Skip to content

chore(deps): bump the all-actions group across 1 directory with 2 updates#356

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/all-actions-061027d855
Open

chore(deps): bump the all-actions group across 1 directory with 2 updates#356
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/all-actions-061027d855

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026
edited
Loading

Bumps the all-actions group with 2 updates in the / directory: pnpm/action-setup and actions/cache.

Updates pnpm/action-setup from 5 to 6

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.0

Added support for pnpm v11.

Commits
  • 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
  • 26f6d4f fix: use npm co-located with the action node binary (#239)
  • 903f9c1 fix: update pnpm to 11.0.0-rc.5
  • bdf0af2 test: add strict version-match jobs to reproduce #225 / #227
  • 71c9247 fix: pnpm self-update binary shadowed by bootstrap on PATH (#230)
  • 078e9d4 fix: update pnpm to 11.0.0-rc.2
  • 08c4be7 docs(README): update action-setup version
  • 5798914 chore: update .gitignore
  • ddffd66 fix: remove accidentally committed file
  • b43f991 fix: update pnpm to 11.0.0-rc.0
  • Additional commits viewable in compare view

Updates actions/cache from 4 to 5

Release notes

Sourced from actions/cache's releases.

v5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

What's Changed

Full Changelog: actions/cache@v4.3.0...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

What's Changed

New Contributors

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

What's Changed

  • Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

Full Changelog: actions/cache@v4.2.2...v4.2.3

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits
  • 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
  • f280785 licensed changes
  • 619aeb1 npm run build generated dist files
  • bcf16c2 Update ts-http-runtime to 0.3.5
  • 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
  • e340396 Update RELEASES
  • 8a67110 Add licenses
  • 1865903 Update dependencies & patch security vulnerabilities
  • 5656298 Merge pull request #1722 from RyPeck/patch-1
  • 4e380d1 Fix cache key in examples.md for bun.lock
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 20, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 20, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cli-web-cli Ready Ready Preview, Comment May 4, 2026 11:06am

Request Review

@dependabot dependabot Bot changed the title chore(deps): bump the all-actions group with 2 updates chore(deps): bump the all-actions group across 1 directory with 2 updates Apr 23, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/all-actions-061027d855 branch from 88d2a48 to 9a9e56e Compare April 23, 2026 14:22
@ci-lockfile-regen
Copy link
Copy Markdown

ci-lockfile-regen Bot commented Apr 23, 2026

Dependabot Fix Assessment

Package: `pnpm/action-setup` `5` → `6` and `actions/cache` `4` → `5` (both major)
Scope: GitHub Actions CI tooling (not npm packages — no source code changes)
Workspace: root (all workflow files)

What changed upstream

  • pnpm/action-setup v6: Adds support for pnpm v11. No breaking changes for pnpm v10 (which our workflows continue to use via version: 10).
  • actions/cache v5: Upgrades the action to run on Node.js 24 runtime. No behavioral changes to caching logic itself.

Migration concerns checked

  • Peer dependencies: N/A (GitHub Actions, not npm)
  • Type changes: N/A
  • Config files: N/A
  • Module format: N/A
  • React compatibility: N/A
  • Monorepo impact: N/A

What broke (root cause analysis)

The CI failures are pre-existing infrastructure issues unrelated to this dependency bump:

  1. E2E Stats Tests (test/e2e/stats/stats.test.ts) — All stats tests exit with code 1 or 2, with:

    API request failed (401 Unauthorized): Access denied
Ably error code: 40100

    Root cause: The E2E_ABLY_ACCESS_TOKEN environment variable is populated from secrets.E2E_ABLY_ABLY_ACCESS_TOKEN (all workflows use this secret name, with the double "ABLY"). The secret is set to a non-empty value (otherwise SKIP_ACCOUNT_STATS = !E2E_ACCESS_TOKEN would cause the tests to be skipped), but the token it contains is expired or revoked.

    • Affected file: .github/workflows/e2e-tests.yml line 21 and 72
    • This is unrelated to pnpm/action-setup or actions/cache versions.

  2. Web CLI E2E Test (terminal-ui.test.ts — "should maintain independent sessions in split terminals") — Fails with:

    Session ended: Too many connection attempts. Please try again in 16 seconds.

    Root cause: Rate limiting on the terminal server (wss://web-cli-terminal.ably-dev.com). The parallel test groups in the e2e-web-cli-parallel.yml workflow are all connecting simultaneously, and the ui-tests job happens to hit the rate limit. This is intermittent and infrastructure-related.

    • This is also unrelated to pnpm/action-setup or actions/cache versions.

What was fixed

No code changes — the failures are not caused by the GitHub Actions version bumps.

Verification

  • Build: N/A (no source code changes)
  • Lint: N/A (no source code changes)
  • Unit tests: N/A (no source code changes)
  • Web CLI tests: N/A (no source code changes)

Notes for reviewer

Action required from a human:

  1. Regenerate the Ably access token in GitHub secrets: The secret E2E_ABLY_ABLY_ACCESS_TOKEN (used as E2E_ABLY_ACCESS_TOKEN in all workflow files) contains an expired/invalid token. A repo admin needs to generate a fresh Ably Control API access token and update this secret in the GitHub repo settings.

