
Update testlens#15595

Merged
koppor merged 1 commit into
mainfrom
koppor-patch-2
Apr 20, 2026

Conversation

@koppor

@koppor koppor commented Apr 20, 2026

Member

Testlens 1.8.0 was released one year ago - https://github.com/testlens-app/setup-testlens/releases/tag/v1.8.0

@calixtus report output issues at https://github.com/testlens-app/setup-testlens/issues

Steps to test

See CI passing

Checklist

  • I own the copyright of the code submitted and I license it under the MIT license
  • [/] I manually tested my changes in running JabRef (always required)
  • [/] I added JUnit tests for changes (if applicable)
  • [/] I added screenshots in the PR description (if change is visible to the user)
  • [/] I added a screenshot in the PR description showing a library with a single entry with me as author and as title the issue number
  • [/] I described the change in CHANGELOG.md in a way that can be understood by the average user (if change is visible to the user)
  • [/] I checked the user documentation for up to dateness and submitted a pull request to our user documentation repository

@koppor koppor added the automerge PR is tagged with that label will be merged if workflows are green label Apr 20, 2026
@qodo-free-for-open-source-projects

Contributor

Review Summary by Qodo

Update TestLens to v1.8.0 and disable cache debug

✨ Enhancement


Walkthroughs

Description
• Update TestLens action from v1.7.0 to v1.8.0
• Disable Gradle build action cache debug logging
Diagram

```mermaid
flowchart LR
  A["GitHub Actions Config"] -- "Update TestLens version" --> B["v1.8.0"]
  A -- "Disable cache debug" --> C["GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: false"]
```


File Changes

1. .github/actions/setup-gradle/action.yml ⚙️ Configuration changes +2/-2

Update TestLens and disable cache debug logging

• Updated TestLens setup action from v1.7.0 to v1.8.0
• Changed GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED from true to false


@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Apr 20, 2026

Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)



Remediation recommended

1. Unpinned action version 🐞 Bug ⛨ Security
Description
The composite action references testlens-app/setup-testlens via a mutable tag (v1.8.0) instead
of a commit SHA, so the exact code executed in CI is not guaranteed to stay the same over time.
Workflows that call this composite action run it with write-capable GITHUB_TOKEN permissions,
amplifying the impact of any unexpected upstream action change.
Code

.github/actions/setup-gradle/action.yml[30]

+      uses: testlens-app/setup-testlens@v1.8.0
Evidence
The composite action executes a third-party action by tag rather than commit SHA, which means the
referenced content is not cryptographically fixed. This composite action is used by CI workflows
(e.g., tests-code.yml) that grant actions: write and pull-requests: write, and the repo
already demonstrates SHA-pinning for other third-party actions (e.g.,
slidoapp/import-codesign-certs@<sha>), indicating SHA pinning is an accepted approach here.

.github/actions/setup-gradle/action.yml[23-31]
.github/workflows/tests-code.yml[26-55]
.github/workflows/binaries.yml[613-623]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow uses `testlens-app/setup-testlens@v1.8.0` (a tag), which does not guarantee a fixed commit for CI execution.

### Issue Context
This composite action is reused across multiple workflows, some of which run with elevated `GITHUB_TOKEN` permissions (e.g., `actions: write`, `pull-requests: write`).

### Fix
Update the `uses:` reference to a specific commit SHA for the `v1.8.0` release, and keep the human-readable version as a comment, e.g.:

```yml
- name: Setup TestLens
  uses: testlens-app/setup-testlens@<full_commit_sha> # v1.8.0
```

### Fix Focus Areas
- .github/actions/setup-gradle/action.yml[28-31]


@koppor koppor added this pull request to the merge queue Apr 20, 2026
@github-actions github-actions Bot added the status: to-be-merged PRs which are accepted and should go into the merge-queue. label Apr 20, 2026
Merged via the queue into main with commit 6e2fcb1 Apr 20, 2026
85 of 100 checks passed
@koppor koppor deleted the koppor-patch-2 branch April 20, 2026 19:37
Siedlerchr added a commit that referenced this pull request Apr 22, 2026
* upstream/main:
  Remove review-to-comment migration (#15609)
  Chore(deps): Bump com.uber.nullaway:nullaway in /versions (#15615)
  Chore(deps): Bump javafx from 26 to 26.0.1 in /versions (#15614)
  Update dependency org.openjfx:javafx-base to v26.0.1 (#15608)
  Chore(deps): Bump org.openrewrite.rewrite from 7.30.0 to 7.31.0 (#15602)
  OpenOffice Refactor subtasks (#15380)
  Chore(deps): Bump org.hisp.dhis:json-tree in /versions (#15606)
  Chore(deps): Bump com.autonomousapps:dependency-analysis-gradle-plugin (#15604)
  Chore(deps): Bump com.autonomousapps:dependency-analysis-gradle-plugin (#15605)
  Chore(deps): Bump org.openrewrite.recipe:rewrite-recipe-bom (#15603)
  Fix hash warning (#15596)
  Update testlens (#15595)

Labels

  • automerge (PR is tagged with that label will be merged if workflows are green)
  • dev: build-system
  • dev: ci-cd
  • status: to-be-merged (PRs which are accepted and should go into the merge-queue.)
