
MCP-439 Pin build-gradle to v1.3.24 to fix Renovate #359

Merged
nquinquenel merged 1 commit into master from task/nq/fix-renovate-gh-actions
Apr 27, 2026


@nquinquenel
Member

No description provided.

hashicorp-vault-sonar-prod Bot changed the title from "Pin build-gradle to v1.3.24 to fix Renovate" to "MCP-439 Pin build-gradle to v1.3.24 to fix Renovate" on Apr 24, 2026

hashicorp-vault-sonar-prod Bot commented Apr 24, 2026

MCP-439

@sonarqubecloud

@nquinquenel nquinquenel marked this pull request as ready for review April 27, 2026 07:33

sonar-review-alpha Bot commented Apr 27, 2026

Summary

Pins the build-gradle workflow action to a specific commit (v1.3.24) instead of the master branch in the shadow scans GitHub Actions workflow. This replaces the unstable @master reference with a pinned commit hash @148774f456203f228b7bd1bd68ed0c22254d9cd1, making the dependency explicit and allowing Renovate to track updates properly. Also fixes a trailing newline in the file.

What reviewers should know

What changed:

  • .github/workflows/shadow_scans.yml: Updated the build-gradle action reference from @master (marked as "dogfood") to a pinned commit hash

Why it matters:
Using @master in GitHub Actions is problematic for Renovate because it's a constantly moving target. Renovate cannot reliably detect or suggest updates to moving branch references. Pinning to a specific commit with a version tag (v1.3.24) makes the dependency explicit and enables Renovate to track and propose version updates.

For reviewers:

  • Confirm the pinned commit hash 148774f456203f228b7bd1bd68ed0c22254d9cd1 corresponds to the intended v1.3.24 release
  • This is a low-risk change that improves dependency management without altering workflow behavior

@sonar-review-alpha sonar-review-alpha Bot left a comment

The fix correctly moves off @master so Renovate can track the dependency, but the chosen version (v1.3.24) is behind what the rest of the repo already uses (v1.3.29 in build.yml and pr-cleanup.yml). Also note the comment format inconsistency: this file uses # v1.3.24 while the other files omit the v prefix (# 1.3.29).

Comment thread .github/workflows/shadow_scans.yml
@nquinquenel nquinquenel merged commit b2f7ad3 into master Apr 27, 2026
14 checks passed
@nquinquenel nquinquenel deleted the task/nq/fix-renovate-gh-actions branch April 27, 2026 07:49
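
The review comments above raise three checks on a workflow's `uses:` lines: a mutable ref such as `@master`, a pinned version behind the rest of the repo, and inconsistent version comments. The following is an added sketch of those checks, not code from this pull request or from Renovate; the action path `example-org/ci-actions/build-gradle`, the SHA used for 1.3.29 and the `shadow_scans_before.yml` entry are constructed placeholders.

```python
import re
from collections import defaultdict

# `uses: owner/repo[/path]@ref  # optional trailing comment` in a workflow step
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)\s*(?:#\s*(\S.*?))?\s*$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")      # only a full commit SHA is immutable
VERSION_RE = re.compile(r"(v?)(\d+(?:\.\d+)+)")  # comment such as `v1.3.24` or `1.3.29`


def audit(workflows):
    """Return sorted (file, line, rule, detail) findings for {filename: yaml_text}."""
    findings = []
    pins = defaultdict(list)  # action -> [(file, line, v_prefix, version)]
    for name, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m or m.group(1).startswith("docker://"):
                continue  # local ./path and docker:// steps are out of scope
            action, ref, comment = m.groups()
            if not FULL_SHA_RE.fullmatch(ref):
                findings.append((name, lineno, "mutable-ref", f"{action}@{ref}"))
                continue
            v = VERSION_RE.fullmatch(comment or "")
            if not v:
                findings.append((name, lineno, "no-version-comment", action))
                continue
            pins[action].append((name, lineno, v.group(1), v.group(2)))
    for uses in pins.values():
        # Compare every pin of an action with the newest version pinned in the repo.
        _, _, new_prefix, newest = max(uses, key=lambda u: tuple(map(int, u[3].split("."))))
        for name, lineno, prefix, version in uses:
            if version != newest:
                findings.append((name, lineno, "version-drift", f"{version} < {newest}"))
            if prefix != new_prefix:
                findings.append((name, lineno, "comment-style", f"{prefix}{version} vs {new_prefix}{newest}"))
    return sorted(findings)


# Constructed sample. ACTION is a hypothetical path (the page only names "build-gradle"),
# and PIN_29 is a placeholder because the page gives no SHA for 1.3.29.
ACTION = "example-org/ci-actions/build-gradle"
PIN_29 = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = {
    "build.yml": f"      - uses: {ACTION}@{PIN_29} # 1.3.29\n",
    "pr-cleanup.yml": f"      - uses: {ACTION}@{PIN_29} # 1.3.29\n",
    "shadow_scans.yml": f"      - uses: {ACTION}@148774f456203f228b7bd1bd68ed0c22254d9cd1 # v1.3.24\n",
    "shadow_scans_before.yml": f"      - uses: {ACTION}@master # dogfood\n",
}
```

The version comment is only a label: this check does not confirm that the SHA is the commit the tag points to, which needs a lookup against the action's repository.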