  2. Web CLI rate limit test: The "Too many connection attempts" failure in the split-terminal test is intermittent rate limiting. No action needed unless it becomes consistently reproducible — the parallel test architecture may need sequential delays between terminal connections in the ui-tests group.

  3. This PR itself is safe to merge: The pnpm/action-setup and actions/cache version bumps are straightforward upgrades with no breaking changes for this repo's usage. Once the access token secret is rotated, the stats tests should pass again.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/all-actions-061027d855 branch from 9a9e56e to 5a15a8e Compare April 26, 2026 11:51
@ci-lockfile-regen
Copy link
Copy Markdown

ci-lockfile-regen Bot commented Apr 26, 2026

Dependabot Fix Assessment

Package: pnpm/action-setup v5v6 and actions/cache v4v5 (major bumps)
Scope: GitHub Actions CI tooling (not npm packages)
Workspace: root (/.github/workflows/)

What changed upstream

pnpm/action-setup v6:

  • Added support for pnpm v11
  • Fixed pnpm self-update binary shadowing on PATH

actions/cache v5:

  • Node.js runtime upgraded to v24 within the action
  • No functional changes to cache behavior

Migration concerns checked

  • pnpm version: Still pinned to 10 in all workflow files — pnpm v11 is not used. ✅
  • Cache behavior: v5 uses same API; cache miss falls back to reinstall gracefully. ✅
  • Node.js in action: v24 is used by the cache action internally, not by our tests. ✅
  • Workflow logic: No workflow steps changed beyond the uses: version tags. ✅
  • npm packages: Not affected — this is a GitHub Actions-only bump. ✅

What broke

The CI failures are not caused by the dependency bump. Evidence:

  1. Another unrelated Dependabot PR (dependabot/npm_and_yarn/uuid-14.0.0, run 24955941596) had the exact same e2e-cli failure at the exact same time (11:51–12:05 UTC), despite containing completely different code changes.

  2. Web CLI failures show Session ended: anonymous session limit reached (50/50) — the test server hit its concurrent session capacity. This is an infrastructure constraint that occurs when multiple CI runs compete for the same shared test environment.

  3. Stats test failures (exit code 2) and mutable messages rule failures (exit code 1, empty stderr) are consistent with transient control API issues under concurrent test load.

  4. The main branch ran successfully (run 24955905555) just 85 seconds before this PR, on identical code, with identical test infrastructure.

What was fixed

No code changes were made. The dependency bump is safe and no migration is needed.

Verification

  • Build: ✅ (pnpm run build succeeds)
  • Lint: Not re-run (no source changes)
  • Unit tests: Not re-run (no source changes)
  • Web CLI tests: Not re-run (no source changes)

Notes for reviewer

Recommended action: re-run the failed CI jobs. The failures are transient environmental issues caused by concurrent test runs exhausting shared infrastructure (web CLI session limit, control API rate limits). Re-running when the environment is less congested should pass.

No code changes are required to adopt pnpm/action-setup@v6 or actions/cache@v5.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/all-actions-061027d855 branch from 5a15a8e to f3b20f9 Compare April 27, 2026 10:48
@ci-lockfile-regen
Copy link
Copy Markdown

ci-lockfile-regen Bot commented Apr 27, 2026

Dependabot Fix Assessment

Packages:

  • `pnpm/action-setup` `v5` → `v6` (major — GitHub Action)
  • `actions/cache` `v4` → `v5` (major — GitHub Action)

Scope: GitHub Actions (CI infrastructure only — not npm packages, not application code)
Workspace: root (.github/workflows/)

What changed upstream

pnpm/action-setup v5 → v6: Adds support for pnpm v11. Workflows still pin version: 10, so the installed pnpm version is unchanged.

actions/cache v4 → v5: The action now runs on Node.js 24 instead of Node.js 20 (action runtime only). Requires runner version ≥ 2.327.1. Does not affect user code or test behaviour.

Migration concerns checked

  • Peer dependencies: N/A (GitHub Actions, no npm peers)
  • Type changes: N/A
  • Config files: N/A (workflow YAML only)
  • Module format: N/A
  • React compatibility: N/A
  • Monorepo impact: OK — all workflows in .github/workflows/ use the same action versions; none require code changes

What broke (pre-existing failures, not caused by this PR)

These two test categories fail in CI, but they cannot be caused by the action version bumps since those only change how the CI runner environment is set up, not pnpm version, Node.js version, npm packages, application code, or test logic:

  1. stats app tests (test/e2e/stats/stats.test.ts): Exit codes 1–2 on stats app <appId> commands. The stats account sibling tests in the same file pass. This suggests a permission issue with the access token for app-level stats, or a pre-existing bug in the stats app command path.

