Merge pull request #911 - Improve dependency review support

A common issue when submitting a dependency graph is that the required
'contents: write' permission is not set.
We now catch any dependency submission failure and inform the user to check
that the required permissions are available.

.github/dependabot.yml

@@ -20,7 +20,8 @@ updates:
     schedule:
       interval: "weekly"
     ignore:
-      - dependency-name: "@types/node"
+      - dependency-name: "@types/node" # Breaking change: update with next major release
+      - dependency-name: "@octokit/rest" # Tied to node version
     groups:
       npm-dependencies:
         patterns:

.github/workflow-samples/gradle-plugin/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
+distributionSha256Sum=591855b517fc635b9e04de1d05d5e76ada3f89f5fc76f87978d1b245b4f69225
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/gradle-plugin/gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/groovy-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
+distributionSha256Sum=591855b517fc635b9e04de1d05d5e76ada3f89f5fc76f87978d1b245b4f69225
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/groovy-dsl/gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/groovy-dsl/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.enterprise" version "3.14.1"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "1.11.1"
+    id "com.gradle.enterprise" version "3.15"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "1.11.2"
 }
 
 gradleEnterprise {

.github/workflow-samples/java-toolchain/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
+distributionSha256Sum=591855b517fc635b9e04de1d05d5e76ada3f89f5fc76f87978d1b245b4f69225
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/java-toolchain/gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/java-toolchain/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id("org.gradle.toolchains.foojay-resolver-convention") version("0.4.0")
+    id("org.gradle.toolchains.foojay-resolver-convention") version("0.7.0")
 }
 
 rootProject.name = 'basic'

.github/workflow-samples/kotlin-dsl/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
+distributionSha256Sum=591855b517fc635b9e04de1d05d5e76ada3f89f5fc76f87978d1b245b4f69225
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

.github/workflow-samples/kotlin-dsl/gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

.github/workflow-samples/kotlin-dsl/settings.gradle.kts

@@ -1,6 +1,6 @@
 plugins {
-    id("com.gradle.enterprise") version "3.14.1"
-    id("com.gradle.common-custom-user-data-gradle-plugin") version "1.11.1"
+    id("com.gradle.enterprise") version "3.15"
+    id("com.gradle.common-custom-user-data-gradle-plugin") version "1.11.2"
 }
 
 gradleEnterprise {

.github/workflow-samples/no-ge/build.gradle

@@ -0,0 +1 @@
+// Required to keep dependabot happy

.github/workflow-samples/no-ge/settings.gradle

@@ -0,0 +1 @@
+rootProject.name = 'no-ge'

.github/workflow-samples/no-wrapper-gradle-5/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.build-scan" version "3.14.1" 
+    id "com.gradle.build-scan" version "3.15" 
 }
 
 gradleEnterprise {

.github/workflow-samples/no-wrapper/settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id "com.gradle.enterprise" version "3.14.1"
+    id "com.gradle.enterprise" version "3.15"
 }
 
 gradleEnterprise {

.github/workflows/ci-codeql.yml

@@ -38,7 +38,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/ci-dependency-review.yml

@@ -15,6 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v3

.github/workflows/ci-full-check.yml

@@ -44,6 +44,13 @@ jobs:
     with:
       cache-key-prefix: ${{github.run_number}}-
 
+  gradle-enterprise-injection:
+    uses: ./.github/workflows/integ-test-inject-gradle-enterprise.yml
+    with:
+      cache-key-prefix: ${{github.run_number}}-
+    secrets:
+      GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_SOLUTIONS_ACCESS_TOKEN }}
+
   provision-gradle-versions:
     uses: ./.github/workflows/integ-test-provision-gradle-versions.yml
     with:
@@ -83,3 +90,8 @@ jobs:
     uses: ./.github/workflows/integ-test-sample-gradle-plugin.yml
     with:
       cache-key-prefix: ${{github.run_number}}-
+
+  toolchain-detection:
+    uses: ./.github/workflows/integ-test-detect-java-toolchains.yml
+    with:
+      cache-key-prefix: ${{github.run_number}}-

.github/workflows/ci-init-script-check.yml

@@ -13,14 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup Java
       uses: actions/setup-java@v3
       with:
         distribution: temurin
         java-version: 8
     - name: Setup Gradle
-      uses: gradle/gradle-build-action@v2.7.0 # Use a released version to avoid breakages
+      uses: gradle/gradle-build-action@v2.8.1 # Use a released version to avoid breakages
     - name: Run integration tests
       working-directory: test/init-scripts
       run: ./gradlew check

.github/workflows/ci-quick-check.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Build and upload distribution
       uses: ./.github/actions/build-dist
 
@@ -18,11 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Configure Gradle as default for unit test
       uses: ./
       with:
-        gradle-version: 8.2.1
+        gradle-version: 8.3
     - name: Run tests
       run: |
         npm install
@@ -71,6 +71,15 @@ jobs:
       runner-os: '["ubuntu-latest"]'
       download-dist: true
 
+  gradle-enterprise-injection:
+    needs: build-distribution
+    uses: ./.github/workflows/integ-test-inject-gradle-enterprise.yml
+    with:
+      runner-os: '["ubuntu-latest"]'
+      download-dist: true
+    secrets:
+      GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_SOLUTIONS_ACCESS_TOKEN }}
+
   provision-gradle-versions:
     needs: build-distribution
     uses: ./.github/workflows/integ-test-provision-gradle-versions.yml
@@ -124,3 +133,10 @@ jobs:
     with:
       runner-os: '["ubuntu-latest"]'
       download-dist: true
+
+  toolchain-detection:
+    needs: build-distribution
+    uses: ./.github/workflows/integ-test-detect-java-toolchains.yml
+    with:
+      runner-os: '["ubuntu-latest"]'
+      download-dist: true

.github/workflows/ci-verify-outputs.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Build
       run: |
         npm -v

.github/workflows/demo-failure-cases.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Test build failure
       uses: ./
       continue-on-error: true
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Test wrapper missing
       uses: ./
       continue-on-error: true
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Test bad config value
       uses: ./
       continue-on-error: true

.github/workflows/demo-job-summary.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Build distribution
       shell: bash
       run: |
@@ -41,3 +41,25 @@ jobs:
       working-directory: .github/workflow-samples/groovy-dsl
       continue-on-error: true
       run: ./gradlew not-a-real-task
+
+  pre-existing-gradle-home:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Build distribution
+      shell: bash
+      run: |
+        npm install
+        npm run build
+    - name: Pre-create Gradle User Home
+      shell: bash
+      run: |
+        mkdir ~/.gradle
+        mkdir ~/.gradle/caches
+        touch ~/.gradle/caches/dummy.txt
+    - name: Setup Gradle
+      uses: ./
+    - name: Run build
+      working-directory: .github/workflow-samples/groovy-dsl
+      run: ./gradlew assemble

.github/workflows/demo-pr-build-scan-comment.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout project sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Setup Gradle
       uses: ./
     - name: Run build with Gradle wrapper

.github/workflows/integ-test-action-inputs-caching.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -52,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -77,7 +77,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -100,7 +100,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Create dummy Gradle User Home
@@ -128,7 +128,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -149,7 +149,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.github/workflows/integ-test-action-inputs.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Invoke with multi-line arguments

.github/workflows/integ-test-cache-cleanup.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -45,7 +45,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -65,7 +65,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.github/workflows/integ-test-dependency-graph.yml

@@ -1,4 +1,4 @@
-name: Test execution with caching
+name: Test dependency graph
 
 on:
   workflow_call:
@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle for dependency-graph generate
@@ -43,7 +43,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle for dependency-graph generate
@@ -59,7 +59,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Submit dependency graphs
@@ -68,10 +68,13 @@ jobs:
         dependency-graph: download-and-submit
 
   multiple-builds:
-    runs-on: "ubuntu-latest"
+    strategy:
+      matrix:
+        os: ${{fromJSON(inputs.runner-os)}}
+    runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle for dependency-graph generate
@@ -85,12 +88,16 @@ jobs:
       run: ./gradlew build
       working-directory: .github/workflow-samples/groovy-dsl
     - name: Check generated dependency graphs
+      shell: bash
       run: |
         echo "gradle-assemble report file: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}"
         echo "gradle-build report file: ${{ steps.gradle-build.outputs.dependency-graph-file }}"
         ls -l dependency-graph-reports
-        if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ])
-        then
-            echo "Did not find expected dependency graph files"
+        if [ ! -e "${{ steps.gradle-assemble.outputs.dependency-graph-file }}" ]; then
+            echo "Did not find gradle-assemble dependency graph file"
+            exit 1
+        fi
+        if [ ! -e "${{ steps.gradle-build.outputs.dependency-graph-file }}" ]; then
+            echo "Did not find gradle-build dependency graph files"
             exit 1
         fi

