
chore(deps): update actions/cache action to v5 #322

Merged
lgallard merged 1 commit into master from renovate/actions-cache-5.x
Apr 6, 2026

@renovate renovate bot commented Feb 20, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/cache | action | major | v4 → v5 |

Release Notes

actions/cache (actions/cache)

v5



Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

lgallard commented Apr 6, 2026

@claude shouldn't we be using sha instead of tagged versions?

claude bot commented Apr 6, 2026

Claude finished @lgallard's task —— View job


Analyzing Actions Version Pinning Strategy

Great question about security best practices! Let me analyze the current setup and provide recommendations.

Todo List:

  • Read the modified workflow file to understand current usage
  • Analyze Actions security implications of tags vs SHAs
  • Provide recommendation based on project context
  • Update comment with findings

Current Usage Analysis

I've reviewed your workflow files and found:

Current Actions Usage Pattern:

  • actions/checkout@v4 and @v5 (tags)
  • actions/setup-python@v5 (tags)
  • hashicorp/setup-terraform@v3 (tags)
  • actions/cache@v5 (the updated action - tags)
  • github/codeql-action/upload-sarif@v3 (tags)

SHA vs Tagged Versions: Security Analysis

SHA Pinning Advantages:

  • Immutable references - SHA hashes cannot be modified, preventing supply chain attacks
  • Complete security - Even if a tag gets moved to malicious code, your SHA remains safe
  • Compliance - Required by many security frameworks (SOC2, NIST, etc.)

Tagged Version Advantages:

  • Automatic security updates - Get patches within major versions (e.g., v4.1.2 → v4.1.3)
  • Easier maintenance - No need to manually update hashes for security fixes
  • Better readability - Clear semantic meaning

Recommendation for Your Project

For terraform-aws-backup specifically, I recommend staying with tagged versions for these reasons:

  1. Security Posture: You already have excellent security scanning with Checkov + tfsec
  2. Official Actions Only: All actions used are from trusted publishers (GitHub, HashiCorp)
  3. Maintenance Overhead: SHA pinning requires manual updates for security patches
  4. Renovate Integration: Your current setup with Renovate works perfectly for dependency updates

When to Consider SHA Pinning

Consider switching to SHAs if:

  • Compliance requirements mandate it
  • Using third-party/community actions (none currently used)
  • High-security environment (government, finance, healthcare)
  • Supply chain attacks become a significant concern for your threat model

Current Setup Assessment: ✅ Secure & Appropriate

Your current approach is well-balanced for a Terraform module project:

  • Trusted official actions only
  • Automated dependency updates via Renovate
  • Comprehensive security scanning in place
  • Clear maintenance workflow

The actions/cache@v5 update is safe to proceed with as-is.


@lgallard lgallard merged commit 5010b4b into master Apr 6, 2026
39 checks passed
@lgallard lgallard deleted the renovate/actions-cache-5.x branch April 6, 2026 21:33
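
The tag-versus-SHA question raised in this thread can be checked mechanically. The following is an added example, not code from this PR or repository: it lists every `uses:` reference in a workflow and marks those not pinned to a full 40-character commit SHA. The sample workflow and the SHA in it are constructed placeholders, and `classify` and `audit` are hypothetical helper names.

```python
import re

# A `uses:` value with an optional list dash, optional quotes and trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(target):
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` target."""
    if target.startswith("./"):
        return "local"    # action or reusable workflow in the same repository
    if target.startswith("docker://"):
        return "docker"   # container image reference, not a git ref
    _, _, ref = target.partition("@")
    # Only a full 40-hex commit SHA counts as pinned; tags and branches
    # are mutable refs that can later point at different code.
    return "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def audit(workflow_text):
    """Return (line_no, target, kind, trailing_comment) for each `uses:` line."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((no, m.group(1), classify(m.group(1)), m.group(2) or ""))
    return findings


# Constructed sample workflow using the action names mentioned in the thread.
# The 40-hex value is a placeholder, not a real actions/cache commit.
SAMPLE = """\
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: hashicorp/setup-terraform@v3
      - name: Cache
        uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: github/codeql-action/upload-sarif@v3
      - uses: ./.github/actions/local-check
"""

if __name__ == "__main__":
    for no, target, kind, note in audit(SAMPLE):
        flag = "REVIEW" if kind == "mutable" else "ok"
        print(f"{no:>3} {flag:<6} {kind:<8} {target} {note}")
```

The trailing `# v5` comment on a pinned line keeps the human-readable version next to the SHA, so the pin stays reviewable in diffs.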