actions/setup-java
1
0
Fork 0
mirror of https://github.com/actions/setup-java.git synced 2026-03-14 06:15:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add cache-write input for read-only cache mode

Browse Source 
Add a 'cache-write' input (default: true) that controls whether the cache
is saved at the end of the workflow. When set to 'false', the action will
restore cached dependencies but skip saving, providing a read-only cache
mode.

This is useful for preventing cache poisoning attacks from untrusted PR
builds while still benefiting from cached dependencies.
This commit is contained in:
Salman Chishti 2026-03-09 05:35:59 -07:00 committed by GitHub
parent 1d018f9b8b
commit 974f2a8de3
3 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
action.yml
View File

@ -59,6 +59,10 @@ inputs:
cache-dependency-path:
description: 'The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies.'
required: false
cache-write:
description: 'Whether to save the cache at the end of the workflow. Set to false for cache read-only mode, useful for preventing cache poisoning from untrusted PR builds.'
required: false
default: true
job-status:
description: 'Workaround to pass job status to post job step. This variable is not intended for manual setting'
default: ${{ job.status }}

5
dist/cleanup/index.js vendored
View File

@ -76919,6 +76919,11 @@ function removePrivateKeyFromKeychain() {
*/
function saveCache() {
return __awaiter(this, void 0, void 0, function* () {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return Promise.resolve();
}
const jobStatus = (0, util_1.isJobStatusSuccess)();
const cache = core.getInput(constants.INPUT_CACHE);
return jobStatus && cache ? (0, cache_1.save)(cache) : Promise.resolve();

6
src/cleanup-java.ts
View File

@ -25,6 +25,12 @@ async function removePrivateKeyFromKeychain() {
* @returns Promise that will be resolved when the save process finishes
*/
async function saveCache() {
const cacheWriteEnabled = core.getInput('cache-write');
if (cacheWriteEnabled === 'false') {
core.info('Cache write is disabled (read-only mode). Skipping cache save.');
return Promise.resolve();
}
const jobStatus = isJobStatusSuccess();
const cache = core.getInput(constants.INPUT_CACHE);
return jobStatus && cache ? save(cache) : Promise.resolve();