.github/workflows/integ-test-detect-java-toolchains.yml

@@ -0,0 +1,113 @@
+name: Test detect java toolchains
+
+on:
+  workflow_call:
+    inputs:
+      cache-key-prefix:
+        type: string
+      runner-os:
+        type: string
+        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+      download-dist:
+        type: boolean
+        default: false
+
+env:
+  DOWNLOAD_DIST: ${{ inputs.download-dist }}
+  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
+  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
+
+jobs:
+  # Test that pre-installed runner JDKs are detected
+  pre-installed-toolchains:
+    strategy:
+      matrix:
+        os: ${{fromJSON(inputs.runner-os)}}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Download distribution if required
+      uses: ./.github/actions/download-dist
+    - name: Setup Gradle
+      uses: ./
+    - name: List detected toolchains
+      shell: bash
+      working-directory: .github/workflow-samples/groovy-dsl
+      run: | 
+        gradle -q javaToolchains > output.txt
+        cat output.txt
+    - name: Verify detected toolchains
+      shell: bash
+      working-directory: .github/workflow-samples/groovy-dsl
+      run: | 
+        grep -q 'Eclipse Temurin JDK 1.8' output.txt || (echo "::error::Did not detect preinstalled JDK 1.8" && exit 1)
+        grep -q 'Eclipse Temurin JDK 11' output.txt || (echo "::error::Did not detect preinstalled JDK 11" && exit 1)
+        grep -q 'Eclipse Temurin JDK 17' output.txt || (echo "::error::Did not detect preinstalled JDK 17" && exit 1)
+
+  # Test that JDKs provisioned by setup-java are detected
+  setup-java-installed-toolchain:
+    strategy:
+      matrix:
+        os: ${{fromJSON(inputs.runner-os)}}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Download distribution if required
+      uses: ./.github/actions/download-dist
+    - name: Setup Java 20
+      uses: actions/setup-java@v3
+      with:
+        distribution: 'temurin'
+        java-version: '20'
+    - name: Setup Java 16
+      uses: actions/setup-java@v3
+      with:
+        distribution: 'temurin'
+        java-version: '16'
+    - name: Setup Gradle
+      uses: ./
+    - name: List detected toolchains
+      shell: bash
+      working-directory: .github/workflow-samples/groovy-dsl
+      run: | 
+        gradle -q javaToolchains > output.txt
+        cat output.txt
+    - name: Verify detected toolchains
+      shell: bash
+      working-directory: .github/workflow-samples/groovy-dsl
+      run: | 
+        grep -q 'Eclipse Temurin JDK 16' output.txt || (echo "::error::Did not detect setup-java installed JDK 16" && exit 1)
+        grep -q 'Eclipse Temurin JDK 20' output.txt || (echo "::error::Did not detect setup-java installed JDK 20" && exit 1)
+
+  # Test that predefined JDK detection property is not overwritten by action
+  check-no-overwrite:
+    strategy:
+      matrix:
+        os: ${{fromJSON(inputs.runner-os)}}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Download distribution if required
+      uses: ./.github/actions/download-dist
+    - name: Configure java installations env var in Gradle User Home
+      shell: bash
+      run: | 
+        mkdir -p ~/.gradle
+        echo "org.gradle.java.installations.fromEnv=XXXXX" > ~/.gradle/gradle.properties
+    - name: Setup Gradle
+      uses: ./
+    - name: Check gradle.properties
+      shell: bash
+      run: |
+        cat ~/.gradle/gradle.properties
+        if grep -q 'org.gradle.java.installations.fromEnv=JAVA_HOME' ~/.gradle/gradle.properties ; then
+          echo 'Found overwritten fromEnv'
+          exit 1
+        fi
+        if ! grep -q 'org.gradle.java.installations.fromEnv=XXXXX' ~/.gradle/gradle.properties ; then
+          echo 'Did NOT find original fromEnv'
+          exit 1
+        fi

.github/workflows/integ-test-execution-with-caching.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Execute Gradle build
@@ -44,7 +44,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Execute Gradle build

.github/workflows/integ-test-execution.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Test use defined Gradle version
@@ -68,7 +68,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Java

.github/workflows/integ-test-inject-gradle-enterprise.yml

@@ -0,0 +1,60 @@
+name: Test gradle enterprise injection
+
+on:
+  workflow_call:
+    inputs:
+      cache-key-prefix:
+        type: string
+      runner-os:
+        type: string
+        default: '["ubuntu-latest", "windows-latest", "macos-latest"]'
+      download-dist:
+        type: boolean
+        default: false
+    secrets:
+      GRADLE_ENTERPRISE_ACCESS_KEY:
+        required: true
+
+env:
+  DOWNLOAD_DIST: ${{ inputs.download-dist }}
+  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
+  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
+  GRADLE_ENTERPRISE_INJECTION_ENABLED: true
+  GRADLE_ENTERPRISE_URL: https://ge.solutions-team.gradle.com
+  GRADLE_ENTERPRISE_PLUGIN_VERSION: 3.15
+  GRADLE_ENTERPRISE_CCUD_PLUGIN_VERSION: 1.11.2
+  GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
+
+jobs:
+  inject-gradle-enterprise:
+    strategy:
+      matrix:
+        gradle: [current, 7.6.2, 6.9.4, 5.6.4]
+        os: ${{fromJSON(inputs.runner-os)}}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Download distribution if required
+      uses: ./.github/actions/download-dist
+    - name: Setup Java
+      uses: actions/setup-java@v3
+      with:
+        distribution: temurin
+        java-version: 8
+    - name: Setup Gradle
+      id: setup-gradle
+      uses: ./
+      with:
+        cache-read-only: false # For testing, allow writing cache entries on non-default branches
+        gradle-version: ${{ matrix.gradle }}
+    - name: Run Gradle build
+      id: gradle
+      working-directory: .github/workflow-samples/no-ge
+      run: gradle help
+    - name: Check Build Scan url
+      if: ${{ !steps.gradle.outputs.build-scan-url }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          core.setFailed('No Build Scan detected')   

.github/workflows/integ-test-provision-gradle-versions.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle with v6.9
@@ -55,6 +55,17 @@ jobs:
     - name: Test use release-candidate
       working-directory: .github/workflow-samples/no-wrapper
       run: gradle help
+    - name: Setup Gradle with current
+      id: gradle-current
+      uses: ./
+      with:
+        gradle-version: current
+    - name: Check current version output parameter
+      if: ${{ !startsWith(steps.gradle-current.outputs.gradle-version , '8.') }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.gradle-current.outputs.gradle-version }}"')    
   
   gradle-versions:
     strategy:
@@ -71,7 +82,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Java
@@ -80,10 +91,17 @@ jobs:
         distribution: temurin
         java-version: 8
     - name: Setup Gradle
+      id: setup-gradle
       uses: ./
       with:
         cache-read-only: false # For testing, allow writing cache entries on non-default branches
         gradle-version: ${{ matrix.gradle }}
+    - name: Check output parameter
+      if: ${{ steps.setup-gradle.outputs.gradle-version != matrix.gradle }}
+      uses: actions/github-script@v6
+      with:
+        script: |
+          core.setFailed('Gradle version parameter not set correctly: value was "${{ steps.setup-gradle.outputs.gradle-version }}"')    
     - name: Run Gradle build
       id: gradle
       working-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}

.github/workflows/integ-test-restore-configuration-cache.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -48,7 +48,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -79,7 +79,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle with no extracted cache entries restored
@@ -101,7 +101,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -122,7 +122,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -144,7 +144,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.github/workflows/integ-test-restore-containerized-gradle-home.yml

@@ -20,7 +20,7 @@ jobs:
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Java
@@ -43,7 +43,7 @@ jobs:
     container: fedora:latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Java

.github/workflows/integ-test-restore-custom-gradle-home.yml

@@ -23,7 +23,7 @@ jobs:
         mkdir -p $GITHUB_WORKSPACE/gradle-user-home
         echo "GRADLE_USER_HOME=$GITHUB_WORKSPACE/gradle-user-home" >> $GITHUB_ENV
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -44,7 +44,7 @@ jobs:
         mkdir -p $GITHUB_WORKSPACE/gradle-user-home
         echo "GRADLE_USER_HOME=$GITHUB_WORKSPACE/gradle-user-home" >> $GITHUB_ENV
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -65,7 +65,7 @@ jobs:
         mkdir -p $GITHUB_WORKSPACE/gradle-user-home
         echo "GRADLE_USER_HOME=$GITHUB_WORKSPACE/gradle-user-home" >> $GITHUB_ENV
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.github/workflows/integ-test-restore-gradle-home.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -46,7 +46,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -66,7 +66,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -86,7 +86,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle with no extracted cache entries restored
@@ -99,3 +99,40 @@ jobs:
       working-directory: .github/workflow-samples/groovy-dsl
       run: ./gradlew test
 
+  # Test that a pre-existing gradle-user-home can be overwritten by the restored cache
+  pre-existing-gradle-home:
+    needs: seed-build
+    strategy:
+      matrix:
+        os: ${{fromJSON(inputs.runner-os)}}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+    - name: Download distribution if required
+      uses: ./.github/actions/download-dist
+    - name: Pre-create Gradle User Home
+      shell: bash
+      run: |
+        mkdir -p ~/.gradle/caches
+        touch ~/.gradle/gradle.properties
+        touch ~/.gradle/caches/dummy.txt
+    - name: Setup Gradle
+      uses: ./
+      with:
+        cache-read-only: true
+        cache-overwrite-existing: true
+    - name: Check that pre-existing content still exists
+      shell: bash
+      run: |
+        if [ ! -e ~/.gradle/caches/dummy.txt ]; then
+          echo "::error ::Should find dummy.txt after cache restore"
+          exit 1
+        fi
+        if [ ! -e ~/.gradle/gradle.properties ]; then
+          echo "::error ::Should find gradle.properties after cache restore"
+          exit 1
+        fi
+    - name: Execute Gradle build with --offline
+      working-directory: .github/workflow-samples/groovy-dsl
+      run: ./gradlew test --offline

.github/workflows/integ-test-restore-java-toolchain.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -45,7 +45,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.github/workflows/integ-test-sample-gradle-plugin.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -44,7 +44,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.github/workflows/integ-test-sample-kotlin-dsl.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle
@@ -44,7 +44,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Download distribution if required
       uses: ./.github/actions/download-dist
     - name: Setup Gradle

.tool-versions

@@ -1,3 +1,3 @@
 # Configuration file for asdf version manager
 nodejs 16.18.1
-gradle 8.2.1
+gradle 8.3

README.md

@@ -8,10 +8,11 @@ It is possible to directly invoke Gradle in your workflow, and the `actions/setu
 
 However, the `gradle-build-action` offers a number of advantages over this approach:
 
-- Easily [configure your workflow to use a specific version of Gradle](#use-a-specific-gradle-version) using the `gradle-version` parameter. Gradle distributions are automatically downloaded and cached. 
-- More sophisticated and more efficient caching of Gradle User Home between invocations, compared to `setup-java` and most custom configurations using `actions/cache`. [More details below](#caching).
+- Easily [configure your workflow to use a specific version of Gradle](#choose-a-specific-gradle-version) using the `gradle-version` parameter. Gradle distributions are automatically downloaded and cached. 
+- More sophisticated and more efficient caching of Gradle User Home between invocations, compared to `setup-java` and most custom configurations using `actions/cache`. [More details below](#caching-build-state-between-jobs).
 - Detailed reporting of cache usage and cache configuration options allow you to [optimize the use of the GitHub actions cache](#optimizing-cache-effectiveness).
-- [Automatic capture of Build Scan® links](#build-scans) from the build, making these easier to locate for workflow run.
+- [Generate and Submit a GitHub Dependency Graph](#github-dependency-graph-support) for your project, enabling Dependabot security alerts.
+- [Automatic capture of Build Scan® links](#build-reporting) from the build, making these easier to locate for workflow run.
 
 The `gradle-build-action` is designed to provide these benefits with minimal configuration. 
 These features work both when Gradle is executed via the `gradle-build-action` and for any Gradle execution in subsequent steps.
@@ -20,7 +21,8 @@ These features work both when Gradle is executed via the `gradle-build-action` a
 
 The recommended way to use the `gradle-build-action` is in an initial "Setup Gradle" step, with subsquent steps invoking Gradle directly with a `run` step. This makes the action minimally invasive, and allows a workflow to configure and execute a Gradle execution in any way.
 
