build(deps): bump actions/cache from 5.0.5 to 6.1.0 #109

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/cache-6.1.0

dependabot Bot commented on behalf of github Jun 27, 2026

Bumps actions/cache from 5.0.5 to 6.1.0.

Release notes

Sourced from actions/cache's releases.

v6.1.0

What's Changed

Full Changelog: actions/cache@v6...v6.1.0

v6.0.0

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

v5.1.0

What's Changed

Full Changelog: actions/cache@v5...v5.1.0

Changelog

Sourced from actions/cache's changelog.

6.1.0

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

4.3.0

  • Bump @actions/cache to v4.1.0

4.2.4

  • Bump @actions/cache to v4.0.5

4.2.3

  • Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

... (truncated)

Commits

  • 55cc834 Merge pull request #1768 from jasongin/readonly-cache
  • d8cd72f Bump @actions/cache to v6.1.0 - handle cache write error due to RO token
  • 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
  • e9b91fd Prettier fixes
  • e4884b8 Rebuild dist
  • 10baf01 Fixed licenses
  • e39b386 Fix test mock return order
  • b692820 PR feedback
  • 6074912 Rebuild dist bundles as ESM to match type:module
  • 5a912e8 Fix lint and jest issues
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5.0.5...v6.1.0)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and github_actions labels Jun 27, 2026
dependabot Bot requested a review from a team as a code owner June 27, 2026 12:52

clawsweeper Bot commented Jun 27, 2026

Codex review: needs maintainer review before merge. Reviewed June 27, 2026, 8:56 AM ET / 12:56 UTC.

Summary
This PR updates the Discord backup workflow cache restore/save action refs from actions/cache v5.0.5 to v6.1.0.

Reproducibility: not applicable. This is a Dependabot dependency update, not a bug report. Source inspection and PR checks verify the branch composes, while live scheduled workflow behavior would require workflow_dispatch or the next scheduled run.

Review metrics: 2 noteworthy metrics.

  • Action refs changed: 4 refs changed across 2 workflows. The diff is limited to cache restore/save action versions in the scheduled Discord backup workflows.
  • Current PR checks: 10 successful, 0 failing. The branch composes with the repository's normal CI, security, Docker, and release-check jobs.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Optionally run workflow_dispatch for the two backup workflows against the PR branch if maintainers want secret-backed runtime proof before merge.

Risk before merge

  • [P1] The affected scheduled/dispatch backup workflows rely on repository secrets, so normal PR CI does not fully exercise the exact cache restore/save path with live backup workflow context.

Maintainer options:

  1. Merge On Green Checks (recommended)
    Maintainers can accept the limited scheduled-workflow runtime risk because the patch is only an official action version bump and all current PR checks are green.
  2. Dispatch Backup Workflows First
    A maintainer with access to the required secrets can run the two backup workflows manually against the PR branch before merging to prove the live cache path.

Next step before merge

  • [P2] No code repair is indicated; maintainers only need to decide whether green checks are enough or whether to dispatch the secret-backed backup workflows before merge.

Security
Cleared: The diff introduces no concrete security or supply-chain regression; it updates existing official actions/cache refs without changing permissions, secrets, or adding a new third-party action.

Review details

Best possible solution:

Keep the official cache action refs current while preserving the existing workflow shape, permissions, and secret handling.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a Dependabot dependency update, not a bug report. Source inspection and PR checks verify the branch composes, while live scheduled workflow behavior would require workflow_dispatch or the next scheduled run.

Is this the best way to solve the issue?

Yes; updating the existing cache restore/save refs is the narrowest maintainable way to take the upstream action release. The only safer extra proof would be a maintainer-run workflow_dispatch, not a code change.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 670994a45f61.

Label changes

Label changes:

  • add P3: This is low-risk dependency maintenance on GitHub Actions workflow refs with clean checks.
  • add merge-risk: 🚨 automation: The PR changes action code used by scheduled backup automation that PR CI does not fully exercise with live secrets.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are not required to provide contributor real behavior proof.

Label justifications:

  • P3: This is low-risk dependency maintenance on GitHub Actions workflow refs with clean checks.
  • merge-risk: 🚨 automation: The PR changes action code used by scheduled backup automation that PR CI does not fully exercise with live secrets.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are not required to provide contributor real behavior proof.

Evidence reviewed

What I checked:

  • Target policy check: No AGENTS.md was found under the target repository root, so no target-specific AGENTS policy applied. (670994a45f61)
  • Current main cache refs: Current main still pins the four affected cache restore/save refs to actions/cache v5.0.5, so the requested bump is not already implemented on main. (.github/workflows/discord-backup-report.yml:31, 670994a45f61)
  • PR diff scope: The PR commit changes only four action version refs across the two Discord backup workflows. (.github/workflows/discord-backup-report.yml:31, edc1610317ea)
  • Upstream release exists: actions/cache v6.1.0 exists upstream and its release notes describe the read-only cache access handling update. (55cc8345863c)
  • Tag provenance: The upstream actions/cache tags for v5.0.5, v6.0.0, and v6.1.0 resolve to concrete tag SHAs. (55cc8345863c)
  • PR checks: GitHub reports mergeStateStatus CLEAN with all listed checks completed successfully. (edc1610317ea)

Likely related people:

  • Peter Steinberger: Introduced the Discord backup database cache workflow path, moved it to Node 24, bumped the cache action to v5, and has the most workflow-history touches for the affected files. (role: feature-history owner; confidence: high; commits: 0c616391111f, ce3437c0d430, 33b19dfd6284; files: .github/workflows/discord-backup-report.yml, .github/workflows/publish-discord-backup.yml)
  • Vincent Koc: Recent commits reworked or reintroduced the current Discord backup workflow content and own the current blamed lines in the checkout. (role: recent area contributor; confidence: medium; commits: f01e699c1c86, 6a91d9cc67bb; files: .github/workflows/discord-backup-report.yml, .github/workflows/publish-discord-backup.yml)
  • Hannes Rudolph: Recently changed the publish workflow's Discord member refresh behavior adjacent to the cache path. (role: adjacent workflow contributor; confidence: medium; commits: f77e560318fa; files: .github/workflows/publish-discord-backup.yml)

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper Bot added the rating: 🐚 platinum hermit, status: 👀 ready for maintainer look, P3, and merge-risk: 🚨 automation labels Jun 27, 2026