diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e2f5b4c3d3..03692e2227 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,39 +7,24 @@ env:
   GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
   ALLOWED_ENDPOINTS: >
     1k4dacprodeus2file4.blob.core.windows.net:443
-    artifactcache.actions.githubusercontent.com:443
-    artifacts.codacy.com:443
-    api.azul.com:443
-    api.codacy.com:443
     api.github.com:443
+    api.azul.com:443
+    artifactcache.actions.githubusercontent.com:443
     caffeine.gradle-enterprise.cloud:443
     cdn.azul.com:443
-    checkerframework.org:443
     cloudflare.com:443
-    codecov.io:443
-    coveralls.io:443
-    fastly.com:443
-    docs.oracle.com:443
     downloads.gradle-dn.com:443
     ghcr.io:443
     github.com:443
-    guava.dev:443
-    lightbend.github.io:443
-    nodejs.org:443
-    objects.githubusercontent.com:443
     oss.sonatype.org:443
     pipelines.actions.githubusercontent.com:443
     plugins.gradle.org:443
     plugins-artifacts.gradle.org:443
-    raw.githubusercontent.com
     repo.gradle.org:443
     repo.maven.apache.org:443
     repo1.maven.org:443
     scans-in.gradle.com:443
     services.gradle.org:443
-    sonarcloud.io:443
-    storage.googleapis.com:443
-    uploader.codecov.io:443
   LANG: en_US.utf8
   MIN_JVM: 11
   MAX_JVM: 18
@@ -221,7 +206,12 @@ jobs:
         uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
         with:
           egress-policy: block
-          allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
+          allowed-endpoints: >
+            ${{ env.ALLOWED_ENDPOINTS }}
+            checkerframework.org:443
+            docs.oracle.com:443
+            lightbend.github.io:443
+            guava.dev:443
       - uses: actions/checkout@v3
       - name: Set up JDK ${{ env.MIN_JVM }}
         uses: actions/setup-java@v3
@@ -255,7 +245,19 @@ jobs:
         uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
         with:
           egress-policy: block
-          allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
+          allowed-endpoints: >
+            ${{ env.ALLOWED_ENDPOINTS }}
+            artifacts.codacy.com:443
+            api.codacy.com:443
+            codecov.io:443
+            coveralls.io:443
+            fastly.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com
+            sonarcloud.io:443
+            storage.googleapis.com:443
+            uploader.codecov.io:443
       - name: Checkout
         uses: actions/checkout@v3
       - name: Set up JDK ${{ env.MAX_JVM }}
diff --git a/gradle/coverage.gradle b/gradle/coverage.gradle
index 82bd6b87a7..5c48660907 100644
--- a/gradle/coverage.gradle
+++ b/gradle/coverage.gradle
@@ -3,7 +3,6 @@
  */
 apply plugin: 'com.github.kt3k.coveralls'
 apply plugin: 'jacoco'
-apply plugin: 'java'
 
 def testReport = tasks.register('testReport', TestReport) {
   group = 'Build'
@@ -39,6 +38,9 @@ def jacocoFullReport = tasks.register('jacocoFullReport', JacocoReport) {
     mustRunAfter proj.tasks.withType(Test)
     executionData fileTree(rootDir.absolutePath).include("**/*${proj.name}*/**/jacoco/*.exec")
   }
+  subprojects.each { proj ->
+    dependsOn proj.tasks.processResources
+  }
 
   reports {
     html.required = true // human readable
@@ -61,10 +63,8 @@ tasks.named('coveralls').configure {
 
 allprojects {
   apply plugin: 'org.sonarqube'
-
-  rootProject.tasks.sonarqube.dependsOn(jacocoFullReport)
-  rootProject.tasks.sonarqube.dependsOn(tasks.processResources)
 }
+tasks.sonarqube.dependsOn(jacocoFullReport)
 
 sonarqube {
   properties {