-Most of the functionality of the `gradle-build-action` is applied via Gradle init-scripts, and so will apply to all subsequent Gradle executions on the runner, no matter how Gradle is invoked. This means that if you have an existing workflow that executes Gradle with a `run` step, you can add an initial "Setup Gradle" Step to benefit from caching, build-scan capture and other features of the gradle-build-action.
+The `gradle-build-action` works by configuring environment variables and by adding a set of Gradle init-scripts to the Gradle User Home. These will apply to all Gradle executions on the runner, no matter how Gradle is invoked. 
+This means that if you have an existing workflow that executes Gradle with a `run` step, you can add an initial "Setup Gradle" Step to benefit from caching, build-scan capture and other features of the gradle-build-action.
 
 
 ```yaml
@@ -71,6 +73,8 @@ Moreover, you can use the following aliases:
 
 This can be handy to automatically verify your build works with the latest release candidate of Gradle:
 
+The actual Gradle version used is available as an action output: `gradle-version`.
+
 ```yaml
 name: Test latest Gradle RC
 on:
@@ -86,11 +90,14 @@ jobs:
         distribution: temurin
         java-version: 11
     - uses: gradle/gradle-build-action@v2
+      id: setup-gradle
       with:
         gradle-version: release-candidate
     - run: gradle build --dry-run # just test build configuration
+    - run: echo "The release-candidate version was ${{ steps.setup-gradle.outputs.gradle-version }}"
 ```
 
+
 ## Caching build state between Jobs
 
 The `gradle-build-action` will use the GitHub Actions cache to save and restore reusable state that may be speed up a subsequent build invocation. This includes most content that is downloaded from the internet as part of a build, as well as expensive to create content like compiled build scripts, transformed Jar files, etc.
@@ -140,6 +147,20 @@ In certain circumstances it may be desirable to start with a clean Gradle User H
 cache-write-only: true
 ```
 
+### Overwriting an existing Gradle User Home
+
+When the action detects that the Gradle User Home caches directory already exists (`~/.gradle/caches`), then by default it will not overwrite the existing content of this directory.
+This can occur when a prior action initializes this directory, or when using a self-hosted runner that retains this directory between uses.
+
+In this case the Job Summary will display a message like: 
+> Caching for gradle-build-action was disabled due to pre-existing Gradle User Home
+
+If you want override the default and have the `gradle-build-action` caches overwrite existing content in the Gradle User Home, you can set the `cache-overwrite-existing` parameter to 'true':
+
+```yaml
+cache-overwrite-existing: true
+```
+
 ### Incompatibility with other caching mechanisms
 
 When using `gradle-build-action` we recommend that you avoid using other mechanisms to save and restore the Gradle User Home. 
@@ -525,8 +546,6 @@ You enable GitHub Dependency Graph support by setting the `dependency-graph` act
 | `generate-and-submit` | As per `generate`, but any generated dependency graph snapshots will be submitted at the end of the job. |
 | `download-and-submit` | Download any previously saved dependency graph snapshots, submitting them via the Dependency Submission API. This can be useful to collect all snapshots in a matrix of builds and submit them in one step. |
 
-Dependency Graph _submission_ (but not generation) requires the `contents: write` permission, which may need to be explicitly enabled in the workflow file.
-
 Example of a simple workflow that generates and submits a dependency graph:
 ```yaml
 name: Submit dependency graph
@@ -545,14 +564,62 @@ jobs:
       uses: gradle/gradle-build-action@v2
       with:
         dependency-graph: generate-and-submit
-    - name: Run a build, generating the dependency graph snapshot which will be submitted
+    - name: Run a build and generate the dependency graph which will be submitted post-job
       run: ./gradlew build
 ```
 
-The `contents: write` permission is not required to generate the dependency graph, but is required in order to submit the graph via the GitHub API.
+The `contents: write` permission is not required to generate the dependency graph, but is required in order to submit the graph via the GitHub API. This permission will need to be explicitly enabled in the workflow file for dependency graph submission to succeed.
 
-The above configuration will work for workflows that run as a result of commits to a repository branch, but not when a workflow is triggered by a PR from a repository fork.
-For a configuration that supports this setup, see [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows).
+> [!IMPORTANT]
+> The above configuration will work for workflows that run as a result of commits to a repository branch, 
+> but not when a workflow is triggered by a PR from a repository fork.
+> This is because the `contents: write` permission is not available when executing a workflow 
+> for a PR submitted from a forked repository.
+> For a configuration that supports this setup, see [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows).
+
+### Integrating the `dependency-review-action`
+
+The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
+understand dependency changes (and the security impact of these changes) for a pull request.
+For the `dependency-review-action` to succeed, it must run _after_ the dependency graph has been submitted for a PR.
+
+When using `generate-and-submit`, dependency graph files are submitted at the end of the job, after all steps have been
+executed. For this reason, the `dependency-review-action` must be executed in a dependent job,
+and not as a subsequent step in the job that generates the dependency graph.
+
+Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
+
+```yaml
+name: PR check
+
+on:
+  pull_request:
+  
+permissions:
+  contents: write
+  # Note that this permission will not be available if the PR is from a forked repository
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Gradle to generate and submit dependency graphs
+      uses: gradle/gradle-build-action@v2
+      with:
+        dependency-graph: generate-and-submit
+    - name: Run a build and generate the dependency graph which will be submitted post-job
+      run: ./gradlew build
+
+  dependency-review:
+    needs: build
+    runs-on: ubuntu-latest
+    - name: Perform dependency review
+      uses: actions/dependency-review-action@v3
+```
+
+See [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows) for a more complex
+(and less functional) example that will work for pull requests submitted from forked repositories.
 
 ## Limiting the scope of the dependency graph
 
@@ -562,7 +629,7 @@ For example, a vulnerability in the tool you use to generate documentation is un
 There are a number of techniques you can employ to limit the scope of the generated dependency graph:
 - [Don't generate a dependency graph for all Gradle executions](#choosing-which-gradle-invocations-will-generate-a-dependency-graph)
 - [For a Gradle execution, filter which Gradle projects and configurations will contribute dependencies](#filtering-which-gradle-configurations-contribute-to-the-dependency-graph)
-- [Use a separate workflow that only resolves the required dependencies]()
+- [Use a separate workflow that only resolves the required dependencies](#use-a-dedicated-workflow-for-dependency-graph-generation)
 
 > [!NOTE]
 > Ideally, all dependencies involved in building and testing a project will be extracted and reported in a dependency graph. 
@@ -661,6 +728,9 @@ Note: when `download-and-submit` is used in a workflow triggered via [workflow_r
 ```yaml
 name: run-build-and-generate-dependency-snapshot
 
+on:
+  pull_request:
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -672,6 +742,13 @@ jobs:
         dependency-graph: generate # Only generate in this job
     - name: Run a build, generating the dependency graph snapshot which will be submitted
       run: ./gradlew build
+
+  dependency-review:
+    needs: build
+    runs-on: ubuntu-latest
+    - name: Perform dependency review
+      uses: actions/dependency-review-action@v3
+      
 ```
 
