Hi folks, I just closed a dependabot PR to bump gradle actions from 5 to 6 and told it to "ignore this version".
I initially held off an earlier proposed change since it arrived about the same time as we learnt about the Trivy Compromise and the new version wasn't in the updated ASF Infra whitelist of actions. But there has also been discussion around the changed license terms where the gradle-actions-caching component is no longer released under open source. And some folks have questioned some of the terms in the new license.

I suspect there will end up being no issue with using the new version, but I thought I would give it time for further discussion to play out since we are not in any urgent need to use the new version, and we know of no security vulnerabilities with the current version. We can easily just apply the proposed PR manually if we need. But if anyone has dived into the issue in a little more depth please feel free to have a discussion.

Cheers,
Paul.
