Upgrade GitHub Actions versions and pin with SHA hashes #6719

Merged
jrhee17 merged 8 commits into line:main from sh-cho:gh-actions-secure
May 6, 2026

Conversation

sh-cho (Contributor) commented Apr 11, 2026

Motivation:

Keep GitHub Actions dependencies up-to-date and secure by upgrading to the latest versions with pinned SHA hashes.

Modifications:

  • Upgraded GitHub Actions to their latest major versions:
    • actions/checkout: v4.3.1 -> v6.0.2
    • actions/setup-java: v4.8.0 -> v5.2.0
    • gradle/actions/setup-gradle: v4.4.3 -> v5.0.2
    • actions/upload-artifact: v4.6.2 -> v7.0.1
    • codecov/codecov-action: v5.5.4 -> v6.0.0
    • actions/stale: v9.1.0 -> v10.2.0
    • actions/setup-node: v4.4.0 -> v6.3.0
    • dawidd6/action-download-artifact: v7 -> v20
    • crazy-max/ghaction-import-gpg: v6.3.0 -> v7.0.0
    • peter-evans/create-pull-request: v7.0.11 -> v8.1.1
  • Renamed gradle-enterprise-... to develocity-... to match Gradle's rebranding
  • Pinned actions with SHA hash
  • Added cooldown: default-days: 7 to all Dependabot ecosystems

Result:

  • All GitHub Actions are pinned to the latest secure versions.
    • gradle/actions is kept at v5.x. I think upgrading to v6 should be revisited once maintainers have reviewed the licensing implications
  • Resolves Improve github actions security #6718

sh-cho added 5 commits April 11, 2026 14:05
Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
coderabbitai Bot (Contributor) commented Apr 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b3df30bc-204c-4bdd-82b9-3bf2d2ed6348

📥 Commits

Reviewing files that changed from the base of the PR and between 9509586 and 595965e.

📒 Files selected for processing (7)
  • .github/workflows/actions_build.yml
  • .github/workflows/e2e-chaos-tests.yml
  • .github/workflows/gradle-enterprise-postjob.yml
  • .github/workflows/public-suffixes.yml
  • .github/workflows/publish-release.yml
  • .github/workflows/publish-site.yml
  • .github/workflows/tag-new-release.yml
✅ Files skipped from review due to trivial changes (7)
  • .github/workflows/publish-site.yml
  • .github/workflows/tag-new-release.yml
  • .github/workflows/gradle-enterprise-postjob.yml
  • .github/workflows/public-suffixes.yml
  • .github/workflows/publish-release.yml
  • .github/workflows/actions_build.yml
  • .github/workflows/e2e-chaos-tests.yml

📝 Walkthrough

Pins third-party GitHub Actions to specific commit SHAs across many workflows and adds a 7-day Dependabot cooldown for Gradle, GitHub Actions, and npm updates; no runtime code or public API changes.

Changes

Changes by cohort (file(s) and summary):

Dependabot configuration (.github/dependabot.yml): Added cooldown with default-days: 7 to Gradle, GitHub Actions, and npm update entries; adjusted indentation of npm schedule.interval (formatting only).

CI workflows, action pinning (.github/workflows/actions_build.yml, .github/workflows/e2e-chaos-tests.yml, .github/workflows/gradle-cache-check.yml, .github/workflows/gradle-enterprise-postjob.yml, .github/workflows/pr-stale.yml, .github/workflows/public-suffixes.yml, .github/workflows/publish-release.yml, .github/workflows/publish-site.yml, .github/workflows/tag-new-release.yml, .github/workflows/xds-apply-updates.yml, .github/workflows/xds-compare-versions.yml): Replaced floating version tags with pinned commit SHAs for many uses: entries (e.g., actions/checkout, actions/setup-java, gradle/actions/setup-gradle, actions/upload-artifact, codecov/codecov-action, medyagh/setup-minikube, actions/setup-node, actions/stale, crazy-max/ghaction-import-gpg, peter-evans/create-pull-request, peaceiris/actions-gh-pages, dawidd6/action-download-artifact). One workflow swapped Gradle validation action paths from gradle/gradle-enterprise-build-validation-scripts to gradle/develocity-build-validation-scripts and pinned them. No other job logic, inputs, or environment changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

dependencies

Suggested reviewers

  • trustin
  • minwoox
  • ikhoon

Poem

🐇 I twitch my whiskers, give a cheer,
SHAs are set so threats stay clear.
Seven days' pause between each update,
Secure the paths, and guard the gate.
A rabbit hops—builds safe and dear.

🚥 Pre-merge checks: 5 passed

Title check: Passed. The title 'Upgrade GitHub Actions versions and pin with SHA hashes' clearly and concisely summarizes the main changes: upgrading GitHub Actions to new versions and pinning them with SHA hashes, which is the core objective of this PR.
Description check: Passed. The description is well-structured and directly related to the changeset, detailing specific version upgrades, the Dependabot cooldown addition, Gradle rebranding changes, and the linked issue resolution.
Linked Issues check: Passed. The PR successfully addresses the primary objective from issue #6718: pinning GitHub Actions with SHA hashes to reduce supply-chain risk. Version upgrades and the Dependabot cooldown further strengthen security posture.
Out of Scope Changes check: Passed. All changes are directly in scope: GitHub Actions version upgrades with SHA pinning, Dependabot cooldown configuration, and gradle-enterprise to develocity renaming align with the issue #6718 security improvement objectives.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/publish-release.yml (1)

51-53: Explicitly disable npm cache in Node setup for release job handling secrets.

While auto-caching won't be triggered in this repository (no package.json with packageManager field), explicitly setting package-manager-cache: false hardens the job configuration. Since this step follows Maven publication using sensitive credentials, being explicit about cache behavior prevents accidental caching of sensitive files or credentials.

Proposed change
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 18
+          package-manager-cache: false
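Review bot: The justification above concedes that auto-caching is not triggered in this repository today (no package.json with a packageManager field), so the added `package-manager-cache: false` line is a defensive setting rather than a fix for an observed problem; it is still worth applying, but apply it to every copy of this Setup Node.js step (the identical step is proposed for gradle-enterprise-postjob.yml below) so that a later package.json addition cannot enable caching in one secret-bearing job and not the other.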
.github/workflows/gradle-enterprise-postjob.yml (1)

94-96: Explicitly disable npm cache in this tokenized workflow.

This workflow uses secrets (DEVELOCITY_ACCESS_KEY, GITHUB_TOKEN), and npm caching should be controlled explicitly for security. Set package-manager-cache: false unless caching is specifically required.

Proposed change
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 18
+          package-manager-cache: false
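Review bot: This hunk is the same one-line change as the publish-release.yml suggestion above, so both should land together in one commit; the reason given here (the workflow handles DEVELOCITY_ACCESS_KEY and GITHUB_TOKEN) is about keeping cache behaviour explicit rather than an observed leak, so a short inline comment to that effect next to `package-manager-cache: false` would stop a later reader from removing the line as redundant.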
Inline comments:
In @.github/workflows/gradle-cache-check.yml:
- Around line 22-33: The workflow uses mutable action refs (the three occurrences of "uses: gradle/develocity-build-validation-scripts/.github/actions/gradle/...@actions-stable") which should be pinned to immutable 40-character commit SHAs; update each "uses" entry (the download, experiment-1, and experiment-3 actions) to replace "@actions-stable" with the exact commit SHA for that action and add an inline comment indicating the original "@actions-stable" tag for traceability.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 54f58a38-caa1-4994-9b6f-631a99fc642d

📥 Commits

Reviewing files that changed from the base of the PR and between 233b5d8 and ad3a759.

📒 Files selected for processing (12)
  • .github/dependabot.yml
  • .github/workflows/actions_build.yml
  • .github/workflows/e2e-chaos-tests.yml
  • .github/workflows/gradle-cache-check.yml
  • .github/workflows/gradle-enterprise-postjob.yml
  • .github/workflows/pr-stale.yml
  • .github/workflows/public-suffixes.yml
  • .github/workflows/publish-release.yml
  • .github/workflows/publish-site.yml
  • .github/workflows/tag-new-release.yml
  • .github/workflows/xds-apply-updates.yml
  • .github/workflows/xds-compare-versions.yml
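The pinning rule stated in the bot's inline comment (mutable refs such as `@actions-stable` replaced by 40-character commit SHAs, with a trailing version comment for traceability) and the PR's "Pinned actions with SHA hash" change can both be checked mechanically. The script below is an added example written for this review, not code from the line:main repository or from CodeRabbit; `check_uses_ref`, `audit_workflow` and the sample workflow text are constructed here, and the sample reuses the setup-node SHA from the suggestions above alongside an invented 40-hex value.

```python
import re
# A `uses:` step line, optionally followed by a '# vX.Y.Z' traceability comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")             # immutable commit pin
VERSION_COMMENT_RE = re.compile(r"v?\d+(\.\d+)*")  # trailing '# v6.3.0' note

def check_uses_ref(line):
    """Parse one workflow line; None for non-`uses:`, local or docker:// steps.
    Otherwise returns the parts plus findings (empty == SHA pin with version note)."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    action, sep, version = ref.partition("@")
    comment = (m.group("comment") or "").strip()
    findings = []
    if not sep:
        findings.append("no @ref, resolves to the default branch")
    elif not SHA_RE.match(version):
        findings.append(f"mutable ref '@{version}'; pin to a 40-hex commit SHA")
    elif not VERSION_COMMENT_RE.match(comment):
        findings.append("SHA pin lacks a trailing '# vX.Y.Z' comment for traceability")
    return {"action": action, "ref": version, "comment": comment, "findings": findings}

def audit_workflow(text):
    """Return [(line_no, action, finding)] for every reference that fails the policy."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = check_uses_ref(line)
        for finding in (parsed["findings"] if parsed else []):
            out.append((no, parsed["action"], finding))
    return out

# Constructed sample (not a real file): refs seen in this PR plus a mutable one.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
  - uses: gradle/develocity-build-validation-scripts/.github/actions/gradle/download@actions-stable
  - uses: ./.github/actions/local-step
  - uses: some/action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for no, action, finding in audit_workflow(SAMPLE):
        print(f"line {no}: {action}: {finding}")
```

Run against the real .github/workflows directory this reports exactly the kind of `@actions-stable` reference the inline comment flagged, and it also catches a SHA pin whose version comment was dropped, which Dependabot relies on to know what it is bumping.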

Comment thread .github/workflows/gradle-cache-check.yml Outdated
Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
jrhee17 (Contributor) left a comment

👍 👍

minwoox (Contributor) left a comment

Thanks a lot!

gradle/actions is kept at v5.x. I think upgrading to v6 should be revisited once maintainers have reviewed the licensing implications

Yeah, let us discuss and upgrade if there's no issue.

ikhoon (Contributor) left a comment

Thanks!

minwoox (Contributor) commented Apr 14, 2026

gradle/actions is kept at v5.x. I think upgrading to v6 should be revisited once maintainers have reviewed the licensing implications

Would you mind updating it?

Signed-off-by: Seonghyeon Cho <seonghyeoncho96@gmail.com>
sh-cho (Contributor, Author) commented Apr 14, 2026

@minwoox done :)

jrhee17 merged commit 2b5676a into line:main May 6, 2026
13 of 17 checks passed

Development

Successfully merging this pull request may close these issues.

Improve github actions security

4 participants