 ***Dependent workflow file***
@@ -684,7 +761,7 @@ on:
     types: [completed]
 
 jobs:
-  submit-snapshots:
+  submit-dependency-graph:
     runs-on: ubuntu-latest
     steps:
     - name: Retrieve dependency graph artifact and submit
@@ -693,9 +770,42 @@ jobs:
         dependency-graph: download-and-submit
 ```
 
+### Integrating `dependency-review-action` for pull request workflows
+
+The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
+understand dependency changes (and the security impact of these changes) for a pull request.
+
+To integrate the `dependency-review-action` into the pull request workflows above, a separate workflow should be added.
+This workflow will be triggered directly on `pull_request`, but will need to wait until the dependency graph results are
+submitted before the dependency review can complete. How long to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
+
+Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the PR check workflow to complete.
+
+```yaml
+name: dependency-review
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+    - name: 'Dependency Review'
+      uses: actions/dependency-review-action@v3
+      with:
+        retry-on-snapshot-warnings: true
+        retry-on-snapshot-warnings-timeout: 600
+```
+
+The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `run-build-and-generate-dependency-snapshot` and `submit-dependency-snapshot` workflows (above) to complete.
+
 ## Gradle version compatibility
 
-The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against 
+The GitHub Dependency Graph plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against 
 Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.
 
 The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
@@ -706,3 +816,65 @@ limited to Gradle "8.1.0" and later:
 To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
 configuration-cache disabled.
 
+# Gradle Enterprise plugin injection
+
+The `gradle-build-action` provides support for injecting and configuring the Gradle Enterprise Gradle plugin into any Gradle build, without any modification to the project sources.
+This is achieved via an init-script installed into Gradle User Home, which is enabled and parameterized via environment variables.
+
+The same auto-injection behavior is available for the Common Custom User Data Gradle plugin, which enriches any build scans published with additional useful information.
+
+## Enabling Gradle Enterprise injection
+
+In order to enable Gradle Enterprise for your build, you must provide the required configuration via environment variables. 
+
+Here's a minimal example:
+
+```yaml
+name: Run build with Gradle Enterprise injection
+  
+env:
+  GRADLE_ENTERPRISE_INJECTION_ENABLED: true
+  GRADLE_ENTERPRISE_URL: https://ge.gradle.org
+  GRADLE_ENTERPRISE_PLUGIN_VERSION: 3.15
+  GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_KEY }} # Required to publish scans to ge.gradle.org
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@v2
+    - name: Run a Gradle build with Gradle Enterprise injection enabled
+      run: ./gradlew build
+```
+
+This configuration will automatically apply `v3.15` of the [Gradle Enterprise Gradle plugin](https://docs.gradle.com/enterprise/gradle-plugin/), and publish build scans to https://ge.gradle.org.
+
+Note that the `ge.gradle.org` server requires authentication in order to publish scans. The provided `GRADLE_ENTERPRISE_ACCESS_KEY` isn't required by the Gradle Enterprise injection script, 
+but will be used by the GE plugin in order to authenticate with the server.
+
+## Configuring Gradle Enterprise injection
+
+The `init-script` supports a number of additional configuration parameters that you may fine useful. All configuration options (required and optional) are detailed below:
+
+| Variable | Required | Description |
+| --- | --- | --- |
+| GRADLE_ENTERPRISE_INJECTION_ENABLED | :white_check_mark: | enables Gradle Enterprise injection |
+| GRADLE_ENTERPRISE_URL | :white_check_mark: | the URL of the Gradle Enterprise server |
+| GRADLE_ENTERPRISE_ALLOW_UNTRUSTED_SERVER | | allow communication with an untrusted server; set to _true_ if your Gradle Enterprise instance is using a self-signed certificate |
+| GRADLE_ENTERPRISE_ENFORCE_URL | | enforce the configured Gradle Enterprise URL over a URL configured in the project's build; set to _true_ to enforce publication of build scans to the configured Gradle Enterprise URL |
+| GRADLE_ENTERPRISE_PLUGIN_VERSION | :white_check_mark: | the version of the [Gradle Enterprise Gradle plugin](https://docs.gradle.com/enterprise/gradle-plugin/) to apply |
+| GRADLE_ENTERPRISE_CCUD_PLUGIN_VERSION |  | the version of the [Common Custom User Data Gradle plugin](https://github.com/gradle/common-custom-user-data-gradle-plugin) to apply, if any |
+| GRADLE_ENTERPRISE_PLUGIN_REPOSITORY_URL |  | the URL of the repository to use when resolving the GE and CCUD plugins; the Gradle Plugin Portal is used by default |
+
+## Publishing to scans.gradle.com
+
+Gradle Enterprise injection is designed to enable publishing of build scans to a Gradle Enterprise instance,
+and is not suitable for publishing to the public Build Scans instance (https://scans.gradle.com).
+
+In order to publish Build Scans to scans.gradle.com, you need to:
+- Apply the Gradle Enterprise plugin to your build configuration ([see docs](https://docs.gradle.com/enterprise/get-started/#applying_the_plugin))
+- Programmatically accept the Terms of Service for scans.gradle.com ([see docs](https://docs.gradle.com/enterprise/gradle-plugin/#connecting_to_scans_gradle_com))
+- Execute the build with `--scan` or configure your build with `publishAlways()` ([see docs](https://docs.gradle.com/enterprise/get-started/#always_publishing_a_build_scan))
+

action.yml

@@ -35,6 +35,11 @@ inputs:
     required: false
     default: false
 
+  cache-overwrite-existing:
+    description: When 'true', a pre-existing Gradle User Home will not prevent the cache from being restored.
+    required: false
+    default: false
+
   gradle-home-cache-includes:
     description: Paths within Gradle User Home to cache.
     required: false
@@ -90,6 +95,8 @@ outputs:
     description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
   dependency-graph-file:
     description: Path to the GitHub Dependency Graph snapshot file generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
+  gradle-version:
+    description: Version of Gradle that was setup by the action
 
 runs:
   using: 'node16'

package.json

@@ -30,32 +30,33 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@actions/artifact": "1.1.1",
+    "@actions/artifact": "1.1.2",
     "@actions/cache": "3.2.2",
-    "@actions/core": "1.10.0",
+    "@actions/core": "1.10.1",
     "@actions/exec": "1.1.1",
     "@actions/github": "5.1.1",
     "@actions/glob": "0.4.0",
     "@actions/http-client": "2.1.1",
     "@actions/tool-cache": "2.0.1",
     "@octokit/rest": "19.0.13",
+    "@octokit/webhooks-types": "7.3.1",
     "string-argv": "0.3.2"
   },
   "devDependencies": {
     "@types/node": "16.18.38",
-    "@types/jest": "29.5.3",
-    "@types/unzipper": "0.10.6",
-    "@typescript-eslint/parser": "6.4.0",
-    "@vercel/ncc": "0.36.1",
-    "eslint": "8.47.0",
-    "eslint-plugin-github": "4.9.2",
-    "eslint-plugin-jest": "27.2.3",
+    "@types/jest": "29.5.5",
+    "@types/unzipper": "0.10.7",
+    "@typescript-eslint/parser": "6.7.3",
+    "@vercel/ncc": "0.38.0",
+    "eslint": "8.50.0",
+    "eslint-plugin-github": "4.10.0",
+    "eslint-plugin-jest": "27.4.0",
     "eslint-plugin-prettier": "5.0.0",
-    "jest": "29.6.2",
+    "jest": "29.7.0",
     "js-yaml": "4.1.0",
     "patch-package": "8.0.0",
-    "prettier": "3.0.1",
+    "prettier": "3.0.3",
     "ts-jest": "29.1.1",
-    "typescript": "5.1.6"
+    "typescript": "5.2.2"
   }
 }

src/cache-base.ts

@@ -172,11 +172,28 @@ export class GradleStateCache {
     }
 
     private initializeGradleUserHome(gradleUserHome: string, initScriptsDir: string): void {
+        // Ensure that pre-installed java versions are detected. Only add property if it isn't already defined.
+        const gradleProperties = path.resolve(gradleUserHome, 'gradle.properties')
+        const existingGradleProperties = fs.existsSync(gradleProperties)
+            ? fs.readFileSync(gradleProperties, 'utf8')
+            : ''
+        if (!existingGradleProperties.includes('org.gradle.java.installations.fromEnv=')) {
+            fs.appendFileSync(
+                gradleProperties,
+                `
+# Auto-detect pre-installed JDKs
+org.gradle.java.installations.fromEnv=JAVA_HOME_8_X64,JAVA_HOME_11_X64,JAVA_HOME_17_X64
+`
+            )
+        }
+
+        // Copy init scripts from src/resources
         const initScriptFilenames = [
-            'build-result-capture.init.gradle',
-            'build-result-capture-service.plugin.groovy',
-            'github-dependency-graph.init.gradle',
-            'github-dependency-graph-gradle-plugin-apply.groovy'
+            'gradle-build-action.build-result-capture.init.gradle',
+            'gradle-build-action.build-result-capture-service.plugin.groovy',
+            'gradle-build-action.github-dependency-graph.init.gradle',
+            'gradle-build-action.github-dependency-graph-gradle-plugin-apply.groovy',
+            'gradle-build-action.inject-gradle-enterprise.init.gradle'
         ]
         for (const initScriptFilename of initScriptFilenames) {
             const initScriptContent = this.readInitScriptAsString(initScriptFilename)

src/cache-cleaner.ts

@@ -42,7 +42,8 @@ export class CacheCleaner {
         )
         fs.writeFileSync(path.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}')
 
-        await exec.exec(`gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet noop`, [], {
+        const gradleCommand = `gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet -DGITHUB_DEPENDENCY_GRAPH_ENABLED=false noop`
+        await exec.exec(gradleCommand, [], {
             cwd: cleanupProjectDir
         })
     }

src/cache-reporting.ts

@@ -10,6 +10,7 @@ export class CacheListener {
     cacheReadOnly = false
     cacheWriteOnly = false
     cacheDisabled = false
+    cacheDisabledReason = 'disabled'
 
     get fullyRestored(): boolean {
         return this.cacheEntries.every(x => !x.wasRequestedButNotRestored())
@@ -17,7 +18,7 @@ export class CacheListener {
 
     get cacheStatus(): string {
         if (!cache.isFeatureAvailable()) return 'not available'
-        if (this.cacheDisabled) return 'disabled'
+        if (this.cacheDisabled) return this.cacheDisabledReason
         if (this.cacheWriteOnly) return 'write-only'
         if (this.cacheReadOnly) return 'read-only'
         return 'enabled'

src/cache-utils.ts

@@ -37,6 +37,10 @@ export function isCacheWriteOnly(): boolean {
     return params.isCacheWriteOnly()
 }
 
+export function isCacheOverwriteExisting(): boolean {
+    return params.isCacheOverwriteExisting()
+}
+
 export function isCacheDebuggingEnabled(): boolean {
     return params.isCacheDebuggingEnabled()
 }

src/caches.ts

@@ -1,5 +1,11 @@
 import * as core from '@actions/core'
-import {isCacheCleanupEnabled, isCacheDisabled, isCacheReadOnly, isCacheWriteOnly} from './cache-utils'
+import {
+    isCacheCleanupEnabled,
+    isCacheDisabled,
+    isCacheReadOnly,
+    isCacheWriteOnly,
+    isCacheOverwriteExisting
+} from './cache-utils'
 import {CacheListener} from './cache-reporting'
 import {DaemonController} from './daemon-controller'
 import {GradleStateCache} from './cache-base'
@@ -26,11 +32,16 @@ export async function restore(gradleUserHome: string, cacheListener: CacheListen
     }
 
     if (gradleStateCache.cacheOutputExists()) {
+        if (!isCacheOverwriteExisting()) {
             core.info('Gradle User Home already exists: will not restore from cache.')
             // Initialize pre-existing Gradle User Home.
             gradleStateCache.init()
+            cacheListener.cacheDisabled = true
+            cacheListener.cacheDisabledReason = 'disabled due to pre-existing Gradle User Home'
             return
         }
+        core.info('Gradle User Home already exists: will overwrite with cached contents.')
+    }
 
     gradleStateCache.init()
     // Mark the state as restored so that post-action will perform save.

src/dependency-graph.ts

@@ -3,7 +3,9 @@ import * as artifact from '@actions/artifact'
 import * as github from '@actions/github'
 import * as glob from '@actions/glob'
 import * as toolCache from '@actions/tool-cache'
-import {Octokit} from '@octokit/rest'
+import {GitHub} from '@actions/github/lib/utils'
+import {RequestError} from '@octokit/request-error'
+import type {PullRequestEvent} from '@octokit/webhooks-types'
 
 import * as path from 'path'
 import fs from 'fs'
@@ -13,16 +15,23 @@ import {DependencyGraphOption, getJobMatrix} from './input-params'
 
 const DEPENDENCY_GRAPH_ARTIFACT = 'dependency-graph'
 
-export function setup(option: DependencyGraphOption): void {
-    if (option === DependencyGraphOption.Disabled || option === DependencyGraphOption.DownloadAndSubmit) {
+export async function setup(option: DependencyGraphOption): Promise<void> {
+    if (option === DependencyGraphOption.Disabled) {
+        return
+    }
+    // Download and submit early, for compatability with dependency review.
+    if (option === DependencyGraphOption.DownloadAndSubmit) {
+        await downloadAndSubmitDependencyGraphs()
         return
     }
 
     core.info('Enabling dependency graph generation')
-    const jobCorrelator = getJobCorrelator()
     core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true')
-    core.exportVariable('GITHUB_JOB_CORRELATOR', jobCorrelator)
-    core.exportVariable('GITHUB_JOB_ID', github.context.runId)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', getJobCorrelator())
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_REF', github.context.ref)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', getShaFromContext())
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_WORKSPACE', layout.workspaceDirectory())
     core.exportVariable(
         'DEPENDENCY_GRAPH_REPORT_DIR',
         path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports')
@@ -32,6 +41,7 @@ export function setup(option: DependencyGraphOption): void {
 export async function complete(option: DependencyGraphOption): Promise<void> {
     switch (option) {
         case DependencyGraphOption.Disabled:
+        case DependencyGraphOption.DownloadAndSubmit: // Performed in setup
             return
         case DependencyGraphOption.Generate:
             await uploadDependencyGraphs()
@@ -39,8 +49,6 @@ export async function complete(option: DependencyGraphOption): Promise<void> {
         case DependencyGraphOption.GenerateAndSubmit:
             await submitDependencyGraphs(await uploadDependencyGraphs())
             return
-        case DependencyGraphOption.DownloadAndSubmit:
-            await downloadAndSubmitDependencyGraphs()
     }
 }
 
@@ -63,9 +71,26 @@ async function downloadAndSubmitDependencyGraphs(): Promise<void> {
 }
 
 async function submitDependencyGraphs(dependencyGraphFiles: string[]): Promise<void> {
-    const octokit: Octokit = getOctokit()
-
     for (const jsonFile of dependencyGraphFiles) {
+        try {
+            await submitDependencyGraphFile(jsonFile)
+        } catch (error) {
+            if (error instanceof RequestError) {
+                const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+                core.warning(
+                    `Failed to submit dependency graph ${relativeJsonFile}.\n` +
+                        "Please ensure that the 'contents: write' permission is available for the workflow job.\n" +
+                        "Note that this permission is never available for a 'pull_request' trigger from a repository fork."
+                )
+            } else {
+                throw error
+            }
+        }
+    }
+}
+
+async function submitDependencyGraphFile(jsonFile: string): Promise<void> {
+    const octokit = getOctokit()
     const jsonContent = fs.readFileSync(jsonFile, 'utf8')
 
     const jsonObject = JSON.parse(jsonContent)
@@ -75,7 +100,6 @@ async function submitDependencyGraphs(dependencyGraphFiles: string[]): Promise<v
 
     const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
     core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
-    }
 }
 
 async function retrieveDependencyGraphs(workspaceDirectory: string): Promise<string[]> {
@@ -86,7 +110,7 @@ async function retrieveDependencyGraphs(workspaceDirectory: string): Promise<str
 }
 
 async function retrieveDependencyGraphsForWorkflowRun(runId: number, workspaceDirectory: string): Promise<string[]> {
-    const octokit: Octokit = getOctokit()
+    const octokit = getOctokit()
 
     // Find the workflow run artifacts named "dependency-graph"
     const artifacts = await octokit.rest.actions.listWorkflowRunArtifacts({
@@ -136,10 +160,8 @@ async function findDependencyGraphFiles(dir: string): Promise<string[]> {
     return graphFiles
 }
 
-function getOctokit(): Octokit {
-    return new Octokit({
-        auth: getGithubToken()
-    })
+function getOctokit(): InstanceType<typeof GitHub> {
+    return github.getOctokit(getGithubToken())
 }
 
 function getGithubToken(): string {
@@ -151,7 +173,26 @@ function getRelativePathFromWorkspace(file: string): string {
     return path.relative(workspaceDirectory, file)
 }
 
-export function getJobCorrelator(): string {
+function getShaFromContext(): string {
+    const context = github.context
+    const pullRequestEvents = [
+        'pull_request',
+        'pull_request_comment',
+        'pull_request_review',
+        'pull_request_review_comment'
+        // Note that pull_request_target is omitted here.
+        // That event runs in the context of the base commit of the PR,
+        // so the snapshot should not be associated with the head commit.
+    ]
+    if (pullRequestEvents.includes(context.eventName)) {
+        const pr = (context.payload as PullRequestEvent).pull_request
+        return pr.head.sha
+    } else {
+        return context.sha
+    }
+}
+
+function getJobCorrelator(): string {
     return constructJobCorrelator(github.context.workflow, github.context.job, getJobMatrix())
 }
 

src/input-params.ts

@@ -13,6 +13,10 @@ export function isCacheWriteOnly(): boolean {
     return getBooleanInput('cache-write-only')
 }
 
+export function isCacheOverwriteExisting(): boolean {
+    return getBooleanInput('cache-overwrite-existing')
+}
+
 export function isCacheStrictMatch(): boolean {
     return getBooleanInput('gradle-home-cache-strict-match')
 }

src/provision.ts

@@ -38,6 +38,12 @@ async function addToPath(executable: string): Promise<string> {
 }
 
 async function installGradle(version: string): Promise<string> {
+    const versionInfo = await resolveGradleVersion(version)
+    core.setOutput('gradle-version', versionInfo.version)
+    return installGradleVersion(versionInfo)
+}
+
+async function resolveGradleVersion(version: string): Promise<GradleVersionInfo> {
     switch (version) {
         case 'current':
             return gradleCurrent()
@@ -55,36 +61,33 @@ async function installGradle(version: string): Promise<string> {
     }
 }
 
-async function gradleCurrent(): Promise<string> {
-    const versionInfo = await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/current`)
-    return installGradleVersion(versionInfo)
+async function gradleCurrent(): Promise<GradleVersionInfo> {
+    return await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/current`)
 }
 
-async function gradleReleaseCandidate(): Promise<string> {
+async function gradleReleaseCandidate(): Promise<GradleVersionInfo> {
     const versionInfo = await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/release-candidate`)
     if (versionInfo && versionInfo.version && versionInfo.downloadUrl) {
-        return installGradleVersion(versionInfo)
+        return versionInfo
     }
     core.info('No current release-candidate found, will fallback to current')
     return gradleCurrent()
 }
 
-async function gradleNightly(): Promise<string> {
-    const versionInfo = await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/nightly`)
-    return installGradleVersion(versionInfo)
+async function gradleNightly(): Promise<GradleVersionInfo> {
+    return await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/nightly`)
 }
 
-async function gradleReleaseNightly(): Promise<string> {
-    const versionInfo = await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/release-nightly`)
-    return installGradleVersion(versionInfo)
+async function gradleReleaseNightly(): Promise<GradleVersionInfo> {
+    return await gradleVersionDeclaration(`${gradleVersionsBaseUrl}/release-nightly`)
 }
 
-async function gradle(version: string): Promise<string> {
+async function gradle(version: string): Promise<GradleVersionInfo> {
     const versionInfo = await findGradleVersionDeclaration(version)
     if (!versionInfo) {
         throw new Error(`Gradle version ${version} does not exists`)
     }
-    return installGradleVersion(versionInfo)
+    return versionInfo
 }
 
 async function gradleVersionDeclaration(url: string): Promise<GradleVersionInfo> {

src/resources/init-scripts/gradle-build-action.build-result-capture.init.gradle

@@ -82,7 +82,7 @@ def captureUsingBuildFinished(gradle, invocationId) {
 
 def captureUsingBuildService(settings, invocationId) {
     gradle.ext.invocationId = invocationId
-    apply from: 'build-result-capture-service.plugin.groovy'
+    apply from: 'gradle-build-action.build-result-capture-service.plugin.groovy'
 }
 
 class BuildResults {

src/resources/init-scripts/gradle-build-action.github-dependency-graph-gradle-plugin-apply.groovy

@@ -3,7 +3,7 @@ buildscript {
     maven { url "https://plugins.gradle.org/m2/" }
   }
   dependencies {
-    classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0"
+    classpath "org.gradle:github-dependency-graph-gradle-plugin:0.4.1"
   }
 }
 apply plugin: org.gradle.github.GitHubDependencyGraphPlugin

src/resources/init-scripts/gradle-build-action.github-dependency-graph.init.gradle

@@ -1,7 +1,7 @@
 import org.gradle.util.GradleVersion
 
 // Only run when dependency graph is explicitly enabled
-if (System.env.GITHUB_DEPENDENCY_GRAPH_ENABLED != "true") {
+if (getVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED') != "true") {
   return
 }
 
@@ -15,10 +15,10 @@ if (GradleVersion.current().baseVersion < GradleVersion.version("5.0")) {
 // This is only required for top-level builds
 def isTopLevelBuild = gradle.getParent() == null
 if (isTopLevelBuild) {
-  def reportFile = getUniqueReportFile(System.env.GITHUB_JOB_CORRELATOR)
+  def reportFile = getUniqueReportFile(getVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR'))
 
   if (reportFile == null) {
-    println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_JOB_CORRELATOR var for this step."
+    println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR var for this step."
     return
   }
 
@@ -31,7 +31,7 @@ if (isTopLevelBuild) {
   println "Generating dependency graph into '${reportFile}'"
 }
 
-apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
+apply from: 'gradle-build-action.github-dependency-graph-gradle-plugin-apply.groovy'
 
 /**
  * Using the supplied jobCorrelator value:
@@ -40,7 +40,7 @@ apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
  * - When found, this value is set as a System property override.
  */
 File getUniqueReportFile(String jobCorrelator) {
-    def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR
+    def reportDir = getVariable('DEPENDENCY_GRAPH_REPORT_DIR')
     def reportFile = new File(reportDir, jobCorrelator + ".json")
     if (!reportFile.exists()) return reportFile
 
@@ -49,7 +49,7 @@ File getUniqueReportFile(String jobCorrelator) {
         def candidateCorrelator = jobCorrelator + "-" + i
         def candidateFile = new File(reportDir, candidateCorrelator + ".json")
         if (!candidateFile.exists()) {
-           System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator
+           System.properties['GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR'] = candidateCorrelator
            return candidateFile
         }
     }
@@ -57,3 +57,10 @@ File getUniqueReportFile(String jobCorrelator) {
     // Could not determine unique job correlator
     return null
 }
+
+/**
+* Return the environment variable value, or equivalent system property (if set)
+*/
+String getVariable(String name) {
+  return System.properties[name] ?: System.getenv(name)
+}

src/resources/init-scripts/gradle-build-action.inject-gradle-enterprise.init.gradle

@@ -0,0 +1,192 @@
+import org.gradle.util.GradleVersion
+
+// note that there is no mechanism to share code between the initscript{} block and the main script, so some logic is duplicated
+
+// conditionally apply the GE / Build Scan plugin to the classpath so it can be applied to the build further down in this script
+initscript {
+    def isTopLevelBuild = !gradle.parent
+    if (!isTopLevelBuild) {
+        return
+    }
+
+    def getInputParam = { String name ->
+        def envVarName = name.toUpperCase().replace('.', '_').replace('-', '_')
+        return System.getProperty(name) ?: System.getenv(envVarName)
+    }
+
+    // finish early if injection is disabled
+    def gradleInjectionEnabled = getInputParam("gradle-enterprise.injection-enabled")
+    if (gradleInjectionEnabled != "true") {
+        return
+    }
+
+    def pluginRepositoryUrl = getInputParam('gradle-enterprise.plugin-repository.url')
+    def gePluginVersion = getInputParam('gradle-enterprise.plugin.version')
+    def ccudPluginVersion = getInputParam('gradle-enterprise.ccud-plugin.version')
+
+    def atLeastGradle5 = GradleVersion.current() >= GradleVersion.version('5.0')
+    def atLeastGradle4 = GradleVersion.current() >= GradleVersion.version('4.0')
+
+    if (gePluginVersion || ccudPluginVersion && atLeastGradle4) {
+        pluginRepositoryUrl = pluginRepositoryUrl ?: 'https://plugins.gradle.org/m2'
+        logger.quiet("Gradle Enterprise plugins resolution: $pluginRepositoryUrl")
+
+        repositories {
+            maven { url pluginRepositoryUrl }
+        }
+    }
+
+    dependencies {
+        if (gePluginVersion) {
+            classpath atLeastGradle5 ?
+                "com.gradle:gradle-enterprise-gradle-plugin:$gePluginVersion" :
+                "com.gradle:build-scan-plugin:1.16"
+        }
+
+        if (ccudPluginVersion && atLeastGradle4) {
+            classpath "com.gradle:common-custom-user-data-gradle-plugin:$ccudPluginVersion"
+        }
+    }
+}
+
+def BUILD_SCAN_PLUGIN_ID = 'com.gradle.build-scan'
+def BUILD_SCAN_PLUGIN_CLASS = 'com.gradle.scan.plugin.BuildScanPlugin'
+
+def GRADLE_ENTERPRISE_PLUGIN_ID = 'com.gradle.enterprise'
+def GRADLE_ENTERPRISE_PLUGIN_CLASS = 'com.gradle.enterprise.gradleplugin.GradleEnterprisePlugin'
+def GRADLE_ENTERPRISE_EXTENSION_CLASS = 'com.gradle.enterprise.gradleplugin.GradleEnterpriseExtension'
+def CI_AUTO_INJECTION_CUSTOM_VALUE_NAME = 'CI auto injection'
+def CI_AUTO_INJECTION_CUSTOM_VALUE_VALUE = 'gradle-build-action'
+def CCUD_PLUGIN_ID = 'com.gradle.common-custom-user-data-gradle-plugin'
+def CCUD_PLUGIN_CLASS = 'com.gradle.CommonCustomUserDataGradlePlugin'
+
+def isTopLevelBuild = !gradle.parent
+if (!isTopLevelBuild) {
+    return
+}
+
+def getInputParam = { String name ->
+    def envVarName = name.toUpperCase().replace('.', '_').replace('-', '_')
+    return System.getProperty(name) ?: System.getenv(envVarName)
+}
+
+// finish early if injection is disabled
+def gradleInjectionEnabled = getInputParam("gradle-enterprise.injection-enabled")
+if (gradleInjectionEnabled != "true") {
+    return
+}
+
+def geUrl = getInputParam('gradle-enterprise.url')
+def geAllowUntrustedServer = Boolean.parseBoolean(getInputParam('gradle-enterprise.allow-untrusted-server'))
+def geEnforceUrl = Boolean.parseBoolean(getInputParam('gradle-enterprise.enforce-url'))
+def buildScanUploadInBackground = Boolean.parseBoolean(getInputParam('gradle-enterprise.build-scan.upload-in-background'))
+def gePluginVersion = getInputParam('gradle-enterprise.plugin.version')
+def ccudPluginVersion = getInputParam('gradle-enterprise.ccud-plugin.version')
+
+def atLeastGradle4 = GradleVersion.current() >= GradleVersion.version('4.0')
+
+// finish early if configuration parameters passed in via system properties are not valid/supported
+if (ccudPluginVersion && isNotAtLeast(ccudPluginVersion, '1.7')) {
+    logger.warn("Common Custom User Data Gradle plugin must be at least 1.7. Configured version is $ccudPluginVersion.")
+    return
+}
+
+// register buildScanPublished listener and optionally apply the GE / Build Scan plugin
+if (GradleVersion.current() < GradleVersion.version('6.0')) {
+    rootProject {
+        buildscript.configurations.getByName("classpath").incoming.afterResolve { ResolvableDependencies incoming ->
+            def resolutionResult = incoming.resolutionResult
+
+            if (gePluginVersion) {
+                def scanPluginComponent = resolutionResult.allComponents.find {
+                    it.moduleVersion.with { group == "com.gradle" && (name == "build-scan-plugin" || name == "gradle-enterprise-gradle-plugin") }
+                }
+                if (!scanPluginComponent) {
+                    logger.quiet("Applying $BUILD_SCAN_PLUGIN_CLASS via init script")
+                    logger.quiet("Connection to Gradle Enterprise: $geUrl, allowUntrustedServer: $geAllowUntrustedServer")
+                    applyPluginExternally(pluginManager, BUILD_SCAN_PLUGIN_CLASS)
+                    buildScan.server = geUrl
+                    buildScan.allowUntrustedServer = geAllowUntrustedServer
+                    buildScan.publishAlways()
+                    if (buildScan.metaClass.respondsTo(buildScan, 'setUploadInBackground', Boolean)) buildScan.uploadInBackground = buildScanUploadInBackground  // uploadInBackground not available for build-scan-plugin 1.16
+                    buildScan.value CI_AUTO_INJECTION_CUSTOM_VALUE_NAME, CI_AUTO_INJECTION_CUSTOM_VALUE_VALUE
+                }
+
+                if (geUrl && geEnforceUrl) {
+                    pluginManager.withPlugin(BUILD_SCAN_PLUGIN_ID) {
+                        afterEvaluate {
+                            logger.quiet("Enforcing Gradle Enterprise: $geUrl, allowUntrustedServer: $geAllowUntrustedServer")
+                            buildScan.server = geUrl
+                            buildScan.allowUntrustedServer = geAllowUntrustedServer
+                        }
+                    }
+                }
+            }
+
+            if (ccudPluginVersion && atLeastGradle4) {
+                def ccudPluginComponent = resolutionResult.allComponents.find {
+                    it.moduleVersion.with { group == "com.gradle" && name == "common-custom-user-data-gradle-plugin" }
+                }
+                if (!ccudPluginComponent) {
+                    logger.quiet("Applying $CCUD_PLUGIN_CLASS via init script")
+                    pluginManager.apply(initscript.classLoader.loadClass(CCUD_PLUGIN_CLASS))
+                }
+            }
+        }
+    }
+} else {
+    gradle.settingsEvaluated { settings ->
+        if (gePluginVersion) {
+            if (!settings.pluginManager.hasPlugin(GRADLE_ENTERPRISE_PLUGIN_ID)) {
+                logger.quiet("Applying $GRADLE_ENTERPRISE_PLUGIN_CLASS via init script")
+                logger.quiet("Connection to Gradle Enterprise: $geUrl, allowUntrustedServer: $geAllowUntrustedServer")
+                applyPluginExternally(settings.pluginManager, GRADLE_ENTERPRISE_PLUGIN_CLASS)
+                extensionsWithPublicType(settings, GRADLE_ENTERPRISE_EXTENSION_CLASS).collect { settings[it.name] }.each { ext ->
+                    ext.server = geUrl
+                    ext.allowUntrustedServer = geAllowUntrustedServer
+                    ext.buildScan.publishAlways()
+                    ext.buildScan.uploadInBackground = buildScanUploadInBackground
+                    ext.buildScan.value CI_AUTO_INJECTION_CUSTOM_VALUE_NAME, CI_AUTO_INJECTION_CUSTOM_VALUE_VALUE
+                }
+            }
+
+            if (geUrl && geEnforceUrl) {
+                extensionsWithPublicType(settings, GRADLE_ENTERPRISE_EXTENSION_CLASS).collect { settings[it.name] }.each { ext ->
+                    logger.quiet("Enforcing Gradle Enterprise: $geUrl, allowUntrustedServer: $geAllowUntrustedServer")
+                    ext.server = geUrl
+                    ext.allowUntrustedServer = geAllowUntrustedServer
+                }
+            }
+        }
+
+        if (ccudPluginVersion) {
+            if (!settings.pluginManager.hasPlugin(CCUD_PLUGIN_ID)) {
+                logger.quiet("Applying $CCUD_PLUGIN_CLASS via init script")
+                settings.pluginManager.apply(initscript.classLoader.loadClass(CCUD_PLUGIN_CLASS))
+            }
+        }
+    }
+}
+
+void applyPluginExternally(PluginManager pluginManager, String pluginClassName) {
+    def externallyApplied = 'gradle.enterprise.externally-applied'
+    def oldValue = System.getProperty(externallyApplied)
+    System.setProperty(externallyApplied, 'true')
+    try {
+        pluginManager.apply(initscript.classLoader.loadClass(pluginClassName))
+    } finally {
+        if (oldValue == null) {
+            System.clearProperty(externallyApplied)
+        } else {
+            System.setProperty(externallyApplied, oldValue)
+        }
+    }
+}
+
+static def extensionsWithPublicType(def container, String publicType) {
+    container.extensions.extensionsSchema.elements.findAll { it.publicType.concreteClass.name == publicType }
+}
+
+static boolean isNotAtLeast(String versionUnderTest, String referenceVersion) {
+    GradleVersion.version(versionUnderTest) < GradleVersion.version(referenceVersion)
+}

src/setup-gradle.ts

@@ -38,7 +38,7 @@ export async function setup(): Promise<void> {
 
     core.saveState(CACHE_LISTENER, cacheListener.stringify())
 
-    dependencyGraph.setup(params.getDependencyGraphOption())
+    await dependencyGraph.setup(params.getDependencyGraphOption())
 }
 
 export async function complete(): Promise<void> {
@@ -62,7 +62,7 @@ export async function complete(): Promise<void> {
         logJobSummary(buildResults, cacheListener)
     }
 
