Skip to content

build(deps): bump actions/cache from 5.0.5 to 6.1.0#3864

Merged
ten9876 merged 1 commit into
mainfrom
dependabot/github_actions/actions/cache-6.1.0
Jun 27, 2026
Merged

build(deps): bump actions/cache from 5.0.5 to 6.1.0#3864
ten9876 merged 1 commit into
mainfrom
dependabot/github_actions/actions/cache-6.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 27, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/cache from 5.0.5 to 6.1.0.

Release notes

Sourced from actions/cache's releases.

v6.1.0

What's Changed

Full Changelog: actions/cache@v6...v6.1.0

v6.0.0

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

v5.1.0

What's Changed

Full Changelog: actions/cache@v5...v5.1.0

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

... (truncated)

Commits
  • 55cc834 Merge pull request #1768 from jasongin/readonly-cache
  • d8cd72f Bump @​actions/cache to v6.1.0 - handle cache write error due to RO token
  • 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
  • e9b91fd Prettier fixes
  • e4884b8 Rebuild dist
  • 10baf01 Fixed licenses
  • e39b386 Fix test mock return order
  • b692820 PR feedback
  • 6074912 Rebuild dist bundles as ESM to match type:module
  • 5a912e8 Fix lint and jest issues
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 27, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 27, 2026 10:34
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 27, 2026

@aethersdr-agent aethersdr-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the bump of actions/cache 5.0.5 → 6.1.0.

SHA pin verified. All six usages move from 27d5ce7f107fe9357f9df03efb73ab90386fccae to 55cc8345863c7cc4c66a329aec7e433d2d1c52a9, which matches the head of the v6.1.0 release (55cc834 Merge pull request #1768 from jasongin/readonly-cache). The pin is correct and consistent across ci.yml and windows-installer.yml.

No functional concerns. The 6.x line migrates the action to ESM internally and adds read-only-token handling for cache writes — neither affects how it's invoked here (path/key/id), and the FFTW3/Opus/hidapi/DeepFilterNet3/qtkeychain cache steps are unchanged in behavior.

One minor nit: the trailing comment still reads # v5 on all six lines, but the SHA now points at v6.1.0. Worth updating to # v6.1.0 (or # v6) so the pin and the human-readable tag don't drift — Dependabot occasionally leaves these stale. Not blocking.

Thanks @dependabot — looks good to merge once CI is green.


🤖 aethersdr-agent · cost: $1.3350 · model: claude-opus-4-8

@ten9876 ten9876 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. Verified the new SHA 55cc8345 is actions/cache v6.1.0 (the v6 tag points there). Major bump (v6.0.0 ESM migration + v6.1.0 read-only cache handling) but the action interface (path/key/restore-keys) is unchanged, and CI is green on all jobs that use it (build/macOS/Windows). Note: the inline # v5 comments are now stale (SHA is v6.1.0) — tracking a follow-up on whether to keep version comments at all. Thanks @dependabot.

@ten9876 ten9876 merged commit bea059c into main Jun 27, 2026
4 checks passed
@ten9876 ten9876 deleted the dependabot/github_actions/actions/cache-6.1.0 branch June 27, 2026 15:56
ten9876 added a commit that referenced this pull request Jun 27, 2026
…endabot drift) (#3867)

## Summary

Drops the trailing `# vX` version comments from all SHA-pinned GitHub
Actions and documents the SHA-only convention in `dependabot.yml`.

## Why

Dependabot bumps a SHA-pinned action's commit SHA but **doesn't reliably
keep the `# vX` comment in sync**. In #3864 it bumped `actions/cache` to
the **v6.1.0** SHA while leaving the comment reading `# v5` — stale and
misleading. Correcting these by hand on every major bump is recurring
toil, and the comment is purely cosmetic (Dependabot resolves the
version from the SHA, not the comment).

## What

- Removed the trailing version comment from every SHA-pinned `uses:`
line across 11 workflows (42 lines). **SHA pinning is unchanged** — same
supply-chain guarantee; only the comment is gone.
- Added a convention note to `.github/dependabot.yml` so contributors
don't re-add comments.

The version is still discoverable from Dependabot's PR title and the
action repo.

## Non-functional

Pins, `path`s, and `key`s are byte-identical — only comments removed.
All workflow YAML re-validated as parsing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant