Deprecation Notice - Upgrade to latest before February 1st 2025

[Link-]

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before March 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

Context

The cache backend service has been rewritten from the ground up for improved performance and reliability. In latest versions actions/cache, we introduced a more consistent API contract with the cache backend service.

The new service will decrease the cache upload duration by up to ~80% when using GitHub Hosted Runners. The cache download performance will be the same. If you’re using self-hosted runners the upload duration is expected to improve, or in the worst-case stay the same. Cache upload/download performance depends on your network topology, hardware and geographical region used for hosting among other factors.

We will start rolling out the new backend service gradually as of February 1st, 2025. We will issue further guidance as we approach this deadline.

The legacy backend service will be sunset shortly after February 1st, 2025. We will not support both services at the same time. Refer to the migration guide below for further information on how to prevent disruption to your teams.

Migration guide

The new changes to the actions/cache should be seamless and fully backward compatible. You are not expected to change anything in your workflows to use the new service beyond upgrading to the latest releases.

In order to upgrade, edit your workflows to use one of these supported releases:

Supported versions and tags
actions/cache@v4
actions/cache@v3
actions/cache@v4.2.0
actions/cache@v3.4.0

If you are caching or have forked these actions, please make sure you update your caches or your forks!

The following is the list of all the deprecated versions of this action. If you are using any of these version (or have pinned to any of their SHAs), your workflows will break as of March 1st, 2025.

Deprecated versions	TYPE	TAG NAME	PUBLISHED
v4.1.2	Latest	v4.1.2	about 1 month ago
v4.1.1		v4.1.1	about 1 month ago
v4.1.0		v4.1.0	about 2 months ago
v4.0.2		v4.0.2	about 8 months ago
v4.0.1		v4.0.1	about 9 months ago
v4.0.0		v4.0.0	about 10 months ago
v3.3.3		v3.3.3	about 10 months ago
v3.3.2		v3.3.2	about 1 year ago
v1.2.1		v1.2.1	about 1 year ago
v2.1.8		v2.1.8	about 1 year ago
v3.3.1		v3.3.1	about 1 year ago
v3.3.0		v3.3.0	about 1 year ago
v3.2.6		v3.2.6	about 1 year ago
v3.2.5		v3.2.5	about 1 year ago
v3.2.4		v3.2.4	about 1 year ago
v3.2.3		v3.2.3	about 1 year ago
v3.2.2		v3.2.2	about 1 year ago
v3.2.1	Pre-release	v3.2.1	about 1 year ago
v3.2.0		v3.2.0	about 1 year ago
v3.2.0-beta.1	Pre-release	v3.2.0-beta.1	about 1 year ago
v3.1.0-beta.3	Pre-release	v3.1.0-beta.3	about 1 year ago
v3.1.0-beta.2	Pre-release	v3.1.0-beta.2	about 1 year ago
v3.1.0-beta.1	Pre-release	v3.1.0-beta.1	about 2 years ago
v3.0.11		v3.0.11	about 2 years ago
v3.0.10		v3.0.10	about 2 years ago
v3.0.9		v3.0.9	about 2 years ago
v3.0.8		v3.0.8	about 2 years ago
v3.0.7		v3.0.7	about 2 years ago
v3.0.6		v3.0.6	about 2 years ago
v3.0.5		v3.0.5	about 2 years ago
v3.0.4		v3.0.4	about 2 years ago
v3.0.3		v3.0.3	about 2 years ago
v3.0.2		v3.0.2	about 2 years ago
v3.0.1		v3.0.1	about 2 years ago
v3.0.0		v3.0.0	about 2 years ago
v2.1.7		v2.1.7	about 3 years ago
v2.1.6		v2.1.6	about 3 years ago
v2.1.5		v2.1.5	about 3 years ago
v2.1.4		v2.1.4	about 3 years ago
v2.1.3		v2.1.3	about 4 years ago
v2.1.2		v2.1.2	about 4 years ago
v2.1.1		v2.1.1	about 4 years ago
v2.1.0		v2.1.0	about 4 years ago
v2.0.0		v2.0.0	about 4 years ago
v1.2.0		v1.2.0	about 4 years ago
v1.1.2		v1.1.2	about 4 years ago
v1.1.1		v1.1.1	about 4 years ago
v1.1.0		v1.1.0	about 4 years ago
v1.0.3		v1.0.3	about 5 years ago
v1.0.2		v1.0.2	about 5 years ago
v1.0.1		v1.0.1	about 5 years ago
v1.0.0		v1.0.0	about 5 years ago
Preview v0.0.2	Pre-release	v0.0.2	about 5 years ago
Preview v0.0.1	Pre-release	v0.0.1	about 5 years ago

Brownouts

To raise awareness of the upcoming deprecation, builds using deprecated versions that are scheduled to run during the brownout periods will fail. Planned brownouts schedule:

February 4, 5pm – 6pm UTC
February 11, 3pm – 7pm UTC
February 18, 2pm – 10pm UTC

Keeping your actions up to date with Dependabot

When you enable Dependabot version updates for GitHub Actions, Dependabot will help ensure that references to actions in a repository's workflow.yml file and reusable workflows used inside workflows are kept up to date.

Read more about that: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#about-dependabot-version-updates-for-actions

GitHub Enterprise Server

This deprecation will not impact any existing versions of GitHub Enterprise Server that are currently in use.

[daveisfera]

Is this really a deprecation? It feels like a very hard breaking change since it appears that all existing branches/tags will stop working unless upgraded. Is this harsh of a change really necessary?

[rasa-jmac]

Hey @Link- , completely understand the points you're making here, but I don't think the extent of this change has been communicated clearly enough given the breaking changes this is introducing. The deprecation notice on the Github blog here uses the headline that v1-v2 are deprecated, and the paragraph below says that versions prior to 4.0.0 are closing down.

To me, this suggests that as long as I am using >= v4.0.0, my workflows won't be impacted. This discussion page instead suggests that I need to be on the very latest 4.2.0 release and that all other versions from 4.0.0 to 4.1.2 are now deprecated. This is a significant breaking change for anyone with security critical workflows who are pinning by SHA instead of floating version - and the main announcements do not make the extent of the deprecation obvious.

[Link-]

@rasa-jmac - I believe in addition to the changelog posts, these announcements & the brown-outs we're planning, we have sent out at least 2 email communications regarding this deprecation that clearly state the versions that will remain supported. We acknowledge this is a big change & we're doing the best we can to spread awareness as much as possible.

From my personal experience with deprecations, I'm afraid it's never the right time to do them no matter how much communication we send out.

[rasa-jmac]

I think I see the source of the confusion now - it was not immediately obvious to me that the versioning of the @actions/cache package is different to the actions/cache action. I'm not sure this is something that will be apparent to users who consume the action but aren't familiar with building their own actions using the package. It's easy to parse this messaging as "as long as my action is >4.0.0 everything will be fine"

[Link-]

That's a fair point @rasa-jmac and I can understand the source of confusion. It's a distinction that is very difficult to reason about especially since the names of the package and the action are the same.

That's also why the announcement here is different than the announcement in the package repo: actions/toolkit#1890

[max-frank]

It's easy to parse this messaging as "as long as my action is >4.0.0 everything will be fine"

Can confirm this is exactly what happened when I read this error message and looked at the linked announcement. Note we also made sure to upgrade everything v4 in February already that was not v4 already.

Error: This request has been automatically failed because it uses a deprecated version of actions/cache: 6849a6489940f00c2f30c0fb92c6274307ccb58a. Please update your workflow to use v3/v4 of actions/cache to avoid interruptions. Learn more: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down

6849a6489940f00c2f30c0fb92c6274307ccb58a is v4.1.2

From a user perspective we are just interacting with the tags (or commit shas) of the repo so reading <4.0.0 is automatically gonna be interpreted as tags <4.0.0. The text in the announcement linked in the error message is confusing from a user perspective.

[NicholasEllul]

@Link- You may have seen the following blog post, or more recently the Ultralytics supply chain attack, both of which take advantage of the legacy cache service's behaviour to poison the cache of other workflows with malicious code.

Will the newly built cache backend service include any improvements to mitigate these kinds of attacks?

[Link-]

Thanks @NicholasEllul - this is on our radar & we're working through it.

[marcagarcia]

During the last brown-out, our builds failed even though we are only using v4.

Error: This request has been automatically failed because it uses a deprecated version of actions/cache: v4.0.2. Please update your workflow to use v3/v4 of actions/cache to avoid interruptions. Learn more: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down

Note in the error notice we are using v4.0.2 and the suggestion is to use v3/v4.
Bringing this up for visibility in case there is a bug in the rollout.

[srl295]

I'm afraid we cannot be more verbose in our communication

I appreciate the communication, but the blog posts and emails actually do not mention that some versions of 4.x are also deprecated, such as 4.0.2. They do mention "1" and "2" as being deprecated, and specifically "before 4.0.0".

Please consider updating the blog posts to say that you must use v3.4.0, v4.2.0, or the symbolic names v3 or v4. This would have saved a lot of back and forth from our teams.

It's hard, but yes, i think you could have (and still can) be more verbose - please take this as constructive criticism.

Is it possible to fix the deprecation message when the run fails? That would be really helpful.