-    dependencyGraph.complete(params.getDependencyGraphOption())
+    await dependencyGraph.complete(params.getDependencyGraphOption())
 }
 
 async function determineGradleUserHome(): Promise<string> {

test/init-scripts/gradle/wrapper/gradle-wrapper.properties

@@ -1,7 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip
+distributionSha256Sum=591855b517fc635b9e04de1d05d5e76ada3f89f5fc76f87978d1b245b4f69225
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

test/init-scripts/gradlew

@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

test/init-scripts/settings.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id "com.gradle.enterprise" version "3.14.1"
-    id "com.gradle.common-custom-user-data-gradle-plugin" version "1.11.1"
+    id "com.gradle.enterprise" version "3.15"
+    id "com.gradle.common-custom-user-data-gradle-plugin" version "1.11.2"
 }
 
 gradleEnterprise {

test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/BaseInitScriptTest.groovy

@@ -16,6 +16,8 @@ import java.nio.file.Files
 import java.util.zip.GZIPOutputStream
 
 class BaseInitScriptTest extends Specification {
+    static final String GE_PLUGIN_VERSION = '3.15'
+    static final String CCUD_PLUGIN_VERSION = '1.11.2'
 
     static final TestGradleVersion GRADLE_3_X = new TestGradleVersion(GradleVersion.version('3.5.1'), 7, 9)
     static final TestGradleVersion GRADLE_4_X = new TestGradleVersion(GradleVersion.version('4.10.3'), 7, 10)
@@ -24,7 +26,7 @@ class BaseInitScriptTest extends Specification {
     static final TestGradleVersion GRADLE_6_X = new TestGradleVersion(GradleVersion.version('6.9.4'), 8, 15)
     static final TestGradleVersion GRADLE_7_X = new TestGradleVersion(GradleVersion.version('7.6.2'), 8, 19)
     static final TestGradleVersion GRADLE_8_0 = new TestGradleVersion(GradleVersion.version('8.0.2'), 8, 19)
-    static final TestGradleVersion GRADLE_8_X = new TestGradleVersion(GradleVersion.version('8.2.1'), 8, 19)
+    static final TestGradleVersion GRADLE_8_X = new TestGradleVersion(GradleVersion.version('8.3'), 8, 19)
 
     static final List<TestGradleVersion> ALL_VERSIONS = [
         GRADLE_3_X, // First version where TestKit supports environment variables
@@ -126,12 +128,17 @@ class BaseInitScriptTest extends Specification {
         buildFile << ''
     }
 
-    def declareGePluginApplication(GradleVersion gradleVersion) {
-        settingsFile.text = maybeAddPluginsToSettings(gradleVersion) + settingsFile.text
-        buildFile.text = maybeAddPluginsToRootProject(gradleVersion) + buildFile.text
+    def declareGePluginApplication(GradleVersion gradleVersion, URI serverUrl = mockScansServer.address) {
+        settingsFile.text = maybeAddPluginsToSettings(gradleVersion, null, serverUrl) + settingsFile.text
+        buildFile.text = maybeAddPluginsToRootProject(gradleVersion, null, serverUrl) + buildFile.text
     }
 
-    String maybeAddPluginsToSettings(GradleVersion gradleVersion) {
+    def declareGePluginAndCcudPluginApplication(GradleVersion gradleVersion, URI serverUrl = mockScansServer.address) {
+        settingsFile.text = maybeAddPluginsToSettings(gradleVersion, CCUD_PLUGIN_VERSION, serverUrl) + settingsFile.text
+        buildFile.text = maybeAddPluginsToRootProject(gradleVersion, CCUD_PLUGIN_VERSION, serverUrl) + buildFile.text
+    }
+
+    String maybeAddPluginsToSettings(GradleVersion gradleVersion, String ccudPluginVersion, URI serverUri) {
         if (gradleVersion < GradleVersion.version('5.0')) {
             '' // applied in build.gradle
         } else if (gradleVersion < GradleVersion.version('6.0')) {
@@ -139,10 +146,11 @@ class BaseInitScriptTest extends Specification {
         } else {
             """
               plugins {
-                id 'com.gradle.enterprise' version '3.14.1'
+                id 'com.gradle.enterprise' version '${GE_PLUGIN_VERSION}'
+                ${ccudPluginVersion ? "id 'com.gradle.common-custom-user-data-gradle-plugin' version '$ccudPluginVersion'" : ""}
               }
               gradleEnterprise {
-                server = '$mockScansServer.address'
+                server = '$serverUri'
                 buildScan {
                   publishAlways()
                 }
@@ -151,24 +159,26 @@ class BaseInitScriptTest extends Specification {
         }
     }
 
-    String maybeAddPluginsToRootProject(GradleVersion gradleVersion) {
+    String maybeAddPluginsToRootProject(GradleVersion gradleVersion, String ccudPluginVersion, URI serverUrl) {
         if (gradleVersion < GradleVersion.version('5.0')) {
             """
               plugins {
                 id 'com.gradle.build-scan' version '1.16'
+                ${ccudPluginVersion ? "id 'com.gradle.common-custom-user-data-gradle-plugin' version '$ccudPluginVersion'" : ""}
               }
               buildScan {
-                server = '$mockScansServer.address'
+                server = '$serverUrl'
                 publishAlways()
               }
             """
         } else if (gradleVersion < GradleVersion.version('6.0')) {
             """
               plugins {
-                id 'com.gradle.build-scan' version '3.14.1'
+                id 'com.gradle.build-scan' version '${GE_PLUGIN_VERSION}'
+                ${ccudPluginVersion ? "id 'com.gradle.common-custom-user-data-gradle-plugin' version '$ccudPluginVersion'" : ""}
               }
               gradleEnterprise {
-                server = '$mockScansServer.address'
+                server = '$serverUrl'
                 buildScan {
                   publishAlways()
                 }

test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestBuildResultRecorder.groovy

@@ -5,7 +5,7 @@ import groovy.json.JsonSlurper
 import static org.junit.Assume.assumeTrue
 
 class TestBuildResultRecorder extends BaseInitScriptTest {
-    def initScript = 'build-result-capture.init.gradle'
+    def initScript = 'gradle-build-action.build-result-capture.init.gradle'
 
     def "produces build results file for build with #testGradleVersion"() {
         assumeTrue testGradleVersion.compatibleWithCurrentJvm
@@ -154,7 +154,7 @@ class TestBuildResultRecorder extends BaseInitScriptTest {
         when:
         settingsFile.text = """
             plugins {
-                id 'com.gradle.enterprise' version '3.14.1' apply(false)
+                id 'com.gradle.enterprise' version '3.15' apply(false)
             }
             gradle.settingsEvaluated {
                 apply plugin: 'com.gradle.enterprise'

test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestDependencyGraph.groovy

@@ -3,7 +3,7 @@ package com.gradle.gradlebuildaction
 import static org.junit.Assume.assumeTrue
 
 class TestDependencyGraph extends BaseInitScriptTest {
-    def initScript = 'github-dependency-graph.init.gradle'
+    def initScript = 'gradle-build-action.github-dependency-graph.init.gradle'
 
     static final List<TestGradleVersion> NO_DEPENDENCY_GRAPH_VERSIONS = [GRADLE_3_X, GRADLE_4_X]
     static final List<TestGradleVersion> DEPENDENCY_GRAPH_VERSIONS = ALL_VERSIONS - NO_DEPENDENCY_GRAPH_VERSIONS
@@ -32,20 +32,20 @@ class TestDependencyGraph extends BaseInitScriptTest {
         assert gitHubOutputFile.text == "dependency-graph-file=${reportFile.absolutePath}\n"
 
         where:
-        testGradleVersion << GRADLE_8_X
+        testGradleVersion << [GRADLE_8_X]
     }
 
-    // Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle
     def "produces dependency graph with configuration-cache on latest Gradle"() {
         assumeTrue testGradleVersion.compatibleWithCurrentJvm
 
         when:
-        run(['help'], initScript, testGradleVersion.gradleVersion, [], envVars)
+        run(['help', '--configuration-cache'], initScript, testGradleVersion.gradleVersion, [], envVars)
 
         then:
         assert reportFile.exists()
 
         where:
+        // Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle
         testGradleVersion << [GRADLE_8_X]
     }
 
@@ -110,11 +110,11 @@ class TestDependencyGraph extends BaseInitScriptTest {
     def getEnvVars() {
         return [
             GITHUB_DEPENDENCY_GRAPH_ENABLED: "true",
-            GITHUB_JOB_CORRELATOR: "CORRELATOR",
-            GITHUB_JOB_ID: "1",
-            GITHUB_REF: "main",
-            GITHUB_SHA: "123456",
-            GITHUB_WORKSPACE: testProjectDir.absolutePath,
+            GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR: "CORRELATOR",
+            GITHUB_DEPENDENCY_GRAPH_JOB_ID: "1",
+            GITHUB_DEPENDENCY_GRAPH_REF: "main",
+            GITHUB_DEPENDENCY_GRAPH_SHA: "123456",
+            GITHUB_DEPENDENCY_GRAPH_WORKSPACE: testProjectDir.absolutePath,
             DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath,
             GITHUB_OUTPUT: gitHubOutputFile.absolutePath
         ]

test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestGradleEnterpriseInjection.groovy

@@ -0,0 +1,401 @@
+package com.gradle.gradlebuildaction
+
+import org.gradle.testkit.runner.BuildResult
+import org.gradle.util.GradleVersion
+
+import static org.junit.Assume.assumeTrue
+
+class TestGradleEnterpriseInjection  extends BaseInitScriptTest {
+    static final List<TestGradleVersion> CCUD_COMPATIBLE_VERSIONS = ALL_VERSIONS - [GRADLE_3_X]
+
+    def initScript = 'gradle-build-action.inject-gradle-enterprise.init.gradle'
+
+    private static final GradleVersion GRADLE_6 = GradleVersion.version('6.0')
+
+    def "does not apply GE plugins when not requested"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def result = run([], initScript, testGradleVersion.gradleVersion)
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "does not override GE plugin when already defined in project"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        given:
+        declareGePluginApplication(testGradleVersion.gradleVersion)
+
+        when:
+        def result = run(testGradleVersion, testConfig())
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "applies GE plugin via init script when not defined in project"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def result = run(testGradleVersion, testConfig())
+
+        then:
+        outputContainsGePluginApplicationViaInitScript(result, testGradleVersion.gradleVersion)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "applies GE and CCUD plugins via init script when not defined in project"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def result = run(testGradleVersion, testConfig().withCCUDPlugin())
+
+        then:
+        outputContainsGePluginApplicationViaInitScript(result, testGradleVersion.gradleVersion)
+        outputContainsCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << CCUD_COMPATIBLE_VERSIONS
+    }
+
+    def "applies CCUD plugin via init script where GE plugin already applied"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        given:
+        declareGePluginApplication(testGradleVersion.gradleVersion)
+
+        when:
+        def result = run(testGradleVersion, testConfig().withCCUDPlugin())
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputContainsCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << CCUD_COMPATIBLE_VERSIONS
+    }
+
+    def "does not override CCUD plugin when already defined in project"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        given:
+        declareGePluginAndCcudPluginApplication(testGradleVersion.gradleVersion)
+
+        when:
+        def result = run(testGradleVersion, testConfig().withCCUDPlugin())
