BUILD-10450 use gh-action_cache v1#216
Compare: f52b154 to 2a41b42
Pull request overview
Updates the repository’s composite actions to use SonarSource/gh-action_cache major version v1, aligning all caching steps on the same major release.
Changes:
- Switched SonarSource/gh-action_cache references from @v1.2.1 to @v1 across multiple composite actions.
- Kept existing caching keys/paths/conditions unchanged while standardizing the action reference.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| config-pip/action.yml | Updates pip dependency caching step to use gh-action_cache@v1. |
| config-npm/action.yml | Updates NPM dependency caching step to use gh-action_cache@v1. |
| config-maven/action.yml | Updates Maven repository caching step to use gh-action_cache@v1. |
| config-gradle/action.yml | Updates Gradle cache step to use gh-action_cache@v1. |
| code-signing/action.yml | Updates code-signing tools cache step to use gh-action_cache@v1. |
| cache/action.yml | Updates deprecated wrapper action to delegate to gh-action_cache@v1. |
| build-yarn/action.yml | Updates Yarn dependency caching step to use gh-action_cache@v1. |
| build-poetry/action.yml | Updates Poetry cache step to use gh-action_cache@v1. |
| "Please migrate to using the SonarSource/gh-action_cache action directly." | ||
|
|
||
| - uses: SonarSource/gh-action_cache@v1.2.1 | ||
| - uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| - uses: SonarSource/gh-action_cache@v1 | |
| - uses: SonarSource/gh-action_cache@5c909a0b8eaf0da8228a64a96b86c09f70f9137d # v1 |
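Review bot: the suggested SHA 5c909a0b8eaf0da8228a64a96b86c09f70f9137d cannot be checked from this page and differs from the SHA proposed for the very same `SonarSource/gh-action_cache@v1` reference in each of the other seven suggestions on this PR, although one tag resolves to exactly one commit, so at most one of them can be right. Before applying any of these, resolve the intended release once (for example `git ls-remote https://github.com/SonarSource/gh-action_cache refs/tags/v1.2.1`, taking the peeled `^{}` line if the tag is annotated) and use that single full 40-character SHA in all eight files, with the trailing comment naming the concrete release (`# v1.2.1`) rather than the floating `# v1`, since that comment is what reviewers and dependency-update tooling read to know which version the pin represents.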
|
|
||
| - name: Cache Yarn dependencies | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@f3bd9d9a0e2c4fcbdeb18f0d33bd44a14bcbb157 # v1 |
| host-actions-root: ${{ steps.set-path.outputs.host_actions_root }} | ||
| - name: Cache local Poetry cache | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@d8fef62f62c5ce57a4e2e828534a4f38ebb33e32 # v1 |
|
|
||
| - name: Cache pip dependencies | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@3bb181121986b31bb0d5854e379d4c0b04e5a577 # v1 |
|
|
||
| - name: Cache NPM dependencies | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@cde4c457175e8800dc303e6d2ee1b90a3b0a4b2f # v1.0.0 |
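Review bot: the trailing comment `# v1.0.0` on the suggested line contradicts the `- uses: SonarSource/gh-action_cache@v1.2.1` line this PR removes just above it: pinning to a v1.0.0 commit would downgrade the action by two patch releases instead of tracking v1, and tooling that reads the version from the comment would record the wrong one. Pin the commit of the release actually intended (v1.2.1 or later) and make the comment match that tag.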
|
|
||
| - name: Cache local Maven repository | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@d0d3a52e4e9747ce226869e6d64a9e6a6c6a79a # v1.x.y |
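Review bot: the suggested SHA `d0d3a52e4e9747ce226869e6d64a9e6a6c6a79a` is 39 hex characters, not 40, so it is not a valid full Git object ID and Actions cannot resolve it as a commit; the `# v1.x.y` comment is also the literal placeholder from the review text rather than a version. Replace both with the real 40-character SHA of the intended release and its concrete tag before merging.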
|
|
||
| - name: Gradle Cache | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
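Review bot: style point on the unchanged context line `- name: Gradle Cache`: the equivalent steps in the sibling actions all start with `Cache ...` (`Cache Yarn dependencies`, `Cache pip dependencies`, `Cache NPM dependencies`, `Cache local Maven repository`); since this PR already touches the `uses:` line directly below, renaming the step `Cache Gradle dependencies` would keep step names consistent across the composite actions.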
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@a86d965f3caba3a099f7d2188ef3c9bbd67af9f1 # v1 |
|
|
||
| - name: Cache code signing tools | ||
| uses: SonarSource/gh-action_cache@v1.2.1 | ||
| uses: SonarSource/gh-action_cache@v1 |
Using the floating SonarSource/gh-action_cache@v1 tag reduces build reproducibility and increases supply-chain risk, since the referenced code can change without a PR in this repo. Consider pinning to an immutable commit SHA (and optionally keep a comment like # v1.x.y) so updates remain explicit and reviewable.
| uses: SonarSource/gh-action_cache@v1 | |
| uses: SonarSource/gh-action_cache@3d9f3f5a4a14f0b0e98c0245ce57a4e2e5b0f881 # v1.x.y |
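Review bot: the comment `# v1.x.y` on the suggested line is the placeholder copied from the review wording, not a version; replace it with the concrete tag the SHA corresponds to (e.g. `# v1.2.1`) so reviewers and dependency-update tooling can read the pinned version without dereferencing the SHA, and confirm the SHA itself against the upstream release tag before applying the suggestion.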