diff --git a/action.yml b/action.yml
index 861fb9d75..bd91a24a4 100644
--- a/action.yml
+++ b/action.yml
@@ -24,6 +24,10 @@ inputs:
 cache-dependency-path:
 description: 'Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies.'
 required: false
+ cache-write:
+ description: 'Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds.'
+ required: false
+ default: true
 workloads:
 description: 'Optional SDK workloads to install for additional platform support. Examples: wasm-tools, maui, aspire.'
 required: false
diff --git a/dist/cache-save/index.js b/dist/cache-save/index.js
index 43e7b8b61..6636f730d 100644
--- a/dist/cache-save/index.js
+++ b/dist/cache-save/index.js
@@ -44650,6 +44650,11 @@ process.on('uncaughtException', e => {
 });
 async function run() {
 try {
+ const cacheWriteEnabled = core.getInput('cache-write');
+ if (cacheWriteEnabled === 'false') {
+ core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+ return;
+ }
 if (core.getBooleanInput('cache')) {
 await cachePackages();
 }
diff --git a/src/cache-save.ts b/src/cache-save.ts
index 3f942b9a6..dbfa4dd8b 100644
--- a/src/cache-save.ts
+++ b/src/cache-save.ts
@@ -14,6 +14,12 @@ process.on('uncaughtException', e => {
 export async function run() {
 try {
+ const cacheWriteEnabled = core.getInput('cache-write');
+ if (cacheWriteEnabled === 'false') {
+ core.info('Cache write is disabled (read-only mode). Skipping cache save.');
+ return;
+ }
+
 if (core.getBooleanInput('cache')) {
 await cachePackages();
 }
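Review bot: The `cache-write` description in action.yml does not say which values are accepted, nor that saving stays enabled unless the workflow opts out, so a workflow that builds untrusted pull requests is not protected until it sets the input itself. I would extend the description with something like `Defaults to true. Accepts true or false, for example cache-write: ${{ github.event_name != 'pull_request' }}.` (a constructed example) so the read-only mode is easy to wire up correctly.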
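Review bot: The guard added to `run()` in src/cache-save.ts disables saving only for the exact string `false`, so `False`, `FALSE` or a typo such as `no` leaves cache writes on, and the read-only mode fails open without any message. The `cache` input a few lines below is already read with `core.getBooleanInput`, which accepts the YAML boolean spellings and throws on anything else. Reading this input the same way, `if (!core.getBooleanInput('cache-write')) {`, makes an invalid value stop before `cachePackages()` instead of saving. That relies on the `default: true` added in action.yml so the input is never empty, and on the `catch` belonging to this `try`, which lies outside the hunk. The same lines are mirrored in dist/cache-save/index.js and would need regenerating.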