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << CCUD_COMPATIBLE_VERSIONS
+    }
+
+    def "ignores GE URL and allowUntrustedServer when GE plugin is not applied by the init script"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        given:
+        declareGePluginApplication(testGradleVersion.gradleVersion)
+
+        when:
+        def config = testConfig().withServer(URI.create('https://ge-server.invalid'))
+        def result = run(testGradleVersion, config)
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "configures GE URL and allowUntrustedServer when GE plugin is applied by the init script"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def config = testConfig().withServer(mockScansServer.address)
+        def result = run(testGradleVersion, config)
+
+        then:
+        outputContainsGePluginApplicationViaInitScript(result, testGradleVersion.gradleVersion)
+        outputContainsGeConnectionInfo(result, mockScansServer.address.toString(), true)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+        outputContainsPluginRepositoryInfo(result, 'https://plugins.gradle.org/m2')
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "enforces GE URL and allowUntrustedServer in project if enforce url parameter is enabled"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        given:
+        declareGePluginApplication(testGradleVersion.gradleVersion, URI.create('https://ge-server.invalid'))
+
+        when:
+        def config = testConfig().withServer(mockScansServer.address, true)
+        def result = run(testGradleVersion, config)
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputEnforcesGeUrl(result, mockScansServer.address.toString(), true)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "can configure alternative repository for plugins when GE plugin is applied by the init script"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def config = testConfig().withPluginRepository(new URI('https://plugins.grdev.net/m2'))
+        def result = run(testGradleVersion, config)
+
+        then:
+        outputContainsGePluginApplicationViaInitScript(result, testGradleVersion.gradleVersion)
+        outputContainsGeConnectionInfo(result, mockScansServer.address.toString(), true)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+        outputContainsPluginRepositoryInfo(result, 'https://plugins.grdev.net/m2')
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "stops gracefully when requested CCUD plugin version is <1.7"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def config = testConfig().withCCUDPlugin("1.6.6")
+        def result = run(testGradleVersion, config)
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+        result.output.contains('Common Custom User Data Gradle plugin must be at least 1.7. Configured version is 1.6.6.')
+
+        where:
+        testGradleVersion << ALL_VERSIONS
+    }
+
+    def "can configure GE via CCUD system property overrides when CCUD plugin is inject via init script"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def config = testConfig().withCCUDPlugin().withServer(URI.create('https://ge-server.invalid'))
+        def result = run(testGradleVersion, config, ["help", "-Dgradle.enterprise.url=${mockScansServer.address}".toString()])
+
+        then:
+        outputContainsGePluginApplicationViaInitScript(result, testGradleVersion.gradleVersion)
+        outputContainsCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << CCUD_COMPATIBLE_VERSIONS
+    }
+
+    def "init script is configuration cache compatible"() {
+        assumeTrue testGradleVersion.compatibleWithCurrentJvm
+
+        when:
+        def config = testConfig().withCCUDPlugin()
+        def result = run(testGradleVersion, config, ["help", "--configuration-cache"])
+
+        then:
+        outputContainsGePluginApplicationViaInitScript(result, testGradleVersion.gradleVersion)
+        outputContainsCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        when:
+        result = run(testGradleVersion, config, ["help", "--configuration-cache"])
+
+        then:
+        outputMissesGePluginApplicationViaInitScript(result)
+        outputMissesCcudPluginApplicationViaInitScript(result)
+
+        and:
+        outputContainsBuildScanUrl(result)
+
+        where:
+        testGradleVersion << CONFIGURATION_CACHE_VERSIONS
+    }
+
+    void outputContainsBuildScanUrl(BuildResult result) {
+        def message = "Publishing build scan...\n${mockScansServer.address}s/$PUBLIC_BUILD_SCAN_ID"
+        assert result.output.contains(message)
+        assert 1 == result.output.count(message)
+    }
+
+    void outputContainsGePluginApplicationViaInitScript(BuildResult result, GradleVersion gradleVersion) {
+        def pluginApplicationLogMsgGradle4And5 = "Applying com.gradle.scan.plugin.BuildScanPlugin via init script"
+        def pluginApplicationLogMsgGradle6AndHigher = "Applying com.gradle.enterprise.gradleplugin.GradleEnterprisePlugin via init script"
+        if (gradleVersion < GRADLE_6) {
+            assert result.output.contains(pluginApplicationLogMsgGradle4And5)
+            assert 1 == result.output.count(pluginApplicationLogMsgGradle4And5)
+            assert !result.output.contains(pluginApplicationLogMsgGradle6AndHigher)
+        } else {
+            assert result.output.contains(pluginApplicationLogMsgGradle6AndHigher)
+            assert 1 == result.output.count(pluginApplicationLogMsgGradle6AndHigher)
+            assert !result.output.contains(pluginApplicationLogMsgGradle4And5)
+        }
+    }
+
+    void outputMissesGePluginApplicationViaInitScript(BuildResult result) {
+        def pluginApplicationLogMsgGradle4And5 = "Applying com.gradle.scan.plugin.BuildScanPlugin via init script"
+        def pluginApplicationLogMsgGradle6AndHigher = "Applying com.gradle.enterprise.gradleplugin.GradleEnterprisePlugin via init script"
+        assert !result.output.contains(pluginApplicationLogMsgGradle4And5)
+        assert !result.output.contains(pluginApplicationLogMsgGradle6AndHigher)
+    }
+
+    void outputContainsCcudPluginApplicationViaInitScript(BuildResult result) {
+        def pluginApplicationLogMsg = "Applying com.gradle.CommonCustomUserDataGradlePlugin via init script"
+        assert result.output.contains(pluginApplicationLogMsg)
+        assert 1 == result.output.count(pluginApplicationLogMsg)
+    }
+
+    void outputMissesCcudPluginApplicationViaInitScript(BuildResult result) {
+        def pluginApplicationLogMsg = "Applying com.gradle.CommonCustomUserDataGradlePlugin via init script"
+        assert !result.output.contains(pluginApplicationLogMsg)
+    }
+
+    void outputContainsGeConnectionInfo(BuildResult result, String geUrl, boolean geAllowUntrustedServer) {
+        def geConnectionInfo = "Connection to Gradle Enterprise: $geUrl, allowUntrustedServer: $geAllowUntrustedServer"
+        assert result.output.contains(geConnectionInfo)
+        assert 1 == result.output.count(geConnectionInfo)
+    }
+
+    void outputContainsPluginRepositoryInfo(BuildResult result, String gradlePluginRepositoryUrl) {
+        def repositoryInfo = "Gradle Enterprise plugins resolution: ${gradlePluginRepositoryUrl}"
+        assert result.output.contains(repositoryInfo)
+        assert 1 == result.output.count(repositoryInfo)
+    }
+
+    void outputEnforcesGeUrl(BuildResult result, String geUrl, boolean geAllowUntrustedServer) {
+        def enforceUrl = "Enforcing Gradle Enterprise: $geUrl, allowUntrustedServer: $geAllowUntrustedServer"
+        assert result.output.contains(enforceUrl)
+        assert 1 == result.output.count(enforceUrl)
+    }
+
+    private BuildResult run(TestGradleVersion testGradleVersion, TestConfig config, List<String> args = ["help"]) {
+        if (testKitSupportsEnvVars(testGradleVersion.gradleVersion)) {
+            return run(args, initScript, testGradleVersion.gradleVersion, [], config.envVars)
+        } else {
+            return run(args, initScript, testGradleVersion.gradleVersion, config.jvmArgs, [:])
+        }
+    }
+
+    private boolean testKitSupportsEnvVars(GradleVersion gradleVersion) {
+        // TestKit supports env vars for Gradle 3.5+, except on M1 Mac where only 6.9+ is supported
+        def isM1Mac = System.getProperty("os.arch") == "aarch64"
+        if (isM1Mac) {
+            return gradleVersion >= GRADLE_6_X.gradleVersion
+        } else {
+            return gradleVersion >= GRADLE_3_X.gradleVersion
+        }
+    }
+
+    private TestConfig testConfig() {
+        new TestConfig()
+    }
+
+    class TestConfig {
+        String serverUrl = mockScansServer.address.toString()
+        boolean enforceUrl = false
+        String ccudPluginVersion = null
+        String pluginRepositoryUrl = null
+
+        TestConfig withCCUDPlugin(String version = CCUD_PLUGIN_VERSION) {
+            ccudPluginVersion = version
+            return this
+        }
+
+        TestConfig withServer(URI url, boolean enforceUrl = false) {
+            serverUrl = url.toASCIIString()
+            this.enforceUrl = enforceUrl
+            return this
+        }
+
+        TestConfig withPluginRepository(URI pluginRepositoryUrl) {
+            this.pluginRepositoryUrl = pluginRepositoryUrl
+            return this
+        }
+
+        def getEnvVars() {
+            Map<String, String> envVars = [
+                GRADLE_ENTERPRISE_INJECTION_ENABLED: "true",
+                GRADLE_ENTERPRISE_URL: serverUrl,
+                GRADLE_ENTERPRISE_ALLOW_UNTRUSTED_SERVER: "true",
+                GRADLE_ENTERPRISE_PLUGIN_VERSION: GE_PLUGIN_VERSION,
+                GRADLE_ENTERPRISE_BUILD_SCAN_UPLOAD_IN_BACKGROUND: "true" // Need to upload in background since our Mock server doesn't cope with foreground upload
+            ]
+            if (enforceUrl) envVars.put("GRADLE_ENTERPRISE_ENFORCE_URL", "true")
+            if (ccudPluginVersion != null) envVars.put("GRADLE_ENTERPRISE_CCUD_PLUGIN_VERSION", ccudPluginVersion)
+            if (pluginRepositoryUrl != null) envVars.put("GRADLE_ENTERPRISE_PLUGIN_REPOSITORY_URL", pluginRepositoryUrl)
+
+            return envVars
+        }
+
+        def getJvmArgs() {
+            List<String> jvmArgs = [
+                "-Dgradle-enterprise.injection-enabled=true",
+                "-Dgradle-enterprise.url=$serverUrl",
+                "-Dgradle-enterprise.allow-untrusted-server=true",
+                "-Dgradle-enterprise.plugin.version=$GE_PLUGIN_VERSION",
+                "-Dgradle-enterprise.build-scan.upload-in-background=true"
+            ]
+
+            if (enforceUrl) jvmArgs.add("-Dgradle-enterprise.enforce-url=true")
+            if (ccudPluginVersion != null) jvmArgs.add("-Dgradle-enterprise.ccud-plugin.version=$ccudPluginVersion")
+            if (pluginRepositoryUrl != null) jvmArgs.add("-Dgradle-enterprise.plugin-repository.url=$pluginRepositoryUrl")
+
+            return jvmArgs.collect { it.toString() } // Convert from GStrings
+        }
+    }
+}

test/jest/cache-cleanup.test.ts

@@ -49,7 +49,7 @@ test('will cleanup unused gradle versions', async () => {
 
     const gradle802 = path.resolve(gradleUserHome, "caches/8.0.2")
     const wrapper802 = path.resolve(gradleUserHome, "wrapper/dists/gradle-8.0.2-bin")
-    const gradleCurrent = path.resolve(gradleUserHome, "caches/8.2.1")
+    const gradleCurrent = path.resolve(gradleUserHome, "caches/8.3")
 
     expect(fs.existsSync(gradle802)).toBe(true)
     expect(fs.existsSync(wrapper802)).toBe(true)