chore(deps): bump actions/cache from 5 to 6#119
Conversation
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v6) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
|
||
| - name: Cache zstd build | ||
| uses: actions/cache@v5 | ||
| uses: actions/cache@v6 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
actions/cache@v6 uses a mutable tag, so if v6 is repointed, this workflow can execute attacker-controlled code during CI.
More details about this
Cache zstd build pulls actions/cache using the mutable ref @v6, not a specific commit. If the v6 tag is ever moved to a different commit, this workflow will run that new code during host_tests, before npm run install-zstd, npm install, and npm test.
A plausible attack looks like this:
- An attacker gains the ability to publish a new commit under the
actions/cacherepository and repoints thev6tag to it. - Your workflow starts on
push,pull_request, orworkflow_dispatchand reachesuses: actions/cache@v6in theCache zstd buildstep. - GitHub downloads and executes the attacker's version of
actions/cachebecause the workflow trusts@v6. - That malicious action can read this job's workspace, inspect files used in
path: depsandkey: zstd-deps-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles(...) }}, and use the job's token or other available secrets to send repository data to an external server. - Because this happens before later build and test commands, the attacker-controlled action runs inside your CI for every matching job without changing this repository's code.
This is a supply-chain risk in the exact uses: actions/cache@v6 line because the workflow follows a tag that can be silently changed later.
To resolve this comment:
✨ Commit fix suggestion
- Replace the mutable action reference
actions/cache@v6with a full 40-character commit SHA for the exactactions/cacherelease you want to use. - Keep the version as a comment next to the SHA so the workflow stays readable, for example:
uses: actions/cache@<full-40-char-sha> # v6.x.x. - Choose the SHA from the official
actions/cacherelease you intend to trust, and make sure it is the commit for that release tag rather than a branch or short tag. Pinning to a commit SHA prevents the action owner from silently changing what runs under the same tag. - Update only the
usesvalue for this step; the existingwith:settings such aspath:andkey:can stay as they are.
Alternatively, if you need to confirm the correct pinned revision before editing, look up the actions/cache release page and copy the full commit SHA associated with the v6 release you want to keep using.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
🛟 Help? Slack #semgrep-help or go/semgrep-help.
Resolution Options:
- Fix the code
- Reply
/fp $reason(if security gap doesn’t exist) - Reply
/ar $reason(if gap is valid but intentional; add mitigations/monitoring) - Reply
/other $reason(e.g., test-only)
You can view more details about this finding in the Semgrep AppSec Platform.
Bumps actions/cache from 5 to 6.
Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
55cc834Merge pull request #1768 from jasongin/readonly-cached8cd72fBump@actions/cacheto v6.1.0 - handle cache write error due to RO token2c8a9bdMerge pull request #1760 from actions/samirat/esm_migration_and_package_updatee9b91fdPrettier fixese4884b8Rebuild dist10baf01Fixed licensese39b386Fix test mock return orderb692820PR feedback6074912Rebuild dist bundles as ESM to match type:module5a912e8Fix lint and jest issuesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)