  2. Mutable messages setup (test/e2e/channels/channel-annotations-e2e.test.ts, test/e2e/channels/channel-message-ops-e2e.test.ts): setupMutableMessagesRule() fails with exitCode=1, stderr= (empty stderr). The command apps rules create e2e-mutable --mutable-messages --app <appId> --json is failing silently — possible permission/entitlement issue with the CI test account, or a pre-existing API integration problem.

What was fixed

No code changes were needed. The dependency bump is correct and the workflow files are already updated by Dependabot.

Verification

No code changes to verify.

Notes for reviewer

The E2E failures predate this PR and are unrelated to the pnpm/action-setup / actions/cache version bumps. This PR is safe to merge. The pre-existing failures should be investigated separately:

  • Stats app failures: Check whether the CI access token (E2E_ABLY_ABLY_ACCESS_TOKEN secret) has permission to call the app-level stats endpoint, or whether there's a bug in src/commands/stats/app.ts.
  • Mutable messages failures: Check whether the CI test account has the mutableMessages feature enabled, and whether apps rules create works end-to-end with the CI credentials.

@dependabot
chore(deps): bump the all-actions group across 1 directory with 2 upd…
acd3e8e 
…ates

Bumps the all-actions group with 2 updates in the / directory: [pnpm/action-setup](https://github.com/pnpm/action-setup) and [actions/cache](https://github.com/actions/cache).


Updates `pnpm/action-setup` from 5 to 6
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@v5...v6)

Updates `actions/cache` from 4 to 5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: pnpm/action-setup
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/all-actions-061027d855 branch from f3b20f9 to acd3e8e Compare May 4, 2026 11:05
@ci-lockfile-regen
Copy link
Copy Markdown

ci-lockfile-regen Bot commented May 4, 2026

Dependabot Fix Assessment

Package: pnpm/action-setup 56 and actions/cache 45 (major bumps)
Scope: CI/CD tooling (GitHub Actions) — no npm dependencies changed
Workspace: root (all workflow files)

What changed upstream

  • pnpm/action-setup@v6: Adds pnpm v11 support; fixes PATH ordering (appends rather than prepends action node dir). Workflow still pins version: 10 explicitly — no pnpm version change.
  • actions/cache@v5: Upgrades action runtime to Node.js 24. No functional behavior changes for cache keys or restore logic.

Migration concerns checked

  • Peer dependencies: OK (GitHub Actions, no npm deps)
  • Type changes: OK (not applicable)
  • Config files: OK (workflow files only reference the action version tag)
  • Module format: OK (not applicable)
  • React compatibility: OK (not applicable)
  • Monorepo impact: OK (workflow files are at root, all workspace packages unaffected)

What broke

Stats tests (6 failures) and Mutable messages tests (2 failures) — both involve the Ably Control API.

All failing tests call resolveAppIdFromNameOrId("s57drg", flags) (where s57drg is the app ID extracted from E2E_ABLY_API_KEY). This calls controlApi.listApps() using ABLY_ACCESS_TOKEN and searches for the app. The app is not found, producing:

Error: Failed to look up app "s57drg": App "s57drg" not found. Run "ably apps list" to see available apps.

The mutable messages tests additionally fail because apps rules create ... --json exits with code 1 and empty stderr (the JSON error envelope goes to stdout, but the test helper only checks stderr).

These failures are NOT caused by the GitHub Actions version bump. They involve Ably Control API calls and are entirely unaffected by pnpm/action-setup or actions/cache versions.

Root cause

The E2E_ABLY_ACCESS_TOKEN environment variable IS present in CI (the tests run rather than skip — SKIP_ACCOUNT_STATS = !E2E_ACCESS_TOKEN is false). However, the access token does not return app s57drg when listApps() is called. This means the access token and the API key belong to different Ably accounts, or the token has been rotated/expired since the last passing run.

Evidence: These same tests passed on May 3rd (chore/remove-inquirer-dependency run 25274619309) and fail on May 4th with this PR. The only difference is the GitHub Actions versions — but those don't touch credentials. The most likely cause is the E2E_ABLY_ABLY_ACCESS_TOKEN secret being rotated or expired between May 3 and May 4.

What was fixed

No code changes — the GitHub Actions version bump is correct and complete as-is.

Verification

  • Build: ✅ (Run Tests workflow passed on this PR)
  • Lint: ✅ (Run Tests workflow passed)
  • Unit tests: ✅ (Run Tests workflow passed)
  • Web CLI tests: ✅ (Web CLI E2E Tests passed on this PR)

Notes for reviewer

Action needed: Please check the E2E_ABLY_ABLY_ACCESS_TOKEN repository secret:

  1. Verify it is still valid and not expired
  2. Verify it belongs to the same Ably account as the E2E_ABLY_API_KEY secret (app ID s57drg must be visible when calling /apps with that token)
  3. If the token was rotated, update the secret

The GitHub Actions bump itself is safe to merge — the E2E failures are a credential/environment issue independent of this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants