build(deps): bump actions/cache from 5 to 5.0.5#21032
Conversation
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v5.0.5) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
🤖 Cursor Dependency AnalysisSupply-Chain Malware ReviewReviewing the PR diff and upstream This PR only pins Scanner evidence (supports benign):
Checklist highlights:
Actionable note: Safe to merge from a malware/supply-chain perspective. Pinning to Compatibility AnalysisReviewing Compatibility & adoption analysis —
|
| Workflow | Uses | Purpose |
|---|---|---|
.github/workflows/test-single.yml |
2 | npm cache (Ubuntu); test blocks/plots/bundles |
.github/workflows/build-windows-installer.yml |
2 | npm cache; GUI submodule cache |
.github/workflows/build-macos-installers.yml |
1 | GUI submodule cache |
.github/workflows/build-linux-installer-deb.yml |
1 | GUI submodule cache |
.github/workflows/build-linux-installer-rpm.yml |
1 | GUI submodule cache |
Not in scope: chia-network/actions/cache-pip@main in benchmarks.yml, test-single.yml, and build-windows-installer.yml is a separate wrapper action.
Usage pattern: Standard composite restore/save — inputs path, key, restore-keys; output cache-hit gates follow-on steps. test-single.yml also sets SEGMENT_DOWNLOAD_TIMEOUT_MIN. No advanced inputs (save-always, lookup-only, enableCrossOsArchive, etc.).
Runners: GitHub-hosted (ubuntu-latest, windows-2022, macos-15, etc.) and some third-party (e.g. Blacksmith in test-single.yml). No primary self-hosted runner usage observed.
2) Intersection with upstream changes
Upstream tags v5 and v5.0.5 currently resolve to the same commit (27d5ce7). This PR is effectively a pin from floating @v5 to explicit @v5.0.5.
Changes in the v5.0.0 → v5.0.5 range are internal — no action.yml input/output changes:
| Patch | Relevant change | Touches Chia usage? |
|---|---|---|
| 5.0.1 | Node 24 runtime; runner ≥ 2.327.1 | Already implied by @v5 |
| 5.0.2 | No retry on 429 during cache save | Indirect only |
| 5.0.3–5.0.4 | Transitive security bumps (minimatch, undici, fast-xml-parser) |
No API impact |
| 5.0.5 | @typespec/ts-http-runtime 0.3.2 → 0.3.5 |
No API impact |
Chia workflows use only the stable public surface (path / key / restore-keys / cache-hit). No usage site intersects with changed APIs.
3) Risks / unknowns
- Immediate runtime delta: None today —
@v5and@v5.0.5are identical at merge time. - Self-hosted runners: v5 requires Actions Runner ≥ 2.327.1. Low concern here given GitHub-hosted defaults; verify only if you rely on outdated self-hosted runners.
- 429 on cache save (5.0.2): Under heavy cache-service rate limiting, save could fail slightly sooner. Unlikely to affect normal CI; worst case is a cache miss on the next run.
- Malware scan
maintainer_drift(5→5.0.5): Expected for a version pin; not a supply-chain red flag. No IOC/unicode findings.
4) Recommendation: Merge
Low-risk semver patch pin within major v5. Standard cache usage, no breaking API changes, includes intermediate security fixes, and pinning @v5.0.5 improves reproducibility vs. a floating @v5 tag.
Post-merge validation: Confirm CI on workflows that exercise cache steps (test-single, installer builds) — mainly as a sanity check, not because a functional change is expected.
Malware Scan Summary
- Status: warn
- Warn only mode:
true - Changed upstream files scanned:
0 - Resolution strategy:
to_version_single_commit - Changed node/vendor paths:
0 - Changed lockfiles:
0 - Resolved upstream range:
27d5ce7f107fe9357f9df03efb73ab90386fccae..27d5ce7f107fe9357f9df03efb73ab90386fccae - Resolved refs: from=
27d5ce7f107fe9357f9df03efb73ab90386fccaeto=27d5ce7f107fe9357f9df03efb73ab90386fccae - Unicode findings (post-allowlist):
0 - Confusable findings (post-allowlist):
0 - IOC findings (post-allowlist):
0 - Heuristic findings (post-allowlist):
1
Top findings
actions/cache:0maintainer_drift ::5->5.0.5
Coverage Report for CI Build 28054572913Coverage increased (+0.001%) to 91.582%Details
Uncovered ChangesNo uncovered changes found. Coverage Regressions11 previously-covered lines in 4 files lost coverage.
Coverage Stats💛 - Coveralls |
|
@dependabot ignore this major version |
|
OK, I won't notify you about version 5.x.x again, unless you re-open this PR. |
Bumps actions/cache from 5 to 5.0.5.
Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
Workflow-only dependency pin with no application or cache-key changes; main caveat is self-hosted runners must meet actions/cache v5 runner requirements if used.
Overview
Pins
actions/cachefrom the floating@v5tag to@v5.0.5in installer and CI workflows so cache restore/save runs a specific patch release (including dependency/security fixes in the upstream action).Linux DEB/RPM, macOS, and Windows installer workflows update the GUI build cache step; Windows also updates the npm cache step. The reusable
test-singleworkflow updates Ubuntu npm caching and the test blocks/plots cache. Cache paths, keys, and step conditions are unchanged.Reviewed by Cursor Bugbot for commit 1c12c88. Bugbot is set up for automated code reviews on this repo. Configure here.