
chore(deps): bump actions/cache from 5.0.4 to 5.0.5 in the github-actions group across 1 directory#1631

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-20de5e3257

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps the github-actions group with 1 update in the / directory: actions/cache.

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 20, 2026

@claude claude Bot left a comment


LGTM — straightforward Dependabot patch bump; the stale version comment is noted inline.

Extended reasoning...

### Overview
This PR updates a single line in , bumping the pinned commit hash for from the v5.0.4 hash to the v5.0.5 hash. No application code is touched.

### Security risks
Minimal. The change is confined to CI infrastructure (a mypy cache step). The commit hash is pinned, which is the secure pattern for GitHub Actions. The annotation was already present and is unchanged.

### Level of scrutiny
Low. This is a routine Dependabot patch-level bump generated automatically. The only functional change is the commit SHA on line 47; the rest of the file is untouched. The sole bug flagged is a cosmetic stale version comment ( should be ), which has no runtime impact since GitHub Actions resolves the action by hash, not the comment.

### Other factors
No prior reviews or comments on this PR. The Dependabot compatibility score is included in the PR description. The change is self-contained and carries no risk to production code.

Comment thread .github/workflows/ci.yml
@@ -46,7 +46,7 @@ jobs:
version: "0.11.2"
python-version: "3.13"
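Review bot: The hunk as rendered here shows only the two unchanged context lines (`version: "0.11.2"`, `python-version: "3.13"`); the changed `uses:` line at line 47 is not visible, so the review has to be made against the full diff. On that line, the trailing `# v5.0.4` comment should move to `# v5.0.5` in the same commit as the hash, since the comment is the only human-readable record of which version is pinned; the `# zizmor: ignore[cache-poisoning]` suppression is carried over unchanged and is worth re-confirming as still intended each time the pinned action moves.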

🟡 The inline comment on line 47 still reads # v5.0.4 after the commit hash was updated to the v5.0.5 hash (27d5ce7f). Update the comment to # v5.0.5 to accurately reflect the pinned version.

Extended reasoning...

What the bug is: This PR bumps actions/cache from v5.0.4 to v5.0.5 by updating the pinned commit hash on line 47 of .github/workflows/ci.yml. However, the inline human-readable version comment on the same line was not updated and still reads # v5.0.4 instead of # v5.0.5.

The specific code path: The single changed line in this PR is:

- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]

The commit hash 27d5ce7f107fe9357f9df03efb73ab90386fccae corresponds to v5.0.5 (as stated in the PR title and description), but the comment still says v5.0.4.

Why existing code doesn't prevent it: Dependabot automatically updates the pinned commit hash but does not always update the adjacent human-readable version comment. There is no automated check that validates the comment matches the actual version of the pinned commit.

Impact: The workflow functions correctly because GitHub Actions resolves the action by the commit hash, not the comment. However, maintainers who read the file to determine which version is pinned will be misled into thinking v5.0.4 is in use when v5.0.5 is actually running.

How to fix it: Change the comment from # v5.0.4 to # v5.0.5 on line 47:

- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 # zizmor: ignore[cache-poisoning]

Step-by-step proof:

  1. The PR description states: "Updates actions/cache from 5.0.4 to 5.0.5"
  2. The commit 27d5ce7f107fe9357f9df03efb73ab90386fccae is the merge commit for actions/cache v5.0.5 (confirmed in the PR's commit list)
  3. The old hash 668228422ae6a00e4ad889ee87cd7109ec5666a7 was v5.0.4
  4. After the diff, line 47 now has the v5.0.5 hash but the # v5.0.4 comment was not updated
  5. Anyone reading .github/workflows/ci.yml and trusting the comment will incorrectly believe v5.0.4 is pinned
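The review above observes that nothing automatically verifies a pinned action's version comment against the SHA it sits next to. As an added example (not code from this PR or from the repository being reviewed), the following Python checker walks a workflow file, reports any `uses:` step that is still referenced by a mutable tag or branch, and compares each pinned SHA's trailing `# vX.Y.Z` comment against a SHA-to-version map the caller supplies. The map here is constructed inline from the two hashes named in this PR's discussion; the sample workflow and the `known_releases` parameter are assumptions of this example.

```python
# Added example (not part of this PR or the project's own code): a small
# checker for GitHub Actions workflow files that enforces the pinning pattern
# seen in this PR and catches the stale-comment defect the review flagged.
# Assumptions: the caller supplies a SHA -> version map (here a constructed
# one); nothing is fetched from the network.
import re
import sys
from dataclasses import dataclass

# A `uses:` step line, optionally prefixed with the YAML list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<value>\S+)(?P<rest>.*)$")
# Full 40-hex commit SHA: the only immutable way to reference an action.
SHA_RE = re.compile(r"[0-9a-f]{40}")
# The human-readable version comment Dependabot leaves next to a pinned SHA.
VERSION_COMMENT_RE = re.compile(r"#\s*(v\d+(?:\.\d+)*)")


@dataclass
class Finding:
    line_no: int
    action: str
    kind: str   # "unpinned" | "missing-comment" | "unknown-sha" | "stale-comment"
    detail: str


def check_workflow(text: str, known_releases: dict[str, str]) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned to a SHA or whose
    version comment disagrees with what the SHA resolves to."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip("\"'")
        rest = m.group("rest")
        # Local (./path) and container (docker://) actions carry no SHA pin.
        if value.startswith(("./", "docker://")) or "@" not in value:
            continue
        action, ref = value.rsplit("@", 1)
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(line_no, action, "unpinned",
                                    f"ref {ref!r} is a mutable tag or branch, not a 40-hex SHA"))
            continue
        cm = VERSION_COMMENT_RE.search(rest)
        comment = cm.group(1) if cm else None
        expected = known_releases.get(ref)
        if expected is None:
            findings.append(Finding(line_no, action, "unknown-sha",
                                    f"SHA {ref[:8]} is not in the supplied release map"))
        elif comment is None:
            findings.append(Finding(line_no, action, "missing-comment",
                                    f"pinned to {expected} but no version comment present"))
        elif comment != expected:
            findings.append(Finding(line_no, action, "stale-comment",
                                    f"comment says {comment} but SHA {ref[:8]} is {expected}"))
    return findings


# Constructed sample workflow. Line 5 reproduces the defect from this PR: the
# SHA is the v5.0.5 one but the comment still says v5.0.4.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      - uses: ./.github/actions/local-step
"""

# SHA -> version map. These two entries are the hashes named in this PR's
# discussion; in real use, generate the map from the action's release tags
# (for example from `git ls-remote --tags`) instead of hard-coding it.
KNOWN_RELEASES = {
    "27d5ce7f107fe9357f9df03efb73ab90386fccae": "v5.0.5",
    "668228422ae6a00e4ad889ee87cd7109ec5666a7": "v5.0.4",
}


def main() -> int:
    findings = check_workflow(SAMPLE_WORKFLOW, KNOWN_RELEASES)
    for f in findings:
        print(f"line {f.line_no}: {f.action}: {f.kind}: {f.detail}")
    # Non-zero exit so the check can gate a pre-commit hook or a CI job.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample, the checker reports line 4 as unpinned (`actions/checkout@v4`) and line 5 as a stale comment, and exits non-zero; line 6, where comment and SHA agree, is silent. Wired into a pre-commit hook with a map regenerated from the action's tags, it would have caught the mismatch this review found before the PR was opened.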

Bumps the github-actions group with 1 update: [actions/cache](https://github.com/actions/cache).


Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump actions/cache from 5.0.4 to 5.0.5 in the github-actions group chore(deps): bump actions/cache from 5.0.4 to 5.0.5 in the github-actions group across 1 directory Apr 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-20de5e3257 branch from 6db6007 to 4887b5d Compare April 21, 2026 05:57

dependabot Bot commented on behalf of github Apr 22, 2026

Looks like actions/cache is updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 22, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-20de5e3257 branch April 22, 2026 05:57