[tkloht]

I'm afraid we cannot be more verbose in our communication

I respectfully disagree and would like to propose these changes to your communication:

• adjust the error message to This request has been automatically failed because it uses a deprecated version of actions/cache: vX.Y.Z. Please update your workflow to use v3.4.0/v4.2.0 of actions/cache before March 1st, 2025 to avoid interruptions.
• In the linked blog post (https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down) you state versions prior to 4.0.0 will be closing down - adjust this to 3.4.0 and 4.2.0
• In addition I would suggest mentioning explicitly in the blog post that version 4.1.1 will stop working, even though being a very recent release

[srl295]

@tkloht Just noting that it's Feb 11th, 2025 right now - past the 1st.

[tkloht]

right, updated 🙏

[tkloht]

although I guess february 1st is accurate since we definitely have interruptions

[AdnaneKhan]

Is there some indicator that a workflow is using the new Cache backend or the old one?

Based on the toolkit code there is a ACTIONS_CACHE_SERVICE_V2 environment variable that informs the cache toolkit whether it should use the old backend or the new one.

Is the new back-end only available during the brown-out windows, and workflows can ONLY use the old back-end until that hard switchover is completed later this month? I tried to force a workflow to use a new Cache backend by setting the environment variable and it failed to use the new Twirp RPC backend.

I think it would be valuable to call out the specific URLs and endpoints used by the new one for anyone who is strictly monitoring egress from their self-hosted runners.

[JoannaaKL]

@theUpsider your workflows started failing because you are using the tag v4.1.0 of SonarSource/sonarqube-scan-action that in turn is using the deprecated tag v4.0.2 of actions/cache:
https://github.com/SonarSource/sonarqube-scan-action/blob/1b442ee39ac3fa7c2acdd410208dcb2bcfaae6c4/action.yml#L35
After an upgrade to the latest version of SonarSource/sonarqube-scan-action your issue should be fixed.

[theUpsider]

@JoannaaKL @Link- Thanks for looking into this. Will update Sonarqube.

[admangum]

If the problem is recurring, please open a support ticket and share the workflows affected & we will have a look at it. If it's a public repository, feel free to share a link here. Thank you for reporting this.

It's a private repo. I've created an issue here.

[michieldondorp]

The text in the blog post specifically mentions before v4.0.0, 4.0.2 is of date 19 march 2024. The check is wrong.

[JoannaaKL]

@michieldondorp actions/toolkit is not affected by the brownouts. Workflows that were failed above were using a deprecated version of actions/cache.

[chaithanyaangalagunta]

@Link- I have been facing cache related issues for the past couple of days sporadically. Is there any chance that these brownouts are causing issue for actions/cache@v3 too?

[JoannaaKL]

Hi @chaithanyaangalagunta - workflows using deprecated versions of actions/cache were blocked only during announced brownout dates. Please share a link to your workflow run or more details describing what kind of issues are you experiencing so that we can help. :)

[chetbox]

I missed the the brownout periods and now my builds are failing. I have some very helpful data in the cache. Is it possible to recover data from cache v1, however manually?

[JoannaaKL]

@chetbox done, please try now

[chetbox]

I have retrieved the latest cache file, thank you. 🙏🏼 Will I need to be restore the cache again when switched back to cache v2?

In the meantime I'll look into a backup system for this, or store the data somewhere that's designed for more persistent storage!

[JoannaaKL]

When I'll switch the flag for you again your repo is going to use the new cache service and your secret's won't be accessible anymore. You'll need to use values you saved now and upload them again. If you retrieved the cache I am switching you to the new backend. :)

[chetbox]

Once I could see my cache list was empty I uploaded a new cache entry using a temporary branch upload-cache:

      - run: echo "RANDOM_SUFFIX=${RANDOM}${RANDOM}" >> $GITHUB_ENV
      - uses: actions/cache/save@v4
        with:
          path: .signal-cli-data
          key: signal-cli-data-${{ env.RANDOM_SUFFIX }}

Then deleted the branch:

$ gh push origin :upload-cache

Now I can see the singular new cache entry:

$ gh cache list

ID        KEY                        ...
20599463  signal-cli-data-256722088  ...

But, when running a workflow which is designed to fetch the latest cache with a matching prefix,

    - run: echo "RANDOM_SUFFIX=${RANDOM}${RANDOM}" >> $GITHUB_ENV
    - uses: actions/cache@v4
      with:
        path: .signal-cli-data
        key: signal-cli-data-${{ env.RANDOM_SUFFIX }}
        restore-keys: |
          signal-cli-data-

it cannot find any cache items with this prefix:

Cache not found for input keys: signal-cli-data-829215335, signal-cli-data-

What have I done wrong?

This setup worked fine with cache v1. According to the the docs I believe this should still work.

[chetbox]

I worked it out! The cache I uploaded from my temporary branch is only scoped to that branch.

The cache is scoped to the key, version, and branch. The default branch cache is available to other branches.

-- https://github.com/actions/cache#cache-scopes

Instead I created a commit on my default branch, main, that uploads a new cache entry. This is available to restore from all branches and now my caches are restored successfully.

For anyone who wants to understand this further, see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache for more info on cache scope restrictions.