chore(deps): bump actions/cache from 5 to 6

[dependabot]

Bumps actions/cache from 5 to 6.

Release notes

Sourced from actions/cache's releases.

v6.0.0

What's Changed

• Update packages, migrate to ESM by @​Samirat in actions/cache#1760

Full Changelog: actions/cache@v5...v6.0.0

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

• Bump @actions/cache to v6.1.0 to pick up actions/toolkit#2435 Handle cache write error due to read-only token
• Switch redundant "Cache save failed" warning to debug log in save-only

6.0.0

• Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
• Migrated to ESM module system
• Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

... (truncated)

Commits

• 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
• e9b91fd Prettier fixes
• e4884b8 Rebuild dist
• 10baf01 Fixed licenses
• e39b386 Fix test mock return order
• b692820 PR feedback
• 6074912 Rebuild dist bundles as ESM to match type:module
• 5a912e8 Fix lint and jest issues
• b9bf592 Update documentation for v6 release
• 80f7777 Update packages, migrate to ESM
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated the dependency cache action in two CI workflows to the latest version, helping keep automated builds and releases current.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign metlos for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e8e6f73c-2992-4da2-b822-4e1b0fea6f49

📥 Commits

Reviewing files that changed from the base of the PR and between 715f8ae and 574a3b6.

📒 Files selected for processing (2)

• .github/workflows/operator-cd.yml
• .github/workflows/publish-components-for-e2e-tests.yml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• codeready-toolchain/registration-service (manual)
• codeready-toolchain/member-operator (manual)
• codeready-toolchain/api (manual)
• codeready-toolchain/toolchain-common (manual)
• codeready-toolchain/host-operator (manual)
• codeready-toolchain/toolchain-e2e (manual)

📜 Recent review details

⏰ Context from checks skipped due to timeout. (4)

• GitHub Check: test
• GitHub Check: GolangCI Lint
• GitHub Check: govulncheck
• GitHub Check: Build & push operator bundles & dashboard image for e2e tests

🧰 Additional context used

🪛 zizmor (1.26.1)

.github/workflows/publish-components-for-e2e-tests.yml

[error] 59-59: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/operator-cd.yml

[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[error] 29-29: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🔀 Multi-repo context codeready-toolchain/registration-service, codeready-toolchain/member-operator, codeready-toolchain/toolchain-e2e, codeready-toolchain/api, codeready-toolchain/toolchain-common

Linked repositories findings

codeready-toolchain/registration-service

• .github/workflows/operator-cd.yml:28-29 uses actions/cache@v5
• .github/workflows/publish-components-for-e2e-tests.yml:58-59 uses actions/cache@v5
  These workflows match the same cache-step bump in the PR and should be updated consistently. [::codeready-toolchain/registration-service::]

codeready-toolchain/member-operator

• .github/workflows/operator-cd.yml:28-29 uses actions/cache@v5
• .github/workflows/publish-components-for-e2e-tests.yml:58-59 uses actions/cache@v5
  Same pattern as the PR; this repo also has the older cache action version in the same workflow types. [::codeready-toolchain/member-operator::]

codeready-toolchain/toolchain-e2e

• .github/workflows/publish-components-for-e2e-tests.yml:60-61 uses actions/cache@v5
  This workflow is aligned with the PR’s changed workflow and would be the comparable place to update if this repo is kept in sync. [::codeready-toolchain/toolchain-e2e::]

codeready-toolchain/api

• No matches for actions/cache@v5/v6 or the named workflows in .github. [::codeready-toolchain/api::]

codeready-toolchain/toolchain-common

• No matches for actions/cache@v5/v6 or the named workflows in .github. [::codeready-toolchain/toolchain-common::]

🔇 Additional comments (2)

.github/workflows/publish-components-for-e2e-tests.yml (1)

59-59: LGTM!

.github/workflows/operator-cd.yml (1)

29-29: 🔒 Security & Privacy

No action needed for this cache bump. This workflow only runs on trusted pushes to master, so the actions/cache@v6 change doesn’t introduce a new cache-poisoning path.

---

Walkthrough

Two GitHub Actions workflow files (operator-cd.yml and publish-components-for-e2e-tests.yml) have their dependency caching step updated from actions/cache@v5 to actions/cache@v6.

Changes

CI Cache Version Bump

Layer / File(s)	Summary
Update actions/cache to v6 .github/workflows/operator-cd.yml, .github/workflows/publish-components-for-e2e-tests.yml	The actions/cache step in both workflows is bumped from @v5 to @v6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

ci

Suggested reviewers

• mfrancisc
• xcoulon
• MatousJobanek

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the dependency bump from actions/cache v5 to v6 across the workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions/cache-6

---

_{Comment @coderabbitai help to get the list of available commands.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud