build(deps): bump actions/cache from 5 to 6

[dependabot]

Bumps actions/cache from 5 to 6.

Release notes

Sourced from actions/cache's releases.

v6.0.0

What's Changed

• Update packages, migrate to ESM by @​Samirat in actions/cache#1760

Full Changelog: actions/cache@v5...v6.0.0

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

• Bump @actions/cache to v6.1.0 to pick up actions/toolkit#2435 Handle cache write error due to read-only token
• Switch redundant "Cache save failed" warning to debug log in save-only

6.0.0

• Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
• Migrated to ESM module system
• Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

... (truncated)

Commits

• 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
• e9b91fd Prettier fixes
• e4884b8 Rebuild dist
• 10baf01 Fixed licenses
• e39b386 Fix test mock return order
• b692820 PR feedback
• 6074912 Rebuild dist bundles as ESM to match type:module
• 5a912e8 Fix lint and jest issues
• b9bf592 Update documentation for v6 release
• 80f7777 Update packages, migrate to ESM
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

Walkthrough

The actions/cache action in the lint-and-unit job of .github/workflows/testing.yaml is bumped from v5 to v6. No other workflow steps or configuration are changed.

Changes

CI Cache Version Bump

Layer / File(s)	Summary
Bump actions/cache to v6 .github/workflows/testing.yaml	The Go dependency caching step in the lint-and-unit job is updated from actions/cache@v5 to actions/cache@v6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: bumping the actions/cache dependency from version 5 to version 6 in the workflow file.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, providing detailed release notes, changelog information, and migration details for the actions/cache v6 update.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions/cache-6

---

_{Comment @coderabbitai help to get the list of available commands.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.29%. Comparing base (c6a881f) to head (cdff53f).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1142   +/-   ##
=======================================
  Coverage   63.29%   63.29%           
=======================================
  Files          13       13           
  Lines         869      869           
=======================================
  Hits          550      550           
  Misses        280      280           
  Partials       39       39           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/testing.yaml (2)

84-92: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider removing duplicate Go cache paths.

The actions/setup-go@v6 action at line 78 already provides built-in caching for ~/go/pkg/mod and ~/.cache/go-build when cache-dependency-path is configured. The manual cache step duplicates these paths, which is redundant and may cause conflicts or inefficiency.

If the custom .cache directory (used at line 103) needs caching, consider caching only that path:

♻️ Streamline caching to avoid duplication

     - uses: actions/cache@v6
       with:
         path: |
           .cache
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
+        key: ${{ runner.os }}-custom-cache-${{ hashFiles('**/go.sum') }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/testing.yaml around lines 84 - 92, The actions/cache@v6
step is duplicating Go module and build cache paths that are already handled by
the actions/setup-go@v6 action configured at line 78. Remove the duplicate cache
paths ~/go/pkg/mod and ~/.cache/go-build from the path list in the
actions/cache@v6 step. Keep only the .cache path if custom caching for that
directory is needed, and simplify the key and restore-keys accordingly to
reflect the reduced scope of the manual cache step.

---

84-84: 🔒 Security & Privacy | 🔵 Trivial

Consider whether the v6.1.0 cache release aligns with project needs.

The repository consistently uses minor version pinning for GitHub Actions (e.g., @v6, @v7, @v4 across all workflows), with no documented policy requiring commit SHA pinning. The @v6 reference at this line is consistent with the project's established pattern.

However, v6.1.0 introduced improvements for handling cache write errors when the workflow token is restricted to read-only access. If these fixes are relevant to your use case, updating to @v6.1.0 may be worth considering. Otherwise, the current configuration follows the project's standard practice.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/testing.yaml at line 84, Evaluate whether the cache write
error handling improvements in v6.1.0 of the actions/cache action are necessary
for your project's workflow token configuration. If your workflows use read-only
access tokens and you need better handling of cache write errors, update the
actions/cache action reference from `@v6` to `@v6.1.0`. If these improvements are
not relevant to your use case, the current `@v6` pinning is acceptable and follows
the project's established version pinning pattern across other GitHub Actions.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/testing.yaml:
- Around line 84-92: The actions/cache@v6 step is duplicating Go module and
build cache paths that are already handled by the actions/setup-go@v6 action
configured at line 78. Remove the duplicate cache paths ~/go/pkg/mod and
~/.cache/go-build from the path list in the actions/cache@v6 step. Keep only the
.cache path if custom caching for that directory is needed, and simplify the key
and restore-keys accordingly to reflect the reduced scope of the manual cache
step.
- Line 84: Evaluate whether the cache write error handling improvements in
v6.1.0 of the actions/cache action are necessary for your project's workflow
token configuration. If your workflows use read-only access tokens and you need
better handling of cache write errors, update the actions/cache action reference
from `@v6` to `@v6.1.0`. If these improvements are not relevant to your use case,
the current `@v6` pinning is acceptable and follows the project's established
version pinning pattern across other GitHub Actions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 1894443a-b9f0-49f1-827d-8a1125ca28b7

📥 Commits

Reviewing files that changed from the base of the PR and between c6a881f and cdff53f.

📒 Files selected for processing (1)

• .github/workflows/testing.yaml