action-allowlist-review: bump mozilla-actions/sccache-action from 0.0.9 to 0.0.10 in /.github/actions/for-dependabot-triggered-reviews

[dependabot]

Bumps mozilla-actions/sccache-action from 0.0.9 to 0.0.10.

Release notes

Sourced from mozilla-actions/sccache-action's releases.

v0.0.10

What's Changed

• Use tar on all platforms by @​brianmichel in Mozilla-Actions/sccache-action#193
• Bump eslint-plugin-prettier from 5.2.3 to 5.2.5 by @​dependabot[bot] in Mozilla-Actions/sccache-action#196
• Bump typescript from 5.7.2 to 5.8.2 by @​dependabot[bot] in Mozilla-Actions/sccache-action#195
• Bump @​types/node from 22.13.0 to 22.13.17 by @​dependabot[bot] in Mozilla-Actions/sccache-action#194
• Bump undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in Mozilla-Actions/sccache-action#204
• Bump eslint-config-prettier from 9.1.0 to 10.1.2 by @​dependabot[bot] in Mozilla-Actions/sccache-action#201
• Bump ts-jest from 29.2.6 to 29.3.2 by @​dependabot[bot] in Mozilla-Actions/sccache-action#200
• Bump eslint-plugin-prettier from 5.2.5 to 5.5.4 by @​dependabot[bot] in Mozilla-Actions/sccache-action#221
• Bump eslint-config-prettier from 10.1.2 to 10.1.8 by @​dependabot[bot] in Mozilla-Actions/sccache-action#214
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in Mozilla-Actions/sccache-action#220
• Add job id to annotation title by @​wetheredge in Mozilla-Actions/sccache-action#212
• Bump @​actions/io from 1.1.3 to 2.0.0 by @​dependabot[bot] in Mozilla-Actions/sccache-action#228
• Bump eslint-plugin-import from 2.31.0 to 2.32.0 by @​dependabot[bot] in Mozilla-Actions/sccache-action#227
• Bump actions/setup-node from 5 to 6 in the github-actions group by @​dependabot[bot] in Mozilla-Actions/sccache-action#226
• Bump @​actions/github from 6.0.0 to 6.0.1 by @​dependabot[bot] in Mozilla-Actions/sccache-action#233
• Bump minimatch by @​dependabot[bot] in Mozilla-Actions/sccache-action#239
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in Mozilla-Actions/sccache-action#232
• Bump ts-jest from 29.3.2 to 29.4.6 by @​dependabot[bot] in Mozilla-Actions/sccache-action#240
• Bump to node24 by @​cakebaker in Mozilla-Actions/sccache-action#245
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in Mozilla-Actions/sccache-action#248
• Bump picomatch from 2.3.1 to 2.3.2 by @​dependabot[bot] in Mozilla-Actions/sccache-action#249
• Bump handlebars from 4.7.8 to 4.7.9 by @​dependabot[bot] in Mozilla-Actions/sccache-action#250
• Fix code block formatting in README.md by @​baseplate-admin in Mozilla-Actions/sccache-action#246
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in Mozilla-Actions/sccache-action#231
• prepare version 0.0.10 by @​sylvestre in Mozilla-Actions/sccache-action#251

New Contributors

• @​brianmichel made their first contribution in Mozilla-Actions/sccache-action#193
• @​wetheredge made their first contribution in Mozilla-Actions/sccache-action#212
• @​baseplate-admin made their first contribution in Mozilla-Actions/sccache-action#246

Full Changelog: Mozilla-Actions/sccache-action@v0.0.9...v0.0.10

Commits

• 9e7fa8a Merge pull request #251 from sylvestre/ver
• 3ca012d prepare version 0.0.10
• 7cf1643 Merge pull request #231 from Mozilla-Actions/dependabot/npm_and_yarn/js-yaml-...
• b2be802 Merge pull request #246 from baseplate-admin/patch-1
• 84812a5 Merge pull request #250 from Mozilla-Actions/dependabot/npm_and_yarn/handleba...
• 4e28318 Merge pull request #249 from Mozilla-Actions/dependabot/npm_and_yarn/picomatc...
• cfa813e Merge pull request #248 from Mozilla-Actions/dependabot/npm_and_yarn/flatted-...
• ef3762b Merge pull request #245 from cakebaker/bump_to_node24
• 919bfb6 Bump handlebars from 4.7.8 to 4.7.9
• 167904b Bump picomatch from 2.3.1 to 2.3.2
• Additional commits viewable in compare view

[potiuk]

verify-action-build flagged this as the same class of problem we hit in #669 (SonarSource/sonarqube-scan-action 7.0.0 → 7.1.0): the committed dist/ at v0.0.10 only matches a clean rebuild when package.json + package-lock.json are swapped back to the v0.0.9 commit. In other words the upstream release commit bumped the lockfile version strings but shipped a dist/ that was built against the previous toolchain. Source changes between versions look clean — no suspicious behaviour introduced — so the underlying bump itself is fine to accept, as we did for #669.

Unlike #669 (where SonarSource had issues/PRs disabled so we couldn't report it), Mozilla's repo accepts PRs, so I opened an upstream CI-hardening PR to prevent this recurring on future releases:

• Mozilla-Actions/sccache-action#252

The proposed fix adds a verify-dist job that runs npm ci && npm run build on Node 24 (matching action.yml's using: node24) and fails if the committed dist/ differs from a clean rebuild — catching this kind of drift at the release-repo CI rather than downstream in verify-action-build.

Conditionally approving on the same basis as #669, but would like a second pair of eyes before merge.

Generated-by: Claude Opus 4.7 (1M context)

[dave2wave]

Given @potiuk analysis we should allow this bump.