From ba7fc6f41306f8040a23e22c18a553af50076edc Mon Sep 17 00:00:00 2001
From: Jakub Hertyk
Date: Wed, 1 Apr 2026 12:46:34 -0400
Subject: [PATCH] chore: ignore gradle/actions/setup-gradle v6 in dependabot

gradle/actions/setup-gradle v6 introduced a licensing change requiring acceptance of new Terms of Use tied to a proprietary caching component. The ToS language is broad and legally ambiguous, raising concerns about IP rights over cached build artifacts (e.g. sources.jar).

Key concerns:
- ToS grants Gradle broad rights over "user submissions", unclear scope
- Disabling the new caching also disables Gradle distribution caching (known bug)
- No clear legal guidance for private/commercial repos yet

Gradle maintainers have stated no data is currently sent to Gradle and plan to clarify the ToS, but until that happens we stay on v5 to avoid accidental acceptance of unclear terms.
---
 .github/dependabot.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index ea7bf942..71a850d7 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -48,6 +48,9 @@ updates:
 directory: "/"
 schedule:
 interval: "monthly"
+ ignore:
+ - dependency-name: "gradle/actions/setup-gradle"
+ versions: [">= 6.0.0, < 7.0.0"]
 groups:
 dependencies:
 patterns:
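Review bot: The upper bound in `versions: [">= 6.0.0, < 7.0.0"]` means Dependabot will go back to proposing this action as soon as a 7.x release exists, and nothing visible here suggests the Terms of Use concern described in the commit message would be gone by then. If the intent is to stay on v5 until the terms are clarified, an open-ended `versions: [">= 6.0.0"]` holds that position until someone deliberately removes the rule. The reason is recorded only in the commit message, so a comment above the entry such as `# Held at v5: setup-gradle v6 Terms of Use unresolved; remove once clarified` would keep the next maintainer from deleting it as stale. As far as I know, `ignore` rules also apply to Dependabot security updates, so a fix shipped only in 6.x would not be raised automatically while this rule is in place, and the action would need manual tracking. The enclosing `updates` entry starts above the hunk, so its `package-ecosystem` is not visible here.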