chore: ignore gradle/actions/setup-gradle v6 in dependabot (#317)

curfew-marathon · web-flow · commit 14305a31534d · 2026-04-01T17:11:04.000Z
gradle/actions/setup-gradle v6 introduced a licensing change requiring
acceptance of new Terms of Use tied to a proprietary caching component.
The ToS language is broad and legally ambiguous, raising concerns about
IP rights over cached build artifacts (e.g. sources.jar).

Key concerns:
- ToS grants Gradle broad rights over "user submissions", unclear scope
- Disabling the new caching also disables Gradle distribution caching (known bug)
- No clear legal guidance for private/commercial repos yet

Gradle maintainers have stated no data is currently sent to Gradle and
plan to clarify the ToS, but until that happens we stay on v5 to avoid
accidental acceptance of unclear terms.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -48,6 +48,9 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    ignore:
+      - dependency-name: "gradle/actions/setup-gradle"
+        versions: [">= 6.0.0, < 7.0.0"]
     groups:
       dependencies:
         patterns:
