[release-1.2] 🌱 Bump actions/cache from 3.0.4 to 3.2.1 #7813
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/lgtm |
|
@fabriziopandini: you cannot LGTM your own PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@fabriziopandini Q: Why did we start to cherry-pick GitHub action bumps to older release branches? Just curious what the reasons behind it are, I assume as long as there are no CVE's in them (we never had that) it's not really worth the effort. (just want to understand why we're doing it as it's a non-trivial amount of work with all the bump PRs from dependabot, I'm fine with doing it if we think it's worth the effort) |
|
We started backporting dependabot bumps due to CVE, then continued without thinking too much about discriminating bumps for CVE vs regular bumps vs GitHub actions bumps. |
|
I'll merge this PR given it's already open and ready and we backported the same to release-1.3 I'll open an issue to discuss a bit what kind of dependency bumps we want to pro-actively backport (+ follow-up policy update) It's not really that I'm objecting to merging GitHub action bumps if someone wants to invest the effort to open the PRs. I just tend to not want to invest the effort to do it pro-actively I guess. /lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: c18cc33172050b719e96e22bc25348538cd7fafc
|
Manual cherry-pick of #7805
Bumps actions/cache from 3.0.11 to 3.2.1.