, actions/setup-java v4 -> v5, and
gradle/actions/setup-gradle v4 -> v6 across ci.yml, codeql.yml,
commit-convention.yml, and publish.yml. The checkout and setup-java
jumps are Node24 runtime bumps with no input/output changes.

gradle/actions v6 defaults setup-gradle's caching to a proprietary
"Enhanced Caching" component with its own Terms of Use, separate from
this project's MIT license. Every setup-gradle step now sets
cache-provider: basic to opt into the newly-added, fully open-source
(MIT) caching path instead, keeping the CI toolchain all-OSS.
Enhanced Caching (gradle-actions-caching) is free for public repos like this
one, so the earlier switch to cache-provider: basic bought OSS-only tooling
at the cost of Basic's known gaps (no restore-keys, no cleanup/dedup). Drop
the override and use the default on every setup-gradle call site.
…ascript/diff CVEs

kotlin-js-store/yarn.lock pins whatever transitive test-tooling versions the
Kotlin/JS Gradle plugin declares (mocha/karma/webpack); those aren't reachable
from build.gradle.kts as ordinary dependency declarations. Force Yarn's
resolution field for webpack, serialize-javascript, and diff to their first
patched release so the lockfile no longer carries the flagged CVEs, without
waiting on a Kotlin Gradle plugin bump. Verified jsTest/wasmJsTest (including
the Karma/webpack browser legs) still pass against the bumped versions.
@OmarAlJarrah OmarAlJarrah changed the title ci: upgrade actions/checkout, actions/setup-java, gradle/actions ci: upgrade GitHub Actions and fix Dependabot yarn.lock alerts Jul 13, 2026
@OmarAlJarrah OmarAlJarrah merged commit 2b933d2 into main Jul 13, 2026
14 checks passed
@OmarAlJarrah OmarAlJarrah deleted the ci/upgrade-actions-checkout-java-gradle branch July 13, 2026 12:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant