actions/setup-python
1
0
Fork 0
mirror of https://code.forgejo.org/actions/setup-python.git synced 2026-03-17 12:35:54 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

feat: add cache-write input for read-only cache mode

Browse source 
Add a 'cache-write' input (default: true) that controls whether the cache
is saved at the end of the workflow. When set to 'false', the action will
restore cached dependencies but skip saving, providing a read-only cache
mode.

This is useful for preventing cache poisoning attacks from untrusted PR
builds while still benefiting from cached dependencies.
This commit is contained in:
Salman Chishti 2026-03-09 05:35:59 -07:00 committed by GitHub
parent a309ff8b42
commit 8a88e9f333
3 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
action.yml
View file

@ -20,6 +20,9 @@ inputs:
default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
cache-dependency-path:
description: "Used to specify the path to dependency files. Supports wildcards or a list of file names for caching multiple dependencies."
cache-write:
description: "Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds."
default: true
update-environment:
description: "Set this option if you want the action to update environment variables."
default: true

5
dist/cache-save/index.js vendored
View file

@ -44170,6 +44170,11 @@ const cache_distributor_1 = __nccwpck_require__(92326);
// https://github.com/actions/cache/pull/1217
async function run(earlyExit) {
try {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return;
}
const cache = core.getInput('cache');
if (cache) {
await saveCache(cache);

6
src/cache-save.ts
View file

@ -9,6 +9,12 @@ import {State} from './cache-distributions/cache-distributor';
// https://github.com/actions/cache/pull/1217
export async function run(earlyExit?: boolean) {
try {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return;
}
const cache = core.getInput('cache');
if (cache) {
await saveCache(cache);