chore(deps): update dependency @actions/tool-cache to v4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@actions/tool-cache (source)	dependencies	major	2.0.2 → 4.0.0

---

Release Notes

actions/toolkit (@​actions/tool-cache)

v4.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()

3.0.1

• Bump @actions/http-client to 3.0.2

3.0.0

• Update to v2.0.1 of @actions/core
• Update to v2.0.0 of @actions/exec
• Update to v3.0.1 of @actions/http-client
• Update to v2.0.0 of @actions/io

2.0.2

• Update @actions/core to v1.11.1 #​1872
• Remove dependency on uuid package #​1824, #​1842

2.0.1

• Update to v2.0.1 of @actions/http-client #​1087

2.0.0

• Update to v2.0.0 of @actions/http-client
• The type of the headers parameter in the exported function downloadTool has been narrowed from { [header: string]: any } to { [header: string]: number | string | string[] | undefined; } (that is, http.OutgoingHttpHeaders).
  This is strictly a compile-time change for TypeScript consumers. Previous attempts to use a header value of a type other than those now accepted would have resulted in an error at run time.

1.7.2

• Update lockfileVersion to v2 in package-lock.json #​1025

1.7.1

• Fallback to os-releases file to get linux version
• Update to latest @​actions/io verison

1.7.0

• Allow arbirtary headers when downloading tools to the tc
• Export isExplicitVersion and evaluateVersions functions
• Force overwrite on default when extracted compressed files

1.6.1

• Update @​actions/core version

1.6.0

• Add extractXar function to extract XAR files

1.3.5

• Check if tool path exists before executing
• Make extract functions quiet by default

1.3.4

• Update the http-client to 1.0.8 which had a security fix

Here is the security issue that was fixed in the http-client 1.0.8 release

1.3.3

• Update downloadTool to only retry 500s and 408 and 429

1.3.2

• Update downloadTool with better error handling and retries

1.3.1

• Increase http-client min version

1.3.0

• Uses @​actions/http-client

1.2.0

• Overload downloadTool to accept destination path
• Fix extractTar on Windows
• Add "types" to package.json

1.1.2

• Use zip and unzip from PATH
• Support custom flags for extractTar

1.0.0

• Initial release

v3.0.1

• Bump @actions/http-client to 3.0.2

v3.0.0

• Update to v2.0.1 of @actions/core
• Update to v2.0.0 of @actions/exec
• Update to v3.0.1 of @actions/http-client
• Update to v2.0.0 of @actions/io

---

Configuration

📅 Schedule: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cubic-dev-ai]

No issues found across 2 files

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​actions/​tool-cache@​2.0.2 ⏵ 4.0.0	+1			+5

View full report

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

? Verifying lockfile against supply-chain policies (557 entries)...
[WARN] Request took 10569ms: https://registry.npmjs.org/@typescript-eslint%2Feslint-plugin
✗ Lockfile failed supply-chain policy check (557 entries in 15.4s)
[ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION] 1 lockfile entries failed verification:
  ts-jest@29.4.10 was published at 2026-05-19T08:22:41.237Z, within the minimumReleaseAge cutoff (2026-05-19T03:04:25.059Z)

The lockfile contains entries that the active policies reject. This can mean the lockfile is stale, or that someone committed a lockfile that bypassed the policy locally — inspect recent changes to pnpm-lock.yaml before trusting it. If the changes look expected, run "pnpm clean --lockfile" and then "pnpm install" to rebuild from a fresh resolution. Alternatively, relax the policy that flagged them.