Skip to content

Add cache-write input for read-only cache mode #710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
salmanmkc wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add cache-write input for read-only cache mode #710

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ inputs:
cache-dependency-path:
description: 'Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies.'
required: false
cache-write:
description: 'Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds.'
required: false
default: true
workloads:
description: 'Optional SDK workloads to install for additional platform support. Examples: wasm-tools, maui, aspire.'
required: false
Expand Down
5 changes: 5 additions & 0 deletions dist/cache-save/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44650,6 +44650,11 @@ process.on('uncaughtException', e => {
});
async function run() {
try {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return;
}
if (core.getBooleanInput('cache')) {
await cachePackages();
}
Expand Down
6 changes: 6 additions & 0 deletions src/cache-save.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,12 @@ process.on('uncaughtException', e => {

export async function run() {
try {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
Comment on lines +17 to +18
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cache-write is defined as a boolean input (action.yml default: true), but the code reads it with core.getInput() and compares to the exact string 'false'. This is brittle (e.g., False/FALSE/whitespace won’t be treated as false) and could unintentionally enable cache writes. Prefer core.getBooleanInput('cache-write') and negate it for the early-return check.

Suggested change
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
const cacheWriteEnabled = core.getBooleanInput('cache-write');
if (!cacheWriteEnabled) {

Copilot uses AI. Check for mistakes.
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return;
}

if (core.getBooleanInput('cache')) {
await cachePackages();
Comment on lines +17 to 24
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New behavior (skipping the post-step cache save when cache-write is false) isn’t covered by tests. There are existing unit tests for cache-save; please add a case that sets cache: true and cache-write: false and asserts no save attempt is made (e.g., no getState/saveCache calls).

Copilot uses AI. Check for mistakes.
}
Comment on lines +17 to 25
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cache-write early-return runs before checking whether cache is enabled. If a workflow sets cache-write: false but cache: false, this will still emit a “Skipping cache save” message even though no save would happen anyway. Consider checking cache first (or only logging when caching is enabled) to avoid confusing logs.

Suggested change
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return;
}
if (core.getBooleanInput('cache')) {
await cachePackages();
}
const cacheEnabled = core.getBooleanInput('cache');
if (!cacheEnabled) {
return;
}
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return;
}
await cachePackages();

Copilot uses AI. Check for mistakes.
Expand Down
Loading