Skip to content

build(deps): bump actions/cache from 5 to 5.0.5#21032

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/cache-5.0.5
Closed

build(deps): bump actions/cache from 5 to 5.0.5#21032
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/cache-5.0.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/cache from 5 to 5.0.5.

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.


v5.0.1

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Workflow-only dependency pin with no application or cache-key changes; main caveat is self-hosted runners must meet actions/cache v5 runner requirements if used.

Overview
Pins actions/cache from the floating @v5 tag to @v5.0.5 in installer and CI workflows so cache restore/save runs a specific patch release (including dependency/security fixes in the upstream action).

Linux DEB/RPM, macOS, and Windows installer workflows update the GUI build cache step; Windows also updates the npm cache step. The reusable test-single workflow updates Ubuntu npm caching and the test blocks/plots cache. Cache paths, keys, and step conditions are unchanged.

Reviewed by Cursor Bugbot for commit 1c12c88. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [actions/cache](https://github.com/actions/cache) from 5 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5...v5.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jun 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 23, 2026 20:23
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code Changed Required label for PR that categorizes merge commit message as "Changed" for changelog labels Jun 23, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the PR diff and upstream actions/cache changes for supply-chain risk.
Verdict: benign

This PR only pins actions/cache from the floating major ref @v5 to the explicit patch @v5.0.5 in seven workflow steps across five files. No lockfiles, node_modules/, or vendor paths change in the Chia repo.

Scanner evidence (supports benign):

  • Unicode / confusable / IOC findings: 0
  • Upstream diff scanned: 0 files — because v5 and v5.0.5 both resolve to the same commit (27d5ce7), so runtime behavior is unchanged if you were already on @v5
  • The single warn (maintainer_drift: 5->5.0.5) is a false positive: it reflects a semver ref string change, not a publisher/maintainer identity change. I disagree with treating this as supply-chain drift.

Checklist highlights:

Category Assessment
Obfuscation / exfil / spawn No new suspicious patterns. Bundled dist/*.js contains expected Azure/GitHub SDK code (base64, spawn, auth headers) — normal for cache I/O
Invisible Unicode / GlassWorm None detected (scanner + upstream review)
Dependency integrity Upstream v5.0.5 is a tagged release from actions/cache, merged via #1747 by known maintainer @yacaovsnc. Only transitive change: @typespec/ts-http-runtime 0.3.2 → 0.3.5. No new lifecycle scripts
Dependabot context Workflow edits are expected for GitHub Actions bumps; changes are version-string-only on existing cache steps, not new logic

Actionable note: Safe to merge from a malware/supply-chain perspective. Pinning to @v5.0.5 is actually slightly better than @v5 because it prevents silent future major-tag moves. Confirm CI passes on GitHub-hosted runners (already required for @v5); only relevant if you use self-hosted runners below v2.327.1 — that constraint predates this pin.

Compatibility Analysis

Reviewing actions/cache usage and upstream changes between v5 and v5.0.5.

Compatibility & adoption analysis — actions/cache 5 → 5.0.5

1) Where it’s used

Direct actions/cache (7 call sites, 5 workflows):

Workflow Uses Purpose
.github/workflows/test-single.yml 2 npm cache (Ubuntu); test blocks/plots/bundles
.github/workflows/build-windows-installer.yml 2 npm cache; GUI submodule cache
.github/workflows/build-macos-installers.yml 1 GUI submodule cache
.github/workflows/build-linux-installer-deb.yml 1 GUI submodule cache
.github/workflows/build-linux-installer-rpm.yml 1 GUI submodule cache

Not in scope: chia-network/actions/cache-pip@main in benchmarks.yml, test-single.yml, and build-windows-installer.yml is a separate wrapper action.

Usage pattern: Standard composite restore/save — inputs path, key, restore-keys; output cache-hit gates follow-on steps. test-single.yml also sets SEGMENT_DOWNLOAD_TIMEOUT_MIN. No advanced inputs (save-always, lookup-only, enableCrossOsArchive, etc.).

Runners: GitHub-hosted (ubuntu-latest, windows-2022, macos-15, etc.) and some third-party (e.g. Blacksmith in test-single.yml). No primary self-hosted runner usage observed.


2) Intersection with upstream changes

Upstream tags v5 and v5.0.5 currently resolve to the same commit (27d5ce7). This PR is effectively a pin from floating @v5 to explicit @v5.0.5.

Changes in the v5.0.0v5.0.5 range are internal — no action.yml input/output changes:

Patch Relevant change Touches Chia usage?
5.0.1 Node 24 runtime; runner ≥ 2.327.1 Already implied by @v5
5.0.2 No retry on 429 during cache save Indirect only
5.0.3–5.0.4 Transitive security bumps (minimatch, undici, fast-xml-parser) No API impact
5.0.5 @typespec/ts-http-runtime 0.3.2 → 0.3.5 No API impact

Chia workflows use only the stable public surface (path / key / restore-keys / cache-hit). No usage site intersects with changed APIs.


3) Risks / unknowns

  • Immediate runtime delta: None today — @v5 and @v5.0.5 are identical at merge time.
  • Self-hosted runners: v5 requires Actions Runner ≥ 2.327.1. Low concern here given GitHub-hosted defaults; verify only if you rely on outdated self-hosted runners.
  • 429 on cache save (5.0.2): Under heavy cache-service rate limiting, save could fail slightly sooner. Unlikely to affect normal CI; worst case is a cache miss on the next run.
  • Malware scan maintainer_drift (5→5.0.5): Expected for a version pin; not a supply-chain red flag. No IOC/unicode findings.

4) Recommendation: Merge

Low-risk semver patch pin within major v5. Standard cache usage, no breaking API changes, includes intermediate security fixes, and pinning @v5.0.5 improves reproducibility vs. a floating @v5 tag.

Post-merge validation: Confirm CI on workflows that exercise cache steps (test-single, installer builds) — mainly as a sanity check, not because a functional change is expected.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 0
  • Resolution strategy: to_version_single_commit
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 27d5ce7f107fe9357f9df03efb73ab90386fccae..27d5ce7f107fe9357f9df03efb73ab90386fccae
  • Resolved refs: from=27d5ce7f107fe9357f9df03efb73ab90386fccae to=27d5ce7f107fe9357f9df03efb73ab90386fccae
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 1

Top findings

  • actions/cache:0 maintainer_drift :: 5->5.0.5

@coveralls-official

Copy link
Copy Markdown

Coverage Report for CI Build 28054572913

Coverage increased (+0.001%) to 91.582%

Details

  • Coverage increased (+0.001%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 11 coverage regressions across 4 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

11 previously-covered lines in 4 files lost coverage.

File Lines Losing Coverage Coverage
chia/full_node/full_node.py 6 88.11%
chia/data_layer/data_layer.py 2 87.7%
chia/timelord/timelord_launcher.py 2 70.21%
chia/_tests/simulation/test_simulation.py 1 96.5%

Coverage Stats

Coverage Status
Relevant Lines: 123400
Covered Lines: 113192
Line Coverage: 91.73%
Relevant Branches: 12136
Covered Branches: 10935
Branch Coverage: 90.1%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls

@cmmarslender

Copy link
Copy Markdown
Member

@dependabot ignore this major version

@dependabot @github

dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you about version 5.x.x again, unless you re-open this PR.

@dependabot dependabot Bot deleted the dependabot/github_actions/actions/cache-5.0.5 branch June 23, 2026 21:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant