build(deps): bump actions/cache from 5 to 6#748
Conversation
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v6) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
WalkthroughTwo GitHub Actions workflow files update the ChangesCache action version bump
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/publish-components-for-e2e-tests.yml (1)
59-64: 🔒 Security & Privacy | 🟠 MajorUse
actions/cache/restore@v6to prevent cache poisoning in untrusted PR runs.This workflow runs on
pull_request_targetandissue_commentevents, checking out untrusted PR code. Using the fullactions/cache@v6action (which automatically saves cache on success) allows attackers to poison the Go module cache by modifying~/go/pkg/modand passing the build. Replace withactions/cache/restore@v6and move explicit cache save to a separate, trusted-only workflow or step.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-components-for-e2e-tests.yml around lines 59 - 64, The workflow is vulnerable to cache poisoning because it uses the full `actions/cache@v6` action which automatically saves the cache after successful execution. Since this workflow runs on `pull_request_target` with untrusted PR code, replace `actions/cache@v6` with `actions/cache/restore@v6` to only restore the cached Go modules without saving. If explicit cache saving is needed, move that operation to a separate trusted-only workflow or step that runs only on trusted events (like after merge to main branch).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Line 59: The `actions/cache@v6` reference on line 59 uses a mutable version
tag instead of a full commit SHA, which poses a supply-chain security risk.
Replace the tag reference with the complete commit SHA for the v6 release of
actions/cache and add the version tag as a comment for readability, following
the format `actions/cache@<full-commit-sha> # v6` to make the version still
visible while ensuring immutability.
---
Outside diff comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 59-64: The workflow is vulnerable to cache poisoning because it
uses the full `actions/cache@v6` action which automatically saves the cache
after successful execution. Since this workflow runs on `pull_request_target`
with untrusted PR code, replace `actions/cache@v6` with
`actions/cache/restore@v6` to only restore the cached Go modules without saving.
If explicit cache saving is needed, move that operation to a separate
trusted-only workflow or step that runs only on trusted events (like after merge
to main branch).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 3abbb066-fb09-41ba-9799-b1b58fd22648
📒 Files selected for processing (2)
.github/workflows/operator-cd.yml.github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual)codeready-toolchain/host-operator(manual)codeready-toolchain/toolchain-e2e(manual)
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/publish-components-for-e2e-tests.yml
[error] 59-59: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/operator-cd.yml
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 29-29: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🔀 Multi-repo context codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e
Linked repositories findings
Based on my cross-repository exploration, I found that the actions/cache@v5 to v6 upgrade affects two other repositories that consume this action:
codeready-toolchain/host-operator
Uses actions/cache in two workflows:
-
operator-cd.yml(line 29) [::codeready-toolchain/host-operator::]- name: Cache dependencies uses: actions/cache@v5 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }} restore-keys: | ${{ runner.os }}-go-
-
publish-components-for-e2e-tests.yml(line 59) [::codeready-toolchain/host-operator::]- name: Cache dependencies uses: actions/cache@v5 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }} restore-keys: | ${{ runner.os }}-go-
codeready-toolchain/toolchain-e2e
Uses actions/cache in one workflow:
publish-components-for-e2e-tests.yml(line 61) [::codeready-toolchain/toolchain-e2e::]- name: Cache dependencies uses: actions/cache@v5 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go-
Compatibility Assessment
No breaking changes detected:
- The v6 upgrade is primarily an internal implementation change (ESM migration and dependency updates)
- The public API for the
actions/cacheaction (path,key,restore-keysinputs) remains backward compatible - All identified usage patterns in both host-operator and toolchain-e2e are standard and compatible with v6
- The cache configurations are identical across all workflows and pose no compatibility concerns
Additional findings
- codeready-toolchain/api and codeready-toolchain/toolchain-common do not use
actions/cache; they use alternative caching mechanisms in their build configuration - No custom cache logic or dependencies on specific v5 behavior were identified in any repository
🔇 Additional comments (1)
.github/workflows/operator-cd.yml (1)
29-29: 🔒 Security & PrivacyAction reference uses tag-based versioning, consistent with repository standards.
Line 29 uses
actions/cache@v6, which follows the established pattern throughout member-operator and related repositories (host-operator, toolchain-e2e all use tag-based refs). SHA pinning is only applied in this codebase as a workaround for specific issues (e.g., octokit/request-action), not as an enforced policy. No documented policy mandating action SHA pinning exists in the repository.> Likely an incorrect or invalid review comment.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dependabot[bot], MatousJobanek The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |



Bumps actions/cache from 5 to 6.
Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
2c8a9bdMerge pull request #1760 from actions/samirat/esm_migration_and_package_updatee9b91fdPrettier fixese4884b8Rebuild dist10baf01Fixed licensese39b386Fix test mock return orderb692820PR feedback6074912Rebuild dist bundles as ESM to match type:module5a912e8Fix lint and jest issuesb9bf592Update documentation for v6 release80f7777Update packages, migrate to ESMDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit