Skip to content

Bump actions/cache from 5 to 6#886

Merged
shanselman merged 1 commit into
mainfrom
dependabot/github_actions/actions/cache-6
Jun 30, 2026
Merged

Bump actions/cache from 5 to 6#886
shanselman merged 1 commit into
mainfrom
dependabot/github_actions/actions/cache-6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/cache from 5 to 6.

Release notes

Sourced from actions/cache's releases.

v6.0.0

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

v5.1.0

What's Changed

Full Changelog: actions/cache@v5...v5.1.0

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

... (truncated)

Commits
  • 55cc834 Merge pull request #1768 from jasongin/readonly-cache
  • d8cd72f Bump @​actions/cache to v6.1.0 - handle cache write error due to RO token
  • 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
  • e9b91fd Prettier fixes
  • e4884b8 Rebuild dist
  • 10baf01 Fixed licenses
  • e39b386 Fix test mock return order
  • b692820 PR feedback
  • 6074912 Rebuild dist bundles as ESM to match type:module
  • 5a912e8 Fix lint and jest issues
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5...v6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 29, 2026
@clawsweeper

clawsweeper Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed June 29, 2026, 2:14 AM ET / 06:14 UTC.

Summary
The PR changes four NuGet cache steps in .github/workflows/ci.yml from actions/cache@v5 to actions/cache@v6.

Reproducibility: not applicable. This is a dependency maintenance PR rather than a bug report; source inspection and the PR diff identify the affected workflow surface.

Review metrics: 1 noteworthy metric.

  • Cache action references: 4 replacements in 1 workflow. All existing NuGet cache uses in CI move from actions/cache@v5 to actions/cache@v6, so the pending CI run exercises the touched surface.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Wait for the pending Build and Test jobs on the PR head to finish before merging.

Risk before merge

  • [P1] The main Build and Test workflow jobs were still pending at review time, so merge should wait for the normal PR checks on the exact head commit.

Maintainer options:

  1. Decide the mitigation before merge
    Merge the focused dependency update after the standard CI run completes successfully, keeping the existing cache keys and continue-on-error behavior unchanged.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • No ClawSweeper repair lane is needed; maintainers only need the normal CI result and dependency-update merge decision.

Security
Cleared: The diff only updates an official GitHub Action major tag in existing cache steps and does not add secrets, permissions, scripts, or new dependency sources.

Review details

Best possible solution:

Merge the focused dependency update after the standard CI run completes successfully, keeping the existing cache keys and continue-on-error behavior unchanged.

Do we have a high-confidence way to reproduce the issue?

Not applicable. This is a dependency maintenance PR rather than a bug report; source inspection and the PR diff identify the affected workflow surface.

Is this the best way to solve the issue?

Yes. The branch is the narrowest maintainable path for this update because it changes only the existing actions/cache references and leaves permissions, cache keys, and workflow shape unchanged.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 87dc3dc79d7c.

Label changes

Label changes:

  • add P3: This is routine GitHub Actions dependency maintenance with limited blast radius because the cache steps are already continue-on-error.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so contributor real behavior proof is not required; CI is the relevant validation signal.

Label justifications:

  • P3: This is routine GitHub Actions dependency maintenance with limited blast radius because the cache steps are already continue-on-error.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so contributor real behavior proof is not required; CI is the relevant validation signal.
Evidence reviewed

What I checked:

  • Current main cache references: Current main still has four NuGet cache steps using actions/cache@v5 at lines 94, 329, 431, and 515. (.github/workflows/ci.yml:94, 87dc3dc79d7c)
  • PR diff scope: The PR head changes only .github/workflows/ci.yml, replacing actions/cache@v5 with actions/cache@v6 in four existing cache steps. (.github/workflows/ci.yml:94, b3ed98d31ba9)
  • Upstream v6 tag exists: actions/cache publishes a v6 major tag, resolving to 55cc8345863c7cc4c66a329aec7e433d2d1c52a9 at review time. (55cc8345863c)
  • Action metadata comparison: The upstream v6 action metadata keeps the same cache inputs used by this workflow and runs as an official GitHub JavaScript action. (55cc8345863c)
  • CI status at review: repo-hygiene and setup-gate checks had passed, while the main Build and Test jobs were still pending on the PR head. (b3ed98d31ba9)
  • Workflow history: The current cache references trace to the initial ci.yml addition in commit 3e00346, with later workflow edits by Dependabot and E2E workflow contributors. (.github/workflows/ci.yml:94, 3e003463c9e2)

Likely related people:

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jun 29, 2026
@shanselman shanselman merged commit 31d8e4d into main Jun 30, 2026
16 checks passed
@shanselman shanselman deleted the dependabot/github_actions/actions/cache-6 branch June 30, 2026 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant