2 changes: 1 addition & 1 deletion .github/workflows/classic-autogpt-ci.yml
Expand Up @@ -83,7 +83,7 @@ jobs:
- name: Set up Python dependency cache
# On Windows, unpacking cached dependencies takes longer than just installing them
if: runner.os != 'Windows'
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ${{ runner.os == 'macOS' && '~/Library/Caches/pypoetry' || '~/.cache/pypoetry' }}
key: poetry-${{ runner.os }}-${{ hashFiles('classic/original_autogpt/poetry.lock') }}
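Review bot: `uses: actions/cache@v5` crosses a major version on a step that serves two operating systems (the `path` expression branches on `runner.os == 'macOS'`), and nothing in the change records what differs between v4 and v5. Link the v5 release notes in the PR description and confirm a run with a cache hit on both the Linux and macOS jobs before merging.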
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/classic-benchmark-ci.yml
Expand Up @@ -55,7 +55,7 @@ jobs:
- name: Set up Python dependency cache
# On Windows, unpacking cached dependencies takes longer than just installing them
if: runner.os != 'Windows'
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ${{ runner.os == 'macOS' && '~/Library/Caches/pypoetry' || '~/.cache/pypoetry' }}
key: poetry-${{ runner.os }}-${{ hashFiles('classic/benchmark/poetry.lock') }}
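Review bot: `uses: actions/cache@v5` is still a movable major tag, and this PR rewrites every `actions/cache` reference in the repository, which makes it the cheapest moment to pin. Replace the tag with the full 40-character commit SHA of the v5 release and keep the version as a trailing comment (`# v5`); Dependabot continues to propose updates for SHA-pinned references, so the bump workflow stays the same.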
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/classic-forge-ci.yml
Expand Up @@ -107,7 +107,7 @@ jobs:
- name: Set up Python dependency cache
# On Windows, unpacking cached dependencies takes longer than just installing them
if: runner.os != 'Windows'
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ${{ runner.os == 'macOS' && '~/Library/Caches/pypoetry' || '~/.cache/pypoetry' }}
key: poetry-${{ runner.os }}-${{ hashFiles('classic/forge/poetry.lock') }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/classic-python-checks.yml
Expand Up @@ -78,7 +78,7 @@ jobs:
python-version: ${{ env.min-python-version }}

- name: Set up Python dependency cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.cache/pypoetry
key: ${{ runner.os }}-poetry-${{ hashFiles(format('{0}/poetry.lock', matrix.sub-package)) }}
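Review bot: the `key:` in this step is built as `${{ runner.os }}-poetry-…`, while the other classic workflows touched by this PR use `poetry-${{ runner.os }}-…` for the same `~/.cache/pypoetry` path. The line is unchanged context, but the two prefix orders make it hard to tell which workflows are meant to share a cache entry and which are not. Pick one naming scheme, and if isolation is intended, say so with an explicit workflow-specific prefix rather than an accidental difference in word order.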
Expand Down Expand Up @@ -130,7 +130,7 @@ jobs:
python-version: ${{ env.min-python-version }}

- name: Set up Python dependency cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.cache/pypoetry
key: ${{ runner.os }}-poetry-${{ hashFiles(format('{0}/poetry.lock', matrix.sub-package)) }}
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/claude-dependabot.yml
Expand Up @@ -41,7 +41,7 @@ jobs:
python-version: "3.11" # Use standard version matching CI

- name: Set up Python dependency cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.cache/pypoetry
key: poetry-${{ runner.os }}-${{ hashFiles('autogpt_platform/backend/poetry.lock') }}
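Review bot: the `key:` on `Set up Python dependency cache` is character-for-character the key used in claude.yml, copilot-setup-steps.yml and platform-backend-ci.yml in this same PR. Cache entries are matched by key within the branch scope, not by workflow, so whichever of these workflows saves the entry first supplies the files the others restore. If these workflows run under different triggers or permissions, give this one its own key prefix or make the step restore-only, so that an entry written here is never consumed by the backend CI job.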
Expand Down Expand Up @@ -91,7 +91,7 @@ jobs:
echo "PNPM_HOME=$HOME/.pnpm-store" >> $GITHUB_ENV

- name: Cache frontend dependencies
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ runner.os }}-pnpm-${{ hashFiles('autogpt_platform/frontend/pnpm-lock.yaml', 'autogpt_platform/frontend/package.json') }}
Expand Down Expand Up @@ -124,7 +124,7 @@ jobs:
# Phase 1: Cache and load Docker images for faster setup
- name: Set up Docker image cache
id: docker-cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/docker-cache
# Use a versioned key for cache invalidation when image list changes
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/claude.yml
Expand Up @@ -57,7 +57,7 @@ jobs:
python-version: "3.11" # Use standard version matching CI

🟡 MEDIUM - Third-party action using version tag without SHA pinning
Agent: security

Category: security

Description:
The jlumbroso/free-disk-space action uses @v1.3.1 (version tag).

Suggestion:
Pin to full commit SHA for maximum security.

Why this matters: Supply chain attacks on popular actions can compromise all dependent repositories.

Confidence: 70%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9
Rate it 👍 or 👎 to improve future reviews | Powered by diffray


- name: Set up Python dependency cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.cache/pypoetry
key: poetry-${{ runner.os }}-${{ hashFiles('autogpt_platform/backend/poetry.lock') }}
Expand Down Expand Up @@ -107,7 +107,7 @@ jobs:
echo "PNPM_HOME=$HOME/.pnpm-store" >> $GITHUB_ENV

- name: Cache frontend dependencies
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ runner.os }}-pnpm-${{ hashFiles('autogpt_platform/frontend/pnpm-lock.yaml', 'autogpt_platform/frontend/package.json') }}
Expand Down Expand Up @@ -140,7 +140,7 @@ jobs:
# Phase 1: Cache and load Docker images for faster setup

🟡 MEDIUM - Third-party action using version tag without SHA pinning
Agent: security

Category: security

Description:
The docker/setup-buildx-action uses @V3 (version tag).

Suggestion:
Pin to full commit SHA for maximum security.

Why this matters: Supply chain attacks on popular actions can compromise all dependent repositories.

Confidence: 65%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9

- name: Set up Docker image cache
id: docker-cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/docker-cache
# Use a versioned key for cache invalidation when image list changes
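Review bot: this `Set up Docker image cache` step, together with the Python and pnpm cache steps in the two hunks before it, appears in the same form in claude-dependabot.yml, claude.yml and copilot-setup-steps.yml, so the PR edits nine lines to express one decision. Move the three cache steps into a local composite action that the three workflows call; the next version bump, and any future SHA pin, then happens in one reviewed place instead of three copies that can drift apart.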
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/copilot-setup-steps.yml
Expand Up @@ -39,7 +39,7 @@ jobs:
python-version: "3.11" # Use standard version matching CI

- name: Set up Python dependency cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.cache/pypoetry
key: poetry-${{ runner.os }}-${{ hashFiles('autogpt_platform/backend/poetry.lock') }}
Expand Down Expand Up @@ -89,7 +89,7 @@ jobs:
echo "PNPM_HOME=$HOME/.pnpm-store" >> $GITHUB_ENV

- name: Cache frontend dependencies
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ runner.os }}-pnpm-${{ hashFiles('autogpt_platform/frontend/pnpm-lock.yaml', 'autogpt_platform/frontend/package.json') }}
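Review bot: the `key:` on `Cache frontend dependencies` hashes `package.json` as well as `pnpm-lock.yaml`, so an edit to `package.json` that leaves the lockfile untouched (a script or metadata change) still produces a new key and a cold cache. This is unchanged context, but since the step is being revisited, consider hashing only `pnpm-lock.yaml`, or add a comment explaining why `package.json` needs to be part of the key.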
Expand Down Expand Up @@ -122,7 +122,7 @@ jobs:
# Phase 1: Cache and load Docker images for faster setup

🟡 MEDIUM - Third-party action using version tag without SHA pinning
Agent: security

Category: security

Description:
The docker/setup-buildx-action uses @V3 (version tag).

Suggestion:
Pin to full commit SHA for maximum security.

Why this matters: Supply chain attacks on popular actions can compromise all dependent repositories.

Confidence: 65%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9

- name: Set up Docker image cache
id: docker-cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/docker-cache
# Use a versioned key for cache invalidation when image list changes
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/platform-backend-ci.yml
Expand Up @@ -88,7 +88,7 @@ jobs:
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT

🟡 MEDIUM - Third-party action using version tag without SHA pinning
Agent: security

Category: security

Description:
The supabase/setup-cli uses @v1 (version tag).

Suggestion:
Pin to full commit SHA for maximum security.

Why this matters: Supply chain attacks on popular actions can compromise all dependent repositories.

Confidence: 78%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9


- name: Set up Python dependency cache
uses: actions/cache@v4
uses: actions/cache@v5

🟡 MEDIUM - First-party GitHub action using version tag without SHA pinning
Agent: security

Category: security

Description:
The actions/cache action uses @v5 (version tag).

Suggestion:
Pin to full commit SHA or rely on Dependabot for auto-updates.

Why this matters: Supply chain attacks on popular actions can compromise all dependent repositories.

Confidence: 65%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9

with:
path: ~/.cache/pypoetry
key: poetry-${{ runner.os }}-${{ hashFiles('autogpt_platform/backend/poetry.lock') }}
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/platform-frontend-ci.yml
Expand Up @@ -44,7 +44,7 @@ jobs:
run: echo "key=${{ runner.os }}-pnpm-${{ hashFiles('autogpt_platform/frontend/pnpm-lock.yaml', 'autogpt_platform/frontend/package.json') }}" >> $GITHUB_OUTPUT

- name: Cache dependencies
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ steps.cache-key.outputs.key }}
Expand Down Expand Up @@ -72,7 +72,7 @@ jobs:
run: corepack enable

- name: Restore dependencies cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ needs.setup.outputs.cache-key }}
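Review bot: the step named `Restore dependencies cache` uses the combined `actions/cache@v5`, which also saves a new entry when the key misses, although its key comes from `needs.setup.outputs.cache-key` and the setup job's `Cache dependencies` step already owns the save. Use `actions/cache/restore@v5` with the same `path` and `key` here so that only the setup job can write the entry. The same applies to the other `Restore dependencies cache` steps in this file and in platform-fullstack-ci.yml.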
Expand Down Expand Up @@ -107,7 +107,7 @@ jobs:
run: corepack enable

- name: Restore dependencies cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ needs.setup.outputs.cache-key }}

🟠 HIGH - Third-party action using @latest version tag
Agent: security

Category: security

Description:
The chromaui/action is using @latest, which is unpinned and can pull malicious code if the action is compromised. Version tags are mutable and can be moved to point to different commits.

Suggestion:
Pin to a specific version tag (e.g., @v1.2.3) or better yet, pin to a full 40-character commit SHA (e.g., @a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0).

Confidence: 95%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9

Expand Down Expand Up @@ -155,7 +155,7 @@ jobs:
uses: docker/setup-buildx-action@v3

🟡 MEDIUM - Third-party action using version tag without SHA pinning
Agent: security

Category: security

Description:
The docker/setup-buildx-action uses @V3 (version tag) instead of a full commit SHA. While Docker is a reputable vendor, SHA pinning provides stronger guarantees.

Suggestion:
Pin to full commit SHA (e.g., @<40-char-sha>) for maximum security, especially in CI pipelines with elevated permissions.

Confidence: 70%
Rule: gha_unpinned_action_version
Review ID: 3291cb5c-715f-4b33-acc2-77a0d8829dd9


- name: Cache Docker layers
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-frontend-test-${{ hashFiles('autogpt_platform/docker-compose.yml', 'autogpt_platform/backend/Dockerfile', 'autogpt_platform/backend/pyproject.toml', 'autogpt_platform/backend/poetry.lock') }}
Expand Down Expand Up @@ -210,7 +210,7 @@ jobs:
fi

- name: Restore dependencies cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ needs.setup.outputs.cache-key }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/platform-fullstack-ci.yml
Expand Up @@ -44,7 +44,7 @@ jobs:
run: echo "key=${{ runner.os }}-pnpm-${{ hashFiles('autogpt_platform/frontend/pnpm-lock.yaml', 'autogpt_platform/frontend/package.json') }}" >> $GITHUB_OUTPUT

- name: Cache dependencies
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ steps.cache-key.outputs.key }}
Expand Down Expand Up @@ -88,7 +88,7 @@ jobs:
docker compose -f ../docker-compose.yml --profile local --profile deps_backend up -d

- name: Restore dependencies cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ~/.pnpm-store
key: ${{ needs.setup.outputs.cache-key }}
Expand Down
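The severity scheme in the review comments above (a floating `@latest` as HIGH, a version tag as MEDIUM, a full commit SHA as the fix) can be checked mechanically across workflow files. The following Python check is an added example, not diffray's rule and not code from this repository; the `FIRST_PARTY_OWNERS` set, the treatment of `main` and `master` as floating refs, and the sample workflow with its placeholder SHA are assumptions.

```python
import re

# Matches a step reference such as "uses: owner/repo/path@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: owners treated as first-party, mirroring the comments' wording.
FIRST_PARTY_OWNERS = {"actions", "github"}
# Assumption: branch names are treated like the page's @latest case.
FLOATING_REFS = {"latest", "main", "master"}


def classify_ref(action, ref):
    """Return (status, severity) for one action reference."""
    if FULL_SHA_RE.match(ref):
        return "sha-pinned", None
    if ref in FLOATING_REFS:
        return "floating-ref", "HIGH"
    owner = action.split("/", 1)[0]
    if owner in FIRST_PARTY_OWNERS:
        return "first-party-tag", "MEDIUM"
    return "third-party-tag", "MEDIUM"


def audit_workflow(text):
    """Return (line_no, action, ref, status, severity) for every unpinned ref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a uses: line, or a local action without @ref
        action, ref = match.groups()
        status, severity = classify_ref(action, ref)
        if severity is not None:
            findings.append((line_no, action, ref, status, severity))
    return findings


# Constructed sample workflow; the SHA is a made-up placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/cache@v5
      - uses: docker/setup-buildx-action@v3
      - uses: chromaui/action@latest
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
      - name: Local action
        uses: ./.github/actions/setup
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```
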