Bump actions/cache from 5 to 5.0.5#376
Conversation
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v5.0.5) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
🤖 Cursor Dependency AnalysisSupply-Chain Malware ReviewReviewing the dependency update for supply-chain risk: checking workflow changes, upstream diff, and malware scan findings. This PR only pins Top evidence
Actionable note: Pinning Recommendation: Safe to merge from a supply-chain perspective. Compatibility AnalysisReviewing Compatibility & adoption analysis —
|
| File | Action | Purpose |
|---|---|---|
.github/workflows/rust.yml:40 |
actions/cache@v5.0.5 |
Cargo registry/build + fuzz corpus cache |
.github/workflows/build-packages.yml:175 |
actions/cache/restore@v5.0.5 |
Restore Windows Boost install |
.github/workflows/build-packages.yml:183 |
actions/cache@v5.0.5 |
Cache mpir_gc_x64 checkout |
.github/workflows/build-packages.yml:228 |
actions/cache/save@v5.0.5 |
Save Windows Boost after install |
Inputs used: path, key only.
Outputs used: cache-hit, cache-primary-key (Windows Boost restore/save flow).
No other workflows reference actions/cache.
2) Intersection with upstream changes
Important: In upstream, tags v5 and v5.0.5 resolve to the same commit (27d5ce7). This PR pins @v5 → @v5.0.5; it does not introduce new runtime behavior if you were already on the floating @v5 tag.
Changes between v5.0.0 and v5.0.5 (already included in current @v5):
| Version | Change | Touches your usage? |
|---|---|---|
| 5.0.1 | Node 24 runtime; runner ≥ 2.327.1 | Already required by @v5; GitHub-hosted runners satisfy this |
| 5.0.2 | No retry on HTTP 429 when saving cache | Affects cache/save on Windows Boost step only; save failure is non-blocking |
| 5.0.3–5.0.4 | Security/dependency bumps (@actions/cache, minimatch, undici, etc.) |
Internal; no workflow API change |
| 5.0.5 | ts-http-runtime 0.3.2 → 0.3.5 |
Internal HTTP client only |
No changes to action.yml, restore/action.yml, or save/action.yml inputs/outputs between v5.0.0 and v5.0.5. Your path/key/cache-hit/cache-primary-key usage is unchanged.
3) Risks / unknowns
- Functional risk: very low. Patch pin only; same commit as
@v5. - Runner requirement: None for this repo (no self-hosted runners).
- Cache invalidation: Keys unchanged; existing caches remain compatible.
- 429 on save (5.0.2): Windows Boost cache save may skip retry under rate limiting → slower CI, not build failure.
- Malware scan
maintainer_drift(5→5.0.5): Expected artifact of pinning a major tag to an explicit patch; not a supply-chain red flag here.
4) Recommendation: merge
Safe to merge. This is a supply-chain hygiene pin with security dependency updates already on the @v5 line. No workflow changes needed.
Test plan: Confirm CI on a PR run — especially build-packages on windows-latest (restore/save path) and rust fuzz job (cache restore). Expect behavior identical to current @v5 runs.
Malware Scan Summary
- Status: warn
- Warn only mode:
true - Changed upstream files scanned:
0 - Resolution strategy:
to_version_single_commit - Changed node/vendor paths:
0 - Changed lockfiles:
0 - Resolved upstream range:
27d5ce7f107fe9357f9df03efb73ab90386fccae..27d5ce7f107fe9357f9df03efb73ab90386fccae - Resolved refs: from=
27d5ce7f107fe9357f9df03efb73ab90386fccaeto=27d5ce7f107fe9357f9df03efb73ab90386fccae - Unicode findings (post-allowlist):
0 - Confusable findings (post-allowlist):
0 - IOC findings (post-allowlist):
0 - Heuristic findings (post-allowlist):
1
Top findings
actions/cache:0maintainer_drift ::5->5.0.5
|
@dependabot ignore this major version |
|
OK, I won't notify you about version 5.x.x again, unless you re-open this PR. |
Bumps actions/cache from 5 to 5.0.5.
Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
CI-only action version pin with identical cache configuration; no application or runtime behavior changes.
Overview
Pins
actions/cachefrom the floating@v5tag to@v5.0.5in CI workflows so cache restore/save steps use a specific patch release.In
build-packages.yml, this updates Windows Boost restore (actions/cache/restore), mpir checkout cache (actions/cache), and Boost save (actions/cache/save). Inrust.yml, it updates the fuzz job’s Cargo registry and build artifact cache step. Cache paths and keys are unchanged.Reviewed by Cursor Bugbot for commit eb0cc75. Bugbot is set up for automated code reviews on this repo. Configure here.