Explicitly disable caches in sensitive publish workflows #1549
Open
slorber wants to merge 1 commit into
Pull request overview
Updates published workflow documentation to explicitly disable automatic dependency caching in sensitive publish scenarios (including npm Trusted Publisher/OIDC) to reduce cache-poisoning supply-chain risk.
Changes:
- Added `package-manager-cache: false` to npm publish examples (npmjs + GitHub Packages).
- Added `package-manager-cache: false` to yarn publish examples.
- Added `package-manager-cache: false` to the Trusted Publisher (OIDC) publish example.
Comment on lines 402 to 406
| node-version: '24.x' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| package-manager-cache: false # Prevent cache poisoning issues | ||
| - run: npm ci | ||
| - run: npm publish |
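Review bot: the `# Prevent cache poisoning issues` comment on the `package-manager-cache: false` line (402 to 406) names the risk but not the mechanism, so a reader copying this npm publish example will not know what the default would otherwise do; consider a short sentence in the surrounding prose, or a link to the README's "Breaking changes in v5" section that the PR description mentions, explaining that v5+ turns dependency caching on by default under some conditions and that this publish job should install from the lockfile into a clean environment with `npm ci` before `npm publish`.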
Comment on lines 507 to 512
| - uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| package-manager-cache: false # Prevent cache poisoning issues | ||
|
|
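Review bot: this second example uses `node-version: '24'` while the example at lines 402 to 406 uses `'24.x'`; aligning the version spelling across the publish examples keeps `package-manager-cache: false` as the only deliberate difference between them. Only the `uses:`/`with:` block is visible in this snippet (507 to 512), so the install and publish steps that follow it should be checked to confirm they match the npm example (`npm ci`, then `npm publish`).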
This was referenced May 14, 2026
Description:
Sensitive workflows like the Trusted Publishing workflow should explicitly disable cache to reduce supply chain risk due to cache poisoning. See recent hack: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
It would be better if that default was applied automatically, and not depending on various conditions that are not so easy to understand, so explicitly disabling this in the documentation is safer for now.
Automatic caching was afaik turned on by default in v5 in certain conditions. I think it's worth considering reverting that change and making caching opt-in, to have a more secure action by default, even if it's less performant.
Note that many people upgrade actions without looking at the changelog, using Dependabot. Default value changes like this can introduce vulnerabilities, so whatever the default is, explicitly disabling the cache for sensitive workflows remains a good idea IMHO.
Note that on README.md, there's already a disclaimer giving similar advice. However, it's not easy to find, and your Trusted Publishing docs don't even follow that recommendation:
https://github.com/actions/setup-node#breaking-changes-in-v5
I believe all your documented examples should follow that recommendation, explicitly disable caching with `package-manager-cache: false`, and link to a canonical doc page explaining the security problem.

This PR is just to kickstart the discussion; there are probably other sensitive workflows you document that do not have `package-manager-cache: false`, and probably other official GitHub Actions whose docs show insecure examples.

Related issue:
See my comment here: #1445 (comment)
Check list:
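As an added example (not code from setup-node or from this PR), a line-based audit script that flags `actions/setup-node` steps which do not explicitly set `package-manager-cache: false`, so a repository's publish workflows can be checked regardless of what the action's default happens to be in the installed version. It runs over a constructed sample workflow with one job relying on the default and one opting out, and assumes the usual block-style `- uses:`/`with:` step layout (with or without a leading `name:`).

```python
import re
from typing import List, Tuple

# Constructed sample (not from setup-node or this PR): one job relies on the default, one opts out.
SAMPLE_WORKFLOW = """\
jobs:
  publish-default-cache:
    steps:
      - uses: actions/setup-node@v6
        with:
          node-version: '24'
      - run: npm publish
  publish-no-cache:
    steps:
      - name: Set up Node
        uses: actions/setup-node@v6
        with:
          node-version: '24'
          package-manager-cache: false  # prevent cache poisoning
      - run: npm publish
"""

USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*(actions/setup-node@\S+)")
OPT_OUT_RE = re.compile(r"^\s*package-manager-cache:\s*['\"]?false['\"]?\s*(#.*)?$")

def find_setup_node_without_cache_optout(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, uses_value) for each setup-node step that lacks an explicit
    package-manager-cache: false. Line-based on purpose, so no YAML library is needed."""
    lines = workflow_text.splitlines()
    findings: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Indent of the step's "- " marker; without a dash the keys sit two columns in.
        # Any non-blank line at or below that indent (next step, parent key) ends the step.
        step_indent = len(m.group(1)) - (0 if m.group(2) else 2)
        opted_out = False
        j = i + 1
        while j < len(lines) and (not lines[j].strip()
                                  or len(lines[j]) - len(lines[j].lstrip()) > step_indent):
            if OPT_OUT_RE.match(lines[j]):
                opted_out = True
            j += 1
        if not opted_out:
            findings.append((i + 1, m.group(3)))
        i = j
    return findings
```

Pointing it at every file under `.github/workflows/` turns the PR's advice into a repeatable check, and a `package-manager-cache: true` or a missing key is reported the same way since only an explicit `false` counts as opting out.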